Are You Having A Technology Emergency?

True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak

Google Project Zero is a team of highly talented security analysts with a brief to uncover zero-day vulnerabilities. If a vulnerability is found, Project Zero reports to the vendor concerned and starts a 90-day countdown for a fix to be issued before full public disclosure is made. LastPass is also in the security business, being one of the most popular password management solutions with more than 16 million users, including 58,000 businesses. Project Zero has just disclosed that a security vulnerability left some of those 16 million users exposed to the risk of credential compromise as, in an ironic twist, LastPass could leak the last password used to any website visited.

Google Project Zero analyst Tavis Ormandy stated that "LastPass could leak the last used credentials due to a cache not being updated," adding "this was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!"

Ormandy reported the vulnerability on August 29, as Project Zero" style="box-sizing: border-box; background-color: transparent; cursor: pointer; color: rgb(0, 56, 145); text-decoration: none; -webkit-tap-highlight-color: rgba(0, 0, 0, 0);">issue 1930, which showed how the credentials previously filled by LastPass could be exposed to any website under certain circumstances.

Ferenc Kun, the security engineering manager for LastPass at LogMeIn, which owns LastPass, said in an" style="box-sizing: border-box; background-color: transparent; cursor: pointer; color: rgb(0, 56, 145); text-decoration: none; -webkit-tap-highlight-color: rgba(0, 0, 0, 0);">online statement that this "limited set of circumstances on specific browser extensions" could potentially enable the attack scenario described.

"To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," Kun said, "any potential exposure due to the bug was limited to specific browsers (Chrome and Opera.)"

The answer, thankfully, is nothing. LastPass has already patched the vulnerability, and the fix was comprehensively verified with Project Zero. Indeed, the fix was rolled out on September 13, and Kun confirmed that "we have now resolved this bug; no user action is required and your LastPass browser extension will update automatically."

As a precaution, the LastPass update was deployed to all web browsers and not just Chrome and Opera.

Let's deal with the last part of that question first; there's absolutely no reason to stop using LastPass or your preferred password manager for that matter. "Although password managers like any other software have flaws, the benefits of using one far outweigh the risks," says ethical hacker John Opdenakker. "It’s far more likely that your accounts will get compromised by attacks that exploit poor passwords," Opdenakker says, "such as through credential reuse, than by attacks against password managers themselves."

OK, so how serious was this particular vulnerability? It certainly sounds serious enough, right? Tavis Ormandy at Project Zero allocated the vulnerability a "high" severity rating. Opdenakker isn't so sure it merits that. "I think it's most important that LastPass fixed this bug, which is certainly not a critical one, within a reasonable amount of time," Opdenakker says, "it's debatable whether it's high or medium because, as Ormandy says, it doesn't work for all URLs."

Ferenc Kun said that LastPass continues to recommend the following best practices for added online security:

  • Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Always enable Multi-Factor Authentication (MFA) for LastPass and other services like your bank, email, Twitter, Facebook, etc.
  • Never reuse your LastPass master password and never disclose it to anyone, including us.
  • Use different, unique passwords for every online account.
  • Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.




Continue reading

Google Is Fined $170 Million for Violating Children’s Privacy on YouTube


Google agreed on Wednesday to pay a record $170 million fine and make changes to protect children’s privacy on YouTube, as regulators said the video site had knowingly and illegally harvested personal information from children and used it to profit by targeting them with ads.

Critics denounced the agreement, dismissing the fine as paltry and the required changes as inadequate for protecting children’s privacy.

The penalty and changes were part of a settlement with the Federal Trade Commission and New York’s attorney general, which had accused YouTube of violating the federal Children’s Online Privacy Protection Act, or COPPA.

Regulators said that YouTube, which is owned by Google, had illegally gathered children’s data — including identification codes used to track web browsing over time — without their parents’ consent.

The site also marketed itself to advertisers as a top destination for young children, even as it told some advertising firms that they did not have to comply with the children’s privacy law because YouTube did not have viewers under 13. YouTube then made millions of dollars by using the information harvested from children to target them with ads, regulators said.

To settle the charges, YouTube agreed to the $170 million penalty, with $136 million going to the trade commission and $34 million to New York State. It is the largest civil penalty ever obtained by the commission in a children’s privacy case, dwarfing the previous record fine of $5.7 million against the owner of the social video-sharing app TikTok this year.

