Search This Blog

Showing posts with label Privacy. Show all posts

Google Play Protect Shields Users From Cyberattacks


The leading Android devices all use Google Play Services as a key component. It serves as a link between the Android OS and programs, mostly Google programs and programs from other developers that make use of Google authentication, cloud services, and Game Dashboard.

You could use an Android app that protects users from severe cyberattacks and operates through the official Google Play store called Google Play Protect.

According to a security notice from Google, "Google Play Protect removes apps that have been marked as potentially hazardous because the app actually contains malicious behavior, not only because we are unsure if the app is harmful or not."

Before allowing you to download an app, the feature verifies its security. To deceive users into manually installing the infected files, some of these malicious sites invite victims to download phoney security tools or upgrades.

Four malicious apps were detected by research:
  • Bluetooth App Sender
  • Bluetooth Auto Connect
  • Driver: Bluetooth, USB, Wi-Fi
  • Mobile Transfer: smart switch
More than a million people have downloaded all of the applications together, and they invite a significant danger of identity theft and scams.

"These apps offer capabilities that consumers desire, such as device rooting and other developer features. Users knowingly install these potentially hazardous apps," as per Google.

Essentially Google Play Protect will initially issue a warning about the app's possible dangers when a user starts to install an app that Google has categorized as 'user-wanted.'  Google will not send any more warnings if the user decides to install the program anyhow.

Main functions of Google Play Protect:
  • Verifies the security of downloaded programs from the Google Play store.
  • Detects potentially hazardous programs outside the Google Play store.
  • Warns you about hazardous applications.
  • Removes or disables unwanted applications.
  • Alerts you to apps that break the rules by hiding or making false representations of themselves.
  • Sends you privacy alerts about applications that may request access to your personal information.
  • To protect your privacy, reset your app's permissions.
Google stated in its security note that "after installation, the user-wanted classifications restrict Google Play Protect from delivering additional warnings, so there is no disturbance to the user experience."

The Google Play Services platform also enables Google to push Project Mainline modules, allowing your device to receive security upgrades without having to wait for the producer to release them.

An Online Date Led to an Inquiry into 'Systemic' Failures at American Express

 

Last summer, John Smith* had just returned to Sydney after more than a decade abroad when he met someone online. He began chatting with a man named Tahn Daniel Lee on the dating app Grindr. Lee was undergoing treatment for COVID at the time, so they communicated online for a few weeks before meeting in Sydney's Surry Hills for their first date - a Japanese dinner followed by Messina ice cream. The date would be one of many in a relationship that progressed quickly before taking a dark turn when Smith began to suspect Lee was watching his bank accounts.

The Age and The Sydney Morning Herald can disclose that American Express, one of the world's largest financial companies, would not only dismiss Smith's initial complaint without proper investigation but would also provide misleading information during an external inquiry. It comes after two major ASX-listed companies, Optus and Medibank, revealed sensitive identification and health data to criminals, igniting a national debate about how to best deal with emerging cyber threats.

The "insider threat," according to cybersecurity experts, is a major risk, and the Privacy Commissioner's inability to penalize companies that violate the law has created a culture of impunity among corporate Australia.

“Because, what is the recourse? Businesses just aren’t doing the risk management that’s required. The tone starts from the top, ” says former Australian Federal Police investigator turned cyber expert Nigel Phair.

Smith's first assumption of Lee was that he had a charming smile, and the relationship developed quickly. Lee worked as a relationship manager for American Express Centurion, an exclusive club for black cardholders who spend at least $500,000 per year.

Smith had a platinum American Express card from living in the United States, but Lee suggested he sign up in Australia so he could illustrate how to maximize the benefits. He consented and began using American Express as his primary banking card shortly thereafter. After a series of comments about items Smith had purchased, places he had been, or payments he had made, he became skeptical that Lee was watching his transactions.

“I asked him how he was able to do this without my consent or authority (one-time pin etc), and he replied, ‘because the system is completely open, I have god mode’,” Smith wrote in a complaint later filed with American Express.

Smith has autism, and while he is classified as "high functioning," he occasionally struggles to recognize inappropriate behavior. He noticed "warning signs" about Lee but ignored them while traveling to Hawaii and Hamilton Island with his new partner, he claims.

During one of these trips, Smith became uneasy with the manner in which Lee discussed his clients' affairs, including major food distributor Primo Foods, which he claimed siphoned millions of dollars to the Cayman Islands. Lee later texted, "FYI, everything I tell you about work is highly confidential." 

By April, he had attempted to end the relationship and had warned Lee that he would report his behavior to American Express. Lee reacted negatively to this. He begged Smith to continue the relationship and, at one point, called Smith's close friend out of the blue to persuade her not to file a complaint. This was the breaking point. He was hell-bent on reporting Lee.

Amex: ‘No inappropriate access’

At the same time, another American Express employee noticed unusual activity on Smith's account. Lee was subjected to an internal investigation, which swiftly cleared him of any wrongdoing. On May 26, the company wrote to Smith, claiming Lee was not in a position to access his account and, in any case, there was training and processes in place to protect customer data.

Unconvinced, Smith asked American Express to confirm that Lee's access to his account had been blocked and reported the Primo Foods discussions. Smith claims that the following week, during a phone call, he was told that if Lee had looked at his account, it was no big deal because they were partners, and discussing Centurion's clients was also no cause for concern.

Smith filed a complaint with the Privacy Commissioner, who directed it to the Australian Financial Complaints Authority. AFCA immediately requested a meeting with American Express to verify that Lee had lost the rights to Smith's account.

