Tag Archives: Google

Security News for the Week Ending March 11, 2022

Trump is Not Happy About Launch of Twitter-Like Truth Social

Apparently "not happy" is a bit of an understatement. He has a lot to lose if this is not successful: as part of the SPAC deal with Digital World, he holds a lot of shares, and if the stock, which is still going up slowly, tanks, he stands to lose a bunch of dough. Many people who downloaded the app said that they could not create accounts or were waitlisted. The reality is that people use social media to stay connected, and if you have a choice between Twitter’s hundreds of millions of users and Truth Social’s thousands, the choice is pretty clear. Analysis suggests that it is doing about the same as or worse than Gab and Gettr, which is also a problem. Twitter won because it was the only player. Now there are three players all going after the same narrow slice of the market. At least it has not been hacked (publicly) since its launch, which is more than Gab and Gettr can say. Credit: MSN

Hackers Targeted US LNG Producers in Run-Up to Ukraine Invasion

In February hackers penetrated computers belonging to current and former employees at nearly two dozen major natural gas suppliers, including Chevron and Kinder Morgan.

Security firm Resecurity discovered a small group of hackers, including one linked to Strontium, a nickname for a hacking group inside Russia’s GRU military intelligence.

They wanted to gain and maintain access to the U.S. energy supply so that they could destabilize the world energy market when Russia invaded Ukraine. Unfortunately for Putin, while these early intrusions were successful, they were discovered before they could do any significant damage. Credit: Bloomberg Quint

Google Acquires Mandiant for $5 Billion in Cash

It is nice to be able to write a check for $5 billion. Mandiant, best known for its breach response and threat intelligence services, is being acquired by Google. Depending on what Google does with it, that could be good news for Google Cloud users. Mandiant does have its own cloud security products, and together, if Google doesn’t do anything stupid, the deal will give Mandiant access to a lot of capital. Credit: CSO Online

Alexa, Go Hack Yourself

The good news is that Amazon patched this after researchers demonstrated that they could get an Alexa to unlock your door, set your microwave to run with nothing in it (possibly causing a fire) and other cute stuff. The attack is very simple, so it is good that it has been patched. Aren’t you glad that you don’t have any smart devices in your house? Credit: Ars Technica

Chinese Use Herd Management App to Hack State Networks

Mandiant says that the Chinese hacking group APT41, AKA Barium, used a bug in USAHERDS, an app that many state governments use to track animal diseases in livestock herds. Mandiant warned the developer of the high-severity bug and they have patched it. In the meantime, Mandiant thinks the Chinese have successfully hacked at least 6 state government networks, and maybe as many as 18. Think about that before you install that next app. Credit: Wired

Security News for the Week Ending Feb. 11, 2022

Google Decreased Account Takeovers by 50% by Mandating 2FA

Late last year Google forced about 150 million users to start using multi-factor authentication. What results did they see? Account takeovers in that group were reduced by 50%. Google has previously said that only 10% of its users were using MFA. Now it is forcing the issue. Credit: Cybernews

Attacks on Crypto Continue – $320 Million in Ethereum Stolen

The Wormhole token bridge, which allows users to send and receive cryptocurrency between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis and Terra without a centralized exchange, experienced a security exploit resulting in the loss of 120,000 wETH tokens worth $321 million. Again, the hackers found a bug in the software that allowed them to drain the platform. This is the root problem with decentralized finance: it counts on software being bug-free, and that just does not exist. In this case they are very lucky, because Jump Trading Group, an investor in Wormhole, ponied up the $320 million to make customers whole. That doesn’t happen often. Credit: Metacurity and Decrypt.co

Apple Says It Won’t Do Biz With Companies that Use Conflict Minerals

According to a report that Apple filed with the SEC, it has terminated relationships with 163 smelters and refiners since 2009 for failing to pass human rights and mineral-sourcing standards. This is the seventh year of requiring these firms to pass a third-party audit. This year 12 companies were axed from the vendor list. Good for Apple. Credit: Vice

French Data Protection Authority Says Google Analytics Violates GDPR

The problem, the French privacy regulator says, is that Google transfers your data to the U.S. and, after Schrems II, in which the EU high court struck down the US-EU privacy agreement called Privacy Shield, the US was deemed not to have equivalent privacy protections. They would like you to forget that they are playing with a stacked deck, because the European intelligence agencies do the same stuff the US does but don’t have to comply. The regulator suggests anonymizing the data, which is okay for stats but not for targeted ads, or kicking Google to the curb, which was kind of the EU’s goal in the first place. I think Google could choose to leave EU data in the EU, which simplifies the privacy stuff, but it makes life more complicated for Google because it probably could not do a number of things with your data that it would like to. Credit: The Record

