The Centers for Medicare & Medicaid Services confirmed a breach. Apple CEO Tim Cook wants Bloomberg to retract the spychip story. A Connecticut city paid a ransom to unlock 23 servers.

On Friday, the Centers for Medicare & Medicaid Services admitted to a breach in which attackers made off with the sensitive and personal information of 75,000 people. The “anomalous activity” was detected on October 13; the breach in Federally Facilitated Exchanges that agents and brokers use to help people sign up for healthcare plans was declared on October 16. What exact sensitive and private info the hackers made off with was not explained, although people hand over a great deal of both types of information when signing up for healthcare.

Apple calls out Bloomberg; researcher calls out Apple

Apple CEO Tim Cook told BuzzFeed that Bloomberg needs to do the “right thing and retract” the story about Chinese spies managing to implant a malicious backdoor chip in a Super Micro motherboard server used by Apple. According to Bloomberg, Apple allegedly discovered the bugged hardware in 2015, cut ties with Super Micro and reported it to the FBI.

Cook, however, told BuzzFeed, “There is no truth in their story about Apple. They (Bloomberg) need to do the right thing and retract it.”

On a different front, a Google Project Zero researcher called out Apple for failing to assign CVEs or publicly acknowledge flaws which were fixed in iOS 12. “In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were.”

Apple did make it possible for you to request access to your data via its Data and Privacy page.

Ransom paid by Connecticut city

West Haven, Connecticut paid a $2,000 ransom demand to unlock 23 servers.
According to the Associated Press, DHS said the attack was launched from a foreign country and an investigation is ongoing.

Flaws in 8 D-Link routers make it ‘easy’ for remote hackers to gain full control

Security researcher Blazej Adamczyk disclosed three vulnerabilities in D-Link routers which, when chained together, make it “easy to gain full router control including arbitrary code execution.”

The following eight D-Link models are affected: DWR-116, DWR-140L, DWR-512, DWR-640L, DWR-712, DWR-912, DWR-921, and DWR-111. He added that there were probably other vulnerable D-Link routers “with the same type of firmware.”

Despite contacting D-Link about the flaws back in May, he was told that only two (DWR-111 and DWR-116) would be patched as the others were no longer supported. After hearing nothing more, he warned D-Link in September that it had one month to announce fixes or he would go public. When D-Link failed to comply, he revealed the flaws and posted a proof-of-concept video showing a full takeover of vulnerable D-Link routers.

1.2 million email addresses in leaked file from 8 hacked adult websites

Ars Technica warned that a hack of eight adult websites led to a leaked 98MB file with IP addresses of those who visited, user passwords, names and 1.2 million unique email addresses – although it is not clear if the email addresses really belonged to users.

Hackers can access pictures, video feeds in vulnerable telepresence robots

There are five vulnerabilities in Vecna Technologies telepresence robots, which are often used by child patients in hospitals.
ZDNet reported that the flaws can be combined “to allow an attacker full control over a robot, giving an intruder the capability to alter firmware, steal chat logs, pictures, or even access live video streams.”

North Korean Lazarus hackers have stolen over half a billion dollars in cryptocurrencies

The state-sponsored North Korean hacking crew Lazarus has managed to steal a whopping $571 million in cryptocurrencies and is responsible for more than half of cryptocurrencies stolen since 2017.

Do Not Track ignored

If you think that taking the time to turn on the Do Not Track feature in your browser to demand privacy actually means something to companies, think again. Gizmodo reported that despite Do Not Track being used by millions, most sites opt to ignore your privacy preference. DuckDuckGo founder Gabe Weinberg suggested that unless there is a federal law to give DNT some teeth, then it “should be removed from all browsers because it is otherwise misleading, giving people a false sense of security.”

Other interesting security and privacy tidbits:

You can check out a comparison of messenger systems by security, privacy, compatibility, and features.

There is also an interesting interactive example of how Facebook leaked millions of access tokens and a blog post about how Facebook was hacked.