Right before Thanksgiving and some of the biggest shopping days of the year, Amazon sent emails to affected customers, revealing that it had “inadvertently disclosed your name and email address due to a technical error.” The terse, vaguely worded email caused some people to worry it might be a phishing attack.
Amazon failed to say how many people were affected by the data exposure or what the technical error actually was; instead, Amazon claimed the issue was fixed and impacted customers were notified.
More cybersecurity news
Security hole leads to data exposure of 60 million USPS customers
First we had a U.S. Secret Service warning saying the U.S. Postal Service's Informed Delivery service was being abused by identity thieves. Now Brian Krebs says the USPS closed a security hole in the API for “Informed Visibility” that exposed data on 60 million users.
Multiple flaws in TP-Link routers
Speaking of security holes, Cisco Talos Intelligence disclosed four vulnerabilities in TP-Link’s TL-R600VPN routers, including a remote code execution hole.
Linux servers targeted with non-IoT Mirai variants
Botmasters are branching out from routers, security cameras, and other Internet of Things (IoT) devices and are now trying to use a Hadoop vulnerability to target Linux servers with Mirai variants. Netscout said, “This is the first time we’ve seen non-IoT Mirai in the wild.”
Ghostscript flaw
The Ghostscript interpreter, used to process PDF and PostScript files, shipped with most Linux distributions and commonly used by sites, services, apps, and cloud platforms, has a remote code execution flaw (pdf). The vulnerability discovered by Semmle is a variant of the critical vulnerability discovered by Google Project Zero’s Tavis Ormandy in August.
DirtyCOW and backdoor into Drupal servers
Do you use Drupal? Imperva researchers spotted a campaign using DirtyCOW, Drupalgeddon2 and system misconfigurations to “persistently infect vulnerable Drupal web servers and take over user machines.”
Facebook and LinkedIn privacy fails
Facebook may be facing more woes as the British Parliament seized a cache of internal Facebook documents to determine the truth of Facebook’s data and privacy control decisions.
LinkedIn is also in hot water, as Ireland’s Data Protection Commissioner found (pdf) that “LinkedIn’s practices leading up to GDPR implementation in Europe were not only uncanny, but actually violated data protection rules, in LinkedIn’s case concerning some 18 million email addresses.”
U.S. government security and privacy fails
A recent audit found that the IRS failed to apply consumer protections for victims of at least 89 data breaches, leaving at least 11,406 U.S. taxpayers unprotected.
In addition, Sen. Ron Wyden (D-Ore.) pointed out that the public has waited decades for the Department of Defense (DoD) to be audited as is required by law. Now it has been revealed that the DoD failed its first-ever full-scale audit.
Irony
Japan’s cybersecurity minister, who admitted to not using computers, has now admitted that he’s “not that familiar” with cybersecurity matters. Japan’s head honcho for cybersecurity said his main job “is to read out written replies (prepared by bureaucrats) without making any mistakes.”
Meanwhile in North Korea, home of the government-sponsored hacking group Lazarus, which allegedly stole $571 million of the $882 million total in cryptocurrency heisted from online exchanges:
North Korea is hosting a conference on blockchain and cryptocurrency next year. Organizers say U.S. citizens are welcome to attend despite the travel ban. @nknewsorg @ColinZwirko @OliverHotham https://t.co/4ORhrbhQWH
— CSIS Korea Chair (@CSISKoreaChair) November 21, 2018
Surveillance
The social credit system Citizen Score is part of China’s over-the-top surveillance. Now, apparently, the U.S. Department of Homeland Security (DHS) is taking a page from China with its new credit score-checking proposal. Slate revealed, “The agency charged with safeguarding the nation would like to make immigrants submit their credit scores when applying for legal resident status.”
Speaking of surveillance, Google’s new patents reveal that the search giant wants to data mine your bedroom: “Google wants to scan your clothing and listen to you brush your teeth.”
While letting Google into your bedroom is optional, some people with health disorders are already under “secret” surveillance in their bedrooms. Millions of people with sleep apnea use CPAP breathing machines, and ProPublica explained that health insurance companies, starting with Medicare, use surveillance – without users’ knowledge – to keep track of how long the machines are used each night. If a user fails to comply by using the device for the required time period, insurers can deny payment.
Others argue we will invite surveillance by agreeing to be microchipped.
Shop smart
When shopping, be sure to shop smart. Be aware of internet-connected devices that could allow hackers to watch you.