Senators Say CIA is Collecting Bulk Data on US Citizens

Executive Order 12333, issued by Reagan in 1981, covers, among many activities, the data collection practices of the intelligence agencies when they operate outside the rules of the FISA court. There is a group that is supposed to watch over the CIA, the Privacy and Civil Liberties Oversight Board (PCLOB), but many people think it has a pretty cozy relationship with the CIA and doesn’t provide even the (very limited) transparency that the FISA Court does. Unlike the Patriot Act and USA Freedom Act, which have to be reauthorized, EO 12333 lives forever with no public discussion. Senators Wyden and Heinrich wrote to the Director of National Intelligence asking for more transparency. Credit: Data Breach Today

Schools (And Others) Will Pay More for Cyber Insurance

As a result of the massive increase in cyberattacks against schools (and others), cyber insurance premiums will likely see major hikes this year, assuming that you can even get coverage. Hikes of 100% to 300% are likely if you don’t have the best security controls. One California insurance executive said her school clients were declined for insurance 37 times, saw deductibles climb from $25,000 to a million dollars and saw premiums increase by up to ten times. This will force some organizations to become self-insured, making cybersecurity practices even more important. Credit: The Journal

News Flash: Google Tracks Your Location

That is probably not news to most people.

What is probably news – maybe – is that even when you think you tell Google not to collect and store your location data – it does so anyway.

Or, at least, that is what several lawsuits claim.

In the lawsuit filed Monday in a District of Columbia court, D.C. Attorney General Karl Racine alleges Google has “systematically” deceived consumers about how their locations are tracked and used. He also says the internet search giant has misled users into believing they can control the information the company collects about them.

https://www.securityweek.com/dc-3-states-sue-google-saying-it-invades-users-privacy

The DC AG says “in reality, consumers who use Google products cannot prevent Google from collecting, storing and profiting from their location”.

And, just in case you think the DC AG has gone crazy…

The Attorneys General of Texas, Indiana and Washington state have all filed similar lawsuits.

If you think about it, Google makes about 80% of its revenue from selling ads. Location is an important part of selling targeted ads. Showing me an ad for a restaurant or retail store a thousand miles away is unlikely to translate to a sale. Location is very important to them.

Google, of course, says these Attorneys General are wrong and Google deeply cares about your privacy. I would add to that …. unless it affects our profitability.

In December 2020, ten states filed a federal lawsuit accusing Google of anticompetitive conduct.

In October 2020, the U.S. Justice Department joined by 11 states filed an antitrust lawsuit against Google for abusing its online search dominance.

European regulators have imposed multi-billion dollar fines for anti-competitive practices.

In May 2020, Arizona filed a lawsuit accusing Google of deceiving customers about protections for their personal data. Documents unsealed in this case showed some Google engineers were troubled by the way the company secretly tracked movements of users who did not want to be followed.

There seems to be an awful lot of smoke here for there to be no fire, but it will be years before all of this plays out. Still, get some popcorn. It will be interesting.

Credit: Security Week

Do You Like Multi-Factor Authentication?

Do you use multi-factor authentication? Google says that less than 10 percent of its users do. They were concerned that if they made people use MFA, they would leave. Not sure where they would leave to. Who else offers as compelling a suite of software, for free? Or at least just for the price of all of your information.

Google announced this week that by the end of this year it is going to automatically enroll 150 million Google users and 2 million YouTube creators in two-factor authentication.

Google is not dictating which method of MFA you have to use. You can use an app on your phone, get a code emailed to you, use a hardware token, or even get a code via text message.

If you sign up for a new account, you will automatically be enrolled in two-factor authentication.

Given that Google has, probably, a billion users, they are being selective in terms of which 150 million users are being auto-enrolled.

On the other hand, if you want to post stuff on YouTube, MFA is not optional.

So, if you have been hesitant to use MFA, you might want to try it now. Before it gets turned on for you.

What is not clear is whether you can turn it off once it has been turned on. My guess is that you can, just like you can now, but it sounds like Google is going to be persistent.

