acct, February 25, 2020, #281

We found 6 critical PayPal vulnerabilities – and PayPal punished us for it

Quote
#1 Bypassing PayPal's two-factor authentication (2FA)
For this issue, PayPal decided that, since the user's account must already be compromised for this attack to work, "there does not appear to be any security implications as a direct result of this behavior."

#2 Phone verification without OTP
Initially, the PayPal team via HackerOne took this issue more seriously. However, after a few exchanges, they stopped responding to our queries, and recently PayPal itself (not the HackerOne staff) locked this report, meaning that we aren't able to comment any longer.

#3 Sending money security bypass
When we submitted this to HackerOne, they responded that this is an "out-of-scope" issue since it requires stolen PayPal accounts.

#4 Full name change
This issue was deemed a Duplicate by PayPal, since it had been apparently discovered by another researcher.

#5 The self-help SmartChat stored XSS vulnerability
The same day that we informed PayPal of this issue, they replied that since it isn't "exploitable externally," it is a non-issue. However, while we planned to send them a full POC (proof of concept), PayPal seems to have removed the file on which the exploit was based.

#6 Security questions persistent XSS
The same day we reported this issue, PayPal responded that it had already been reported. Also on the same day, the vulnerability seems to have been patched on PayPal's side.

REDDIT - Transparency Report 2019

I'm picking out this excerpt, because two of these are not like the others...

Quote
In 2019, Reddit received a total of 110 requests from 12 law enforcement and other government entities to remove or restrict access to content on the platform.
salde, February 25, 2020, #282

3 hours ago, acct said:
> I'm picking out this excerpt, because two of these are not like the others...

Do you know the joke about where the elephant hides?
acct, June 9, 2020, #283

IBM will no longer offer, develop, or research facial recognition technology (WWW.THEVERGE.COM)
IBM is also advocating for police reform.
trendy, July 6, 2020, #284

https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked
minast, September 16, 2020, #285

A chance to revive the thread, with two important pieces of news:

A new vulnerability in Active Directory gives administrative access to unauthorized users, probably due to a bad AES implementation:

New Windows exploit lets you instantly become admin. Have you patched? (ARSTECHNICA.COM)
Zerologon lets anyone with a network toehold obtain domain-controller password.

And one more reason I don't like being asked for personal details just so I can run something on my computer: Razer left them lying around in plain view...

Private data gone public: Razer leaks 100,000+ gamers' personal info (ARSTECHNICA.COM)
No need to breach any systems when the vendor gives the data away for free.
minast, November 25, 2020, #286

Just to wake the thread up every few months:

Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices | CyberNews (CYBERNEWS.COM)
Walmart-exclusive Jetstream routers and Wavlink routers contain hidden backdoors. The routers are actively being exploited by Mirai malware.

We may not have Walmart in our part of the world, but it stands as a reminder that a little care is always needed in how we choose network devices.
acct, November 3, 2021, #287

Facebook is shutting down its facial recognition software (EDITION.CNN.COM)

Quote
Facebook said Tuesday it plans to stop using facial-recognition software that could automatically recognize people in photos and videos posted on the social network, marking a massive shift both for the tech industry and for a company known for collecting vast amounts of data about its billions of users.

Facebook, which changed its company name to Meta in late October, also said it plans to delete the data it had gathered through its use of this software, which is associated with over a billion people's faces.

The move, announced in a blog post authored by artificial intelligence vice president Jerome Pesenti, comes as the company is widely scrutinized for the potential real-world harms of its social platforms in the wake of a whistleblower's leak of hundreds of internal documents.
acct, November 9, 2021, #288

Robinhood Announces Data Security Incident — Under the Hood (BLOG.ROBINHOOD.COM)

Quote
The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed.
acct, January 20, 2022, #289

Europe's Move Against Google Analytics Is Just the Beginning | WIRED (WWW.WIRED.COM)
Austria's data regulator has found that the use of Google Analytics is a breach of GDPR. In the absence of a new EU-US data deal, other...

Quote
On December 22, the Austrian data regulator, Datenschutzbehörde, said the use of Google Analytics on NetDoktor breached the European Union's General Data Protection Regulation (GDPR). The data being sent to the US wasn't being properly protected against potential access by US intelligence agencies, the regulator said in a decision that was published last week. Days earlier it was revealed that European Parliament's Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe, according to a decision from the European Data Protection Supervisor (EDPS).

