Tag Archive for: Sixth

Survey: Every sixth American avoids using the internet in public


Shopping malls and public event venues are considered to have the most cyber threats

Almost 16% of American internet users avoid going online in public places and nearly 70% of Americans prefer their mobile internet for online activities in public, according to a survey conducted by NordVPN. Cybersecurity experts say that these measures help to mitigate cyberthreats, but issues raised by using public Wi-Fi can also be managed by other means.

Cyberthreat of shopping malls

In the new survey, most American internet users mentioned shopping malls (51%), public event venues (50%), and cafeterias, bars, or restaurants (49%) among the places where devices are exposed to cybersecurity threats the most. Home and workplace are mentioned as the safest places from cybersecurity threats with only 20% of respondents concerned about internet security and privacy in each location.

“Internet users should evaluate cybersecurity risks in every location because the scope of threats varies depending on a place. While universities or offices tend to put more effort into cybersecurity, it might not be the case with cafeterias and shopping malls,” says Marijus Briedis, CTO at NordVPN.

Americans trust in themselves more than in technology

The survey reveals that Americans tend to rely more on their behavior online to protect themselves from cybersecurity threats in public places rather than technology. 45% of respondents claim that they avoid entering or accessing sensitive information when they are connected to public Wi-Fi. At the same time, 42% of respondents go only to safe websites, and 35% verify if the public Wi-Fi is legitimate before joining.

Regarding the usage of cybersecurity and privacy tools, the numbers are more modest. Only 27% of Americans use a VPN service, and 33% choose antivirus software. While a VPN is a more popular solution among younger generations, older generations tend to trust antivirus software.

“Cybersecurity literacy is important, and it is great that internet users avoid entering or accessing sensitive information, like banking accounts, clicking on pop-ups, or going to suspicious websites. But a human mistake is an important factor in cybersecurity and even experts do…


Sixth Member of International Hacking Community Sentenced in SIM Card Scheme


A U.S. court sentenced a member of an international hacking organization to 10 months in prison along with heavy fines in connection with a multi-million dollar hacking scheme.

The perpetrator, Garrett Endicott, 22, of Warrensburg, Mo., pleaded guilty to cyber crimes affiliated with a large-scale SIM hijacking plot, acting U.S. Attorney Saima Mohsin confirmed on Tuesday. Endicott is the sixth and final defendant to be tried in connection with an international hacking group known as The Community.

Members of The Community are known to engage in SIM hijacking or SIM swapping, which is an identity theft technique rooted in exploiting cell phone numbers. The group’s objective is to steal cryptocurrency from victims nationwide, with incidents spanning California, Missouri, Michigan, Utah, Texas, New York and Illinois.

SIM hijacking is usually carried out by bribing an employee of a cell phone provider to gain access to certain phone numbers. In other instances, members of the group contacted a cellular service provider pretending to be a victim and requested that a phone number registered to another user be switched to a separate SIM card, effectively stealing the number and cell phone account.

From here, the hackers can access sensitive personal information, such as email addresses and financial criteria. Cryptocurrency exchange account information is of particular interest to hackers within The Community. With access to the victims’ cell phone numbers, The Community could get past stronger security measures such as two-factor authentication.

In total, law enforcement officials estimate that the range of cryptocurrency theft value stands at over $9 million among sentenced defendants. 

“The actions of these defendants resulted in the loss of millions of dollars to the victims, some of whom lost their entire retirement savings,” Mohsin said.  “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”

Endicott was ordered to pay $121,549.37 in restitution fees. 

Other defendants convicted in association with The Community’s SIM hijacking schemes were based in Florida, South Carolina,…


Google fixes sixth Chrome zero-day exploited in the wild this year



Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > ‘About Google Chrome’.

Google updated to version 91.0.4472.10

Six Chrome zero-days exploited in the wild in 2021

Few details regarding today’s fixed zero-day vulnerability are currently available other than that it is a type confusion bug in V8, Google’s open-source C++ WebAssembly and JavaScript engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google states that they are “aware that an exploit for CVE-2021-30551 exists in the wild.”

Shane Huntley, Director of Google’s Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.

Today’s update fixes Google Chrome’s sixth zero-day exploited in attacks this year, with the other five listed below:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021 

In addition to these vulnerabilities, news broke yesterday of a threat actor group known as Puzzlemaker that is chaining together Google Chrome zero-day bugs to escape the browser’s sandbox and install malware in Windows.

“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.

Microsoft…


The Sixth Circuit Also Makes A Mess Of Section 230 And Good Internet Policy

Yesterday we wrote about a bad Section 230 decision against Amazon from the Third Circuit. But shortly before it came out the Sixth Circuit had issued its own decision determining that Section 230 could not protect Amazon from another products liability case. But not for the same reason.

First, the bad facts, which may even be worse: the plaintiffs had bought a hoverboard via Amazon, and it burned their house down (and while two of their kids were in it). So they sued Amazon, as well as the vendor who had sold the product.

