Raymond Tec News for February 17, 2019
Welcome to the February 17th, 2019 episode of the Raymond Tec News podcast. I scour the web and curate the articles, tweets, and backchannel sources to provide you, the non-nerd, a concise summary of the bullet points and takeaways from the week’s tech news.
I start off each episode with the stuff to keep you up at night: data breaches, privacy concerns, and security threats. But I like to instill a bit of joy around technology, so I end with a series of stories that will restore your faith in technology, and, maybe, humanity.
Let’s dive into data breaches.
First up, a devastating hack of email provider VFEmail.net wiped all primary and backup data from their servers. Unlike most hacks I report on where an attacker is out for financial gain by locking data or stealing account information, this one was solely intended to destroy the target. The primary domain is back online, but all secondary domains are still down. These secondary domains are chewiemail.com, clovermail.net, mail-on.us, manlymail.net, metadatamitigator.com, offensivelytolerant.com, openmail.cc, powdermail.com, and toothandmail.com.
Malta’s largest bank, the Bank of Valletta, was attacked on Wednesday. Hackers attempted to steal about 13 million euros, transferring them to banks in the US, UK, and Hong Kong. All IT systems were shut down and the transactions were reversed. No customer accounts were impacted, according to the bank.
A Chinese company that uses facial recognition to track Muslims in the country has left a database exposed online, leaking information about 2.5 million people. The leak was discovered by a security researcher named Victor Gevers. Gevers said the data was highly sensitive and included GPS coordinates of the users.
A Pakistani hacker emailed The Hacker News with a list of websites he’s hacked, attempting to sell the login credentials he’s stolen. A lot of these are popular services, and these are recent hacks, unlike the Collection 1-5 data dumps I’ve reported on the past couple weeks. The biggest names among them include MyFitnessPal, MyHeritage, Whitepages, 500px, CoffeeMeetsBagel, and Houzz. The complete list is in the show notes. Two other dating apps have also been affected, OkCupid and Jack’d. OkCupid is denying being breached. Of those last two, it’s unclear if they’re linked with the Pakistani hacker.
LandMark White, an Australian commercial and residential property valuation firm, admits that it exposed up to 100,000 records online containing clients’ personal details and property valuation records.
TechCrunch has received an update from Marriott on the Marriott/Starwood breach. Marriott has partnered with security firm OneTrust to provide a checker to see if your information has been included in the breach. Link in the show notes for this one.
Dunkin’ Donuts was hacked again with another credential stuffing attack. Credential stuffing means attackers take compromised usernames and passwords from other websites and try to log in. People who recycle passwords are vulnerable to these attacks.
Of course, you don’t have to worry about changing passwords, because you don’t recycle your passwords, do you? Well, if you do, I’d recommend you break that habit by using a password manager. I use LastPass.
The LastPass password manager works on your computers, phones, and tablets. It randomly generates passwords for you each time you create an account, plus for many sites, it will automatically change passwords for you during installation.
It’s simple and makes your online life more secure. Learn more about LastPass by visiting my affiliate link at Raytec dot co slash LastPass. That’s r-a-y-t-e-c dot c-o slash l-a-s-t-p-a-s-s. If you purchase a subscription using my affiliate link, I will receive compensation for it. But, if I didn’t use it, I wouldn’t recommend it.
Moving on to Privacy News.
A recent addition to the browser marketplace, Brave, whose focus is on enhanced privacy, has revealed that Facebook and Twitter trackers are allowed by default in the browser. This has brought some in the information security industry to call into question the quality of privacy protection in the new browser.
While we’re talking about browsers, Google has announced that Chrome will soon make it harder for websites to detect that you’re using its private Incognito mode. Once this update is rolled out, your web activity will be harder to track if you’re still using Chrome.
The International Computer Science Institute has shared research with CNET revealing about 17,000 Android apps track your activity over time and create a permanent record on your device, even if you tell the app to delete previous data.
Google Voice will now have an option to hide your caller ID on all outgoing calls, allowing you to hide your number from people you don’t want to have it.
The European Union’s General Data Protection Regulation forces companies to allow users to download their data from websites. While downloading data from Twitter this week, a user discovered that deleted direct messages were kept in Twitter’s database, even messages to accounts that were suspended or deleted. The bug has been reported to Twitter and they’re, reportedly, looking into it.
