zackwhittaker

zackwhittaker, 1 day ago to random

A busy edition of ~ this week in security ~ is now out:

• FBI seizes BreachForums (again)
• CISA official breaks ranks on SS7 flaws
• May's Patch Tuesday fixes plenty of zero-days
• Jamaica's state-run agency hit by ransomware
• Australian prescription company hacked
• CSC ignores "free laundry" bug
• A brand new pair of cyber cats, and more.

Sign up/RSS: https://this.weekinsecurity.com

Read online: https://mailchi.mp/weekinsecurity/this-week-in-security-may-19-2024-edition

Donate/support: https://ko-fi.com/thisweekinsecurity

zackwhittaker, 3 days ago (edited 3 days ago) to random

New, by me: Two university students have uncovered a security bug that lets millions do their laundry for free.

CSC ServiceWorks provides internet-connected laundry machines to thousands of residential homes and universities around the U.S., Canada and Europe.

The students found that any security checks are done by the app on the user’s device and automatically trusted by CSC’s servers,

But CSC still hasn't fixed the isue — or acknowledged their findings.

More: https://techcrunch.com/2024/05/17/csc-serviceworks-free-laundry-million-machines

zackwhittaker, 3 days ago to random

We've spent years securing endpoints and network perimeters from external threats. And now the biggest threat to our data is coming from inside the house.
https://cloudisland.nz/@mugginsm/112453455988901949

zackwhittaker, 6 days ago to random

Found a power-up box in the wild.

zackwhittaker, 7 days ago to random

Some of the attacks recorded in Estate's database show efforts to carry out SIM swap attacks — one campaign was simply titled “ur getting sim swapped buddy” — and doxing victims.

The database also exposed information about Estate's founder, a Danish programmer in their early 20s, who claimed, “I do not operate the site anymore.”

Although the cybercrime site is hidden behind Cloudflare, Estate's founder misconfigured the site's server exposing its real-world location.

https://techcrunch.com/2024/05/13/cyber-criminals-stealing-one-time-passcodes-sim-swap-raiding-bank-accounts/

zackwhittaker, 7 days ago to random

A Jamaica state-run agency is recovering from a ransomware attack, reports the Jamaica Gleaner.

"BSJ, the statutory body established to promote and encourage standardisation in relation to commodities, processes and practices, confirmed that it suffered a ransomware attack in February and is still working to 'normalise' its operations."

Several other authorities are affected by the cyberattack.

More: https://jamaica-gleaner.com/article/lead-stories/20240511/bsj-hit-cyberattack

zackwhittaker, 7 days ago to random

NEW, by me: Since mid-2023, a cybercrime operation called Estate has allowed hundreds of members to carry out thousands of automated phone calls aimed at tricking victims into turning over their one-time passcodes.

Oftentimes, that one-time passcode is all the attacker needs to break into a victim’s online account.

But a bug in Estate's code exposed the site's backend database, which was not encrypted. A security researcher shared the database with TechCrunch.

https://techcrunch.com/2024/05/13/cyber-criminals-stealing-one-time-passcodes-sim-swap-raiding-bank-accounts/

zackwhittaker, 8 days ago to random

~ this week in security ~ is back after a week away, with:

• U.S. name and sanction LockBit ransomware leader
• U.K. Armed Forces' payroll hacked
• Ascension healthcare system hit by ransomware
• Research shows VPNs can leak data
• USPTO inadvertently leaked filers' addresses (again!)
• Plus: Someone scraped 49 million Dell customer addresses
• A brand new cyber cat, and more.

Sign up/RSS: https://this.weekinsecurity.com

Read online: https://mailchi.mp/weekinsecurity/this-week-in-security-may-12-2024-edition

Support/donate: https://ko-fi.com/thisweekinsecurity

zackwhittaker, 10 days ago to random

Scoop, by @lorenzofb: We spoke to the threat actor who allegedly stole the data of 49 million Dell customers, including physical addresses.

The threat actor said they scraped the data directly from Dell's servers over a three-week period before Dell noticed.

