Pete Recommends – Weekly highlights on cyber security issues, August 18, 2018

Subject: AP Exclusive: Google tracks your movements, like it or not
Source: AP News

SAN FRANCISCO (AP) — Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to. An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used privacy settings that say they will prevent it from doing so. Computer-science researchers at Princeton confirmed these findings at the AP’s request.

For the most part, Google is upfront about asking permission to use your location information. An app like Google Maps will remind you to allow access to location if you use it for navigating. If you agree to let it record your location over time, Google Maps will display that history for you in a “timeline” that maps out your daily movements.

Storing location data in violation of a user’s preferences is wrong, said Jonathan Mayer, a Princeton computer scientist and former chief technologist for the Federal Communications Commission’s enforcement bureau. A researcher from Mayer’s lab confirmed the AP’s findings on multiple Android devices; the AP conducted its own tests on several iPhones that found the same behavior.


Subject: FBI Warns of ‘Unlimited’ ATM Cashout Blitz
Source: Krebs on Security

The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks privately on Friday.

Tags: atm cashout, fbi, National Bank of Blacksburg, unlimited ATM cashout

Subject: Credit card fraud is increasing — here’s what to do if you’re scammed
Source: Business Insider

  • Credit card fraud is on the rise — and so are the different types of credit card scams.
  • Credit card scammers are getting smarter — they use all sorts of tricks, from phony phone calls and emails to credit card skimmers and Wi-Fi hotspots — to obtain your personal information.
  • You could be a victim of a credit card scam and not even know it.
  • If you find a fraudulent charge on your credit card, the first thing you should do is contact your credit card company immediately.

Subject: The future of IoT? State-sponsored attacks, say security professionals
Source: ZDNet

“It’s clear that security professionals are beginning to realize that risky unmanaged devices are increasingly dotting their environments,” Armis says. “But the survey shows they don’t feel as prepared as they should be to address the risk, and they see more attacks on the horizon.”

Poorly-protected enterprise networks, energy and city services together with a lack of ability to properly manage or patch IoT devices may become a minefield for cybersecurity professionals in the future — especially if they are faced with the prospect of well-funded and trained state-sponsored threat actors, rather than garden-variety hackers.


Subject: Hackers can steal data from the enterprise using only a fax number
Source: ZDNet

Researchers have now highlighted this issue by demonstrating how newly-discovered vulnerabilities in fax communications protocols can be used to compromise both enterprise and consumer networks.

On Sunday at Def Con 26 in Las Vegas, Check Point Malware Research Team Lead Yaniv Balmas and security researcher Eyal Itkin presented their findings into fax security.

The researchers demonstrated the existence of the security flaws in the HP Officejet Pro All-in-One fax printer range; specifically, the HP Officejet Pro 6830 all-in-one printer and OfficeJet Pro 8720.

Subject: How to give your Google account to a trusted person when you die
Source: Business Insider

If you’ve ever worried about what would befall your Gmail, photos, documents, YouTube videos, and other digital data in the event of a terrible accident or your own death, you’re not alone.

It’s a little dark to think about, but the good news is that Google has your back.

The service offers a feature that will bequeath your Google account and all of its contents to up to 10 pre-selected trustees, and even let you set your account to self-delete after an extended period of inactivity.

Here’s how to set it up:…

Subject: Researcher study – U.S. House candidates vulnerable to hacks
Source: Reuters via beSpacific

Reuters: “Three of every 10 candidates running for the U.S. House of Representatives have significant security problems with their websites, according to a new study by independent researchers that underscores the threat hackers pose to the November elections…A team of four independent researchers led by former National Institutes for Standards and Technology security expert Joshua Franklin concluded that the websites of nearly one-third of U.S. House candidates, Democrats and Republicans alike, are vulnerable to attacks. NIST is a U.S. Commerce Department laboratory that provides advice on technical issues, including cyber security. Using automated scans and test programs, the team identified multiple vulnerabilities, including problems with digital certificates used to verify secure connections with users, Franklin told Reuters ahead of the presentation. The warnings about the midterm elections, which are less than three months away, come after Democrats have spent more than a year working to bolster cyber defenses of the party’s national, state and campaign operations.

Democratic National Committee officials told Reuters they have completely rebuilt the party’s computer network, including email systems and databases, to avert a repeat of 2016, when Russian intelligence agents hacked into Democratic accounts and then used stolen data to undermine support for Hillary Clinton’s presidential bid…”

Subject: New Wi-Fi attack cracks WPA2 passwords with ease
Source: ZDNet

A new way to compromise the WPA/WPA2 security protocols has been accidentally discovered by a researcher investigating the new WPA3 standard.

The attack technique can be used to compromise WPA/WPA2-secured routers and crack Wi-Fi passwords which have Pairwise Master Key Identifiers (PMKID) features enabled.

Security researcher and developer of the Hashcat password cracking tool Jens “Atom” Steube made the discovery and shared the findings on the Hashcat forum earlier this month.

At the time, Steube was investigating ways to attack the new WPA3 security standard. Announced in January by industry body the Wi-Fi Alliance, WPA3 is the latest refresh of the Wi-Fi standard.

Subject: The Information on School Websites Is Not as Safe as You Think
Source: The New York Times

The home page of Pinellas County Schools in Florida is brimming with information for families, students, staff members and the public: an easy-to-use dashboard of news, shortcuts and links to the district’s Facebook page, Twitter feed and YouTube channel.

But Pinellas’s home page has been supplying information to another audience, an unseen one, as well this year. An array of tracking scripts were embedded in the site, designed to install snippets of computer code into the browsers of anyone clicking on it, to report their visits or track their movements as they traveled around the web.

The trackers were detected last winter during a study by Douglas Levin, a Washington-based expert on educational technology. Asked about them in April, the district expressed surprise and said it would have them removed. But Mr. Levin found 22 trackers when he checked back last month.

But some trackers are also designed to recognize visitors by the I.P. address of their device and to embed cookies in their browsers for the advertising practice known as behavioral targeting. And knowingly or otherwise, many school sites are hosting software from third-party companies whose primary business is buying and selling data for the detailed dossiers of personal information on finances, lifestyle and buying habits that advertisers prize. Those third parties may invite still other trackers onto the site, without the school’s knowledge or control.


Posted in: Congress, Cybercrime, Cybersecurity, Privacy, Search Engines