At a glance.
- Clearview AI discloses a breach that exposed its customer list.
- Kr00k Wi-Fi vulnerability could expose encrypted traffic to snoopers.
- Pasteboard could expose geolocation data to malicious apps.
- Ransomware gang urges its affiliates to steal data before encrypting them.
Clearview AI reports "unauthorized access."
Clearview AI, whose controversial scraping of the Internet enabled it to compile a database that's believed to include some three-billion images, disclosed that someone “gained unauthorized access” to its customer list. Most of Clearview's customers are law enforcement agencies, several of whom have been pleased with the service's usefulness in criminal investigations, particularly in child abuse cases. The data that was exposed in the incident included, in addition to the customer list, the number of accounts the customers had established and the number of searches they'd conducted. The image database itself was apparently not compromised, and Clearview says that no search histories were exposed, either. The Daily Beast says that Clearview claims its servers were not breached and that the vulnerability has been closed.
Kr00k could expose Wi-Fi traffic to crooks.
ESET researchers report finding encryption flaws in Cypress Semiconductor and Broadcom Wi-Fi chips. While the risk is relatively limited, it remains possible that attackers could intercept data transmitted wirelessly. They call the bug Kr00k, and it’s been assigned the identifier CVE-2019-15126. ESET says Kr00k can cause “vulnerable devices to use an all-zero encryption key to encrypt part of the user’s communication. In a successful attack, this vulnerability allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device.”
Pasteboard could compromise geolocation.
An app developer who blogs as "Myst" says that Apple's Pasteboard functionality in iOS could in principle compromise a user's geolocation. A user who copied a photo to Pasteboard also copies the GPS coordinates embedded in the photo's data, and those data are in turn (and, again, in principle) accessible to any app the user might subsequently employ. Naked Security points out that Apple doesn't see this as a flaw, since it's simply Pasteboard functioning as it's designed. But they also take Myst's point: it would be better if Pasteboard were integrated into Apple's general permissions system, which would give the user the opportunity to approve or disapprove access to image data on an app-by-app basis.
Gangland wants its soldiers to steal your files before they let their ransomware encrypt them.
Any ransomware attack should now be regarded as also a data breach. Extortionists now get additional leverage by threatening to release their victims’ sensitive files. According to BleepingComputer, the gang behind Sodinokibi, which operates as an affiliate marketing scheme, is telling its criminal associates that data theft should now be a routine part of their attacks. They've also added one more lever: if the target is a publicly traded company, the gang advises its affiliates to say they'll tell the stock market.