Tag Archive for: Giants

Tech Giants Duped Into Giving Up Data Used to Sexually Extort Minors


(Bloomberg) — Major technology companies have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators.

The companies that have complied with the bogus requests include Meta Platforms Inc., Apple Inc., Alphabet Inc.’s Google, Snap Inc., Twitter Inc. and Discord Inc., according to three of the people. All of the people requested anonymity to speak frankly about the devious new brand of online crime that involves underage victims.

The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse, according to the six people.

The tactic is considered by law enforcement and other investigators to be the newest criminal tool to obtain personally identifiable information that can be used not only for financial gain but to extort and harass innocent victims.

It is particularly unsettling because the attackers are successfully impersonating law enforcement officers. Victims themselves have no practical defence against the tactic; the only way to avoid it would be to have no account on the targeted service at all, according to the people.

It’s not clear how often the fraudulent data requests have been used to sexually extort minors. Law enforcement and the technology companies are still trying to assess the scope of the problem. Since the requests appear to come from legitimate police agencies, it’s difficult for companies to know when they have been tricked into giving out user data, the people said.

Nonetheless, the law enforcement officials and investigators said it appears the method has become more prevalent in recent months.

“I know that emergency data requests get used in real life-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children,” said Alex Stamos, a former chief security officer at Facebook who now works as a consultant.

“Police departments are going to…

Source…

Russian tech giant’s data harvesting raises security concerns


Russia’s biggest internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country.

The revelation relates to software created by Yandex that permits developers to create apps for devices running Apple’s iOS and Google’s Android, systems that run the vast majority of the world’s smartphones.

Yandex collects user data harvested from mobiles, before sending the information to servers in Russia. Researchers have raised concerns the same “metadata” may then be accessed by the Kremlin and used to track people through their mobiles.

Researcher Zach Edwards first made the discovery regarding Yandex’s code as part of an app auditing campaign for Me2B Alliance, a non-profit. Four independent experts ran tests for the Financial Times to verify his work.

Yandex has acknowledged its software collects “device, network and IP address” information that is stored “both in Finland and in Russia”, but it called this data “non-personalised and very limited”. It added: “Although theoretically possible, in practice it is extremely hard to identify users based solely on such information collected. Yandex definitely cannot do this.”

The revelations come at a critical time for Yandex, often referred to as “Russia’s Google”, which has long attempted to chart an independent path without falling foul of Russian president Vladimir Putin’s desire for greater control of the internet.

The company said it followed “a very strict” internal process when dealing with governments: “Any requests that fail to comply with all relevant procedural and legal requirements are turned down.”

But Cher Scarlett, formerly a principal software engineer in global security at Apple, said once user information was collected on Russian servers, Yandex could be obliged to submit it to the government under local laws. Other experts said that the metadata of the sort collected by Yandex could be used to identify users.

Ron Wyden, chair of the US Senate’s finance committee and one of the architects of US internet regulation, heavily criticised Google and Apple for not doing enough to…

Source…

Cressida Dick: Tech giants make it impossible to stop terrorists – BBC News


Source…

Copycat researchers imitate supply chain attack that hit tech giants



This week, over 150 new packages have been published to the npm open-source repository, named after private components used internally by major companies.

These npm packages are identical to the proof-of-concept packages created by Alex Birsan, the researcher who had recently managed to infiltrate over 35 major tech firms and walk away with over six figures in bug bounty rewards.

Within 48 hours of Birsan’s disclosure going public, copycat actors began pushing similar packages to npm, likely in a quest to earn bug bounties.

Birsan has confirmed to BleepingComputer that he is not behind these imitation packages and that these are different actors following in his footsteps.

Researcher breaches 35 tech firms in a novel supply chain attack

Recently, BleepingComputer had first reported on a supply chain attack that hit over 35 tech firms, including Microsoft, Apple, PayPal, Tesla, Uber, Yelp and Shopify.

The researcher, Alex Birsan, had taken advantage of an inherent design flaw in open-source development tools called “dependency confusion” or “namespace confusion”: he squatted the names of private dependencies used by major companies on public open-source repositories including npm, PyPI and RubyGems, so that the companies’ own build tooling fetched his packages instead of the internal ones.
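To make the mechanism concrete, the following is an added example written for this page; it is not code from Birsan’s research or from BleepingComputer. It simulates an installer that consults a private package index and the public one. The index contents, the package name acme-internal-auth, the acme- naming convention, the version numbers and the simulated digests are all constructed assumptions. The vulnerable resolver merges both indexes and takes the highest version, which is what pip does with --extra-index-url and what a registry that proxies to the public npm registry can do; the hardened resolver never serves an internal name from the public index and checks a pinned hash for whatever it does choose.

```python
"""Dependency-confusion resolution, simulated.

Added example for this page; it is not code from Alex Birsan's research or
from BleepingComputer. Package names, versions and index contents are
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    name: str
    version: tuple   # parsed "major.minor.patch", e.g. (1, 4, 2)
    source: str      # "private" or "public": which index served it
    sha256: str      # digest of the archive (simulated here from its identity)


def parse_version(text: str) -> tuple:
    # Numeric components only; pre-release tags are out of scope for this model.
    return tuple(int(part) for part in text.split("."))


def _digest(name: str, version: str, source: str) -> str:
    # Stand-in for the archive's real sha256; deterministic so pins can be tested.
    return hashlib.sha256(f"{name}=={version}@{source}".encode()).hexdigest()


def build_index(source: str, entries: dict) -> dict:
    """entries maps package name -> list of version strings."""
    return {
        name: [Release(name, parse_version(v), source, _digest(name, v, source))
               for v in versions]
        for name, versions in entries.items()
    }


def make_indexes():
    """Constructed sample: an internal package that exists only privately,
    plus a public package mirrored on both indexes."""
    private = build_index("private", {"acme-internal-auth": ["1.4.0", "1.4.2"],
                                      "requests": ["2.25.0"]})
    public = build_index("public", {"requests": ["2.25.0", "2.25.1"]})
    return private, public


def squat(public: dict, name: str, version: str) -> None:
    """Attacker step: publish a same-named package with a huge version publicly."""
    public.setdefault(name, []).append(
        Release(name, parse_version(version), "public", _digest(name, version, "public")))


def resolve_naive(name: str, *indexes: dict) -> Release:
    """Vulnerable: merge every index and take the highest version, as pip does
    with --extra-index-url and as a proxying registry can do for npm."""
    candidates = [r for idx in indexes for r in idx.get(name, [])]
    if not candidates:
        raise LookupError(name)
    return max(candidates, key=lambda r: r.version)


INTERNAL_PREFIX = "acme-"   # assumed naming convention for private packages


def resolve_hardened(name: str, private: dict, public: dict,
                     pinned_sha256: str = None) -> Release:
    """Internal names are only ever served by the private index; the release
    actually chosen must match the pinned digest when one is supplied."""
    if name.startswith(INTERNAL_PREFIX):
        candidates = list(private.get(name, []))
    else:
        candidates = list(private.get(name, [])) + list(public.get(name, []))
    if not candidates:
        raise LookupError(name)
    chosen = max(candidates, key=lambda r: r.version)
    if pinned_sha256 is not None and chosen.sha256 != pinned_sha256:
        raise ValueError(f"hash mismatch for {name} {chosen.version} from {chosen.source}")
    return chosen


def run_scenario():
    """Squat the internal name publicly, then resolve it both ways."""
    private, public = make_indexes()
    squat(public, "acme-internal-auth", "99.0.0")
    naive = resolve_naive("acme-internal-auth", private, public)
    hardened = resolve_hardened("acme-internal-auth", private, public)
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = run_scenario()
    print("naive    ->", naive.source, ".".join(map(str, naive.version)))
    print("hardened ->", hardened.source, ".".join(map(str, hardened.version)))
```

The naive path lands on the attacker’s 99.0.0 from the public index even though 1.4.2 exists privately, which is the whole attack. The two controls in the hardened path are the ones that actually close it: a namespace rule that binds internal names to the internal index (for npm, a scoped package whose scope is mapped to the private registry in .npmrc; for pip, not using --extra-index-url for anything that lives privately), and an integrity pin (lockfile hashes, pip --require-hashes) so that a differently-sourced archive fails even if the name rule is misconfigured.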

Today, a report from Sonatype reveals, other copycat actors are now imitating Birsan’s research by flooding the npm repository with copycat packages marked “for security research purposes only.”

[Image: npm copycat packages created in the style of Birsan, with the disclaimer. Source: BleepingComputer]

Copycat actors flood npm with identical packages

Within the last 48 hours, the Sonatype Security Research team, of which I am a part, noticed a sudden spike in the volume of suspicious packages caught by our automated malware detection systems and began analyzing these packages.

And then it made sense. The vast majority of the 150+ components that were flagged, and that are continuing to come in at the time of writing, are lookalikes of Birsan’s PoC packages that let him breach over 35 tech companies as part of his ethical research.

But Birsan tells BleepingComputer he is not behind these copycat “research” packages, although he did admit to uploading a few more packages today under his…

Source…