FlashRouters Privacy News Center
Stay informed with timely updates and insights about network security and privacy.
October 1, 2021

Congress Considers Creating Privacy Bureau at FTC
In a Senate hearing Wednesday, consumer privacy advocates said that Congress should pass new sweeping laws and policies to protect against data breaches, unwanted data collection, and identity theft. Back in September, Democrats included $1 billion for the FTC in a proposed spending bill to fund a new bureau overseeing “unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses, and related matters.”
However, Republicans say that throwing money at the issue won’t solve the problem, and that bipartisan legislation is needed. Senator Roger Wicker, R-Miss., said that fixing the problem any other way would “create significant regulatory uncertainty for businesses and confuse consumers.” We will continue to monitor progress on this issue.
September 28, 2021

Expiring Certificates May Cause Devices to Lose Internet Connectivity
A widely used digital certificate that verifies secure internet connections is set to expire on September 30th, leaving millions of older devices, such as smart TVs, phones, and video game consoles, at risk. Updates to address this issue are available, but if they are not implemented before the 30th, devices may have permanent connectivity issues.
The certificate in question is called DST Root CA X3, which cross-signs the even more commonly used ISRG Root X1 certificate. Root certificates are considered a backbone of encrypted web usage, and their expiration could lead to entire chains of certificates failing, wreaking havoc across the internet.
September 23, 2021

Serious Security Vulnerability Found in 11 Routers Related to Parental Control Software
In a blog post published this week, researchers at security firm GRIMM outlined a flaw found on at least 11 popular Netgear routers, including the R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7850, R7900, R8000, and RS400. The vulnerability allows hackers to launch a man-in-the-middle attack and remotely take over a user’s network.
According to GRIMM’s research, the flaw is related to parental-control software from Circle Media Labs. The Circle parental controls feature is an optional service that users need to activate. However, the software that runs and updates it comes pre-programmed into the router. In other words, the flaw affects anyone running standard Netgear router firmware.
While Netgear released emergency patches for the issue on the models listed above, we can flash your router to an alternative firmware that includes many extra security features and fixes this vulnerability.
September 21, 2021

Governments Control Online Information
Internet censorship continues globally, as governments around the world have restricted their citizens’ access to information and tools. While Russians went to vote on Friday, Putin’s government threatened Google and Apple employees with prosecution if they did not block the Navalny app. The app had been used to distribute voting information to supporters of the opposition candidate. After the app was blocked, organizers attempted to disseminate information through Telegram, which also terminated their account.
Elsewhere, the Chinese government has effectively erased the online presence of actress Zhao Wei, who had over 86 million followers on Weibo, overnight. Hers is not the first such case, as the government has been attempting to censor other online celebrities and business leaders, as well as any content seen as negatively portraying its economy.
September 9, 2021

WhatsApp Might Not Be As Secure As You Think
Though WhatsApp advertises its messaging protocol as secured by end-to-end encryption, it can sometimes still read your messages. If you report someone else’s comments, recent conversations between you and that person will be shown to WhatsApp moderators. Though the company claims this is to provide context for the report, it still raises questions.
Originally, ProPublica had reported that WhatsApp broke end-to-end encryption and could read all of your messages. While they now say that their wording led to confusion, it doesn’t change the fact that not every message you send on WhatsApp is hidden from prying eyes. If you’re worried, there are some WhatsApp alternatives out there. Unfortunately, they are not nearly as widely used, so your contact list may be limited!
September 2, 2021

Locast Suspends All Operations
“Non-profit” streaming service Locast has suspended operations after losing a copyright infringement lawsuit brought by NBC, ABC, Fox, and CBS. While Locast offered free streams of local network channels in multiple markets, these streams would cut out after 15 minutes unless users “donated” $5 per month. The ruling rejected Locast’s claims that it could legally operate under a 1976 law which allowed “secondary transmissions by nonprofit organizations if they receive no ‘commercial advantage’ and do not charge users anything more than what’s necessary to defray…costs of maintaining and operating” the service.
Because Locast used revenues to expand into new markets, and not just to maintain and operate the service, its defense was considered invalid. While many thought that Locast would continue operations while it appealed the decision, it instead suspended both its free and paid service. It is possible that Locast will change the way it operates, either by not charging or by obtaining retransmission licenses; however, it is also possible that it may just disappear forever.
August 26, 2021

ISPs Sell Netflow Data Allowing Users To Be Tracked Across the Internet
Despite claiming not to, ISPs are still at it, selling your data. Using netflow data, ISPs are able to sell traffic information that can track users across the internet, even through VPN connections. Of course, the end data would have already been identified and unencrypted, so not everything is up for grabs.
Netflow data allows insight into what is occurring on the internet as a whole, instead of just a single ISP’s network. As such, this is how data can be tracked back to specific users. Thankfully, this means that eavesdroppers will have to parse through huge amounts of data just to make a dent. Moreover, using a VPN is still the best way to keep your information private.
August 20, 2021