From a Section 230 perspective, this case isn’t quite as bad as the Third Circuit Oberdorf decision. Significantly, unlike the Third Circuit, which found Amazon to be a “seller” under Pennsylvania law, here the Sixth Circuit did not find that Amazon qualified as a “seller” under the applicable Tennessee state law. [p. 12-13] This difference illustrates why the pre-emption provision of Section 230 is so important. Internet platforms offer their services across state lines, but state laws can vary significantly. If their Section 230 protection could end at each state border it would not be useful protection.

But although this case turned out differently than the Third Circuit case and the Ninth Circuit’s decision in HomeAway v. City of Santa Monica, it channeled another unfortunate Ninth Circuit decision: Barnes v. Yahoo. In Barnes Yahoo was protected by Section 230 from liability in a wrongful user post. After all, it was not the party that had created the wrongful content. Because it couldn’t be held liable for it, it also couldn’t be forced to take it down. But Yahoo had offered to take the post down anyway. It was a gratuitous offer, one it didn’t have to make. But, per the Ninth Circuit, once having made it, Section 230 provided no more protection from liability arising from how Yahoo fulfilled that promise.

Which may, on the surface, sound reasonable, except consider the result: now platforms don’t offer to take posts down. It just doesn’t pay to try to be so user-friendly, because if the platform can’t get things exactly right on that front, they can be sued since, per the Ninth Circuit, Section 230 ceases to provide any protection. (And even if the platform might not ultimately face liability, it would still have to face an expensive lawsuit to get there.) So thanks to this case the Ninth Circuit ended up chilling platform behavior that we would have been better off instead encouraging to get more of. It may have won the battle for this person (their lawsuit could proceed) but it lost the war for the rest of the public.

This case from the Sixth Circuit presents a similar problem. Amazon did not have to do anything with respect to hoverboard sales, but it created liability problems for itself when it tried to anyway. Eventually it banned them, but more at issue is that it sent an email to purchasers indicating that there had been reports of problems with them:

“There have been news reports of safety issues involving products like the one you purchased that contain rechargeable lithium-ion batteries. As a precaution, we want to share with you some additional information about lithium-ion batteries and safety tips for using products that contain them.” The email included a link for the “information and safety tips,” a link “to initiate a return,” and a request that the recipient “pass along this information” to the proper person if the hoverboard was purchased for someone else. [p. 5]

The plaintiffs argued that the email Amazon sent was not enough of a warning and that it should have been more clear about the fire hazard. [p. 6] The Sixth Circuit did not decide whether it was adequate or not. What it did decide, however, was that Section 230 was no obstacle to the litigation continuing to explore that question.

Tennessee tort law provides that an individual can assume a duty to act, and thereby become subject to the duty of acting reasonably.

[…]

In this case, Plaintiffs allege that Defendant gratuitously undertook to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email, that Defendant was negligent in that undertaking, and that Defendant’s negligence caused them harm. The district court held that § 324A was inapplicable to Plaintiffs’ claims because it “contemplate[d] liability to third parties.” (RE 161, PageID # 2221–22.) And the district court also held that Plaintiffs forfeited any § 323 claim. The first holding was erroneous, and the second we need not address.

[…]

Plaintiffs argue that Defendant undertook to warn Plaintiff Megan Fox when it sent her the December 12, 2015 email, and that Defendant’s negligent warning caused physical harm to the other members of her family. Accordingly, while Defendant’s liability to Plaintiff Megan Fox is properly governed by § 323, Defendant’s liability to the other members of her family is properly governed by § 324A. See Grogan, 535 S.W.3d at 872–73. Thus, the district court’s holding that § 324A was inapplicable to Plaintiffs’ Tennessee tort law claim was erroneous.

Applying § 324A to the facts of this case, Defendant chose to send the December 12, 2015 email to Plaintiff Megan Fox, and in doing so plainly sought to warn her of the dangers posed by the hoverboard.

[…]

Thus, we hold that Defendant assumed a duty to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email. [p. 13-16]

The decision’s explanation of how tort law works is not striking. The problem is that all sorts of state tort law could reach the Internet, and strangle it, if state tort law could reach platforms. And here is a court saying it can, despite the existence of Section 230 generally saying that it can’t.

In a way, though, this case is much less dire for the Internet than some of the other cases we’ve discussed, like Oberdorf, HomeAway, and the Court of Appeals ruling in Armslist. Platforms can still avoid liability. But they will avoid it by curtailing the sort of beneficial activity Section 230 normally wants to encourage. In letting these state law tort claims go forward the decision reads as a big warning sign for platforms not to bother trying to help their users in similar ways. Amazon did not have to send an email, but by trying to reach out to users anyway it tempted trouble for itself it could have avoided if it had instead done nothing.

But if that fact doesn’t pull at the heartstrings, remember that the precedent will apply to any other platform, no matter how small. The moral of this story is that it is much safer for all platforms to do nothing than to try to do something. If trying to be helpful to users causes platforms to pick up duties that they otherwise would not have had and face liability for not fulfilling them well enough, they won’t. They will be discouraged from trying, even though the public would be much better off if they were instead encouraged to continue these efforts. Curtailing Section 230 to allow state tort law to reach platforms now means that instead of getting more of the user-friendly behavior Section 230 tried to encourage, we will now get less.


Techdirt.