We verified that the data is authentic by checking leaked data with victims.

More: https://techcrunch.com/2024/05/10/threat-actor-scraped-49m-dell-customer-addresses-before-the-company-found-out/

zackwhittaker, 10 days ago to random

CNN's @snlyngaas reporting that the ransomware attack on Ascension's hospital chain is the work of the Black Basta gang, citing four sources with knowledge of the investigation. Ascension has 140 hospitals in 19 states. Black Basta has previously targeted healthcare organizations and other big corporations.

https://edition.cnn.com/2024/05/10/tech/cyberattack-ascension-ambulances-hospitals/index.html

zackwhittaker, 11 days ago to random

Even with end-to-end encrypted services, metadata matters.

https://techcrunch.com/2024/05/08/encrypted-services-apple-proton-and-wire-helped-spanish-police-identify-activist

zackwhittaker, 12 days ago to random

New, by me: U.S. Patent and Trademark Office confirmed it "inadvertently exposed" another 14,000 applicants' domicile addresses as a result of a second security spill in as many years.

I chatted with USPTO's deputy CIO about the incident, who explained that the agency fixed the issue (again) to prevent future spills.

https://techcrunch.com/2024/05/08/us-patent-and-trademark-office-confirms-another-leak-of-filers-address-data/

zackwhittaker, 12 days ago to random

New, by me: Brandywine Realty Trust, one of the largest real estate trusts in the United States, confirms data was stolen in a recent cyberattack, which it describes as ransomware.

https://techcrunch.com/2024/05/07/brandywine-realty-trust-cyberattack/

zackwhittaker, 12 days ago to random

UK defense minister Grant Shapps confirms cyberattack and data breach involving a payments system for the UK Armed Forces — names, bank account information, and some addresses of military personnel.

"This is an external system... operated by a contractor," says Shapps.

I think a big question here is why U.K. military personnel data was being handled by a third-party contractor? Government systems might not be much stronger, but another consequence of privatization?

https://www.gov.uk/government/speeches/defence-secretary-oral-statement-to-provide-a-defence-personnel-update-07-may-2024

zackwhittaker, 20 days ago to random

New, by me: The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by MFA, according to the CEO of its parent company UnitedHealth.

It’s not known why Change did not set up MFA on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer’s systems.

More: https://techcrunch.com/2024/04/30/uhg-change-healthcare-ransomware-compromised-credentials-mfa/

zackwhittaker, 21 days ago to random

To the driver of the grey Dodge, NY license plate JPX-1255. It's never OK to shout sexually aggressive remarks at women as you drive by, you repulsive sack of shit.

zackwhittaker, 22 days ago to random

It's Sunday, so a new ~ this week in security ~ just went out:

• UHG hackers stole health data on most people in America
• GitHub comments abused to push malware via Microsoft repo
• U.K. expands surveillance laws
• Kaiser shared millions of patients' data with advertisers
• GM's sneaky vehicle dat collection
• Brand new cybercat(s) and more.

Sign up/RSS: https://this.weekinsecurity.com/

Read online: https://mailchi.mp/weekinsecurity/this-week-in-security-april-27-2024-edition

Support/donate: https://ko-fi.com/thisweekinsecurity

zackwhittaker, 24 days ago to random

Once in awhile, and it's becoming more frequent, someone emails me to ask why some very bad privacy practice — like sharing someone's sensitive search terms on a medical provider's website with third-party advertisers — is allowed to happen or isn't illegal.

Elect better lawmakers, and demand better from them. That's it. Nothing will change until lawmakers start serving the interests of their electorate and not the big tech giants that fund their political campaigns.

zackwhittaker, 25 days ago (edited 24 days ago) to random

UPDATED, by me: U.S. health conglomerate Kaiser disclosed a data breach affecting 13.4 million members.

Kaiser confirmed it was sharing patients’ information with third-party advertisers, including Google, Microsoft, and X (formerly Twitter).

In a statement, Kaiser blamed "certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

More: https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-millions-data-breach