Apple’s recent push for improved user privacy has resulted in a lawsuit. A New York resident has filed a class action lawsuit against Apple for forcing users to use two-factor authentication. The New Yorker claims that having to enter the code can take up to five minutes and is causing economic losses to him and other Apple customers.
In another blow to Apple’s privacy cred, a new flaw has been found in the macOS privacy protection features. A developer has inadvertently found a way to access the address book on macOS without requesting permission from the operating system or the user, meaning a malicious program or app could grab data from your address book without your knowing it. This same developer also discovered a flaw that will allow malicious apps to access your browsing history. The latter has been fixed with an update released for macOS on February 7th.
I came across several articles this week detailing the ways that children are currently being exploited online. From recruiting teens for money laundering from Instagram and Snapchat, to sexual exploitation via live streaming apps, children as young as 8 are becoming victims of online fraudsters and predators. While this is disturbing and disheartening, the Australian government has set aside 10 million dollars to hand out to non-government organizations to deliver online safety education and training targeted at children.
While we’re talking about Australia, their disastrous Assistance and Access bill is back in the news this week. If you’ll recall, this bill was rushed through in December and granted sweeping powers for law enforcement to coerce people into granting access to encrypted devices, as well as force companies to create back doors into encrypted communications. This means chat services like WhatsApp would no longer be secure and private. The newly convened legislature has proposed an amendment to that bill that would mitigate the most damaging sections.
South Korea, in a move reminiscent of China’s internet surveillance, has begun snooping encrypted traffic on its networks to block websites it doesn’t want its citizens to see. South Korea has, for many years, blocked traffic from websites that are unencrypted, meaning they use http not https. This move now means encrypted traffic will be blocked as well. This is detrimental to a free and open internet.
While working on plans to partner with Hungary for defense, US Secretary of State Mike Pompeo has warned central European nations that using Huawei equipment makes it more difficult for America to be present in their countries.
On Wednesday, the US Government Accountability Office released a 56-page report that included a recommendation for the US to adopt a GDPR type privacy rule. The GAO suggested that the Federal Trade Commission be the governing body for internet privacy issues, noting that it was already partially in that role, but lacked sufficient enforcement abilities.
That’s it for Privacy News, moving on to Security News.
A new variant of malware targeting macOS has been discovered this week. Known as Shlayer, the malware poses as an Adobe Flash update and can bypass macOS’s Gatekeeper security software. This new variant has been discovered on fake and hijacked legitimate websites. Very few sites use Adobe Flash any more, and you should probably uninstall it if you still have it.
After a bunch of reports of Nest devices getting attacked in recent weeks, Google’s Nest has proactively reset users’ passwords for them. Typically, companies will send an email notifying users that they should reset their passwords; in this case, Nest is forcing the reset and recommending users enable two-factor authentication.
A new malware has been discovered on the Android app store. Known as Clipper, the malware pretends to be MetaMask, a legitimate cryptocurrency wallet. The app steals credentials and then attackers empty users’ crypto wallets.
A new flaw was discovered in the Android version of the OkCupid dating app which may be the cause of the data breach that OkCupid denied this week. The flaw, basically, allows attackers to redirect users to a fake login form to steal their credentials. Attackers are then accessing the users’ accounts and changing email addresses and passwords.
Updates this month from both Adobe and Microsoft have fixed more than 70 bugs each. Adobe has patched some dangerous flaws in its Adobe Reader app. Microsoft has patched Exchange, SharePoint, and, of all things, Internet Explorer in its most recent patches. If you haven’t yet, it’s time to update your computers.
Microsoft also announced that it removed 8 apps from its Windows app store after it discovered these apps were actually mining cryptocurrency on users’ systems without their knowledge. Apps include Fast-search Lite, Battery Optimizer (Tutorials), VPN Browser+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search. If you have these apps on your computer, you should uninstall them.
Apache’s OpenOffice, a free, open-source alternative to Microsoft’s Office suite, has had a patch released to fix a vulnerability that has been on the books since last year.
Switzerland has invited hackers to penetration test its e-voting system offering cash rewards worth as much as $50,000. Running from February 25th to March 24th, companies and security researchers will have to sign up to receive permission to attack the system. More governments and companies should adopt this model before rolling out new systems. Even if the bounties are lower, it can shore up weaknesses.
