
zackwhittaker

@zackwhittaker@mastodon.social

Security editor, TechCrunch
zack.whittaker@techcrunch.com
Signal: +1 646.755.8849
New York, NY


zackwhittaker, to random

NEW, by me: The check-in computers at several hotels around the U.S. are running a consumer-grade spyware app called pcTattletale.

pcTattletale was seen stealthily and continually capturing screenshots of the hotel booking systems, which contained guest information and reservation details.

This was discovered because a security researcher found that a flaw in the spyware is exposing these screenshots to the internet, not just to the spyware's intended users.

More: https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/

zackwhittaker, to random

New, by me: A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users access to their Facebook, Google and TikTok accounts.

The SMS routing company's database was connected to the internet with no password.

More: https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/

zackwhittaker, to random

New: Sen. Ron Wyden is warning that governments are spying on Apple and Google phone users through their push notifications.

Wyden says Apple and Google can be “secretly compelled by governments to hand over this information.”

An Apple spokesperson told TechCrunch that it was prohibited from disclosing the surveillance, but will add to its upcoming transparency report "now that this method has become public."

More: https://techcrunch.com/2023/12/06/us-senator-warns-governments-spying-apple-google-smartphone-users-via-push-notifications/

zackwhittaker (edited), to random

New, by me: Two university students have uncovered a security bug that lets millions do their laundry for free.

CSC ServiceWorks provides internet-connected laundry machines to thousands of residential homes and universities around the U.S., Canada and Europe.

The students found that any security checks are done by the app on the user’s device and automatically trusted by CSC’s servers.

But CSC still hasn't fixed the issue — or acknowledged their findings.

More: https://techcrunch.com/2024/05/17/csc-serviceworks-free-laundry-million-machines

zackwhittaker, to random

This is excellent news! The journalists at 404 Media have done incredible work in the past ~six months that they've been working for themselves, and driven considerable impact from their reporting. I've found considerable value in my 404 Media paid subscription, and would definitely recommend.
https://www.niemanlab.org/2024/02/six-months-in-journalist-owned-tech-publication-404-media-is-profitable/

zackwhittaker, to random

New: Security flaws in court record systems used in five U.S. states exposed restricted, sealed and confidential legal documents.

Security researcher Jason Parker said the bugs they discovered varied in complexity, but all could be exploited using only the tools built into a web browser.

Two out of three notified vendors confirmed bug fixes, and one Florida county judiciary also confirmed a fix. Another Florida judiciary threatened Parker with legal action.

More: https://techcrunch.com/2023/11/30/us-court-records-systems-vulnerabilities-exposed-sealed-documents/

zackwhittaker, to random

Powerful testimony by @Tarah to the Senate Homeland Security Committee about the Cyber Safety Review Board, set up by DHS to learn lessons from past cyber incidents.

Wheeler said CSRB members "do not have the time, freedom or authority to conduct independent, thorough investigations" of cybersecurity incidents. In written testimony, Wheeler added: "Depoliticize the CSRB by funding it, giving it subpoena power, and make it an independent civil agency instead of involving political appointees."

zackwhittaker, to random

New, by @Sarahp: A fake app that was masquerading as password manager LastPass on the App Store has been removed, whether by Apple or the fake app’s developer is yet unclear — Apple has not commented.

"That such an obviously fake app got through Apple’s App Review process is a bad look for the tech giant, which has been arguing against new regulations, like the EU’s Digital Markets Act, by claiming these laws would compromise customer safety and privacy."

More: https://techcrunch.com/2024/02/08/a-fake-app-masquerading-as-password-manager-lastpass-just-got-pulled-from-the-app-store/

zackwhittaker, to random

Looks like there's a new WebKit zero-day under active exploitation targeting iOS, iPadOS, and macOS. Apple rolled out a Rapid Security Response patch today.

CVE: https://support.apple.com/en-us/HT213823

I also wrote about these real-time rapid security updates last year, in case you want a backgrounder: https://techcrunch.com/2022/06/07/apple-introduces-real-time-security-updates-for-ios-and-macos/

zackwhittaker, to random

New by @lorenzofb and me: Hackers advertised 23andMe stolen data months earlier than first known. A post on another hacking forum advertising the data back in August matches some of the data published last week.

We also found several dozen records in the stolen data that match the same user profile and genetic information found in public genealogy records, which appears consistent with 23andMe's claim that user data was obtained by credential stuffing.

More: https://techcrunch.com/2023/10/10/hackers-advertised-23andme-stolen-data-two-months-ago/

zackwhittaker, to random

23andMe's security incident involving the theft of users' genetic information was likely caused by credential stuffing.