The company's response was quick, but it turned out to be incorrect.  “We confirm that the employee has no access to [Smith]’s account,” Amex responded.

In subsequent letters between AFCA, Smith, and American Express, the company continued to imply that there had been no inappropriate access or violation of privacy laws. Until the plot shifted. In August, three months after Lee's suspicious activity was discovered, Smith was notified by American Express that Lee had indeed accessed his personal information.  

Lee accessed Smith's private account nine times between February and April of this year, according to digital access logs. American Express then stated that while it was impossible to prevent Lee from accessing the account, he would be disciplined and the account would be monitored to ensure no further intrusions.

“American Express is unable to practically restrict American Express employees from being able to access any specific Card member data. We acknowledge that [Smith] feels uncomfortable with his previous partner access to his personal information and have made every effort to implement controls to further protect his data,” the company wrote in a letter.

In a final decision issued this month, AFCA determined that American Express violated privacy laws by letting Lee to access his accounts without authorization both before and after the relationship. It awarded Smith $2000 in damages but did not order an apology or absolve the company of any wrongdoing.

“I am satisfied the financial firm has investigated the matters raised by the complainant, and in the circumstances, it has responded appropriately,” AFCA found.

American Express declined to answer specific questions about how it investigated Smith's complaint or what action it took against Lee, but stated it maintains the "highest levels of integrity" and has cooperated with AFCA.

“Whilst they made a determination against us, they concluded that American Express had investigated and responded appropriately,” the company said. “We are satisfied that this matter poses no risk to the integrity of our systems. Protecting the privacy of our customers and the integrity of our systems remains our utmost priority.”

Current laws allow for fines of up to $2.2 million for each unauthorized access. The federal government is considering raising the penalty to $50 million per breach, which would mean that American Express could have faced penalties totaling $450 million for the nine breaches.

“Companies need to take this issue around unauthorized access to information more seriously because the penalties are significant,” CyberCX privacy law expert David Batch says. “But in reality, the Privacy Commissioner has historically not handed down those fines.”

Smith was informed in October that AFCA's systemic issues team had agreed to investigate American Express's handling of Smith's case. This team investigates serious violations and systemic issues and has the authority to refer cases to other regulators, such as the Privacy Commissioner, however, its findings are a little transparent. AFCA was unable to comment on whether the promised investigation would be carried out.

According to Nigel Phair, Professor of Cybersecurity at the University of New South Wales, the "insider threat" is a major concern for businesses, where the actions of rogue employees can jeopardize the security of the entire organization.

He claims that the government's failure to implement harsh penalties on companies that mishandle their customers' data fosters a culture of impunity among Australian corporations.

For Smith, American Express and the system designed to hold companies accountable have let him down. He now makes a point of only using the card in ways that do not reveal his location. Requests for comment from Lee and Primo Foods were not returned.

*Not his real name. He asked that his identity be kept confidential.

To Support Passkeys, 1Password has Joined Passage

Passkey functionality, which enables users to securely log in to apps and websites without a password, will be made accessible to 1Password's customers by early 2023, the company announced.

Passkeys, which employ the WebAuthn standard developed by the FIDO Alliance and the World Wide Web Consortium, replace passwords with cryptographic key pairs that enable users to sign into accounts. These key pairs consist of a public key that can be shared and a private key that cannot be shared.

For users of Android devices, installing passwords on an Android phone or tablet is also simple. Passwords are simple to set up on an iPhone or iPad. In addition to extensions for various browsers, there still are versions for Linux, Windows 11, and macOS Ventura. The issue is that these platforms are beginning to ignore the password for the passkey.

Next year, 1Password will add support for passkeys, enabling users to log in without a password. Even for current users, the business has built up an interactive demo so they can see how the feature will operate once it is released.

Passkeys eliminate the requirement for a two-factor authentication code and are more resistant to phishing and compromised credentials than passwords in terms of password brute force attacks like password spraying.

It is accurate that 1Password claims that its version will have a few benefits over its rivals. Because it works with so many different operating systems, 1Password asserts that its passkeys are the only ones that support numerous devices and enable cross-platform synchronization.

The main benefits of passkeys, according to 1Password, are that they come with strong default encryption and do not need to be memorized because they are saved on the device, while the private key is kept private from the website being signed into. Furthermore, the private key cannot be deduced from the public key.

The world of authentication will alter as a result of passwordless technologies. This partnership must make it substantially simpler for businesses to integrate a safe, password-free authentication flow into their products in order for it to grow.


A Nearly $400 Million Fine Has Been Imposed on Google by the States

 

In a settlement over Google's location tracking practices, Google will have to pay close to $400 million to over 40 states. This is part of a $2.6 billion settlement to settle the matter as announced on Monday. 

Attorney General Rosenblum led an investigation into the multinational technology company that has its headquarters in Mountain View, California, along with Nebraska Attorney General Doug Peterson. According to the Oregon Attorney General's office, this is the largest consumer privacy settlement ever brought by an attorney general. 

In 2018, Rosenblum and other attorneys general started a bipartisan investigation into the company's practices based on an article published by the Associated Press. They found that Google had created confusing settings for consumers since at least 2014, and had been violating state consumer protection laws as a result. 

Rosenblum's office explained how the public was misled. According to the settlement agreement, Google misled its users into believing that they had turned off location tracking in their account settings. In fact, Google continued to collect their location information as indicated in the settlement. Further, in conjunction with the multimillion-dollar settlement, Google has agreed in the negotiations with the AGs to improve its user controls and disclosures about location tracking by 2023. 

To make sure users receive targeted advertisements, Google uses location data, as well as other types of personal information. In the view of Rosenblum's office, users' location data is among the most sensitive pieces of information that are collected by the company. This is because it is part of its attempt to create detailed profiles of them which can further be used in order to completely reveal the identity and routines of a person. 

In Rosenblum's view, "Google has prioritized profit over the privacy of its users for years. There has been a lot of deception and craftiness on their part. The company has been secretly recording the movements of consumers throughout the day and using that information for advertising purposes in spite of the fact that they thought they had turned off location tracking on Google." 

Besides paying $391.5 million, Google has also been ordered to make key information about location tracking unavoidable for users (not hidden). Google is now required to give users detailed information on a page titled “Location Technologies” about the types of location data it collects and how it is used. 

In addition to Arkansas, Florida, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, and Tennessee, there were many other states that were part of the settlement. 

Among the states that have joined this settlement are Alabama, Alaska, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Mexico, New York, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Utah, Vermont, Virginia, and Wisconsin. 

"Consumer privacy is one of my office’s top priorities. That’s why it’s so significant to me that Oregon played a key role in this settlement," Rosenblum further stated. "Until we have comprehensive privacy laws, companies will continue to compile large amounts of our personal data for marketing purposes with few controls."

Apple Accused Over Monitoring Users' Behavior Without Consent


According to a lawsuit, despite the fact that settings on Apple's iPhones and other devices are designed to prevent any tracking or sharing of app data, the corporation nonetheless collects, tracks, and monetizes user details even after users have turned off sharing.

When using the App Store app on iOS 14.6, each click users make is recorded and given to Apple, according to the thread posted last week by the Twitter account Mysk, which is maintained by two developers in Canada and Germany. 

The developers assert that this occurs regardless of users’ preferences and settings. The developers claim that "opting out or switching the personalization options off did not decrease the amount of detailed data that the app was transmitting." Apple provides a number of toggles designed to limit tracking.

In a follow-up report by Gizmodo, the developers discovered that although the privacy toggles, a number of additional apps, including Music, TV, Books, the iTunes Store, and Stocks, all transferred data to Apple. The site claims that the majority of the apps that transmitted analytics data shared constant ID numbers, which would allow Apple to follow user behavior across its services like the Health and Wallet apps.

Elliot Libman, the plaintiff, alleged  Apple's assurances that users have control over the data they provide when using iPhone apps are factually false and in violation of the California Invasion of Privacy Act.

The thread also notes how ironic Apple's alleged surveillance appears given that strong controls were introduced in iOS 14.5 to stop third-party developers from tracking users against their own will. Although the iOS 14.6 operating system has been around for more than a year, the researchers said they observed identical apps sending comparable data packets when using iOS 16.

Over 50% of Twitter Staff are Sacked by Elon Musk


Elon Musk, the new owner of Twitter, defended the decision on Saturday, claiming that there was 'no choice because the firm was losing millions of dollars daily. This comes amid a wave of widespread layoffs at Twitter around the world, including in India, and the outrage that followed.

Elon Musk made the decision to fire over 50% of the Twitter workers. After overnight limiting access to the company's headquarters and internal systems, employees were notified by email of their employment status.

To announce their departure, employees are tweeting using the hashtag #LoveWhereYouWorked and a saluting emoji. Elon justified the choice by claiming that the business was losing $4 million daily. Three months' worth of severance pay was provided to everyone who lost their jobs.

In contrast to a profit of $66 million during the same period last year, the corporation reported a net loss of $270 million for the second quarter that concluded on June 30, 2022. There are rumors that up to half of Twitter's 8,000 jobs could be eliminated. The website has trouble turning a profit. Making a dent in the salary cost is one method to solve the issue.

Simon Balmain, a senior community manager for Twitter in the UK, said that he had been signed out of both his work laptop and the Slack chat app, leading him to fear that he had been fired.

After already terminating some employees, several Twitter employees on Thursday night filed a class action complaint, according to CNN, alleging that Twitter violated the federal and California Worker Adjustment and Retraining Notification Act (WARN Act).

According to the WARN Act, if a mass layoff "affects 50 or more employees at a single site of employment," the employer has to give 60 days written notice in advance. Additionally, Twitter has let go of the majority of its over 200 Indian staff. According to sources, the engineering, sales and marketing, and communications teams will all be affected".

Following Elon Musk's takeover of the social media company, Twitter founder Jack Dorsey finally spoke out about the widespread layoffs. He stated, " I realize many are angry with me. I own the responsibility for why everyone is in this situation: I grew the company size too quickly. I apologise for that.”

The cost-cutting comes in response to criticism of Twitter's efforts to collect money by putting up a proposal to charge $8 (£7) per month for a blue check-mark that says, "Verified."Those that pay could receive more promotion for their tweets and see fewer advertisements in addition to the verification badge.

Since a few years prior, Twitter has not turned a profit, and its monthly user base of around 300 million people has remained broadly stable. Experts cautioned that Twitter's ability to battle misinformation may be impacted by the dismissal of half of its workers, particularly with the US midterm elections set for next week.





Six Steps to Vanish From the Internet and Erase Your Digital Footprint

 


Whenever you do something online, whether it is banking, shopping or simply commenting on social media posts, you leave a digital footprint. A digital footprint is basically a trace of yourself in cyberspace, which can be traced back to your IP address. 

