Author Archives: Luana PASCU

Adidas fans hit by phishing scam

Why users keep falling for even the clumsiest phishing scams is hard to fathom, but attackers count on it and hide their schemes behind the usual fake prizes and too-good-to-be-true giveaways. This time it was Adidas’ turn to be impersonated in a major phishing campaign aimed at users in specific regions.

A fake Adidas campaign promising free shoes spread quickly through WhatsApp, and it is not even the first time this year that the same scheme has been used. To celebrate its supposed 69th anniversary, the sportswear company was said to be giving away 2,500 pairs of shoes to users who completed a four-question survey.

All they had to do was click a link to claim the prize and share it with their WhatsApp contacts. The redirect chain keyed off the visitor’s IP address and targeted mobile devices in Norway, Sweden, Pakistan, Nigeria, Kenya, Macau, the United States, the Netherlands, Belgium and India.

No matter how many times victims tried to share the campaign, there was no way to confirm the share had gone through; that, too, was part of the scam. The fact that they could not choose a color or size should have been a hint that the campaign was not legitimate, as should the misspelled company name in the spoofed link.

Users were then asked to pay $1 to claim the free sneakers, and instead found themselves enrolled in a recurring $50-per-month subscription. The scammers thus collected both payment card and contact details. The subscription signs users up automatically for a service called “organizejobs,” which has been identified as a scam.

Banco de Chile admits losing $10 million in disk-wiping malware attack

Banco de Chile, the second largest bank in the country, released a public statement confirming a major malware attack that breached its computer systems on May 24 and shut down bank operations. The attackers used disk-wiping malware to cause the outage as a distraction from their real target, the SWIFT money transfer system.

Although branch operations were suspended, the internet portal, mobile applications and ATMs were unaffected and remained safe to use. Some 9,000 terminals and 500 servers across multiple branches were hit by the malware.

According to the bank’s CEO Eduardo Ebensperger, $10 million were stolen and linked to accounts based in Hong Kong.

“We found some strange transactions on the Swift system, and that’s when we realized that the virus wasn’t all of it, but fraud was being attempted,” he confirmed in an interview last week (translation).

Analyzing images posted by bank employees, Bleeping Computer deduced the malware “was affecting hard drives’ Master Boot Records (MBRs) a-la NotPetya.” The sample was tentatively identified as KillMBR, a family used specifically in attacks meant to destroy data at financial institutions.

Financial institutions remain a top target for hackers in 2018. In 2015 and 2016, millions of dollars were stolen by attackers who manipulated the SWIFT banking network. The group behind those thefts, known as Lazarus Group, has been directly linked to North Korea and is blamed for attacks on 12 banks in Southeast Asia and on Sony Pictures Entertainment.
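A wiper that overwrites the MBR, as described above, leaves a first sector that no longer parses as one. The following is an added example, not code from the article or from Bleeping Computer’s analysis, of the sanity check an incident responder can run against the first 512 bytes of a disk or disk image to tell a healthy MBR from a trashed one; the sample sectors are constructed in `build_sample_mbr()` and `wiped_variants()` rather than taken from any real machine.

```python
"""Sanity-check a 512-byte Master Boot Record, the structure NotPetya-style wipers overwrite.

Added example; the sample sectors below are constructed, not captured from a real disk.
"""
import struct

SECTOR = 512
PART_TABLE_OFF = 446          # 446 bytes of boot code, then 4 x 16-byte partition entries
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xaa"  # little-endian 0xAA55 at the end of a valid MBR


def parse_partitions(sector):
    """Yield the four classic partition entries as dicts."""
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # boot flag, CHS start (3 bytes skipped), type, CHS end (3 skipped), LBA start, sectors
        boot, type_, lba_start, lba_size = struct.unpack_from("<B3xB3xII", sector, off)
        yield {"index": i, "bootable": boot, "type": type_, "start": lba_start, "size": lba_size}


def check_mbr(sector):
    """Return {'ok': bool, 'findings': [...]} explaining why the MBR looks damaged."""
    findings = []
    if len(sector) < SECTOR:
        return {"ok": False, "findings": [f"short read: {len(sector)} bytes"]}
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(sector[:PART_TABLE_OFF]):
        findings.append("boot code area is all zeros")
    entries = list(parse_partitions(sector))
    used = [p for p in entries if p["type"] != 0]
    if not used:
        findings.append("no partition entries")
    for p in entries:
        if p["bootable"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid boot indicator 0x{p['bootable']:02x}")
        if p["type"] != 0 and (p["start"] == 0 or p["size"] == 0):
            findings.append(f"entry {p['index']}: zero start or size")
    # Overlapping partitions are a classic symptom of a table overwritten with junk.
    spans = sorted((p["start"], p["start"] + p["size"]) for p in used)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions overlap at LBA {s2}")
    return {"ok": not findings, "findings": findings}


def read_mbr(path):
    """First sector of a disk image; a raw device such as /dev/sda needs root."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr():
    """Constructed healthy MBR: dummy boot code, a bootable NTFS (0x07) partition
    at LBA 2048 and a Linux (0x83) partition right after it."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PART_TABLE_OFF - 3)   # cli; xor ax,ax; nops
    entries = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    entries += struct.pack("<B3xB3xII", 0x00, 0x83, 2048 + 204800, 1_000_000)
    entries += bytes(32)                                            # two empty entries
    return boot_code + entries + BOOT_SIGNATURE


def wiped_variants(good):
    """Constructed 'after the wiper' states of the same sector."""
    return {
        "zeroed": bytes(SECTOR),                          # sector zero-filled
        "junk": bytes([0xAA]) * SECTOR,                   # overwritten with a fill pattern
        "sig_only_gone": good[:SIGNATURE_OFF] + b"\x00\x00",  # only the signature clobbered
    }


if __name__ == "__main__":
    good = build_sample_mbr()
    print("healthy:", check_mbr(good))
    for name, sector in wiped_variants(good).items():
        print(name + ":", check_mbr(sector))
```

Run it against `read_mbr("disk.img")` for a real image; an `ok: False` with “boot signature missing” and a zeroed boot area on a machine that no longer boots is consistent with an MBR wipe, whereas a sector that parses cleanly points the investigation elsewhere (bootloader, partition contents, or the OS itself).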

FBI arrests 74 alleged scammers in international financial fraud operation

The Nigerian email fraud that began with the “prince” scams is back, and this time it goes after smaller businesses instead of large corporations. On Monday, the FBI announced the arrest of 74 alleged email scammers across seven countries, including 42 in the US alone, among them 15 money mules.

The elaborate scam had been targeting employees from medium-sized businesses that had access to finances or wire transfer payments. Once scammers gained access to an employee’s email account, they posed as that person or as a business partner.

This is a typical BEC (Business Email Compromise) scheme, which the FBI also calls “cyber-enabled financial fraud”; the campaign started in Nigeria and quickly spread to other countries. Email scams of this kind also target individuals, tricking them into making real estate payments or helping someone supposedly in need, and even tech giants such as Google and Facebook have lost millions to them.

The investigation, dubbed “Operation WireWire,” took six months and was a joint effort of local law enforcement overseas and US federal authorities, including the Department of Homeland Security, the Department of the Treasury and the US Postal Inspection Service. It led to a large number of arrests in just two weeks across the US, Canada, Nigeria, Mauritius and Poland. Authorities disrupted fraudulent wire transfers to recover some $14 million and seized $2.4 million.

“A number of cases charged in this operation involved international criminal organizations that defrauded small- to large-sized businesses, while others involved individual victims who transferred high-dollar amounts or sensitive records in the course of business,” said the FBI.

“The devastating impacts these cases have on victims and victim companies affect not only the individual business but also the global economy. Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.”

Bitcoin drops 10% after hack of South Korean exchange service

CoinRail, a small cryptocurrency exchange based in South Korea, reported on Sunday via Twitter that it had been the victim of a cyberattack. Bitcoin’s price fell 10 percent in response, to its lowest level since April.

“The price of bitcoin dropped $500 in a single hour Sunday to hit a two-month low below $6,700,” wrote CoinDesk.

CoinRail lost roughly 30 percent of the tokens it held at the time of the hack, namely Pundi X (NPXS), NPER (NPER) and Aston (ATX); local media estimated the loss at $37.28 million. CoinRail’s website has been in maintenance mode since the intrusion was identified. It states that most of the remaining cryptocurrency has been moved to offline (cold) wallets, but gives no details on the actual financial loss.

“At present, 70% of your coin rail total coin / token reserves have been confirmed to be safely stored and moved to a cold wallet and are in storage,” reads their website (according to Google translate). “Two-thirds of the coins confirmed to have been leaked are covered by freezing / recalling through consultation with each coach and related exchanges. The remaining one-third of coins are being investigated with investigators, relevant exchanges and coin developers.”

CoinRail is working with an external forensics firm to investigate the breach and recover from the damage. Together with the token projects involved, it is trying to freeze the stolen tokens.

South Korea is a major cryptocurrency trading hub, and this is not the first time one of its exchanges has been attacked: Youbit shut down in December after being hacked twice.

MyHeritage breach leaks 92 million emails, hashed passwords

Genealogy and DNA testing service MyHeritage announced that it has fallen victim to a cyberattack. A security researcher found, on a private server outside the company, a database containing the email addresses and hashed passwords of over 92 million users, stolen by an unknown attacker.

Once MyHeritage received news of the breach, the company immediately assembled an Information Security Incident Response Team to investigate, and confirmed that the discovery was genuine. The security researcher did not say how he got hold of the information, so MyHeritage is now investigating further to see how the breach actually occurred.

The internal investigation also found that only accounts created up to October 26, 2017 were affected, and there is no evidence so far that the stolen data has been used to attack accounts. MyHeritage stored a one-way hash of each password rather than the password itself, which limits what the attackers can do with the data; hashes of weak passwords can still be cracked offline, however, which is why the company has started a password reset for all accounts.

“Although no passwords leaked but only hashed versions of the passwords, we encouraged our users to change their password, and many already did so,” MyHeritage said. “However, to maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage. This process will take place over the next few days.”

MyHeritage’s systems don’t store credit card information either, because payments are handled by third-party providers. Family trees and DNA data were not affected, as they are kept on segregated systems.

“We believe the intrusion is limited to the user email addresses,” reads the company blog. “Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security.”

MyHeritage announced it would add two-factor authentication immediately for extra account protection. Authorities will also be informed in compliance with GDPR, and users are advised to check their accounts.

HR software PageUp breached, faces class action in Australia

Australian HR software provider PageUp is facing a class action after a major data breach exposed users’ personal information, Australian law firm Centennial Lawyers has announced. Some people who applied for jobs through PageUp are taking legal action because they fear their personal data was exposed and feel they have not been given enough detail about the breach: only a brief, general email was sent out, without much explanation.

“If any personal data has been affected it could include information such as name and contact details. It could also include identification and authentication data e.g. usernames and passwords which are encrypted (hashed and salted),” the company said in a statement.

PageUp detected “unusual activity” on May 23, CEO and co-founder Karen Cariss wrote on the company website, and once malware was identified a forensic investigation followed immediately. Thousands of job applicants may have been affected and could be exposed to identity fraud.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used,” Cariss wrote. “All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password.”

Some of Australia’s biggest organizations used PageUp’s software in their online recruitment, including Wesfarmers (Coles, Target, Kmart, Officeworks), NAB, Telstra, Commonwealth Bank, Lindt, Aldi, Linfox, the Reserve Bank of Australia, Australia Post, Medibank, ABC, Australian Red Cross, the University of Tasmania, AGL and Jetstar.

PageUp claims to have some 2 million active users in 190 countries.
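Both MyHeritage (“only hashed versions of the passwords” leaked) and PageUp (“hashed using bcrypt and salted”) lean on password hashing in their breach statements, and the difference between the two claims matters. The following added example, not code from either company, runs the same small dictionary attack against a plain unsalted hash and against a per-user-salted, deliberately slow hash. bcrypt is not in Python’s standard library, so `hashlib.pbkdf2_hmac` stands in for it; the users, passwords, word list and iteration count are constructed for the demonstration.

```python
"""Why "only hashed passwords leaked" still warrants a forced reset.

Added example, not MyHeritage's or PageUp's code. hashlib.pbkdf2_hmac stands in
for bcrypt; users, passwords, word list and iteration count are constructed.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty", "football"]  # constructed
ITERATIONS = 100_000   # constructed demo cost; tune to roughly 100 ms per hash in production


# Scheme A: a plain one-way hash, no salt, microseconds per guess.
def fast_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack_fast(stored):
    """Dictionary attack against scheme A: hash each candidate once, then match it
    against every user at no extra cost, because equal passwords give equal digests."""
    table = {fast_hash(w): w for w in WORDLIST}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


# Scheme B: per-user random salt plus a deliberately slow key derivation function.
def slow_hash(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_slow(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def crack_slow(stored):
    """Same dictionary against scheme B: the salt makes every (user, candidate) pair
    a separate KDF run. Returns (recovered, number_of_kdf_runs_spent)."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for w in WORDLIST:
            work += 1
            if verify_slow(w, salt, digest):
                found[user] = w
                break
    return found, work


def demo():
    """Constructed user base: two users share a weak password, one chose a strong one."""
    users = {"alice": "sunshine", "bob": "sunshine", "carol": "c0rrect-horse-battery-staple"}
    fast_db = {u: fast_hash(p) for u, p in users.items()}
    slow_db = {u: slow_hash(p) for u, p in users.items()}
    slow_found, slow_work = crack_slow(slow_db)
    return {
        "fast_same_digest": fast_db["alice"] == fast_db["bob"],        # shared password is visible
        "slow_same_digest": slow_db["alice"][1] == slow_db["bob"][1],  # salts differ, so no
        "fast_cracked": crack_fast(fast_db),   # weak passwords fall to one table lookup each
        "slow_cracked": slow_found,            # still fall, but only after slow_work KDF runs
        "slow_work": slow_work,
        "verify_ok": verify_slow("sunshine", *slow_db["alice"]),
        "verify_bad": verify_slow("sunshine!", *slow_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak passwords are recovered under both schemes; what changes is the cost. Under scheme A the attacker pays for each candidate once and reuses the result across all 92 million users, and identical digests reveal who shares a password. Under scheme B every user costs a fresh, slow run per candidate, which is what makes a forced reset a race the defender can win. Neither scheme rescues “sunshine”, which is the caveat behind MyHeritage’s reassurance.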

Booking.com partners, customers hit by phishing scam

Customers of hotels and guest houses listed on Booking.com were targeted by a recent phishing scam designed to steal their information, The Sun reports. Users first received WhatsApp and text messages telling them to change their passwords because they had supposedly been caught up in a security breach. Soon after they clicked the link, the attackers sent phishing emails asking for payment details for their bookings.

The emails were well written and detailed enough to convince users they were legitimate messages about their holiday accommodation: they included names, addresses, phone numbers, prices, booking references and dates.

According to some reports, the customer data may in fact have been stolen through a compromise of hotels that operate on Booking.com.

The company says only a small number of properties were affected and that its own systems were not compromised.

A Booking.com spokesperson said in a statement for The Independent:

“Security and the protection of our partner and customer data is a top priority at Booking.com. Not only do we handle all personal data in line with the highest technical standards, but we are continuously innovating our processes and systems to ensure robust security on our platform.

“In this case, there has been no compromise on Booking.com systems. A small number of properties have been targeted by phishing emails sent by cyber criminals and by clicking on those emails, the properties compromised their accounts. All potentially impacted guests have been notified and because we value our customers at Booking.com, we are supporting impacted guests to compensate for any losses incurred, and reclaim these from the property.

“If customers have any questions regarding their reservation or to report losses, they can contact our customer service team.”

Australia’s Commonwealth Bank leaks data of 10,000 customers over domain misspelling

Just last month, Australia’s Commonwealth Bank admitted losing the financial records of some 20 million customer accounts. Now the bank has dropped the ball again, confirming on Friday that it mistakenly sent the data of some 10,000 customers to the wrong email domain.

Over the last financial year, a simple misspelling of the bank’s domain, omitting the “.au” and addressing mail to “cba.com” instead of “cba.com.au,” sent 651 internal emails to the wrong domain. An internal investigation into the domain’s ownership revealed it belonged to a US-based cybersecurity company and, before that, to a US financial services company.

Emails to cba.com have been blocked since January 2017, and CBA bought the domain in April 2017.

CBA assures its customers that their data has not been compromised and that anyone affected by the error will be contacted.

“We want our customers to know that we are committed to being more transparent about data security and privacy matters,” said Angus Sullivan, CBA’s acting group executive for retail banking services.

“Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge, however, that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”

The emails were deleted by the domain owner’s systems and permanently purged from its servers. The investigation confirmed that the data in the emails was not used in any way.
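Both the Adidas campaign (a spoofed link carrying a misspelled company name) and the CBA incident (mail addressed to cba.com instead of cba.com.au) come down to a domain that merely resembles a legitimate one. The following is an added example, not code from the articles or from either company, of a classifier that catches the common variants: look-alike characters (including punycode-encoded ones), one-keystroke typos, a missing or wrong public suffix, and a brand name buried in a subdomain. It doubles as an outbound-mail check in the CBA spirit via `flag_recipients()`. The protected-domain list, the public-suffix table and the confusable-character map are constructed for the demonstration; a real deployment would use the full Public Suffix List and a complete Unicode confusables table.

```python
"""Spot domains that merely look like a protected domain.

Added example; the protected list, suffix table and confusable map are constructed.
"""
import unicodedata

PROTECTED_DOMAINS = {"adidas.com", "cba.com.au"}          # constructed: domains we own
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "au", "com.au", "co.uk"}  # constructed subset
CONFUSABLES = {                                              # constructed sample of look-alikes
    "\u0131": "i", "\u0456": "i",                            # dotless i, Cyrillic i
    "\u0430": "a", "\u0435": "e", "\u043e": "o",             # Cyrillic a, e, o
    "\u0441": "c", "\u0455": "s",                            # Cyrillic es, dze
    "0": "o", "1": "l",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def _decode_label(label):
    """Turn an 'xn--' (punycode) label back into Unicode so look-alikes are visible."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def normalize(domain):
    """Comparison form only: lowercase, decode IDNA, strip accents, fold confusables."""
    labels = domain.strip().rstrip(".").lower().split(".")
    text = ".".join(_decode_label(lab) for lab in labels)
    text = "".join(ch for ch in unicodedata.normalize("NFKD", text) if not unicodedata.combining(ch))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in MULTI_CONFUSABLES.items():
        text = text.replace(seq, repl)
    return text


def split_domain(domain):
    """(brand_label, public_suffix, subdomain_labels); the longest known suffix wins."""
    labels = domain.split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[-n - 1], ".".join(labels[-n:]), labels[:-n - 1]
    return labels[0], "", []


def edit_distance(a, b):
    """Levenshtein distance, for catching one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, protected domain it resembles or None)."""
    raw = domain.strip().rstrip(".").lower()
    if raw in PROTECTED_DOMAINS:
        return "legitimate", raw
    norm = normalize(raw)
    if norm in PROTECTED_DOMAINS:
        return "homoglyph", norm                  # same name once look-alike chars are folded
    brand, suffix, subs = split_domain(norm)
    for prot in sorted(PROTECTED_DOMAINS):
        p_brand, p_suffix, _ = split_domain(prot)
        if brand == p_brand:
            if norm != raw:
                return "homoglyph", prot          # e.g. ad\u0131das.de
            return "wrong_suffix", prot           # e.g. cba.com instead of cba.com.au
        if edit_distance(brand, p_brand) <= 1:
            return "typo", prot                   # e.g. adidass.com
        if p_brand in subs:
            return "brand_in_subdomain", prot     # e.g. adidas.com.evil.net
    return "unrelated", None


def flag_recipients(addresses):
    """Outbound-mail check: return (address, verdict, resembled_domain) for risky recipients."""
    hits = []
    for addr in addresses:
        verdict, prot = classify(addr.rsplit("@", 1)[-1])
        if verdict not in ("legitimate", "unrelated"):
            hits.append((addr, verdict, prot))
    return hits


if __name__ == "__main__":
    for d in ["adidas.com", "ad\u0131das.com", "adidass.com", "cba.com", "adidas.com.evil.net"]:
        print(d, "->", classify(d))
    print(flag_recipients(["alice@cba.com.au", "bob@cba.com"]))
```

The “wrong_suffix” verdict is deliberately strict: a genuinely owned regional domain such as a country-specific variant will be flagged unless it is in `PROTECTED_DOMAINS`, so the list must contain every domain the organization actually owns. For outbound mail the right action on a hit is to quarantine and ask the sender, not to silently drop; for inbound links it is to treat the URL as hostile.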

Australia to force tech companies to allow government access to encrypted messages

The Australian government has drafted laws to gain access to encrypted messages from messaging apps, but tech companies fear this would require backdoors that weaken encryption and jeopardize security, The Guardian writes.

The government presents the measures as a partnership with telecom and tech companies “to modernize” interception legislation and keep a closer eye on suspected criminals and terrorists. Officials say backdoors are out of the question and that other means of obtaining decrypted content will be used. As expected, Facebook and Google are key players because of the vast amounts of personal data they hold.

Australian Cyber Security Minister Angus Taylor gave no clear explanation of the technology and methods that would be used to access encrypted messages, or whether surveillance code would be installed on mobile devices. Despite his reluctance to offer details, one thing is certain: the government intends the law to take effect in the coming months, and companies that don’t comply will be fined.

“The key point here is that we need to modernize our laws and get access to information for holding criminals and terrorists to account for investigations and gathering evidence,” Taylor said in an interview.

“Those laws were developed during an analogue era decades ago and they are now out of date. Much data and information is transferred through messaging apps and it’s digital not analogue. There’ve been very substantial changes in the technology and we need to update the powers.”

Facebook exposed users’ personal data in data-sharing partnership

“Every piece of content that you share on Facebook you own. You have complete control over who sees it and how you share it,” said Mark Zuckerberg in front of Congress a couple of months ago. But his company may not be taking privacy protection as seriously as he claimed during the Congress hearings.

For the past 10 years, Facebook has had data-sharing partnerships with more than 60 makers of computers, tablets and smartphones, including Amazon, Apple, Samsung, Microsoft, HTC and BlackBerry, exposing users to privacy and security risks, The New York Times alleges in an investigative report.

The newspaper says the partnerships may violate a 2011 consent agreement with the Federal Trade Commission under which Facebook needs explicit user consent before providing third parties with user data. Facebook gave the device makers access to users’ personal data and to data about their friends, in breach of its own privacy policies, the report argues.

Facebook disputes the Times’ account, arguing that the device-integrated APIs in question were built to “recreate Facebook-like experiences” on mobile devices, according to a blog post by Ime Archibong, VP of Product Partnerships at Facebook. The company does confirm that some partners stored the data on their own servers.

“Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built,” Archibong writes.

“Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”

Apple users can download all the data the company has on them

Unless you’ve been living under a rock, you’ve been blasted with emails about GDPR, the EU’s data protection regulation. Companies must inform customers how their data is processed and assure them that it will be protected from now on.

Apple is one of the companies moving to comply with GDPR, which takes effect tomorrow, May 25. It has launched a Data and Privacy portal giving users access to everything Apple knows and stores about them, including online activity, Apple ID account details, iCloud data, contacts, photos, documents, music and store purchase history. Once logged in, users get clear instructions on how to download their data.

Because the archive can be as large as 25GB, preparing it may take up to a week. Users interested in the data are advised not to delay, as the download is available for two weeks before it expires. Since users will mostly be downloading data they willingly gave the company, they shouldn’t be shocked by anything they find.

For now, the download option is offered to accounts based in the European Union member states, which the regulation directly covers, and in the European countries outside the Union that Apple also includes: Iceland, Liechtenstein, Norway and Switzerland. Apple plans to make the feature available worldwide in the future.

The University of Greenwich fined by ICO for leaking 20,000 records

The Information Commissioner’s Office has fined the University of Greenwich £120,000 (about $160,000) under the Data Protection Act 1998 for exposing the personal data of almost 20,000 staff, alumni and students, the BBC reports.

The exposed information included names, addresses, birthdates, phone numbers, study progress, email conversations between students and staff and some 3,500 health records with detailed information about physical and mental issues.

The data had been placed online on a microsite built for a conference in 2004, which was left active and unsecured after the event ended. The site was compromised in 2013 and again in 2016 by attackers who exploited its vulnerabilities to get into the web server.

The security breach was detected by a university student who reported it to the BBC and the ICO.

“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, head of enforcement at the ICO.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The University of Greenwich accepted the decision and claims to have taken serious measures to secure its data and infrastructure.

“We acknowledge the ICO’s findings and apologize again to all those who may have been affected,” said University Secretary Peter Garrod.

“No organization can say it will be immune to unauthorized access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made. We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.”

Kid monitoring app TeenSafe exposes user data

Parental monitoring app TeenSafe left thousands of passwords exposed on an unsecured Amazon-hosted server, UK-based security researcher Robert Wiggins found.

The app lets parents monitor their children’s online activity, such as messages on social media, web searches, call history and the apps installed on their phones. It is available for both Android and iOS.

At the root of the leak was one of the company’s data servers hosted on Amazon’s cloud, which was reachable from the internet without any password. The server held device names, Apple ID email addresses and plaintext passwords, so more than 10,000 accounts of parents and their children were exposed. Worse, the app requires two-factor authentication to be disabled on the monitored Apple ID in order to work, which means the leaked email and password pairs were enough on their own to log in to those accounts.

“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a company spokesperson told ZDNet.

TeenSafe collects a large amount of data from its users, so the breach raises questions about the company’s overall approach to keeping that data safe. In-app content such as photos, GPS data and messages was not stored on the exposed server, so it was not affected.

The company claims to have over 1 million users in the US.

Former CIA engineer allegedly leaked Vault 7 hacking tools

Former CIA employee Joshua Adam Schulte has been identified as the prime suspect in last year’s leak of the “Vault 7” hacking tools the agency used in espionage operations, after the FBI had initially suspected contractors, The Washington Post writes. The material WikiLeaks received allegedly ran to more than 8,000 pages of documented techniques.

Although his apartment was searched and notes, notebooks and computer equipment were seized, the evidence was not strong enough to indict him. His attorney claims “those search warrants haven’t yielded anything that is consistent with [Schulte’s] involvement in that disclosure.”

Schulte worked in the CIA’s Engineering Development Group, which writes code used in cyberespionage. He is currently jailed in Manhattan on child pornography charges filed in August 2017, to which he has pleaded not guilty.

Despite months of investigation, the US government has not charged him over the leak. The Vault 7 investigation is continuing and Schulte “remains a target of that investigation,” a prosecutor said.

Some argue the Vault 7 leak could do more harm than Edward Snowden’s revelations, because it contains the actual tools the CIA used to compromise messaging apps and devices such as routers, computers, phones and TVs and to exfiltrate data. Those same tools could be turned against US national security.

Before joining the CIA, Schulte worked for the NSA. He claims he was “the only one to have recently departed [the CIA engineering group] on poor terms,” after reporting “incompetent management and bureaucracy.”

The CIA refused to comment.

Chili’s hit by malware, payment card data stolen

Chili’s customers may have had their payment card data stolen by malware that hit a number of the chain’s restaurants, parent company Brinker International confirmed on Saturday. The malware reportedly harvested payment card details along with cardholder names. Because Chili’s does not collect Social Security numbers, full dates of birth or federal identification numbers, those were not at risk.

Brinker brought in an external forensic team to investigate; so far the attack is believed to have taken place between March and April. The company also said that not everyone who used a card at an affected restaurant necessarily had their data exposed. The investigation will establish who was responsible and how the incident happened.

“On May 11, 2018, we learned that some of our Guests’ payment card information was compromised at certain Chili’s restaurants as the result of a data incident,” said Brinker International in a press release. “Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident. We deeply value our relationships with our Guests and sincerely apologize to those who may have been affected.”

Since the breach was only detected on Friday, customers are strongly advised to check their statements for unauthorized transactions and to contact their bank immediately if they suspect fraud. Brinker is offering free credit monitoring and fraud resolution to customers whose card data was stolen.

Attackers have made a habit of going after popular restaurant, retail and hotel chains: Sears, Kmart, Whole Foods, Under Armour, Home Depot and Target have all suffered breaches. So far there is no evidence that data stolen from Chili’s has been offered for sale on the dark web.

16-year-old arrested after phishing scheme against teachers to change grades

A 16-year-old high school student from California was arrested on Wednesday on 14 felony counts tied to a phishing scheme he allegedly ran against teachers in his school district. The investigation that led to the arrest was a joint effort by local police, a Contra Costa County task force and the Secret Service, according to KTVU.

David Rotaro, a student at Ygnacio Valley High School in the Bay Area, is accused of sending phishing emails to teachers to trick them into clicking a link that led to a fake page he had built to mimic the district’s official teacher portal.

One teacher unwittingly logging in to the fake site with real credentials was enough. Rotaro allegedly captured that teacher’s username and password and used them to access the district’s grading system, changing his own grades and those of other students. In some cases grades were lowered, in others raised.
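The scheme above works because a cloned login page sits on a host that merely resembles the real portal. The following is an added example, not code from the original article or from the school district: a small scanner that pulls links out of an e-mail body and classifies each host against the legitimate portal, catching the three usual tricks (a typo-squatted registered domain, the real brand used as a subdomain of an attacker’s domain, and the brand embedded in an unrelated registered domain). The portal name, the sample e-mail and the two-label “registered domain” shortcut are all assumptions made for the example; a production tool would use the Public Suffix List.

```python
"""Flag links in an e-mail body whose host impersonates a known login portal.

Added example; the portal name and the sample message below are constructed.
"""
import re
from urllib.parse import urlparse

# Assumed legitimate portal host (hypothetical; the article names no domain).
LEGIT_PORTAL = "portal.example-school.org"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed phishing e-mail, in the style of the campaign described above.
SAMPLE_EMAIL = """Dear teacher, your grades portal password expires today.
Please sign in at http://portal.example-school.org.evil.net/login to keep access,
or use our backup at https://example-schoo1.org/teacher .
Official site: https://portal.example-school.org/"""


def registered_domain(host):
    """Crude 'registered domain': the last two labels.  Adequate for .org/.com
    in this example; real tooling should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squats like schoo1 vs school."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, legit=LEGIT_PORTAL):
    """Return 'legit', 'unrelated', or a 'lookalike:<kind>' verdict."""
    host = host.lower()
    legit_reg = registered_domain(legit)
    host_reg = registered_domain(host)
    if host_reg == legit_reg:
        return "legit"                      # same registered domain as the portal
    brand = legit_reg.split(".")[0]         # e.g. "example-school"
    if brand in host.split("."):
        return "lookalike:brand-as-subdomain"   # portal.example-school.org.evil.net
    if edit_distance(host_reg, legit_reg) <= 2:
        return "lookalike:typosquat"            # example-schoo1.org
    if brand in host_reg:
        return "lookalike:brand-embedded"       # example-school-login.com
    return "unrelated"


def scan_email(body, legit=LEGIT_PORTAL):
    """Return [(url, verdict)] for every link that is not the genuine portal."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")             # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        verdict = classify_host(host, legit)
        if verdict != "legit":
            findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:32} {url}")
```

Run against the constructed message, the scanner flags the brand-as-subdomain link and the typo-squatted one and leaves the genuine portal link alone; the same check belongs in a mail gateway or a browser extension, where a “lookalike” verdict should block the click or at least warn before a credential form is shown.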

Teachers reported the suspicious campaign about two weeks ago. The police traced the IP address to the boy’s house and used a special K-9 unit to detect hidden electronics. The dog found a flash drive hidden in a tissue box.

“We wrote numerous search warrants to get the IP addresses of the possible phishing site email. We got it and we did good old-fashioned police detective work and we narrowed it down to an address,” said Sgt. Carl Cruz, the Concord Police Financial Crimes Supervisor. “We believe 10-15 students’ grades were changed, but we’re still investigating.”

David Rotaro was released to his parents and is awaiting a court date.

US senators demand FTC investigate Google’s GPS data collection

Two US senators from the Democratic Party have urged the US Federal Trade Commission to thoroughly investigate Google and the way its Location History feature collects user data on Android smartphones. Once the setting is turned on, it is apparently enabled on every device signed in to the same account.

Google has been collecting large amounts of location data through Location History since 2009. Google was asked to comment on the matter and on its privacy policies in an official letter in December 2017, but Senators Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) were not convinced by the company’s detailed answers, so they wrote to Federal Trade Commission (FTC) Chairman Joseph Simons asking him to take a closer look at the company’s practices.

“Google has an intimate understanding of personal lives as they watch their users seek the support of reproductive health services, engage in civic activities or attend places of religious worship,” reads the request.

The two argue that users cannot genuinely opt out of the service even though they believe they can. Blumenthal and Markey believe Google takes advantage of consumers’ limited understanding of how data collection works, driving them to make uninformed decisions about what they share.

They “found that the consent process frequently mischaracterizes the service and degrades the functionality of products in order to push users into providing permission.”

In the fall of 2017, Quartz investigated Google and found that, even with location services disabled, Android devices still gathered the addresses of nearby cellular towers and sent them to Google, undermining the privacy choice users thought they had made.

Facebook removes 200 suspicious apps

Following the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg announced on March 21 that the company would conduct an audit to identify suspicious applications that may have exploited user data.

So far, around 200 applications have been identified and suspended, but their names haven’t been made public yet. Users whose data has been misused will be notified by Facebook. The episode nonetheless casts doubt on the company’s ability to properly protect users’ information and their right to privacy.

“To date thousands of apps have been investigated and around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data,” reads an update written by Ime Archibong, VP of Product Partnerships. “Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before 2015 — just as we did for Cambridge Analytica.”

The underlying problem is that Facebook’s business model has long been built on sharing user data with third-party applications, and the sudden change of heart may not fix much: once the information has left Facebook’s servers, the company has no control over what happens to it.

“The investigation process is in full swing, and it has two phases,” added Archibong. “First, a comprehensive review to identify every app that had access to this amount of Facebook data. And second, where we have concerns, we will conduct interviews, make requests for information (RFI) — which ask a series of detailed questions about the app and the data it has access to — and perform audits that may include on-site inspections.”

Soon after Facebook announced partial results of its app audit, New Scientist reported that the personal data of over 3 million Facebook users collected through the Cambridge Analytica personality test had in fact been accessible to anyone for the past four years.

Australia’s largest bank lost its customers’ financial history and forgot to mention it

Australia’s Commonwealth Bank has admitted losing years’ worth of backup tapes containing the financial records of some 12 million customers. When the loss occurred in 2016, the bank informed the Office of the Australian Information Commissioner but chose not to notify its customers. As a consequence, CBA now faces further investigation.

BuzzFeed News revealed that the backup contained banking statements collected between 2004 and 2014, while News.com.au claims the loss affects data of almost 20 million customers, collected between 2000 and 2016.

The data was held on magnetic tapes that subcontractor Fuji Xerox had been engaged to destroy. No certificate of destruction could be found, the tapes were never recovered, and the bank is investigating what happened to them and why the destruction was never documented.

The CBA assures its customers that no authentication data, such as PINs or passwords, was on the tapes, and that no suspicious activity has been detected. The tapes did contain names, addresses, account numbers and transaction details, which is enough to support convincing targeted fraud even without credentials.

“We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologize for any concern the incident may cause,” said Angus Sullivan, acting group executive.

“We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.”

One possible scenario, as initially concluded by a forensic team hired to investigate the privacy breach, is that “the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction.”

Anti-theft LoJack supposedly manipulated by Russian hackers to hijack computers

Security researchers from Arbor Networks’ ASERT lab have found that the laptop recovery software LoJack appears to have been repurposed as a remote-access tool in a subtle, sophisticated attack attributed to Russian state-sponsored actors. The tool was created as an anti-theft agent that lets a company remotely protect corporate data should a laptop be stolen.

Security products typically do not flag the tampered agent, because it is the legitimate anti-theft binary with only its command-and-control address changed; once installed, it reports to attacker-controlled infrastructure instead of the vendor’s, giving the attackers a persistent channel into the machine.

Legitimately, an administrator can use the software to locate a stolen laptop, encrypt its data or wipe it. On some devices the agent is preinstalled by default.

“This is basically giving the attacker a foothold in an agency,” Richard Hummel, manager of threat research at NETSCOUT Arbor’s ASERT, said in an interview with Dark Reading. “There’s no LoJack execution of files, but they could launch additional software at a later date.”

According to the report published on Tuesday, the Fancy Bear hacking group was manipulating the software to break into corporate networks. Fancy Bear servers appear to have been communicating with a number of LoJack executables; the researchers found “LoJack agents containing command and control (C2) domains likely associated with Fancy Bear operations,” the report reads.
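Since the tell-tale sign described above is a legitimate agent carrying an unexpected C2 hostname, the practical check is to extract every hostname embedded in the binary and compare it with the hosts the genuine agent is known to contact. The block below is an added example, not ASERT’s tooling and not anything from Absolute or the original article: it searches a blob for hostnames in plaintext and under every single-byte XOR key (a common, cheap way malware hides strings; that LoJack stores its C2 this way is an assumption here, not something the article states), then flags hosts outside an allowlist. The allowlist, the C2 name and the “agent image” layout are all constructed placeholders.

```python
"""Hunt for command-and-control hostnames embedded in an agent binary and flag
any that are not on the vendor allowlist.

Added example with constructed data; the allowlist, the C2 host and the
sample image layout are hypothetical, not the real agent's.
"""
import random
import re

# Hypothetical hosts the genuine agent is expected to talk to (placeholders).
KNOWN_GOOD = {"agent-recovery.example.com", "agent-update.example.com"}

# Hostname with at least one label and a TLD from a short list; the lookbehind
# and lookahead stop partial matches inside longer runs of label characters.
HOST_RE = re.compile(
    rb"(?<![a-z0-9-])(?:[a-z0-9-]{1,63}\.){1,4}(?:com|net|org|info|biz)(?![a-z0-9])",
    re.IGNORECASE,
)


def xor_bytes(data, key):
    """Single-byte XOR; key 0 is the identity, i.e. the plaintext view."""
    return bytes(b ^ key for b in data)


def find_hosts(blob):
    """Return {hostname: xor_key} for every hostname recoverable under some
    single-byte key.  Key 0 is tried first, so plaintext strings win ties."""
    found = {}
    for key in range(256):
        for m in HOST_RE.finditer(xor_bytes(blob, key)):
            found.setdefault(m.group().decode("ascii").lower(), key)
    return found


def classify_agent(blob, allow=KNOWN_GOOD):
    """Compare embedded hostnames with the allowlist.  Any host outside it is
    reported as suspicious, together with the key it was hidden under."""
    hosts = find_hosts(blob)
    suspicious = {h: k for h, k in hosts.items() if h not in allow}
    return {"hosts": hosts, "suspicious": suspicious, "tampered": bool(suspicious)}


def build_sample_image(c2_host, key):
    """Constructed stand-in for an agent binary (layout invented for this
    example): random filler, one plaintext vendor host, and one C2 host
    obfuscated with the given XOR key.  NUL bytes bracket the strings as they
    would in a C string table."""
    rng = random.Random(7)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    plain = b"\x00agent-update.example.com\x00"
    hidden = xor_bytes(b"\x00" + c2_host.encode("ascii") + b"\x00", key)
    return filler(512) + plain + filler(512) + hidden + filler(512)


if __name__ == "__main__":
    # Hypothetical attacker host, hidden under key 0xB5 in the sample image.
    image = build_sample_image("recovery-agent.evil-example.net", 0xB5)
    result = classify_agent(image)
    for host, key in result["hosts"].items():
        tag = "SUSPICIOUS" if host in result["suspicious"] else "known-good"
        print(f"{tag:11} key=0x{key:02x} {host}")
    print("tampered:", result["tampered"])
```

In a real triage you would run `classify_agent` over the agent file itself (or its memory image) and treat any hit outside the vendor’s hosts as grounds to pull the machine and check which process the agent spawned; the XOR sweep is deliberately generous, so the allowlist, not the extractor, is what keeps the false-positive rate down.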

“If they’re on a critical system or the user is someone with high privileges, then they have a direct line into the enterprise,” Hummel added, “with the permissions that LoJack requires, [the attackers] have permission to install whatever they want on the victims’ machines.”

It is not yet clear how the trojanized agents are delivered, but the researchers believe phishing is the most likely vector.

Fancy Bear has been widely covered in the news due to its strong association with Russian military intelligence and the attacks against the Democratic National Committee in the US.