ReportWire

Tag: Computer crime

  • The biggest security risks of using fitness trackers and apps to monitor your health

    Fitness trackers, which help keep tabs on sleep quality, heart rate and other biological metrics, are a popular way to help Americans improve their health and well-being. 

    There are many types of trackers on the market, including those from well-known brands such as Apple, Fitbit, Garmin and Oura. While these devices are growing in popularity — and have legitimate uses — consumers don’t always understand the extent to which their information could be available to or intercepted by third parties. This is especially important because people can’t simply change their DNA sequencing or heart rhythms as they could a credit card or bank account number. 

    “Once the toothpaste is out of the tube, you can’t get it back,” said Steve Grobman, senior vice president and chief technology officer of computer security company McAfee.

    The holiday season is a popular time to purchase consumer health devices. Here’s what you should know about the security risks tied to fitness trackers and personal health data.

    Stick to a name brand, even though they get hacked too

    Fitness devices can be expensive, even without taking inflation into account, but don’t be tempted to skimp on security to save a few dollars. While a less-known company may offer more bells and whistles at a better price, a well-established provider that is breached is more likely to care about its reputation and do things to help consumers, said Kevin Roundy, senior technical director at cybersecurity company Gen Digital.

    To be sure, data compromise issues, from criminal hacks to unintended sharing of sensitive user information, can — and have — hit well-known players, including Fitbit, which Google bought in 2021, and Strava. But even so, security professionals say it’s better to buy from a reputable manufacturer that knows how to design secure devices and has a reputation to upkeep. 

    “A smaller company might just go bankrupt,” Roundy said. 

    Fitness app data is not protected like health information

    There can be other concerns beyond having a person’s sensitive information exposed in a data breach. For example, fitness trackers generally connect to a user’s phone via Bluetooth, leaving personal data susceptible to hacking.  

    What’s more, the information that fitness trackers collect isn’t considered “health information” under the federal HIPAA standard or state laws like California’s Confidentiality of Medical Information Act. This means that personally revealing data can potentially be used in ways a consumer might never expect. For instance, the personal information could be shared with or sold to third parties such as data brokers or law enforcement, said Emory Roane, policy counsel at Privacy Rights Clearinghouse, a consumer privacy, advocacy and education organization. 

    Some fitness trackers may use consumers’ health and wellness data to derive revenue from ads, so if that’s a concern, you’ll want to make sure there’s a way to opt out. Review the provider’s terms of service to understand its policies before you buy the fitness tracker, Roundy said.

    Default social, location settings may need to be changed

    A fitness tracker’s default settings may not offer the most stringent security controls. To boost protection, look at what settings can be adjusted, such as those related to social networking, location and other sharable information, said Dan Demeter, security researcher at cybersecurity provider Kaspersky Lab.

    Depending on the state, consumers can also opt out of the sale or sharing of their personal information to third parties, and in some cases, these rights are being expanded, according to Roane.

    Certainly, device users should be careful about what they post publicly about their location and activities, or what they allow to become public by default. This data could be searchable online and used by bad actors. Even if they aren’t acting maliciously, third parties such as insurers and employers could get access to this type of public information.

    “Users expect their data to be their data and use it how they want it to be used,” Roane said, but that’s not necessarily the case. 

    “It’s not only about present data, but also about past data,” Demeter said. For instance, a bad actor could see all the times the person goes running — what days and hours — and where, and use it to their advantage. 

    There are also a number of digital scams where criminals can use information about your location to make an opportunity seem more plausible. They can claim things like, “I know you lost your wallet at so and so place,” which lends credibility to the scammer’s story, Grobman said. 

    Location data can prove problematic in other ways as well. Roane offers the example of a woman seeking reproductive health care in a state where abortion is illegal. A fitness tracker with geolocation services enabled could collect information that could be subpoenaed by law enforcement or be purchased by data brokers and sold to law enforcement, he said.

    Use a strong password, two-factor authentication, and never share credentials

    Be sure to secure your account by using a strong password that you don’t use with another account and enabling two-factor authentication for the associated app. And don’t share credentials. That’s never a good idea, but it can have especially devastating consequences in certain circumstances. For example, a domestic violence victim could be tracked by her abuser, assuming he had access to her account credentials, Roane said.

