Weekly Privacy Roundup #15
“We will have more Internet, larger numbers of users, more mobile access, more speed, more things online and more appliances we can control over the Internet.” - Vinton Cerf
Primary Indian ticket vendor suffers crippling data breach
One of India’s most popular travel booking hubs was left exposed without adequate security measures, and subsequently, suffered a significant data breach that exposed all production server information and led to the loss of over 43GB of data.
The affected Elastic search server was left publicly exposed without password protection or encryption for several days which meant anyone with the server’s IP address, could have gained access to the entire database.
Our security team, led by Anurag Sen, discovered the server vulnerability on 10 August 2020 after it became exposed on the Internet on 9 August 2020. Three days later on 12 August 2020, our team reviewed the data, the server became the target of a Meow bot attack, leading to the deletion of almost all server data.
Most of the affected users were based in India with our team estimating that around 700,000 individuals were likely to be directly affected by the breach.
NSA offers advice on how to reduce location tracking risks
The U.S. National Security Agency (NSA) today has published guidance on how to expose as little location information as possible while using mobile and IoT devices, social media, and mobile apps.
As the agency explains, protecting your geolocation data can be the difference between being tracked wherever you go or knowing that your location can't be used to monitor your movements and daily routine.
Adam Schiff Accused of Protecting a Suspected FBI Surveillance Dragnet
Nearly a dozen civil liberties organizations have accused Congressman Adam Schiff and other Democratic leaders of purposely undermining the online privacy of U.S. citizens and immigrants; possibly in an effort, they say, to conceal the unlawful surveillance of Americans’ web browsing activity by the FBI’s national security branch.
Qualcomm Snapdragon Bugs Leave 40% Of World’s Smartphones Exposed To Spying Threat
Security researchers from Check Point have found an incredible 400 vulnerabilities within code sections of the Qualcomm Snapdragon digital signal processor (DSP) chip found in approximately 40% of the world's smartphones: high-end devices from Google, OnePlus and Samsung included. Indeed, that's most nearly all Android smartphones, or hundreds of millions of devices, to put the gravity of this into some context.
Intel leak: 20GB of source code, internal docs from alleged breach
Classified and confidential documents from U.S. chipmaker Intel, allegedly resulting from a breach, have been uploaded earlier today to a public file sharing service.
The cache of secret information is 20GB large and comes from an unknown source. It was announced as the first part in a series of Intel leaks.
The Department of Justice wants to stop California from having net neutrality
The US Department of Justice has filed for an injunction to stop Claifornia from implementing their own net neutrality laws. Net neutrality has been repealed in the United States Federal Communication Commission (FCC) effective since summer 2018, and now the effort of states to bring their citizens back under net neutrality protections is being challenged by federal law. In the wake of the FCC repeal of net neutrality laws in 2017, many states sought to pass their own net neutrality laws. The same thing occurred after the repeal of broadband privacy laws in 2017. In the case of broadband privacy which was passed at the state level in Maine, the internet service providers (ISPs) actually tried to stop the law from being enacted by claiming that their right to selling profiles of user internet activity and history is part of their constitutional right to free speech. In the case of net neutrality, California was the largest state to pass net neutrality rules for internet companies and users within its borders. As part of the FCC repeal of net neutrality laws, the FCC actually included language that would forbid individual states or smaller jurisdictions from passing their own net neutrality laws.
Satellite Internet connections can easily be intercepted by hackers
Black Hat USA 2020 took place from 1 to 6 August and has brought rather interesting yet unnerving cybersecurity briefings from experts and professionals alike. A recent press release published, explains how threat actors can intercept internet traffic even if they are a continent away.
James Pavur, a researcher and doctoral candidate at Oxford University whilst speaking at the virtual event explained the vulnerability in global satellite internet communication.
SANS infosec training org suffers data breach after phishing attack
The SANS cybersecurity training organization has suffered a data breach after one of their employees fell victim to a phishing attack.
The SANS Institute is one of the largest organizations that offer information security training and security certification to users worldwide.
In a notification posted to their site today, SANS states that one of their employees fell for a phishing attack that allowed a threat actor to gain access to their email account.
In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering
Amazon's Alexa voice assistant could be exploited to hand over user data due to security vulnerabilities in the service's subdomains.
The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot -- with over 200 million shipments worldwide -- was vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings.
Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.
350 million email addresses exposed on misconfigured AWS S3 bucket
Running out of introductions for reporting on something that happens so often. Just yesterday it was reported that a medical software firm exposed 3.1 million patients’ data to the public. In the latest, it has been found that 350 million unique email addresses were sitting exposed on a misconfigured Amazon S3 bucket for public access without any security authentication.