Spotify resets some account passwords citing ‘suspicious activity’

From techcrunch.com

Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.

In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but the email gave no further details.

When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.”

Read more…

New Software Skims Credit Card Info From Online Credit Card Transactions

From blog.malwarebytes.com

Criminals continue to target online stores to steal payment details from unaware customers at a rapid pace. There are many different ways to go about it, from hacking the shopping site itself, to compromising its supply-chain.

A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be handled securely. Since some stores will not process payments on their own site, one might think that even if they were compromised, attackers wouldn’t be able to steal customers’ credit card data.

But this isn’t always true. RiskIQ previously detailed how Magecart’s Group 4 was using an overlay technique that would search for the active payment form on the page and replace it with one prepped for skimming.

The one we are looking at today adds a bogus iframe that asks unsuspecting customers to enter their credit card information. The irony here is that the shopping site itself wouldn’t even ask for it, since visitors are normally redirected to the external PSP.

Read more…

Google Tracks Purchases For Paying G Suite Users, Doesn’t Show It

From bleepingcomputer.com

Google is also tracking all purchases made by G Suite users just as it does for users of the free Gmail email service, although the Google Account’s Purchases page will not list them for review for the paid accounts.

As BleepingComputer reported during the weekend, Gmail users can see all their email receipts and confirmations from orders placed “using Google services, like Google Play Store, Google Express, or through the Google Assistant” or received from brick-and-mortar stores on the Google Account Purchases page, located at https://myaccount.google.com/purchases.

At the time the previous report was published, BleepingComputer thought that the purchase extraction process was not enabled for users of paid G Suite accounts after seeing that the Google Account Purchases page was empty for two G Suite accounts frequently used to make online purchases.

Read more…

DNS Flag Day 2020: DNS servers must support both UDP and TCP queries

From zdnet.com

An industry group of the world’s biggest DNS service providers has agreed on a plan to improve the state of the DNS ecosystem by forcing certain configuration changes upon the smaller server operators that are affecting the speed and performance of the entire internet.

According to this group, starting with February 1, 2020, DNS servers that can’t handle DNS queries over both UDP and TCP may be pushed out of the DNS ecosystem and stop working.

The idea is to get DNS server operators to update their server software and configurations and ensure their servers can handle DNS queries received as either UDP or TCP packets.

Read more…

Siemens, Alphabet’s Chronicle forge cybersecurity partnership

From zdnet.com

Siemens and Alphabet’s Chronicle are teaming up to secure energy infrastructure.

Under the pact, Siemens will use Chronicle’s Backstory platform to provide security visibility across information and operational technology. Chronicle’s platform will be combined with Siemens’ cybersecurity tools for the energy industry. Backstory launched in March.

As the industrial Internet of things takes off, more utilities and critical infrastructure will be more connected and potentially vulnerable. The energy industry is a big target for cyber terrorism and threats from nation-states and affiliated actors. Securing critical infrastructure is a hot topic and large industrial companies are taking different approaches to the problem. For instance, GE launched a technology called digital ghost to secure the industrial Internet. 

Read more…

We listened to more than 3 hours of US Congress testimony on facial recognition so you didn’t have to go through it

From theregister.co.uk

Analysis: AI experts, lawyers, and law enforcement urged US Congress to regulate the use of facial recognition technology during a hearing held by the House Committee on Oversight and Reform on Wednesday.

The technical issues and social impacts of using AI software to analyse images or videos are well known. There have been repeated reports of how inaccuracies lead to people being misidentified in research and in real life. San Francisco just passed an ordinance banning the local government using facial recognition technology.

Read more…

Alphabet’s Chronicle Explores Code-Signing Abuse in the Wild

From darkreading.com

A new analysis highlights the prevalence of malware signed by certificate authorities and the problems with trust-based security.

Researchers with Chronicle, the cybersecurity company and Alphabet subsidiary, today published an analysis of its investigation into the trend of signed malware being exploited in the wild.

The process of cryptographically signing code was created to give the Windows operating system a means to distinguish good code from bad. Certificates are signed/issued by trusted certificate authorities (CAs), backed by a trusted parent CA. The purpose behind signing a Windows executable file was to mark the authenticity of code published on the Internet.

The problem is, this system is based on trust, and cybercriminals are taking advantage of it.

Malware authors buy these certificates, directly or through resellers. While a CA can revoke a certificate deemed untrustworthy — and more of them are — this remains the only way to cut down on abuse. The process creates a window during which malware has a trusted certificate.

Read more…