Top Stories for the Week of September 4, 2019

  • From Category5 Technology TV S12E48
  • September 4, 2019

Here are the stories we're following for the week of Wednesday, September 4, 2019.


The co-founder and chief executive of Twitter had his own account on the service briefly taken over by hackers.

A group referring to itself as the Chuckling Squad said it was behind the breach of Jack Dorsey's account.

The profile, which has more than four million followers, tweeted out a flurry of highly offensive and racist remarks for about 15 minutes.

Twitter says its own systems were not compromised. Instead, it blames an unnamed phone service provider, saying: "The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorised person to compose and send tweets via text message from the phone number. That issue is now resolved."

A source at the company confirmed the hackers had used a technique known as "simswapping" (or "simjacking") in order to control Mr Dorsey's account.

This isn't the first simswapping attack we've reported on. You may remember several months ago when we talked about how AT&T allowed an attacker to steal bitcoin. Simswapping itself is most often a social engineering attack at its onset. It allows an existing phone number (in this case, one associated with Mr Dorsey's account) to be transferred to a new SIM card. This usually happens after attackers trick or bribe customer support staff at a mobile provider to make the switch.

In this case, by taking control of the number, the attackers were able to post tweets via text message directly on to Mr Dorsey's Twitter account.

While the security lapse appears to have happened outside the company, it is still an embarrassing incident for Twitter.

Source: www.bbc.com

Sent to us by: Roy W. Nash


Microsoft has announced that it’s bringing its exFAT filesystem support to the Linux kernel, and licensing the contributed code under GPLv2.

Microsoft’s exFAT file system is prevalent throughout a lot of modern technology, regardless of whether you (or your device) use the Windows operating system.

This simple, but proprietary and patented file system was created by Microsoft for use, primarily, in ‘flash’ memory products back in 2006.

Since then the format has seen colossal adoption throughout the electronics industry, with USB drives, SD cards, digital cameras, and MP3 players among the many, many devices that make use of it.

However, to use the filesystem means paying Microsoft a fee. Until now.

It’s long been possible to read, write, manage, edit, resize, and format exFAT partitions and file systems on Linux distros thanks to open source efforts like the FUSE-based exFAT.

But patent issues have prevented these ‘workaround’ solutions from shipping as part of the regular Linux kernel, out of the box, ready to go. Now, Microsoft is lifting the restrictions and releasing the code that will allow exFAT to be included in the kernel, with no fees, and nobody getting sued.

Source: www.omgubuntu.co.uk

Sent to us by: Roy W. Nash


The rash of ransomware infiltration continues with 13 new victims—most of them schools.

Yes, that's right: as investigations into the recent coordinated ransomware attack against local governments in Texas continue, 13 new victims of ransomware attacks have been publicly identified. Besides schools, the victims also include an Indiana county, a hospice in California, and a newspaper in Watertown, New York.

The ransomware involved in the Texas attacks, which hit 22 local-level government entities, has not yet been identified. Multiple sources have suggested that the Texas attacker gained access through a managed service provider that the local governments all had in common, but that has not been confirmed by state officials.

In the case of this latest batch of attacks, Ryuk ransomware has been identified as the malware used on at least three occasions.

The Rockville Center School District initially received a ransom demand of $176,000. The district's insurance company negotiated with the ransomware operator, reducing the payout to $88,000. The school district paid a deductible of $10,000.

There's no word on whether other victims have paid the ransom yet.

As new attacks become public, it's worth remembering that the fallout from such attacks can add up quickly in terms of dollars and require a lengthy recovery period. The leadership of Baltimore City, hit by a ransomware attack in May, recently announced that $6 million of the money needed to cover the city's more than $10 million ransomware cleanup operation would be pulled from funds earmarked for upkeep of city parks and public facilities. So far, the RobbinHood ransomware has cost the city over $8 million in lost revenue and interest on deferred revenue.

Baltimore has also been considering a contract for a $20 million "cyber liability" insurance plan.

Source: arstechnica.com

Sent to us by: Roy W. Nash


A watchdog has penalised a local authority for trialling facial recognition on high-school students in Sweden to keep track of attendance.

The Swedish Data Protection Authority (DPA) fined the Skelleftea municipality the equivalent of about $20,000 USD for ignoring a privacy law.

The trial involved tracking 22 students over three weeks and detecting when each pupil entered a classroom.

This is the first time that Sweden has ever issued a fine under GDPR.

The General Data Protection Regulation, which came into force last year, classes facial images and other biometric information as being a special category of data, with added restrictions on its use.

The DPA indicated that the fine would have been bigger had the trial been longer.

According to technology magazine ComputerSweden, Swedish authorities decided to investigate after reading media reports of Anderstorp's High School's trial.

The local authority told Swedish state broadcaster SVT Nyheter in February that teachers had been spending 17,000 hours a year reporting attendance, and the authority had decided to see whether facial-recognition technology could speed up the process.

The trial, which took place in autumn 2018, had been so successful that the local authority was considering extending it.

Although the school secured parents' consent to monitor the students, the regulator did not feel that it was a legally adequate reason to collect such sensitive personal data.

It said there were less intrusive ways that their attendance could have been detected without involving camera surveillance.

As a result, the DPA found that Skelleftea's local authority had unlawfully processed sensitive biometric data, and failed to complete an adequate impact assessment, which would have included consulting the regulator and gaining prior approval before starting the trial.

Source: www.bbc.com

Sent to us by: Roy W. Nash