Credit: Bleeping Computer

Security News for the Week Ending January 22, 2021

Parler Finds A New Home With Russian Hosting Provider in Belize

“Hello world, is this thing on?” With that message Parler’s website is back online. Well, at least a one-page website is back online. The site is being hosted by Russian-owned DDoS-Guard, a company that apparently also hosts ISIS websites. Whether the folks who invaded the Capitol earlier this month are going to be willing to post their content on a Russian-hosted server is not clear. It is unlikely that the hosting provider would respond to a US subpoena, but whether they would steal the posts for their own purposes is a different question. Credit: Cybernews

Capitol Terrorist Who (Allegedly) Planned to Sell Pelosi’s Laptop to Russian Intelligence Arrested

The amazing amount of video footage from the storming of the Capitol is really making the cops’ lives a lot easier. Riley June Williams, 22, from Pennsylvania, was outed by her former boyfriend. She videoed herself committing the felony and then shared that video. She has now been arrested, though she has not been charged with espionage, yet. After the events of January 6th, she changed her phone number, deleted her social media accounts and fled. Her public defender wants her released, but the feds say that she is a flight risk. Given that she disappeared even before she was charged, that doesn’t seem unreasonable. Credit: WaPo

Parler Data Is Available for Download

If you want to be an amateur detective and you have 70 terabytes or so of free disk space, you too can download the data that was scraped from the site during the last few hours of its existence. It is broken into 4GB chunks and more of it is being uploaded in real time. This will be examined and re-examined for a long time. Details can be found here.

Malwarebytes Joins Club of Those Hacked by SolarWinds Hacking Team

Malwarebytes joins the long and getting longer list of those folks sucked in by the SolarWinds attackers. In their case, they did not use SolarWinds but were compromised by other techniques used by the SolarWinds attackers. They said the damage was minor and limited to some of their emails. Credit: Cyber News

Trump Pardons Google Engineer Who Stole Self Driving Car Trade Secrets and Took Them to Uber

Anthony Levandowski, the Google engineer who went to work for Uber’s self-driving car division, was pardoned by Trump after being sentenced to 18 months for his theft. I am not sure if the pardon relieves him of the obligation to pay Google the $179 million he owes, but it probably does. He took 141,000 files with him and likely advanced Uber’s progress by years. Waymo, Google’s self-driving unit, settled its lawsuit against Uber in 2018 for a multi-hundred-million dollar payment. Curiously, Google is an investor in Uber, so they probably don’t want to hurt them too much. Credit: Cyber News

Breaches Down; Record Count Up

According to Risk Based Security, the NUMBER of breaches reported fell 48% in 2020 compared to 2019, but the number of records exposed was UP by 141% to an amazing 37 BILLION records. We don’t believe that the number of breaches was actually down; likely it is just that a lot of breaches are not being reported. Part of it may be that with other important events like the election and Covid, the media is not covering breaches. In addition, we are seeing some really large breaches. Hacking group ShinyHunters disclosed 129 million hacked records in just five weeks. Credit: Tech Republic

Security News for the Week Ending December 25, 2020

First of all, Merry Christmas and a Happy New Year.

OCC, FRB and FDIC Propose New Rule – Tell Us If You Have a Security Incident

The federal banking regulators are proposing a new rule that banks, and tech companies that service banks, must report to their regulator within 36 hours if they have a security incident (like ransomware) that impacts their operations. I suspect that banks have been hiding these in the large stack of forms they file daily, hoping their regulator doesn’t catch what is going on. In *MY* opinion – long past due. It covers everyone who is part of the Federal Reserve System or the FDIC, among others. Credit: FDIC

FBI Says Iran Behind pro-Trump ‘enemy of the people’ Doxing Site

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say that Iranian actors are “almost certainly” behind the creation of the website (currently down), basing the assertion on “highly credible information.”

The agencies add that in mid-December 2020 the website contained death threats aimed at U.S. election officials. Among them are governors, state secretaries, former CISA Director Christopher Krebs, FBI Director Christopher Wray, and people working for Dominion, the company providing the voting systems. Credit: Bleeping Computer

Facebook and Google Get a Little Too Friendly on Ads

While Google and Facebook supposedly compete in the ad business, with the two of them controlling over half the market, there was a bit of preferential treatment. In 2018 they announced a deal under which Facebook’s advertisers could buy ads within Google’s ad network. What they did not announce was a secret side deal in which Facebook would get preferential treatment if it backed off from steering its advertisers to a Google competitor. These days it is hard to keep secrets that big secret. Credit: Cybernews

Microsoft and McAfee Join Ransomware Task Force

19 tech companies, security firms and non-profits have joined together to fight ransomware. The task force will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The result will be a standardized framework for dealing with ransomware attacks across verticals, based on industry consensus. They start playing together next month. Stay tuned to see what they produce. Credit: ZDNet

Homeland Security Releases Guide Warning About Chinese Equipment and Services

The Chinese government, along with Russia, has shown that it has a virtually insatiable appetite for stealing our stuff, whether that is personal information or trade secrets. This DHS document talks about the risks of partnering with Chinese firms and/or allowing your data to be stored in China or in Chinese-controlled data centers. It talks about how China has constructed its laws so that the government can get access to anything that it wants, and what you can do to reduce the risk a little bit. A copy of the report can be downloaded here.