Cybersecurity and data privacy: 8 recent developments

Global cyberattacks like the WannaCry ransomware outbreak grab headlines. And rightly so. Yet one of the biggest cybersecurity threats out there isn’t software, it’s people. In one cybersecurity study, 60% of corporate cyberattacks were carried out by insiders, and 25% of those by “inadvertent actors” like employees who accidentally reveal passwords or other security credentials. While the lion’s share of cyber threats continue to be hackers, a lot of progress could be made if well-intentioned people made fewer security errors.

This thinking is behind a movement to introduce cybersecurity education into schools. The goal would be to educate children early about the need to protect personal data and generally stay safe online. As a secondary goal, this type of education might contribute over the long term to increasing the number of cybersecurity professionals, an area where there is an estimated shortfall of 2 million workers.

As part of Entefy’s commitment to increasing awareness of the many forms that cyber threats can take, we’re sharing another roundup of 8 recent developments in cybersecurity and data privacy.

  1. Researchers have demonstrated a vulnerability in the dating app Tinder. By just entering a user’s phone number the researchers could gain control of an entire account. The attack works by exploiting vulnerabilities on both Tinder and Facebook’s Account Kit System, which Tinder uses to manage logins. Both Facebook and Tinder have since patched the vulnerability.
  2. The Mi-Cam baby monitor has numerous vulnerabilities that allow hackers access to anything the camera sees or hears. Via the Mi-Cam’s Android application, hackers can bypass the password login by setting up a proxy server to intercept and modify HTTP requests between a phone and the Mi-Cam. Hackers can also exploit vulnerabilities with the application programming interfaces (APIs), allowing them access to information on how to connect to the Mi-Cam cloud network. "Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied [user ID]", said Johannes Greil, head of the SEC Consult Vulnerability Lab. The Mi-Cam has approximately 50,000 users.
  3. According to data from the Princeton Web Transparency & Accountability Project, 76% of websites contain hidden Google trackers, 24% have hidden Facebook trackers, and 12% contain Twitter trackers. Google, Facebook, and Twitter create large data profiles for all tracked individuals that can include interests, purchases, searches, and browsing and location history.  These data profiles are then made available to advertisers and fed into their proprietary AI algorithms. These algorithms in turn create filters of what they think an individual is most likely to click on, creating an echo chamber effect that can distort one's perception of reality.
  4. Even state-of-the-art neural networks can be hacked. Two researchers at the University of California, Berkeley have managed to “trick” a neural network into transcribing almost any type of audio into whatever they want. "With powerful iterative optimization-based attacks applied completely end-to-end, we are able to turn any audio waveform into any target transcription with 100 percent success by only adding a slight distortion. We can cause audio to transcribe up to 50 characters per second (the theoretical maximum), cause music to transcribe as arbitrary speech, and hide speech from being transcribed.", the researchers report.
  5. The data collected by one fitness tracking company was found to inadvertently reveal sensitive information about the location and staffing of military bases and spy outposts around the world. Users of the app record and upload their exercise routines, which the company then shares on global heat maps showing trillions of individual data points. However, military analysts noticed that the heat maps for places like Afghanistan, Djibouti, and Syria revealed the position of U.S. military personnel in those regions. If you knew what to look for, “U.S. bases are clearly identifiable and mappable”, said Nathan Ruser, an analyst with the Institute for United Conflict Analysts.
  6. A hack on ATMs known as “jackpotting” is making the rounds. The exploit involves hackers using off-the-shelf tools to force ATMs to spit out cash, affecting drive-thru ATMs and standalone ATMs located at pharmacies and big box retailers. Hackers gain physical access to the ATMs by replacing its hard drive or using an industrial endoscope to reset the device by pressing an internal button. Diebold Nixdorf and NCR Corp, two of the largest ATM makers, issued a warning about the hack, writing that “This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack.”
  7. A global cybersecurity report shows that a new class of malware has taken the dubious honor of the most prevalent global cyber threat: Coinhive. Coinhive is a form of cryptojacking malware, software that embeds itself secretly on computers and other devices then uses the device’s processing power to mine cryptocurrency. In an unfortunate case of market dynamics, hackers are apparently finding better ROI with cryptojacking than ransomware, malware that takes over computers until a ransom is paid. Ransomware is ineffective in many cases because victims won’t or can’t pay the ransom, or they simply don’t understand how to pay ransoms that must be paid in…cryptocurrencies. In contrast, cryptojacking miners save on energy costs and receive the mining rewards of Bitcoin or other cryptocurrencies. “The problem is that cryptojacking is simply everywhere—on websites, servers, PCs, and mobile”, explains Lotem Finkelstein, a threat intelligence analyst. 
  8. Flaws in the WhatsApp messaging app allow hackers to infiltrate group chat, according to research from a German team of cryptographers. Infiltrators are able to insert new users into private group chats without permission of administrators by controlling WhatsApp servers. Paul Rösler, co-author of the paper, said "The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them." Because having control of WhatsApp servers is required for the hack, likely only very sophisticated hackers, WhatsApp staff, or governments who legally pressure WhatsApp to give them access could pursue this hack. The researchers found that even if an infiltration occurred, messages sent prior to the attack would still remain encrypted.

Be sure to read our previous article on cybersecurity and data privacy threats and solutions.