#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Privacy | Breaking Cybersecurity News | The Hacker News

Category — Privacy
U.S. Treasury Sanctions Executives Linked to Intellexa Predator Spyware Operation

U.S. Treasury Sanctions Executives Linked to Intellexa Predator Spyware Operation

Sep 17, 2024 Spyware / Privacy
The U.S. Department of Treasury has imposed fresh sanctions against five executives and one entity with ties to the Intellexa Consortium for their role in the development, operation, and distribution of a commercial spyware called Predator. "The United States will not tolerate the reckless propagation of disruptive technologies that threatens our national security and undermines the privacy and civil liberties of our citizens," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith. "We will continue to hold accountable those that seek to enable the proliferation of exploitative technologies, while also encouraging the responsible development of technologies that align with international standards." The sanctioned individuals and entities are listed below - Felix Bitzios, the beneficial owner of an Intellexa Consortium company that's believed to have supplied Predator to a foreign government client and the
Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure

Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure

Sep 16, 2024 Spyware / Threat Intelligence
Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The development was first reported by The Washington Post on Friday. The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle the rise of commercial spyware, have "substantially weakened" the defendants. "At the same time, unfortunately, other malicious actors have arisen in the commercial spyware industry," the company said. "It is because of this combination of factors that Apple now seeks voluntary dismissal of this case." "While Apple continues to believe in the merits of its claims, it has also determined that proceeding further with this case has the potential to put vital security information at risk." Apple originally filed the lawsuit again
Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Sep 10, 2024SaaS Security / Risk Management
Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers.  Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own instance of GitHub to keep their work separate from other developers. They might justify the purchase by noting that GitHub is an approved application, as it is already in use by other teams. However, since the new instance is used outside of the security team's view, it lacks governance. It may store sensitive corporate data and not have essential protections like MFA enabled, SSO enforced, or it could suffer from weak access controls. These misconfigurations can easily lead to risks like stolen source code and other issues. Types of Shadow Apps  Shadow apps can be categorized based on their interac
Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal Activity

Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal Activity

Sep 06, 2024 Privacy / Data Security
Telegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided. "If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself," Durov said in a 600-word statement on his Telegram account. "Using laws from the pre-smartphone era to charge a CEO with crimes committed by third-parties on the platform he manages is a misguided approach." Durov was charged late last month for enabling various forms of criminal activity on Telegram, including drug trafficking and money laundering, following a probe into an unnamed person's distribution of child sexual abuse material on the messaging service. He also highlighted the struggles to balance both privacy and security, noting that Telegram is ready to exit markets that aren't compatible with its mission to "protect our users in authoritarian regimes." Durov also blamed &q
cyber security

DevOps Security Best Practices

websiteWizDevOps / Secure Coding
Develop securely from code to cloud with this DevOps Security Cheat Sheet from Wiz. Take a deep dive into secure coding, infrastructure security, and vigilant monitoring and response.
French Authorities Charge Telegram CEO with Facilitating Criminal Activities on Platform

French Authorities Charge Telegram CEO with Facilitating Criminal Activities on Platform

Aug 29, 2024 Online Crime / Privacy
French prosecutors on Wednesday formally charged Telegram CEO Pavel Durov with facilitating a litany of criminal activity on the popular messaging platform and placed him under formal investigation following his arrest Saturday. Russian-born Durov, who is also a French citizen, has been charged with being complicit in the spread of child sexual abuse material (CSAM) as well as enabling organized crime, illicit transactions, drug trafficking, and fraud. Durov has also been charged with a "refusal to communicate, at the request of competent authorities, information or documents necessary for carrying out and operating interceptions allowed by law," according to an English translation of the press release. The 39-year-old was detained at Le Bourget airport north of Paris at 8 p.m. local time on Saturday after disembarking from a private jet. To avoid pretrial detention, Durov has been ordered to pay a €5 million bail, but he is barred from leaving the country and must rep
Dutch Regulator Fines Uber €290 Million for GDPR Violations in Data Transfers to U.S.

Dutch Regulator Fines Uber €290 Million for GDPR Violations in Data Transfers to U.S.

