Largest data breach in history? Cyber Security Today for Friday, August 9, 2024

August 8, 2024 One of the largest data breaches in history, with 2.9 billion records gathered without consent or knowledge; complaints that making Microsoft Outlook’s email interface more “user-friendly” has inadvertently left the door wide open for phishing criminals; and a presentation at Black Hat reveals a flaw that could allow attackers to “unpatch” fully updated systems and reintroduce old security flaws.

Welcome to Cyber Security Today for Friday, August 9th. I’m your host, Jim Love.

One of the largest data breaches in history has potentially exposed the personal information of 2.9 billion individuals. Background check company National Public Data, also known as Jerico Pictures, is facing a class action lawsuit over this massive leak.

The company reportedly uses ‘scraping’ to collect sensitive data from non-public sources, including Social Security numbers, full names, addresses, and information about relatives. Alarmingly, much of this data was gathered without the individuals’ knowledge or consent.

The breach came to light when plaintiff Christopher Hofmann was alerted that his information had been leaked onto the dark web. A cybercriminal group called USDoD is now offering the database for sale at $3.5 million.

The lawsuit accuses National Public Data of negligence and seeks both financial compensation and improved security measures. These include annual third-party cybersecurity assessments for a decade, data segmentation, and encryption of all collected information going forward.

If confirmed, this breach would rival the infamous Yahoo incident of August 2013, which Yahoo disclosed in December 2016 as affecting 1 billion accounts and then, in October 2017, revised to all of its approximately 3 billion accounts. The stolen data included names, email addresses, phone numbers, birth dates, hashed passwords, and security questions and answers, and until now that incident was regarded as the largest breach in history.

As investigations continue, this case underscores the urgent need for stricter data protection regulations and highlights the risks of large-scale data collection without permission or proper protection.

Sources include: TechRadar

Microsoft’s Outlook email service is facing some backlash from users over a “feature” that they feel is putting them at risk of phishing attacks.

The issue revolves around how Outlook displays the sender’s email address. Rather than showing the actual address, Outlook will, at least in some views, show a more “friendly” name instead. This makes it easier for scammers to impersonate trusted contacts and trick users into opening malicious emails.

Many users have taken to Microsoft’s support forums, urging the company to address this problem. One user described it as “one of the most common and most under-reported attack methods” that “doesn’t just financially impact companies, it has a devastating impact on the mental health of people all over the world.”

While there are workarounds to force Outlook to show the real email address, these may not be practical solutions for many enterprises and users.

Cybersecurity experts say Microsoft’s focus on making the email interface more “user-friendly” has inadvertently left the door wide open for phishing criminals. Users who treat security as a top priority are now demanding that Microsoft provide a simple option to disable this problematic “friendly name” feature once and for all.

An article in The Register noted that Microsoft had not responded to its requests for comment on plans to address the issue, leaving many Outlook users feeling vulnerable to ongoing scam attempts.
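The header check below is an added example for this page, not code from the article, The Register or Microsoft. It splits a From: value the way a mail client does, separating the friendly display name from the real address, and flags the impersonation patterns that a name-only view hides: a display name that is itself an e-mail address different from the sender, a display name that matches a known contact whose real address differs, and (going slightly beyond the article) a sender domain one edit away from a trusted domain. The contact list, the trusted domain and the sample headers are all constructed for illustration.

```python
"""Flag From: headers whose friendly display name could mislead a reader who
only sees the name and never the address (the Outlook behaviour described above).

Added example for this page; not code from the article, The Register or
Microsoft. The contact list, trusted domain and sample headers are constructed.
"""
import re
from email.utils import parseaddr

# Constructed: display names users would trust -> the address each should come from.
KNOWN_CONTACTS = {
    "jim love": "jim.love@example.com",
    "accounts payable": "ap@example.com",
}
# Constructed: domains the organisation treats as its own.
TRUSTED_DOMAINS = {"example.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_value: str) -> list[str]:
    """Return the reasons a From: header looks deceptive; an empty list is clean."""
    name, addr = parseaddr(from_value)
    if not addr or "@" not in addr:
        return ["unparseable From header"]
    addr_l = addr.lower()
    name_l = name.strip().lower()
    domain = addr_l.rsplit("@", 1)[-1]
    findings = []

    # 1. The display name itself contains an e-mail address that differs from
    #    the real one:  "ap@example.com" <billing-update@attacker.test>
    for embedded in EMAIL_RE.findall(name_l):
        if embedded != addr_l:
            findings.append(f"display name embeds a different address: {embedded}")

    # 2. The display name is a known contact, but the address is not theirs.
    expected = KNOWN_CONTACTS.get(name_l)
    if expected and expected != addr_l:
        findings.append(f"name '{name}' is expected from {expected}, got {addr_l}")

    # 3. The sender domain is one edit away from a trusted domain (homoglyph or
    #    typo-squat) without actually being that domain.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(domain, trusted) <= 1:
                findings.append(f"lookalike domain {domain} resembles {trusted}")

    return findings


def scan(headers: list[str]) -> dict[str, list[str]]:
    """Evaluate many From: values; only headers with findings are returned."""
    return {h: f for h in headers if (f := check_from_header(h))}


# Constructed sample headers: one legitimate, three that would show a
# trustworthy friendly name while the real address is something else.
SAMPLE_HEADERS = [
    "Jim Love <jim.love@example.com>",
    "Jim Love <jim.love@examp1e.com>",
    '"ap@example.com" <billing-update@attacker.test>',
    "Accounts Payable <ap.example.com@gmail.test>",
]

if __name__ == "__main__":
    for header, reasons in scan(SAMPLE_HEADERS).items():
        print(header)
        for reason in reasons:
            print("   -", reason)
```

The same logic can run as a mail-flow rule or a transport-level filter; the point is that the comparison happens where the real address is still visible, rather than relying on the recipient to click through the friendly name.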

Sources include: The Register

Windows users are facing a serious security vulnerability that could allow attackers to “unpatch” fully updated systems and reintroduce old security flaws.

According to research presented at Black Hat 2024, security researcher Alon Leviev discovered two zero-day vulnerabilities in the Windows Update process that can be exploited in downgrade attacks. These attacks force a device to roll back to older software versions, undoing the latest security patches.

Leviev demonstrated how he could bypass Windows’ Virtualization-Based Security (VBS) features, including Credential Guard and Hypervisor-Protected Code Integrity, exposing the system to thousands of past vulnerabilities. Even after such a downgrade, the device still reports itself as fully patched.

“I was able to show how it was possible to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world,” Leviev said.

Microsoft has acknowledged the issues, tracked as CVE-2024-38202 and CVE-2024-21302, and says it is working on a fix. However, the company notes it will take time to test and roll out the update due to the widespread impact on Windows system files.
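As an added example (not Leviev’s tooling, not Microsoft’s code, and not a description of how the attack itself works), the script below shows the check a defender would want given the symptom just described: a baseline of the reported patch level and the on-disk versions of a few core binaries is recorded from a known-good state, and a later snapshot is compared against it. Files whose version went backwards while the reported patch level did not are treated as a suspected downgrade; if the reported level went back as well, the change is visible (for example, an administrator uninstalled an update). The file names and version numbers are constructed, and the step that reads CurrentBuild/UBR from the registry and the version resource of each file is assumed rather than implemented.

```python
"""Heuristic detector for a system whose core binaries were rolled back while
its reported patch level stayed the same, the symptom described above.

Added example for this page; it is not Leviev's tooling or Microsoft's code.
Approach: record a baseline of (reported patch level, on-disk file versions)
from a known-good state, then compare a later snapshot against it. Files whose
version went backwards while the reported level did not are the signal.
The file names and versions below are constructed; on a real host the
collection step (hypothetical, not shown) would read CurrentBuild and UBR from
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion and the version resource
of each binary.
"""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple[int, ...]:
    """'10.0.22631.3880' -> (10, 0, 22631, 3880); tuples compare correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return parts


@dataclass(frozen=True)
class Snapshot:
    reported_level: str                                   # what the OS claims (build.UBR)
    files: dict[str, str] = field(default_factory=dict)   # path -> file version


def find_regressions(baseline: Snapshot, current: Snapshot) -> dict[str, tuple[str, str]]:
    """Files present in both snapshots whose version moved backwards."""
    out = {}
    for path, old in baseline.files.items():
        new = current.files.get(path)
        if new is not None and parse_version(new) < parse_version(old):
            out[path] = (old, new)
    return out


def assess(baseline: Snapshot, current: Snapshot) -> str:
    """CONSISTENT: nothing went backwards.
    ROLLBACK_VISIBLE: files and the reported level both went back (an honest uninstall).
    SUSPECT_DOWNGRADE: files went back but the machine still reports the newer level."""
    regressions = find_regressions(baseline, current)
    if not regressions:
        return "CONSISTENT"
    level_went_back = parse_version(current.reported_level) < parse_version(baseline.reported_level)
    return "ROLLBACK_VISIBLE" if level_went_back else "SUSPECT_DOWNGRADE"


# Constructed baseline: a machine right after applying its latest cumulative update.
BASELINE = Snapshot(
    reported_level="10.0.22631.3880",
    files={
        r"C:\Windows\System32\ntoskrnl.exe": "10.0.22631.3880",
        r"C:\Windows\System32\ci.dll": "10.0.22631.3880",
        r"C:\Windows\System32\securekernel.exe": "10.0.22631.3810",
    },
)

# Constructed later snapshot: two binaries are older, yet the reported level is unchanged.
DOWNGRADED = Snapshot(
    reported_level="10.0.22631.3880",
    files={
        r"C:\Windows\System32\ntoskrnl.exe": "10.0.22631.2428",
        r"C:\Windows\System32\ci.dll": "10.0.22631.2428",
        r"C:\Windows\System32\securekernel.exe": "10.0.22631.3810",
    },
)

if __name__ == "__main__":
    print(assess(BASELINE, DOWNGRADED))
    for path, (old, new) in find_regressions(BASELINE, DOWNGRADED).items():
        print(f"  {path}: {old} -> {new}")
```

Because the check compares against a baseline you captured yourself rather than against what the machine reports, it does not depend on the update mechanism telling the truth; the baseline should be stored off-host so that whatever rolled the files back cannot also rewrite it.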

Leviev’s presentation had another ominous warning: “We believe the implications are significant not only to Microsoft Windows, which is the world’s most widely used desktop OS, but also to other OS vendors that may potentially be susceptible to downgrade attacks.”

A link to the presentation is in the show notes at technewsday.com

Sources include: Bleeping Computer

That’s our show. You can find the show notes with links at technewsday.com or .ca – take your pick. Check out our weekend edition which will drop just after midnight, ready for your Saturday morning coffee. A great panel covers the week’s top news stories.

I’m your host Jim Love. Thanks for listening.


Jim Love

Jim Love's career in technology spans more than four decades. He's been a CIO and headed a worldwide management consulting practice. As an entrepreneur he built his own tech business. Today he is a podcast host with the popular tech podcasts Hashtag Trending and Cybersecurity Today with over 14 million downloads. As a novelist, his latest book "Elisa: A Tale of Quantum Kisses" is an Audible best seller. In addition, Jim is a songwriter and recording artist with a Juno nomination and a gold album to his credit. His music can be found at music.jimlove.com