computer security

Smart home makers hoard your data, but won’t say if the police come for it

A decade ago, it was almost inconceivable that nearly every household item could be hooked up to the internet. These days, it’s near impossible to avoid a non-smart home gadget, and they’re vacuuming up a ton of new data that we’d never normally think about. Thermostats know the temperature of your house, and smart cameras and sensors know when someone’s walking around your home. Smart assistants know what you’re asking for, and smart doorbells know who’s coming and going. And thanks to the cloud, that data is available to you from anywhere – you can check in on your pets from your phone or make sure your robot vacuum cleaned the house. Because the data is stored or accessible by the smart home tech makers, law enforcement and government agencies have increasingly sought out data from the ...

California passes law that bans default passwords in connected devices

Good news! California has passed a law banning default passwords like “admin,” “123456” and the old classic “password” in all new consumer electronics starting in 2020. Every new gadget built in the state from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.” It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time. For years, botnets have utilized the power of badly secured connected devices to pummel s...

DoorDash customers say their accounts have been hacked

Food delivery startup DoorDash has received dozens of complaints from customers who say their accounts have been hacked. Dozens of people have tweeted at @DoorDash with complaints that their accounts had been improperly accessed and had fraudulent food deliveries charged to their account. In many cases, the hackers changed their email addresses so that the user could not regain access to their account until they contacted customer services. Yet, many said that they never got a response from DoorDash, or if they did, there was no resolution. Several Reddit threads also point to similar complaints. DoorDash is now a $4 billion company after raising $250 million last month, and serves more than 1,000 cities across the U.S. and Canada. After receiving a tip, TechCrunch contacted some of the af...

AdGuard resets all user passwords after account hacks

Popular ad-blocker AdGuard has forcibly reset all of its users’ passwords after it detected hackers trying to break into accounts. The company said it “detected continuous attempts to login to AdGuard accounts from suspicious IP addresses which belong to various servers across the globe,” in what appeared to be a credential stuffing attack. That’s when hackers take lists of stolen usernames and passwords and try them on other sites. AdGuard said that the hacking attempts were slowed thanks to rate limiting — preventing the attackers from trying too many passwords in one go. But, the effort was “not enough” when the attackers know the passwords, a blog post said. “As a precautionary measure, we have reset passwords to all AdGuard accounts,” said Andrey Meshkov, AdGuard’s co-founder and chie...

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage. The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe. The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device. “This is particularly devastating because not only is an att...

British Airways breach caused by credit card skimming malware, researchers say

A security firm says credit card skimming malware installed by hackers on British Airways’ website a few months ago was to blame for a data breach of over 380,000 credit cards. Payments through the airline’s website and mobile app were stolen over the three-week period, but a key clue was that travel information wasn’t affected. Yonathan Klijnsma, a threat researcher at RiskIQ, suspected it might be the same group that was behind the Ticketmaster breach, in which hackers targeted a third party that loaded code on Ticketmaster’s various sites. From there, it could siphon off thousands of transactions. This time, Klijnsma said the group took an even more “highly targeted approach,” describing a wave of attacks that the “Magecart” collective has used to steal thousands of records from various...

Abbyy leaked 203,000 sensitive customer documents in server lapse

Abbyy, a maker of optical character recognition software, has exposed a trove of sensitive customer documents after a database server was left online without a password. The exposed server was found by former Kromtech security researcher Bob Diachenko, who now works independently. In a blog post shared prior to publication, he said one of the company’s MongoDB servers was mistakenly configured for public access. He told TechCrunch that the server contained 203,896 scanned files, including contracts, non-disclosure agreements, memos and other highly sensitive documents dating back to 2012. The data also included corporate usernames and scrambled passwords. The Moscow-based company specializes in document capture products and services, including converting physical documents to searchable an...

Weak passwords let a hacker access internal Sprint staff portal

It’s not been a great week for cell carriers. EE was hit with two security bugs and T-Mobile admitted a data breach. Now, Sprint is the latest phone giant to admit a security lapse, TechCrunch has learned. Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access to customer account data. Sprint is the fourth largest US cell network with 55 million customers. TechCrunch passed on details and screenshots of the issue to Sprint, which confirmed the findings in an email. “After looking into this, we do not believe customer information can be obtained without suc...

Social SafeGuard scores $11M to sell alerts for brand-damaging fakes

Social SafeGuard, a 2014-founded U.S. startup which sells security services to enterprises aimed at mitigating a range of digital risks that lie outside the corporate firewall, has closed an $11 million Series B funding round, from AllegisCyber and NightDragon Security. It’s hoping to ride the surge in awareness around social media fakery — putting the new funding towards sales and marketing, plus some product dev. “As one of the few dedicated cybersecurity venture firms, we know how big this challenge has become for today’s security executives,” said Spencer Tall, MD of AllegisCyber, in a supporting statement. Tall is joining the Social SafeGuard board. “This is no longer a fringe need that can be ignored or deferred. Digital risk protection should be on the shortlist of corporate securit...

A simple solution to end the encryption debate

By David Gurle and Bill Harrington, contributors. Criminals and terrorists, like millions of others, rely on smartphone encryption to protect the information on their mobile devices. But unlike most of us, the data on their phones could endanger lives and pose a great threat to national security. The challenge for law enforcement, and for us as a society, is how to reconcile the advantages of gaining access to the plans of dangerous individuals with the cost of opening a door to the lives of everyone else. It is the modern manifestation of the age-old conflict between privacy versus security, playing out in our pockets and palms. One-size-fits-all technological solutions, like a manufacturer-built universal backdoor tool for smartphones, likely create more dangers than they prevent. Whil...

We love augmented reality, but let’s fix things that could become big problems

By Cyan Banister and Alex Hertel, contributors. Cyan Banister is a partner at Founders Fund, where she invests across sectors and stages with a particular interest in augmented reality, fertility, heavily regulated industries and businesses that help people with basic skills find meaningful work. Alex Hertel is the co-founder of Xperiel. Augmented Reality (AR) is still in its infancy and has a very promising youth and adulthood ahead. It has already become one of the most exciting, dynamic, and pervasive technologies ever developed. Every day someone is creating a novel way to reshape the real world with a new digital innovation. Over the past couple of dec...
