Tag: security

Categories
Mobile Syrup

Government tracked Canadians’ movement via smartphones amid the pandemic

A new report sent to the House of Commons ethics committee has revealed that Canadians’ movements were tracked by the government via their smartphone amid the still ongoing COVID-19 pandemic.

According to The Canadian Press’ reporting, outbreak intelligence analyst BlueDot created reports for Public Health Canada using anonymized movement data pulled from Canadians’ smartphones. The public health agency then utilized this anonymized data to gain an understanding of Canadians’ travel patterns during the height of the pandemic in an effort to better manage its response.

The report goes on to reveal that the data included trips to the grocery store, visits to family and friends, time spent at home and movement outside of provinces and the country. Members of Parliament that are part of the ethics committee stated that they were surprised by the amount of detail included in the report.

“Questions remain about the specifics of the data provided, if Canadians’ rights were violated, and what advice the Liberal government was given,” said Damien Kurek, Conservative MP for Battle River-Crowfoot, Alberta, in a statement to The Canadian Press. 

Public Health Canada says that it took protecting the privacy of Canadians seriously and emphasized that the analysis of the data wasn’t focused on individual citizens’ activities and instead was focused on “understanding whether the number of visits to specific locations have increased or decreased over time.”

The data given to BlueDot didn’t include names or identifying personal information, said Public Health Canada.

The committee says that in the future the government should inform Canadian if it is collecting data about their movement and allow them to opt-out.

Source: Canadian Government Via: The Canadian Press (CP24) 

Categories
Mobile Syrup

Google expands options to remove personal information from search results

On request, Google will now remove personal information, including addresses and phone numbers, that show up in search results.

According to a blog post, the tech giant is expanding its existing request process that features removing identifiable information used in cases of doxxing and fraud. That information included banking details, credit card numbers, and social security numbers.

The expanded policy also allows other personal information to be removed, such as email addresses and log-in credentials.

Google will evaluate all requests to ensure it doesn’t limit widely helpful information, such as details available in news articles. The tech giant also won’t remove information if it’s a part of the public record on government websites or other official sources.

But Google removing the information doesn’t mean it’ll be erased from the internet. Users will have to contact the hosting website directly to request removal.

“Maximizing access to information while empowering people to be in control of their sensitive, personally identifiable information is a critical balance to strike,” Michelle Chang, Google’s global policy lead for search, wrote in the blog post.

More information on the requirements to have information removed and how to start the process is available on Google’s support page.

Source: Google

Categories
Mobile Syrup

Google released security report stating it blocked over 1 million malicious apps

Google has released a report outlining the ways it fought against malicious apps and developers throughout 2021. In the report, the company states that 1.2 million apps were blocked for policy violations.

“We continue to enhance our machine learning systems and review processes,” team members state in the report. The team continues and states that “We also continued in our efforts to combat malicious and spammy developers.”Google also shut down 190,000 “bad accounts” and 500,000 inactive developer accounts.

Google is adding its new Data safety section for Google Play. Developers now must give users insight into the privacy and security practices within their apps. This also provides transparency into the data the app collects. Google requires developers to complete these sections for their respective apps by July 20th.

Additionally, Google continues to partner with SDK developers to improve app safety. “Last year we introduced multiple privacy focused features, enhanced our protections against bad apps and developers, and improved SDK data safety,” the report states.

Google also confirms that Google Play Protect “continues to scan billions of installed apps each day.” This security measure helps protect users around the world from potentially harmful and otherwise malicious software.

As a result of protecting its platform and users, Google is safeguarding against developers releasing harmful apps. “As a result of new platform protections and policies, developer collaboration and education, 98% of apps migrating to Android 11 or higher have reduced their access to sensitive APIs and user data,” the report notes.

Google Pixels now utilize machine learning models to improve the detection of malware in Google Play Protect. The privacy-preserving technology runs on Google Pixel devices called “federated analytics” to discover malicious apps.

The company closes out by stating to look forward to more “exciting announcements in 2022.”

Source: Google Via: TechRadar

Categories
Mobile Syrup

Telus launches new wearable security line

Telus has launched a new security service that allows users to call for help at a touch of a button.

