Subject: U.S. government urging to update Galaxy phones due to vulnerability
Source: Android Headlines
https://www.androidheadlines.com/2024/08/us-government-urging-to-update-galaxy-phones-due-to-vulnerability.html
The US government is urging federal employees who use Samsung Galaxy devices to update their devices as soon as possible. Apparently, there are a couple of bugs that could allow potential attackers to access private data that would normally not be accessible.
In June, Google listed a vulnerability in Pixel phones as CVE-2024-32896. The vulnerability had the “High Severity” label, and its complementary notes said that it would be “under limited, targeted exploitation.” After that, the US government gave federal employees 21 days to update their Pixel devices. Otherwise, they would have to stop using them.
U.S. federal employees should update their Galaxy devices as soon as possible – A new CISA warning includes a deadline for Galaxy phones for the same vulnerability seen on Pixels. Now, US government employees must update their Galaxy devices before August 28. You might be wondering why the first CISA warning targeting Pixel phones didn’t include Samsung Galaxy devices as well. That’s because, at the time, the CVE-2024-32896 vulnerability was thought to only affect Google phones. However, it was later found to affect all Android phones, but the original warning was never updated with that information. The Galaxy update that addresses the vulnerability includes a fix for a couple of bugs that would enable privilege escalation-based attacks.
…
Filed: https://www.androidheadlines.com/category/news
Subject: ‘They had no fear’: Group tracked Florida business owners, broke into their homes, stole $1.7M, sheriff says
Source: Nexstar Media Wire
https://www.nxsttv.com/nmw/news/they-had-no-fear-group-tracked-florida-business-owners-broke-into-their-homes-stole-1-7m-sheriff-says/
TAMPA, Fla. (WFLA) — Authorities say a “South American theft group” made up of four Colombian citizens targeted the homes of business owners in multiple Florida counties.The suspected thieves made off with $1.69 million in cash, jewelry and clothes stolen from homes in gated communities, according to Judd. The “sophisticated” group was accused of surveilling homes and businesses to learn the owners’ routines and track them.
“Once they have their victim’s pattern, then they attack,” Polk County Sheriff Grady Judd said.
They were accused of disguising themselves as lawn care workers and joggers, as well as wearing burkas. According to Judd, they used Wi-Fi jammers and technology to bypass security systems.
Subject: Cox Communications Battles Copyright Case That Could Disrupt TV Streaming for Millions
Source: Cord Cutters News
https://cordcuttersnews.com/cox-communications-battles-copyright-case-that-could-disrupt-tv-streaming-for-millions/
Why This Matters for Streaming TV Users – For those who love streaming their favorite TV shows and movies, the outcome of this case is crucial. Imagine losing your internet connection because someone in your household was accused of illegally downloading content. This isn’t just about losing access to the internet—this is about losing the ability to stream on platforms like Netflix, Hulu, or Disney+, potentially cutting you off from the entertainment you rely on.
Currently, ISPs like Cox provide the infrastructure that makes streaming possible, offering high-speed internet connections that allow you to binge-watch series or catch the latest movies in high definition. But if the lower court’s ruling stands, ISPs might be forced to monitor your online activities more closely or even cut off your service if there’s a suspicion of copyright infringement. This could lead to interruptions in your streaming service, all based on unproven allegations.
The Threat to Streaming in Rural and Urban Areas – The potential impact isn’t limited to individual households. Streaming is a big deal everywhere, from bustling cities to remote rural areas. But in places where internet service options are limited, the consequences could be even more severe. If ISPs are forced to terminate services based on accusations, entire communities might find themselves unable to stream, with no viable alternative providers to turn to. This would be especially devastating in rural areas, where reliable internet service is already a challenge.
