Next Up, Amazon Will Track Your Innermost Dreams, Subconscious Fears and Crippling Regrets…

Amazon probably knows everything else about you at this point, so why not let it track your emotions, too? The company is said to be working on a wearable wellness device said to be able to determine a user’s emotional state. Word arrives from a Bloomberg story based on “internal documents.”

This comes on the heels of a patent issued for the company designed to let Alexa determine a speaker’s mood and respond accordingly based on how they’re feeling. That filing highlighted relevant emotions like “happiness, joy, anger, sorrow, sadness, fear, disgust, boredom [and] stress.” That’s a pretty wide range of reactions for a smart assistant.

The smartphone-connected, wrist-worn device is said to be the product of the Alexa and Lab126 hardware team. It’s currently being tested, internally, under the code name “Dylan.” It’s worth noting that Amazon has recently been encouraging a lot of experimentation among its internal hardware team, especially when it comes to Alexa products. Among other things, that experimentation has led to the creation of Echo Buttons. Most, however, haven’t made it past the trial phase.

Brian Heater in TechCrunch on a Bloomberg (behind a firewall) story about how Amazon is developing an emotion-tracking Alexa wearable.

4 hours ago

Around 885 Million Mortgage Deal Documents Were Leaked From Website of Real Estate Title Insurance Giant First American Financial, Bank Records, SSNs, Driver’s License Images Exposed

Serving up an invaluable cache for phishers, scammers and cybercriminals, the website of Fortune 500 real estate title insurance giant First American Financial Corp. leaked an estimated 885 million documents related to mortgage deals going back to 2003, Brian Krebs discovered after being tipped off by real estate developer Ben Shoval. The digitized records included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images. These records were available without authorization to anyone on the Internet. Any visitor to the website who knew the URL for a valid document, including anyone who had ever been sent a document link via email by First American, could view other documents just by modifying a single digit in the link. Most of the exposed files were wire transactions with bank account numbers and other information from home or property buyers and sellers. Shoval was able to view other people’s records by moving the document number in a link sent to him up or down. As of the morning of May 24, First American was returning sensitive documents for strangers up to the present day, including many PDFs and post-dated forms for upcoming real estate closings. By Friday afternoon, First American Financial had disabled the site that exposed the records. (Krebs on Security)
4 hours ago

Top License Plate Reader Company Perceptics Has Been Hacked, Internal Files Stolen and Offered for Free on the Internet

Tennessee-based Perceptics, which makes vehicle license plate readers used extensively by the US government and cities to identify and track citizens and immigrants, has been hacked, with its internal files stolen and currently offered for free on the Internet. Perceptics recently announced it had landed “a key contract by US Customs and Border Protection to replace existing LPR technology and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol checkpoint lanes in Texas, New Mexico, Arizona, and California.” Someone named Boris Bullet-Dodger, who might be the same person who flagged the hack of German IT management company CityComp last month, drew attention to the hack. The stolen files fill hundreds of gigabytes and include Microsoft Exchange and Access databases, ERP databases, HR records, Microsoft SQL Server data stores and more. Perceptics acknowledged it was hacked and said it is investigating the matter. (The Register)
10 hours ago

Multiple Snap Employees Used Privileged Access to Spy on Snapchat Users Using Internal Tools, Including One to Respond to Law Enforcement Requests

Multiple employees inside social media giant Snap have abused their privileged access to dedicated tools for accessing user data to spy on Snapchat users, according to sources and internal company emails obtained by Motherboard. The internal tools allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. One of the tools, called SnapLion, which purportedly provides “the keys to the kingdom,” was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena. (Motherboard)
12 hours ago

In a First, Moody’s Slashes Equifax’s Credit Rating From Stable to Negative Due to Fallout From Massive 2017 Breach

Investor rating giant Moody’s slashed its rating outlook on consumer credit rating company Equifax from stable to negative as the company experiences the fallout from its massive 2017 consumer data breach, the first time cybersecurity issues have been cited as the reason for a downgrade. Moody’s cited Equifax’s recent $690 million first-quarter charge for ongoing legal costs and regulatory fines as contributing to the downgrade. Looking ahead, Moody’s doesn’t see the breach-related cost picture improving for Equifax, estimating the company will incur breach-related expenses and capital investments of $400 million in 2019 and 2020. (CNBC)
13 hours ago

