CyberSecurity news
FlagThis - #privacy
|
Pierluigi Paganini@Security Affairs
//
A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the vulnerabilities associated with modifying secure messaging applications, especially concerning the preservation of end-to-end encryption.
The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage’s systems took only 15-20 minutes, underscoring the ease with which the security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised. TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk. Recommended read:
References :
@cyberinsider.com
//
VeriSource Services, a Houston-based employee benefits administration firm, has disclosed a significant data breach impacting four million individuals. The company, which provides HR services, revealed that an "unknown actor" gained access to sensitive personal data during a digital break-in that occurred in February 2024. This incident has expanded considerably from initial estimates, highlighting the challenges organizations face in accurately assessing the scope of cyberattacks. VeriSource began notifying affected individuals on April 23, providing more details in a filing with the Maine Attorney General's office.
The exposed information includes names, addresses, dates of birth, genders, and Social Security numbers, although not all data points were compromised for every individual. The discovery that gender and home address data were potentially accessed represents a significant update from previous notifications. VeriSource initially believed that only around 112,000 individuals were affected, according to a filing made in August 2024 with the US Health and Human Services Office for Civil Rights. This initial assessment followed the first round of investigations, which focused on determining if sensitive data had been stolen. The latest disclosure follows VeriSource's collaboration with its "client companies" to gather more information, concluding on April 17. The VeriSource data breach underscores the critical need for organizations to enhance their cybersecurity detection and response capabilities. Delayed detection can lead to substantial financial repercussions, including higher costs associated with data recovery, legal fees, and regulatory fines. Furthermore, reputational damage and the need for extensive post-breach audits add to the financial strain. Implementing advanced threat detection technologies, such as behavioral analytics and machine learning, can significantly reduce detection times. VeriSource is working with the FBI and stated that it has not seen "evidence" to suggest any of the stolen data has yet been misused. Recommended read:
References :
@The DefendOps Diaries
//
A vulnerability in Verizon's Call Filter feature exposed customers' incoming call history, allowing unauthorized access to call logs. Security researcher Evan Connelly discovered the flaw in the Verizon Call Filter iOS app, revealing that it was possible to access the incoming call logs for any Verizon Wireless number through an unsecured API request. The vulnerability was reported to Verizon on February 22, 2025, and acknowledged by the company two days later. The flaw was subsequently fixed by March 25, 2025.
The vulnerability was rooted in the backend API used by the Verizon Call Filter app, which failed to verify that the phone number requested for call history matched the authenticated user’s number. An attacker with a valid JSON Web Token (JWT) could manipulate the request header and retrieve call logs for any Verizon customer. This oversight allowed modification of the phone number being sent, and data could be received back for Verizon numbers not associated with the signed-in user, raising significant privacy and safety concerns for Verizon Wireless customers. Recommended read:
References :
@The DefendOps Diaries
//
Vivaldi browser has integrated Proton VPN directly into its system, offering users a seamless way to protect their data from 'Big Tech' surveillance. The integration means users can now access VPN services without the need for external downloads or plugin activations. This move signifies a commitment to enhancing user privacy and challenging the data collection practices of major tech firms. The VPN button is available directly in the toolbar to improve user experience.
Vivaldi's partnership with Proton VPN brings browser-level privacy tools to users, allowing them to encrypt all internet traffic and protect them from persistent tracking. When enabled, browsing activity is transmitted through Proton VPN's encrypted tunnels, which obfuscates the user's IP address. The integration aims to provide enhanced protection against tracking and surveillance and sets new standards in digital security. Recommended read:
References :
Carly Page@TechCrunch
//
The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, has announced a significant data breach affecting over 500,000 members. The breach, which occurred in July 2024, resulted in attackers stealing sensitive personal information. PSEA is now notifying the impacted individuals about the incident and the potential risks.
The stolen data includes highly sensitive information, such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial data like card numbers with PINs and expiration dates. Member account numbers, PINs, passwords, and security codes were also accessed. PSEA took steps to ensure, to the best of its ability and knowledge, that the stolen data was deleted. Recommended read:
References :
Dissent@DataBreaches.Net
//
New York Attorney General Letitia James has filed a lawsuit against Allstate Insurance and National General Insurance for allegedly failing to protect the personal information of New York residents. The lawsuit stems from data breaches in 2020 and 2021 that exposed the driver's license numbers of over 165,000 New Yorkers. The Attorney General's office claims that National General's online auto insurance quoting tools were intentionally designed to display consumers' full driver's license numbers in plain text, making them easily accessible to attackers.
The breaches occurred because the company failed to adequately encrypt and secure databases containing personal information. Attackers exploited vulnerabilities in Allstate's National General business unit's websites. The first breach went undetected for two months, and the company allegedly failed to notify affected consumers or relevant state agencies. A second, larger breach occurred due to continued security weaknesses. Attorney General James seeks penalties and an injunction to prevent further violations. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.
This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05. Recommended read:
References :
@techcrunch.com
//
Apple has ceased offering its Advanced Data Protection (ADP) feature for iCloud users in the United Kingdom. This decision follows a reported demand from the UK government for a backdoor that would grant authorities access to encrypted user data. ADP provided end-to-end encryption, ensuring that only the user could decrypt their data stored in iCloud. Apple confirmed that this security feature will no longer be available to new users, and existing UK users will eventually need to disable it.
Apple stated it was "gravely disappointed" that ADP protections would be unavailable in the UK, especially considering the increasing data breaches and threats to customer privacy. The company emphasized the growing need for enhanced cloud storage security with end-to-end encryption. This move highlights a conflict between government surveillance and user privacy, as security experts warn this demand could set a precedent for authoritarian countries. James Baker from Open Rights Group said, "The Home Office’s actions have deprived millions of Britons from accessing a security feature. As a result, British citizens will be at higher risk." Recommended read:
References :
@www.forbes.com
//
A new report by Citizen Lab and the EFF Threat Lab has uncovered critical security vulnerabilities within the popular Chinese social media application, RedNote. The analysis, conducted on version 8.59.5 of the app, revealed that RedNote transmits user content, including viewed images and videos, over unencrypted HTTP connections. This exposes sensitive user data to potential network eavesdroppers, who can readily access the content being browsed.
Additionally, the report highlights that the Android version of RedNote contains a vulnerability that could allow attackers to access the contents of files on a user's device. The app also transmits device metadata without adequate encryption, sometimes even when using TLS, potentially enabling attackers to learn about a user's device screen size and mobile network carrier. Despite responsible disclosures to RedNote and its vendors NEXTDATA and MobTech in late 2024 and early 2025, no response has been received regarding these critical security flaws. Recommended read:
References :
|