Weekly Axis Of Easy #119
- NordVPN hacked
- Ecommerce payments company hit by ransomware
- Alexa and Google can be used to phish passwords
- New privacy bill will jail CEOs who lie about data usage
- Open database leaks 178Gb of gov and military data
- WSJ: Tech giants have hijacked the internet
VPN provider NordVPN has confirmed a breach following reports on Twitter that a private key had been exposed, which would enable attackers to spin up imposter nodes posing as NordVPN. The key exposure came against the backdrop of a breach of multiple VPN services that occurred in 2018. NordVPN states that the breach impacted a single POP in a Finland data facility. Other VPN providers affected were TorGuard and VikingVPN.
B2B payments provider Billtrust was hit with a ransomware attack last week. The company CTO, Steven Pinado, confirmed to KrebsOnSecurity that the company suffered a malware attack on October 17th. A report via BleepingComputer said that the ransomware strain is known as Bitpaymer, which is typically targeted toward medium and larger enterprises and carries a high ransom price tag.
Here’s the good part: Billtrust has acknowledged a disruption to their business pending a full restore, currently underway from their backups.
Good on them. They had backups, do you?
The continuing theme here: network-connected devices in your home are a privacy concern, as recordings and videos are sent to third-party platforms and perused by vendor employees or contractors. Beyond that, there are also the obvious security implications. White-hat hackers from Germany’s Security Research Labs developed 8 proof-of-concept apps for use in Google and Alexa home automation devices.
The apps ostensibly had benign functions such as horoscopes and random number generators (as in “Alexa, give me a random number between 1 and 10 billion”). The apps passed inspection by both Amazon and Google.
In reality, they were eavesdropping on home occupants, listening for passwords: “the apps gave the impression they were no longer running when they, in fact, silently waited for the next phase of the attack.”
The researchers concluded their study and reported their findings to both vendors, who both say they will change the way they approve third-party apps in unspecified ways.
US Senator Ron Wyden (D-Oregon) has introduced a bill dubbed the “Mind Your Own Business Act” (MYOBA), which levies stiff sanctions on companies that misrepresent their use of consumer data. It updates Wyden’s Consumer Protection Act, which was introduced last November and is reputedly tougher than Europe’s recent GDPR legislation.
Under the bill, quoting Wyden: “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government”.
Security researchers from vpnMentor have issued a report on an open database they’ve discovered which contains 179GB of data on hotel customers, including US military personnel and officials. The data was part of an Elasticsearch database owned by Autoclerk, a reservations system used by hotels and resorts which is owned by Best Western. The database was unprotected and unencrypted, and required no authentication to access. It was discovered as part of vpnMentor’s web mapping project.
“Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed.”
There is an op-ed in the Wall Street Journal about how, despite Mark Zuckerberg’s widely reported speech of last week in which he claimed to have put power back into the hands of the users, tech giants like Facebook have hijacked the spirit and workings of the world wide web. The piece opines that even though there are regulatory initiatives, such as US antitrust investigations into Facebook, Google, et al., the solution is more likely to be attained through increased public perception of what’s going on and, with it, an impetus toward more decentralized, privacy-centric platforms. Mentioned in the article are Elixxir (which I had not previously heard of), WWW inventor Tim Berners-Lee’s Solid (which we reported on in #AxisOfEasy 68) and Blockstack. Not mentioned: Mastodon, of which easyDNS is a gold sponsor and operates a free node at nojack.easydns.ca.
The article is behind a paywall and I didn’t find a suitable non-paywalled rendition of it that wasn’t an outright copy, but I do recommend, in the spirit of what it’s talking about, the book by George Gilder, “Life After Google”, which does a very deep dive into this premise.