In news that will confirm your worst fears about a device with an always-on microphone in your home, security researchers have created a “skill” for Amazon’s popular voice assistant Alexa that allows the device to indefinitely eavesdrop on your conversations… 

https://search.app.goo.gl/M8q7P

You heard right. The embattled ride sharing service @Uber paid thieves $100,000.00 to delete the stolen private information of ~57 million of its users. Then they attempted to bury the entire event and not disclose the breach to the public, as they are legally required to do.

Uber has struggled with many legal and business mishaps over the past year, and yet another bad choice will definitely take a toll on the company’s continued existence. So does anyone need a Lyft?

#uber #security #hacking #databreach

https://www.cnbc.com/2017/11/21/uber-hack-exposes-data-of-57-million-users-and-drivers-report-says.html

OnePlus is one of my new mobile device favorites, but it lacks in its software development process and it’s beginning to show. They have now released multiple new applications that have been found to be easily subverted to gain access. Time to keep a close eye on those updates!

#security #hacking #OnePlus

https://latesthackingnews.com/2017/11/16/another-oneplus-factory-app-allow-attackers-steal-photos-gps-wifi-data/


From a technical perspective, the Equifax breach was a fairly simple hack. Boiled WAY down, the thieves took advantage of an old bug in Apache Struts on an unpatched, vulnerable web server and in doing so became a process owner on that server. This then gave them access to other connected systems. So, with time likely on their side, they roamed the network and made off with the proverbial goods.

In reflection, now that we have had time to digest the response, it is reasonable to ask whether Equifax did all it could as a steward of our information and data.

So as further reading we thought we’d share a great article on the technical side of how it happened and how it affects us all.

#security #equifaxbreach #hacking

https://www.wired.com/story/equifax-breach-no-excuse/

It’s another day and another hacked company! Whole Foods announced recently that hackers obtained access to their network and were able to steal credit card information of its customers. While they claimed that their primary systems for taking credit card payments were not impacted, they report that the taprooms, restaurants, and other in-store service systems use a different credit card processing system. Those were the ones that were infiltrated.

Whole Foods, which was recently purchased by Amazon, did not release the range of the impact nor which facilities were at risk. They have hired a leading cyber security firm and are investigating.

#hacking #security #WholeFoods

http://abc7.com/2468228/

With confidence in our reporting agencies at an all-time low, another completely avoidable hole in their security has surfaced. Experian, one of the big 3 reporting agencies, lets you remove your credit freeze with a simple tick box and a 4-digit code. How does one get that code, you may ask? Well, all you have to do is ask nicely enough and they’ll just give it to you.

With the procedures used to validate your identity being so weak, it is most definitely important for everybody to stay vigilant. Watch out for yourself out there, friends.

#experian #weaksecurity #hacking

https://boingboing.net/2017/09/21/cross-my-heart.html

iTerm2, a popular replacement terminal app for OSX, leaks everything you hover your mouse over via DNS requests. Why, you may ask? Well, in an attempt to be a “better app”, iTerm2 will take any string you place your mouse cursor over and do a DNS lookup on that text string. While it sounds like a great idea, this passes ANYTHING you hover over to DNS. That includes anything a user may have on screen, such as usernames, passwords, and other sensitive information, all going to DNS servers as a request and typically unencrypted.

This behavior is a huge privacy issue, as many users have no idea that they are opening themselves up to yet another vulnerability, and one whose traffic is super simple to intercept.

So users of iTerm2 are advised to upgrade ASAP to the latest version, released today, which turns this feature off (it was previously on by default).

#vulnerability #hacking #apple #osx #iTerm2

https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-hover-in-your-terminal-via-dns-requests/

CCleaner, software owned by Avast Security, was recently found to have been hijacked with a backdoor installed into it by unknown “bad actors”. A wildly popular Windows maintenance application that has been downloaded over 2 billion times, CCleaner has been a favorite of techies and corporate types alike. Avast has acknowledged the issue and a new upgrade was released, but for many out there, who knows how much was hijacked or stolen during the months this hack has been in play. TL;DR below.

#security #hacking #avast #ccleaner

https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/amp/

http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/

On the heels of Apple’s big “Look at our new stuff” show comes the news that a flaw in iOS, dubbed Leaky and reported in February, remains unpatched by both Microsoft and Apple.

The sad part is that Microsoft doesn’t consider this flaw to be a serious issue, and Apple only said that the issue should be addressed in iOS 11, to the dismay of everyone who cannot upgrade to the latest version.

Technical explanation and TL;DR below.

#security #hacking #Microsoft #apple

http://www.techrepublic.com/article/ios-security-alert-your-device-is-transmitting-exchange-credentials-without-any-encryption/?ftag=COS-05-10aaa0g


In another twist in an already complex and difficult response to a major security breach, Equifax was found to be using a very simple algorithm for assigning PINs to individuals for credit file freezes. A Smithsonian research scientist stumbled upon this little bit of info while signing up to freeze her credit files. The 10-digit PIN was based simply on the time and date you signed up.

This prompted Equifax to announce, after a flood of customer complaints, that they would be changing the PIN generation and reset request process. This new process should be active as of now.

So continue to be vigilant out there, friends. Your info is available out there, and those who are paid to protect it have now made it your problem to monitor.

#security #equifaxhack #equifax #hacking

https://mobile.nytimes.com/2017/09/10/your-money/identity-theft/equifax-breach-credit-freeze.html