Information Security

A piece of malware found on almost 30,000 Macs worldwide was discovered by security researchers from Red Canary and analyzed together with researchers from Malwarebytes and VMware Carbon Black.
The malware has been named Silver Sparrow. Details on how it was distributed and how it infected users are still scarce. It's unclear if it was hidden inside malicious ads, pirated apps, or fake Flash updaters, the classic distribution vectors for most Mac malware strains. Furthermore, this malware's purpose is also unclear, and researchers don't know what its final goal is.
"Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice," Red Canary researchers wrote in a blog post published on Friday.

Apple made iOS software upgrades available Tuesday, adding a rare note suggesting it was a serious threat. The company urges iPhone and iPad users to update their devices to fix security flaws that might have been "actively exploited" by hackers.
The company credited anonymous researchers for pointing out the vulnerability but provided few details about the threat's nature.

U.S. drugmaker Pfizer and its German partner BioNTech said on Wednesday that documents related to development of their COVID-19 vaccine had been “unlawfully accessed” in a cyberattack on Europe’s medicines regulator.

Gionee, a Chinese manufacturer of low-cost smartphones, has been found guilty by the Chinese courts of installing malware on more than 20 million devices it sold between December 2018 and October 2019.
According to the report, the company used a subsidiary to plant a "Trojan horse" to carry ads without the users' permission.

A new security breach in the Ministry of Health's COVID-19 notification system left the personal data of over 200 million Brazilians exposed on the internet for at least six months. It was not only patients diagnosed with COVID-19 who had their privacy violated, as occurred in another exposure case reported last week. This time, the personal information of any Brazilian registered with SUS or who is a beneficiary of a health plan was open for consultation.
"Each time you stop and go through the Ministry of Health's information security and data management policy, you find a more serious vulnerability. At the time of our complaint, we asked for an audit and received no response. Clearly, they have not taken and are not yet taking the treatment of data from millions of Brazilians seriously," says Fernanda Campagnucci, executive director of the NGO Open Knowledge Brasil (OKBR).

On Sunday, during the city elections, the Brazilian Superior Electoral Court (TSE) suffered outages (DDoS attack) that delayed the vote-counting procedures. An investigation by the Brazilian Federal Public Minister, together with SaferNet, declared that the TSE had suffered a coordinated attack and social network campaign to promote a non-existent election fraud.
Also on Sunday morning, there was a data leak of outdated HR information collected until October 23rd.

The criminals demanded 450,000 euros from the psychotherapy center Vastaamo in exchange for no longer publishing the data. The release of patient data, including that of minors, ceased on Friday, sparking rumors about a possible payment. The information published so far includes patients' personal data and the content of the therapy sessions.

In an email to developers, Twitter warned of a bug that may have exposed their private application keys and account tokens due to a mistake in how Twitter stored the information in the browser's cache.
"Prior to the fix, if you used a public or shared computer to view your developer app keys and tokens on developer.twitter.com, they may have been temporarily stored in the browser’s cache on that computer," the email read. "If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed."
Twitter shared that it has not yet seen any evidence that these keys were compromised, but alerted developers out of an abundance of caution.

According to an announcement by Facebook Ireland's head of data protection, Yvonne Cunnane, it is not clear how the company "could continue to provide the Facebook and Instagram services in the EU" following a preliminary order to stop the transfer of European customers' data to servers based in the United States.
Ireland’s Data Protection Commission (DPC) had voiced concerns over possible surveillance of the data by the United States government.

Uber's former Chief Security Officer was charged Thursday with attempting to conceal a 2016 hack that exposed the personal information of 57 million drivers and passengers. The executive is accused of arranging a $100,000 payoff to the hackers responsible for the attack.
David Anderson, U.S. Attorney for the Northern District of California, announced: "Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed."
Matt Kallman, Uber spokesman, said: "We continue to cooperate fully with the Department of Justice's investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability."

Researchers from security firm Check Point found vulnerabilities, affecting Amazon Echo, in certain Amazon and Alexa subdomains that could have allowed an outsider access to users' voice history, including all voice searches and conversation history.
Alexa users could have been easily tricked into falling for the vulnerability, which reportedly needed a single click on a malicious link crafted and sent by the hacker.
Amazon has already patched the flaw.

The Wall Street Journal reported Tuesday that TikTok’s Android app collected its users’ MAC addresses for 18 months in violation of the platform rules. The MAC address serves as a unique identifier for each user’s device.
Since 2015, both the App Store and the Google Play Store had banned the collection of MAC addresses as a matter of policy, but the video app used a loophole. According to the Journal, nearly 350 apps on the Google Play Store used a similar loophole, generally for ad-targeting purposes.

More than 20 GB worth of Intel internal documents have been leaked and made publicly available on BitTorrent feeds. The leak contains data that Intel makes available to partners and customers under NDA.
The leak, posted Thursday night by Tillie Kottmann, an IT consultant based in Switzerland, included source code, development and debugging tools and schematics, tools and firmware for the company’s unreleased Tiger Lake platform.
A misconfigured Akamai CDN server and files with the password “intel123” have been pinpointed as the apparent cause of the leak.

TikTok announced Thursday it would invest €420 million in establishing a data centre in Ireland. The company states all European user data will be stored in this new location when the data centre is operational in early 2022.
In a press release, the company states: "Protecting our community's privacy and data is and will continue to be our priority. Today's announcement is just the latest part of our ongoing work to enhance our global capability and efforts to protect our users and the TikTok community."

Twitter announced Wednesday a security vulnerability in its Android app. The company stated the problem relates to an Android security issue in versions 8 and 9 of the popular mobile operating system, and that it doesn't have evidence attackers exploited the vulnerability.
According to Twitter, around 96% of all their Android users already have installed the necessary security protections, leaving 4% still vulnerable to attackers through outside apps accessing private data on their devices.

The "No TikTok on Government Devices Act" bill by Senator Josh Hawley (R-Mo.) was unanimously approved by the Senate Homeland Security and Governmental Affairs Committee on Wednesday. The bill states U.S. federal employees would be barred from using Chinese-owned mobile video app TikTok on government-issued devices.
The bill now moves to the Senate floor.

The UK government announced Tuesday a ban on Huawei 5G wireless network equipment. The ban requires all existing Huawei 5G tech to be purged entirely from the country's network by the end of 2027.
UK Digital Secretary Oliver Dowden said: "Following US sanctions against Huawei and updated technical advice from our cyber experts, the government has decided it is necessary to ban Huawei from our 5G networks."
Huawei said in a statement: "Regrettably our future in the UK has become politicised, this is about US trade policy and not security."

Wells Fargo, the United States' fourth-largest bank, has instructed employees who installed TikTok on company devices to remove the app over privacy concerns.
“We have identified a small number of Wells Fargo employees with corporate-owned devices who had installed the TikTok application on their device,” Wells Fargo said in a statement to NBC News. “Due to concerns about TikTok’s privacy and security controls and practices, and because corporate-owned devices should be used for company business only, we have directed those employees to remove the app from their devices.”

Five hours after requiring employees to delete TikTok from their mobile devices, Amazon backtracked, saying the email to workers had been sent by mistake.
A spokesperson for the company said, "This morning’s email to some of our employees was sent in error, there is no change to our policies right now with regard to TikTok."

The New York Times reports that Amazon officials, in a memo, required employees to delete TikTok from any mobile devices that "access Amazon email." The removal is due to "security risks" posed by the app.
According to the memo, workers are still allowed to use TikTok from their laptop browser.