Google Pulls Two Malicious Apps Masquerading As Cryptocurrency Apps on Play Store, One Impersonated Popular Wallet Trezor

Two malicious apps masquerading as cryptocurrency apps on Android’s app store, Google Play, were found by security firm ESET. One of the apps was a dud, but the other impersonated Trezor, a hardware cryptocurrency wallet. Although that app couldn’t be used to steal cryptocurrency, it was connected to a second Android app that could have been used to scam funds out of unsuspecting victims by tricking users into turning over their login credentials. Both apps were collectively downloaded more than 1,000 times, and after ESET contacted Google, the apps were pulled down. (TechCrunch)
13 hours ago

U.S. Indicts Julian Assange on 17 Counts of Violating Espionage Act in Case That Raises Profound First Amendment Fears of Government Intrusion on a Free Press

In a case that has roiled journalists and First Amendment lawyers because it raises profound issues of government intrusion on First Amendment rights, WikiLeaks leader and co-founder Julian Assange has been indicted by the Justice Department on 17 counts of violating the Espionage Act for his role in obtaining and publishing secret military and diplomatic documents in 2010. The new charges raise the legal stakes for Assange, who has already been indicted on an earlier hacking-related count brought by federal prosecutors in Northern Virginia. Legal experts and free speech advocates are raising alarm bells that this latest indictment against the now disgraced and widely despised former government transparency activist could open the door to criminalizing activities that are crucial to American investigative journalists who write about national security matters. The case focuses on Mr. Assange’s role in the leak of hundreds of thousands of State Department cables and military files by the former Army intelligence analyst Chelsea Manning, with prosecutors arguing that the publication of sensitive government documents cultivated from a source without government authorization, a bread-and-butter everyday activity for journalists across the globe, constitutes a crime. Top journalists and First Amendment legal experts fear this rationale could establish a precedent used to criminalize future acts of national-security journalism. (New York Times)
1 day ago

Researcher and Exploit Seller SandboxEscaper Publishes Two New Windows Zero-Day Flaws, Proof-of-Concept Code, Marking Third Day in a Row for Revealing Previously Unknown Windows Vulnerabilities

The security researcher and exploit seller who calls herself SandboxEscaper published new Windows zero-days today, the third day in a row she has done so. On her GitHub account, she published proof-of-concept code for two zero-days, as well as short explainers on how to use the two exploits, marking the seventh and eighth zero-days the researcher has published in the last ten months. Her first exploit published today is a bypass for Microsoft’s current patch for CVE-2019-084, a vulnerability that allows low privileged users to hijack files that are owned by NT AUTHORITY\SYSTEM. The second zero-day she published today targets the Windows Installer folder (C:\Windows\Installer). Over the last three days, SandboxEscaper has published a local privilege escalation exploit in the Windows Task Scheduler process, a sandbox escape for Internet Explorer and a local privilege exploit in the Windows Error Reporting service, which is technically not a zero-day given that Microsoft has already patched the problem. (ZDNet)
1 day ago

Google Disabled Gmail Accounts Created by Baltimore Officials Used as Workaround While City Recovers From Ransomware Attack but Upon Appeal Restored Them

Gmail accounts used by Baltimore officials as a workaround while the city recovers from the Robbinhood ransomware attack that struck the city on May 7 were disabled because the creation of a large number of new accounts in one place triggered Google’s automated security system. Initially, Google said that the accounts were “circumventing their paid service” and the city would need to pay for a business account. But after city employees were able to talk to Google executives, Google resolved the situation in the city’s favor and restored their access to the accounts. (Baltimore Sun)
1 day ago

UK Foreign Secretary Calls out Russia for Its Cyber Warfare Campaign Against Critical Infrastructure, Says UK Has Worked With 16 NATO States to Track Russia’s Hunt for Vulnerabilities

In a keynote speech at the Nato Cyber Defence Pledge Conference today, UK foreign secretary Jeremy Hunt will say that Russia has been engaged in a systematic and malicious “global campaign” of cyber warfare targeting critical national infrastructure with Britain providing help to allied states to counter the threat. Hunt will point to the UK’s National Cyber Security Centre, which he says has been working with 16 other Nato states, and even more nations outside the alliance, over the past 18 months to chart how Russia has been looking for vulnerabilities in cyber systems and seeking to compromise government networks. (Independent)
1 day ago