    Also be sure to keep the device and the app up-to-date with security fixes.

    While nothing is foolproof, the goal is to be as secure as possible. “If somebody tries to profit from our personal information, we just make their lives harder so it’s not that easy to hack us,” Demeter said.

  • Feds announce seizure of $3.36 billion in bitcoin stolen a decade ago from illegal Silk Road marketplace—the second-largest crypto recovery

    The crypto market has been battered this year, with nearly $2 trillion wiped off its value since its peak.

    Jonathan Raa | Nurphoto | Getty Images

    The U.S. Department of Justice announced Monday that it seized about $3.36 billion in stolen bitcoin during a previously unannounced 2021 raid on the residence of James Zhong.

    Zhong pleaded guilty Friday to one count of wire fraud, which carries a maximum sentence of 20 years in prison.

    U.S. authorities seized about 50,676 bitcoin, then valued at over $3.36 billion, from Zhong during a search of his house in Gainesville, Georgia, on Nov. 9, 2021, the DOJ said. It is the DOJ’s second-largest financial seizure to date, following its seizure of $3.6 billion in allegedly stolen cryptocurrency linked to the 2016 hack of the crypto exchange Bitfinex, which the DOJ announced in February.

    According to authorities, Zhong stole bitcoin from the illegal Silk Road marketplace, a dark web forum on which drugs and other illicit products were bought and sold with cryptocurrency. Silk Road was launched in 2011, but the Federal Bureau of Investigation shut it down in 2013. Its founder, Ross William Ulbricht, is now serving a life sentence in prison.

    “For almost ten years, the whereabouts of this massive chunk of missing Bitcoin had ballooned into an over $3.3 billion mystery,” U.S. Attorney Damian Williams said in a press release.

    According to the Southern District of New York, Zhong took advantage of the marketplace’s vulnerabilities to execute the hack.

    Special Agent in Charge Tyler Hatcher, of the Internal Revenue Service – Criminal Investigation, said Zhong used a “sophisticated scheme” to steal the bitcoin from Silk Road. According to the press release, in September 2012, Zhong created nine fraudulent accounts on Silk Road, funding each with between 200 and 2,000 bitcoin. He then triggered over 140 transactions in rapid succession, which tricked the marketplace’s withdrawal-processing system to release approximately 50,000 bitcoin into his accounts. Zhong then transferred the bitcoin into a variety of wallet addresses all under his control.

    Public records show Zhong was the president and CEO of a self-created company, JZ Capital LLC, which he registered in Georgia in 2014. According to his LinkedIn profile, his work there focused on “investments and venture capital.”

    His profile also states he was a “large early bitcoin investor with extensive knowledge of its inner workings” and that he had software development experience in computer programming languages.

    Zhong’s social media profiles include pictures of him on yachts, in front of airplanes, and at high-profile football games.

    But these types of hacks didn’t end with the Silk Road’s demise. Crypto platforms continue to be vulnerable to criminals.

    In October 2022, Binance, the world’s largest crypto exchange by trading volume, suffered a $570 million hack. The company said a bug in a smart contract enabled hackers to exploit a cross-chain bridge, BSC Token Hub. As a result, the hackers withdrew the platform’s native cryptocurrency, called BNB tokens.

    In March 2022, a different hacker found vulnerabilities in the decentralized finance platform Ronin Network and made off with more than $600 million — the largest hack to date. The private keys, which serve as passwords to protect cryptocurrency funds in wallets, were compromised.

    According to a Chainalysis report, $1.9 billion worth of cryptocurrency had been stolen in hacks of services through July 2022, compared with just under $1.2 billion at the same point in 2021. 

  • FTC seeks to hold Drizly CEO accountable for alleged security failures, even if he moves to another company

    The Drizly application on a smartphone.

    Tiffany Hagler-Geard | Bloomberg | Getty Images

    In a new proposed settlement, the Federal Trade Commission is seeking to hold a tech CEO accountable to specific security standards, even if he moves to a new company.

    The agency announced Monday that its four commissioners had voted unanimously to issue a proposed order against alcohol delivery platform Drizly and its CEO James Cory Rellas for allegedly failing to implement adequate security measures, which eventually resulted in a 2020 data breach exposing personal information on about 2.5 million consumers.

