Privacy and security news, 2 14 2021
Hacks, leaks, breaches, security holes
The SolarWinds hack appears to have opened a window on a pervasive problem. It appears that some of the vulnerabilities were well-known: Russian hackers used a technique experts had warned about for years. Why wasn’t the U.S. government ready? And a key opening was discussed years ago: Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps.
This leads to the belief that Supply chain security is actually worse than we think. Some of those problems appear to have gone on for a long time: The Long Hack: How China Exploited a U.S. Tech Supplier. And it doesn’t just affect data centers: With one update, this malicious Android app hijacked millions of devices.
Ransomware appears to have entered an arms race: Free decrypter released for Avaddon ransomware victims... aaand, it's gone! Even if they can’t recover their data, CD Projekt Red says it was hacked but won't pay the ransom.
An alarming hack last week did not just affect the digital domain, but hit physical systems: Florida city attacked by a hacker trying to poison its drinking water. While this was detected by an alert employee, there is some blame to go around: Breached water plant employees used the same TeamViewer password and no firewall.
As usual, a broad range of hacks came to light last week:
Europol takes down hackers who allegedly stole over $100 million in crypto from celebs
Researchers find more victims of one of Iran’s oldest hacking groups
Singtel hit by third-party vendor's security breach, customer data may be leaked
Authorities arrest SIM swapping gang that targeted celebrities
Yandex said it caught an employee selling access to users' inboxes
KeepChange said it stopped hackers from stealing user funds, but not personal data
Zero-days under active exploit are keeping Windows users busy
The continuing disclosure of vulnerabilities illustrates the risk of hacks to come:
This old security vulnerability left millions of Internet of Things devices vulnerable to attacks
A Windows Defender Vulnerability Lurked Undetected for 12 Years
Microsoft warns enterprises of new 'dependency confusion' attack technique
Microsoft to add 'nation-state activity alerts' to Defender for Office 365
Some vulnerabilities are disclosed, others are traded: The Untold History of America’s Zero-Day Market. The never-ending news is leading to data breach 'fatigue' that reduces Wall Street punishment for cybersecurity failures.
Privacy & surveillance
The controversies about face recognition and other biometric technologies continue. While Sweden’s data watchdog slaps police for unlawful use of Clearview AI and Minneapolis prohibits use of facial recognition software by its police department, Clearview AI Thinks The Solution to Dating Is Facial Recognition. Not wanting to fall behind Amazon’s Halo, Facebook's Reportedly Working on a Smartwatch so It Can Hoover Up Your Health Data Too. And for athletes, As biometrics boom, who owns athletes’ data? It depends on the sport.
The surveillance technologies are getting more sophisticated:
FingerprintJS raises $8 million to expand its enterprise identification API
Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online
Android spyware strains linked to state-sponsored Confucius threat group
Attacking the final frontier: Thought-detection: AI has infiltrated our last bastion of privacy
While some intrusions are becoming more invasive:
Amazon delivery app Mentor tracks drivers’ locations and measures their performance
LA cops tried using Instagram's copyright filter to stop someone from filming them
There is some push to limit the privacy incursions:
Ancestry says it fought two police requests to search its DNA database
Prosecutors Suspend Government Spyware Used in WhatsApp Phishing Attacks
Clubhouse is tightening security to address China spying fears
Government regulation
Some regulations are advancing privacy:
EU’s top privacy regulator urges ban on surveillance-based ad targeting
Existing consumer right to repair protections are not enough: ACCC
It’s interesting to see how private companies are asking for more regulations: Facebook and Snap Inc call for a GDPR-aligned Australian Privacy Act, while others are pushing back: Huawei files lawsuit disputing FCC 'security threat' designation.