Tag Archive for: confusion

This Week In Security: The Facebook Leak, The YouTube Leak, And File Type Confusion


Facebook had a problem, way back in the simpler times that was 2019. Something like 533 million accounts had the cell phone number associated with the account leaked. It’s making security news this week, because that database has now been released for free in its entirety. The dataset consists of Facebook ID, cell number, name, location, birthday, bio, and email address. Facebook has pointed out that the data was not a hack or breach, but was simply scraped prior to a vulnerability being fixed in 2019.

The vulnerability was in Facebook’s contact import service, also known as the “Find Friends” feature. The short explanation is that anyone could punch a random phone number in, and get a bit of information about the FB account that claimed that number. The problem was that some interfaces to that service didn’t have appropriate rate limiting. Combine that with Facebook’s constant urging that everyone link a cell number to their account, and the default privacy setting that lets anyone locate you by your cell number, and the data scraping was all but inevitable. The actual technique used may have been to spoof requests so that they appeared to come from the official Facebook app.

[Troy Hunt]’s Have I Been Pwned service has integrated this breach, and now allows searching by phone number, so go check to see if you’re one of the exposed. If you are, keep the leaked data in mind every time an email or phone call comes from someone you don’t know.

Impersonating a TV

[David Schütz] was at a friend’s house, and pulled out his phone to show off a private YouTube video. Google has worked hard to make the Android/Chromecast/Android TV interconnect seamless, and that system was firing on all cylinders. With a simple button press, that private video played on his friend’s smart TV, and it seemed very wrong that this was so easy.

For background, YouTube videos can exist in three states. A normal video shows up for everyone, and there are no restrictions on watching it. An unlisted video doesn’t show up in search results or on the channel’s page. You have to have the link to see it. The third option is a private video. These aren’t visible to anyone, even if…

BCPS blames ransomware cyberattack for W-2 form confusion


In Baltimore County, there is an issue with employee W-2 statements. It turns out the state of Pennsylvania actually appeared on the forms, which caused quite a bit of confusion.

More than 18,000 school employees have been asking for answers as they should expect new W-2 forms online and in the mail.

The issue turned up in February: First with a systemwide W-2 statement delay, and that was followed by concerns over why another state’s name was included on Maryland’s employees tax forms. It became a major concern for Baltimore County teachers who make up half of the district’s payroll.

“Initially, we were getting the calls because there were wages in Maryland and Pennsylvania and people, of course, did not live in both states,” Teachers Association of Baltimore County President Cindy Sexton said.

School officials blame the November 2020 ransomware cyberattack for the form foul up. The apparent breach all but crippled internal school operations, including payroll. So, what went out to employees raised a lot of concerns.

“A number of our employees were simply not familiar with the look and feel and the information that was being presented on the new W-2 form,” Baltimore County Public Schools spokesman Charles Herndon said.

And now new W-2 tax statements are being re-issued with corrections.

“It shouldn’t be a problem with these new W-2 forms that we just released, as well as the current ones we are using as well,” Herndon said.

“We’re glad that they are making them available for people. It would have been nice to have it sooner, it would have saved us all a lot of angst, but at least it is in the works now that they will be available,” Sexton said.

The union says it’s gotten assurances from Maryland’s comptroller’s office that it’s working with Pennsylvania for employee extensions and the waiving of penalties and interest.

Baltimore County said those new statements should be up online in the next day or so if not sooner.

Due to the errors made on the W-2 forms, the state comptroller has agreed to extend the period of time for which BCPS employees may report and pay their income taxes to the state from April 15 to July 15. Read the full letter here.

Meanwhile, for…

Microsoft seeks to disrupt Russian criminal botnet it fears could seek to sow confusion in the presidential election – The Washington Post

  1. Microsoft seeks to disrupt Russian criminal botnet it fears could seek to sow confusion in the presidential election – The Washington Post
  2. Microsoft Disrupts Botnet Installing Ransomware – Infosecurity Magazine
  3. Microsoft takes action to disrupt botnet and combat ransomware – Asia News Center – Microsoft
  4. Microsoft takes down massive hacking operation that could have affected the election – CNN
  5. Microsoft attempts takedown of global criminal botnet – The Associated Press

Mozilla patches ‘type confusion’ zero-day exploit in Firefox – TechGenix

  1. Mozilla patches ‘type confusion’ zero-day exploit in Firefox – TechGenix
  2. Mozilla fixes second Firefox zero-day exploited in the wild – ZDNet
  3. Mozilla Issues Emergency Zero-Day Firefox Patch – ExtremeTech
  4. Potent Firefox 0-day used to install undetected backdoors on Macs – Ars Technica
  5. Firefox emergency update patches active zero-day exploit – SlashGear