Google+ Hack Convinces Google to End Google+

Or maybe it was the backlash after they covered up a data breach. Google+ to shut down after coverup of data-exposing bug.

A security bug allowed third-party developers to access Google+ user profile data from 2015 until Google discovered and patched it in March, but the company decided not to inform the world. When a user gave an app permission to access their public profile data, the bug also let those developers pull the user’s and their friends’ non-public profile fields.
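The class of bug described here is an API that checks the app’s scope but not the visibility of each field it returns. The following is an added illustration, not Google’s code; the scope names, the profile store and the friend graph are all constructed for the example.

```python
# Added example (not Google's code): field-level visibility filtering for a
# profile API. Scope names, the profile store and friendships are constructed.
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}}

# Each field carries its own visibility: public, friends or private.
PROFILES = {
    "alice": {"name": ("Alice", "public"),
              "email": ("alice@example.test", "private"),
              "birthday": ("1990-01-01", "friends")},
    "bob": {"name": ("Bob", "public"),
            "phone": ("+1-555-0100", "friends")},
}

def visible_to(viewer, owner, visibility):
    """The owner always sees a field; friends see 'friends'; anyone sees 'public'."""
    if viewer == owner or visibility == "public":
        return True
    if visibility == "friends":
        return viewer in FRIENDS.get(owner, set())
    return False

def get_profile_buggy(app_scopes, grantor, target):
    """Vulnerable version: confirms the app holds a profile scope, then
    returns every field of the target regardless of its visibility."""
    if "profile.public" not in app_scopes:
        raise PermissionError("app lacks a profile scope")
    return {k: v for k, (v, _vis) in PROFILES[target].items()}

def get_profile(app_scopes, grantor, target):
    """Fixed version: the app acts for the grantor and may see at most what
    the grantor could see AND what its granted scope permits."""
    if "profile.public" not in app_scopes:
        raise PermissionError("app lacks a profile scope")
    out = {}
    for field, (value, vis) in PROFILES[target].items():
        # Scope ceiling: 'profile.public' alone never exposes non-public fields.
        scope_ok = vis == "public" or "profile.full" in app_scopes
        # Field ACL: the grantor must be entitled to see the field at all.
        if scope_ok and visible_to(grantor, target, vis):
            out[field] = value
    return out
```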

They didn’t admit to any of this because – according to a company memo – they didn’t want the Cambridge-Analytica-style publicity. OK, now they have their own bad publicity.

Now Google+, which was already a ghost town largely abandoned or never inhabited by users, has become a massive liability for the company.

When will companies take security seriously? When an executive who makes a boneheaded decision – like either not funding security, or covering it up – is held accountable in a court of law. Nothing else is going to get it done.


Hackers (North Korean) Steal 100s of Millions of Dollars

Banks and security. What, me worry? North Korean hackers accused of stealing millions from global banks.

The FireEye report was made public one day after the U.S. Department of Homeland Security warned of the use of malware by Hidden Cobra, the federal government’s byword for North Korea hackers, in fraudulent ATM cash withdrawals from banks in Asia and Africa. It said that Hidden Cobra was behind the theft of tens of millions of dollars from teller machines in the past two years. In one incident this year, cash had been simultaneously withdrawn from ATMs in 23 different countries, it said.

File this under, “Ways to get around sanctions.”

This appears to be an attack on the SWIFT financial network (Society for Worldwide Interbank Financial Telecommunication). Are we shocked to discover that it is not very secure?

Surge in the Stealing of Credit Cards Online

When you check out online, it says it is secure, but is it? Magecart Attacks Grow Rampant in September.

Magecart is a hack where attackers steal a copy of the credit card data you type into an online form when you purchase something online. It’s also known as formjacking. The data goes both places – to the hacker and to the merchant – so you get whatever you purchased and the vendor gets their money. But the hacker gets everything about your credit card.

The most publicized incidents resulting from these attacks are from cybercriminal campaigns known as Magecart, with one group apparently being responsible for compromising the websites of Ticketmaster, British Airways, Feedify, and Newegg.

Even ESET – the antivirus/web security firm – apparently got hit.

Some of the antivirus companies will detect it, or some of it, but not all. There are people fighting against it, but if the September numbers are an indication, there is some way yet to go.

The Internet was fun while it lasted.

Chrome 69 Won’t Delete Google’s Cookies

Ask to delete all cookies, Google won’t delete all cookies. Chrome 69 Keeps Google’s Cookies After You Clear Browser Data.

Because Google knows better than you. And they dropped their “Don’t Be Evil” goal, and seem to be doubling down on being evil.

It has been discovered that when you try to clear all cookies in the Chrome browser, every cookie will be deleted except for authentication cookies created by Google. This means that after clearing cookies, you will be logged out of every site that you are currently logged into, except for Google.

This “Let’s not delete our own data” behavior from Google is on top of them logging you into the browser, when you didn’t ask them to. If you logged into Gmail or YouTube, Google would log you into Chrome – even if you didn’t want them to. Log out of YouTube, and Google kept you logged into the browser. They say they didn’t scoop up all of your browser history, but given how evil they’ve become, do you believe them?

Chrome 70 will walk back some of these “evil” changes, but I’ve stopped using Chrome in the interim. You may want to reconsider your use of browsers.

I use a bunch of different browsers. Opera and Vivaldi. Firefox. Chrome. Very rarely Microsoft’s Edge (when I need to test something that isn’t working because of all the privacy extensions I have in the other browsers). I even have an old version of Pale Moon installed, though I need to see if there is a new version available. And of course the TOR Browser. I may have to drop the use of Chrome.

I do this because websites love to track you. And one of the ways they do that is by tracking all kinds of things about your browser. Version, size of display, etc.

Seems like I’m not alone: Why I’m done with Chrome. Matthew Green is a cryptographer and professor at Johns Hopkins University. He takes issue with the “forced login” policy.

If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me? What stops you from changing your mind on that option in a few months, when we’ve all stopped paying attention?

Hat tip to Security Now.

Six Months On From Atlanta Being Hacked

Atlanta was hit with a ransomware attack at the end of March. SamSam to be precise. City of Atlanta: Cyber attack ‘over’.

There is much they don’t know. Who hacked them. What the final cost is going to be. (Though it could be in the millions.)

The CBS46 Bulldog was first to uncover an audit that warned the city of their vulnerability months before the breach. We were the first to report the Atlanta Police Department lost valuable data which could impact the availability of investigative evidence.

No one is talking because there is still an ongoing criminal investigation, and hopes for insurance payouts.

If I were the sort of person to place a bet, I would wager that the audit mentioned in the quote was accompanied by a proposal (either internal or from a consulting company) to remedy at least some of the items that were turned up. I would also wager that the response was either, “We don’t have that kind of money” or “Everything works fine the way it is.”

Some city departments lost 16 years of digital records in the original hack. No word on whether they got any of that back. It affected 911 somewhat, but it didn’t shut them down, though some departments were simply closed for a few days.

Have copies of your data. Have copies offline. Have copies offsite. (A fire can be just as devastating as a hack.) Have copies on different media.

The original post on the Atlanta hack can be found at this link.

Security Screw-up By Web Subcontractor That Many States Use

Color me shocked that governments’ use of the internet is not secure. GovPayNow.com Leaks 14M+ Records.

Indianapolis-based GovPayNet, doing business online as GovPayNow.com, serves approximately 2,300 government agencies in 35 states. GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.

Because security on the internet is just not important. Or something.

The linked article goes on about the company in question and its parent company and the long (quite long) list of security problems. So are we surprised that a company which does business with so many states is not great on security? Are we shocked to discover that state governments don’t rate security high when they decide who to do business with? Not too shocked.

The 14 million records don’t include quite enough data to execute a transaction on the credit cards involved. But when – WHEN? – are governments and corporations going to take security seriously? Probably never, or not until someone faces some real punishment. (The 100s of millions of dollars that security breaches have cost some companies haven’t gotten it done.)

Although fixing these information disclosure vulnerabilities is quite simple, it’s remarkable how many organizations that should know better don’t invest the resources needed to find and fix them. In August, KrebsOnSecurity disclosed a similar flaw at work across hundreds of small bank Web sites run by Fiserv, a major provider of technology services to financial institutions.
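The flaw in the quote is a receipt looked up by a sequential number in the URL with no check of who is asking. Below is an added example, not GovPayNet’s code, that puts that lookup beside a hardened one: an unguessable per-receipt token, compared in constant time, plus an ownership check when the caller is logged in. The receipt data, the route and the token scheme are all constructed.

```python
# Added example (not GovPayNet's code): a guessable sequential receipt lookup
# beside a hardened version. Receipts, route and token scheme are constructed.
import hmac
import secrets

# Receipts keyed by a sequential ID, the pattern the article describes:
# change a digit in the URL and read someone else's receipt.
RECEIPTS = {
    100001: {"owner": "user-a", "payee": "County Clerk", "amount": "45.00"},
    100002: {"owner": "user-b", "payee": "Traffic Court", "amount": "120.00"},
}

def receipt_vulnerable(receipt_id):
    """Looks up by the number shown in the URL; never asks who is requesting."""
    return RECEIPTS.get(receipt_id)

# Hardened design: every receipt gets a 256-bit random token at creation, and
# the receipt link carries that token instead of relying on the ID alone.
TOKENS = {rid: secrets.token_urlsafe(32) for rid in RECEIPTS}

def receipt_url(receipt_id):
    """Link handed to the payer after the transaction (hypothetical route)."""
    return f"/receipt/{receipt_id}?t={TOKENS[receipt_id]}"

def receipt_hardened(receipt_id, token, current_user=None):
    """Return the receipt only if the token matches (constant-time compare);
    a logged-in caller must additionally be the receipt's owner."""
    rec = RECEIPTS.get(receipt_id)
    expected = TOKENS.get(receipt_id)
    if rec is None or expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    if current_user is not None and rec["owner"] != current_user:
        return None
    return rec
```

Because the token is tied to one receipt, editing the ID in the URL no longer works: the token for receipt 100001 does not unlock 100002.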

Tesla Motors’ Cars Can Be Hacked?!

Color me shocked. Tesla’s keyless entry vulnerable to spoofing attack, researchers find: Now is a good time to add a PIN code to your Tesla.

Last week’s Tesla security update may have been more urgent than the company let on. Researchers at KU Leuven have figured out a way to spoof Tesla’s key fob system, as first reported by Wired. The result would let an attacker steal a Tesla simply by walking past the owner and cloning his key.

The attack is particularly significant because Tesla pioneered the keyless entry concept, which has since spread to most luxury cars.

KU Leuven university is in Belgium.

If the door locks and the ignition lock are not secure, does anyone want to take bets on the rest of the computer controls being secure?

Keys – especially automotive keys – aren’t always the best security, but this is insane.