Vacuum cleaner proof-of-concept. Advertising and social media research. Nitro PDF breach spreads.

Summary

By the CyberWire staff

At a glance.

The vacuum cleaner may be listening to you...
Facebook objects to advertising research.
Nitro PDF breach effects spread to New Zealand.

Hush, darling—not in front of the vacuum cleaner.

Well, this would suck. A research team from the University of Maryland and the National University of Singapore have discovered your robot vacuum cleaner could be spying on you, Threatpost reports. The “LidarPhone” attack takes advantage of robot vacuums that use Light Detection and Ranging (LiDAR) distance sensors to navigate around your dirty socks as they clean up last night’s cookie crumbs. A proof-of-concept tested on a Xiaomi Roborock determined that a hacker could program those sensors to instead detect acoustic signals, allowing the vacuum to decipher sounds like human voices and even music. The complexity of the hack, which in the PoC involves reverse-engineering the vacuum’s firmware and exploiting a flaw in the Dustcloud server, would make the exploit difficult to pull off, but if successful, the attacker could suck up your private conversations along with your dust bunnies. The researchers, who presented a paper at SenSys 2020 based on prior research from DEFCON 26, assert that a similar tactic could be used to hack other light sensors, including the ones in smartphones.

Facebook faces off with advertising researchers.

Facebook has given the researchers behind the Online Political Ads Transparency Project’s Ad Observatory Program an ultimatum, Wired reports: cease their work by the end of November or face possible legal action. The project, run by an academic team at New York University’s Tandon School of Engineering, is “focused on improving the transparency of online political advertising.” Volunteers can opt into the research by installing Ad Observer, a browser plug-in that collects information about the ads a user sees and then sends that data to the Ad Observatory for analysis. Facebook has asked the Observatory to halt their work and delete their findings, claiming that the gathering of this info is a risk to user privacy. In a Twitter statement, Facebook spokesperson Rob Leathern stated “Collecting personal data via scraping tools is an industry-wide problem that’s bad for people’s privacy & unsafe regardless of who is doing it.” But Facebook’s motivations could be less than altruistic, as in the past the social media giant has been called out by US and European officials for allowing advertisers to use Facebook ads to spread disinformation and target the audiences who are most likely to believe it.

New Zealanders exposed in Nitro PDF breach.

A threat actor infiltrated the systems of PDF creation software provider Nitro PDF and stole the data of at least 2.6 million users, 4,000 of which are New Zealanders, reports RNZ. The stolen data, which includes email addresses and hashed passwords, was published by the threat actor online, and it’s possible there’s more where that came from. CERT-NZ, New Zealand’s cybersecurity watchdog organization, released an alert describing the nature of the breach and advising those affected about next steps.

Selected Reading

Marriott Investor Looks To Save Data Breach Suit (Law360) A shareholder is fighting Marriott International Inc.'s bid to toss his lawsuit filed on the hotel giant's behalf in Maryland federal court following a 2018 customer data breach, saying he has successfully argued that most of the company's board members have a personal interest in the suit's outcome.

2 Lakeland Lowe's Workers Accused Of Employee Data Breach (Lakeland, FL Patch) Two people face multiple charges including fraud after deputies accused them of stealing from their employer's payroll.

An analysis of the Monetary Penalty Notice issued by the Information Commissioner’s Office to Marriott International, Inc. dated 30 October 2020 (Lexology) On 30 October 2020, the Information Commissioner’s Office (the “ICO”), acting as Lead Supervisory Authority for the purposes of Article 56 of the…

Salesforce May Dodge Payment in Retailer’s Data Breach Suit (Bloomberg Law) Hanna Andersson LLC and cloud provider Salesforce.com Inc. have reached a proposed settlement with plaintiffs in a class action stemming from a 2019 data breach.

Salesforce, Clothier Ring Up $400K Data Breach Deal (Law360) Hanna Andersson and Salesforce.com asked a California federal court Thursday to grant preliminary approval of a $400,000 settlement with customers of the clothing retailer over a data breach they say led to the information of over 200,000 being compromised.

Fraudsters Use Free Google Services in Phishing Campaigns (BankInfo Security) Fraudsters are increasingly using free Google services to create more realistic phishing emails and malicious domains that circumvent security filters, the

Hoard of Spotify user data exposed by hackers' careless security practices (CNET) A crime ring compiles a huge list of Spotify passwords, but stores it on an unsecured cloud database.

Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs (BleepingComputer) A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices.

New Malware Named ModPipe Is Targeting Hospitality Sector (Social News XYZ) Internet security company ESET discovered a new malware called ModPipe that’s targeting Point-of-Sale (PoS) devices popular in the hospitality sector, especially in the US. The malware is a modular backdoor that allows hackers to access...

Exploiting Oracle: Analysis of the Recent RCE Vulnerability in WebLogic Server (Netsparker) In October 2020, a critical vulnerability in Oracle WebLogic Server was discovered that allowed for easy remote code execution. Assigned CVE identifier CVE-2020-14882, the issue prompted an out-of-band security update from Oracle. This article takes a closer look at the security flaws that make exploitation possible and demonstrates typical attack payloads.

Google reports over 2 million phishing sites in 2020 YTD (Atlas VPN) According to data analyzed by the Atlas VPN research team, Google registered 2.02 million phishing websites in 2020 Year-to-Date (YTD). An average of 46 thousand phishing sites are detected every week, according to Google’s Transparency Report.

Australian online data breach may affect thousands of NZers (RNZ) Thousands of New Zealanders may have been caught up in a massive online data breach connected to Nitro PDF software.

Nitro PDF users’ email addresses and hashed passwords leaked (CERT-NZ) Nitro PDF, a PDF enterprise document creation and sharing web application, has experienced a significant data breach.

Looking behind the Vertafore data breach (Includes interview) (Digital Journal) Vertafore, a provider of insurance software, has recently disclosed details of a data breach, admitting that a third-party accessed the details of 27.7 million Texas drivers.

LSU Health Care Services Division: Patient records possibly compromised in data breach (The Advertiser) Any questions concerning this matter should be directed to LSU Health Care Services Division’s Compliance and Privacy Department at 1-800-735-1185.

Could patients be at risk during a hospital cyberattack? It depends how far hackers are willing to go, expert says (FierceHealthcare) Could patient safety be caught in the crosshairs with the rise of cyberattacks? It depends how far attackers are willing to go for financial or disruptive gain, one health IT expert said.

This Successful Lawyer Had To Sell His House Because Of A Cyber Attack (Forbes) My colleague just told me something so crazy it could be on 60 Minutes.

Female athletes hacked in 'reprehensible' naked photo leak (Yahoo Sports) Hundreds of professional athletes and celebrities have had explicit photos and videos leaked online.

Travel Booking Sites Hit by Massive Data Breach: How Can You Protect Yourself? (MakeUseOf) Here's what to do if you think you're victim of the data breach that's affected 8 major travel sites.

Retail giant E-Land closes nearly half of stores due to ransomware attack (Korea Times) Retail giant E-Land closes nearly half of stores due to ransomware attack

()