Under the settlement, which the F.T.C. approved in a 3-to-2 vote, YouTube also agreed to create a system that asks video channel owners to identify the children’s content they post so that targeted ads are not placed in such videos. YouTube must also obtain consent from parents before collecting or sharing personal details like a child’s name or photos, regulators said.

The move is the latest enforcement action taken by regulators in the United States against technology companies for violating users’ privacy, indicating the Trump administration’s willingness to aggressively pursue the powerful corporations. It follows a $5 billion privacy settlement between the trade commission and Facebook in July over how the company collected and handled user data.

But critics of the settlement, including Senator Edward J. Markey, Democrat of Massachusetts, described the $170 million penalty as a slap on the wrist for one of the world’s richest companies.

“The F.T.C. let Google off the hook with a drop-in-the-bucket fine and a set of new requirements that fall well short of what is needed to turn YouTube into a safe and healthy place for kids,” Mr. Markey said in a statement.

Children’s advocates who lodged their own privacy complaint against YouTube with the F.T.C. last year said that Google had simply agreed to abide by a children’s privacy law it was already obligated to comply with. COPPA prohibits operators of online services from collecting personal data, like home addresses, from children under 13 without a parent’s verifiable permission.

“Merely requiring Google to follow the law, that’s a meaningless sanction,” said Jeffrey Chester, the executive director of the Center for Digital Democracy, a nonprofit group whose efforts in the 1990s helped lead to the passage of the children’s privacy law. “It’s the equivalent of a cop pulling somebody over for speeding at 110 miles an hour, and they get off with a warning.”

The agreement split the trade commission along partisan lines, with the agency’s three Republican commissioners voting to approve it and the two Democratic commissioners dissenting.

In a statement, two of the Republican commissioners, Joseph J. Simons, the agency’s chairman, and Christine S. Wilson, said that the settlement “achieves a significant victory for the millions of parents whose children watch child-directed content on YouTube.” They said it was the first time a platform would have to ask its content producers to identify themselves as creators of children’s material.

The agreement, they added, “sends a strong message to children’s content providers and to platforms about their obligation to comply with the COPPA rule.”

Although the settlement prohibits YouTube and Google from using or sharing children’s data they have already obtained, Rohit Chopra, a Democratic commissioner, said that it did not hold company executives personally accountable for illegal mining of children’s data. The other Democratic commissioner, Rebecca Kelly Slaughter, said that the agreement did not go far enough by requiring YouTube itself to proactively identify children’s videos on its platform.

“No individual accountability, insufficient remedies to address the company’s financial incentives and a fine that still allows the company to profit from its lawbreaking,” Mr. Chopra wrote in his dissent. “The terms of the settlement were not even significant enough to make Google issue a warning to its investors.”

COPPA, the strongest federal consumer privacy statute in the United States, gives the trade commission the authority to level fines of up to $42,530 for each violation.

Noah Phillips, a Republican member of the commission, argued that Congress should give the agency more guidance about how to levy fines.

In a blog post on Wednesday about the settlement, YouTube’s chief executive, Susan Wojcicki, said that “nothing is more important than protecting kids and their privacy.” She added, “From its earliest days, YouTube has been a site for people over 13, but with a boom in family content and the rise of shared devices, the likelihood of children watching without supervision has increased.”

YouTube said that not only had it agreed to stop placing targeted ads on children’s videos, it would also stop gathering personal data about anyone who watched such videos, even if the company believed that the viewer was an adult. The company also said it would eliminate features on children’s videos, like comments and notifications, that involved the use of personal data.

In addition to relying on reports from video creators, Ms. Wojcicki said that YouTube planned to use artificial intelligence to try to identify content that targeted young audiences, like videos featuring children’s toys, games or characters.

Under the settlement, YouTube must adopt the changes by early next year.

The privacy case against YouTube began in 2016 after the New York attorney general’s office, which has been active in enforcing the federal children’s privacy law in the state, notified the trade commission about apparent violations of the law on the site.

“Google and YouTube knowingly and illegally monitored, tracked and served targeted ads to young children just to keep advertising dollars rolling in,” Letitia James, New York’s attorney general, said in a statement on Wednesday. “These companies put children at risk and abused their power.”

Google has been forced to deal with privacy violations repeatedly in recent years. The company is subject to a 20-year federal consent order signed in 2011 for deceptive data-mining related to Buzz, a now-defunct social network. The order required Google to establish a comprehensive privacy program and prohibited it from misrepresenting how it handles personal data.

