Raymond Tec News for February 17, 2019

Raymond Tec News

00:00 / 20:54

Intro

Welcome to the February 17^th, 2019 episode of the Raymond Tec News podcast. I scour the web and curate the articles, tweets, and backchannel sources to provide you, the non-nerd, a concise summary of the bullet points and takeaways from the week’s tech news.

I start off each episode with the stuff to keep you up at night; data breaches, privacy concerns, and security threats. But I like to instill a bit of joy around technology so I end with a series of stories that will restore your faith in technology, and, maybe, humanity.

Let’s dive in to data breaches.

Intro

Data Breaches

First up, a devastating hack of email provider VFEmail.net wiped all primary and backup data from their servers. Unlike most hacks I report on where an attacker is out for financial gain by locking data or stealing account information, this one was solely intended to destroy the target. The primary domain is back online, but all secondary domains are still down. These secondary domains are chewiemail.com, clovermail.net, mail-on.us, manlymail.net, metadatamitigator.com, offensivelytolerant.com, openmail.cc, powdermail.com, and toothandmail.com.

Malta’s largest bank, the Bank of Valletta, was attacked on Wednesday. Hackers attempted to steal about 13 million euros, transferring them to banks in the US, UK, and Hong Kong. All IT systems were shut down and the transactions were reversed. No customer accounts were impacted, according to the bank.

A Chinese company that uses facial recognition to track Muslims in the country has left a database exposed online, leaking information about 2.5 million people. The leak was discovered by a security researcher named Victor Gevers. Gevers said the data was highly sensitive and included GPS coordinates of the users.

A Pakistani hacker emailed the Hacker News with a list of websites he’s hacked attempting to sell the login credentials he’s stolen. A lot of these are popular services, and these are recent hacks, unlike the Collection 1-5 data dumps I’ve reported on the past couple weeks. The biggest names among them include MyFitnessPal, MyHeritage, Whitepages, 500px, CoffeeMeetsBagel, and Houzz. The complete list is in the show notes. Two other dating apps have also been affected, OkCupid and Jack’d. OkCupid is denying being breached. Of those last two, it’s unclear if they’re linked with the Pakistani hacker.

LandMark White, an Australian commercial and residential property valuation firm admits that it exposed up to 100,000 records online containing client’s personal details and property valuation records.

TechCrunch has received an update from Marriott on the Marriott/Starwood breach. Marriott has partnered with security firm OneTrust to provide a checker to see if your information has been included in the breach. Link in the show notes for this one.

Dunkin’ Donuts was hacked again with another credential stuffing attack. Credential stuffing means attackers take compromised usernames and passwords from other websites and try to log in. People who recycle passwords are vulnerable to these attacks.

Of course, you don’t have to worry about changing passwords, because you don’t recycle your passwords, do you? Well, if you do, I’d recommend you break that habit by using a password manager. I use LastPass.

The LastPass password manager works on your computers, phones, and tablets. It randomly generates passwords for you each time you create an account, plus for many sites, it will automatically change passwords for you during installation.

It’s simple and makes your online life more secure. Learn more about LastPass by visiting my affiliate link at Raytec dot co slash LastPass. That’s r-a-y-t-e-c dot c-o slash l-a-s-t-p-a-s-s. If you purchase a subscription using my affiliate link, I will receive compensation for it. But, if I didn’t use it, I wouldn’t recommend it.

Moving on to Privacy News.

Data Breach Links

Hackers Wipe US Servers of Email Provider VFEmail

Cyber Attack on Malta’s Bank of Valletta | Hackers Tried to Steal eur13 Million from Malta’s Bank of Valletta

Chinese Facial Recognition Database Exposes 2.5M People | Chinese Company Leaves Muslim-Tracking Facial Recognition Database Exposed Online

Hacker Breaches Dozens of Sites, Puts 127 Million New Records Up for Sale | 127 Million User Records from 8 Companies Put up for Sale on the Dark Web | Photography Site 500PX Resets 14.8 Million Passwords After Data Breach

OkCupid Denies Data Breach Amid Account Hack Complaints | Coffee Meets Bagel Confirms Hack on Valentine’s Day | Hacks, Nudes, and Breaches: It’s Been a Rough Month for Dating Apps

Up to 100,000 Reported Affected in Landmark White Data Breach

Marriott Now Lets You Check if You’re a Victim of the Starwood Hack

Dunkin’ Donuts Accounts Compromised in Second Credential Stuffing Attack in Three Months

Privacy News

A recent addition to the browser marketplace, Brave, whose focus is on enhanced privacy, has revealed that Facebook and Twitter trackers are allowed by default in the browser. This has brought some in the information security industry to call into question the quality of privacy protection in the new browser.

