Security News for the Week Ending Friday August 3, 2018
Old Hacks Never Die
Brian Krebs is reporting that state government agencies are receiving malware-laced CDs in the mail, in the hope that someone is curious enough to put one in their computer and infect it. This is an older variant of a ploy that is still common: dropping malware-infected flash drives in places outside businesses, like break areas, again hoping that curious workers will plug them into their computers and infect them.
The simple solution is not to insert it, and instead hand the media to your information security team to review. Source: Krebs on Security.
23 and Me Licensed All Customers’ DNA to Big Pharma
In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.
23 and Me made a deal with Glaxo Smith Kline (GSK) to provide all of their customers’ DNA for “research”, whatever that means. The deal lasts for four years. I am not sure what happens after four years – do they have to give back everyone’s DNA? Probably not.
And, kind of like Google, 23 and Me got a check for $300 million, but did not share that with the people whose DNA they sold.
23 and Me says that you can opt out of letting them sell your DNA when you sign up. Apparently I opted out. You can also change that option at any time but it is not obvious how to do that. It is buried in the research tab after you sign in. I assume that change is not retroactive. If you didn’t opt out, GSK has a copy of your DNA. Source: Motherboard.
More Woes for CCleaner
CCleaner, the popular utility for cleaning up your computer, has added some more woes to its basket.
Piriform sold CCleaner to security firm Avast a few months ago. Right after the sale, CCleaner was found to be distributing a malware-laced version of the software. Over a million copies of the infected software were downloaded, but it only targeted a handful of victims. That was done by an attacker.
This problem is self-inflicted. The new version of CCleaner has a data collection feature which vacuums up information about the victim’s computer, with no way to disable it and no way to opt out.
Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law, GDPR, which could result in a fine of the larger of 20 million Euros or 4% of their global revenue. They are rethinking the wisdom of doing this and will release a new version of the software. Real soon. Source: ZDNet.
Idaho Inmates Hack Prison-Issued Tablets
Prisons in Idaho issue inmates specially locked-down tablets to send emails to loved ones and perform other limited functions. Some of those functions cost money, and that is where the rub comes in. The tablets, managed by a vendor called JPay, were hacked by several hundred inmates to the tune of almost a quarter million bucks. Now JPay is trying to get their money back. At least it is not taxpayer money. Source: TechCrunch.