U.S. senator exposes data purchases

Plus, 700 million LinkedIn profiles get their data scraped, and a new report on facial recognition shows little accountability

Responding to an inquiry from U.S. Senator Ron Wyden, several ad tech companies provided lists of the foreign firms, including some based in Russia and China, that purchase sensitive data on millions of Americans. “This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns,” Wyden said in a statement before launching the inquiry, asking ad tech companies which foreign entities are buying their “bidstream” data, which includes information such as GPS location, device identifiers, and browsing history. Wyden sent the question to Google, Verizon, Magnite, Pubmatic, Index Exchange, and OpenX, among others. 

While Google and Verizon did not respond to Wyden’s inquiry, Magnite submitted a list of 150 companies, some of which Wyden’s team discovered were based in Russia and China. The revelation highlighted potential privacy issues, and Wyden’s team is still assessing whether or not it constitutes a security risk. 

“It’s curious that trafficking sensitive data on Americans is only considered a security risk in certain cases,” commented Avast Security Evangelist Luis Corrons. “I think it’s time to prioritize privacy. If there is absolutely no control over the information that is being managed by ad tech companies, anything can happen. And while there could be useful tools through legislation to handle this, it’s better for users to take control of their privacy and avoid digital tracking by using what we already have: secure browsers, VPNs, etc.” For more, see the story on Motherboard.

700 million users exposed in LinkedIn data scrape

A sale notice has appeared on an underground cybercrime forum offering buyers the data of up to 700 million LinkedIn users. The seller claims they pulled the information using LinkedIn’s own API, meaning it was not a data breach but a data scraping, collecting all the publicly available information that can be found on LinkedIn’s site. The information includes full names, email addresses, birth dates, work addresses, phone numbers, Facebook and Twitter IDs, job titles, location, and, in some cases, specific GPS coordinates (most likely captured from mobile users who allowed LinkedIn to access their GPS location). More on this story at Tom’s Guide.  

Hackers infect and factory-reset My Book Live devices

In a statement this week, Western Digital analyzed a series of cyberattacks on My Book Live storage devices, where hackers exploited two vulnerabilities, one to install malware and the other to completely wipe the device clean with a factory reset. In its analysis, Western Digital wrote, “The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device.” The motivation behind a hacker launching each of these opposite attacks remains unknown. For more, see Ars Technica.

U.S. agencies use facial recognition without accountability

The Government Accountability Office (GAO) has learned that 15 federal agencies use non-federal facial recognition systems for law enforcement purposes, and very few of them track or log that use. The GAO surveyed 42 federal agencies that employ law enforcement officers about their use of facial recognition and learned that 20 make use of the federal system, while 15 use privately built systems. Of those 15, the GAO has recommended that 13 of the agencies “track employee use of non-federal systems and assess the risks these systems can pose regarding privacy, accuracy, and more.” For further details, see the GAO report.

Microsoft signs driver loaded with rootkit malware

Hackers have tricked Microsoft into signing a malicious driver that a bad actor has been distributing within gaming environments. “The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments,” Microsoft Security Response Center wrote on its blog, stating that it is not attributing the malware to a nation-state group. “The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keylogger,” it added. Microsoft has suspended the account that submitted the driver and checked all previous submissions from that account for additional signs of malware. 

This week’s ‘must-read’ on The Avast Blog

Tech support fraud is a big business, and the people behind it use a number of techniques to try to convince victims that they need their help. We take a look at some of the tricks that tech support fraudsters use to deceive people and steal their money.