While we’re talking about browsers, Google has announced that Chrome will soon make it harder for websites to detect that you’re using its private Incognito mode. Once this update is rolled out, your web activity will be harder to track if you’re still using Chrome.

The International Computer Science Institute has shared research with CNET revealing about 17,000 Android apps track your activity over time and create a permanent record on your device, even if you tell the app to delete previous data.

Google Voice will now have an option to hide your caller ID on all outgoing calls, allowing you to hide your number from people you don’t want to have it.

The European Union’s General Data Protection Regulation forces companies to allow users to download their data from websites. While downloading data from Twitter this week, a user discovered that deleted direct messages were kept in Twitter’s database, even messages to accounts that were suspended or deleted. The bug has been reported to Twitter and they’re, reportedly, looking into it.

Apple’s recent push for improved user privacy has resulted in a law suit. A New York resident has filed a class action lawsuit against Apple for forcing users to use two-factor authentication. The New Yorker claims that having to enter the code can take up to five minutes and is causing economic losses to him and other Apple customers.

In another blow to Apple’s privacy cred, a new flaw has been found in the macOS privacy protection features. A developer has inadvertently found a way to access the address book on macOS without requesting permission from the operating system or the user, meaning a malicious program or app could grab data from your address book without your knowing it. This same developer also discovered a flaw that will allow malicious apps to access your browsing history. The latter has been fixed with an update released for macOS on February 7^th.

I came across several articles this week detailing the ways that children are currently being exploited online. From recruiting teens for money laundering from Instagram and Snapchat, to sexual exploitation via live streaming apps, children as young as 8 are becoming victims of online fraudsters and predators. While this is disturbing and disheartening, the Australian government has set aside 10 million dollars to hand out to non-government organizations to deliver online safety education and training targeted at children.

While we’re talking about Australia, their disastrous Assistance and Access bill is back in the news this week. If you’ll recall, this bill was rushed through in December and granted sweeping powers for law enforcement to coerce people into granting access to encrypted devices, as well as force companies to create back doors into encrypted communications. This means chat services like WhatsApp would no longer be secure and private. The newly convened legislation has proposed an amendment to that bill that would mitigate the most damaging sections.

South Korea, in a move reminiscent of China’s internet surveillance, has begun snooping encrypted traffic on its networks to block websites it doesn’t want its citizens to see. South Korea has, for many years, blocked traffic from websites that are unencrypted, meaning they use http not https. This move now means encrypted traffic will be blocked as well. This is detrimental to a free and open internet.

While working on plans to partner with Hungary for defense, US Secretary of State Mike Pompeo has warned central European nations that using Huawei equipment make it more difficult for America to be present in their countries.

On Wednesday, the US Government Accountability Office released a 56-page report that included a recommendation for the US to adopt a GDPR type privacy rule. The GAO suggested that the Federal Trade Commission be the governing body for internet privacy issues, noting that it was already partially in that role, but lacked sufficient enforcement abilities.

That’s it for Privacy News, moving on to Security News.

