Privacy and security news, 2 14 2021

Hacks, leaks, breaches, security holes

The Solarwinds hack appears to have opened a window on a pervasive problem. It appears that some of the vulnerabilities were well-known: Russian hackers used a technique experts had warned about for years. Why wasn’t the U.S. government ready? And a key opening was discussed years ago: Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps

This leads to the belief that Supply chain security is actually worse than we think Some of those problems appear to have gone on for a long time The Long Hack: How China Exploited a U.S. Tech Supplier And it doesn’t just affect data centers: With one update, this malicious Android app hijacked millions of devices

Ransomware appears to have entered an arms race Free decrypter released for Avaddon ransomware victims... aaand, it's gone! Even if they can’t recover their data CD Projekt Red says it was hacked but won't pay the ransom

An alarming hack last week did not just affect the digital domain, but hit physical systems: Florida city attacked by a hacker trying to poison its drinking water While this was detected by an alert employee, there is some blame to go around Breached water plant employees used the same TeamViewer password and no firewall

As usual, a broad range of hacks came to light last week:

• Europol takes down hackers who allegedly stole over $100 million in crypto from celebs

• Researchers find more victims of one of Iran’s oldest hacking groups

• Singtel hit by third-party vendor's security breach, customer data may be leaked

• Authorities arrest SIM swapping gang that targeted celebrities

• Yandex said it caught an employee selling access to users' inboxes

• KeepChange said it stopped hackers from stealing user funds, but not personal data

• Zero-days under active exploit are keeping Windows users busy

The continuing disclosure of vulnerabilities illustrates the risk of hacks to come

• This old security vulnerability left millions of Internet of Things devices vulnerable to attacks

• A Windows Defender Vulnerability Lurked Undetected for 12 Years

• A Barcode Scanner App With Millions of Downloads Goes Rogue

• A webcam app left thousands of user accounts exposed online

• Microsoft warns enterprises of new 'dependency confusion' attack technique

• Microsoft to add 'nation-state activity alerts' to Defender for Office 365

Some vulnerabilities are disclosed, others are traded The Untold History of America’s Zero-Day Market The never-ending news is leading to data breach 'fatigue' that reduces Wall Street punishment for cybersecurity failures

Privacy & surveillance

The controversies about face recognition and other biometric technologies continue. While Sweden’s data watchdog slaps police for unlawful use of Clearview AI and Minneapolis prohibits use of facial recognition software by its police department , Clearview AI Thinks The Solution to Dating Is Facial Recognition. Not wanting to fall behind Amazon’s Halo, Facebook's Reportedly Working on a Smartwatch so It Can Hoover Up Your Health Data Too. And for athletes, As biometrics boom, who owns athletes’ data? It depends on the sport.

The surveillance technologies are getting more sophisticated

• FingerprintJS raises $8 million to expand its enterprise identification API

• Scientists prove that deepfake detectors can be duped

• Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online

• Android spyware strains linked to state-sponsored Confucius threat group

Attacking the final frontier: Thought-detection: AI has infiltrated our last bastion of privacy

While some intrusions are becoming more invasive

• Amazon delivery app Mentor tracks drivers’ locations and measures their performance

• These dating apps are tracking your location

• LA cops tried using Instagram's copyright filter to stop someone from filming them

there is some push to limit the privacy incursions

• Ancestry says it fought two police requests to search its DNA database

• Prosecutors Suspend Government Spyware Used in WhatsApp Phishing Attacks

• Clubhouse is tightening security to address China spying fears

Government regulation

Some regulations are advancing privacy

• EU’s top privacy regulator urges ban on surveillance-based ad targeting

• Virginia is poised to pass a state privacy law

• Existing consumer right to repair protections are not enough: ACCC

It’s interesting to see how private companies are asking for more regulations Facebook and Snap Inc call for a GDPR-aligned Australian Privacy Act while others are pushing back Huawei files lawsuit disputing FCC 'security threat' designation