The company’s SmartWear Security line offers personal safety devices disguised as wearable accessories.

Users can purchase the safety feature in the form of a necklace, bracelet, keychain, or charms.

“By simply double-clicking your wearable device, you can immediately alert selected contacts and share your geolocation,” Zainul Mawji, president of home solutions and customer excellence at Telus, said.

“It’s empowering our customers with technology that immediately connects them to the support they need in an emergency.”

Telus is partnering with U.S-based invisaWear, which creates the devices. It’s connected through Telus’ wireless network and monitored by the SmartHome Security team.

Once the user clicks the device twice, the user’s pre-selected emergency contacts will be alerted, or they’ll be put in touch with the monitoring team for emergency assistance.

Users can manage SmartWear Security through an app that provides round-the-clock monitoring and alert modes users can personalize.

Prices start at $12 a month if bundled with another Telus service.

Source: Telus

Categories
Mobile Syrup

Chinese hackers use VLC to launch malware on Windows: report

Chinese hacking group ‘Cicada’ is reportedly using popular media player VLC to launch malware on Windows machines.

As reported by cybersecurity researchers at Symantec (via Android Police), the hacking group targeted governments and related organizations, legal and non-profit businesses, and organizations with religious connections. The group hit targets in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.

Symantec explained that Cicada — which also goes by Stone Pandar or APT10 — exploits legitimate versions of VLC by launching a “custom loader” via the software’s ‘Exports’ function. Then, it uses the ‘WinVNC’ tool to gain remote control of the victim’s machine.

Once Cicada has remote control, it can deploy a hacking tool called ‘Sodamaster’ to evade detection and scan systems, download more malicious packages, and conceal communications between compromised systems and the hackers’ command-and-control servers.

Symantec believes the VLC attacks may be ongoing, and that they began in 2021 after hackers exploited a known vulnerability with Microsoft Exchange.

The best thing for users to do to protect themselves is to keep software up-to-date, use strong passwords, and back up important data.

Source: Symantec Via: Android Police

Categories
Mobile Syrup

Hackers breached Mailchimp, targeted crypto holders with phishing scams

Email marketing firm Mailchimp confirmed over the weekend that hackers breached an internal tool and used it to access 300 user accounts and steal audience data from 102 of those accounts.

The breach was outed first by Trezor (via Bleeping Computer), a company that makes hardware wallets for cryptocurrency. Trezor used Mailchimp to send newsletters to customers.

Following the breach, several customers received phishing emails that appeared to be from Trezor and warned of a “security incident.” The emails prompted users to download a malicious version of Trezor’s app to reset their hardware wallet PIN. If installed, the malicious app could have allowed hackers to steal users’ cryptocurrency.

Mailchimp’s chief information security officer (CISO), Siobhan Smyth, told TechCrunch that the company became aware of the breach on March 26th. Smyth explained that the company a malicious actor accessed a tool used by its customer support staff and account administration teams through a successful social engineering attack — social engineering refers to manipulating people and exploiting human error to gain private information, such as login credentials.

“We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said in the statement.

Although Mailchimp declined to share with TechCrunch what data hackers accessed in the breach, it did say that the attack targetted customers in the cryptocurrency and finance sectors. Moreover, Mailchimp said that the attackers gained access to API keys for an undisclosed number of customers — those keys potentially allow attackers to send spoofed emails that appear to be from legit Mailchimp customers.

Mailchimp says it has disabled those API keys and they can no longer be used. However, Smyth told TechCrunch that the company received reports that hackers used the information they obtained from user accounts to send phishing campaigns to accounts’ contacts.

Smyth declined to answer TechCrunch’s questions about whether Mailchimp would implement additional security measures. Further, Mailchimp wouldn’t disclose how many other cryptocurrency or finance customers were impacted by the breach.

As it stands, anyone subscribed to newsletters should be on alert for possible phishing scams, especially if subscribed to crypto or finance newsletters. It’s best to avoid clicking any links in emails you receive.

Moreover, MobileSyrup uses Mailchimp for its weekly newsletter but has not seen any indication that it was impacted by the breach.

