NordVPN Breach and More Alexa Eavesdropping Made This Week's Headlines
"Cybersecurity Awareness Month is a good time to remind ourselves that the responsibility to secure the customer experience goes beyond our infrastructure and out to the browser. For organizations that are passionate about protecting their customers, browser-based attacks are particularly frustrating because the impact directly affects customers. While some browser-based attacks such as web skimming steal customer data and thus victimize both the organization and the users, other attacks leverage an organization's website to attack the customers or to attack another organization entirely."
By: Drew Harwell
"An artificial intelligence hiring system has become a powerful gatekeeper for some of America’s most prominent employers, reshaping how companies assess their workforce — and how prospective employees prove their worth. Designed by the recruiting-technology firm HireVue, the system uses candidates’ computer or cellphone cameras to analyze their facial movements, word choice and speaking voice before ranking them against other applicants based on an automatically generated “employability” score."
"Whether you’re deleting an app that’s buggy, draining your battery or taking up too much precious phone space, Facebook wants to know. According to archived developer documents from the company and confirmation from multiple sources with knowledge of Facebook’s internal operations, the Menlo Park, Calif., giant at one point beta tested analytics to track app deletions for roughly a year. These analytics, which tracked app deleters and their data regardless of whether they have an active Facebook account or not, had the potential to become the basis of targeted ads across any digital channel where Facebook operated its widespread ad network."
By: Michael Kan
"NordVPN has suffered a breach that may have allowed a hacker to view the customer traffic flowing through a Finland-based VPN server. However, no login credentials were intercepted, the company says. The same hacker also hit rival VPN providers TorGuard and VikingVPN; TorGuard is downplaying the severity of the breach."
TechCrunch: NordVPN Confirms it was Hacked
By: Zack Whittaker
"NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked. The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN."
By: K Thor Jensen
"A student broke into Pennsylvania's Downingtown Area School District college preparatory program and obtained personal information including GPAs and SAT scores. They did it to get an advantage in a grade-wide squirt gun game, according to the Philadelphia Inquirer. The data breach was discovered on October 11. Investigators said the suspect used a student portal called Naviance, which bills itself as a "comprehensive college, career and life readiness solution that helps districts and schools align student strengths and interests to postsecondary goals, improving student outcomes and connecting learning to life." They obtained teacher credentials for the system, with which they could access information that would normally be kept secure."
By: Dan Goodin
"By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials. Now, there's a new concern: malicious apps developed by third parties and hosted by Amazon or Google. The threat isn't just theoretical. Whitehat hackers at Germany's Security Research Labs developed eight apps—four Alexa 'skills' and four Google Home "actions"—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these 'smart spies,' as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords."
By: Ylan Q. Mui
"Democratic Sens. Mark Warner of Virginia and Richard Blumenthal of Connecticut and Republican Sen. Josh Hawley of Missouri introduced a bill Tuesday to require the largest social media platforms to give users a way to easily move their data to another service.The proposed ACCESS Act would apply to platforms with products or services with over 100 million monthly active users in the United States. In addition to Facebook’s core platform, the legislation would also hit two of its key products, Facebook Messenger and Instagram. Google’s YouTube would hit the threshold as well."
CyberScoop: DHS is Mulling an Order that would Force Agencies to set up Vulnerability Disclosure Programs
By: Sean Lyngaas
"Department of Homeland Security officials could in the coming months issue an order that would require federal civilian agencies to establish vulnerability disclosure programs that allow independent researchers to find flaws in agency websites and software applications, multiple officials told CyberScoop."
By: Don Clark
"Pentagon officials have been holding private discussions with tech industry executives to wrestle with a key question: how to ensure future supplies of the advanced computer chips needed to retain America’s military edge. The talks, some of which predate the Trump administration, recently took on an increased urgency, according to people who were involved or briefed on the discussions. Pentagon officials encouraged chip executives to consider new production lines for semiconductors in the United States, said the people, who declined to be identified because the talks were confidential."