Categories
privacy security

If you installed PEAR PHP in the last 6 months, you may be infected | Ars Technica

This is a serious hijack of a toolchain used by developers.

Pear.php.net shuts down after maintainers discover serious supply-chain attack.

Source: If you installed PEAR PHP in the last 6 months, you may be infected | Ars Technica

Categories
legal privacy security

Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg

This is a case that will test the limits of exclusion in the brave new world of cybersecurity insurance. Basically, the insurance company is refusing to pay for cybersecurity related damages by citing an exclusion clause which states the malware was created as part of a cyber warfare.

What if courts and lawyers actually start believing the cyberwar narrative and acting as if any damage caused to Western companies is uninsurable war damage?

What will happen to the insurance of cyber risks if any attack could potentially be declared part of a war?

Source: Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg

Categories
privacy security

In the New Fight for Online Privacy and Security, Australia Falls:

In a move that has sent shock waves through the cybersecurity and software community, Australia passes new law that could potentially devastate its software industry, by compelling tech companies to help law enforcement break into user’s encrypted data.

Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.

Source: In the New Fight for Online Privacy and Security, Australia Falls:

  1. Response from 1Password
  2. Response from Protonmail
Categories
privacy security

New form of Google banking scam

A novel way of scamming. Make your phone number appear in Google Maps by claiming it. People who clicks on the result of Google Maps gets directed to you. Profit!

When you see any information listed on a website, your first reaction isn’t to immediately question whether or not that information is accurate. It is to blindly trust the technology that has helped you unfailingly countless times in the past. That is precisely why this scam is so potent.

Source: New form of Google banking scam

Categories
privacy security

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

Bloomberg’s big story on alleged China hacking through server hardware implants. If true, it would be an absolutely incredible feat, equivalent in terms of impressiveness to the Stuxnet worm.

The attack by Chinese spies reached almost 30 U.S. companies by compromising America’s technology supply chain.

Source: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

At the moment, Bloomberg seems to double-down on its story with the following statement:

“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson told BuzzFeed News in response to a series of questions. “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

It’ll be interesting to see who’s telling the truth as the story develops. Meanwhile, governments and companies around the world should be in panic mode, as they try to figure out if they are using Supermicro servers, and if so, whether they are affected by the so-called hacking.

(2018-Oct-04) Apple and Amazon both issued strong denials to the claims of the article.

(2018-Oct-04) Separately, Apple and Amazon both issued even stronger statements on their website to set the record straight on the matter.

(2018-Oct-05) Buzzfeed’s coverage of the story also seem to indicate that even senior staff in Apple doesn’t know about the alleged hacks.

(2018-Oct-20) Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story

(2018-Oct-23) Amazon cloud chief Jassy follows Apple in calling for retraction of Chinese spy chip story

Categories
privacy

Turn Off Your Fitbit, Garmin, Apple Watch GPS NOW!

IOW, location data can be mined for valuable information. The proliferation of sensors in everyday devices and the rapid adoption of IoT has put the spotlight on the problem.

This was all sparked when reports surfaced earlier this year of a fitness-tracking company, Strava, publishing maps showing where users jog, bike and exercise. Since many of its users are members of the military, their jogging routes and other exercises showed exactly where the US has service members around the world, as well as showing their running routes.

Source: Turn Off Your Fitbit, Garmin, Apple Watch GPS NOW!

Categories
privacy security

SingHealth cyberattack: MAS orders financial institutions to tighten customer verification – Channel NewsAsia

Good pre-emptive measure to prevent possible misuse of information from the SingHealth hack.

“With immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race, and date of birth) for customer verification,” MAS said in a statement.

“Additional information must be used for verification before undertaking transactions for the customer. This may include, for instance, One-Time Password, PIN, biometrics, last transaction date or amount, etc.”

Source: SingHealth cyberattack: MAS orders financial institutions to tighten customer verification – Channel NewsAsia

Categories
privacy security

Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee’s data targeted

This is indeed the most serious cybersecurity breach in Singapore so far. 1.5 million records were exfiltrated. If this were to happen to a private company, the fine for breaching PDPA would surely be significant. While cyber attacks are not uncommon or unexpected, having it happen in a way that affects so many people will surely bring pause to many ongoing and upcoming IT projects in the pipeline.

Source: Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee’s data targeted

Categories
privacy

Facebook scraped call, text message data for years from Android phones

I’ve been saying this for ages. iOS privacy and app permission handling is superior to Android from the start.

Maybe check your data archive to see if Facebook’s algorithms know who you called.

Source: Facebook scraped call, text message data for years from Android phones

Categories
privacy security

Maersk Reinstalled 45,000 PCs and 4,000 Servers to Recover From NotPetya Attack

A heroic effort by the IT team from Maersk. But this just goes to show the huge impact that randomware can have on today’s businesses.

The world’s largest container shipping company —A.P. Møller-Maersk— said it recovered from the NotPetya ransomware incident by reinstalling over 4,000 servers, 45,000 PCs, and 2500 applications over the course of ten days in late June and early July 2017.

Source: Maersk Reinstalled 45,000 PCs and 4,000 Servers to Recover From NotPetya Attack