Source: Bleeping Computer, TechCrunch

Categories
Mobile Syrup

Microsoft confirms hackers stole partial source code for Bing, Cortana

Microsoft confirmed that hacking group ‘Lapsus$’ compromised a “single account” and accessed partial source code for Bing and Cortana.

The company confirmed the breach in a blog post and detailed what Lapsus$ — or ‘DEV-0537’ as Microsoft calls the group — got from the breach. According to Microsoft, no customer code or data was involved. The company says that Lapsus$ only compromised one account, and Microsoft’s security teams responded quickly to remediate the account and prevent further activity.

Moreover, Microsoft said that it doesn’t rely on the secrecy of source code as a security tool. In other words, Microsoft assumes attackers will access source code, and so relies on other tools to protect itself. The company made a similar remark following the massive Solarwinds breach in 2020.

Lapsus$ claimed it got access to around 45 percent of the code for Bing and Cortana, as well as some 90 percent of code for Bing Maps.

The Verge notes that the Lapsus$ group claimed to be behind several recent security attacks and said it stole data from Okta, Samsung, Ubisoft, and Nvidia. While some of the companies have admitted data was stolen, Okta refuted the group’s claims and said its service hadn’t been breached.

Microsoft wrapped up its blog post by outlining steps organizations can take to improve security, especially in regard to Lapsus$. The company described the Lapsus$ attack pattern as gaining “access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion.”

With that in mind, Microsoft suggests organizations require employees to use multi-factor authentication, or MFA (also called two-factor authentication, or 2FA). MFA involves using multiple methods of authenticating users, such as passwords combined with a one-time passcode (OTP) sent via email, SMS, or through an authentication app. Of the three, Microsoft recommends using a dedicated authentication app to avoid vulnerabilities with email or SMS OTP codes, such as SIM swap attacks commonly used to intercept these codes.

Source: Microsoft Via: The Verge

Categories
Mobile Syrup

Dirty Pipe exploit could let someone take over your phone, fix is on the way

There’s a new Linux vulnerability out there that could give attackers full of control of your Android smartphone.

However, the exploit goes beyond just Android phones — it potentially impacts anything running Linux, including Android phones, Chromebooks, smart home devices, and more.

Although it sounds dire, it’s worth keeping in mind that most people don’t need to panic. For one, the issue has already been patched (although the fix may not have reached your devices yet). The exploit also only impacts some newer Android phones, such as the Pixel 6 series and the Galaxy S22 series (more on that below, along with a way to check if your device is affected).

The exploit, dubbed ‘Dirty Pipe,’ impacts the Linux kernel. The kernel is the core of an operating system and typically acts as an interface between apps and hardware. Because of that, any app that can read files on your device can potentially use the exploit to mess around with files, run malicious code, or gain administrator privileges. Ultimately, attackers could use the exploit to take over a device.

Max Kellermann discovered Dirty Pipe, but also found a way to fix it and already submitted the fix to the Linux kernel project. Additionally, Dirty Pipe was reported to Google’s Android Security team, who introduced the fix to the Android source code. Similarly, the Chrome OS team seems to have a patch poised to roll out in a mid-cycle update to Chrome OS 99. In other words, the Dirty Pipe fix is ready, it just might not have hit your phone or laptop yet.

How to check if my phone/laptop is at risk

Thankfully, checking whether your device could be exploited using Dirty Pipe is fairly easy. We’ve included instructions below:

  • Android: Open Settings > About phone > Android version > Look for Kernel version. If the number is 5.8 or higher, your device is potentially at risk.
  • Chrome OS: Open a new tab > Type ‘chrome://system’ in the address bar > Scroll to ‘uname’ > Look for the ‘Linux localhost’ text and check if the number is higher than 5.8.

In both cases, the number represents the Linux kernel version. Dirty Pipe was introduced in Linux kernel version 5.8 back in 2020, but the exploit wasn’t found until recently. If your device has kernel version 5.8 or higher, it’s potentially at risk for Dirty Pipe (unless you’ve received a patch for it already).