The Air Force is Investigating a Cyber Intrusion by a Navy Prosecutor Into an Air Force Lawyer’s Computer, ‘Splunk Tool’ Malware Allegedly Sent to Spy on Defense Attorney’s Computer

The Air Force is investigating the Navy for a cyber intrusion into its network, according to a May 19 memo from Navy Capt. David Wilson, chief of staff for the Navy’s Defense Service Offices. The incident stems from a decision by a Navy prosecutor to embed hidden tracking software into emails sent to defense attorneys, including one Air Force lawyer, involved in a high-profile war-crimes case of a Navy SEAL in San Diego, in an effort to track the leak of information to the editor of The Navy Times. A similar tracking device was also sent to Carl Prine, the Navy Times editor, who has written many articles about the case. The defense lawyer’s information security manager concluded the malware was a “splunk tool,” which allowed the sender of the malware to gain “full access to his computer and all files on his computer.” The media leaks relate to the separate courts-martial of Special Operations Chief Edward Gallagher, a Navy SEAL, and Lt. Jacob Portier, the commander of Gallagher’s platoon, which had been under a gag order by the judge in Gallagher’s case. (Military Times)
1 day ago

Irish Data Regulator Opens an Investigation Into Whether Google’s Ad Exchange Violates GDPR Privacy Rules

The Irish Data Protection Commission (DPC) has opened up a statutory inquiry into the way Google provides advertising services across the European Union to probe whether the use of personal data to target online advertising is compliant with the European Union’s General Data Protection Regulation (GDPR) in the context of Google’s online Ad Exchange. Google’s Ad Exchange system is used by companies to target people with personalized advertisements across the Internet. If Google is found to be in violation of the GDPR, it could face fines up to 4% of its annual revenue. (BBC News)
2 days ago

Dutch Authorities, Europol Seize One of Top Cryptocurrency ‘Mixing’ Services BestMixer.io

The Dutch Fiscal Information and Investigation Service (FIOD), along with Europol and with investigative support from McAfee, has seized BestMixer.io, a bitcoin mixing website that authorities say served as one of the busiest cryptocurrency laundering services in the world. BestMixer.io was one of the three largest mixing services for cryptocurrencies and offered services for mixing the cryptocurrencies bitcoins, bitcoin cash and litecoins, according to Europol. It offered to launder those currencies that may have been tainted in association with Internet crime. (Cyberscoop)
2 days ago

Florida Governor DeSantis Orders a Cybersecurity Review of All 67 Counties in Wake of New Election-Related Hacking Revelations

Eight days after hosting a press conference to announce that two Florida counties were penetrated by Russian hackers during the 2016 presidential election, Republican Florida Governor Ron DeSantis has directed Secretary of State Laurel Lee to immediately start a review of the security of state and county election systems after disclosures about Russian hacking during the 2016 campaign. The review will focus on cybersecurity and involve all 67 counties. In a letter to Lee, DeSantis directed that the “Department [of State] shall develop a plan to identify and address any vulnerabilities.” The letter continued: “You are further directed to make this a top priority of the department and report your findings to the Executive Office of the Governor upon completion of your review.” (News Service Florida)
2 days ago

Baltimore Deploys Forensic and Recovery Teams to Slowly Bring City Systems Back Online After May 7 Ransomware Attack Hobbled Its Digital Infrastructure

In the most extensive comments made by city officials since a Robbinhood ransomware attack struck Baltimore’s municipal systems on May 7, Sheryl Goldstein, a deputy chief of staff given the job of overseeing the response to the cyber attack, said the technical staff dealing with the attack is split into a forensic team and a recovery team. The forensic team is moving slowly to hunt for the malware in nooks and crannies of Baltimore’s network and the recovery team is also moving cautiously to bring back systems such as email and databases. The attackers have demanded $76,000 in Bitcoin but the city has thus far refused to pay. Goldstein has not provided a timeline for when the city will be back and fully functional. (Baltimore Sun)
2 days ago

Amazon Shareholder Proposals to Limit, Study Facial Recognition Technology Fail at Annual Meeting

Two Amazon shareholder proposals about the company’s controversial facial recognition technology, Rekognition, which were promoted by civil rights groups and activist shareholders, failed to pass at the company’s annual shareholder meeting. One proposal would have banned the company from selling the technology to governments and the other called for an independent study of the potential privacy and human rights violations caused by the technology. The proposals were non-binding on the company and proponents of the measures said they would continue to keep pressure on the company. (CNET)