Aug 26, 2024 GDPR / Data Protection
The Dutch Data Protection Authority (DPA) has fined Uber a record €290 million ($324 million) for allegedly failing to comply with European Union (E.U.) data protection standards when sending sensitive driver data to the U.S. "The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (U.S.) and failed to appropriately safeguard the data with regard to these transfers," the agency said . The data protection watchdog said the move constitutes a "serious" violation of the General Data Protection Regulation (GDPR). In response, the ride-hailing, courier, and food delivery service has ended the practice. Uber is believed to have collected drivers' sensitive information and retained it on U.S.-based servers for over two years. This included account details and taxi licenses, location data, photos, payment details, and identity documents. In some cases, it also contained criminal and medical data of drivers. The DPA accu
Sonos Speaker Flaws Could Have Let Remote Hackers Eavesdrop on Users

Sonos Speaker Flaws Could Have Let Remote Hackers Eavesdrop on Users

Aug 09, 2024 IoT Security / Wireless Security
Cybersecurity researchers have uncovered weaknesses in Sonos smart speakers that could be exploited by malicious actors to clandestinely eavesdrop on users. The vulnerabilities "led to an entire break in the security of Sonos's secure boot process across a wide range of devices and remotely being able to compromise several devices over the air," NCC Group security researchers Alex Plaskett and Robert Herrera said . Successful exploitation of one of these flaws could allow a remote attacker to obtain covert audio capture from Sonos devices by means of an over-the-air attack. They impact all versions prior to Sonos S2 release 15.9 and Sonos S1 release 11.12, which were shipped in October and November 2023. The findings were presented at Black Hat USA 2024. A description of the two security defects is as follows - CVE-2023-50809 - A vulnerability in the Sonos One Gen 2 Wi-Fi stack that does not properly validate an information element while negotiating a WPA2 four-wa
DoJ and FTC Sue TikTok for Violating Children's Privacy Laws

DoJ and FTC Sue TikTok for Violating Children's Privacy Laws

Aug 03, 2024 Privacy / Data Protection
The U.S. Department of Justice (DoJ), along with the Federal Trade Commission (FTC), filed a lawsuit against popular video-sharing platform TikTok for "flagrantly violating" children's privacy laws in the country. The agencies claimed the company knowingly permitted children to create TikTok accounts and to view and share short-form videos and messages with adults and others on the service. They also accused it of illegally collecting and retaining a wide variety of personal information from these children without notifying or obtaining consent from their parents, in contravention of the Children's Online Privacy Protection Act (COPPA). TikTok's practices also infringed a 2019 consent order between the company and the government in which it pledged to notify parents before collecting children's data and remove videos from users under 13 years old, they added. COPPA requires online platforms to gather, use, or disclose personal information from children unde
Meta Settles for $1.4 Billion with Texas Over Illegal Biometric Data Collection

Meta Settles for $1.4 Billion with Texas Over Illegal Biometric Data Collection

Jul 31, 2024 Privacy / Social Media
Meta, the parent company of Facebook, Instagram, and WhatsApp, agreed to a record $1.4 billion settlement with the U.S. state of Texas over allegations that it illegally collected biometric data of millions of users without their permission, marking one of the largest penalties levied by regulators against the tech giant. "This historic settlement demonstrates our commitment to standing up to the world's biggest technology companies and holding them accountable for breaking the law and violating Texans' privacy rights," Attorney General Ken Paxton said . "Any abuse of Texans' sensitive data will be met with the full force of the law." The development arrived more than two years after the social media behemoth was sued for unlawfully capturing facial data belonging to Texas without their informed consent as is required by the law. The Menlo Park-based company, however, did not admit to any wrongdoing. Tag Suggestions, as the feature was originally c
How Searchable Encryption Changes the Data Security Game

How Searchable Encryption Changes the Data Security Game

Jul 29, 2024 Data Security / Encryption
Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere. Organizations know they must encrypt their most valuable, sensitive data to prevent data theft and breaches. They also understand that organizational data exists to be used. To be searched, viewed, and modified to keep businesses running. Unfortunately, our Network and Data Security Engineers were taught for decades that you just can't search or edit data while in an encrypted state. The best they could do was to wrap that plaintext, unencrypted data within a cocoon of complex hardware, software, policies, controls, and governance. And how has that worked to date? Just look at the T-Mobile breach, the United Healthcare breach, Uber, Verizon, Kaiser Foundation Health Plan, Bank of America, Prudential… and the list goes on. All the data that was stolen in those breaches remained unencrypted to support day-to-day operations. It's safe to conclude that the way we
Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Jul 23, 2024 Online Privacy / Regulatory Compliance
Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time," Anthony Chavez, vice president of the initiative, said . "We're discussing this new path with regulators, and will engage with the industry as we roll this out." The significant policy reversal comes nearly three months following the company's announcement that it intends to eliminate third-party cookies starting early next year after repeated delays, underscoring the project's tumultuous history. While Apple Safari and Mozilla Firefox no longer support third-party cookies as of early 2020, Go
AT&T Confirms Data Breach Affecting Nearly All Wireless Customers

