Latest Tech Alert

If you just bought a smart television on Black Friday or plan to buy one on Cyber Monday tomorrow, the Federal Bureau of Investigation wants you to know a few things. A smart television is a regular television set with an internet connection added, which is what streaming platforms such as Hulu, Netflix and Amazon Prime need in order to work. But like anything that connects to the internet, that connection exposes the set to security vulnerabilities and cyber-criminals, and many smart televisions also come with a camera and a microphone. Most makers of internet-connected devices care very little about the core security of their gadgets. That is the key takeaway from the FBI's Portland field office, which, just ahead of some of the biggest shopping days of the year, posted a warning on its website about the risks that smart televisions pose. Beyond the risk that your television manufacturer and app developers may be listening to and watching you, the television can be a gateway for cyber-criminals into your home. A bad cyber actor may not be able to access your locked-down computer directly, but an unsecured television can give them an easy way in through the back door via your router, the FBI wrote. The FBI warned that cyber-criminals can take control of an unsecured smart television and, in the worst case, take over its camera and microphone to watch and listen in. Active attacks and exploits against smart televisions are rare, but not unheard of. Every smart television set ships with software designed by its manufacturer, and every consumer is at the mercy of that vendor's unreliable and irregular security patches, which also makes some devices more vulnerable than others.
Recently, hackers demonstrated how Google's Chromecast streaming stick could be compromised and made to broadcast videos of their choosing to millions of victims. In fact, some of the biggest exploits targeting smart televisions in recent years were developed by the Central Intelligence Agency but were stolen; those files were later published on WikiLeaks. But as much as the FBI's warning responds to genuine fears, arguably a bigger issue that should cause as much if not greater concern is how much tracking data is collected on smart television owners. A recent study found that many smart television manufacturers, including LG, Sony and Samsung, collect an immense amount of information about what users are watching so that advertisers can target their ads. The television tracking issue has become so serious in the past few years that the television maker Vizio had to pay a fine of millions of dollars when it was caught secretly collecting customer viewing data; earlier this year a separate class-action suit over the tracking was allowed to proceed against Vizio. The FBI recommends placing black tape over an unused smart television camera, keeping the set up to date with the latest patches and fixes, and reading the privacy policy to better understand what your smart television is capable of.

A massive database storing tens of millions of text messages, most of them sent by businesses to potential customers, has been found online.

The database is operated by TrueDialog, an SMS service provider based in Austin, Texas, that lets businesses, colleges and universities send bulk text messages to their customers and students. The company says one of the benefits of its service is that recipients can text back, giving two-way communication with the business. The database stored years of text messages sent and received by TrueDialog's customers and processed by the company. But because it was left unprotected on the internet without a password, and none of the data was encrypted, anyone could look inside. Earlier this month security researchers found the exposed database as part of their internet scanning efforts and observed that a portion of the data held detailed logs of messages sent by customers, including phone numbers and message contents.

The database held marketing messages from businesses with discount codes, university finance applications and job alerts. But it also held sensitive text messages, such as security codes and two-factor codes. Anyone viewing those codes could easily gain access to the recipient's online accounts, and the list goes on: codes for accessing online medical services, password reset links and login credentials for websites such as Gmail and Facebook. In two-way conversations, the unique conversation code made it trivial to read an entire chain of messages; one log table alone held millions of text messages. When the security researchers informed TrueDialog of the exposure, the company quickly pulled the database offline. The worst part is that throughout this episode the company's chief executive officer stayed silent, neither acknowledging the breach nor giving any substantive answer when asked for comment. He did not even say whether the company would follow state data-breach notification laws and inform its customers of the security lapse.

Unfortunately, this is only one company among many that hold sensitive consumer information yet take few security measures and leave sensitive text messages on the internet for anyone to access. It is yet another example of how text messages can be convenient but are compromised so easily through the carelessness of the service providers that handle them.

A cyber-intrusion at Mixcloud, an audio streaming platform based in the United Kingdom, has threatened the security and privacy of more than a million user accounts, and within minutes the stolen data was on sale on the dark web. The breach happened earlier in November, according to the dark-web seller, who also supplied a portion of the data, allowing us to examine and verify its authenticity. The data contained usernames, email addresses and passwords that appeared to be scrambled with the SHA-2 algorithm, making the passwords nearly impossible to unscramble. The files also contained details such as account sign-up dates and last login dates, along with the country from which the user accessed the account, their IP address and a direct link to their profile picture. The company, however, does not force its users to verify their email addresses.

The exact amount of data stolen from the company's database is still unknown, but according to the anonymous dark-web seller, the total exceeds 25 million records, all of them on sale. The data was put up for auction on the dark web, and the highest bidder in bitcoin gets direct access to the private data of those users. It is the latest in a string of high-profile data breaches in recent months. The breached data came from the same dark-web seller who also alerted TechCrunch to the StockX breach earlier this year. The apparel trading company initially said that its customer-wide password reset was only for system maintenance, but later had to confirm that it had been compromised and that its incompetence had resulted in the exposure of an immense number of records. A Mixcloud spokesperson declined to comment and did not answer any questions, including whether the company plans to inform customers under U.S. state and EU data-breach notification laws. The company's co-founder also stayed silent. As a London-based company, Mixcloud falls under U.K. and European data protection rules; companies that violate the European GDPR can be fined approximately 4% of their annual turnover.

In our years of covering web security, there is one lie we have encountered many times: companies stating that they take your privacy and security very seriously. By now most consumers know it is a hollow phrase. You have probably heard it on various occasions; it is the stock statement companies issue in the wake of a data breach, included in their emails and on their websites to say they care about your privacy. The harsh reality is that they don't really give a crap about your privacy, and many companies have been found misusing your data; some have even been fined for selling consumers' private information for profit. We never understood what the phrase is supposed to mean. Honestly, if all these companies really cared about your privacy, then data-hungry companies like Google and Facebook would have to stop selling consumers' private data to advertisers. If, after reading all this, some of you still want to live in a bubble and believe the allegations are incorrect and the companies are fluffy angels who could never lie to you, you might want to look at the data we compiled by scraping every breach report filed with the California attorney general's office, which state law requires after a security breach. Approximately one-fourth of all data-breach notifications contained some variation of that line. It shows they don't even know what their next step is.

Let me give you another perfect example of corporate incompetence. Last week, many OkCupid users complained that their accounts had been compromised. Their accounts were hit by credential stuffing, in which cyber-criminals take lists of leaked usernames and passwords and try to brute-force their way into users' accounts with them. Various organizations have learned from such attacks and taken the time to improve their account security, for example by rolling out two-factor authentication. OkCupid's response, instead, was to deflect, defend and deny, the usual way organizations try to leave negative stories behind. It looked like this:

  • Deflect: the company states that almost every website has to deal with account-takeover attempts.

  • Defend: the company later told another publication that there is no strong evidence supporting the story.

  • Deny: the company stayed silent when asked what further steps it would take to address the issue.

Unfortunately, every company like this one has long neglected security, and constant denial and reassurance is its policy for dealing with incidents in which the customers who trusted it with their private details are the ones at stake. Most breaches happen because of careless behavior and weak security measures. Cyber-criminals advance their techniques every day, while the companies entrusted with customers' private information do nothing but offer empty assurances. Companies could instead reach out to their customers, educate them about bugs, and encourage them to report one immediately. Every start-up should take security seriously from the very beginning so that it can build robust protection for its data stores later on. Even the most successful companies ignore these issues and take the escape route of paying fines. By now companies have to understand the seriousness of these issues and, instead of ignoring them, employ a proper development team to strengthen their security. But again, with no incentive to change, these organizations will keep burying their heads in the sand and insisting everything is fine, when they ought to be doing something to prevent the next incident.
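Credential stuffing, as described in the OkCupid item above, is visible to the defender in the shape of the login log: one source trying many different accounts in a short window with mostly failures. The following is an added example written for this page, not code from the article or from any company it mentions; the log format, addresses and usernames are constructed.

```python
"""Credential-stuffing detection over authentication logs (added example).
One source IP trying many different usernames in a short window, mostly failing,
is the stuffing shape; one user retrying a password is not. Log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<iso timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2019-11-27T10:00:01 203.0.113.7 alice FAIL
2019-11-27T10:00:02 203.0.113.7 bob FAIL
2019-11-27T10:00:02 203.0.113.7 carol FAIL
2019-11-27T10:00:03 203.0.113.7 dave OK
2019-11-27T10:00:04 203.0.113.7 erin FAIL
2019-11-27T10:00:05 203.0.113.7 frank FAIL
2019-11-27T10:05:00 198.51.100.4 alice FAIL
2019-11-27T10:05:40 198.51.100.4 alice OK
"""

def parse_events(log_text):
    """Yield (timestamp, ip, user, succeeded) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.3):
    """Return {ip: sorted usernames} for IPs that tried >= min_users distinct
    accounts inside `window` with a success ratio <= max_success_ratio."""
    by_ip = defaultdict(list)
    for event in parse_events(log_text):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window start
                start += 1
            span = events[start:end + 1]
            users = {e[2] for e in span}
            ratio = sum(1 for e in span if e[3]) / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                flagged[ip] = sorted(users)
    return flagged

def hit_accounts(log_text, flagged):
    """Accounts that logged in from a flagged IP: reused password worked, force a reset."""
    return sorted({u for _, ip, u, ok in parse_events(log_text)
                   if ok and ip in flagged})
```

On the sample, the first source is flagged while the second (one user retrying a forgotten password) is not, and `hit_accounts` names the one account whose reused password worked and therefore needs a forced reset and user notification.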