Privacy News Links

These Android Apps Have Been Tracking You, Even When You Say Stop

Facebook, Twitter Trackers Whitelisted by Brave Browser

Google Wants to Make it Harder for Sites to Detect That You’re Using Chrome’s Incognito Mode

Google Voice Adding ‘Anonymous Caller ID’ Option in Settings

Twitter Has Been Storing Your ‘Deleted’ DMs for Years

Apple Sued for ‘forcing’ 2FA on Accounts

Another Flaw Found in macOS Mojave’s Privacy Protection | Privacy Protection Bypass Flaw in macOS Gives Access to Browsing History

Fraudsters Scamming Teenage ‘money mules’ on Social Media | Get-Rich-Quick Social Media Scams are Turning Teens into Money Mules | Australian Government Offers AU$10m in Grants for children’s Online Safety | Kids as Young as Eight Falling Victim to Online Predators

Dueling Ghosts Battle Over Encryption Laws in a Dying Parliament

South Korea is Censoring the Internet by Snooping on SNI Traffic

US Government Warns Allies About Huawei Again

US Needs an Internet Data Privacy Law, GAO Tells Congress

Security News

A new variant of malware targeting macOS has been discovered this week. Known as Shlayer, the malware poses as an Adobe Flash update and can bypass macOS’s Gatekeeper security software. This new variant has been discovered on fake and hijacked legitimate websites. Very few sites use Adobe Flash any more, and you should probably uninstall it if you still have it.

After a bunch of reports of Nest devices getting attacked in recent weeks, Google’s Nest has proactively reset user’s passwords for them. Typically, companies will send an email notifying users that they should reset their passwords, in this case, Nest is forcing the reset and recommending users enable two-factor authentication.

A new malware has been discovered on the Android app store. Known as Clipper, the malware pretends to be MetaMask, a legitimate cryptocurrency wallet. The app steals credentials and then attackers empty users’ crypto wallets.

A new flaw was discovered in the Android version of the OkCupid dating app which may be the cause of the data breach that OkCupid denied this week. The flaw, basically, allows attackers to re-direct users to a fake login form to steal their credentials. Attackers are then accessing the users accounts and changing email addresses and passwords.

Updates this month from both Adobe and Microsoft have fixed more than 70 bugs each. Adobe has patched some dangerous flaws in its Adobe Reader app. Microsoft has patched Exchange, SharePoint, and, of all things, Internet Explorer in its most recent patches. If you haven’t yet, it’s time to update your computers.

Microsoft also announced that it removed 8 apps from its Windows app store after it discovered these apps were actually mining cryptocurrency on users’ systems without their knowledge. Apps include Fast-search Lite, Battery Optimizer (Tutorials), VPN Browser+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search. If you have these apps on your computer, you should uninstall them.

Apache’s OpenOffice, a free, open-source alternative to Microsoft’s Office suite, has had a patch released to fix a vulnerability that has been on the books since last year.

Switzerland has invited hackers to penetration test its e-voting system offering cash rewards worth as much as $50,000. Running from February 25^th to March 24^th, companies and security researchers will have to sign up to receive permission to attack the system. More governments and companies should adopt this model before rolling out new systems. Even if the bounties are lower, it can shore up weaknesses.

Email fraud attacks in the Healthcare sector jumped 473% since 2017. This revelation comes on the heels of a new phishing attack that may fool even savvy users. Attackers are now requesting users log in to Facebook to view blog posts. In reality, when a user clicks on the login with Facebook link, it shows a very realistic copy of a Facebook login, capturing your credentials. Security researchers recommend enabling two-factor authentication on accounts in case you fall prey to one of these scams.

Security researchers are warning that a new spate of phishing emails have been designed to exploit the lonely. These romantic emails have a zip file containing a particularly nasty ransomware known as GandCrab.

Emotet malware, a banking trojan, has become more destructive. Malicious groups have begun selling access to the Trojan and making money as a distribution platform allowing less sophisticated groups and individuals to wet their beaks on a larger scale.

Finally, in security news, a technology researcher named Mike Grover has developed a USB cable that will make any phone connected to it vulnerable to attacks via Wi-Fi. His thought was, why be obvious by connecting a USB drive, when you can leave this cable somewhere for someone to charge their phone, and they’ll never have any idea.

Moving on to Other News.

