Raymond Tec News for February 10, 2019
Welcome to the February 10th, 2019 episode of the Raymond Tec News podcast. I scour the web and curate the articles, tweets, and backchannel sources to provide you, the non-nerd, a concise summary of the bullet points and takeaways from the week’s tech news.
I start off each episode with the stuff to keep you up at night; data breaches, privacy concerns, and security threats. But I like to instill a bit of joy around technology so I end with a series of stories that will restore your faith in technology, and, maybe, humanity.
Let’s dive into data breaches.
First up, an investigation is underway to find out who breached the Australian Parliament’s networks. Preliminary information indicates no data was accessed and it may have been nation-state attackers behind the breach.
Home Design Website Houzz, H-O-U-Z-Z, has reported a data breach which exposed some personal information of its users. Even though Houzz sees over 40 million unique users monthly, not all its users were affected.
An undisclosed managed services provider, or MSP, was attacked with ransomware this week, grinding the operations of all of its customers to a screeching halt. MSPs provide their clients with remote administration of their networks, and some MSPs provide completely remote systems, meaning the computer sitting in the office or retail space is a dummy and the desktop people actually use runs on a server in a data center somewhere. That is why one compromised MSP can take down every customer at once.
A spam-based phishing campaign has been targeting North Americans with Excel documents containing a trojan horse that steals banking details. It appears it’s only been in the wild since January 27, so reach is limited. You can avoid becoming infected by not opening attachments you aren’t expecting.
Ontario, Canada-based CarePartners has received a new ransom demand from hackers who breached their databases in June of last year. Partial data dumps have been posted online revealing detailed medical histories and credit card data of patients.
Bleeping Computer reported this week that Business Email Compromise, or BEC, attacks increased nearly 500% last year. As software and hardware security improves, attackers are increasingly relying on the weakest link in the chain: the humans.
Security researchers from Wandera have found several airlines have been leaking passenger data by sending unencrypted links for flight check-in. This data includes passenger names, boarding pass and flight details, passport and travel documents, email addresses, phone numbers, and other information. Over 40 airlines in the US, Europe, and Asia Pacific region are affected. Thus far, no actual leaks have been reported, as this is only a theoretical possibility.
Finally, in data breaches, I have an update to the Collection 1 through 5 data dumps that I’ve reported on for the last couple of weeks. Cybersecurity firm Recorded Future has identified the hackers behind the sale of the compromised credentials. In their research they’ve also determined most of the data was from breaches dating from 2008 to 2016. This means that most of the 993 gigabytes of data was largely useless as most users will have been notified or forced to change their credentials already.
Of course, you don’t have to worry about changing passwords, because you don’t recycle your passwords, do you? Well, if you do, I’d recommend you break that habit by using a password manager. I use LastPass.
The LastPass password manager works on your computers, phones, and tablets. It randomly generates passwords for you each time you create an account, plus for many sites, it will automatically change passwords for you during installation.
It’s simple and makes your online life more secure. Learn more about LastPass by visiting my affiliate link at Raytec dot co slash LastPass. That’s r-a-y-t-e-c dot c-o slash l-a-s-t-p-a-s-s. If you purchase a subscription using my affiliate link, I will receive compensation for it. But, if I didn’t use it, I wouldn’t recommend it.
Moving on to Privacy News.
iOS 12.1.4 rolled out this week and fixed Apple’s issues with the FaceTime spying bug that was revealed last week. It also fixed two other issues related to malicious software being able to attack and gain control of your device.
US Federal prosecutors have indicted and extradited 20 Romanians who ran multi-million-dollar scams on sites like Craigslist and eBay. The scammers would post ads, purporting to be US military, take people’s money for goods, and never deliver.
Attackers are using an old scheme to hide ransomware in images, known as Steganography. Steganography is a broad term which means concealing a message, file, image, or video within another message, file, image, or video. In this particular case discovered by a security researcher, an image of Nintendo’s Mario character is concealing ransomware. Currently, it’s only targeting people in Italy.
In more bad news for images, a trio of bugs were revealed affecting Android versions 7, 8, and 9 which could allow an attacker to compromise a phone by simply displaying an image. The bugs have been patched with Google’s February 2019 update, so please be sure to update your smartphones.
Triout malware, an Android-based spy software capable of monitoring almost every aspect of compromised devices, is back on the Google App store masquerading as a legitimate privacy app. Called Psiphon, that’s P-S-I-P-H-O-N, the bogus privacy software has over 10 million downloads from Google’s app store and an unknown number of third-party sites.
A security researcher has discovered flaws in a video-conferencing system, manufactured by Lifesize, used by tens of thousands of organizations globally. When the researcher initially disclosed this bug in November 2018 to the company, their response was that they may fix it, but most of the affected devices are near or past their end of life. The bugs would allow attackers to gain complete control of the device and the network they were attached to. Fortunately, the researcher reached out again last month and let the company know that he would have to disclose the bug publicly to warn users of the potential of attacks. One day before he was going to publish his findings, the company posted an announcement for users of the affected devices to contact the company directly for a hotfix.
Cybercriminals are exploiting a Gmail feature to increase the scale of their attacks. Gmail ignores dots in the part of an address before the at sign, meaning John Smith at Gmail dot com is the same mailbox as John dot Smith at Gmail dot com or J-O dot H-N Smith at Gmail dot com, and so on. Any website that treats those as different addresses lets someone with a single Gmail account set up multiple accounts. Using the John Smith example, someone who wants to make a lot of Twitter accounts for spam purposes can create 36 different Twitter accounts with that one Gmail address, just by adding and moving dots around.
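The fix on the website's side is to compare addresses in a canonical form before deciding whether a mailbox already has an account. The script below is an added example written for this episode, not code from the podcast or any of its sources. It also folds in two Gmail rules the episode does not mention, the googlemail.com alias and the "+tag" suffix that Gmail delivers to the base mailbox; the sign-up list it checks is constructed for illustration.

```python
from collections import defaultdict

# Domains whose local part Gmail treats as dot-insensitive. googlemail.com is
# an alias of gmail.com (an added fact, not from the episode).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the address in a form where Gmail look-alikes compare equal.

    Gmail ignores dots in the local part and delivers "user+tag" to "user"
    (the plus rule is a Gmail fact added here, not from the episode).
    Addresses at other providers are only case-folded, because other
    providers may treat dots as significant.
    """
    cleaned = address.strip().lower()
    local, at, domain = cleaned.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(signups):
    """Group sign-ups by canonical mailbox and return the mailboxes that own
    more than one account. `signups` is an iterable of (username, email)."""
    by_mailbox = defaultdict(list)
    for username, email in signups:
        by_mailbox[canonical_mailbox(email)].append(username)
    return {mbox: users for mbox, users in by_mailbox.items() if len(users) > 1}


# Constructed sample registrations showing the dot trick from the episode.
SAMPLE_SIGNUPS = [
    ("jsmith01", "johnsmith@gmail.com"),
    ("jsmith02", "John.Smith@gmail.com"),
    ("jsmith03", "jo.hn.smith@googlemail.com"),
    ("jsmith04", "johnsmith+twitter@gmail.com"),
    ("mary", "mary.jones@example.com"),
    ("mary2", "maryjones@example.com"),  # other provider: dots stay significant
]

if __name__ == "__main__":
    for mailbox, users in find_shared_mailboxes(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(users)} accounts -> {', '.join(users)}")
```

Run it and the four John Smith variants collapse to one mailbox while the two example.com addresses stay separate, which is exactly the distinction a sign-up or rate-limiting check needs to make.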
According to a report from Recorded Future via the Security Week news site, APT10, a Chinese cyber-espionage group, has targeted companies in the United States and Europe to steal intellectual property or gain commercial advantage. They’ve done this by using illicitly obtained user credentials for Citrix and LogMeIn. This highlights the importance of vigilance by all users.
Moving on to Other News.
Australia’s Assistance and Access act has been put into use despite the legislature promising to review it beforehand. Under these new laws, refusing to grant access to an encrypted device carries a penalty of up to 10 years in prison. But the act has sweeping powers that can nullify encryption of all types, requiring the computing industry to put a back door in all forms of encrypted communications, rendering everyone susceptible to having data breached or stolen.
Google has developed a new storage encryption scheme called Adiantum for mobile and Internet of Things, or IoT, devices. This means even low-end phones and very basic smart home devices can be encrypted to protect against data leaks and breaches.
While we’re on the topic of IoT, security researchers have discovered a plethora of temperature control systems exposed online due to poor security practices. These systems are in a variety of businesses around the globe including supermarkets, cold storage facilities, pharmaceutical companies, and hospitals.
In a move contrary to his original statements, Mark Zuckerberg has announced that Facebook will begin combining user data from WhatsApp and Instagram into Facebook. This means users of all three services will no longer be able to use the other two services without having their data stored within Facebook’s own databases. German regulators have ordered that Facebook stop combining data from WhatsApp, Instagram, and Facebook citing a violation of German competition and anti-trust rules.
China has passed a new cybersecurity law that allows state agencies to penetration test local companies. This new law will give the Chinese government legal authority to hack into any business operating in China and includes the ability to copy and share data.
Microsoft is going to be updating Office ProPlus and Office 365 in response to privacy concerns raised by the Dutch. It appears that the software was covertly collecting and transmitting private data without disclosing it, violating the European Union’s General Data Protection Regulation.
Slack, messaging platform and the next hot tech IPO, will be expanding their HIPAA compliance in the coming months. Currently only files transferred via the app are compliant with US health privacy laws, but messaging will soon receive the necessary encryption to bring it into compliance as well.
US Senators Rubio of Florida and Wyden of Oregon have sent a letter to the Department of Homeland Security this week requesting the newly formed Cybersecurity and Infrastructure Security Agency investigate whether Federal workers are using foreign-owned Virtual Private Networks, or VPNs. VPNs allow people to safely and anonymously browse the web by sending the requested pages through an intermediate server to obscure the end user’s IP address. But traffic may be vulnerable to interception by hostile foreign nations if it’s routed through their servers before going back to the end user. According to a study conducted by security research firm Metric Labs, about 60% of the free VPN apps available on mobile app stores are owned or operated by companies based in China.
Apple has expanded its crackdown on malicious apps this week to include apps that are recording taps, keystrokes, and, essentially, recording screenshots. This was done for analytical purposes but seems to have led to at least one known data leak. That data leak exposed personal data of about 20,000 Air Canada users.
That’s it for Privacy News, moving on to Security News.
Jeff Bezos, CEO of Amazon, has escalated his war against political corruption and corrupt journalism in an article he wrote and published to blogging site Medium. In the article, Bezos published emails from AMI, the parent company of the National Enquirer, which indicate they were trying to blackmail him. Last month, the National Enquirer published a 12-page story with private text messages from Bezos alleging an extramarital affair. Three weeks later, Bezos’ head of security announced he was investigating how AMI had obtained the correspondence. The emails Bezos revealed suggest AMI has more compromising photos and text messages and would release them unless Bezos ended the investigation. Bezos alleged political motivation in his article, because Amazon owns the Washington Post, a media outlet that is largely critical of the Trump administration. Bezos’ post goes on to elaborate why he believes the tabloid is in bed with the Trump administration, citing the revelation that AMI paid a young woman to suppress an affair with President Trump and the 97-page magazine AMI published last year which gushed about the Saudi Arabian government and its leaders several months ahead of the assassination of a Washington Post columnist.
The EU Copyright Directive is back in the news this week because French and German negotiators have announced a deal to revive the worst parts of Article 13. That’s the one that will put a filter on all online services to prevent copyrighted works from being used improperly. While this might sound like a benefit for copyright holders, the directive is vague and lacks protections for fair use. Tech giants such as Google have suggested that these rules will cut as much as 45% of the traffic to news sites.
The NYPD sent a cease and desist letter to Google requesting they disable users’ ability to report DWI checkpoints in their Waze mapping app, going so far as to suggest users, and the company, may become criminally liable for the evasions.
Amazon has launched a new live streaming service for merchants. The service also features Amazon talent directly hawking merchandise in a fashion similar to QVC and HSN.
A Canadian cryptocurrency exchange CEO died last month freezing about 137 million dollars in funds within an account only he had the password to. Unfortunately for more than 100,000 cryptocurrency holders, they’re out of luck for retrieving this money. The money was stored in this private account to reduce damage in the event of an attack on the exchange.
In more bad news for cryptocurrency traders, using a technique like the Italian Ransomware attack I mentioned earlier, a payments system called Money Button had its service abused to transmit illegal images of child abuse. The news source suggested it may have been to prove a point about the insecurity and exploitability of cryptocurrency’s blockchain technology.
A recently concluded study from the University of Iowa reveals that Twitter simply can’t keep up with removing malicious and junk accounts. The study analyzed 1.5 billion Tweets and found 167,000 different apps using Twitter’s API to automate bot accounts. These tweets pushed spam and links to malware, among other garbage. Twitter’s current threshold, according to the study, is about 100 tweets before it identifies an account as abusive. The researchers have developed a way to identify these accounts better than Twitter, but Twitter hasn’t requested any more assistance or information from them despite being shown the results.
Dell has recalled about 9,000 of its hybrid power adapters made between January and March of 2017 after discovering they pose a shock risk. They’re offering free replacements for affected models.
Just a quick Public Service Announcement: there’s one month left to download all your photos from Flickr before they start getting deleted. Flickr was recently acquired by SmugMug, which is going to be limiting free accounts to 1,000 photos. The new rate for higher limits is fifty dollars a year.
Along similar lines to Flickr, Lowe’s has announced it will be ending its Iris smart home platform at the end of March. To compensate users of their soon-to-be defunct devices, Lowe’s will be sending out prepaid Visa cards to help them migrate to another system. The home improvement chain has not specified how much users will be reimbursed.
It’s finally time to move onto the Good News.
I have exciting news out of the airline sector from Honeywell and Curtiss-Wright. To decrease losses of information after airplane crashes, all next generation Cockpit Voice Recorders and Flight Data Recorders will have always-connected data streams.
The US Justice Department and the Department of Homeland Security released a joint report stating that foreign influence had no material impact on the 2018 midterm elections. We have increased awareness by the general public and intensified scrutiny by the US government to thank for these results.
Stick with me, because this story is a bit technical. Firefox is going to be rolling out some behind-the-scenes changes to further cement its place as the most secure browser. In the coming months, Firefox will have a feature called Site Isolation. This means when a website embeds another site on the same page, known as a frame, Firefox will place the other site into its own boxed-in memory space. For instance, you could be using a site you completely trust, but it shows weather data from a different website. The weather site may have been compromised, allowing remote attackers, in turn, to compromise your system. Firefox will soon separate and isolate that site by placing it into its own unique memory space, protecting the rest of your device.
Last summer, Verizon reportedly throttled the unlimited data of Santa Clara County, California’s firefighters, hampering first responders’ response. Upon hearing this, the Texas legislature has brought a bill that will make it illegal for telecom companies to throttle data in disaster areas. This is wonderful news because a state level bill doesn’t rely on the FCC to enforce it, and the FCC was gutted when Net Neutrality was repealed in 2017.
Microsoft has rolled out an update for Skype that adds background blur to video calls. This will improve the security of video calling with individuals you don’t yet trust. Microsoft acknowledges that the feature may not be perfect or foolproof, so do your best to keep the background neutral. To enable the blur feature, hover over the screen to bring up the video options, hover over the video icon to bring up further options, then enable the “Blur My Background” toggle button.
My final story for the week is about a young man from Andorra, Spain named David Aguilar. Rather than summarizing this, I’m going to let David tell his story with some audio from Great Big World on YouTube.
Another great example of ingenuity and technology solving a problem.
That’s it for this week in tech news that matters to you. If you’ve enjoyed the podcast, please subscribe, rate, and review on iTunes, Google Play, Spotify, Stitcher Radio, or TuneIn. The more buttons you press on those sites, the easier it is for other people to find me. Also, be sure to follow me on Facebook and Twitter at Raymond Tec IT.
Don’t forget to check the show notes; there are bonus links for further reading, including articles about the future of Net Neutrality, Neuromorphic Engineering, why romance with robots is a foregone conclusion, and much more. I’ve also included links to Great Big Story’s Website, YouTube, Facebook, Instagram, and Twitter so you can get more feel-good news whenever and wherever you are. To get to the show notes, go to Raytec dot co slash listen, that’s r-a-y-t-e-c dot c-o slash listen. There are links to each of the podcast apps I listed there as well as links to my social media.
Thanks for listening and have a great week!