CafePress Users Are Latest To Have Information Breached

Hardly a week goes by that we don’t see another major data breach making the headlines. The latest company to fall victim to hackers is CafePress. They are well-known on the internet for offering a platform where users can create their own customized coffee mugs, tee shirts and the like. The company didn’t make a formal announcement about the breach, and users only became aware of it when they started getting notifications from Troy Hunt’s “Have I Been Pwned” service. Once word started leaking out, Hunt joined forces with security researcher Jim Scott, who had worked with Hunt in the past tracking down other data breaches. Working together, they discovered a de-hashed CafePress database containing nearly half a million accounts was being sold on black hat forums. The researchers could not confirm, however, whether these records were related to the most recent breach or to some previous one. In any case, as they probed more deeply, they discovered that the company was actually hacked back in February of this year (2019), and that it was a significant breach. That breach exposed more than 23 million user records. Based on their findings, the hack exposed email addresses, names, passwords, phone numbers and physical locations. To date, CafePress has not made a formal announcement about the matter, nor acknowledged the breach in any way. That said, if you are a CafePress user, you will be forced to reset your password the next time you log on. While that’s a good step, it’s completely at odds with the company’s clumsy handling of the issue. Password resets are not breach disclosures and notifications, and shouldn’t...
Apple Will Stop Listening To Siri Recordings For Now

Not long ago, both Google and Apple found themselves in hot water when it came to light that both companies had been making use of third-party partners to review Siri recordings. As the companies explained at the time, their goal was to make their voice recognition software more efficient and more effective. After finding themselves at the center of a controversy over it, Apple has announced that they have formally suspended the program worldwide while they conduct a review. A company spokesman had this to say: “We are committed to delivering a great Siri experience while protecting user privacy. While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading.” In a similar vein, Google announced that it was putting its evaluation program on hold, in Europe only, for three months. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, had this to say with regard to Google’s current policy and a possible conflict with Europe’s GDPR data-protection laws: “The use of language-assistance systems in the EU must follow the data-protection requirements of the GDPR. In the case of the Google Assistant, there are currently significant doubts. The use of language-assistance systems must be done in a transparent way, so that an informed consent of the users is possible. In particular, this involves providing sufficient information and transparently informing those affected about the processing of voice commands, but also about the frequency and risks of mal-activation.” Kudos to the EU for making a big enough...
Apple Is Launching Their Own Credit Card Soon

Apple has partnered with Goldman Sachs, and their long-awaited “Apple Card” is beginning to roll out in limited fashion. The card becomes available to all iPhone owners in the United States toward the end of August. According to CEO Tim Cook, a random selection of people who signed up to be notified about the Apple Card are getting an early-access sneak peek. However, the company has been tight-lipped about exactly how many people are being invited into the preview group. If you’re one of the lucky winners, know that the sign-up process will involve upgrading to iOS 12.4 and entering your address, your birthday, income level and the last four digits of your Social Security number. That information is sent on to Goldman Sachs, which will approve or deny your credit application in real time and in under a minute. Note that part of the approval process also involves a TransUnion credit check, so if you have your credit file locked (frozen), you’ll need to unlock it (at least long enough to get approval). Once you’ve been approved, your card will show up in your Apple Wallet immediately and be available for use. If you want one, you can request a physical card from Apple for free during the setup and it will arrive in the mail in a few days. The cool thing about the physical card is the fact that it has an NFC tag on it, so you can activate it simply by tapping the phone against it. Also note that you’ll have three different credit card numbers associated with your Apple Card: The number assigned to your phone The...
Update Your iPhone To Avoid Latest iMessage Security Vulnerability

If you own an iPhone, be aware that a new iMessage vulnerability has recently been found and patched by Apple. The fix was part of the iOS 12.4 update. The flaw allowed hackers to remotely access and read the contents of files stored on iOS devices. They could access files the same way as the device owner, outside of any sandbox, with no user interaction needed. The issue was discovered by Natalie Silvanovich, who is a security researcher with Google’s Project Zero. As a proof of concept, she created a demo that only works on devices running iOS 12 or later. She describes it as “a simple example to demonstrate the reachability of the class in Springboard. The actual consequences of the bug are likely more serious.” In describing the issue itself, Silvanovich had this to say: “First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.” As mentioned, this bug has already been patched, along with two other iMessage vulnerabilities that Silvanovich recently discovered. All of them...
Security Issue Found In Multiple Devices Is Called ‘Urgent 11’

Let’s take a little time to talk about the vast numbers of smart devices in use around the world. You probably have several in your home or office. Smart devices need operating systems, just like your phone and your PC. Of course, the operating systems on these devices must be much smaller and more compact. After all, they don’t really need to do a lot of computing, and they don’t need a GUI, so the code tends to be on the lean side. The odds are excellent that you’ve never even heard of most of the IoT’s operating systems, nor of the companies that make them. Take VxWorks by a company called Wind River, for example. It’s the most popular Real Time Operating System (RTOS), used in a wide range of smart devices today. These systems don’t get a lot of attention or oversight because almost nobody has heard of them. That’s beginning to change, however. Recently, security researchers disclosed the details of “Urgent 11”, a set of 11 vulnerabilities found in VxWorks that can be used by hackers to take control of a variety of devices. These devices range from medical systems to printers, industrial equipment, routers, and more. The company has been in existence for 32 years. Yet, in that time, only 13 security flaws with a MITRE-assigned CVE have been found in the VxWorks RTOS, because, again, nobody’s paying attention. The good news is that when someone finally started paying attention, Wind River responded quickly and resolved all eleven of the security flaws, issuing a patch to correct them. There’s just one rather significant catch, however. The company is claiming that...