Airbnb Bans Indoor Security Cameras on Privacy Grounds

Automakers collect information on connected car drivers for insurance companies, French government hit by powerful DDoS attacks, Incognito Market is extorting vendors and buyers, Roku data breach affects over 15,000 customers, Magnet Goblin exploits 1-day flaws, JetBrains blames Rapid7 for exploitation of its TeamCity vulnerability, EU Commission violated the bloc's own data protection rules, much more

Check out my latest CSO column, which delves into the Chinese espionage threat posed by connected cars.

Image created with Stable Diffusion.

Airbnb is banning indoor security cameras from rental properties listed on its site, citing privacy concerns.

The platform had allowed cameras in common areas like hallways and living rooms as long as they were clearly mentioned in a property's listings. Those will now be banned, too.

“Our goal was to create new, clear rules that provide our community with greater clarity about what to expect on Airbnb," said Juniper Downs, Airbnb’s head of community policy and partnerships. "These changes were made in consultation with our guests, Hosts, and privacy experts, and we’ll continue to seek feedback to help ensure our policies work for our global community.”

Airbnb said the new rules would likely only affect a "smaller subset" of listings, given that most properties don't have cameras.

The company is also revising its rules about outdoor security cameras and other devices, like noise decibel monitors. All of them must now be disclosed in property listings. (Rob Wile / NBC News)

Despite car drivers’ reluctance to install devices or download apps that monitor their driving, automakers are collecting information directly from internet-connected vehicles for use by the insurance industry.

Sometimes, this happens with a driver’s awareness and consent, but in other cases, consent is obtained in fine print and murky privacy policies that few read. Some drivers with GM vehicles say they were tracked even when they did not turn on the OnStar Smart Driver feature and that their insurance rates went up as a result.

Often, there is no warning that the data collected by the cars will be shared with third parties. Warnings about the tracking are scattered across online discussion boards dedicated to GM vehicles, and numerous people have complained about the spike in their insurance premiums as a consequence of the tracking.

GM confirmed that it shares “select insights” about hard braking, hard acceleration, speeding over 80 miles an hour, and drive time of Smart Driver enrollees with LexisNexis and another data broker that works with the insurance industry called Verisk.

A GM spokeswoman said customers turn on Smart Driver “at the time of purchase or through their vehicle mobile app.” It is possible that GM drivers who insisted they didn’t opt-in unknowingly signed up at the dealership, where salespeople can receive bonuses for successfully enrolling customers in OnStar services, including Smart Driver, according to a company manual.

Neither the car companies nor the data brokers deny engaging in this practice. However, automakers say the primary purpose of their driver feedback programs is to help people develop safer driving habits.

Policymakers have expressed concern about collecting sensitive information from consumers’ cars. California’s privacy regulator is currently investigating automakers’ data collection practices. Last month, Senator Edward Markey of Massachusetts urged the Federal Trade Commission to investigate. (Kashmir Hill / New York Times)

A driver posted his low score on an online Corvette forum. Source: New York Times.

Several French government departments were hit with a series of powerful DDoS attacks, for which the pro-Russian hacking group Anonymous Sudan took credit.

In response, the government activated a crisis unit to deal with the incident. According to the prime minister's office, the impact has now been reduced, and access to some government websites has been “re-established,” but the attacks are still ongoing.

“Since [Sunday], several government departments have been the subject of cyberattacks whose technical methods are conventional but the intensity unprecedented,” the prime minister’s office said in a statement. “Many ministerial services have been targeted," it added.

Teams mobilized from the interministerial digital affairs department DINUM and France’s cybersecurity agency ANSSI continue to fend off the attacks, added the prime minister’s office. (Antoaneta Roussi / Politico EU)

The darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transactions and chat records of users who refuse to pay a fee ranging from $100 to $20,000.

The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

The homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info, and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.” (Brian Krebs / Krebs on Security)

Source: Krebs on Security.

Roku disclosed a data breach affecting more than 15,000 customers: hijacked accounts were used to make fraudulent purchases of hardware and streaming subscriptions, and threat actors sold the stolen accounts for as little as $0.50 each, letting buyers run up illegal purchases on the stored credit cards.

Roku warned that 15,363 customer accounts were hacked in a credential-stuffing attack. The company says that once an account was breached, threat actors could change its information, including passwords, email addresses, and shipping addresses. This would lock a user out of the account and allow the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.

Roku says it secured the impacted accounts and forced a password reset upon detecting the incident.

Additionally, the platform's security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders. (Bill Toulas / Bleeping Computer)
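The pattern Roku describes (one source trying many accounts, then changing the email and shipping address on the few that succeed and buying with the stored card) is what a credential-stuffing detection looks for. The following is an added example, not Roku's code; the log format, the sample lines and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Roku data). Assumed format for this example:
# "<ISO-8601 UTC timestamp> <source IP> <event> <account>"
SAMPLE_LOG = """\
2024-03-08T10:00:01Z 203.0.113.7 login_fail alice
2024-03-08T10:00:02Z 203.0.113.7 login_fail bob
2024-03-08T10:00:03Z 203.0.113.7 login_fail carol
2024-03-08T10:00:04Z 203.0.113.7 login_fail dave
2024-03-08T10:00:05Z 203.0.113.7 login_ok erin
2024-03-08T10:00:06Z 203.0.113.7 login_fail frank
2024-03-08T10:02:10Z 203.0.113.7 email_change erin
2024-03-08T10:02:40Z 203.0.113.7 address_change erin
2024-03-08T10:05:00Z 203.0.113.7 purchase erin
2024-03-08T10:01:00Z 198.51.100.20 login_ok alice
2024-03-08T10:03:00Z 198.51.100.20 purchase alice
2024-03-08T10:04:00Z 198.51.100.21 login_fail bob
2024-03-08T10:04:30Z 198.51.100.21 login_ok bob
"""


def parse_log(text):
    """Parse the assumed format into time-ordered (timestamp, ip, event, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, account = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, event, account))
    return sorted(events)


def stuffing_sources(events, min_accounts=5, max_success_rate=0.3):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A legitimate user mistyping a password hits one account; a stuffing tool
    replays leaked credential pairs across many accounts with a low hit rate.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "ok": 0, "fail": 0})
    for _, ip, event, account in events:
        if event == "login_ok":
            per_ip[ip]["ok"] += 1
        elif event == "login_fail":
            per_ip[ip]["fail"] += 1
        else:
            continue
        per_ip[ip]["accounts"].add(account)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / (s["ok"] + s["fail"])
        if len(s["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"accounts": len(s["accounts"]), "success_rate": round(rate, 2)}
    return flagged


def takeover_candidates(events, window=timedelta(hours=1)):
    """Accounts where a successful login from a flagged IP is followed within
    `window` by a contact-detail change and a purchase: the lock-out-and-buy
    sequence described in the Roku disclosure."""
    bad_ips = stuffing_sources(events)
    hits = set()
    for ts, ip, event, account in events:
        if event != "login_ok" or ip not in bad_ips:
            continue
        later = [e for t, _, e, a in events if a == account and ts < t <= ts + window]
        changed = any(e in ("email_change", "address_change") for e in later)
        bought = "purchase" in later
        if changed and bought:
            hits.add(account)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("takeover candidates:", takeover_candidates(evs))
```

On the sample, only 203.0.113.7 is flagged (six accounts, one success) and only erin's account shows the takeover sequence; alice's and bob's single-account logins are ignored. The thresholds are starting points: in production they would be tuned per endpoint, and the email-change event alone should already trigger a notification to the previous address.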

Researchers at Check Point report that a financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities, or vulnerabilities for which patches have been released, to breach public-facing servers and deploy custom malware on Windows and Linux systems.

Check Point says that Magnet Goblin is quick to exploit newly disclosed vulnerabilities, sometimes exploiting flaws a day after a PoC exploit is released.

Some of the devices or services targeted by the hackers are Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893), Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense (CVE-2023-41265, CVE-2023-41266, CVE-2023-48365), and Magento (CVE-2022-24086).

Magnet Goblin exploits the flaws to infect servers with custom malware, particularly NerbianRAT and MiniNerbian, as well as a custom variant of the WARPWIRE JavaScript stealer.

Check Point says identifying specific threats like Magnet Goblin's attacks among the sheer volume of 1-day exploitation data is challenging, allowing these groups to hide in plain sight in the chaos that follows the disclosure of flaws. (Bill Toulas / Bleeping Computer)

Source: Check Point.

JetBrains, the developer of the TeamCity build management and continuous integration server, maintains that a TeamCity vulnerability recently disclosed under controversial circumstances is being exploited in ransomware attacks.

Rapid7, whose researchers discovered the vulnerabilities, made public details of CVE-2024-27198 and CVE-2024-27199 a few hours after JetBrains announced fixes.

Full disclosure seems to have occurred due to miscommunication between the two companies. Rapid7 was concerned that JetBrains would try to silently patch the vulnerabilities and the vendor was concerned that Rapid7 would disclose details too quickly. JetBrains informed customers about patches without notifying Rapid7, which decided to disclose details immediately.

JetBrains blames Rapid7 for the targeting of CVE-2024-27198 shortly after disclosure on March 4. By March 6, LeakIX, a project that scans the web for vulnerable and misconfigured systems, started seeing mass exploitation, with signs of rogue user creation seen in 1,400 instances.

GuidePoint Security reported that a ransomware group named BianLian, known to target critical infrastructure, may have exploited CVE-2024-27198 for initial access. However, it’s possible that the cybercriminals exploited a different TeamCity flaw. (Eduard Kovacs / Security Week)

A lengthy investigation into the European Commission’s use of Microsoft 365 found that the Commission breached the bloc’s data protection rules in its use of the cloud-based productivity software.

The European Data Protection Supervisor (EDPS) said the Commission infringed “several key data protection rules when using Microsoft 365”.

“The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” the data supervisor, Wojciech Wiewiórowski, wrote, adding: “The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.”

The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9, 2024, assuming it continues to use Microsoft’s cloud suite. (Natasha Lomas / TechCrunch)

President Joe Biden released his budget proposal for fiscal year (FY) 2025, allocating $13 billion in cybersecurity funding across the Federal government.

This request includes an additional $103 million for the Cybersecurity and Infrastructure Security Agency (CISA).

To protect against foreign adversaries and safeguard Federal systems, Biden’s proposed budget bolsters cybersecurity by providing $13 billion in cybersecurity funding across civilian departments and agencies, a slight increase from his FY24 request of $12.7 billion.

The budget provides $3 billion for CISA to advance the administration’s commitment to making cyberspace more resilient and defensible, an increase of $103 million compared to the FY23 enacted budget. This includes $470 million to deploy Federal network tools, including endpoint detection and response capabilities; $394 million for CISA’s internal cybersecurity and analytical capabilities; $41 million for critical infrastructure security coordination; and $116 million for critical infrastructure cyber event reporting. (Cate Burgan / Meritalk)

Related: C4ISRNet, Cyberscoop

The Texas Health and Human Services Office of Communications said that nearly 3,400 East Texans potentially had their personal information disclosed when a staff member emailed spreadsheets to their personal email account between September and October 2023.

The spreadsheets contained confidential information such as full names, home addresses, telephone numbers, health information, services, financial information, Medicaid ID numbers, and at least one individual’s social security number.

HHSC took immediate steps to mitigate a potential breach by investigating the reported privacy incident, identifying the confidential information involved, and referring the incident to the Texas Health and Human Services Office of Inspector General for investigation.

The agency is unaware of any unauthorized disclosure or misuse of personal information. However, an unintended recipient may have acquired or viewed the personal information.

HHSC is providing one year of free credit monitoring services to individuals affected by the breach. (KLTV)

House Republican leaders are moving this week to pass legislation that would force ByteDance, the Chinese owner of TikTok, to sell the platform or face being barred in the United States, even after Donald Trump came out against targeting the popular social media app he once vowed to ban.

Representative Steve Scalise, Republican of Louisiana and the majority leader, said that the House would try to speed the bill to passage under special procedures reserved for noncontroversial legislation requiring a two-thirds majority for passage. The approach reflected the bill’s growing momentum on Capitol Hill during an election year in which members of both political parties are eager to demonstrate a willingness to be tough on China.

“We must ensure the Chinese government cannot weaponize TikTok against American users and our government through data collection and propaganda,” Scalise said. (Annie Karni and Jonathan Swan / New York Times)

Cloud identity and access management provider Okta denies that its company data was leaked after a threat actor posted on a hacker forum files allegedly stolen during the October 2023 attack on the company.

In October 2023, Okta warned that its support system had been breached by hackers using stolen credentials, allowing the attackers to steal cookies and authentication tokens belonging to some customers. After the internal investigation was completed in late November, it was revealed that the incident impacted all users of the customer support system.

A cybercriminal using the alias 'Ddarknotevil' claimed to be releasing an Okta database containing information on 3,800 customers that was stolen during last year's breach.

"Today, I have uploaded the Okta database for you all, This Breach is being shared in behife @IntelBroker - [Cyber <redacted>] thanks for reading and enjoy!," the threat actor posted to the hacking forum.

However, Okta said the data does not belong to them and appears to be from public information on the internet.

Cyber-intelligence firm KELA also reviewed the shared data and independently corroborated that the data does not belong to Okta but is believed to be from a different company breached in July. (Bill Toulas / Bleeping Computer)

Related: KELA

Source: Bleeping Computer.

Meta sued Dipinder Singh Khurana, also known as T.S. Khurana, one of its former vice presidents, for what it called a “stunning” betrayal in his defection to a “stealth” AI cloud computing startup and accused Khurana of stealing a “trove of proprietary, highly sensitive, confidential, and non-public documents about Meta’s business and employees.”

In a complaint filed in California state court in Contra Costa County, Meta alleges that in “brazenly disloyal” conduct, Khurana uploaded documents related to employee pay and performance, as well as non-public business contracts, to his personal Google Drive and Dropbox accounts just before leaving the company. Meta says at least eight employees listed in the documents Khurana uploaded left Meta to work at Khurana’s new company last year.

“Khurana’s conduct while leaving Meta, and since then, reflects an utter disregard for his contractual and legal obligations,” the lawsuit reads. A Meta spokesperson said the company “takes this kind of egregious misconduct seriously. We will continue working to protect confidential business and employee information.” (Kurt Wagner / Bloomberg)

Tuta Mail has announced TutaCrypt, a new post-quantum encryption protocol intended to secure communications against the decryption attacks that sufficiently powerful quantum computers are expected to enable.

Tuta Mail is an open-source end-to-end encrypted email service with ten million users. Its creator, Tuta, is based in Germany, where it's involved in developing post-quantum secure cloud storage and file-sharing solutions for the government.

TutaCrypt is a new protocol designed to protect currently exchanged communications from 'harvest now, decrypt later' attacks, in which ciphertext is recorded today and decrypted once quantum computers can break the classical key exchange. TutaCrypt combines CRYSTALS-Kyber for post-quantum key encapsulation with X25519 for the Elliptic-Curve Diffie-Hellman key exchange.

Like others in the field, including Signal and Apple (iMessage), Tuta has opted for a hybrid approach, combining a quantum-safe algorithm with a traditional one so that the exchange stays secure against both current and future threats as long as either primitive holds. (Bill Toulas / Bleeping Computer)
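What "hybrid" buys you is easiest to see in code. The following is an added example, not TutaCrypt's or Tuta's code: X25519 is implemented directly from RFC 7748 so the block runs without third-party libraries (the Python big-integer arithmetic is not constant-time, so this is for illustration only), and because no Kyber implementation is available here the Kyber shared secret and ciphertext are opaque placeholder bytes, assumed to come from a real KEM. The combiner (HKDF over both shared secrets and the public transcript) is a generic construction, not Tuta's published one.

```python
import hashlib
import hmac
import os

# ---- X25519 (RFC 7748): plain-Python Montgomery ladder, illustration only ----
P = 2**255 - 19
BASE = (9).to_bytes(32, "little")  # u-coordinate of the base point


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# Test vectors from RFC 7748 section 6.1 (Alice/Bob Diffie-Hellman).
RFC7748_ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
RFC7748_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def rfc7748_check() -> bool:
    a_pub = x25519(RFC7748_ALICE_PRIV, BASE)
    b_pub = x25519(RFC7748_BOB_PRIV, BASE)
    return x25519(RFC7748_ALICE_PRIV, b_pub) == RFC7748_SHARED == x25519(RFC7748_BOB_PRIV, a_pub)


# ---- HKDF-SHA256 (RFC 5869) ----
def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# ---- Hybrid combiner: the session key depends on BOTH shared secrets ----
def hybrid_key(ss_pq: bytes, ss_ecdh: bytes, ct_pq: bytes, pk_sender: bytes, pk_receiver: bytes) -> bytes:
    """An attacker who later breaks X25519 (harvest now, decrypt later) learns
    ss_ecdh but still lacks ss_pq, so the derived key stays secret; conversely a
    flaw in the young PQ scheme is covered by ss_ecdh. Hashing the transcript
    into the salt binds the key to the ciphertext and public keys exchanged."""
    transcript = hashlib.sha256(ct_pq + pk_sender + pk_receiver).digest()
    return hkdf_sha256(ss_pq + ss_ecdh, salt=transcript, info=b"hybrid-kyber-x25519-example")


def hybrid_roundtrip() -> bool:
    """Both parties derive the same key. The KEM side is simulated: in a real
    run the sender gets (ct_pq, ss_pq) by encapsulating to the receiver's Kyber
    public key and the receiver recovers ss_pq by decapsulating ct_pq."""
    a_priv, b_priv = os.urandom(32), os.urandom(32)
    a_pub, b_pub = x25519(a_priv, BASE), x25519(b_priv, BASE)
    ss_pq, ct_pq = os.urandom(32), os.urandom(32)  # placeholders for Kyber output
    k_sender = hybrid_key(ss_pq, x25519(a_priv, b_pub), ct_pq, a_pub, b_pub)
    k_receiver = hybrid_key(ss_pq, x25519(b_priv, a_pub), ct_pq, a_pub, b_pub)
    return k_sender == k_receiver


if __name__ == "__main__":
    print("RFC 7748 vectors:", rfc7748_check())
    print("hybrid round trip:", hybrid_roundtrip())
```

The point of concatenating the two secrets before the KDF, rather than XORing them or picking one, is that the output is pseudorandom as long as either input is unknown to the attacker; that is the property the hybrid deployments named above rely on.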

European cybersecurity startup Eye Security announced it had raised €36 million ($39 million) in a Series B venture funding round.

J.P. Morgan Growth Equity Partners led the round with participation from existing investors Bessemer Venture Partners and TIN Capital. (Isaac Taylor / Wall Street Journal)

Reach Security, which provides AI solutions for security operations, announced it had raised $20 million in a new venture funding round.

Ballistic Ventures led the round, joined by Artisanal Ventures, Mark McLaughlin, and Denise Persson. Existing backers Webb Investment Network, Ridge Ventures, and TechOperators also participated. (Kyle Wiggers / TechCrunch)

Germany-based Steadybit, which helps software developers improve software reliability through chaos engineering, announced it had raised $6 million in a Series A venture funding round.

Paladin Capital Group led the round with participation from existing investors Boldstart Ventures, Angular Ventures, and NewForge. (Kevin Townsend / Security Week)

Related: Tech.eu

Best Thing of the Day: Let’s See If They Stick to This

Microsoft said it will train 100,000 Philippine women on artificial intelligence technology and cybersecurity.

Bonus Best Thing of the Day: Yes, Please Explain PQC in More Detail

Google Bug Hunters has launched a blog series on post-quantum cryptography (PQC) in which it hopes to share the internet and technology giant’s latest thinking on the PQC migration and the reasoning behind it.

Worst Thing of the Day: This Is Seriously Rich

President Vladimir Putin's foreign intelligence service accused the United States of trying to meddle in Russia's presidential election and said that Washington even had plans to launch a cyber attack on the online voting system.

Closing Thought