In 2012, Google agreed to pay $22.5 million to settle trade commission charges that it had violated the 2011 order by deceiving users of Apple’s Safari browser about its data-mining practices.

The company is also the subject of a lawsuit brought by Hector Balderas, New Mexico’s attorney general, over accusations that it violated children’s privacy. The suit says the company failed to ensure that children’s apps available through its Google Play store complied with the children’s privacy law. Google has asked that the case be dismissed.

The settlement on Wednesday is likely to have implications beyond YouTube. The changes required under the agreement could limit how much video makers earn on the platform because while they still make money on some kinds of ads on children’s videos, they no longer be able to profit from ads targeted at children.

To offset some of the expected losses, YouTube said it would funnel $100 million to creators of children’s content over the next three years. It said it would also heavily promote YouTube Kids, its child-focused app, to shift parents away from using the main YouTube app when allowing their children to watch videos.

The crackdown on creators of children’s content could make it financially difficult to produce such videos, said Maureen Ohlhausen, a former acting chairwoman of the trade commission.

“There is a lot of free content available for children,” she said. “You want to be sure that you don’t kill the goose that lays the golden egg.”


Continue reading

Facebook Accidentally Leaks Phone Numbers of 419 Million Users


The phone numbers of hundreds of millions of Facebook users have been discovered online in the latest major data breach for the social network.

A security researcher found 419 million records on an unsecured server, meaning no password was needed to access them.

A total of 18 million were from" users in the UK, while around 133 million were from American accounts. 

The records contained not only the users’ phone numbers but also their Facebook identification, which can be used to discern a person’s Facebook username.

Some records included the person's gender and location details, according Sanyam Jain, the security researcher who first reported the database to the TechCrunch website.

Security experts said a succession of previous Facebook data breaches should not detract from the severity of the latest scandal.

“With 419 million phone numbers exposed, the volume of this data leak is huge,” Richard Walters, chief technology officer of Censornet, told The Independent. “These details provide cyber criminals with a head start for carrying out fraudulent activity and identity theft... It is unacceptable for companies to suffer data leaks in this way. Once again, Facebook has let its users down.”

One way the phone numbers could be exploited is through so-called SIM-swap attacks, whereby hackers intercept passcodes sent to the numbers for two-factor authentication logins.

This would allow them to break into the personal accounts of Facebook users and view private messages or hijack the user’s posts. They could also intercept one time passcodes to break into any number of personal accounts.

Facebook users whose numbers were exposed will also be vulnerable to spam calls, while one security researcher warned that hackers could actually use the data to hijack someone’s phone.

“In terms of the damage that could be done – the more a hacker knows about you the more powerful they are,” Dmitry Kurbatov, CTO of Positive Technologies, told The Independent.

“For instance, if he has information like name, surname, phone number, birth date, id number – this would probably be enough impersonate you to your mobile carrier. Then he can ask to setup call and SMS forwarding, or to swap the SIM. Essentially from there the number is hijacked.”

Facebook said the phone numbers have now been taken down and claims there is no evidence that any accounts were compromised with SIM-swapping attacks.

“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson said. “The underlying issue was addressed as part of a Newsroom post on 4 April 2018 by Facebook’s chief technology officer.”



Continue reading

Taking Health Care Out of the Ransomware Hot Seat

For the second straight year, ransomware attacks accounted for over 70% of all malware incidents in the healthcare sector, according to the “2019 Verizon Breach Investigations Report.” Beazley reported that almost half of the ransomware incidents reported in 2018 involved healthcare companies, while CSO Online estimates that healthcare-related malware attacks will likely quadruple by 2020.

Adding salt to the wounds, a private practice in Battle Creek, Michigan, was forced to close its doors in the aftermath of a devastating healthcare ransomware attack in 2019—the first public report of a ransomware-related business failure.


Being in the ransomware hot seat is a lot to swallow for an industry responsible for the security of our most sensitive data. And therein lies part of the problem. Cybercriminals are always after the most lucrative targets and they have learned that healthcare providers are more likely to pay the ransom to get their patients’ data back.

CEO of A1care, Percy Syddall, a 25-year healthcare veteran who helps grow and manage businesses in the home care field, is sharing his story to help others avoid the business disruption and financial woes caused by cybercriminals. “I always strive to do what is best for my clients, which includes leveraging innovative technologies and maintaining the privacy of their personal data,” he said. “Still, our company was attacked by ransomware, which almost forced us out of business. The cybercriminals threatened to expose private client data if we did not pay the ransom.

