At a glance.
- NSO product demo exposes private data.
- Livestreaming swatting.
- Fashion influencers' data exposed.
- FBI warns that cybercriminals are also returning to school.
NSO product demo exposes private data.
While pitching a new COVID-19 contact tracing product, Israel-based spyware purveyor NSO compromised the phone data of thousands of individuals, TechCrunch reports. The product, called Fleming, is designed to help governments track the spread of the virus by using cell phone location data. NSO sent a demo to several news outlets to publicize its release, a demo allegedly populated with very real and very private user data. As early as May, a researcher reported that the Fleming demo was not only using genuine data, but also storing the info in an unsecured database.
Although NSO secured the database, they apparently continued to use the data, asserting the info was not extracted from real users—a claim that conflicted with Israeli news reports that NSO had previously stated they were using genuine data acquired from advertising data brokers. If the data are real, as determined by a recent report released by researchers at Forensics Architecture, over 30,000 individuals have been compromised. The irony is that one of Fleming’s features is supposedly its focus on protecting user privacy. When asked for a response, a spokesperson from NSO challenged the validity of the research findings and maintained that “we stand by our previous response of May 6, 2020. The demo material was not based on real and genuine data related to infected COVID-19 individuals.”
Swatting: when practical joking turns dangerous.
The US Federal Bureau of Investigation has released an alert warning that there’s been a rise in the dangerous act of swatting, reports BBC News. Like a twisted mash-up of a fake bomb threat and Candid Camera, swatting is a prank in which hackers send law enforcement to innocent households, usually by reporting a fake crime, then hack into the homeowner’s doorbell cam to observe the fallout via livestream. Often the attackers will interact with the responding officers through the microphone on the camera, and sometimes they’ll even sell tickets to online spectators, but the goal isn’t so much money as entertainment. The cost for victims, however, can be high, with at least one past incident leading to a shooting. The recent cases are likely the result of hackers acquiring stolen user passwords, but security bugs in smart doorbells could also be at fault.
21 Buttons pays the price of fashion.
Fashion app 21 Buttons has exposed the private data of hundreds of European users, vpnMentor reports. A “social commerce” app that blends social media with retail, 21 Buttons provides a platform for influencers to post pictures of themselves wearing merchandise that viewers can purchase through the app, with influencers earning a cut of the sales. Researchers discovered 50 million pieces of data, including invoices for payments to influencers, on an unsecured AWS cloud storage bucket. vpnMentor contacted 21 Buttons for comment, but it took over a month for a representative to respond, and so far the company has not actually remedied the issue.
Winter break is over for the cybercriminals as well.
ABC News records warnings from the FBI that schools (and their students, faculty, staff, and parents) should expect cybercriminals to resume various forms of disruption as school resumes after the winter holidays. Since so much instruction is now being delivered remotely because of the continuing pandemic, elementary and secondary schools are especially vulnerable. Motive and modus operandi vary from criminal to criminal. Some will engage in straightforward crime for financial gain (ransomware is the most common form of this) whereas others work for the Iago-like lulz (as in Zoombombing). Both ransomware and Zoombombing represent at least an indirect threat to privacy and personal data.
We received some emailed comments from KnowBe4's James McQuiggan on the criminal threat to schools:
“Last month, the CISA office provided notification of increased ransomware attacks to K-12 and education institutions. The same warning continues to carry, even while students are learning remotely through distance learning. The unfortunate situation is cybercriminals are aware the schools, staff and students are easy targets because of limited funding and resources.
“While the schools can focus on acquiring the technology to prevent phishing emails from entering teachers’, staff’s and students’ mailboxes, it will be necessary to also educate them properly against phishing. According to the KnowBe4 2020 Phishing Benchmark Report, in the education sector, we see that one in every two or three people will succumb to a phishing attack (when not given proper training).
“Not only is it essential to educate the teachers and staff, but also the students. Implementing a robust security awareness program will be crucial to help educate staff, teachers and administration to effectively spot a phishing email and report to their IT departments to handle it swiftly.”