Email fraud attacks in the Healthcare sector jumped 473% since 2017. This revelation comes on the heels of a new phishing attack that may fool even savvy users. Attackers are now requesting users log in to Facebook to view blog posts. In reality, when a user clicks on the login with Facebook link, it shows a very realistic copy of a Facebook login, capturing your credentials. Security researchers recommend enabling two-factor authentication on accounts in case you fall prey to one of these scams.
Security researchers are warning that a new spate of phishing emails has been designed to exploit the lonely. These romantic emails have a zip file containing a particularly nasty ransomware known as GandCrab.
Emotet malware, a banking trojan, has become more destructive. Malicious groups have begun selling access to the Trojan and making money as a distribution platform allowing less sophisticated groups and individuals to wet their beaks on a larger scale.
Finally, in security news, a technology researcher named Mike Grover has developed a USB cable that will make any phone connected to it vulnerable to attacks via Wi-Fi. His thought was, why be obvious by connecting a USB drive, when you can leave this cable somewhere for someone to charge their phone, and they’ll never have any idea.
Moving on to Other News.
Apex Legends, a new competitor to Epic Games’ Fortnite, has tallied 25 million players in its first week.
Microsoft’s LinkedIn social networking site is launching a new live video tool. Currently it’s in an invite-only beta test. It will allow individuals and companies to broadcast to select groups or all of LinkedIn.
No one’s quite sure why, but Russia has announced it will be disconnecting itself from the Internet sometime in the coming months. The country could be doing a resiliency test on its own systems, beefing up cyberwarfare capabilities, or planning new ways to censor content for its citizens. I’ll be watching for more information on this one, because it’s the first test of its kind.
MGM has announced its Epix television network will enter the streaming video fray with its new EpixNow offering. This was announced the same week that Epix has purchased the rights to turn Slate’s Slow Burn podcast into a documentary series. For those unfamiliar, Slow Burn is a podcast about the Watergate scandal.
CBS has announced its All Access and Showtime streaming platforms have reached 8 million subscribers, beating their expectations. Their next goal is 25 million subscribers by 2022.
Amazon’s HQ2 in Queens has been scrapped. Pressure from citizens has forced the tech behemoth to re-think its expansion.
In other Amazon news this week, they’ve purchased eero, a company that makes home mesh routers. A mesh router enables Wi-Fi to be spread more evenly throughout a home without the need to run an ethernet cable to each access point. The systems ‘mesh’ together wirelessly.
On Monday, President Trump signed an executive order to create the American AI Initiative. The order will invest in AI R&D, establish governmental standards, educate workers about AI, and promote international AI R&D cooperation. Details are a little murky, but it’s a forward-thinking step.
As I’ve mentioned in past podcasts, Windows 7 support ends in the coming year. That means no more security upgrades. ZDNet has a great article about all the best reasons to upgrade to Windows 10, and why you probably don’t actually have to pay to upgrade, even though that free upgrade deal supposedly ended in 2016. The top reason I suggest you upgrade? Security. Windows 10 is much more secure than Windows 7.
Reddit, the front page of the internet, as it is known, has raised the ire of its users by announcing a new funding round which is being managed by Chinese company Tencent. Reddit itself is banned in China, so the ire sparked irony and a spate of Winnie the Pooh memes. Why Winnie the Pooh? Apparently, comparisons were made between Chinese President Ping and Winnie the Pooh which offended the ruler, causing the Chinese Communist Party to ban the movie Christopher Robin and all Winnie the Pooh related memes, jokes, and GIFs.
A new bill in the United Kingdom proposes to make looking at online content which is deemed of a “terrorist” nature a criminal offense. This expands an existing law which requires the material be downloaded to a device. The UK is moving into criminalizing thoughtcrime. George Orwell’s nightmare has come to life.
A former U.S. Air Force Officer has been indicted along with four Iranian citizens affiliated with the Iranian Revolutionary Guard. Monica Witt, the former Air Force Officer, provided US secrets to the Iranians to help them craft a spear-phishing campaign targeting users that had access to important US computer infrastructure.
