Twitter bans sharing private images and videos without consent
Twitter has expanded its private information policy to ban users from sharing photos or videos of private individuals without their permission. The company notes that although anyone can be affected by the sharing of private media, it “can have a disproportionate effect on women, activists, dissidents and members of minority communities.” If someone reports a photo or video that violates the policy, Twitter will remove the media and may take additional action, ranging from downranking the tweet’s visibility to permanently suspending repeat violators. The policy leaves some gray area: it does not apply to public figures, and it also does not apply to other individuals where the photo or video and the accompanying tweet text are “shared in the public interest or add value to public discourse.”
(Engadget)
DNA testing firm discloses data breach affecting over 2 million people
Ohio-based DNA Diagnostics Center (DDC) has disclosed a data breach that occurred from May through July which impacted more than 2,100,000 individuals. Hackers were able to access full names, credit and debit card numbers with CVV code, financial account numbers, and account passwords. The compromised database contained older backups dating between 2004 and 2012 which are not linked to the active DDC systems and databases. While DDC does store highly sensitive data related to paternity, DNA relationship, fertility, COVID-19, ancestry, and testing for immigration purposes, nothing relevant to these services has been compromised according to the company’s notice. DDC is notifying impacted individuals with instructions for enrolling in one year of free credit monitoring through Experian.
Critical ‘Printing Shellz’ bugs impact 150 HP printer models
On the heels of the Windows Print Spooler service vulnerability affectionately known as PrintNightmare and the 16-year-old privilege escalation driver flaw which HP patched back in July, researchers from F-Secure have identified a set of multifunction printer (MFP) vulnerabilities dubbed “Printing Shellz,” which date back to 2013 and impact an estimated 150 HP products. The first issue, tracked as CVE-2021-39238 and assigned a CVSS severity score of 9.3, is a buffer overflow which can be triggered directly from a browser via cross-site printing (XSP) and could allow the creation of a self-propagating network worm. The second, slightly less severe issue is an information disclosure bug caused by exposed physical ports, and therefore requires local access to the device as an avenue for attack. HP was informed of F-Secure’s discoveries on April 29 and issued patches and firmware updates in November.
(ZDNet)
300,000 banking Trojan infections from Google Play
Over a four-month span, four major Android malware strains were spread via Google Play, resulting in over 300,000 infections via multiple dropper apps. The campaign relies on droppers with a reduced malicious footprint, which are gaining popularity among threat actors because they are difficult to detect with automated and machine-learning-based scanning. Casey Ellis, Founder and CTO at Bugcrowd, recommends that Google increase bounty rewards for reporting trojan activity within Google Play, while John Bambenek, Principal Threat Hunter at Netenrich, explains, “There is only so much protection you can have when app stores are inherently reactive in detecting abusive apps.”
Thanks to our episode sponsor, Votiro

Finland warns of Flubot targeting Android users
Finland’s National Cyber Security Centre (NCSC-FI) has issued a “severe alert” warning of the second large-scale Flubot campaign to hit Finland this year. Like its predecessor, the campaign uses a voicemail theme, enticing targets to click a link that claims to give access to their messages but instead directs them to malicious sites which deploy Flubot on their Android devices. The NCSC observed approximately 70,000 messages sent over a 24-hour period and fears that number could increase to hundreds of thousands in the coming days. Since 2020, the Flubot banking malware has been used to steal banking credentials, payment information, text messages, and contacts from infected devices. Individuals with infected devices are advised to perform a factory reset or restore from a pre-infection backup, reset passwords for the services they use, and contact their bank if they have used a banking application or handled credit card information on the infected device.
Texas school district to scan children’s devices
Longview Independent School District (Longview ISD), located in East Texas, has partnered with technology and web-hosting company Gaggle to scan student emails on district-issued devices for a particular set of keywords. With Gaggle’s software, for which the district has paid $60,000, harmful keywords can be detected and reported to school administrators. The district says that the purpose of the virtual searches is to weed out cyber-bullies and identify students with mental health issues. Francisco Rojas, public information officer for Longview ISD, said, “Mental health issues are on the rise. And we have to keep up with it, we have to be proactive instead of reactive.” Gaggle scanning will begin in the Longview ISD middle and high schools on December 9.
UK competition watchdog orders Meta to sell Giphy
Facebook’s parent company, Meta, has been ordered to sell Giphy by the UK’s Competition and Markets Authority (CMA). Meta bought the GIF-sharing search engine last year for a reported $315m (£236m). It planned to integrate Giphy’s vast database with another of its social-media platforms, Instagram, but the CMA ruled the purchase unfair to competing social-media platforms. Giphy also provides GIFs to competitors such as TikTok, Snapchat and Twitter. Experts said the decision by the regulator was a significant one, while Meta has expressed its disagreement with the decision and is “considering all options, including appeal.”
(BBC)
Zoom could owe you $25
As part of a class action lawsuit over alleged privacy and security issues, people who used Zoom between 2016 and July 30, 2021 can now file a claim to receive the greater of either $25 or 15% of their core Zoom subscription cost. On Monday, the group that sued Zoom, for allegedly sharing users’ information with third parties, not doing enough to prevent unwanted disruptions (also known as Zoom bombings), and falsely advertising Zoom as end-to-end encrypted when it was not, sent emails to eligible Zoom users explaining how they can apply for the compensation. For users who did not have a paid subscription, the compensation will be $15. Users who want the money can file a claim at ZoomMeetingsClassAction.com or send a paper form by March 5, 2022.
(Vice)