Security News Links

New Variant of Shlayer macOS Malware Discovered | macOS Trojan Disables Gatekeeper to Deploy Malicious Payloads

Nest Resetting Compromised Passwords Instead of Just Recommending Users Do So

Clipper Malware Slips into Google Play

Android Dating App Flaw Could Have Opened the Door to Phishing Attacks

Unofficial Patch Released for Adobe Reader Zero-Day | Micropatch Released for Adobe Reader Zero-Day Vulnerability | Update Now! Microsoft and Adobe’s February 2019 Patch Tuesday is Here | Microsoft, Adobe Both Close More Than 70 Security Issues

Microsoft Removes Eight Cryptojacking Apps from Official Store

Third-Party Patch Released for Code Execution Flaw in OpenOffice

Swiss Government Invites Hackers to Pen-Test its E-Voting System

Warning – New Phishing Attack That Even Most Vigilant Users Could Fall For | Email Fraud Attacks on Healthcare Jumped 473% Since 2017

Ransomware Warning: That Romantic Message May Hide a Nasty Surprise

Emotet Malware Tweaks Tactics in Fresh Attack Wave

Evil USB O.MG Cable Opens Up Wi-Fi to Remote Attacks

Other News

Apex Legends, a new competitor to Epic Games’ Fortnite, has tallied 25 million players in its first week.

Microsoft’s LinkedIn social networking site is launching a new live video tool. Currently it’s in an invite-only beta test. It will allow individuals and companies to broadcast to select groups or all of LinkedIn.

No one’s quite sure why, but Russia has announced it will be disconnecting itself from the Internet sometime in the coming months. The country could be doing a resiliency test on its own systems, beefing up cyberwarfare capabilities, or planning new ways to censor content for its citizens. I’ll be watching for more information on this one, because it’s the first test of its kind.

MGM has announced its Epix television network will enter the streaming video fray with its new EpixNow offering. This was announced the same week that Epix has purchased the rights to turn Slate’s Slow Burn podcast into a documentary series. For those unfamiliar, Slow Burn is a podcast about the Watergate scandal.

CBS has announced its All Access and Showtime streaming platforms have reached 8 million subscribers, beating their expectations. Their next goal is 25 million subscribers by 2022.

Amazon’s HQ2 in Queens has been scrapped. Pressure from citizens has forced the tech behemoth to re-think its expansion.

In other Amazon news this week, they’ve purchased eero, a company that makes home mesh routers. A mesh router enables Wi-Fi to be spread more evenly throughout a home without the need to run an ethernet cable to each access point. The systems ‘mesh’ together wirelessly.

On Monday, President Trump signed an executive order to create the American AI Initiative. The order will invest in AI R&D, establish governmental standards, educate workers about AI, and promote international AI R&D cooperation. Details are a little murky, but it’s a forward-thinking step.

As I’ve mentioned in past podcasts, Windows 7 support ends in the coming year. That means no more security upgrades. ZDNet has a great article about all the best reasons to upgrade to Windows 10, and why you probably don’t actually have to pay to upgrade, even though that free upgrade deal supposedly ended in 2016. The top reason I suggest you upgrade? Security. Windows 10 is much more secure than Windows 7.

Reddit, the front page of the internet, as it is known, has raised the ire of its users by announcing a new funding round which is being managed by Chinese company Tencent. Reddit itself, is banned in China, so the ire sparked irony and a spate of Winnie the Pooh memes. Why Winnie the Pooh? Apparently, comparisons were made between Chinese President Ping and Winnie the Pooh which offended the ruler causing the Chinese Communist Party to ban the movie Christopher Robin and all Winnie the Pooh related memes, jokes, and GIFs.

A new bill in the United Kingdom proposes to make looking at online content which is deemed of a “terrorist” nature a criminal offense. This expands an existing law which requires the material be downloaded to a device. The UK is moving into criminalizing thoughtcrime. George Orwell’s nightmare has come to life.

A former U.S. Air Force Officer has been indicted along with four Iranian citizens affiliated with the Iranian Revolutionary Guard. Monica Witt, the former Air Force Officer, provided US secrets to the Iranians to help them craft a spear-phishing campaign targeting users that had access to important US computer infrastructure.

Apple’s Enterprise Certificates have been abused again. A couple weeks ago I reported on Apple’s crackdown on Facebook and Google for using these corporate, internal only methods for creating Apple apps that track regular users. Now it appears these certificates have been used to target porn and gambling apps at regular users.

