Tag Archives: Candy drops

Security News for the Week Ending January 14, 2022

Hackers Sending Malware Filled USB Sticks in the Mail

Old, tried-and-true techniques continue to work: hackers have been sending malware-filled USB sticks through the mail and UPS to defense, transportation and insurance companies, hoping someone who skipped their security awareness training plugs the drive into their computer. It just shows that hackers do not need to keep inventing new tricks; the old ones continue to work. Credit: Gizmodo

Norton Installs Cryptomining Software on Users’ Computers

Norton and its sister company Avira, both owned by the same parent, are installing cryptomining software as part of the default install. Norton turns it on automatically, since they get 15% of anything you earn; Avira has it off by default. If Norton is still on your approved list (it went off our list years ago), you should probably remove it. Credit: Brian Krebs

White House Hosts Open Source Security Summit

In the wake of the Log4j and other open source software attacks, the White House hosted a summit this week with the likes of Akamai, Amazon, Apache, Apple, Cloudflare, Facebook, Google, IBM and others to discuss how to improve open source security. While no “results” have been announced yet, the fact that the summit was called and led by Anne Neuberger is an acknowledgement that “Houston, we have a problem”. Open source is used throughout the IT world, including critical infrastructure, and much of that software is either not maintained at all or maintained by volunteers; there is no easy solution, as there are millions of open source packages. Stay tuned; we might be able to do something for a few of the larger, more important packages. Ultimately, the responsibility and the liability both rest with the companies that use open source, and that should not be much comfort to anyone. Credit: Data Breach Today

Canon’s Printer DRM Comes Back to Haunt Them

Consumer printer makers make most of their money selling you toner and ink, so years ago they came up with the idea of putting chips in the cartridges to try to stop you from using low-cost supplies. But now they can’t get chips, so they are making cartridges without the chips, causing their customers’ printers to alarm. As a result, Canon is telling their customers how to break their own DRM. Not to worry though, Canon says they will go back to trying to hurt their competitors when the chip market eases up. Credit: Gizmodo

Car Makers Say Giving Owners Data From Their Cars Will Embolden Sexual Predators

Car owners have been trying for years to force car makers to give them the tools they need to repair their own cars. One of those tools is the data that their cars generate. If car owners could repair their own cars, car makers would lose billions of dollars in revenue. Massachusetts voters overwhelmingly voted in a right to repair law in 2020, even though car makers spent $26 million explaining why letting people repair their own cars was bad, even claiming it would embolden sexual predators. Now they are saying the law is unconstitutional. Anything to try to stop the revenue drain. Credit: Vice

Security News for the Week Ending Friday August 3, 2018

Old Hacks Never Die

Brian Krebs is reporting that state government agencies are receiving malware-laced CDs in the mail, the hope being that someone is curious enough to put one in their computer and infect it. This is an older version of a ploy that is still common: dropping malware-infected flash drives in areas outside businesses, like break areas, again hoping that curious workers will plug them into their computers and infect them.

The simple solution is not to do it, and to hand the media to your information security team to review. Source: Krebs on Security.


23 and Me Licensed All Customer’s DNA to Big Pharma

In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.

23 and Me made a deal with Glaxo Smith Kline (GSK) to provide all of their customers’ DNA for “research”, whatever that means. The deal lasts for four years. I am not sure what happens after four years – do they have to give back everyone’s DNA? Probably not.

And, kind of like Google, 23 and Me got a check for $300 million, but did not share it with the people whose DNA they sold.

23 and Me says that you can opt out of letting them sell your DNA when you sign up. Apparently I opted out. You can also change that option at any time, but it is not obvious how to do that. It is buried in the research tab after you sign in. I assume that change is not retroactive. If you didn’t opt out, GSK has a copy of your DNA. Source: Motherboard.

More Woes for CCleaner

CCleaner, the popular utility for cleaning up your computer, has added some more woes to its basket.

Piriform sold CCleaner to security firm Avast a few months ago. Right after the sale, CCleaner was found to be distributing a malware-laced version of the software. Over a million copies of the infected software were downloaded, but it only targeted a handful of victims. That was done by an attacker.

This problem is self-inflicted. The new version of CCleaner has a data collection feature which vacuums up information about the victim’s computer, with no way to disable it and no way to opt out.

Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law, GDPR, which could result in a fine of the larger of 20 million Euros or 4% of their global revenue. They are rethinking the wisdom of doing this and will release a new version of the software. Real soon. Source: ZDNet.

Idaho Inmates Hack Prison-Issued Tablets

Prisons in Idaho issue inmates specially locked-down tablets to send emails to loved ones and perform other limited functions. Some of those functions cost money, and that is where the rub comes in. The tablets, managed by a vendor called JPay, were hacked by several hundred inmates to the tune of almost a quarter million bucks. Now JPay is trying to get their money back. At least it is not taxpayer money. Source: TechCrunch.