Subterms
Getty Images/iStockphoto I remember, back in the day, when the browser wars had reached a fit of pique such that no one could believe. A big part of this was driven by profit and how so many websites seemed hellbent on focusing on one browser or another. Some sites functioned only with Internet Explorer and […] More
Image: Getty Images/Westend61 The European Commission has proposed cyber-resilience legislation that could lead to cybersecurity labels and penalties for device manufacturers with shoddy cybersecurity features and practices. The proposed law covers hardware and software of “products with digital elements” sold in the European Union and connected to any network. The Cyber Resilience Act (CRA) proposal […] More
Image: Evolv Have you ever gone to a sporting event and spent what seems like an eternity just trying to get in? Security technologies can slow lines down to a grinding halt, and they’re not always effective – your necklace, keys, and belt may set the metal detector off, while weapons can still get through. […] More
Starbucks says personal data of some customers in Singapore has been compromised, including names, birthdates, and mobile numbers. While credit card details and passwords have not been leaked, it has advised customers to change their password. The US F&B chain sent email messages to multiple customers on Friday, notifying them that it had detected “unauthorised activity online” as well as “some unauthorised access to customer details”. These included names, dates of birth, mobile numbers, and residential addresses, if the personal data had been provided to Starbucks.It said details related to its Rewards customer loyalty programme, such as stored value and credits, were unaffected. Credit card data also had not been compromised since it did not store such information, according to Starbucks. The retailer said local authorities had been informed and it was assisting them on the security incident. While passwords were not compromised, the company urged its customers to reset their password immediately. ZDNET understands that hackers already are peddling the data on an online forum that specialises in the trading of stolen databases. In a September 10 post, the hackers claimed to have access to Starbucks Singapore’s “full database” containing more than 553,000 records and offered a sample dump. In its email, Starbucks said it had implemented additional measures to safeguard customer information, but did not provide details on what these entailed. ZDNET has reached out to the US retailer for more information, including how many customers were affected by the breach, what systems were breached, and when the breach was first uncovered. This article will be updated if and when Starbucks responds. RELATED COVERAGE More
Uber reportedly has suffered another massive security incident, which is likely more extensive than its 2016 data breach and potentially may have compromised its entire network. It also can result in access logs being deleted or altered. A hacker on Thursday was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP). “The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” Sam Curry wrote in a tweet. The security engineer at Yuga Labs, who corresponded with the hacker, added: “This is a total compromise from what it looks like.”Uber since had shut down online access to its internal communications and engineering systems, while it investigated the breach, according a report by The New York Times (NYT), which broke the news. The company’s internal messaging platform, Slack, also was taken offline. The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and was able to persuade the staff member to reveal a password after claiming to be a corporate information technology personnel. The social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak. With the employee’s password, the hacker was able to get into the internal VPN, said Acronis’ CISO Kevin Reed in a LinkedIn post. The hacker then gained access to the corporate network, found highly privileged credentials on network file shares, and used these to access everything, including production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface. It was not known, though, how the hacker was able to circumvent the two-factor authentication after obtaining the employee’s password, Reed noted.”This looks bad,” he said, noting that it was likely hackers now could access whatever data Uber had. Asked if the impact was similar or potentially greater than Uber’s 2016 data breach, Reed told ZDNET the latest compromise was certainly large and “as big as it could be”. Every system Uber operated might have been compromised, he said. While it was unclear what data the ride-sharing company retained, he noted that whatever it had most likely could be accessed by the hacker, including trip history and addresses. Given that everything had been compromised, he added that there also was no way for Uber to confirm if data had been accessed or altered since the hackers had access to logging systems. This meant they could delete or alter access logs, he said. In the 2016 breach, hackers infiltrated a private GitHub repository used by Uber software engineers and gained access to an AWS account that managed tasks handled by the ride-sharing service. It compromised data of 57 million Uber accounts worldwide, with hackers gaining access to names, email addresses, and phone numbers. Some 7 million drivers also were affected, including details of more than 600,000 driver licenses.Uber later was found to have concealed the breach for more than a year, even resorting to paying off hackers to delete the information and keep details of the breach quiet. The ride-sharing company in 2018 reached a $148 million settlement to pay $148 million over the breach and coverup, with the monies distributed across the US. RELATED COVERAGE More
Image: Joe Raedle/Getty Images Every year, thousands of Americans have their phones and other devices searched at the border before they travel abroad. Now, a US senator has revealed that when it searches these devices, US Customs and Border Protection (CBP) downloads their contents — which can include text messages, pictures, and other personal information — […] More
CNET Chrome OS has become quite the platform for users of all types. Whether you’re a typical user who spends most of your time within an operating system browsing social media, writing ad hoc papers, and shopping for the latest trends, or if you’re an administrator who has to work on remote machines throughout the […] More
Image: Shutterstock Microsoft on Tuesday disclosed 64 vulnerabilities, including five critical ones and one that has been exploited. The patches released address common vulnerabilities and exposures (CVEs) in: Microsoft Windows and Windows Components; Azure and Azure Arc; .NET and Visual Studio and .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux […] More