Source: Washington Post
https://www.bespacific.com/dont-trust-google-for-customer-service-numbers-it-might-be-a-scam/
Washington Post [unpaywalled]: “Scams just keep popping up when you Google. On Monday, I found what appeared to be impostors of customer service for Delta and Coinbase, the cryptocurrency company, in the “People also ask” section high up in Google. A group of people experienced in Google’s intricacies also said this week that it took about 22 minutes to fool Google into highlighting a bogus business phone number in a prominent spot in search results. This fits a persistent pattern of bad guys finding ways to trick Google into showing scammers’ numbers for airlines, hotels, local repair companies, banks or other businesses. The toll can be devastating when people are duped by these bogus business numbers. Fortune recently reported on a man who called what a Google listing said was Coinbase customer support, and instead it was an impostor who Fortune said tricked the man and stole $100,000. Scammers impersonate businesses and government agencies all over the internet. But Google search is unique …
—
Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.
Source: Help Net Security
https://www.helpnetsecurity.com/2024/08/19/digital-wallet-stolen-card/
Fraudsters can add stolen payment cards to digital wallet apps and continue making online purchases even after victims’ report the card stolen and the bank blocks it, computer engineers with University of Massachusetts Amherst and Pennsylvania State University have discovered.Convenience > security
Different users can add the same card to different digital wallets on different mobile devices. The feature is exists to make it easier to share a card within a family, but can be easily exploited by malicious individuals.
Adding the card to a different wallet and making fraudulent purchases is made possible by the trust banks have in the digital wallet apps’ security mechanisms.
[4 or 5 weaknesses or assumptions?]
Banks rely on the app to chose the authentication scheme (usually the weaker, knowledge-based one) to authorize the linking of the card with the app, and the rely on in-device biometric verification methods to identify the cardholder authorizing the transactions (but it assumes that the owner of the phone is the cardholder).
Finally, the banks allow payments for subscription-based services even on lost / stolen cards so that the cardholder doesn’t incur late payment fees / penalties. Fraudsters can make one-time transactions but mark it as a recurring payment, thus bypassing the bank’s transaction authorization restrictions.
As an added drawback, once stolen card numbers are saved in a fraudster’s digital wallet, they are there and will continue to work even if the cardholder requests a card replacement and the bank issues a new card.
“Banks do not re-authenticate the cards stored in the wallet. What they do is they simply change the virtual number mapping to the new physical card number,” Raza explained. Thus, fraudulent purchases continue to go through.
Advice for banks – The only potential barier to adding a stolen card to a new wallet app is if the victim locks the card before that can be done. Barring that, the attackers can covertly make fraudulent purchases that can ultimately only be recognized and disputed by the victim.
They advised banks not to rely on the wallet apps and their preferred legacy authentication methods when it comes to adding cards into wallets. They suggest using push notifications or passcodes.
Banks should also periodically re-authenticate the wallet and refresh the payment token issued to it, especially after events like card loss. And, finally, banks should evaluate the metadata of transactions so they can “see” whether a payment is one-time or recurring (and not rely on merchants for that info).
…
Tags:
Source: Android Headlines
https://www.androidheadlines.com/2024/08/meta-crawler-new.html
Meta has emerged from the Metaverse to become a major player on the AI court. As such, the company has its own team of web crawlers that scrape pages that don’t have the Robots.txt protocol. Or, at least, we thought as much. According to some new reports, it seems that Meta’s new crawlers aren’t afraid of any robots, as they’ve been bypassing that protocol. Major corporations have been using web crawlers to dive into and scrape data from websites across the internet for years. However, the people have made their stance clear; they do not want companies scraping their data without their consent. Of course, the companies all obey our wishes and avoid scraping data from websites without the Robots.txt file… right?
These are major corporations we’re talking about. Obviously, they’ve found ways of spitting in the faces of people who trust them. There have been reports of companies like Perplexity, OpenAI, and Anthropic AI all finding ways to scrape sites that have the Robots.txt file.
If you think that Meta is a perfect angel when it comes to data acquisition, you’d be mistaken. Among the other companies that bypass the file, a new report points to a duo of crawlers that might also avoid the Robot to train its chatbot.