Most people would agree that this is just an inevitable consequence of technological living. However, some are not comfortable with the thought that Google is tracking everything that they do online. This includes people who are concerned about online security or those who are victims of spam, doxxing, or spyware attacks. You may want to know how to hide completely from the Internet if you are in this camp, since you may wish to prevent people from finding you.

There are several steps you can take toward this end. If you are vigilant, committed, and diligent about it, you will be able to do a fairly effective job of cleaning up your online reputation.

If you have had any kind of online identity at all, then there is a high chance that you will always be able to find a trace of yourself somewhere online. As a result, here's how to get rid of 99% of the digital footprints left behind by you.

1. If you use social media, make sure your privacy settings are set to private: According to Beau Friedlander, a cyber security expert and co-host of the podcast What the Hack with Adam Levin, a true cybercrime podcast with Adam Levin, there is no good reason to have your personal information visible on your social media accounts. If you change the settings in your account so that it only shows information about you to close friends and relatives, your data will be able to be used for a variety of identity-related crimes. While you may delete your account completely, Friedlander advises that you should keep in mind that the information that has already been collected about you and sold to third parties will not disappear when you 'leave the building.' In addition, you could consider limiting how much personal information you share in your social media bios so that it only contains the bare minimum amount of information.

2. Choosing to stay away from online directories may be the most effective way to protect your privacy. Several online data brokers provide data on anyone with any kind of public record that is open-source intelligence, or OSINT, Friedlander explains to Yahoo Life. Essentially, what he is referring to is what is commonly referred to as a "people-finder website," which is an online version of the White Pages (Books of Information). It is, fortunately, possible for you to remove your personal information from their website by filling out online forms. You can opt-out of the following company's services by visiting the websites of Acxiom, Epsilon, Oracle, Equifax Information Services, Experian, and CoreLogic. By opting out, you can ensure that your information remains secure from prying eyes. It is advisable to use a service such as JustDeleteMe.com if you would like to simplify the process.

3. The next thing you should do is to close your old accounts: "You might have forgotten all about [social media sites] associated with bygone eras of the web, but in reality, your data may still be out there," warns Friedlander. Check out HaveIBeenPwned.com to see if any of your old accounts have been compromised in data breaches. If the site flags that your passwords are compromised (and, therefore, your personal information) then you need to shut them down immediately. Even better, if you do not need them anymore, shut them down regardless of all things.

4. Create many accounts: Friedlander recommends setting up several accounts so that you can access all the services you need to make your life easier. In addition, you can create multiple accounts for free. There are numerous benefits to setting up separate email addresses and accounts when you are shopping online. These benefits include donating to political causes and keeping a private account that is just for your close acquaintances. So think about it!

5. Do regular privacy audits for your personal information: There may be a time when you want to undertake a personal privacy audit for your personal information (wants to think you have it set up as tight as possible) if you think your privacy is as tight as it can be. The first step is acquainting yourself with the privacy features offered by the services. This is regardless of whether you have been using them for years or if this is your first time using them. Make certain you know what privacy features they provide and what controls and settings they provide.

6. Check out what comes up when you search your name on a search engine: Try to find out what comes up when you search your name. It is always possible to request the removal of your name and/or photo from third-party sites where you appear, whether for reasons of a community event or a quote you provided to a local reporter.

Drizly Sued by FTC Over Data Breach Which Affected 2.5 Million Customers

According to claims that Drizly's security lapses resulted in a data breach that exposed the personal information of roughly 2.5 million customers, the Federal Trade Commission is taking legal action against the company and its CEO James Cory Rellas.

The FTC claims that the Uber-owned booze delivery business and its CEO, James Cory Rellas, were made aware of security concerns as early as 2018. The digital alcohol retailer Drizly and its CEO James Cory Rellas are being investigated by the Federal Trade Commission over claims that the company's security flaws caused a data breach that exposed the private data of around 2.5 million customers.

Drizly, an Uber subsidiary, runs an online marketplace where local shops can sell alcohol to customers who are of legal drinking age. The complaint alleges that Drizly gathered and stored users' email addresses, passwords, geolocation data, and postal addresses on Amazon Web Services (AWS) cloud computing service while negotiating deals.

According to the FTC, Drizly's lax security procedures, such as not forcing employees to utilize two-factor authentication for GitHub, where it stored login information, allowed those occurrences to occur. The FTC further notes that Drizly has no senior executive in charge of its security practice and did not restrict employees' access to consumers' personal information.

According to Samuel Levine, Director of the FTC's Bureau of Consumer Protection, "our proposed order against Drizly not only limits what the firm can retain and collect going ahead but also ensures the CEO suffers penalties for the company's negligence."

In its lawsuits and rulings, the FTC has been naming firm officials more frequently. As CEO of Drizly, Rellas was accused by the FTC of failing to appoint a senior executive to manage the security procedures. Companies may wish to make sure they hire a senior official in charge of security to help reduce the potential of individual liability for CEOs.

These draft orders will be published by the FTC soon, and the public will have 30 days to comment on them until the commission chooses whether to make them public.



 Sophos: Hackers Avoid Deep Fakes as Phishing Attacks are Effective

According to a prominent security counsel for the UK-based infosec business Sophos, the fear of deepfake scams is entirely exaggerated.

According to John Shier, senior security adviser for cybersecurity company Sophos, hackers may never need to utilize deepfakes on a large scale because there are other, more effective ways to deceive individuals into giving up personal information and financial data.

As per Shier, phishing and other types of social engineering are much more effective than deepfakes, which are artificial intelligence-generated videos that imitate human speech.