Some folks have said that users share some responsibility by not using 2FA on their accounts. I think the company with hundreds of millions in revenue has more responsibility (and far greater resources) to protect users' data than the users themselves.

zackwhittaker, to random

New, by me: International law firm Orrick, which works with companies affected by security incidents and data breaches, has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims.

More than 637,000 data breach victims had information stolen during Orrick's cyberattack in March 2023.

More: https://techcrunch.com/2024/01/04/orrick-law-firm-data-breach/

zackwhittaker, to random

"When WIRED asked Okta a series of questions about what steps it is taking to improve customer service defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment."

https://www.wired.com/story/okta-support-system-breach-disclosure/

zackwhittaker, to random

Just my totally normal cat sleeping like he's been violently assassinated. Why, why sleep like this?

zackwhittaker, to random

Bloomberg is reporting that the same hackers who took down MGM Resorts this week recently targeted Caesars Entertainment, which paid millions in ransom to stop the publishing of its sensitive information.

The hacking group behind the attacks is believed to be Scattered Spider, aka 0ktapus, comprised mostly of young adults. The group was responsible for hacking Twilio, Coinbase and others last year.

https://www.bloomberg.com/news/articles/2023-09-13/caesars-entertainment-paid-millions-in-ransom-in-recent-attack

zackwhittaker, to random

SEC spokesperson Cory Jarvis told me by email:

"The SEC's @SECGov X/Twitter account has been compromised. The unauthorized tweet regarding bitcoin ETFs was not made by the SEC or its staff."

Here is the false tweet that was posted.

zackwhittaker, to random

New, by me: Proofpoint is laying off about 6% of its global workforce, or 280 employees, the company confirmed to TechCrunch.

Proofpoint’s leadership page — which has no women — says the company has about 4,500 employees.

More: https://techcrunch.com/2024/01/31/proofpoint-layoffs-280-employees/

zackwhittaker, to random

Breaking: AT&T has reset millions of customer account passcodes after a huge cache of data containing AT&T customer records was dumped online earlier this month, TechCrunch has exclusively learned.

A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher. TechCrunch held the publication of this story until AT&T could reset customer account passcodes.

More: https://techcrunch.com/2024/03/30/att-reset-account-passcodes-customer-data/

zackwhittaker, to random

New, by me: Security researchers found an Azure storage server exposed to the internet containing internal credentials for accessing Microsoft systems.

More: https://techcrunch.com/2024/04/09/microsoft-employees-exposed-internal-passwords-security-lapse/

zackwhittaker, to random

For that absolute chef's kiss level of detail, the filenames of the screenshots posted by U.K. authorities on LockBit's dark web leak site read "oh dear.png", "doesnt_look_good.png" and "this_is_really_bad.png."

zackwhittaker, to random

New, by me: Notorious stalkerware operation TheTruthSpy was hacked — again.

Two hacking groups independently found a security flaw in TheTruthSpy that allows the mass access of victims’ stolen mobile device data directly from TheTruthSpy’s servers.

The hack reveals TheTruthSpy continues to spy on tens of thousands of new victims.

TechCrunch added the new data to our spyware lookup tool, which lets you check if your Android device was compromised by TheTruthSpy.

More: https://techcrunch.com/2024/02/12/new-thetruthspy-stalkerware-victims-is-your-android-device-compromised

zackwhittaker, to random

My TechCrunch colleague and friend @Sarahp experienced a devastating house fire last night. Please share and support if you can.

https://www.gofundme.com/f/yd78gx-sarah-and-josie-need-our-help

zackwhittaker, to random

Wow, Elon Musk must be desperate if he's re-adding blue checks to people like me who have long left the hellsite formerly known as Twitter. No, I'm not going back. Instead, I will continue my lifelong streak of not giving Musk a single penny of my money.

zackwhittaker, to random

New, by me: An extortion group has published a portion of what it says are the private and sensitive patient records on millions of Americans stolen during the ransomware attack on Change Healthcare in February.

It’s the first time that cybercriminals have published evidence that they have in their possession medical and patient records from the cyberattack.

Change Healthcare handles between one-third and one-half of all U.S. patient records.

More: https://techcrunch.com/2024/04/15/change-healthcare-stolen-patient-data-ransomhub-leak/

zackwhittaker, to random

New, by me: ACLU attorneys say they found what they called an “alarming error” in a geofence warrant application that “resulted in a warrant stretching nearly two miles across San Francisco.”

The error was likely caused by a typo, but allowed the requesting law enforcement agency to capture information on anyone who entered the stretch of city between Fortuna Avenue and Leavenworth Street during the time the warrant was active.

More: https://techcrunch.com/2024/01/11/geofence-warrant-dragnet-error/
