
Category Archives for "Security"

Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps

A newly uncovered strain of Android spyware lurked on the Google Play Store disguised as cryptocurrency wallet Coinbase, among other things, for up to four years, according to a new report by Bitdefender.

The malware, named Mandrake by the threat intelligence agency, featured a three-part structure that allowed its operators to evade detection by routine Google scanning.

Beginning with an innocuous-looking dropper hosted on the Google Play store, masquerading as one of a number of legitimate apps, Mandrake allowed its Russian operators to snoop on virtually everything unsuspecting targets did on their mobile phone.

Source: Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps • The Register

Criminal forum trading stolen data suffers ironic data breach

Someone on the dark web is touting for sale an unusual database a lot of people might pay handsomely to get their hands on.

According to the security company that verified its authenticity, Cyble, this is data that a specialised group of internet users will find far more interesting – a database of criminal account holders of the now defunct WeLeakData.com breach data trading forum.

Source: Criminal forum trading stolen data suffers ironic data breach – Naked Security

Xiaomi Devices Found Tracking And Recording Browsing Data Of Millions

Xiaomi has been tracking and recording an insane amount of private data, from users’ phone habits to queries in Xiaomi’s default browsers.

According to the researcher, Xiaomi records all the search queries and items viewed on its default browser (Mi Browser Pro) as well as on the Mint browser. The tracking extends to Incognito mode as well.

Source: [Update: Toggle To Opt-Out] Xiaomi Devices Found Tracking And Recording Browsing Data Of Millions

94% of Those Who Pay the Ransom Get the Data Back

According to The State of Ransomware 2020 global study conducted earlier this year on behalf of Sophos, organisations that decide to pay to get their data back succeed in an efficient 94% of cases.

Overall, the research found that while a malicious file download or link was still the biggest danger (29% of successful attacks), other methods such as remote attacks on servers (21%), unsecured Remote Desktop Protocol (9%), external suppliers (9%), and infected USB drives (7%) were also popular.

The research questioned 5,000 IT managers from 26 countries (500 from the US and 200 from the UK) in a range of sectors and company sizes from 100 to 5,000 employees.

Source: Huge toll of ransomware attacks revealed in Sophos report – Naked Security

ICO Issues New Guidance On Covid-19 Testing And Monitoring In The Workplace

The Information Commissioner’s Office (ICO) has published guidance for employers on complying with data protection law when taking steps to manage Covid-19 health and safety risk in the workplace.

The Guidance focuses on ‘testing’ of employees (which includes collecting data about symptoms and the conducting of temperature checks, as well as collecting data about Covid-19 test results), but also touches on other measures which businesses might be considering in order to monitor employee movements within the workplace.

Source: UK: ICO Issues New Guidance On Covid-19 Testing And Monitoring In The Workplace

Washington, D.C. Adds Security Requirements in New Data Breach Notification Law

Washington, D.C. amended its data breach notification law (D.C. Act 23-268) on March 26, 2020, expanding the definition of personal information covered by the law and requiring businesses collecting data from D.C. residents to implement “reasonable security safeguards.”

Because D.C. law already provides a private right of action for violations of the data breach law, the updates will enable lawsuits in the event that an entity fails to meet the “reasonable security” standard—though recovery is limited to actual damages.

Source: Washington, D.C. Adds Security Requirements in New Data Breach Notification Law | Privacy & Security Law Blog | Davis Wright Tremaine

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking

The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019.

On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, this technique can bypass the login screen of a sleeping or locked computer—and even its hard disk encryption—to gain full access to the computer’s data. And while the attack in many cases requires opening a target laptop’s case with a screwdriver, it leaves no trace of intrusion and can be pulled off in just a few minutes.

Source: Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking | WIRED

More than 160 million user records from 11 companies for sale on dark web

A new individual or group that appears to be a reincarnation of GnosticPlayers is offering millions of user records for sale on the dark web.

The records offered by “ShinyHunters” on a well-known dark web market appear to come from 11 firms: Tokopedia (91 Million), HomeChef (8 Million), Bhinneka (1.2 Million), Minted (5 Million), StyleShare (6 Million), Ggumim (2 Million), Mindful (2 Million), Star Tribune (1 Million), Chatbooks (15 Million), Chronicle of Education (3 Million), and Zoosk (30 Million).

Source: “ShinyHunters” lists more than 160 million user records from 11 companies for sale on dark web

NHS contact-tracing app must not be released to public without privacy protections, MPs say

The NHS contact-tracing app must not be released in its current form without increased privacy and data protections, a parliamentary committee has said.

The Joint Committee on Human Rights said it had “significant concerns” that must be addressed before it is rolled out to the general public nationwide.

The app, which is currently being trialled on the Isle of Wight, records users’ movements and can be used to alert people if they have had contact with someone who has developed coronavirus symptoms.

Source: Coronavirus: NHS contact-tracing app must not be released to public without privacy protections, MPs say | The Independent

Zoom Agrees to Step Up Security After New York Probe

New York state’s top prosecutor announced that Zoom would improve its security measures, after flaws were detected as the video conferencing platform soared in popularity amid the coronavirus pandemic.

The agreement wraps up an investigation launched in March by New York Attorney General Letitia James into vulnerabilities in the California-based company’s software. In a statement, James said Zoom would institute new security measures for the millions of users of the platform, including enhanced privacy controls.

Source: Zoom Agrees to Step Up Security After New York Probe | SecurityWeek.Com