What are deepfakes?

Scammers frequently use technology to carry out 'Identity Theft'. In order to demonstrate the risks of deepfakes, researchers in 2018 employed the technology to assume the identity of former US President Barack Obama and disseminate a hoax online.

Shier believes that while deepfakes may be overkill for some kinds of fraud, romance scams—in which a scammer develops a close relationship with their victim online in order to persuade them to send them money—could make good use of the technology because videos will give an online identity inherent legitimacy.

Since deepfake technology has gotten simpler to access and apply, Eric Horvitz, chief science officer at Microsoft, outlines his opinion that in the near future, "we won't be able to tell if the person we're chatting to on a video conversation is real or an impostor."

The expert also anticipates that deepfakes will become more common in several sectors, including romance scams. Making convincing false personas requires a significant commitment of time, effort, and devotion, and adding a deepfake does not require much more work. Shier is concerned that deepfaked romance frauds might become an issue if AI makes it possible for the con artist to operate on a large scale.

Shier was hesitant to assign a date for industrialized deepfake bots, but he claimed that the required technology is becoming better and better every year.

The researcher noted that "AI experts make it sound like it is still a few years away from the huge effect." In the interim, we will observe well-funded criminal organizations carrying out the subsequent degree of compromise to deceive victims into writing checks into accounts.

Deepfakes have historically been employed primarily to produce sexualized images and movies, almost always featuring women.

Nevertheless, a Binance PR executive recently disclosed that fraudsters had developed a deepfaked clone that took part in Zoom calls and attempted to conduct bitcoin scams.

Deepfakes may not necessarily be a scammer's primary tactic, but security researchers at Trend Micro said last month that they are frequently used to augment other techniques. The lifelike computerized images have recently appeared in online advertisements, phony business meetings, and job seeker frauds. The distress is that anybody could become a victim because the internet is so pervasive.






Elon Musk and Twitter Will End Their Court Battle as Early as Wednesday




A source close to the litigation, familiar with Elon Musk's case, tells Reuters that the world's richest man and Twitter Inc are likely to reach an agreement as soon as Wednesday that will allow him to close a $44 billion deal with the social media platform. Evaporation of the litigation could take place as early as Wednesday, the source adds. 

Musk, who is also the chief executive officer and a billionaire founder of the electric car manufacturer Tesla Motors, announced on Twitter late Monday that he would change course and abide by his agreement to purchase the company for $54.20 per share. There is a possibility that the following will happen if Twitter drops its lawsuit against the company. 

During Monday's announcement of his plans, Musk included a condition that the deal would not close unless the necessary debt financing had been obtained. As per a source, depending on how the negotiations unfold, it is possible that this condition could be lifted by a potential agreement, which is why he has requested anonymity due to the sensitive nature of the negotiations. 

There has been no sign that Twitter's legal team has accepted any of the offers made by the federal government. Instead, earlier in the day, Chancellor Kathaleen McCormick, the Supreme Court justice on Delaware's Court of Chancery, said that she was preparing for a possible trial. 

An attorney representing the Twitter shareholders who are seeking to begin a class action lawsuit against Musk, also stated in a letter to McCormick that Musk should be required to make a substantial deposit to cover any losses if he reneges on his commitment to finishing the deal again. Michael Hanrahan also claims that he should be held liable for interest that was caused by his actions that delayed the closing of the deal. 

On Wednesday, the New York Times reported that Musk and Twitter executives had several unsuccessful discussions in recent weeks. These discussions were regarding a possible price cut to Musk's $44 billion plan to buy the popular social media platform. On Monday, he reversed course after he reversed course on the acquisition. 

As per the report, Musk on the first occasion requested a 30% discount. This was later reduced to about 10% and ultimately rejected by Twitter due to the lack of interest from the company. 

Musk's legal team did not provide any information on what led to the team's offer of settling the case. He was, however, expected to face some tough questions at his deposition in Austin, Texas on Thursday. Twitter may have been able to gain leverage in talks for a deal to close because of the same. 

On Wednesday, Twitter shares closed at $51.30, a drop of 1.3% from their previous closing price of $53.90. On Tuesday, Twitter's shares touched their highest since Musk and Twitter reached a deal in April calling for Musk's purchase of the company at $54.20 a share. 

Musk's shares of Tesla fell by 3.5% on Wednesday. This was because investors were fearful Musk may be forced to sell more shares of the electric carmaker to fund the Twitter deal. Musk is yet to confirm. Additionally, Twitter could be a distraction for entrepreneurs since it is a social media platform. 

According to Musk, he walked away from Facebook’s acquisition deal in July after discovering Twitter had allegedly misled him about the number of fake accounts. However, Twitter did not respond to Musk’s request for comment. 



Laws Regulating SIM Card Registration may Violate Private Data

The law protecting personal data in the Philippines was in the works, and it was ultimately passed. A wave of data security breaches in the nation, according to the administration, makes the new data protection measures essential.

Although it's fair to be concerned about internet theft, a progressive group called Bagong Alyansang Makabayan (Bayan) warned on Monday that the new law requiring SIM card registration could be abused to invade people's privacy.

"While abandoning privacy is a more difficult reaction, we are aware of the latest worries around internet scams. Any policy that would jeopardize the right to privacy should be viewed as dangerous," according to Renato Reyes, secretary-general of the Bayan organization. The Philippine government has a long history of violating human rights.

"The SIM register could develop into a huge network of surveillance used against people. Given that the Philippine government has experienced data leaks in the past, the data that is collected might not be kept secure," Renato Reyes stated.