Apple has purchased an AI startup named PullString that specializes in building interactive systems. Think Alexa and Google Assistant apps and Mattell’s talking Hello Barbie doll that came out in 2015. It would appear Apple is attempting to strength their Siri voice assistant and Home Pod offerings.

A lawyer who formerly worked for Apple has been accused of insider trading by the Securities and Exchange Commission. He reportedly made more than a quarter of a million dollars in profit by trading stocks based on non-public information. The real irony here? He was the lawyer in charge of informing employees not to trade on insider information.

News about Google, both good and bad, has been all over this week. Google has been discovered reducing their tax liabilities through shell companies. Their Sidewalk Labs division has inadvertently revealed a plan to skim tax revenue from the development of property in downtown Toronto. The right click menu in Gmail is about to get a big update, making it more useful. Their mobile phone service, Google Fi, is about to start selling SIM cards in Best Buy to expand their reach. And, finally, Google Maps is launching an Alternate Reality component to overlay walking directions, business listings, and other information by combining Google Lens technology with the Google Maps app.

In the final story in Other News, Uber has filed a law suit against New York City to remove its cap on cars allowed to operate in the city. Uber argues that a one-year freeze on the number of vehicles allowed to operate as ride-hail cars is anticompetitive, an overreach of the city’s powers, and not the best solution to traffic congestion issues. The city has fired back stating, quote, “No legal challenge changes the fact that Uber made congestion on our roads worse and paid their drivers less than a living wage,” end quote. According to the Wired article linked in the show notes, 106,000 for-hire vehicles are licensed to operate in New York City, which is up 60 percent since 2016.

It’s finally time to move onto the Good News.

Other News Links

Fortnite, Look Out: Apex Legends Tallies 25 Million Players a Week After Launch

LinkedIn to Launch its Own Live Video Tool

Russian ISPs Plan Internet Disconnection Test for Entire Country | Russia to Disconnect from the Internet as Part of a Planned Test | What Happens if Russia Cuts Itself Off from the Internet

Epix is Turning Slate’s Slow Burn Podcast into a Documentary Series | MGM-Owned Epix Jumps into the Streaming Service Arena with EpixNow

CBS Reached its Streaming Subscription Target Two Years Early

Amazon Pulls Out of NYC

Amazon to Acquire eero, Home Mesh Router Maker

Trump Signs Executive Order Prioritising AI Development

I Like Windows 7: Why Should I Pay to Move to Windows 10?

Winnie The Pooh Takes Over Reddit Due to Chinese Investment, Censorship Fears

Today in Thoughtcrime: UK Bill Makes Clicking on ‘Terrorism’ Links Worth a Jail Term

Former U.S. Air Force Officer Indicted for Aiding Iranian Cyber Attacks

Apple Phone Users Targeted with Hardcore Porn and Gambling Apps

Apple Buys AI Voice Startup that Helps Companies Build Alexa and Google Assistant Apps

Ex-Apple Lawyer in Charge of Stopping Insider Trading Charged with Insider Trading

Google Reportedly Scored Tax Breaks Using Secret Shell Companies | Alphabet’s Sidewalk Labs Outlines How it’ll Make Money from Toronto | Google Refreshes Right-Click Menu Options in Gmail | Google Fi begins Retail Push with SIM Cards at Best Buy | Google Maps AR Navigation Coming First to Local Guides as UI Detailed in First Look

Uber Sues NYC to Kill Its Ride-Hail Car Cap

Good News

In good news for safety, an expanded system designed by the University of Michigan, will allow self-driving cars to not only see pedestrians, but predict where they will move. Using posture and other factors, artificial intelligence built into autonomous vehicles will be able to better guess a human’s intended next move.

As a measles epidemic unfolds in Washington state, Facebook and Google are being pressured to end anti-vax conspiracy theories. The root of these conspiracy theories seems to be falsified evidence from a doctor whose license was stripped and a campaign by failed model and actress Jenny McCarthy. Representative Adam Schiff sent a letter to Mark Zuckerberg stating, quote, “Repetition of information, even if false, can often be mistaken for accuracy,” end quote.

