Pardon the Intrusion #9: Privacy or security?

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

We’re starting off with some good news for a change! California’s landmark Consumer Privacy Act (CCPA) is now in effect — although, it won’t actually kick in for another six months.

CCPA is somewhat similar to the General Data Protection Regulation (GDPR) in the EU. What the law effectively means is that it allows anyone in California to now ask that companies don’t sell their data, and also request a copy of the data that companies have on them and hopefully even delete them. Sounds good, right?

But nothing is simple when it comes to the current exceedingly complex online data economy. What’s more, it raises some interesting questions about who exactly owns the data and whether we can ever have our data deleted completely.

What that means is honoring the principles of CCPA won’t be that easy. Companies readying to comply with CCPA in the state of California alone, never mind deciding to expand compliance nationally like Microsoft did, must now be able to detect phishing attacks quickly and work towards prevent data breaches.

This doesn’t consider another aspect of these regulations, as The New York Times’ Kashmir Hill wrote yesterday: “To get your personal data, you may have to give up more personal data.”

All of this only goes to show that regulations need to carefully assess the unintended consequences of giving individuals more control over their data.

***

Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

What’s trending in security?

Windows 7 reached its end of life, card skimmer malware hit Australian bushfire donation website, the United Nationsand Ukranian oil firm Burisma were the targets of a phishing attack, and the baddies behind Sodinokibi ransomware followed Maze’s footsteps by publishing data stolen from Artech Information Systems for not choosing to pay ransom.

In other news, North Korean state-backed hacker group Lazarus is using Telegram to steal cryptocurrency, Google tackled Joker malware by booting 1,700 apps from the Play Store, while a new Android “Shopper” Trojan camouflages itself as a system app to disable the Google Play Protect service, generate fake reviews, install malicious apps, and show ads.

• Fleeceware continues to be a major problem on Android. [Sophos]
• You can now use an iPhone as a security key for Google accounts. [Google]
• Microsoft fixed a bug in various versions of Windows after the National Security Agency (NSA) found that it could allow malicious code to masquerade as legitimate software. [Microsoft]
• Israeli forensics firm Cellebrite, which offers tools to help law-enforcement unlock and extract data from mobile devices, has acquired BlackBag Technologies for $33 million to expand its capabilities to computer forensics. [Reuters]
• SIM-swappers are escalating their attacks by targeting telecom companies run through remote software that grants them direct access to internal systems of telcos like AT&T, T-Mobile, and Sprint to take over customer cell phone numbers. [Motherboard]
• We all knew that SMS-based authentication is not secure. Here’s more proof: telcos use insecure authentication challenges that can easily be defeated by attackers. [Is SMS 2FA Secure?]
• Iranian state-backed hackers dubbed “Magnallium” are carrying out password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms. [WIRED / Dragos]
• 200 million cable modems from Broadcom are impacted by a “Cable Haunt” flaw that allows hackers to trick users into accessing a malicious page via their browser and execute malicious commands on the device. [ZDNet]

• The controversial Emirati messaging app ToTok made a quiet return to Google Play Store after being pulled for claims that it was being used for government espionage. [Threatpost]
• Citrix is racing to release a patch for a severe flaw disclosed in its Gateway products that could allow hackers to execute malicious code. The Cybersecurity and Infrastructure Security Agency (CISA) has now released a test to check for the vulnerability. [Positive Technologies / CERT]
• The UK’s top intelligence agency, GCHQ, is investigating the possibility that the London Stock Exchange outage in August may have been a cyberattack. [The Wall Street Journal]
• A cybercriminal group dubbed “SideWinder” is actively exploiting three Android apps Camero, FileCrypt Manager, and callCam to steal sensitive data stored on the device. [Trend Micro]
• London-based international foreign currency exchange Travelex is recovering from a ransomware attack last month that exploited a bug in Pulse Secure corporate VPN software. It allowed remote hackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. [TNW / CyberScoop]

• The Amazon Ring saga continued after the retail giant fired four employees for improperly accessing user videos. [Motherboard]
• HappyHotel, a Japanese search engine for finding and booking rooms in “love hotels,” disclosed a security breach. Worse, baddies may have gotten hold of real names, email addresses, login credentials, birth dates, gender information, phone numbers, home addresses, and payment card details. [ZDNet]
• Universities are tracking students by turning their phones into surveillance machines and beaming their whereabouts through short-range Bluetooth beacons and campus-wide Wi-Fi networks. [The Washington Post]
• US government funded Android phones for low-income users come pre-installed with unremovable malware capable of auto-installing adware and other unwanted apps without user consent. [Malwarebytes]
• TikTok fixed major security vulnerabilities in its app that could have let hackers manipulate content, gain access to private videos, and extract personal data. Likewise, Mozilla patched an actively exploited Firefox zero-day flaw that could allow attackers to take control of computers by accessing sensitive memory locations. [Check Point / Ars Technica]
• Snooping comes cheap! People can now buy an online account associated with a stranger’s home security camera for as low as 50 Yuan ($7.20) in Zhejiang, China. [Abacus]
• Misconfigured databases and unprotected servers continue to leak sensitive personal information, including email addresses and medical images, for anyone to access. [TechCrunch]

Data Point

The Society for Information Management’s (SIM) recently released IT Issues and Trends Study for 2019 — which polled 1,033 IT executives who hail from 618 organizations — showed that only 45.5% of organizations have a Chief Information Security Officer (CISO).

But in a positive development, 89% of them with revenue greater than $5 billion have a CISO in place. But having a CISO in place alone isn’t enough — the average readiness of companies hovered around 3.06 mark on a 0-5 scale, 1 being “Not Ready at All” and 5 for “Extremely Ready”.

Tweet of the week

Another showdown — Apple has reignited the encryption debate after it refused to help break into two phones used by a gunman in a deadly shooting last month at a naval air station in Pensacola, Florida.

We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW! MAKE AMERICA GREAT AGAIN.

— Donald J. Trump (@realDonaldTrump) January 14, 2020

That’s it. See you all in 2 weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)