Cloudflare Mitigates Largest DDoS Attack Ever
Internet infrastructure giant Cloudflare has disclosed that it mitigated an unprecedented volumetric DDoS attack. Attackers used a Mirai botnet to send over 17.2 million requests per second in an effort to take down the website of one of Cloudflare’s financial clients. In all, over 330 million HTTP requests were made, resulting in an attack three times larger than any previous one.
Botnets are formed when malware infects improperly secured devices, ranging from IoT appliances like thermostats & doorbells to phones & laptops. Thankfully, most malware can be stopped and networks secured using a VPN-enabled FlashRouter. Cloudflare said that over 20,000 devices were involved in the botnet attack.
August 18, 2021

Data Thieves Target 49 Million T-Mobile Customers
T-Mobile says that 49 million people had their data stolen by hackers recently. Of those, 7.9 million were current customers, while the rest were former or possible future customers. Furthermore, neither the hackers nor T-Mobile say if credit card info was leaked.
In an effort to help victims, T-Mobile is offering 2 years of free identity protection services from McAfee through their ID Theft Protection Service. News of the data theft came to light when hackers offered the information for sale this weekend for 6 bitcoins. Still, T-Mobile has not informed the public when the leak actually occurred.
August 12, 2021

Hackers Attack Flaw on Millions of IoT Devices and Routers
A recently disclosed zero-day has been the target of cyber criminals from China. Devices using the same code base from at least 17 different manufacturers are being exploited via a path traversal vulnerability. First disclosed on August 3rd, researchers discovered only two days later that hackers were already trying to infiltrate systems.
As most companies do not have policies to make firmware updates on a timely basis, hackers have been given free rein to implement the Mirai malware on affected devices. Deploying it on millions of devices gives the attackers easy access to a botnet that can create DDoS attacks at will.
August 3, 2021

Zoom Settles on $85 Million In Privacy and Zoombombing Lawsuit
Following accusations of sharing personal user data with Google, Facebook, and LinkedIn, Zoom has agreed to pay $85 million. In addition, they will also enact better security practices, including employee training on privacy and data handling.
The settlement also addressed the security flaws that were exploited when they allowed ‘Zoombombing’ to occur early in the pandemic. Unauthorized persons infiltrated Zoom meetings, caused disruptions, and presented inappropriate material to all attendees. The company claims that “The privacy and security of our users are top priorities for [us].” Members of the class action should receive $25 or $15, in exchange for their privacy.
July 20, 2021

Massive Data Leak Alleges Governments Spied on Opponents
Authoritarian governments have allegedly used spyware sold by an Israeli surveillance company to target journalists, human rights activists, and lawyers worldwide. According to a data leak, the NSO Group made malware called Pegasus that infects Android devices and iPhones, allowing access to messages, photos, and emails. The software also allowed users to record phone calls and covertly activate microphones.
Multiple governments, including Azerbaijan, Morocco, Rwanda, Saudi Arabia, Hungary, India, the UAE, and Mexico are implicated in targeting people for surveillance. While NSO claims that it only sells to military, law enforcement, and intelligence agencies from vetted countries, it appears that those targeted are pro-democracy activists, political opponents, and those investigating corruption.
July 13, 2021

Tencent Uses Facial Recognition to Stop Overnight Gaming
Tencent has started using facial recognition in an attempt to combat video game addiction in China. Users will be booted from games if they fail a facial scan to prove they are over 18 between the hours of 10 p.m. and 8 a.m. The company claims their rules are within regulations of the Chinese government.
Bringing facial scanning requirements into the home is a huge privacy invasion, and it also exposes users’ personal information to security leaks. Additionally, these measures can further assist the Chinese government in monitoring its citizens for whatever reasons it likes, even within their own homes. If you’re unsure who Tencent is, they have a stake of over 48% in Epic Games, the company that created Fortnite.
July 8, 2021

Zyxel VPN & Firewall Targeted by Threat Actors
Zyxel has made its customers aware that its services have been the subject of remote access attempts. While the attacker has not gotten through, it was clearly enough for the company to warn its users about, which is saying something. Zyxel has gone on to urge all customers to “maintain a proper security policy for remote access” to try to ward off the threat.
Were the hacker to get through, they could bypass authentication protocols and connect to unknown accounts in devices through WAN. Always remember to use a reputable VPN service, such as ExpressVPN, Nord, or IPVanish to maintain the best network security.
July 5, 2021

Supply Chain Ransomware Attackers Ask For $70 Million
A massive ransomware attack occurred over the weekend as hackers targeted Kaseya, a software provider that offers IT services to medium and small-sized businesses. Companies around the world found themselves victims as the REvil hacking group asked for at least $70 million total from the affected organizations, with some requests as low as $45,000.
By infecting the network-management package from Kaseya, the attack was spread through cloud-service providers to unsuspecting companies. Many in the U.S. were short-staffed over the holiday weekend, making the infection harder to contain. President Joe Biden says that if the Russian government is involved, the U.S. will respond.