AT&T Confirms Data Breach Affecting Nearly All Wireless Customers

Jul 13, 2024 Data Breach / Network Security
American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network. "Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023," it said . This comprises telephone numbers with which an AT&T or MVNO wireless number interacted – including telephone numbers of AT&T landline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. A subset of these records also contained one or more cell site identification numbers , potentially allowing the threat actors to triang
Apple Removes VPN Apps from Russian App Store Amid Government Pressure

Apple Removes VPN Apps from Russian App Store Amid Government Pressure

Jul 08, 2024 Privacy / Internet Censorship
Apple removed a number of virtual private network (VPN) apps in Russia from its App Store on July 4, 2024, following a request by Russia's state communications watchdog Roskomnadzor, Russian news media reported. This includes the mobile apps of 25 VPN service providers, including Hidemy.name VPN, Le VPN, NordVPN, PIA VPN, Planet VPN, Proton VPN, Red Shield VPN, according to Interfax and MediaZona . It's worth noting that NordVPN previously shut down all its Russian servers in March 2019. "Apple's actions, motivated by a desire to retain revenue from the Russian market, actively support an authoritarian regime," Red Shield VPN said in a statement. "This is not just reckless but a crime against civil society." In a similar notice, Le VPN said the takedown was carried out in accordance with No. 7 of Article 15.1 of the Federal Law dated July 27, 2006, No. 149-FZ "On Information, Information Technologies and Information Protection" and tha
Twilio's Authy App Attack Exposes Millions of Phone Numbers

Twilio's Authy App Attack Exposes Millions of Phone Numbers

Jul 04, 2024 Data Breach / Mobile Security
Cloud communications provider Twilio has revealed that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' cell phone numbers. The company said it took steps to secure the endpoint to no longer accept unauthenticated requests. The development comes days after an online persona named ShinyHunters published on BreachForums a database comprising 33 million phone numbers allegedly pulled from Authy accounts. Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security. "We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert. But out of an abundance of caution, it's recommending that users upgrade their Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps to the latest version. It
New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities

New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities

Jun 28, 2024 Network Security / Data Protection
A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study released this week. "This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else's Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches." A defining characteristic of the approach is that it obviates the need for carrying out an adversary-in-the-middle (AitM) attack or being in physical proximity to the Wi-Fi connection to sniff network traffic. Specifically, it entails tricking a target into loading a harmless asset (e.g., a file, an image, or an ad) from a threat actor-controlled server, which then exploits the victim's
U.S. Bans Kaspersky Software, Citing National Security Risks

U.S. Bans Kaspersky Software, Citing National Security Risks

Jun 21, 2024 Software Security / Threat Intelligence
The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country. The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on the fact that its operations in the U.S. posed a national security risk. News of the ban was first reported by Reuters. "The company's continued operations in the United States presented a national security risk — due to the Russian Government's offensive cyber capabilities and capacity to influence or direct Kaspersky's operations — that could not be addressed through mitigation measures short of a total prohibition," the BIS said . It further said Kaspersky is subject to the jurisdiction and control of the Russian government and that its software pro
Signal Foundation Warns Against EU's Plan to Scan Private Messages for CSAM

Signal Foundation Warns Against EU's Plan to Scan Private Messages for CSAM

Jun 18, 2024 Privacy / Encryption
A controversial proposal put forth by the European Union to scan users' private messages for detection of child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name. "Mandating mass scanning of private communications fundamentally undermines encryption. Full Stop," Whittaker said in a statement on Monday. "Whether this happens via tampering with, for instance, an encryption algorithm's random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they're encrypted." The response comes as law makers in Europe are putting forth regulations to fight CSAM with a new provision called "upload moderation" that allows for messages to be scrutinized ahead of encryption. A recent report from Euractiv revealed that
Expert Insights / Articles Videos
Cybersecurity Resources