National Consumers League

The #DataInsecurity Digest | Issue 101

Google warns of new iPhone hacking scheme while Texas towns continue to struggle with ransomware attack

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note:As Texas continues to reel from its ransomware attack, Google researchers discovered a massive attempt to hack into consumers’ iPhonevia booby trapped websites. Google admitted its own security problems, too, with a vulnerability in its calendar app potentially affecting 1.5 billion users. In other news, Facebook received additional negative headlines after word spread that hundreds of millions of users’ phone numbers were compromised by being stored on aunsecured server.

And now, on to the clips! 

-----------------

Hackers attempt mass iPhone hack. Google security researchers "discovered a small collection of hacked websites ‘that exploited vulnerabilities in Apple's smartphone software. ... Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant." Google estimates that these hacked websites received thousands of visitors each week. @Iyengarish reports that, “the implant was capable of giving hackers access to iPhone users' contacts, photos and location, as well as data from apps like iMessage, WhatsApp, Telegram, Gmail and Google Hangouts.” (Source: CNN) 

Texas ransomware update: Half of affected agencies are still not back up and running. Texas authorities have admitted that at least 10 of the 20+ local agencies have still not recovered from the ransomware attack, which took place on August 16. (Source: Associated Press) 

Google confirms vulnerability of calendar app to phishing attacks. After a spate of news stories noting that a security vulnerability could impact the 1.5 billion users of its calendar app, Google confirmed it. “When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it,” writes @happygeek. “Those links can lead to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.” (Source: Forbes) 

Bolton's departure leaves murky cyber legacy for Trump Administration. Earlier this week, John Bolton made a dramatic exit from the Trump Administration. Bolton's cyber legacy as the national security advisor will likely be mixed; on one hand Bolton was something of a cyber hawk, repeatedly warning "U.S. adversaries that the Trump administration would use its cyber warriors to punish them for jeopardizing American interests." And yet, on the other hand, he undermined U.S. ability to respond to cyber threats by "eliminating the White House cybersecurity coordinator position and downgrading the rank of the homeland security adviser, who supervised the coordinator and oversaw all cyber policy matters." (Source: Morning Cybersecurity)

Breach du jour: Hundreds of millions of phone numbers linked to Facebook accounts. @zachwhittaker reports that "the exposed server contained more than 419 million records. ... But, because the server wasn’t protected with a password, anyone could find and access the database. Each record contained a user’s unique Facebook ID and the phone number listed on the account.” Facebook’s latest cyber incident places its users at risk of spam calls and SIM-swapping attacks.” Source: Tech Crunch 

Perspective: Why is Mitch McConnell blocking all election security bills? One former Obama official speculated to @Joseph_Marks_ that Leader McConnell could be “concerned about the political fallout for Republican senators, several of whom have supported and even co-sponsored election security bills in the past. ‘It would put Republican senators in an awkward spot of having to vote against election security or vote for it and potentially anger Trump or anger some of his base if he were to tweet how bad the bill is.” (Source: Washington Post 

Google agrees to pay $170 million to settle allegations that it illegally collected children’s data. The settlement comes after Google “bragged to toy makers such as Mattel and Hasbro about its popularity among children. In one boast cited by regulators, YouTube claimed to be watched by 93 percent of tweens.” @washingtonpost reports that the fine amounts “to less than two days’ worth of profits for the tech giant.” (Source: Washington Post 

REMINDER: Multi-factor authentication still blocks 99.9 percent of all automated attacks. (Source: ZD Net) 

IRS identity theft enforcement actions plummet by more than 75 percentA new audit from the Treasury Inspector General for Tax Administration found that the IRS opened a mere 75 identity theft cases in 2017 compared with 263 in 2013. @DerekDoesTech reports that “the Criminal Investigations Division has been squeezed over the past decade, losing more than 380 special agents (15% of the division's total workforce)[.] (Source: FCW 

Your state’s DMV could be selling your personal information to private investigators. @josephfcox found that departments of motor vehicles in states across the country are selling the personal data of their customers to private investigation firms, sometimes for as little as one cent per record. Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, commented that “[t]he selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking... For survivors, their safety may depend on their ability to keep this type of information private." (Source: Motherboard 

National Consumers League
Published September 12, 2019