Table of Contents
- Michigan college is tracking its students with a flawed app
- US Border Patrol says they can create central repository of traveler emails, keep them for 75 years
- Cory Doctorow on “Contact Tracing”
- London Police snooped on personal health data 10,475 times in 4 months
- Yet Another Biometric: Bioacoustic Signatures
- Instacart discloses security incident caused by two contractors
- Mental Health Partners discloses email hack potentially compromised employee and patient data
- Social grant applications found dumped in Ndwedwe
- Dozens of boxes of medical records found at Odessa Recycling Center
- Free photos, graphics site Freepik discloses data breach impacting 8.3m users
- LiveAuctioneers - 3,385,862 breached accounts
- Turkey: KVKK announces Rezzan Günday data breach
- Turkey: KVKK announces Kariyer.net data breach
- Japan: Mitsukoshi and MI Card announce data breach affecting approximately 19,000 customers
- Jefferson Parish Schools data breach exposes 86 students’ information
- Finding vulnerable Twitter accounts with expired domains
- Hackers discover security gaps in the Mebis school platform
- Sending SPF and DMARC passing mail as any Gmail or G Suite customer
- MITRE shares this year's top 25 most dangerous software bugs
- High-Severity Vulnerability Patched in Advanced Access Manager
- Memory leak in IBM DB2 gives access to sensitive data, causes DoS
- FINRA Warns Of Spoofed Websites Impersonating Real Brokers
- Anti-Piracy Outfit Hires VPN Expert to Help Track Down the Pirate Bay
- FBI, CISA Echo Warnings on ‘Vishing’ Threat
- Baugo Community Schools dealing with cyber attack
- Former Uber CSO charged for 2016 hack cover-up
- HealthEngine ordered to pay $2.9m for ‘misleading conduct’
- Transparent Tribe APT targets government, military by infecting USB devices
- Dark web market Empire down for days from DDoS attack
Michigan college is tracking its students with a flawed app
Albion College, a small liberal arts school in Michigan, said in June it would allow its nearly 1,500 students to return to campus for the new academic year starting in August. Lectures would be limited in size and the semester would finish by Thanksgiving rather than December. The school said it would test both staff and students upon their arrival to campus and throughout the academic year. But less than two weeks before students began arriving on campus, the school announced it would require them to download and install a contact-tracing app called Aura, which it says will help it tackle any coronavirus outbreak on campus. There's a catch. The app is designed to track students' real-time locations around the clock, and there is no way to opt out. In addition to having to install the app, students were told they are not allowed to leave campus for the duration of the semester without permission over fears that contact with the wider community might bring the virus back to campus. If a student leaves campus without permission, the app will alert the school, and the student's ID card will be locked and access to campus buildings will be revoked.
US Border Patrol says they can create central repository of traveler emails, keep them for 75 years
The U.S. government has taken the opportunity during the global pandemic, when people aren't traveling out of the country much, to roll out a new platform for storing information they believe they are entitled to take from people crossing the border. A new filing reveals how the U.S. Border Patrol will store data from traveler devices centrally, keeping it backed up and searchable for up to 75 years. On July 30 the Department of Homeland Security published a privacy impact assessment detailing the electronic data that they may choose to collect from people crossing the border -- and what happens to that data.
Cory Doctorow on “Contact Tracing”
In the early days of the pandemic, the term "contact tracing" vaulted into the public consciousness: that's the shoe-leather- and labor-intensive process whereby skilled health experts establish a personal rapport with infected people to establish who they had contact with. For both good reasons (the scale of the pandemic) and bad ones (tech's epistemological blindness, which insists that all social factors can be ignored in favor of quantifiable ones), there was interest in automating this process and "exposure notification" was born. The difference is that exposure notification tells you whether your device was near another device whose owner is sick. It doesn't tell you about the circumstances - like, was it one of the people at that eyeball-licking party? Or someone in the next car in a traffic jam?
London Police snooped on personal health data 10,475 times in 4 months
The London Police Service used a provincial database containing the personal health records of people who tested positive for COVID-19 at one of the highest rates in Ontario, snooping on private medical information 10,475 times between April and July. Law enforcement gained the unprecedented power to access people's personal medical information when the database was shared by emergency order of the Ontario government in April, a period of heightened anxiety about the coronavirus pandemic when the caseload of new infections topped 400 a day. The order gave police officers the ability to access the names, dates of birth and addresses of anyone in Ontario who tested positive for COVID-19.
Yet Another Biometric: Bioacoustic Signatures
Sound waves through the body are unique enough to be a biometric: "Modeling allowed us to infer what structures or material features of the human body actually differentiated people," explains Joo Yong Sim, one of the ETRI researchers who conducted the study. "For example, we could see how the structure, size, and weight of the bones, as well as the stiffness of the joints, affect the bioacoustics spectrum." Notably, the researchers were concerned that the accuracy of this approach could diminish with time, since the human body constantly changes its cells, matrices, and fluid content. To account for this, they acquired the acoustic data of participants at three separate intervals, each 30 days apart. "We were very surprised that people's bioacoustics spectral pattern maintained well over time, despite the concern that the pattern would change greatly," says Sim. "These results suggest that the bioacoustics signature reflects more anatomical features than changes in water, body temperature, or biomolecule concentration in blood that change from day to day."
Instacart discloses security incident caused by two contractors
Grocery delivery and pick-up service Instacart disclosed a security incident caused by two employees working for a company providing tech support services for Instacart shoppers. According to a press release, Instacart says the two employees "may have reviewed more shopper profiles than was necessary in their roles as support agents." The company is now notifying 2,180 shoppers via email about the incident. The figure represents the Instacart user profiles the company believes the two employees might have needlessly accessed while working as tech support agents.
Mental Health Partners discloses email hack potentially compromised employee and patient data
Mental Health Partners (also known as "Mental Health Center of Boulder County Inc.") issued a press release about an employee email account compromise discovered in late March. An investigation revealed that the personal information of some MHP clients and current and former employees may have been accessed or taken during the incident. The information involved may have included names; dates of birth; Social Security numbers; driver's license or state identification card numbers; passport numbers; financial account information; medical record numbers; medical treatment information, including symptom, diagnosis, treatment, medication, and doctor information; and/or health insurance information.
Social grant applications found dumped in Ndwedwe
Nothando Mkhize reports that a pile of social grant applications was found on a street in Ndwedwe. The South African Post Office is investigating to see if they were stolen from a post office during a burglary last month. In a puzzlingly vague statement, a spokesperson noted that an employee has been suspended. But why?
Dozens of boxes of medical records found at Odessa Recycling Center
Over two dozen boxes of old medical records containing personal patient information were found at the Odessa Recycling Center over the weekend. How old medical records from West Texas Orthopedics came to be sitting out in the open at the recycling center this past weekend isn't clear, nor is who's to blame.
Free photos, graphics site Freepik discloses data breach impacting 8.3m users
Freepik, a website dedicated to providing access to high-quality free photos and design graphics, has disclosed a major security breach. The company made it official after users started grumbling on social media this week about receiving shady-looking breach notification emails in their inboxes. According to the company's official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data.
LiveAuctioneers - 3,385,862 breached accounts
In June 2020, the online antiques marketplace LiveAuctioneers suffered a data breach which was subsequently sold online then extensively redistributed in the hacking community. The data contained 3.4 million records including names, email and IP addresses, physical addresses, phone numbers and passwords stored as unsalted MD5 hashes.
Turkey: KVKK announces Rezzan Günday data breach
The Turkish data protection authority ('KVKK') announced, on 18 August 2020, a data breach suffered by Rezzan Günday (Şimşek Pharmacy). In particular, the KVKK highlighted that the breach resulted from the misconduct of a former employee and involved obtaining the identification numbers of patients and transferring them to another pharmacy without their knowledge in order to provide the supply of drugs from other pharmacies. In addition, the KVKK noted that the violation had occurred since October 2019 and that personal data affected by the breach included ID numbers, telephone numbers, and special category health data.
Turkey: KVKK announces Kariyer.net data breach
The Turkish data protection authority ('KVKK') announced, on 18 August 2020, a data breach suffered by Kariyer.net Elektronik Yayıncılık ve İletişim Hiz. Inc. In particular, the KVKK highlighted that the breach was detected by a consultant serving as a supplier to Kariyer.net on 12 August 2020 and was communicated to an employee of Kariyer.net informing them that a file allegedly holding the information of 50,000 members of the website had been uploaded to a website on that day.
Japan: Mitsukoshi and MI Card announce data breach affecting approximately 19,000 customers
Isetan Mitsukoshi Co., Ltd and MI Card Co., Ltd announced, on 5 August 2020, that they had suffered a data breach affecting approximately 19,000 customers as a result of unauthorised access. In particular, MI Card noted that the data breach occurred on the Isetan Mitsukoshi Online Store as well as MI Card's homepage. In addition, MI Card highlighted that personal information such as name, address, phone number, email address, and date of birth of customers of the Mitsukoshi online store were accessed, whereas the member name, expected billing amount, and current membership points held on the MI Card homepage were also accessed.
Jefferson Parish Schools data breach exposes 86 students’ information
A data breach that exposed 86 Jefferson Parish public school students' confidential student portal log information to more than 40,000 families was caused by a problem with a vendor, a school system spokeswoman confirmed Tuesday. When system officials began to receive calls about the problem, they contacted EdGear, the vendor that powers JCampus, a portal through which parents can view their students' grades and other information.
University of Utah hit by ransomware, pays $457K ransom
The University of Utah has paid a $457,000 ransom to prevent threat actors from releasing files stolen during a ransomware attack. In a 'data security incident' notification, the University of Utah disclosed that they were attacked by ransomware on Sunday, July 19, 2020. "On Sunday, July 19, 2020, the university's College of Social and Behavioral Science (CSBS) was notified by the university's Information Security Office (ISO) of a ransomware attack on CSBS computing servers. Content on the compromised CSBS servers was encrypted by an unknown entity and no longer accessible by the college," the University of Utah disclosed. The attack encrypted the servers in the university's College of Social and Behavioral Science (CSBS) department. As part of the attack, the threat actors stole unencrypted data before encrypting computers.
Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme
Ransomware attacks targeting the enterprise sector have been at an all-time high in the first half of 2020. While ransomware groups each operate based on their own skillset, most of the ransomware incidents in H1 2020 can be attributed to a handful of intrusion vectors that gangs appear to have prioritized this year. The top three most popular intrusion methods include unsecured RDP endpoints, email phishing, and the exploitation of corporate VPN appliances. At the top of this list, we have the Remote Desktop Protocol (RDP). Reports from Coveware, Emsisoft, and Recorded Future clearly put RDP as the most popular intrusion vector and the source of most ransomware incidents in 2020. "Today, RDP is regarded as the single biggest attack vector for ransomware," cyber-security firm Emsisoft said last month, as part of a guide on securing RDP endpoints against ransomware gangs.
More Canadian entities hit with ransomware
A Toronto-based billion-dollar company is allegedly one of the first victims of a new ransomware group calling itself DarkSide. The new group is demanding payment or threatening to release the copied corporate files publicly. IT World Canada isn't identifying the publicly-traded company until the data breach is confirmed, but according to a posting today on the group's dark web site some 200 GB of information including employee files, finance and payroll records and business plans were copied before encryption.
Malware can no longer disable Microsoft Defender via the Registry
Microsoft has removed the ability to disable Microsoft Defender and third-party security software via the Registry to prevent malware from tampering with protection settings. Since Windows Vista, users have been able to disable Microsoft Defender completely, and potentially other third-party security software, through the use of the 'Turn off Microsoft Defender Antivirus' group policy setting.
Community-provided Amazon Machine Images come with malware risk
Security researchers are sounding the alarm about Amazon Machine Images (AMIs) tainted with malicious code that could compromise an organization's cloud environment. While the method is not new, it could become a trend unless proper precautions are taken before deploying an Elastic Compute Cloud (EC2) instance based on community AMIs. During a recent engagement at a financial institution, researchers at cybersecurity company Mitiga found that an EC2 server in the customer's Amazon Web Services (AWS) environment was running unauthorized code. They discovered an active cryptocurrency miner that had not been planted by exploiting a vulnerability or misconfigured settings. Instead, it came embedded in the community AMI used to create the EC2 instance.
Most antivirus programs can’t detect new coronavirus malware that steals victims’ money, personal data
CyberNews tested antivirus programs with a packed version of Raccoon Stealer, and came to these conclusions: Only ESET and AVG were able to automatically detect the Raccoon malware in all its forms. Avira and F-Secure detected the malware in all its forms only after running a full scan, but did not detect it automatically. Dr. Web completely failed to detect any forms of the malware, while Kaspersky, Bitdefender and Bullguard only detected 1 of the 4 forms of the malware. Trend Micro and Avast were not able to detect all forms of the malware.
Finding vulnerable Twitter accounts with expired domains
Twitter accounts with login emails that are using expired domains can be hijacked by registering the domain, forwarding all emails to your email, then submitting a password reset on that account.
Hackers discover security gaps in the Mebis school platform
A group of hackers found security gaps in the Mebis learning platform. These should have made it possible, for example, to redirect users to harmful sites through links within the platform. A spokesman for the Bavarian Ministry of Culture admitted the problems to dpa on Friday. However, the security gaps pointed out by the hackers have now been fixed. Mebis is an online platform for Bavarian schools, operated by the Bavarian Ministry of Culture. The hackers, including a student who says they use the platform themselves, discovered the vulnerabilities in May. According to their own information, they reported the vulnerabilities to the platform operator on May 20 and 21 and set a deadline of 90 days.
Sending SPF and DMARC passing mail as any Gmail or G Suite customer
Due to missing verification when configuring mail routes, both Gmail's and any G Suite customer's strict DMARC/SPF policy [[https://ezh.es/blog/2020/08/the-confused-mailman-sending-spf-and-dmarc-passing-mail-as-any-gmail-or-g-suite-customer/][may be subverted by using G Suite's mail routing rules to relay and grant authenticity to fraudulent messages]]. This is notably not the same as classic mail spoofing of yesteryear in which the From header is given an arbitrary value, a technique which is easily blocked by mail servers using the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules.
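A simplified receiver-side model of the SPF and DMARC checks described above, added here as an illustration (not code from the linked write-up or from Google). All domains, addresses and records are constructed; only the `ip4` and `all` SPF mechanisms are modelled and the DKIM leg of DMARC is left out.

```python
import ipaddress

# Constructed records using reserved example domains and documentation IP ranges.
# 192.0.2.0/24 stands in for a hosted-mail provider's shared outbound range.
SPF_RECORDS = {
    "corp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-sender.example": "v=spf1 ip4:198.51.100.7 -all",
}
DMARC_RECORDS = {
    "corp.example": "v=DMARC1; p=reject; aspf=s",
}
SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from_domain, client_ip):
    """Evaluate a simplified SPF record (ip4 and all mechanisms only)."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # include:, a, mx, ... are outside this model
        if matched:
            return SPF_RESULTS[qualifier]
    return "neutral"


def parse_tags(record):
    """Split 'k=v; k=v' DMARC tags into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # Real implementations consult the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def spf_aligned(from_domain, envelope_domain, mode):
    """DMARC identifier alignment between header From and envelope MAIL FROM."""
    if mode == "s":  # strict: exact match required
        return from_domain == envelope_domain
    return org_domain(from_domain) == org_domain(envelope_domain)  # relaxed


def dmarc_evaluate(header_from, mail_from, client_ip):
    """Return (disposition, reason) as a receiver would decide it, SPF leg only."""
    from_domain = header_from.rsplit("@", 1)[-1].lower()
    envelope_domain = mail_from.rsplit("@", 1)[-1].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return ("accept", "no DMARC policy published")
    policy = parse_tags(record)
    spf = spf_check(envelope_domain, client_ip)
    aligned = spf_aligned(from_domain, envelope_domain, policy.get("aspf", "r"))
    if spf == "pass" and aligned:
        return ("accept", "spf=pass, aligned")
    return (policy.get("p", "none"), f"spf={spf}, aligned={aligned}")


# Constructed messages: (label, header From, envelope MAIL FROM, connecting IP)
MESSAGES = [
    ("forged From, sender's own server",
     "ceo@corp.example", "ceo@corp.example", "198.51.100.7"),
    ("forged From, sender's own envelope domain",
     "ceo@corp.example", "bounce@bulk-sender.example", "198.51.100.7"),
    ("genuine mail via the provider",
     "ceo@corp.example", "ceo@corp.example", "192.0.2.10"),
    ("any mail leaving the provider's shared range",
     "ceo@corp.example", "ceo@corp.example", "192.0.2.55"),
]

if __name__ == "__main__":
    for label, hdr, env, ip in MESSAGES:
        print(f"{label:46} -> {dmarc_evaluate(hdr, env, ip)}")
```

The last two rows give the receiver identical inputs, so SPF and DMARC cannot tell which tenant submitted the message; that check has to be enforced by the provider when mail routes are configured.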
MITRE shares this year's top 25 most dangerous software bugs
MITRE shared a list of the top 25 most common and dangerous weaknesses plaguing software during the previous two years. Software weaknesses can be flaws, bugs, vulnerabilities, and other types of errors found in a software solution's code, architecture, implementation, or design that could expose the systems it's running on to attacks. To make this list, the American not-for-profit organization scored each weakness based on both severity and prevalence using Common Vulnerabilities and Exposures (CVE) data from 2018 and 2019 from the National Vulnerability Database (NVD) (roughly 27,000 CVEs), including Common Vulnerability Scoring System (CVSS) scores. "NVD provides this information in a digestible format that helps drive the data-driven approach in creating the 2020 CWE Top 25," MITRE explained.
High-Severity Vulnerability Patched in Advanced Access Manager
On August 13, 2020, the Wordfence Threat Intelligence team finished investigating two vulnerabilities in Advanced Access Manager, a WordPress plugin with over 100,000 installations, including a high-severity Authorization Bypass vulnerability that could lead to privilege escalation and site takeover.
Memory leak in IBM DB2 gives access to sensitive data, causes DoS
A memory leak vulnerability in IBM Db2 relational database could allow an attacker to gain access to sensitive data or cause a denial-of-service (DoS) condition in the database. The flaw affects IBM Db2 versions for Linux, UNIX, and Windows (9.7, 10.1, 10.5, 11.1, 11.5). It originates from improper usage of shared memory and exploitation is possible by sending a specially crafted request. Tracked as CVE-2020-4414, the issue is with the shared memory used by the Db2 trace facility, which lacks explicit protections, allowing read and write access to a local attacker. With no permissions assigned, a local hacker can open a given memory section used by IBM Db2 and dump the content available. In a blog post, Martin Rakhmanov, Security Research Manager, SpiderLabs at Trustwave, details how an attacker could exploit CVE-2020-4414. He explains that launching a tool, like Process Explorer, that checks for open handles of the Db2 main process, shows that permissions for accessing the shared memory are missing.
FINRA Warns Of Spoofed Websites Impersonating Real Brokers
The Financial Industry Regulatory Authority, a private organization that helps self-regulate brokerage firms and exchange markets in the U.S., is warning that fraudsters have recently started creating spoofed websites and domains using members' real names and images in an attempt to steal personal information and credentials. In an alert sent Friday, FINRA is warning members that fraudsters are attempting to steer potential victims to these sites in order to collect personally identifiable information such as their names, mailing addresses and phone numbers through contact forms posted on these websites. "Several firms have recently informed FINRA that malicious actors are using registered representatives' names and other information to establish websites that appear to be the representatives' personal sites and are also calling and directing potential customers to use these imposter websites," according to the FINRA alert. "Imposters may be using these sites to collect personal information from the potential customers with the likely end goal of committing financial fraud."
Anti-Piracy Outfit Hires VPN Expert to Help Track Down the Pirate Bay
Movie companies and their anti-piracy partners are pressing ahead with their legal action to track down The Pirate Bay. The site reportedly used VPN provider OVPN, which carries no logs, but a security expert - one that regularly penetration tests several major VPN providers - believes that information about the notorious site could still be obtained. Tracking down, prosecuting, blocking and otherwise trying to prevent The Pirate Bay from operating has become an entertainment industry project for the last 15 years. The torrent site has faced more adversaries than any other on the planet yet today the site remains stubbornly online. Exactly where and operated by whom remains either a mystery or a topic of speculation.
FBI, CISA Echo Warnings on ‘Vishing’ Threat
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or "vishing" attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.
Baugo Community Schools dealing with cyber attack
WNDU in Indiana reports that the unnamed ISP for Baugo Community Schools has been the target of cyberattacks that began Monday morning. Officials say no Baugo Community Schools data has been compromised. However, the cyber attacks have disrupted virtual learning.
Former Uber CSO charged for 2016 hack cover-up
Uber's former chief security officer was charged on Thursday for covering up the company's 2016 security breach, during which hackers stole the personal details of 57 million Uber customers and the details of 600,000 Uber drivers. Prosecutors in Northern California are charging Joe Sullivan, 52, who served as Uber CSO between April 2015 and November 2017, when Uber changed its CEO and most of its management team. According to court documents, DOJ officials claim that Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach."
HealthEngine ordered to pay $2.9m for ‘misleading conduct’
The settlement saw HealthEngine admit to providing non-clinical personal information -- such as names, dates of birth, phone numbers and email addresses -- to nine different third-party private health insurance brokers without properly informing consumers. This arrangement earned the online medical booking platform more than $1.8 million over a period of four years and two months.
Transparent Tribe APT targets government, military by infecting USB devices
The advanced persistent threat (APT) group, as previously tracked by Proofpoint, has been in operation since at least 2013 and has previously been connected to attacks against the Indian government and military. Recently, the APT has shifted its focus to Afghanistan; however, researchers have documented its presence in close to 30 countries. Also known as PROJECTM and MYTHIC LEOPARD, Transparent Tribe is described as a "prolific" group involved in "massive espionage campaigns." Transparent Tribe is focused on surveillance and spying, and to accomplish these ends, the group is constantly evolving its toolkit depending on the intended target, Kaspersky said in a blog post on Thursday.
Dark web market Empire down for days from DDoS attack
The popular dark web site Empire Market has been down for at least 48 hours, with some users suspecting an exit scam and others blaming a prolonged distributed denial-of-service (DDoS) attack. Over the weekend, multiple reports emerged on Twitter and Reddit from users complaining about not being able to load the Empire Market website. Empire Market features numerous illicit goods including illegal drugs, chemicals, counterfeit items, jewelry, and credit card numbers while offering payment methods including Bitcoin (BTC), Litecoin (LTC), and Monero (XMR).
Global furor over TikTok security alarms users in Japan
What appears at first sight like a solid way to kill some spare time, however, has morphed into a diplomatic flash point. First, India banned it, citing security concerns related to user data being harvested by ByteDance, the Chinese-owned company behind TikTok. It's a mix of legitimate concern and political theater as China expands its power globally. U.S. President Donald Trump has warned that he might impose similar restrictions. The Japanese government is also considering something similar. While the rhetoric around potential regulations isn't as fiery as it might be elsewhere in the world, lawmakers in Japan have already pointed out TikTok's data risks, and the Chinese government has also warned that a potential ban could impact relations between the two nations.
Accused Russian Spy Peter Rafael Dzibinski Debbins Evidently Beat the Polygraph to Penetrate the NSA, DIA
On Thursday, 20 August 2020, a grand jury in the Eastern District of Virginia indicted former U.S. Army Special Forces officer Peter Rafael Dzibinski Debbins of Gainesville, Virginia on a single count of "Conspiracy to Gather or Deliver Defense Information to Aid a Foreign Government." Debbins was arrested on Friday, 21 August 2020. The indictment states that the 45-year-old Debbins graduated from the Reserve Officer Training Corps (ROTC) program at the University of Minnesota in 1997 and served on active military duty from July 1998 until November 2005. During this time, Debbins served in the U.S. Army Chemical Corps in Korea and at Fort Polk, Louisiana, and with the 1st Battalion, 10th Special Forces Group in Germany. Debbins was investigated for a security violation during a deployment to Azerbaijan in 2004, as a consequence of which he was relieved of command and his Top Secret/SCI security clearance was suspended. After leaving active duty, Debbins served in the inactive army reserve until 2010.
Analyzing the Threat of Ransomware Attacks Against US Elections
The threat of a ransomware attack against elections in the United States has been a growing concern within the government and the private sector. We already know that threat actors managed to infiltrate the networks of election offices in multiple states, and according to a Senate Intelligence Report, those same adversaries were targeting all 50 states. In addition, it was reported earlier this year that the Palm Beach County Supervisor of Elections Office was hit with a ransomware attack in September of 2016, which was not reported to the FBI or Homeland Security. According to reports released under FOIA request by Recorded Future, the Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings that ransomware actors are planning to do the same again.
Iranian hackers attack exposed RDP to deploy Dharma ransomware
Low-skilled hackers likely from Iran have joined the ransomware business targeting companies in Russia, India, China, and Japan. They are going after easy hits, using publicly available tools in their activity. The new group is deploying Dharma ransomware. Based on forensic artifacts, this is a non-sophisticated, financially-motivated gang that is new to cybercrime. The threat actor is not greedy. Their demand is between 1-5 Bitcoin (currently $11,700 - $59,000), which is on the lower range of ransom demand compared to other ransomware operations. They find victims by scanning IP address ranges on the internet for exposed remote desktop connections (RDP); their tool of choice for this stage is Masscan, an open-source port scanner.
Chromium’s impact on root DNS traffic
Chromium is an open-source software project that forms the foundation for Google's Chrome web browser, as well as several other browser products, including Microsoft Edge, Opera, Amazon Silk, and Brave. Since its introduction in 2008, Chromium-based browsers have risen steadily in popularity and today comprise approximately 70% of the market share. Chromium has, since its early days, included a feature known as the omnibox, which allows users to enter either a website name, URL, or search terms. But the omnibox has an interface challenge. The user might enter a word like "marketing" that could refer to both an (intranet) website and a search term. Which should the browser choose to display? Chromium treats it as a search term but also displays an infobar that says something like "did you mean http://marketing/?" if a background DNS lookup for the name results in an IP address.
Microsoft enables TLS 1.3 by default in latest Windows 10 builds
Microsoft says that TLS 1.3 will be enabled by default in all Windows 10 Insider Preview builds beginning with Build 20170 as the start of a wider rollout to all Windows 10 systems. According to Microsoft, TLS 1.3 is also enabled by default in IIS/HTTP.SYS and it will be added to .NET starting with version 5.0. The company recommends that developers start implementing TLS 1.3 within their services and apps, using the TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256 cipher suites supported by the Windows TLS stack.
ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks
Two of today's biggest ATM manufacturers, Diebold Nixdorf and NCR, have released software updates to address bugs that could have been exploited for "deposit forgery" attacks. Deposit forgery attacks happen when fraudsters can tamper with an ATM's software to modify the amount and value of currency being deposited on a payment card. Such attacks are usually followed by quick cash withdrawals, either during weekends or via transactions at other banks, with the fraudsters trying to capitalize on the nonexistent funds before banks detect any errors in account balances.
Bug bounty platform ZDI awarded $25m to researchers over the past 15 years
Bug bounty platform pioneer Zero-Day Initiative (ZDI) said it awarded more than $25 million in bounty rewards to security researchers over the past decade and a half. In an anniversary post celebrating its 15th birthday, ZDI said the bounty rewards represent payments to more than 10,000 security researchers for more than 7,500 successful bug submissions. Most of these bugs were filed through the ZDI's vendor-agnostic bug bounty platform, but many were also acquired through Pwn2Own, a yearly hacking contest that ZDI organizes.
DiceKeys is a physical mechanism for creating and storing a 192-bit key. The idea is that you roll a special set of twenty-five dice, put them into a plastic jig, and then use an app to convert those dice into a key. You can then use that key for a variety of purposes, and regenerate it from the dice if you need to. You can then use that key to derive master passwords for password managers, as the seed to create a U2F key for two-factor authentication, or even as the secret key for cryptocurrency wallets. Perhaps most importantly, the box of dice is designed to serve as a permanent, offline key to regenerate that master password, crypto key, or U2F token if it gets lost, forgotten, or broken.