A new tool called Authenticate by start up Amber, has developed a method for reducing video tampering and deepfakes. Deepfakes, or Deep Learning Fakes, are videos that are created by artificial intelligence by combining two videos or images to create a false image. Deepfakes have been used maliciously by individuals wishing to leak fake sex tapes of famous actors and create false narratives for legal cases, such as police interactions gone wrong. The new Amber Authenticate tool runs in the background on video recording equipment and creates a cryptographic hash, which, if the video is altered, will reveal that the video was tampered with.

Facebook has rolled out a new messenger feature that I reported on back in December. I’m sure, many of us wish it had been around since the start: Message unsend. Now, drunk texts can be deleted before its recipient reads them.

MIT’s Technology Review has reported on a new hybrid plane initiative which will reduce the amount of time it will take for manufacturers to start developing fully electric planes. We’re still a long way from packing the power into batteries that a large airliner needs to keep it aloft, but these new 12-passenger planes from Zunum will be a step towards that future.

That’s it for this week in tech news that matters to you. If you’ve enjoyed the podcast, please subscribe, rate, and review on iTunes, Google Play, Spotify, Stitcher Radio, or TuneIn. The more buttons you press on those sites, the easier it is for other people to find me. Also, be sure to follow me on Facebook and Twitter at Raymond Tec IT.

Don’t forgot to check the show notes, there are bonus links for further reading, including articles about how monkeys with superpowered eyes could help cure color blindness, how crooks are breaking into iCloud locked iPhones, an AI text generator that’s too dangerous to release to the public, and much more. To get to the show notes, go to Raytec dot co slash listen, that’s r-a-y-t-e-c dot c-o slash listen. There’s links to each of the podcast apps I listed there as well as links to my social media.

Thanks for listening and have a great week!

Good News Links

Vision System for Autonomous Vehicles Watches Not Just Where Pedestrians Walk, But How

Pressure Mounts on Facebook and Google to Stop Anti-Vax Conspiracy Theories | Facebook May Take Extra Steps to Remove Anti-Vaccine Misinformation

A New Tool Protects Videos from Deepfakes and Tampering

You Can Now Unsend Messages in Facebook Messenger

Worry Less About Children’s Screen Use, Parents Told

Hybrid Planes could Shorten the Leap to All-Electric 737s
Additional Reading

Monkeys with Superpower Eyes Could Help cure color Blindness

Testimony: There’s No Internet of Things Risk in Repair

1 in 3 Americans Suffered Severe Online Harassment in 2018

ThisPersonDoesNotExist.com Uses AI to Generate Endless Fake Faces

What’s Behind this 1,000-Character Phishing URL?

Security Pros Agree Military Should Conduct Offensive Hacking

How Do Crooks Break into iCloud-Locked iPhones? Let’s Take a Look

Should You Be Scared of Your Laptop’s Webcam?

Explainer: What is a Quantum Computer?

The AI Text Generator That’s Too Dangerous to Make Public

A Pristine ‘Super Mario Bros.’ Cartridge Sold for Over $100,000

How to Decarbonize America – and the World

25 Fun Games You Can Play with Alexa

3 WhatsApp, Facebook Messenger Alternatives

What Happens When Techno-Utopians Actually Run a Country

AR Will Spark the Next Big Tech Platform – Call It Mirrorworld

Experian: US Suffers the Most Online Fraud

IP Australia’s Alex is More Than Just a Chatbot

Don’t Get Your Valentine an Internet-Connected Sex Toy
Credits

The theme song for the Raymond Tec news podcast was created by me, with samples of modems from the following generous individuals: guitarguy1985, tt_runscript, and 1tmsounds.

Other sounds or music may have been provided by: RossBell (Shuffling Papers), InspectorJ (Segment Swoosh), Klaudux, levelclearer, Teacoma, Julian Matthey, Doctor_Dreamchip, Greek555, and eardeer.

All samples, sounds, and music are from FreeSound.org.

Raymond Tec News for February 17, 2019

Intro

Table of Contents

Data Breaches

Privacy News

Security News

Other News

Good News

Leave a Reply Cancel reply