The two cases are the first decisions following a July 2020 ruling that Privacy Shield, the mechanism used by thousands of companies to move data from the EU to the US, was illegal. These landmark cases will likely pile pressure on negotiators in the US and Europe who are trying to replace Privacy Shield with a new way for data to flow between the two. If an agreement takes too long, then similar cases across Europe could have a domino effect, with cloud services from Amazon, Facebook, Google, and Microsoft all potentially being ruled incompatible, one country at a time.

Google Analytics declared illegal in the EU. (TUTANOTA.COM)
Will Google protect data of Europeans better to comply with the GDPR?

Quote
The issue at hand is that due to the American CLOUD Act US authorities are able to demand personal data from Google, Facebook and other US providers, even when they are operating outside of the US, so in Europe for instance. Thus, Google cannot provide an adequate level of protection under Article 44 GDPR - a clear violation of European data protection guarantees.

The standard contractual clauses invoked by the website operator do not help, as recognized in 2020 by the European Court of Justice (ECJ) in its decision on the "Privacy Shield" (Schrems II). The decisive factor for the legal assessment of the use of Google Analytics is not whether a U.S. intelligence agency actually obtained the data or whether Google actually identified the user. The mere fact that this was theoretically possible already was a violation of the GDPR.
acct, May 26, 2022, #290

FTC fines Twitter $150M for using 2FA info for targeted advertising (WWW.BLEEPINGCOMPUTER.COM)
The Federal Trade Commission has fined Twitter $150 million for using phone numbers and email addresses collected to enable two-factor authentication for targeted advertising.

Quote
As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue.

The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today's proposed settlement will help prevent further misleading tactics that threaten users' privacy.

Additional provisions of FTC's proposed order also would:
- prohibit Twitter from profiting from deceptively collected data;
- allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
- notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter's privacy and security controls;
- implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
- limit employee access to users' personal data; and
- notify the FTC if the company experiences a data breach.
minast, May 26, 2022, #291

1 hour ago, acct wrote:
> FTC fines Twitter $150M for using 2FA info for targeted advertising (WWW.BLEEPINGCOMPUTER.COM)
> The Federal Trade Commission has fined Twitter $150 million for using phone numbers and email addresses collected to enable...

The EU's turn now.
minast, August 11, 2022, #292

An intrusion into Cisco's systems, which also bypassed 2FA/MFA. The analysis of the attacker's (or attackers') actions is interesting, as is the company's response:

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Cisco Talos shares insights related to recent cyber attack on Cisco (BLOG.TALOSINTELLIGENCE.COM)
A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group
minast, August 18, 2022, #293 (edited)

An interesting article about a vulnerability in the Linux kernel that went unfixed for five years, despite first being identified in 2016. Google links it to device surveillance software, such as the by now familiar Predator. Indicatively:

Quote
they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians

A Linux Zero-Day Was Finally Patched After Half Decade of Inaction (GIZMODO.COM)
Google said the exploit, located in a garbage collection mechanism within the Linux kernel, was first reported by developers in 2016.

Edited August 18, 2022 by minast (formatting)
hurin, August 25, 2022, #294

I got an email from Plex about a possible leak of personal data and a prompt to change my password. Just to be safe, change your password.
minast, October 13, 2022, #295

Microsoft will start sending notifications about security updates via RSS:

Microsoft Security Response Center (MSRC-BLOG.MICROSOFT.COM)
minast, December 1, 2022, #296

LastPass is doing great:

Notice of Recent Security Incident - The LastPass Blog (BLOG.LASTPASS.COM)
We are working diligently to understand the scope of the incident and identify what specific information has been accessed.
trendy, December 1, 2022, #297

https://0dayfans.com/
minast, December 14, 2022, #298

Malware signed with trusted certificates (belonging to Microsoft-approved Windows developers):

Microsoft digital certificates have once again been abused to sign malware (ARSTECHNICA.COM)
Code-signing is supposed to make people safer. In this case, it made them less so.
minast, December 21, 2022, #299

Okta, a well-known provider of identity, authentication and access management services, was breached, with the result that the code of its services leaked:

Okta's source code stolen after GitHub repositories hacked (WWW.BLEEPINGCOMPUTER.COM)
In a 'confidential' email notification sent by Okta and seen by BleepingComputer, the company states that attackers gained...
HotPeanut, December 23, 2022, #300

ΕΛΤΑ (Hellenic Post): Customer and employee data appears to have been stolen in the March cyberattack | in.gr (WWW.IN.GR)
The scale of the March cyberattack is only now becoming clear.