…
Source: FedScoop
https://fedscoop.com/irs-taxpayer-data-leak-security-privacy-tigta-report/
The Treasury Inspector General for Tax Administration said the agency has taken steps in the right direction after a contractor shared thousands of tax returns with two media outlets.
Five years after an IRS contractor began leaking thousands of tax returns to a pair of news organizations, a new watchdog report finds that the agency still has some work to do to ensure the security and privacy of taxpayer data.
The Treasury Inspector General for Tax Administration said in its report [28-page PDF] that the IRS has taken steps to better protect federal tax information and personally identifiable information of taxpayers since ProPublica and The New York Times published stories in 2020 and 2021 containing data on returns from billionaires including Jeff Bezos, Michael Bloomberg and former President Donald Trump.
Among those challenges is determining which users should be granted access to sensitive IRS systems. The agency is “evaluating steps to improve its ability to safeguard data housed on its sensitive systems,” TIGTA reported, no small task given that more than 86,000 current and former employees and 5,000 contractors were authorized to access at least one of those 276 systems as of July 2023.
The IRS’s procedures to cut off users that no longer need access “were not always working as intended,” the watchdog stated. “Our evaluation identified that not all user accesses are timely removed once they are separated from the IRS.”
To further safeguard information, the IRS told TIGTA that it has established a data loss prevention program, which utilizes an automated tool to monitor web traffic and outgoing unencrypted emails from employees and then flag any instances of unencrypted sending of PII. The agency also noted that managers “must periodically recertify that users have a continued need for access to a sensitive system.”
In response to a slew of data security recommendations TIGTA’s Office of Investigations provided to the IRS, the tax agency said it has made moves in that direction, including the categorization of sensitive IRS data, limiting internal sharing of sensitive information, improving audit logging, disabling external storage of data, enhancing encryption methods, and enhancing awareness of data protection responsibilities.
…
More Scoops – Tax watchdog says IRS has work to do on Login.gov security controls
Subject: Senator requests information from TSA on surveillance
Source: Homeland Preparedness News
https://homelandprepnews.com/stories/82278-senator-requests-information-from-tsa-on-surveillance/
On Wednesday, U.S. Sen. Rand Paul (R-KY) requested information from the Transportation Security Administration (TSA) asking for information on whether or not security systems have been improperly surveilling American citizens. Paul, the ranking member of the Senate Homeland Security and Governmental Affairs Committee, sent a letter to TSA Administrator David Pekoske asking for information related to the management of watchlists and screening procedures by TSA. Paul said the request follows disclosures by whistleblowers that the TSA’s Quiet Skies program may be targeting individuals based on their political views, instead of for “legitimate security threats.”
Paul also alleged that the U.S. Department of Homeland Security’s Office of Inspector General had identified deficiencies in TSA’s management of the Quiet Skies program. The senator’s letter is supported by The Air Marshal National Council (AMNC) and Empower Oversight.
Source: Krebs on Security
https://krebsonsecurity.com/2024/08/local-networks-go-global-when-domain-names-collide/
The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here’s a look at one security researcher’s efforts to map and shrink the size of this insidious problem.
Consider the hypothetical private network internalnetwork.example.com: When an employee on this network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; entering “\\drive1\” alone will suffice, and Windows takes care of the rest.
But problems can arise when an organization has built their Active Directory network on top of a domain they don’t own or control. While that may sound like a bonkers way to design a corporate authentication system, keep in mind that many organizations built their networks long before the introduction of hundreds of new top-level domains (TLDs), like .network, .inc, and .llc.
For example, a company in 2005 builds their Microsoft Active Directory service around the domain company.llc, perhaps reasoning that since .llc wasn’t even a routable TLD, the domain would simply fail to resolve if the organization’s Windows computers were ever used outside of its local network.
Alas, in 2018, the .llc TLD was born and began selling domains. From then on, anyone who registered company.llc would be able to passively intercept that organization’s Microsoft Windows credentials, or actively modify those connections in some way — such as redirecting them somewhere malicious.
…
Tagged: