This Week's Best Internet Privacy & Security News Stories
It’s a slightly different newsletter this week as we’re all busy working on some brand new research. But don’t worry, we’ve still been following the most important stories of the week. Here they are!
VPN News
Bleeping Computer: Microsoft says April Windows updates break VPN connections
Microsoft has confirmed that its April 2024 security updates are causing VPN connection issues on various Windows platforms. While the company is investigating the problem and promises more information soon, there is currently no workaround available; the only temporary fix is to uninstall the updates, which also removes all of the recent security fixes they contain.
Private Internet Access: PIA Concludes Second Security Audit
Private Internet Access (PIA) announced the completion of its second security audit, conducted by Deloitte Audit Romania, confirming that its VPN server network and management systems comply with its strict no-logs policy and ensure user privacy. The audit reviewed network configurations and a dedicated IP token-based system, affirming that these setups neither track nor store user activity, with the full audit report available to PIA account holders.
Cyber Security News: Threat Actors Claiming of 0-Day Vulnerability in Zyxel VPN Device
Threat actors have claimed to have discovered a zero-day vulnerability in Zyxel VPN devices, which are extensively utilized in critical sectors like government, finance, and healthcare, posing a significant security risk for unauthorized access to sensitive data. The cybersecurity group MonThreat reported this vulnerability, although Zyxel has not yet confirmed it nor issued any mitigation guidance. We recently found that Zyxel suffered more vulnerabilities than any other VPN vendor last year.
Cybersecurity Essentials
BBC: Smart gadgets: Tougher rules for sellers of internet-enabled devices in the UK
The UK has introduced new regulations for the sale of IoT gadgets to enhance their security, in response to increasing cyber threats that exploit these devices to infiltrate home networks and access private data. The new law mandates more secure password practices, clear procedures for reporting security flaws, and requires manufacturers to inform consumers about the duration of support and updates for purchased devices, with non-compliance subject to fines.
Bleeping Computer: Google rejected 2.28 million risky Android apps from Play store in 2023
In 2023, Google intensified its security measures on the Play Store, blocking 2.28 million Android apps that violated policies potentially compromising user security and suspending 333,000 developer accounts linked to malware or severe policy infractions. These efforts are part of Google's broader strategy under its 'SAFE' principles, aimed at safeguarding users, advocating for developers, fostering innovation, and evolving platform defenses, including more stringent app review processes and enhanced real-time malware scanning.
Forbes: Dropbox Warns Hacker Accessed Customer Passwords And 2FA Data
Dropbox has confirmed that a hacker accessed its Dropbox Sign production environment, compromising customer information including emails, usernames, phone numbers, hashed passwords, OAuth tokens, and multi-factor authentication details. The company is contacting all affected users with instructions to secure their accounts, while there is no evidence that documents or agreements were accessed, and API customers are advised to rotate their keys immediately to maintain security.
CBS: UnitedHealth data breach caused by lack of multifactor authentication, CEO says
During a congressional hearing, UnitedHealth Group CEO Andrew Witty disclosed that a data breach at its subsidiary Change Healthcare was due to the absence of multifactor authentication, enabling hackers to deploy ransomware after stealing a password. The breach, attributed to the Russian ransomware gang ALPHV (also known as BlackCat), resulted in the theft of over six terabytes of data and caused significant disruption to healthcare payment systems across the U.S.; despite a $22 million ransom paid in bitcoin, some of the stolen data still appeared on the dark web.
Ars Technica: Hacker free-for-all fights for control of home and office routers everywhere
Cybercriminals and nation-state spies have been found coexisting in compromised routers, utilizing these devices for both financial gains and espionage activities, as reported by Trend Micro researchers. In certain cases, these actors coexist peacefully by exchanging access to compromised routers for a fee, while in other situations, nation-state actors take control of devices initially compromised by cybercriminals, demonstrating a complex dynamic where both sets of actors leverage the same infrastructure for differing motives.
CNBC: Privacy breach at Australian airline Qantas gives access to other customers’ details
Qantas experienced a privacy breach when some users of its app were inadvertently shown the personal details of other passengers, including names, flight details, and loyalty statuses. The Australian airline attributed the issue to a technical problem related to recent system updates, confirming that no financial information was exposed and that there was no misuse of loyalty points or unauthorized boardings as a result of the breach.
