Tag Archive for: Failed

UK election watchdog failed to discover system hack for 15 months


The UK’s Electoral Commission today announced it suffered a cyberattack in August 2021, with attackers gaining access to registers that contained the names and addresses of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

In a statement issued by the Electoral Commission via its website, the election watchdog said that although attackers first gained access to electoral registers and the commission’s email system in August, the hack wasn’t identified until October 2022, when the electoral body became aware of a suspicious pattern of log-in requests being made to its systems.

The commission said that while it is “not able to know conclusively” what information had been accessed, the personal data most likely to have been accessible includes names, addresses, email addresses, and any other personal data sent to the commission by email or held on the electoral registers. Because large parts of the UK’s electoral system are still paper-based, however, “it would be very hard to use a cyber-attack to influence the [electoral] process.” The Commission also sought to reassure those who might have been affected by the breach by noting that the hack will not impact an individual’s ability to take part in the democratic process or affect their current registration status or eligibility to vote.

“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems,” Shaun McNally, the Electoral Commission chief executive, said in a statement.

In line with requirements under the law, McNally said the Electoral Commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying the breach and the ICO is currently investigating the incident.

“The Electoral Commission has contacted us regarding this incident and we are currently making enquiries,” a spokesperson for the ICO said in a statement. “We recognise this news may cause alarm to those who are worried they may be affected and we want to…


The Uber Hack Exposes More Than Failed Data Security


BKC Fellow Bruce Schneier writes about the Uber hack.

“In all of these cases, the victimized organizations could have very likely protected our data better, but the reality is that market does not reward healthy security.”

Read more in The New York Times.


Opinion | The Uber Hack Exposes More Than Failed Data Security


Uber was hacked this month. The company said that the attacker — a teenager possibly linked to the incident was just arrested in London — most likely obtained the corporate password of an Uber contractor. Using that person’s access, the hacker gained access to some of Uber’s internal systems: internal Slack messages, a finance tool for invoices and the dashboard where the company’s security researchers report bugs and vulnerabilities. It’s a big deal, and an embarrassment to the company.

Uber has said that it believes that the attacker is affiliated with a hacking group called Lapsus$, whose members are mostly teenagers and which has recently targeted several technology companies. Uber also said it had not seen any evidence that user data was compromised during the incident. In the lawsuits that will invariably result, we will learn more about what happened.

But any litigation against the company, whether it be by government agencies like the Federal Trade Commission, or class-action lawsuits by shareholders or perhaps even customers, will focus on the proximate causes of the hack. More fundamental are the underlying causes of security breaches: current economic and political forces incentivize companies to skimp on security at the expense of both personal and national security. If we are to ever have a hope of doing better, we need to change the market incentives.

When you’re a high-tech start-up company, you are likely to cut corners in a lot of areas. It makes business sense — your primary focus is to earn customers and grow quickly enough to remain in business when your venture capital funding runs out. Anything that isn’t absolutely essential to making the business work is left for later, and that includes security culture and practices. It’s a gamble: spending money on speed and features rather than security is a more likely path to success than being secure yet underfunded, underfeatured, or — worst of all — a year later to market.

Security can be improved later, but only if necessary. If you’ve survived the start-up world and become a runaway success, you’ve had to scale to accommodate your customers or users. You’ve been forced to improve…
