Showing posts with label Private Data.

Apple is Tracking Your Every Move, Here's All You Need to Know


Tech giant Apple projects itself as a privacy-focused firm, but according to the latest research, the company might be contradicting its own practices when it comes to collecting App Store data. 

According to a Twitter thread published by iOS developer and security researcher Tommy Mysk, Apple tracks customers' activity via a 'Directory Services Identifier' (dsId), which is linked to the customer’s iCloud account and can be used to collect private data like name, email address, and contacts. 

What is more worrying, according to the thread, is that even if customers switch off Device Analytics in the Settings menu, the company still attaches this dsId to analytics data from other apps too. 

“Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you,” Mysk tweeted. 

However, the tech giant’s Device Analytics & Privacy document says that none of the user information collected is linked to that individual, suggesting that as a user, you would appear anonymous.

“None of the collected information identifies you personally. Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple. You can review this information on your iOS device by going to Settings > Privacy & Security > Analytics & Improvements and tapping Analytics Data,” the document reads.

Even though Apple continues to prattle that it is a privacy-oriented firm that values customers’ privacy and focuses on giving them more control over what data they share with advertisers and app developers, it can still employ the dsId for its own benefit, whatever that may be. 

Earlier this month, Gizmodo reported that a lawsuit was filed against Apple, with the plaintiff stating that Apple illegally siphons user data even when the firm's own privacy settings promise not to. The lawsuit was filed based on Mysk’s research; however, the researcher was unable to analyze the data in iOS 16 due to its encryption.

Data of 1.3M Patients of Novant Health was Leaked to Meta

More than 1.3 million users have received notices from healthcare provider Novant Health that their protected health information (PHI) had unintentionally been leaked to Facebook parent firm Meta.

Facebook advertisers can add a JavaScript tracking script known as the Meta Pixel to their websites to measure the effectiveness of their advertising. The unauthorized access to and disclosure of patient records began in May 2020, when Novant launched Facebook ad campaigns to promote the COVID-19 vaccine.

The company said that Novant Health had deployed a misconfigured pixel on both its website and the Novant Health MyChart patient portal, and that the pixel carried code that allowed businesses to track website activity.

The healthcare company placed the Meta Pixel code on its website to track these advertisements and evaluate their effectiveness.

The pixel was added to the portals in May 2020 and disabled in May 2022, after a reporter contacted Novant Health with questions about its use of the Meta Pixel and the company learned of the potential data exposure.

In June 2022, Novant Health determined that, depending on a user's activity on the Novant Health website and the MyChart portal, PHI may have been shared with Meta.

The potentially affected information included email addresses, phone numbers, computer IP addresses, contact information patients entered into Advanced Care Planning or Emergency Contacts, appointment information, the doctor they chose, and data such as button/menu selections and/or content typed into free-text boxes.

64 healthcare service providers in the United States use the MyChart portal, which enables their users to schedule medical appointments, ask for prescription refills, get in touch with their clinicians, and more.

Unfortunately, because of the tracker's improper configuration, even people who have not actually used Novant's services may nonetheless have been exposed.
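The exposure above comes down to a third-party script loading on authenticated portal pages. The following is an added example (not Novant Health's, Epic's or Meta's code) of the check a site owner can run: it parses a constructed sample of a portal page, lists every external script host, flags any host that is not the site's own on a path marked as sensitive, and builds the Content-Security-Policy `script-src` value that would have stopped such a tracker from loading. The hostnames (`portal.example`, `tracker.example`) and the sensitive path prefixes are constructed for the example.

```python
"""Audit a web page for third-party tracking scripts on sensitive paths.

Added example, not code from the page or from any vendor it names. Parses a
constructed page, reports external script hosts, and flags third-party hosts
on sensitive paths. Hostnames and paths are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a portal page with a first-party script and a
# third-party pixel loader (tracker.example is a placeholder host).
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://tracker.example/pixel.js"></script>
<script>window.pixelQueue = []</script>
</head><body>
<form id="contact"><input name="phone"><button>Save</button></form>
</body></html>"""

# Constructed: paths on which no third-party script should ever load.
SENSITIVE_PATH_PREFIXES = ("/mychart/", "/appointments/", "/records/")


class ScriptCollector(HTMLParser):
    """Collects src attributes of <script> tags and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def third_party_scripts(html, first_party_host):
    """Return external script hosts other than the first-party host.

    Relative URLs carry no host and are first-party by definition.
    """
    collector = ScriptCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host != first_party_host:
            hosts.add(host)
    return sorted(hosts)


def is_sensitive(path):
    """True when the path lies under one of the sensitive prefixes."""
    return path.startswith(SENSITIVE_PATH_PREFIXES)


def audit(html, page_url):
    """Audit one page: a violation is a third-party script on a sensitive path."""
    parsed = urlparse(page_url)
    foreign = third_party_scripts(html, parsed.hostname)
    sensitive = is_sensitive(parsed.path)
    return {
        "page": page_url,
        "sensitive": sensitive,
        "third_party_hosts": foreign,
        "violation": sensitive and bool(foreign),
    }


def csp_script_src(allowed_hosts=()):
    """Build a script-src directive allowing only the site itself plus
    an explicit allowlist; anything else is refused by the browser."""
    sources = ["'self'"] + [f"https://{h}" for h in allowed_hosts]
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    print(audit(SAMPLE_PAGE, "https://portal.example/mychart/contact"))
    print("Content-Security-Policy:", csp_script_src())
```

Run the audit over every route of the portal, not only the landing page; the tracker in the Novant case did its damage on the pages where patients typed into forms and clicked through appointment menus, which is exactly where the `violation` flag fires here.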

"Advertisers shouldn't send private data about individuals through our business tools. This is against our policies, and to avoid it from happening, we instruct advertising on how to set up business tools correctly. Our technology is built to weed out any potentially sensitive information it can find. We'll keep trying to get in touch with Novant," a Meta spokeswoman stated.

Only those who received notices may consider themselves victims of a breach, according to the company, which claims it has identified the affected persons following a thorough investigation that was finished on June 17, 2022. Novant claimed that it's not aware of any "improper or attempted use" of the information by Meta or any other third party. 

T-Mobile Agrees to Pay $350M to Users in Data Breach Settlement


This week, T-Mobile agreed to pay $350 million to settle litigation brought over an August 2021 cyberattack in which a hacker siphoned private information belonging to an estimated 76.6 million people. 

According to an SEC filing Friday afternoon, the company also promised to make an additional $150 million investment in data security and related technologies this year and next. The $350 million payout will fund claims by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. 

If the court approves the settlement, it “will resolve substantially all of the claims brought by the Company’s current, former and prospective customers who were impacted by the 2021 cyberattack,” T-Mobile said in its SEC filing. 

The Bellevue, Wash.-based wireless carrier will continue to cooperate with various regulators who are separately investigating the incident, according to a T-Mobile spokesperson. “As we continue to invest time, energy, and resources in addressing this challenge, we are pleased to have resolved this consumer class action filing,” T-Mobile said in a statement about the settlement posted on its website Friday. 

According to the SEC filing, T-Mobile expects to record a pre-tax charge of about $400 million in the second quarter as a result of the settlement. The filing notes that the charge and the $150 million investment in security were anticipated in its prior financial guidance to investors. 

Last year in August, T-Mobile announced a data breach after a hacking organization infiltrated its computer systems to steal sensitive data relating to millions of customers, and sold some of the information on the dark web. 

Motherboard was given access to some of the data, and the publication confirmed that it contained correct details on T-Mobile subscribers. The seller told Motherboard that they had infiltrated multiple T-Mobile servers. A subset of the data, containing around 30 million Social Security numbers and driver's license details, was being sold on the forum for six bitcoins, while the rest was being sold privately.

T-Mobile is the brand name for the mobile communications companies of Deutsche Telekom AG, a German telecommunications firm, in the Czech Republic (T-Mobile Czech Republic), the Netherlands (T-Mobile Netherlands), Poland (T-Mobile Polska), and the United States (T-Mobile US). 

Owner of CafePress Penalized $500,000 for Hiding a Data Breach


CafePress's former owner, Residual Pumpkin, has been fined $500,000 by the U.S. Federal Trade Commission (FTC) in its final order over a 2019 data breach that impacted 23 million customers.

CafePress is a US site that sells print-on-demand items like apparel, housewares, and kitchenware. Sellers can register on the website and upload their designs, and CafePress takes a percentage of every sale. 

Residual Pumpkin stored Social Security numbers and password-recovery answers in plaintext and retained them for longer than necessary. The company also failed to apply readily available safeguards or to respond to security vulnerabilities. After several attacks on its servers, it attempted to hide the significant data breach caused by its inadequate security practices. 

The FTC's order was accepted by a unanimous 5-0 vote. In addition to the fines, the FTC has mandated that the companies implement multi-factor authentication and encrypt all stored Social Security numbers. 

The company's current owner, PlanetArt, which acquired CafePress in 2020, has set up an alert system to notify all customers and vendors whose private information was compromised.

During a February 2019 breach of CafePress' servers, unknown attackers gained access to data stored as SHA-1 hashes, and the personal information of 23,205,290 CafePress users was later sold on the dark web. Several users only became aware of the situation after receiving notifications from Troy Hunt's Have I Been Pwned service. The only indication that something was wrong was that users were prompted to reset their passwords on logging in, without being informed of the data breach. 

According to the FTC's complaint, CafePress was aware of its vulnerabilities even before the 2019 incident, since some of its merchants' accounts had been compromised since at least January 2018.

Instead of informing the affected users, CafePress closed their accounts and charged each of them a $25 account closure fee. Before the 2019 breach, the company's network had also been hit by several malware infections, and CafePress again neglected to investigate the attacks.

Former Amazon Employee Found Guilty in 2019 Capital One Data Breach


Paige Thompson, a 36-year-old former Amazon employee, has been found guilty of her role in the theft of the private data of no fewer than 100 million people in the 2019 Capital One breach. A Seattle jury convicted her of wire fraud and five counts of unauthorized access to a protected computer. 

Thompson, who operated under the online name "erratic" and worked for the tech giant until 2016, is scheduled for sentencing on September 15, 2022. Cumulatively, the offenses are punishable by up to 25 years in prison. 

"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," stated U.S. Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself." 

The data breach, which came to light in July 2019, involved Thompson infiltrating Amazon's cloud computing systems and stealing the private data of nearly 100 million individuals in the U.S. and six million in Canada. That included names, dates of birth, Social Security numbers, email addresses and phone numbers, and other critical financial data, such as credit scores, limits, and balances. 

According to the Department of Justice, Thompson employed a custom tool she designed herself to search for misconfigured Amazon Web Services (AWS) accounts. Subsequently, she exfiltrated sensitive data belonging to over 30 entities, including Capital One, deployed cryptocurrency mining software onto the bank's servers, and sent the earnings straight to her digital wallet. 

Additionally, the hacker left an online trail for authorities to follow as she boasted about her illegal activities to others via text and online forums, the Justice Department noted. The stolen data was also shared on a publicly accessible GitHub page. 

"She wanted data, she wanted money, and she wanted to brag," Assistant U.S. Attorney Andrew Friedman told the jury in the closing arguments, according to a press statement from the Justice Department. 

In August 2020, the banking giant was fined $80 million by the Office of the Comptroller of the Currency (OCC) for failing to implement proper risk management measures before shifting its IT operations to a public cloud service. In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit over the hack.

Millions of Loan Applicants' Data Leaked via an Anonymous Server

The security team at SafetyDetectives, led by Anurag Sen, revealed the specifics of a misconfigured Elasticsearch server that exposed the personal information of millions of loan applicants. The information primarily came from individuals who applied for microloans in Ukraine, Kazakhstan, and Russia. 

The server was discovered by chance on December 5th, 2021, while the team was monitoring specific IP addresses. Because the anonymous server had no authentication mechanism, it was left open and unprotected, exposing over 870 million records and 147GB of data. 
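The failure described here is a node reachable from the internet with no authentication in front of it. The following is an added example, not SafetyDetectives' tooling, of two checks an operator can run on a cluster they own: a static audit of `elasticsearch.yml` for the settings that produce exactly this exposure, and a live probe of one of their own nodes reporting whether `/_cluster/health` is served to an unauthenticated request. `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings; the two sample configs, the cluster name and the address in them are constructed.

```python
"""Audit Elasticsearch settings for unauthenticated exposure.

Added example, not the researchers' code. The config bodies below are
constructed samples; the setting names are real Elasticsearch options.
"""
import json
import urllib.error
import urllib.request

# Constructed sample: the minimal config that ends up exposed to the internet.
WEAK_CONFIG = """\
cluster.name: microloans
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the same node, bound to a private address,
# with authentication and TLS on the HTTP layer turned on.
HARDENED_CONFIG = """\
cluster.name: microloans
network.host: 10.0.0.5        # placeholder private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# network.host values that bind to every (or every external) interface.
WIDE_OPEN_BINDS = ("0.0.0.0", "::", "0", "_site_", "_global_")


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml.

    Nested YAML is not handled; Elasticsearch accepts dotted keys, so the
    flat form covers the settings this audit cares about.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_config(text):
    """Return findings for an elasticsearch.yml body (empty list = clean).

    xpack.security.enabled is required to be explicitly 'true': relying on
    a version-dependent default is itself a finding here.
    """
    s = parse_flat_yaml(text)
    findings = []
    bind = s.get("network.host", "localhost")
    if bind in WIDE_OPEN_BINDS:
        findings.append(f"node bound to non-loopback interface ({bind})")
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP TLS disabled: credentials and data travel in clear")
    return findings


def probe_own_node(base_url, timeout=5):
    """Probe a node you operate. Returns 'open' when the cluster health
    document is served without credentials, 'authenticated' on HTTP 401,
    otherwise a short description of what happened."""
    url = base_url.rstrip("/") + "/_cluster/health"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = json.load(resp)
            return "open" if "cluster_name" in body else "unexpected body"
    except urllib.error.HTTPError as e:
        return "authenticated" if e.code == 401 else f"http {e.code}"
    except (urllib.error.URLError, OSError) as e:
        return f"unreachable ({e})"


if __name__ == "__main__":
    print("weak:    ", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
    # probe_own_node("http://10.0.0.5:9200") would be run against a node
    # you administer; it is not executed here so the script runs offline.
```

The static audit is the cheaper control: run it in the pipeline that ships the config, and an `0.0.0.0` bind without `xpack.security.enabled: true` never reaches a host in the first place. The probe is for confirming what is actually listening after deployment.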

SafetyDetectives could not identify the server's host. The server stored customer logs from a variety of microloan providers' websites; however, most of these were not financial services firms such as lenders or banks, but third-party intermediaries that act as a link between the loan company and the applicant. The majority of the data in the server's logs was in Russian, which led the researchers to conclude that the server is owned by a Russian corporation. 

According to the SafetyDetectives researchers, the leak exposed various types of personally identifiable information (PII) and sensitive user data, including details of users' "internal passports". Internal passports serve as national IDs in Russia and Ukraine and are only valid within the country's borders. 

The internal passport details exposed include marital status, gender, birthdate, location, physical address, and full name (first, middle, and patronymic), as well as passport numbers, issue/expiration dates, and serial numbers. Some of the disclosed information, including cities, names, addresses, and issuing authorities, was written in Cyrillic script, which is used across parts of Europe and Asia.

This exposure is estimated to affect around 10 million users. Most of the INNs (taxpayer identification numbers) belonged to Ukrainians, but several server logs and passport numbers belonged to Russians. The server was hosted in Amsterdam, in the Netherlands. 

On December 14th, 2021, SafetyDetectives contacted the Russian CERT, and the Dutch CERT on December 30th, 2021. Both, though, declined to assist. On January 13th, 2022, the server's hosting company was informed, and the server was secured the same day. Given the scope and type of the data exposed, the event might have far-reaching consequences.

Private Data of Europeans Shared 376 Times Daily in Ad Sales


Private information about every internet user is shared hundreds of times each day as companies bid for online advertising slots. A brand-new report by the Irish Council for Civil Liberties (ICCL), uncovered that the average European user's data is shared 376 times per day and the figure rises to 747 times daily for US-based users. 

Currently, ICCL is engaged in a legal battle with the digital ad industry and the Data Protection Commission against what it describes as an epic data breach, arguing that nobody has ever specifically consented to this practice. 

The data is shared between brokers acting on behalf of those wishing to place adverts, in real-time, as a web page loads in front of someone who is reading it. The brands in the adverts themselves are not involved. 

That data can be practically anything based on the Interactive Advertising Bureau's (IAB) audience taxonomy. The basics, of course, like age, sex, location, income, and the like are included, but it doesn't stop there. All sorts of websites fingerprint their visitors and those fingerprints can later be used to target ads on unrelated websites. 

The data is used to select the most relevant bidder for the advert space on the page. This all happens automatically, in a fraction of a second, and is a multimillion-dollar industry. Personally identifying information is not included, but campaigners argue that the volume of the data is still a violation of privacy.  

"Every day the RTB [Real Time Bidding] industry tracks what you are looking at, no matter how private or sensitive, and it records where you go. This is the biggest data breach ever recorded. And it is repeated every day," said Dr. Johnny Ryan, senior fellow at the ICCL. 

According to the ICCL report, the source of the data was a Google feed covering a 30-day period. It is made available to the industry, but not the public. The data about US web users' habits are shared in advert sales processes 107 trillion times per year and European users' data is shared 71 billion times.  

"If the exhaust of our personal data could be seen in the same way pollution can, we'd be surrounded by an almost impenetrable haze that gets thicker the more we interact with our phones," tech reporter Parmy Olson said. 

Spanish FA Reported a Cyber Attack, Private Texts Seized


Police have been informed that the Royal Spanish Football Federation (RFEF) has suffered a cyber attack. In recent months, top officials of the federation, particularly president Luis Rubiales, have had documents and information taken from private email accounts, private text messages, and audio calls.

Headquartered in Las Rozas, at La Ciudad del Fútbol, a community near Madrid, the Royal Spanish Football Federation is Spain's football governing body. Spain's national team won the 2010 FIFA World Cup and two consecutive European Championships. 

"It's likely this personally identifiable information, taken unlawfully and with clear criminal purpose, was provided to numerous media," the RFEF added. 

Before the information was published, an unnamed journalist informed the RFEF that their media outlet had been offered access to illegally acquired material by an unknown source who communicated over an encrypted voice channel. 

"Through third parties, the media outlet in question claimed to have obtained confidential contracts, private WhatsApp conversations, emails, and a variety of documents involving the RFEF management," the journalist said. "If accurate, it would be a crime of revelation of secrets and a breach of the fundamental rights of the people attacked." 

The Spanish FA has reported these "criminal and mafia" acts to all relevant authorities and has appointed a private firm to improve security and prevent future attacks.

Cyberattacks can be linked to hacktivism, cyber warfare, or cyberterrorism; in other words, motivations differ. There are three basic types of motivation: criminal, political, and personal. Money theft, data theft, and business disruption are all options for criminally minded attackers.

Personal Details of Las Vegas Cancer Center Patients Leaked in a Ransomware Attack


Las Vegas Cancer Center (LVCC) has announced that it suffered a ransomware attack over the Labor Day weekend. According to the center's administrators, the breach was discovered on September 7, when staff returned to the office after the holiday. The cancer center is now notifying patients of the attack, which may have exposed personal details of current and former patients.

“The breach was discovered when the office reopened on September 7th. LVCC immediately notified law enforcement and fully participated in an investigation by the FBI, and conducted its own internal investigation. LVCC also notified its electronic medical records vendor, which relies on the server data to build LVCC’s patient records database,” the news release stated. 

The attackers succeeded in encrypting data on the center's server despite LVCC’s server and computers being shielded by a firewall and multiple malware defense systems. According to the center, the attackers were able to access patient names, addresses, dates of birth, Social Security numbers, medical records, and insurance information. However, the center says all patient data was stored in a proprietary format and was therefore likely of no use to the attackers.

“All patient data was stored on the server in a format proprietary to LVCC’s electronic medical records system, and therefore likely not usable to the hackers. LVCC does not believe that any data was copied or transferred from its server, and has received no ransom demand from the hackers to unlock the data,” LVCC stated. 

Earlier this year, in August, Indianapolis-based Eskenazi Health suffered a ransomware attack that compromised the personal details of its patients. Eskenazi officials discovered the attack when they noticed suspicious activity on their network. The ransomware attack forced the hospital to go on diversion, turning away ambulances, for several days in early August. 

A further investigation revealed that threat actors had secured access to the network on May 19 and launched the attack in a sophisticated manner by disabling the security protections to hide their activities.

Despite the data leak and ransom demand, the Eskenazi Health officials did not pay the hackers’ requested ransom. According to The American Hospital Association’s cybersecurity expert John Riggi, an estimated 30 percent of health care institutions pay the ransom when they are breached by a ransomware attack.

AvosLocker Ransomware Gang Targets Motherboard Vendor Gigabyte


Taiwanese computer hardware vendor Gigabyte Technology Co. Ltd. has allegedly been hit by a ransomware attack, the second in three months. The previous attack on the firm occurred in August, when the RansomEXX gang stole 112 gigabytes of sensitive data. 

The latest attack came to light when DarkWeb Criminal Intelligence noted on Twitter that a group going by the name of AvosLocker was claiming to have successfully targeted the company and was publishing samples of stolen data as proof. The ransomware gang was first seen recruiting affiliates on underground forums in late June. 

According to Privacy Sharks, the ransomware gang has released some stolen data as proof that they did indeed successfully target Gigabyte. The stolen data includes passwords and usernames, employee payroll details, human resources documents, and credit card details. 

Additionally, the 14.9 MB sample shared by the gang also contains documents relating to Gigabyte's dealings with several firms, including Barracuda Networks Inc., Blizzard Entertainment Inc., Black Magic, Intel Corp., Kingston Technology Corp., and Best Buy Co. Inc., along with screenshots. 

If the stolen data is authentic, as the ransomware gang claims, it could be a major concern for Gigabyte, especially since a report earlier this month indicated that AvosLocker is planning a twist on the classic double-extortion model: punishing non-paying victims by auctioning their data rather than simply releasing it for free. 

“The details in the file tree should be extremely concerning to Gigabyte as they consider the impact of this breach. In most double extortion schemes, the data theft focuses on quantity rather than quality. The file tree from this dump suggests that in this case, the threat actor focused on quality,” Jake Williams, co-founder and chief technology officer at incident response firm BreachQuest Inc. stated. “To facilitate sales, AvosLocker must steal data that’s worth buying,” he said.

“The file tree (directory listing) teased by AvosLocker certainly appears to be the kind of data that would be valuable to a multitude of cybercriminals,” he added. Ransomware attacks have been on the rise since the infamous WannaCry attack in 2017. 

According to a report by Comparitech, in 2021 alone US firms suffered a loss of US$21 billion due to ransomware attacks. 

“The selective leaking of information is a method to further entice victims into paying the ransom,” said John Bambenek, principal threat hunter at information technology and security operations company Netenrich Inc., noting that this will keep occurring as long as the economics favor paying a ransom. “What will be interesting to see is how this method of auctioning data will change the math, but in the end, crime on the internet still pays,” he added. 

New SmashEx Attack Breaks Intel SGX Enclaves


A recently disclosed vulnerability affecting Intel CPUs could be used by attackers to get access to sensitive information kept within enclaves and potentially run arbitrary code on vulnerable systems. 

The vulnerability (CVE-2021-0186, CVSS score: 8.2) was found in early May 2021 by a group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology, who used it to perform a confidential data disclosure attack called "SmashEx" that can corrupt and compromise private data stored in the enclave. 

SGX (short for Software Guard eXtensions), introduced with Intel's Skylake processors, allows developers to run selected application modules in an isolated, protected region of memory known as an enclave, a form of Trusted Execution Environment (TEE). It is designed to be guarded against processes running at higher privilege levels, such as the operating system. Even if a computer's operating system has been tampered with or is under attack, SGX is meant to ensure that the enclave's data remains safe. 

The research stated, "For normal functioning, the SGX design allows the OS to interrupt the enclave execution through configurable hardware exceptions at any point." 

"This feature enables enclave runtimes (e.g., Intel SGX SDK and Microsoft Open Enclave) to support in-enclave exception or signal handling, but it also opens up enclaves to re-entrancy bugs. SmashEx is an attack which exploits enclave SDKs which do not carefully handle re-entrancy in their exception handling safely." 

Outside calls, or OCALLs, enable enclave functions to call out to the untrusted program and subsequently return to the enclave. However, when the enclave also handles in-enclave exceptions (e.g., a timer interrupt or division by zero), the vulnerability allows a local attacker to take over the control flow of execution by injecting an asynchronous exception soon after the enclave is entered. 

With this power, the attacker can then corrupt in-enclave memory, allowing sensitive data such as RSA private keys to leak or malicious code to be executed. Because SmashEx affects runtimes that support in-enclave exception handling, the researchers stated that "such OCALL return flow and the exception handling flow should be written with care to ensure that they interleave safely," and that "when the OCALL return flow is interrupted, the enclave should be in a consistent state for the exception handling flow to progress correctly, and when the exception handling flow completes, the enclave state should also be ready for the enclave to progress correctly." 
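The consistency requirement quoted above can be made concrete with a small model. The following is an added example, a toy simulation and not the Intel SGX SDK, Open Enclave, or the researchers' code: the "enclave" keeps two pieces of OCALL bookkeeping that must change together (the saved continuation frames and a depth counter), and the "OS" delivers an asynchronous exception between the two updates. In the unguarded variant the in-enclave handler runs over half-updated state, which is the re-entrancy hazard; in the guarded variant the return path is marked busy and the exception is deferred until the state is consistent again, which is the atomicity at the OS-enclave interface the researchers call for. All class, field and exception names are constructed for the model.

```python
"""Simulate the OCALL-return / exception-handler interleaving behind SmashEx.

Added example: a toy model, not any real enclave runtime. Names are
constructed. The point is the invariant, not the memory layout.
"""


class InconsistentEnclaveState(Exception):
    """Raised when the handler observes bookkeeping that does not add up."""


class Enclave:
    def __init__(self, atomic_return):
        self.atomic_return = atomic_return  # True selects the guarded variant
        self.frames = []        # continuation frames saved on OCALL exit
        self.depth = 0          # frame count the runtime consults elsewhere
        self.busy = False       # True while an OCALL return is mid-update
        self.pending = []       # exceptions deferred while busy
        self.handled = []       # exceptions the in-enclave handler processed

    def invariant_holds(self):
        """Both bookkeeping fields must describe the same number of frames."""
        return self.depth == len(self.frames)

    def ocall(self, name):
        """Leave the enclave for an OCALL: save a frame, bump the depth."""
        self.frames.append(name)
        self.depth += 1

    def ocall_return(self, interrupt=None):
        """Re-enter after the OCALL. 'interrupt' models the OS delivering an
        asynchronous exception between the two state updates."""
        if self.atomic_return:
            self.busy = True         # guarded: mark the critical section
        self.frames.pop()            # update 1
        if interrupt is not None:
            self.deliver_exception(interrupt)
        self.depth -= 1              # update 2
        if self.atomic_return:
            self.busy = False        # state consistent again
            self.drain_pending()     # now it is safe to handle what arrived

    def deliver_exception(self, exc):
        """Entry point the OS uses. Defers delivery while the return path is
        mid-update; only the guarded variant ever sets busy."""
        if self.busy:
            self.pending.append(exc)
        else:
            self.handle_exception(exc)

    def drain_pending(self):
        while self.pending:
            self.handle_exception(self.pending.pop(0))

    def handle_exception(self, exc):
        """In-enclave handler: relies on consistent OCALL bookkeeping to
        find the frame it should resume. Inconsistent state here is the
        condition the attack builds on."""
        if not self.invariant_holds():
            raise InconsistentEnclaveState(
                f"depth={self.depth} but {len(self.frames)} frames "
                f"while handling {exc}")
        self.handled.append(exc)


def run(atomic_return, exception_name="timer"):
    """Drive one OCALL round trip with an exception injected on the way back.
    Returns 'consistent' or 'inconsistent'."""
    enclave = Enclave(atomic_return)
    enclave.ocall("write_log")
    try:
        enclave.ocall_return(interrupt=exception_name)
    except InconsistentEnclaveState:
        return "inconsistent"
    assert enclave.invariant_holds() and enclave.handled == [exception_name]
    return "consistent"


if __name__ == "__main__":
    print("unguarded return:", run(atomic_return=False))  # inconsistent
    print("guarded return:  ", run(atomic_return=True))   # consistent
```

Real runtimes cannot simply "raise" when the handler sees bad state; the handler runs anyway, over whatever it finds, which is why the fix in the patched SDKs is to make the OCALL return and exception entry paths mutually exclusive rather than to detect the mismatch after the fact. The model's `busy` flag plus deferred queue stands in for that mutual exclusion.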

Since then, Intel has released software updates addressing the vulnerability: SGX SDK versions 2.13 and 2.14 for Windows and Linux, respectively. Microsoft fixed the problem (CVE-2021-33767) in its July 2021 Patch Tuesday updates with Open Enclave SDK version 0.17.1. The research team's findings are expected to be presented next month at the ACM Conference on Computer and Communications Security.  

The researchers stated, "Asynchronous exception handling is a commodity functionality for real-world applications today, which are increasingly utilizing enclaves," and highlighted "the importance of providing atomicity guarantees at the OS-enclave interface for such exceptions."

Google Is Supplying Private Data to Advertisers?

Google is facing a serious allegation that it is surreptitiously using secret web pages to pass user data to advertisers.

According to sources and the evidence provided, Google may be handling this data without paying much attention to data protection measures.

The matter is under investigation. The sensitive data reportedly includes users' race, political views, and health conditions.

Reportedly, the secret web pages were discovered by the chief policy officer of a web browser company, who also found that Google had tagged them with identifying trackers.

Allegedly, using that very tracker, Google feeds data to advertisers, possibly in an attempt to predict browsing behavior.

According to sources, Google is doing all it can to cooperate with the investigations. The Google representative also said that they don’t transact with ad bidders without users’ consent.

Reportedly, Google has mentioned previously that it shall not “share encrypted cookie IDs in bid requests with buyers in its authorized buyers marketplace”.