“The hardest thing I’ve ever had to do was call each client and explain that the personal information they trusted my business to protect, may have been compromised,” he continued. “At that time, very little was known about ransomware and I ended up paying the ransom to get my client data back.”

Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records that take time to acquire and commoditize, ransomware locks healthcare professionals out of critical systems and demands payment or immediate action.

Although ransomware has been around more than 10 years, its recent rise in health care is significant as physicians become more dependent on critical, real-time patient data such as scheduling, lab results and pharmacy orders.

Without access to computerized patient data, many hospitals and clinics are frozen in their tracks. Unlike other industries where access to data is not always time-critical, being locked out of patient data can be life-threatening. Data criticality and limited cybersecurity programs make health care a prime target for ransomware, and this risk will continue to increase.

Ransomware on the Rise

A recent survey carried out by the University of Kent found that 41% of respondents hit by this type of malware paid the ransom. Each payment encourages a future generation of attackers. Ransomware takes less time and effort compared to stealing medical records, so the cost versus benefit is favorable for cybercriminals.

Another reason health care is a favorite ransomware target is that many within the industry are using out-of-date systems and applications, and most struggle with asset management, vulnerability management and patch management due to tight budgets and limited information security resources. Easy targets make good targets.

Light at the End of the Tunnel

While it may seem all doom and gloom for an industry that faces so many IT and privacy challenges, there are signs that indicate healthcare organizations are taking the challenge seriously and doing everything within their power to turn the tides.

In several recently reported breaches involving ransomware attacks, providers recovered without paying a ransom to extortionists. This offers a glimmer of hope that healthcare organizations can defend themselves adequately against such incidents.

In Syddall’s situation, he was able to take a proactive stance against ransomware using the advice he gained from a company that specializes in helping SMBs make the most of their information security budget and resources. Being aware of the threats and taking the appropriate actions is key to putting a lid on increasingly sophisticated forms of cyberattacks. While there are no silver-bullet solutions, taking a layered approach to cybersecurity can pay dividends.

“Having a knowledgeable security advisor helped me sort through a jungle of suggestions and products being pushed by vendors,” he said. “This allowed us to develop an innovative strategy that I felt confident could protect my clients’ data using a layered approach and innovative technologies—all within a budget that is reasonable for a business my size.

“Within a few weeks, I had state-of-the-art ransomware and data protection solutions seamlessly installed and configured throughout our office systems,” he added. “Equally important, A1care was able to continue to run business as normal and provide the best care to clients during installation, which was paramount to our success and reputation.”

Syddall’s statements echo the sentiments of many in the industry who just want to focus on helping patients, not triaging ransomware and other cybersecurity emergencies. Getting advice from the right security experts, employing innovative technologies, taking a layered security approach and having appropriate backup procedures are just a few of the steps organizations can take to cure the ransomware epidemic. Equally important is end-user education: Every employee should be aware of proper security protocols.

Broadly speaking, there’s still work to be done in 2019. We’ve seen some small wins, but to take health care out of the ransomware hot seat, it will take a much bigger effort from business and IT leaders in this sector before they can declare any major victories.


Continue reading

Cybercriminals Impersonate Chief Exec's Voice with AI Software


This didn’t take nearly as long as I thought it would to be used for nefarious purposes. You can’t even believe your own eyes or ears anymore.

Scammers leveraged artificial intelligence software to mimic the voice of a chief executive and successfully request $243,000.

Fraudsters are constantly looking for new ways to scam their victims. One unique case gives the security industry a glimpse of what they could do with artificial intelligence (AI) and voice recording.

As part of an incident in March, an attacker called the CEO of a UK-based energy business pretending to be the head of its German parent company. Analysts believe AI-based software was used to impersonate the chief executive's voice, as it had the slight German accent and other qualities the UK CEO recognized in his boss's voice — qualities that led him to believe the call was legitimate. The caller issued an "urgent" request to the CEO, demanding he transfer $243,000 to a Hungarian supplier within an hour's time.

The transfer went through and the money was later moved to other countries. Scammers continued to contact the UK company and make additional payment requests, according to Euler Hermes, the organization's insurer. However, the CEO grew suspicious and did not transfer the funds.

While this incident is still under investigation, the Wall Street Journal cites officials saying this impersonation attack is the first in which fraudsters "clearly" leveraged AI to mimic someone's voice. It's believed this technology could make it easier for scammers to manipulate enterprise victims, complicating matters for defenders who don't yet have the technology to detect them.


Continue reading