    Uber acquired Drizly for $1.1 billion in 2021.

    The FTC claims that despite being alerted to the security concerns two years before the breach, Drizly and Rellas did not do enough to protect their users’ information.

    While settlements like this are not that uncommon for the FTC, its decision to name the CEO and have the stipulations follow him beyond his tenure at Drizly exemplifies an approach favored by Democratic Chair Lina Khan. Some progressive enforcers have argued that naming tech executives in their lawsuits should create a stronger deterrence signal for other potential violators.

    The proposed order, which is subject to a 30-day public comment period before the commission votes on whether to make it final, would require Rellas to implement an information security program at future companies where he’s the CEO, a majority owner or a senior officer with information security responsibilities, provided the company collects consumer information from more than 25,000 people.

    Though Republican Commissioner Christine Wilson voted with the agency’s three Democrats to impose the proposed settlement against Drizly, she objected to naming Rellas as an individual defendant. In a statement, Wilson wrote that naming Rellas will not result in putting “the market on notice that the FTC will use its resources to target lax data security practices.”

    “Instead, it has signaled that the agency will substitute its own judgement about corporate priorities and governance decisions for those of companies,” she wrote, adding that given CEOs’ broad overviews of their businesses, it’s best left to companies rather than regulators to determine what the chief executive should pay regular attention to.

    In a joint statement, Khan and Democratic Commissioner Alvaro Bedoya responded to Wilson’s argument, writing that “Overseeing a big company is not an excuse to subordinate legal duties in favor of other priorities. The FTC has a role to play in making sure a company’s legal obligations are weighed in the boardroom.”

    Khan’s FTC has named other executives in past complaints, like when it named Meta CEO Mark Zuckerberg as a defendant in a lawsuit seeking to block the company’s proposed acquisition of virtual reality company Within Unlimited. But it later dropped him from the complaint after the company said Zuckerberg would not try to personally buy Within.

    The order against Drizly would also require the company to destroy personal data it has collected but no longer needs, limit future data collection and establish a comprehensive security program including training for employees and controls on who can access data.

    “We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson said in a statement.

  • $570 million worth of Binance’s BNB token stolen in another major crypto hack

    Binance is the world’s largest crypto exchange by trading volume.

    Jakub Porzycki | Nurphoto | Getty Images

    Cryptocurrency exchange Binance temporarily suspended its blockchain network late Thursday after hackers made off with around $570 million worth of its BNB token.

    Binance said a cross-chain bridge linking with its BNB Chain was targeted, enabling hackers to move BNB tokens off the network. So-called cross-chain bridges are tools that allow the transfer of tokens from one blockchain to another.

    The company said it had worked with transaction validators to pause creation of new blocks on BSC, suspending all transaction processing while a team of developers investigates the breach.

    “An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC,” Changpeng Zhao, Binance’s CEO, said in a tweet Thursday evening.

    “The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.”

    BNB Chain has since resumed operations.

    In total, hackers drained 2 million BNB tokens — about $570 million at current prices — from the network, Binance’s BNB Chain said in a blog post on Friday.

    The exploit was enabled “through a sophisticated forging of the low level proof into one common library,” BNB Chain said.

    An earlier estimate from the company placed the total amount withdrawn in a range of $100 million to $110 million.

    The company said it managed to freeze $7 million of funds with the help of its security partners.

    The value of BNB sank more than 3% Friday morning to $285.36 a coin, according to CoinMarketCap data.

    BNB Chain, originally known as Binance Chain, was first developed by Binance in 2019. Like other blockchains, it features a native token, called BNB, that can be traded or used in games and other applications.

    It is the latest in a series of major hacks targeting cross-chain bridges, with instances of sloppy engineering making them a prime target for cybercriminals.

    A total of around $1.4 billion has been lost to breaches on cross-chain bridges since the start of 2022, according to data from blockchain analytics firm Chainalysis.

    The crypto industry has had a rough year, with roughly $2 trillion in value being erased since the peak of a blistering rally from 2020 to 2021. The implosion of $60 billion blockchain venture Terra and a worsening macroeconomic environment have severely impacted market sentiment.