Most Android phones use an older version of the Linux kernel and likely won’t be impacted. However, as mentioned above, the Pixel 6 series and the Galaxy S22 series are impacted. 9to5Google noted that Android devices that launched with Android 12 have a chance of being impacted.

How to protect yourself from Dirty Pipe

Although there are no known instances of attackers using Dirty Pipe to gain control of phones or computers yet, it’s likely only a matter of time before it starts to happen. The best thing you can do to protect yourself is to make sure your devices are up to date.

As mentioned up top, there are already Android and Chrome OS patches, but they haven’t rolled out yet. Hopefully, they roll out soon — keep an eye out for new security patches and make sure to install them right away.

In the meantime, 9to5 suggests only running apps that you trust on your device. Moreover, it may be a good idea to avoid installing new apps until the patch is made available.

Source: Max Kellermann Via: 9to5Google

Categories
Cottage Life

An outdoor security camera made for off-griders

Photo by Vosker

Our editorial team independently selects these products. If you choose to buy any, we may earn a commission that helps fund our content. Learn more.

If you’re interested in keeping an eye on your cottage when you aren’t around, Quebec-based Vosker’s V150 solar-powered LTE cellular outdoor security camera is a great option—especially if you want a camera that you can set up quickly and easily. 

The weather-resistant, heavy-duty security camera features an easy-to-install articulating mounting arm and a built-in solar panel that powers its sizeable battery, making it perfect for remote spots where power isn’t available. 

Unlike many other options, the V150 doesn’t require Wi-Fi. Instead, if there’s a cell phone signal available at your cottage, the camera transmits photos directly to Vosker’s smartphone app. Images are also backed up on a microSD card that comes with the camera. 

The V150 only snaps photos—still photos—when it detects movement, within a 90-foot range. The camera’s motion detection can be a little over-sensitive, however, sometimes taking photos when it detects shadows shifting. 

If you’re looking for remote video capture, Vosker’s V200 is similar to the V150, but can shoot up to 90 seconds of high-definition video, though the frame rate is a little jumpy.

The V150 costs $349 and requires a $10 monthly subscription that allows for 500 photos, 10 HD photos, and seven days of photo history. More expensive plans allow for additional photos and history.

security

Vosker V150 solar-powered LTE cellular outdoor security camera

Buy from Amazon
$349.99
$249.99

Categories
Mobile Syrup

You should download iOS 15.3 to fix a bug that could reveal your browsing data

Apple dropped a series of updates on January 26th that fix a previously reported WebKit bug that could allow websites to see other sites you accessed on your Apple device.

If you use an iPhone or iPad, you’ll want to update to iOS or iPadOS 15.3 as soon as possible to fix the bug. There’s less of a rush for Mac users to update since they can mitigate the bug by using other web browsers — however, if you regularly use Safari on your Mac, you should download the Safari 15.3 update right away.

The bug, first reported to Apple in late November by FingerprintJS, affects web browsers that use WebKit, the open-source foundation for Apple’s Safari browser. Apple also mandates the use of WebKit on iOS and iPadOS, meaning any browser made for Apple’s mobile OS (including Chrome, Firefox, et al.) is also impacted by the bug.

A short explanation is that WebKit’s implementation of a commonly-used JavaScriptAPI for storing web data on devices allowed websites to view the names of other sites that had stored data on a given device. Typically, browsers apply same-origin policy to prevent this. You can learn more about the bug and how it works here.

The iOS 15.3, iPadOS 15.3, and Safari 15.3 updates all include a fix for the issue. It’s good to see the fix applied, especially after FingerprintJS highlighted Apple’s lack of response earlier this month.

9to5Mac confirmed that a beta version of the update fixed the problem using a demo tool provided by FingerprintJS on its website.

If you use an Apple device, you’ll want to install the update right away. Here’s how:

  • iPhone/iPad – Open Settings > General > Software Update.
  • macOS – Click the ‘Apple’ menu in the top-left corner > System Preferences > Software Update > Update Now (You can also click ‘More info’ to view a list of available updates and specifically install the Safari update).

Source: Apple (iOS/iPadOS | Safari) Via: The Verge