Today, as technological advances improve data storage and management, controversy over leaked personal information is also rising. Recently, security researchers discovered that dozens of companies had inadvertently disclosed thousands of pieces of customer data from their Box enterprise storage accounts.
Adversis, a cybersecurity firm, produced the report and published it through the firm’s annual paper, claiming that during its investigation it discovered that hundreds and thousands of pieces of data from Box users were exposed. Although data stored in Box enterprise accounts is private by default, users can share files and documents with almost anyone, making data accessible through a single link.
Box, founded by Aaron Levie in 2005, is a cloud content management and file sharing service for large businesses such as Apple, Discovery, Edelman, Amadeus and more. It is widely available for Windows, MacOS, and several mobile platforms.
The main reason for the exposure of private content is employees or staff sharing individual files in their Box accounts publicly. However, Adversis refused to accept this as an excuse and claimed that others could quickly discover these secret links. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found more than 90 companies with accessible folders.
Adversis also indicated in its report that the leaked data included passport photos, bank account and social security numbers, passwords, employee lists, and financial data such as invoices and receipts for customers’ purchased items. It has emerged that the company had already warned Box six months after its initial disclosure, but noted that there was little improvement on the latter’s end.
Adversis advised Box to reconfigure the default access of shared links so that it is limited to “people in your company only” to reduce accidental exposure of data. However, Box continues to defend itself, saying that the exposure does not demonstrate a vulnerability on its part. According to Box’s management, documents are disclosed to outside entities mainly through easy guessing or brute forcing of Box account shared document URLs. In layman’s terms, if a user succeeds in guessing the URL, they can access the file quickly, and the worst part is that these links often lead to sensitive data.
Besides giving Box tips on how to secure its data, Adversis emphasized in its post that the possibility of guessing or brute forcing Box account shared document URLs was first pointed out in June of last year but gained little attention. As a result, significant data from several private entities was leaked and could now be in the hands of someone who may use it for blackmail or personal purposes.
Clients such as Apple, Amadeus, Discovery and Herbalife, among others, trusted Box to manage their data and even signed a non-disclosure agreement. Despite several warnings from Adversis, the company is confident that its security system is unbreakable, but what has happened shows that the security the company built can still be bypassed.
The case of Box opened issues on cloud storage services, where FixYa, a technical support website did a survey
What is usually the cause of data leakage, given that these companies set up security systems that are hard to breach?
In most cases, users do not fully understand how their files or folders can be shared without their consent. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to ‘public’ or open. These users tend to be misinformed and do not know enough about the technicalities of shared links. If these
Cloud-based file storage is becoming the expected method for file sharing these days, both on personal devices and in the workplace. Both the company and the user or client should work hand in hand to prevent data leakage. With reports of leaked information, companies like Box should implement strict regulation of personal information sharing through their privacy settings, improve admin policies, and introduce additional controls for shared links. After all, knowledge is power; if users and clients are aware of the risk of their sensitive data being compromised, then cases of leaked information can be prevented.
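The kind of admin-side control described above can start with an audit of existing shared links. The following is an added example, not code from Adversis or Box: it walks an exported inventory of shared items and flags links that anyone holding the URL can open. The record layout and the field names (`access`, `password_protected`, `expires_at`) are assumptions made for the illustration, and the sample inventory is constructed.

```python
from datetime import datetime, timezone

# Constructed sample inventory; the field names are assumptions for this example.
SAMPLE_ITEMS = [
    {"name": "q3-invoices", "owner": "finance@example.com",
     "shared_link": {"access": "open", "password_protected": False,
                     "expires_at": None}},
    {"name": "team-handbook", "owner": "hr@example.com",
     "shared_link": {"access": "company", "password_protected": False,
                     "expires_at": None}},
    {"name": "vendor-drop", "owner": "ops@example.com",
     "shared_link": {"access": "open", "password_protected": True,
                     "expires_at": "2030-01-01T00:00:00+00:00"}},
    {"name": "old-pitch", "owner": "sales@example.com",
     "shared_link": {"access": "open", "password_protected": False,
                     "expires_at": "2019-01-01T00:00:00+00:00"}},
    {"name": "passport-scans", "owner": "hr@example.com", "shared_link": None},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def audit_shared_links(items, now=None):
    """Return findings for links that are reachable by anyone with the URL."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for item in items:
        link = item.get("shared_link")
        if not link or link.get("access") != "open":
            continue  # not shared, or limited to the company / invited people
        expires = link.get("expires_at")
        if expires is not None and datetime.fromisoformat(expires) <= now:
            continue  # link has already lapsed
        reasons = ["open to anyone with the URL"]
        if not link.get("password_protected"):
            reasons.append("no password")
        if expires is None:
            reasons.append("never expires")
        severity = {3: "high", 2: "medium", 1: "low"}[len(reasons)]
        findings.append({"name": item["name"], "owner": item["owner"],
                         "severity": severity, "reasons": reasons})
    # Worst first, so owners of unprotected permanent links are contacted first.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for finding in audit_shared_links(SAMPLE_ITEMS):
        print(finding["severity"], finding["name"], "; ".join(finding["reasons"]))
```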
Hackers Can Manipulate Media Files Sent Through WhatsApp And Telegram With A Zero-Day
The vulnerability is dubbed “Media File Jacking.”
Popular instant messaging apps WhatsApp and Telegram contain an unpatched zero-day vulnerability that can be exploited by threat actors and hackers to manipulate files shared across the messaging platform.
Security researchers from Symantec’s Modern OS Security team found a vulnerability that can allow hackers and cybercriminals to manipulate images, audio files, documents, and other forms of data sent from one user to another.
Both WhatsApp and Telegram, along with other instant messaging platforms, have end-to-end encryption, which makes messages safe to send and receive. End-to-end encryption allows only the sender and the receiver to read the contents of the messages, and even the company has no human-readable copies of the messages sent.
However, according to the researchers, the vulnerability, dubbed “Media File Jacking,” can bypass the end-to-end encryption in these apps. It works on Android by default for WhatsApp, and on Telegram if certain features are enabled.
“It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume. This critical time lapse presents an opportunity for malicious actors to intervene and manipulate media files without the user’s knowledge,” wrote Yair Amit, VP & CTO, Modern OS Security in a blog post together with Alon Gat, a software engineer.
“If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos. Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or wreak havoc.”
End-to-end encryption does not make an app immune to threat actors
The researchers said that users of instant messaging platforms are particularly vulnerable in this instance because they assume that apps with end-to-end encryption are automatically immune from hacking. But that is definitely not the case, as illustrated by Symantec’s discovery.
“As we’ve mentioned in the past, no code is immune to security vulnerabilities. While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code,” they added.
The problem comes from how these apps store media files: end-to-end encryption protects content in transit, but it does not protect files once they are saved to external storage. When files are stored on external storage, other apps can access and manipulate them. On WhatsApp, media files are stored externally by default, while on Telegram, the vulnerability is present if “Save to Gallery” is enabled.
Additionally, the Media File Jacking vulnerability, as the researchers said, points to a more significant issue of app developers’ non-secure use of storage resources.
Impact of the exploits
Researchers from Symantec raised the alarm because malicious actors can use the discovered vulnerability in different ways. By exploiting the zero-day, hackers can alter images in near real time as they are sent from one user to another. In a demo video released by Symantec, the researchers were able to change the faces of two men in an image to that of Nicolas Cage as the picture was being sent from one test account to another.
Furthermore, threat actors can also exploit the vulnerability by altering numbers in invoices in a bid to redirect payments to a different bank account number. To make matters worse, researchers said that invoice jacking can also be carried out without a specific target and distributed broadly, looking for any invoices to manipulate and affecting multiple victims who use IM apps like WhatsApp to conduct business.
“As in the previous scenario, an app that appears to be legitimate but is, in fact, malicious, watches for PDF invoice files received via WhatsApp, then programmatically swaps the displayed bank account information in the invoice with that of the bad actor. The customer receives the invoice, which they were expecting to begin with, but has no knowledge that it’s been altered. By the time the trick is exposed, the money may be long gone,” the report said.
Exploitation of the vulnerability may also take the form of audio spoofing, where an attacker exploits the relations of trust between employees in an organization; the attacker can also program the new, manipulated file to mimic the voice of another person.
In the end, Symantec is encouraging IM users to disable the feature that saves media files to external storage in order to mitigate possible attacks that use the exposed vulnerability.
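On the app side, one way to close the window between writing a file and loading it is to record a digest of each file when it is received and check it before display. The following is an added example, not code from Symantec, WhatsApp or Telegram: `MediaStore`, its methods and the sample invoice bytes are hypothetical and constructed, a temporary directory stands in for external storage, and a dictionary stands in for app-private storage that other apps cannot write.

```python
import hashlib
import hmac
import os
import tempfile


class TamperedMediaError(Exception):
    """Raised when a media file no longer matches what was received."""


class MediaStore:
    def __init__(self, shared_dir):
        self.shared_dir = shared_dir  # writable by other apps, like external storage
        self._digests = {}            # stands in for app-private storage

    def receive(self, name, plaintext):
        """Record the digest privately, then write the file to shared storage."""
        self._digests[name] = hashlib.sha256(plaintext).hexdigest()
        path = os.path.join(self.shared_dir, name)
        with open(path, "wb") as fh:
            fh.write(plaintext)
        return path

    def load_unchecked(self, name):
        """The behaviour the article describes: trust whatever is on disk."""
        with open(os.path.join(self.shared_dir, name), "rb") as fh:
            return fh.read()

    def load_verified(self, name):
        """Read once, hash those bytes, and hand back the same bytes."""
        data = self.load_unchecked(name)
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, self._digests[name]):
            raise TamperedMediaError(name)
        return data  # render this buffer; re-reading the file reopens the gap


def demo():
    original = b"Invoice 1001 pay to account 11111111"  # constructed sample
    altered = b"Invoice 1001 pay to account 99999999"   # constructed sample
    with tempfile.TemporaryDirectory() as shared:
        store = MediaStore(shared)
        store.receive("clean.pdf", original)
        path = store.receive("invoice.pdf", original)
        # Another app with storage access rewrites the file before the UI loads it.
        with open(path, "wb") as fh:
            fh.write(altered)
        shown_without_check = store.load_unchecked("invoice.pdf")
        try:
            store.load_verified("invoice.pdf")
            blocked = False
        except TamperedMediaError:
            blocked = True
        untouched_ok = store.load_verified("clean.pdf") == original
    return shown_without_check == altered, blocked, untouched_ok


if __name__ == "__main__":
    print(demo())
```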
Huawei Exec Backtracks: Hongmeng OS Is Not For Smartphones
Liang Hua said they prefer Android as the OS of their smartphones.
When Chinese smartphone giant Huawei was caught off guard by Google’s revocation of its Android license, following the ban Washington imposed on the company, the smartphone maker led people to believe that it was ready for such a situation and announced that it was developing an alternative operating system called Hongmeng.
However, in an interview, Liang Hua, an executive at the tech superpower, backtracked and said that Hongmeng was developed not as an alternative to Android but for the development of the company’s IoT products instead.
Liang Hua said at a Friday press conference in Shenzhen that the operating system, which was rumored to be 60% faster than Android, was not developed for smartphones and that the company still prefers Android as its “first choice” for a smartphone OS.
“The Hongmeng OS is primarily developed for IoT devices that will reduce latency… In terms of smartphones, we are still using the Android operating system and ecosystem as a “first choice.” We haven’t decided yet if the Hongmeng OS can be developed as a smartphone operating system in the future,” said Liang Hua.
Earlier reports revealed that Huawei has been developing Hongmeng since 2012. The company has been testing the new OS on selected devices behind closed doors and in a closed environment. The source also said that testing was accelerated so that the new operating system would be ready for situations such as this one.
Nonetheless, it is still unclear whether Hongmeng will be the official name of the OS coming from Huawei. Experts note that even if Huawei can successfully launch its operating system, the company will still be faced with the challenge of establishing an app ecosystem. It would take Huawei a lot of time to build apps that are compatible with the new operating system.
When Huawei was subjected to a witch hunt by the US government for allegedly aiding the Chinese government in its efforts to spy on the country, and as a pivotal player to potentially economically sabotage the country, an executive order was launched against the China-based tech giant that effectively forced U.S. tech companies to sever ties with Huawei.
The ban from Google has left Huawei’s future in limbo, creating uncertainty for users, especially concerning security updates for their Huawei and Honor phones, or whether their devices will continue to run at all. Following the announcement, Huawei assured its users that all phones sold before the ban and those already in stock would continue receiving updates from Android.
Now, Huawei’s backtrack follows the bilateral meeting between Trump and China’s Xi Jinping at the recently concluded G-20 meeting held in Tokyo, where the American president announced that American companies could resume selling their products to Chinese companies.
The two presidents, in a closely watched sit-down, agreed to a truce and cease-fire in the long-running trade war between the two superpowers.
“U.S. companies can sell their equipment to Huawei. We’re talking about equipment where there’s no great national security problem with it. I said that’s O.K., that we will keep selling that product, these are American companies that make these products,” Donald Trump said after his meeting with the Chinese president. “That’s very complex, by the way. I’ve agreed to allow them to continue to sell that product so that American companies will continue.”
While the relief is what Huawei had been looking forward to from the G-20 meeting today, it may be temporary, as negotiations on the matter are bound to continue and Trump’s ad hoc decision may still be overturned at some point in the negotiations. Nonetheless, the Chinese smartphone superpower can breathe easier for now.
Washington officials are reportedly holding meetings on how they will implement the new orders from Trump. However, special attention has to be given to how to deal with Huawei and its presence on the “entity list,” as the relief does not explicitly remove Huawei from the list.
This App Uses AI To Track Dogs By Their Unique Nose Prints
Authorities can also use it to monitor “uncivilized dog keeping.”
There’s no denying it: facial recognition and biometric identification are everywhere. They are in airports to help passengers board faster, in smartphones to allow users to unlock their devices automatically, in conservation reservoirs to track endangered animals, and in law enforcement agencies to help catch criminals.
And the development of the artificial intelligence (AI) that allows facial recognition technology to evolve is moving faster every day. This time, a China-based start-up has developed an AI capable of identifying and recognizing dogs through their nose prints.
Just as fingerprints are unique to every human, nose prints are unique to every dog. That is why Megvii, a Chinese start-up that is also an independent surveillance system contractor for the Chinese government, has developed and trained an AI to recognize dogs using their nose prints.
The identification system is available through the Megvii app, and users need to scan their dog’s nose from multiple angles, much as users register their fingerprint credentials to use the biometric unlock system of a smartphone.
The company says that, unlike previous identification methods such as chip implants for pets, the Megvii nose print identification app is much cheaper and less invasive.
Apps that could identify and recognize animals like dogs aren’t new in the market at all. An app called Finding Rover uses facial recognition and machine learning to match photos of dogs submitted by owners of lost pets to a massive database of shelters and dog homes to recognize and find lost dogs.
Moreover, using nose prints to identify and recognize dogs and other pets isn’t new either. Kennel clubs around the world are known to use nose prints to match lost dogs with shelter dogs. One primitive way to take a nose print is by coating the nose with ink and pressing it against white cardboard.
What’s new with Megvii’s market offering is the method by which nose prints are collected. In the new app, coating the dog’s nose isn’t necessary anymore, as the AI only needs photos of dog noses to locate key identifying markers, creating a unique profile of a dog in the database.
The company claims that despite differences in camera resolution, its identification system can verify a dog’s identity against an existing record with 95% accuracy. It also says that the system could identify a dog with “high precision” by checking it against records from a larger database, although the company didn’t elaborate on the accuracy rate in that scenario.
Aside from identifying lost dogs, Megvii says that its app can also be used to track inappropriate pet-owner behavior, and authorities can monitor “uncivilized dog keeping.” In China, actions such as walking a dog in public without a leash and not scooping up after a dog has pooped are considered uncivilized and, in several cities, are in some instances considered illegal.
Biometrics identification tech application on animals
The advent of facial recognition and biometric identification technology has not only helped pet owners keep track of their beloved pets. The technology is also known to be used by conservationists in China to track the movement of endangered animals like the endemic panda population.
A group of researchers from the China Conservation and Research Centre for Giant Pandas have developed an app that could recognize individual pandas using facial recognition technology. The app will draw from more than 120,000 images and video clips of giant pandas to identify the animals that are living in the wild.
Camera traps in China have captured images and video footage of giant pandas that are often difficult to see in the wild. The photographs and video are some of the most amazing photos ever of pandas and other species in their remote habitat, which were caught on film as part of long-term wildlife monitoring projects set up in panda nature reserves by the Chinese government and WWF.
The development of the new facial recognition app will presumably help conservationists monitor their programs by keeping track of how many pandas are left. It will also provide significant insight into the breeding program that conservationists have been implementing to encourage an increase in the panda population.