The Hacker News: New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials
New and highly sophisticated malware called Cuttlefish is targeting home routers, silently monitoring traffic and stealing login credentials. This poses a significant threat to internet privacy and security by enabling attackers to hijack DNS and HTTP connections and potentially gain deeper access into cloud ecosystems.
Oversecured: 20 Security Issues Found in Xiaomi Devices
A security analysis by Oversecured has identified 20 vulnerabilities in Xiaomi devices that pose a threat to all Xiaomi users. These issues, found across various system applications and components, could enable attackers to execute privileged operations, steal data and compromise device security.
The Guardian: Police arrest Sydney man for blackmail over major data breach affecting up to 1 million NSW and ACT residents
A major data breach in New South Wales, managed by Outabox and affecting up to a million residents, led to a Sydney man's arrest on charges of blackmail. The data breach exposed personal details of over a million NSW club patrons, potentially including names, addresses, and driver's licenses.
Our Rights Online
Amnesty International: New technologies in automated social protection systems can threaten human rights
Amnesty International has issued a technical explainer on the Samagra Vedika system used in India’s Telangana state, highlighting the human rights risks associated with automated social protection systems. The system, which employs machine-learning algorithms for "entity resolution" to assess welfare eligibility and identify fraud, has been criticized for its lack of transparency and potential for denying vital benefits to thousands, thus impacting people's rights to social security.
N Sullivan et al: A File Format to Aid in Consumer Privacy Enforcement, Research, and Tools
This proposal from the Network Working Group outlines a new file format, privacy.txt, aimed at enhancing consumer privacy enforcement and compliance on websites. The file format is designed to be machine-parsable and includes detailed information on privacy policies, consumer rights actions, and cookie usage, structured to facilitate ease of access and understandability, enhancing transparency and accountability in digital privacy practices.
The Register: Apple's 'incredibly private' Safari is not so private in Europe
Apple's implementation of third-party app store support in Safari on iOS 17.4 in Europe has raised serious privacy concerns, as it allows websites to track user activity across different sites by linking a unique per-user identifier to approved third-party marketplaces. Security researchers Talal Haj Bakry and Tommy Mysk criticized Apple's method for being insecure and potentially exposing users to cross-site tracking and targeted advertising, despite Apple's claims of prioritizing user privacy.
TechCrunch: US fines telcos $200M for sharing customer location data without consent
The U.S. Federal Communications Commission (FCC) has imposed fines totaling $200 million on the four major U.S. wireless carriers—AT&T, Verizon, T-Mobile, and Sprint—for illegally sharing customers' real-time location data without their consent. This series of unauthorized data sharing created a gray market for customer location information, with third-party companies further reselling this data, often without the knowledge or consent of the consumers involved.
The Record: Digital rights watchdogs warn against internet shutdowns in Togo ahead of elections
Digital rights organizations are closely monitoring Togo as the country approaches national elections, urging the government to ensure uninterrupted internet access amidst historical instances of politically motivated shutdowns. The groups argue that maintaining open digital communication channels is crucial for a fair and transparent electoral process and have publicly appealed to Togo's government and local ISPs to avoid internet shutdowns, which they contend are harmful to both democracy and business.
VOI: Russia Requires Amazon Web Services And Other Foreign Technology Companies To Open Local Offices
Russia has added Amazon Web Services to the list of foreign tech companies that it is demanding establish local offices, raising concerns about data privacy and operational freedom. This requirement could affect how these companies handle Russian user data and adapt to local regulations, potentially affecting their services and user privacy in the region.
Amnesty International: A Web of Surveillance – Unravelling a murky network of spyware exports to Indonesia
A major investigation has revealed substantial exports of invasive spyware to Indonesia, with the national police and cyber agency among the main recipients. This situation underscores the potential for surveillance technology misuse against civil society and highlights the challenge of regulating and tracking international spyware transactions.
Keep your eyes peeled for next week’s edition where we will talk about our brand new research!