The popular security website Have I Been Pwned (HIBP) “is a database of usernames or email addresses that have been exposed in data breaches. At the time of writing, it contains 9,543,096,417 records, which happens to be more than the population of Earth, showing the extent of such breaches.”
More » The Register
If the headline surprises you, you haven’t been paying attention. This has been going on for years. Ask Snowden.
What I’d like to know is how much tracking is DHS doing outside its borders?
US Department of Homeland Security (DHS) acknowledges tracking millions of smartphone users within the USA, despite a Supreme Court order limiting its authority to do so. DHS will not state how the data is being used.
Byron Tau and Michelle Hackman, Wall Street Journal »
The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement, according to people familiar with the matter and documents reviewed by The Wall Street Journal.
The location data is drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user has granted permission to log the phone’s location.
More » Apple Insider
Statistics Canada states British Columbia had a population of 5.071 million last year.
This is what happens when companies prioritize profit over their duty to look after customers’ personal information.
Kendra Mangione, CTV News »
The massive cyberattack targeted a laboratory testing company with locations across Canada – primarily in B.C. and Ontario.
The company’s website claims more than a million Canadians use its services, and more than 112 million tests are performed by its labs each year.
Earlier Friday, Alberta’s privacy commissioner said nearly 22,000 Albertans may have been part of the estimated 15 million Canadians that could have had their data compromised.
LifeLabs president and CEO Charles Brown called the hack a “wake-up call,” and said “We all need to up our game to protect our customer data.”
Read the whole article at CTV »
Companies and their officers have a duty of care they are not meeting. This will happen again and again until businesses do much more than just talk about security. The number of breaches shows that self-regulation and self-policing often do not work. Stronger legislation, including public accountability, hefty fines, and perhaps even criminal penalties, needs to be enacted to prevent this from happening.
Justine Calma, The Verge »
United States Army soldiers can no longer use TikTok on government-owned phones following a decision to ban the app. The move comes amidst ongoing worries that the video app owned by Beijing-based company ByteDance could compromise national security or be used to influence or surveil Americans.
“It is considered a cyber threat,” Army spokeswoman Lt. Col. Robin Ochoa told Military.com, which broke the news on December 30th. The army reportedly used TikTok to recruit members prior to the ban.
Both the Navy and Defense Department sounded alarms on TikTok earlier this month. The Navy previously told its members not to add the app, and to delete it from government-issued devices if it was already installed. The Defense Department also instructed employees to “be wary of applications you download, monitor your phones for unusual and unsolicited texts etc., and delete them immediately and uninstall TikTok to circumvent any exposure of personal information,” according to military.com.
More » CNN
Related » US Navy Bans TikTok From Military Devices » Security Boulevard (Dec 27, 2019)
More » BoingBoing, The Next Web, SecurityAngle
Related » TikTok eyes global headquarters outside of China as US scrutiny mounts – Tech in Asia (Dec 24, 2019)
More » WSJ
Cyber security researchers at Dutch firm Fox-IT have found evidence that a Chinese government-sponsored hacking group, APT20, has been bypassing two-factor authentication (2FA) in a recent wave of attacks against government entities and managed service providers.
Catalin Cimpanu, ZDNet »
According to researchers, the hackers used web servers as the initial point of entry into a target’s systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.
APT20 used vulnerabilities to gain access to these servers, install web shells, and then spread laterally through a victim’s internal systems.
While on the inside, Fox-IT said the group dumped passwords and looked for administrator accounts, in order to maximize their access. A primary concern was obtaining VPN credentials, so hackers could escalate access to more secure areas of a victim’s infrastructure, or use the VPN accounts as more stable backdoors.