President Ferdinand Marcos gave the SIM card law his first official signature since assuming office on June 30 early that day. It demonstrated the purpose of the Marcos administration to safeguard Filipinos from cybercrime, as per House Speaker Ferdinand Martin Romualdez.

Users of mobile phones are required by Republic Act No. 11934 to register their SIM cards with telecommunications companies. They would then be required to present legitimate identification cards as well as a fully completed registration form.

Those who were unable to produce a legitimate ID might instead show a clearance from the National Bureau of Investigation, a police clearance, or a birth certificate that had been approved by the Philippine Statistics Authority and had an ID photo on it.

Since authorities will be able to determine the owner of a SIM card used for the commission of a crime, even terrorism, supporters of the proposal believe it may be a tool against internet scams. Legislators recently found during hearings on text scams and spam messages sent to cell phones that insufficient regulations made it difficult for law enforcement to pursue cybercriminals.

Pavel Durov: Users Must Cease Using WhatsApp Since it's a Spying Tool

WhatsApp is among the most popular messaging apps in the world. It was first launched in January 2009 and since then evolved to include audio and video calls, emojis, and WhatsApp Payments. However, criticism has also surrounded the well-known messaging app due to claims about privacy and security issues. 

Recently, WhatsApp disclosed a security flaw affecting its Android app that was deemed critical. Pavel Durov, the creator of Telegram, pokes fun at WhatsApp and advises users to avoid it. 

Hackers could have complete access to all aspects of WhatsApp users' phones, according to Telegram founder Pavel Durov. Additionally, he asserted that WhatsApp has been monitoring user data for the past 13 years while claiming that WhatsApp's security flaws were planned purposely.

Durov outlined Telegram's security and privacy characteristics by saying, "I'm not trying to convince anyone to use Telegram here. There is no need to promote Telegram more." He claimed that Telegram's instant messaging software prioritizes privacy. With more than 700 million active users as of right now, the app is apparently growing steadily, adding over 2 million new users every day.

Regarding security and privacy, WhatsApp states that all texts, chats, and video calls are provided with end-to-end encryption. However, the program has frequently experienced bugs and security problems, which have sparked concerns about its privacy.

In terms of private chats and user data, WhatsApp already has a complicated and distorted past. People have been worried about Facebook's handling of users' personal data ever since it purchased Meta in 2014. For revealing user data not just with governmental organizations but also with private parties, Meta has been criticized for a considerable time.

The rise in popularity of Telegram and Signal and other instant messaging services with a security and privacy focus can be attributed to this.

According to a recent report from Meta, WhatsApp users are susceptible to hacking due to a flaw in the way videos are downloaded and played back. If this flaw is exploited, hackers would have complete access to virtually everything on the phone of the WhatsApp user. Along with users' emails and pictures, this also contains other correspondence, such as SMS messages from various banks and app data from one's banking and payment apps.




Telecom Giant Optus Suffers Data Breach, Leaking Info of Million Customers


Millions of customers suffer a data leak

Optus, an Australian telecom giant earlier this week confirmed that around 2.1 million of its present and past customers suffered data leaks that included their personal details,  at least one type of identification number, as a consequence of a data breach that happened late in September. 

Others believe that the Optus data breach incident has exposed the personal information of around 10 million people. Cybercrime in Australia has always been a pressing issue, it costs the country a minimum of $10 Million per year, and the figures can only go up. 

Due to exposing to hyper-personal information like DoB, driving license, passport, residential address, etc. Threat actors will misuse your information for applying for credit on your behalf without you knowing about it. 

What do criminals do with stolen data?

If cybercriminals find some agency willing to give credit, they'll immediately spend it, resulting in load default, it will put a black mark against your name, and you won't even know about it until you need the credit for yourself the next time. 

Optus said that it has contacted Deloitte for assistance, and will do an external forensic inquiry of the breach to know how the incident happened and how Optus can take preventive measures to stop it from happening again. 

Singtel, a telecommunication conglomerate in Singapore is the parent company of Optus, it also shares a few stakes in Bharti Airtel, the second largest telecommunication carrier in India. Singtel on its website said:

"Approximately 1.2 million customers have had at least one number from a current and valid form of identification, and personal information, compromised."

What kind of information was leaked?

Singtel also said that the leak has impacted expired IDs and personal info of around 900,000 additional customers, stressing that leaked data doesn't include valid or current document ID numbers for around 7.7 million customers. Customers are advised to stay vigilant about possible smishing and phishing attacks. 

In the Optus incident involving the customers that are most affected, state law enforcement agencies and Australian police are working together on "Operation Guardian" to help with securing the identity of the impacted customers. 

The next step for Optus

Optus has informed the affected customers that their personal information has been compromised in the breach, also including Medicare IDs. Optus on 28 September disclosed- out of 9.8 million customer records leaked, the leak involved around 14,900 working Medicare IDs and 22,000 expired Medicare card numbers.

The data leak incident surfaced on September 22, involving a threat actor getting unauthorized access to customer details. The criminals used the alias "optusdata," and they leaked a small sample of the stolen data of 10,200 users, demanding Optus to pay a ransom of $1 million to stop more leaks. 

It raises a question for you: why can't I control my own identity? The answer, is you can, by limiting how and where you share your information. 

However, the Optus data leak has made us all doubt if we can trust any organization?  












