At a glance.
- iOS zero-days disclosed.
- Telework and privacy.
- Hardware retailer data breach.
- Payment transaction solution data exposure.
- Exercise video provider data exposure.
iOS zero-days disclosed.
Researchers at the digital forensics shop ZecOps reported yesterday that they'd discovered two iOS zero-days undergoing active exploitation in the wild. Vice says the researchers think those doing the exploitation are likely working on behalf of a nation-state, and that the exploits may have been purchased from an exploit broker: “It's someone who’s spending budgets on buying exploits but they don’t really have the technical capabilities to change those exploits for better OPSEC.” Apple declined to comment to Reuters on ZecOps' research, but did say that the vulnerabilities would be closed in the next release of iOS.
Telework and privacy.
Zoom remains widely used even as some large organizations, especially governmental organizations, decide that it's too risky to entrust their data to the teleconferencing service. The Telegraph writes that the UK's National Health Service has asked doctors to steer clear of Zoom for their remote conferences with patients.
But Zoom has also continued to work on its security. It's pushing out version 5.0 this week, The Verge reports, and as the company promised, that update concentrates on security to the exclusion of other product enhancements. Zoom blogged yesterday that the new version would include better network security, including a phased upgrade to AES 256-bit GCM encryption (intended to be complete by May 30th) and data routing control (for users who are skittish about their data passing through Chinese hands, or at least through Chinese servers).
Users of Zoom will also see some new security features in their ordinary experience with the platform, most of them involving hosts receiving more control over who joins the meetings, stronger default password policies, and more visibility into security on the dashboard.
Hardware retailer experiences data breach.
Computing reports that British hardware chain Robert Dyas has notified customers that an unknown third party obtained access to its systems during March of this year. Customers' confidential details, including their names, addresses and payment card data, were exposed in the breach. The retailer expressed its regret, and advised customers to check their accounts for unauthorized activity.
Data exposure at mobile payment provider.
New York-based Paay, a card payments processor startup, inadvertently left a database exposed to the Internet, according to TechCrunch. The researcher who found the database estimated that it contained some two-and-a-half-million card transactions dating back to September 1st, 2019. Paay took the database down after it was notified of the issue. The records are said to have included plaintext credit card numbers, expiration dates, and the amount spent in the particular transaction made with the card. It's not known whether the data have been misused, but their utility would be limited, given that they didn't include either cardholder names or card verification values.
And another exposed database, this at a fitness firm.
vpnMentor has reported finding an unsecured database belonging to Kinomap, a French fitness firm that makes immersive exercise videos used in more than eighty countries. The database held about 40GB of data containing some forty-two million records. The personally identifiable information they contained included: full names, home country, email addresses, Kinomap usernames, gender, exercise timestamps, and the date the customer joined Kinomap.