Microsoft has today announced a data breach that affected one of its customer databases.
The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.
Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, claims it was to the order of 250 million records containing “logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019“.
According to Comparitech, that same data was accessible on five Elasticsearch servers.
Have you ever received items by courier from people overseas?
If so, you’ll know that sometimes – notably in the case of gifts, where the other person hasn’t told you what they’re sending – the courier company doesn’t deliver the item directly.
Sometimes you get an email saying that the item is delayed because the authorities want to inspect it; or there’s import duty; or there’s a supplementary delivery charge if you can’t collect it from the depot yourself.
And to help you get through the paperwork easily, there’s often a tracking code and a clickable link in the email.
OK, technically, this article is about malware in general, not about viruses in particular.
Strictly speaking, virus refers to a type of malware that spreads by itself, so that once it’s in your system, you may end up with hundreds or even thousands of infected files…
…on every computer in your network, and in the networks your network can see, and so on, and so on.
These days, however, the crooks don’t really need to program auto-spreading into their malware – thanks to always-on internet connectivity, the “spreading” part is easier than ever, so that’s one attention-grabbing step the crooks no longer need to use.
But the word virus has remained as a synonym for malware in general, and that’s how we’re using the word here.
So, for the record, here are seven categories of malware that give you a fair idea of the breadth and the depth of the risk that malware can pose to your organisation.
Did Android users celebrate loudly when Google announced support for Accelerated Mobile Pages for Email (AMP4Email) in its globally popular Gmail service in 2018?
Highly unlikely. Few will even have heard of it, nor have any idea why the open source technology might improve their webmail experience.
They might, however, be interested to learn that a researcher, Michał Bentkowski, of Securitum, recently discovered a surprisingly basic security flaw affecting Google’s implementation of the technology.
If you think brand new Android smartphones are immune from security vulnerabilities, think again – a new analysis by security company Kryptowire uncovered 146 CVE-level flaws in devices from 29 smartphone makers.
Without studying all 146 in detail, it’s not clear from the company’s list how many were critical flaws, but most users would agree that 146 during 2019 alone sounds like a lot.
The sort of things these might allow include the modification of
system properties (28.1%), app installation (23.3%), command execution
(20.5%), and wireless settings (17.8%).
Remember, these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app – these are the security problems shipped with your new phone, not ones that compromise the device during its use.
Mozilla on Friday posted a letter urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt – they’re dropping “factual inaccuracies” about “a plan that doesn’t exist,” it says.
Both of the entities behind those browsers – Mozilla and Google – have been moving to embrace the privacy technology, which is called DNS over HTTPS (DoH). Also backed by Cloudflare, DoH is poised to make it a lot tougher for ISPs to conduct web surveillance; to hoover up web browsing activity and, say, sell it to third parties without people’s consent; or to modify DNS queries so they can do things like inject self-promoting ads into browsers when people connect to public Wi-Fi hotspots.
Those are just some of the ISP sins that Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regards to the domain name services (DNS) ISPs provide to US consumers.
DoH isn’t a panacea – you can check out Paul Ducklin’s explanation of the issues it raises in the Naked Security podcast below – but it promises to at least seriously gum up tracking and monetization of data.
In September, Mozilla announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. Within days, Google issued a me-too, officially announcing its own DoH experiment in Chrome.