Bjorka Hunt: Indonesian Parliament Passes Personal Data Protection Bill


After a series of data leaks pertaining to 1.3 billion registered phone numbers and 105 million voters and confidential official records of the President’s correspondence, Indonesia's newly established data protection task force is chasing down a hacker dubbed 'Bjorka'.  
 
Bjorka claims to be based in Warsaw, Poland and has been stealing and selling data that included information pertaining to state-owned enterprises, mobile phone operators, and the general election commission. The stolen data was found to be sold on a BreachForums for the past few weeks. The hacker has also leaked confidential logs of incoming and outgoing documents between Indonesia's President Joko Widodo and the State Intelligence Agency.  
 
The hacker has been tweeting for the past weeks with regards to the leaks, he boldly made statements like “stop being an idiot” directed towards the government. The day after a senior informatics applications official appealed to Bjorka to stop leaking the country’s personal data, at a press conference on September 5th. Bjorka also mentioned in another tweet about how easy it is “to get into various data protection policy [...] primarily if it is managed by the government.” 
 
In the wake of the incident, at least three of Bjorka’s Twitter accounts have been suspended by the government. 
 
Bjorka’s Hunt initiated by the data protection task force has led to the arrest of a man in Madiun, East Java who is believed to be Bjorka. The 21-year-old man, going by the initials MAH, is being interrogated by the force, though he has not been formally charged with any criminal offense as of yet. Currently, the real identity of Bjorka remains unknown as there is no credible information regarding his whereabouts.
 
Chief executive of Jakarta-based Digital Forensic Indonesia, Mr. Ruby stated that instead of focusing only on the latest data breach, the task force should also investigate similar leaks and related cases since 2019.  It will allow the lessons from past cases to prevent any such incidents that may happen in the future. 
 
“It’s better for the task force to improve data management. Relevant institutions just denied data leaks in the past few years and did not enhance their data protection and therefore, there have been recurring data leaks,” states Mr. Alfons Tanujaya, IT security specialist at Vaksincom. 

With regard to the recent surge in data breaches and particularly the aforementioned case, the Indonesian Parliament passed the Personal Data Protection Bill on Tuesday. The Communications minister Johnny G Plate stated that the bill “marks a new era in the management of personal data in Indonesia, especially on the digital front.” The bill includes corporate fines and up to six-year imprisonment for those who are found to have mishandled data for breaching rules on distributing or gathering personal data.

LastPass Hacked, Customer Data and Vaults Secure

The password manager, LastPass recently unveiled that the attackers who breached its security in August 2020 also had access to its network for four days. 
 
As per the latest statements by LastPass, the company suffered from the interference of cyber attackers for four days in august 2022. Luckily, the company was able to detect and remove malicious actors during this period. 

With regards to the investigation updates concerning the security breach, the CEO of LastPass, Karim Toubba published a notice, stating, “We have completed the investigation and forensics process in partnership with Mandiant.” 
 
Furtermore, the company also stated, “There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.” 
 
During the investigation, the company found that the malicious actors got access to the development environment by compromising a developer’s endpoint. After the developer completed its multi-factor authentication, the cyber attackers used their persistent access in imitating the developer and entered the development environment. 
 
However, the company commented that the system design and controls of the developer environment prevented threat actors from meddling with customer data or coded password vaults. 
 
The security measures of LastPass include a master password, which is required to access the vaults and decrypt the data. However, LastPass does not store that master password, which invalidates any other attempt of accessing other than by the user himself. In essence, LastPass does not have access to its users' master passwords. 

In an analysis of source code and production, it was found that as LastPass does not allow any developer from the development environment to push source code into a production environment without a fixed process, the threat actors were also unable to inject any code-poisoning or malicious code. 
 
In order to extend support to LastPass’s customers, Toubab further assured in the notice that they "have deployed enhanced security controls including additional endpoint security controls and monitoring.” The company has worked jointly with Mandiant, an American cybersecurity firm and a subsidiary of Google – to conclude that no sensitive data has been compromised. 

In 2015, the company witnessed a security incident that impacted email addresses, authentication hashes, and password reminders along with other data. Today, LastPass has approximately 33 million customers, thus a similar security breach would have a more jarring impact and hence is a matter of utmost concern. LastPass persuaded customers that their private data and passwords are safe with them as there was no evidence suggesting that any customer data was compromised. 


TikTok Android Vulnerability Identified by Microsoft 

 

In the TikTok Android app, Microsoft has described a high-severity weakness that might have enabled a hacker to take over an account by luring users into clicking on a link.

The bug's current identification is CVE-2022-28799. According to Microsoft, the flaw has not yet been exploited by the public, despite the app having an estimated 1.5 billion downloads on the Play Store. Microsoft advises all TikTok users on Android to upgrade the app to the most recent version while it is being patched.

In fact, Microsoft detected over 70 vulnerable JavaScript methods that, when combined with a bug to take control of WebView, might be exploited to provide the attacker's capability.

Threat actors could execute authenticated HTTP queries or access or modify the private information of TikTok users using the ways that were publicly disclosed.

In essence, attackers who would have been successful in exploiting this vulnerability might have easily:
  • Retrieved the users' authentication tokens by triggering a request to a server under their control and logging the cookie and the request headers.
  • Retrieved or modified the users' TikTok account data, including private videos and profile settings by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.
"The TikTok Android app was revealed to have a WebView Hijacking vulnerability due to an unvalidated deep link on an invalid argument. Through a JavaScript interface, this may have led to account hijacking, " The HackerOne  explained in an article.

Only about a month after Microsoft first revealed the security flaw, TikTok version 23.7.3 was launched with a patch to address the CVE-2022-28799 tracking number.