Apple’s Enterprise Certificates have been abused again. A couple weeks ago I reported on Apple’s crackdown on Facebook and Google for using these corporate, internal only methods for creating Apple apps that track regular users. Now it appears these certificates have been used to target porn and gambling apps at regular users.
Apple has purchased an AI startup named PullString that specializes in building interactive systems. Think Alexa and Google Assistant apps and Mattel’s talking Hello Barbie doll that came out in 2015. It would appear Apple is attempting to strengthen their Siri voice assistant and HomePod offerings.
A lawyer who formerly worked for Apple has been accused of insider trading by the Securities and Exchange Commission. He reportedly made more than a quarter of a million dollars in profit by trading stocks based on non-public information. The real irony here? He was the lawyer in charge of informing employees not to trade on insider information.
News about Google, both good and bad, has been all over this week. Google has been discovered reducing their tax liabilities through shell companies. Their Sidewalk Labs division has inadvertently revealed a plan to skim tax revenue from the development of property in downtown Toronto. The right click menu in Gmail is about to get a big update, making it more useful. Their mobile phone service, Google Fi, is about to start selling SIM cards in Best Buy to expand their reach. And, finally, Google Maps is launching an Alternate Reality component to overlay walking directions, business listings, and other information by combining Google Lens technology with the Google Maps app.
In the final story in Other News, Uber has filed a lawsuit against New York City to remove its cap on cars allowed to operate in the city. Uber argues that a one-year freeze on the number of vehicles allowed to operate as ride-hail cars is anticompetitive, an overreach of the city’s powers, and not the best solution to traffic congestion issues. The city has fired back stating, quote, “No legal challenge changes the fact that Uber made congestion on our roads worse and paid their drivers less than a living wage,” end quote. According to the Wired article linked in the show notes, 106,000 for-hire vehicles are licensed to operate in New York City, which is up 60 percent since 2016.
It’s finally time to move onto the Good News.
In good news for safety, an expanded system designed by the University of Michigan will allow self-driving cars to not only see pedestrians, but predict where they will move. Using posture and other factors, artificial intelligence built into autonomous vehicles will be able to better guess a human’s intended next move.
As a measles epidemic unfolds in Washington state, Facebook and Google are being pressured to end anti-vax conspiracy theories. The root of these conspiracy theories seems to be falsified evidence from a doctor whose license was stripped and a campaign by failed model and actress Jenny McCarthy. Representative Adam Schiff sent a letter to Mark Zuckerberg stating, quote, “Repetition of information, even if false, can often be mistaken for accuracy,” end quote.
A new tool called Authenticate, from startup Amber, offers a method for reducing video tampering and deepfakes. Deepfakes, or Deep Learning Fakes, are videos that are created by artificial intelligence by combining two videos or images to create a false image. Deepfakes have been used maliciously by individuals wishing to leak fake sex tapes of famous actors and create false narratives for legal cases, such as police interactions gone wrong. The new Amber Authenticate tool runs in the background on video recording equipment and creates a cryptographic hash of the recording; if the video is later altered, the hash will reveal that the video was tampered with.
Facebook has rolled out a new messenger feature that I reported on back in December. I’m sure many of us wish it had been around since the start: Message unsend. Now, drunk texts can be deleted before their recipient reads them.
MIT’s Technology Review has reported on a new hybrid plane initiative which will reduce the amount of time it will take for manufacturers to start developing fully electric planes. We’re still a long way from packing the power into batteries that a large airliner needs to keep it aloft, but these new 12-passenger planes from Zunum will be a step towards that future.
That’s it for this week in tech news that matters to you. If you’ve enjoyed the podcast, please subscribe, rate, and review on iTunes, Google Play, Spotify, Stitcher Radio, or TuneIn. The more buttons you press on those sites, the easier it is for other people to find me. Also, be sure to follow me on Facebook and Twitter at Raymond Tec IT.
Don’t forget to check the show notes; there are bonus links for further reading, including articles about how monkeys with superpowered eyes could help cure color blindness, how crooks are breaking into iCloud locked iPhones, an AI text generator that’s too dangerous to release to the public, and much more. To get to the show notes, go to Raytec dot co slash listen, that’s r-a-y-t-e-c dot c-o slash listen. There are links to each of the podcast apps I listed there as well as links to my social media.
Thanks for listening and have a great week!