Microsoft further said that "Once the targeted TikTok user clicks the hacker's specially constructed malicious link, the attacker's server is granted total access to the JavaScript bridge and can activate any accessible functionality."

The server of the attacker sends back an HTML page with JavaScript code that modifies the user's profile biography and sends video upload tokens back to the attacker.

Attackers with complete access to users' accounts could modify their profile information, send messages, upload movies, and even post private videos.

Tiktok has also fixed further security vulnerabilities that might have let hackers steal customers' personal details or take over their accounts to tamper with footage.

Austria: Google Breached a EU Court Order

The Austrian advocacy group noyb.eu complained to France's data protection authorities on Wednesday that Google had violated a European Union court judgment by sending unsolicited advertising emails directly to the inbox of Gmail users. 

One of Europe's busiest data regulators, the French CNIL, has imposed some of the largest fines on companies like Google and Facebook. The activist organization gave CNIL screenshots of a user's inbox that displayed advertising messages at the top.

The French word 'annonce,' or 'ad,' and a green box were used to identify the messages. According to the group, that type of marketing was only permitted under EU rules with the users' consent.

When referring to Gmail's anti-spam filters, which place the majority of unsolicited emails in a separate folder, Romain Robert, program director at noyb.eu, said, "It's as if the mailman was paid to eliminate the ads from your inbox and put his own instead."

Requests for comment from Google did not immediately receive a response. A CNIL spokeswoman acknowledged that the organization had received the complaint and was in the process of registering it.

The CNIL was chosen by Vienna-based noyb.eu (None Of Your Business) over other national data privacy watchdogs because it has a reputation for being one of the EU's most outspoken regulators, according to Robert.

Even while any CNIL ruling would only be enforceable in France, it might force Google to examine its methods there. 

Max Schrems, an Austrian lawyer and privacy activist who won a prominent privacy case before Europe's top court in 2020, formed the advocacy group Noyb.eu.

This year, the CNIL fined Google a record-breaking 150 million euros ($149 million) for making it challenging for people to reject web trackers. Facebook (FB.O), owned by Meta Platforms, was also penalized 60 million euros for the same offense.

The firms are constantly under investigation for their practice of transmitting the private details of EU citizens to databases in the US. Numerous complaints have been made by NOYB to authorities throughout the bloc, claiming that the practice is forbidden.

A crucial tenet of the European Union's data privacy policy and a primary goal for the CNIL is the prior agreement of Internet users for the use of cookies, which are small bits of data that aid in the creation of targeted digital advertising campaigns. 

Upcoming Crimeware is Driven by Cobalt Strike

Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.

Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Utilizing research queries derived by examining the toolkit, how sliver functions, its components, and malicious activity using it can be found.

Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.

Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.

Hackers have developed alternatives as Cobalt Strike's defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.

According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.

Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. The gang in the past, has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.

State-sponsored actors in Russia, especially APT29 also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).

Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.

Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Hackers can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols DNS, HTTP/TLS, MTLS, and TCP, accepts implants/operator connections, and can host files to imitate legitimate web servers.

Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.

Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don't have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.


PayPal Invoices Used for Data Theft

The past few months have seen an increase in the usage of convincing phishing emails made using an attack on PayPal's invoice system. Scammers are constantly seeking new ways to steal your personal information or money. 

Hackers send bogus invoices from PayPal's website using a free PayPal account they have registered. The emails' bodies contained spoof logos of companies like Norton to make their recipients believe they were authentic.

Emails from PayPal will likely be delivered to your inbox rather than your spam bin because they are not regarded as spam. Because it came from a real Paypal account, the email will appear to be trustworthy so users are advised to stay cautious and not fall for it. You won't receive a worthwhile service if you pay this charge, cybercriminals will receive your money and use it for their own gain. 

The PayPal invoices feature statements like "thank you for purchasing Norton Security Premium package, if you have not authorized this transaction, please call us with your credit card details." They resemble a related fraud that employed phony Quickbooks invoices and was disclosed earlier this month.

The scam, often known as a "double spear" assault, prompts users to call the number, at which point hackers attempt to get them to pay the invoice and steal their credit card information.

Phishing efforts are frequent and come in a variety of shapes, according to a written statement from PayPal.

PayPal stated that it has a zero-tolerance policy for attempted fraud on the platform and that its team is working relentlessly to protect its consumers.

"We are aware of this well-known phishing scheme and have added more measures to help mitigate this particular incidence," the company said. "Nevertheless, we advise clients to exercise constant vigilance online and to get in touch with Customer Service immediately if they believe they are a victim of a scam."

It's astonishing how well-adapted modern fraudsters are at using the very same technologies that financial institutions have long utilized to provide their consumers a sense of security while dealing online. 

Today's scamsters seem to be more interested in hacking your entire computer and online life with remote administration software than they are in stealing your PayPal password, which seems to be at the center of the majority of frauds these days.

Users are advised to follow the guidelines given below in order to safeguard themselves against the aforementioned scam. 
  • To prevent phishing emails from being sent to you, don't rely on email spam filters. Examine emails for warning signs, such as impending deadlines and scare tactics, to spot potential phishing frauds.
  • Use a recognized phone number or email address to get in touch with the service provider directly to confirm the validity of an invoice. To get in touch with the service provider, do not utilize the phone number or link provided in the invoice.
  • The simple notion that an email was delivered via a reputable website should not be used as proof of its validity. To make their schemes seem more credible, cybercriminals can exploit reliable websites.

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.