Former Uber security chief charged with paying hush money to conceal breach

Federal prosecutors have charged Joe Sullivan, Uber’s former chief security officer, with paying hackers $100,000 to keep quiet about a 2016 data breach that affected 57 million users and drivers. The suit alleges that Sullivan “engaged in a scheme” to hide the payout from regulators, law enforcement, and the public. A former federal prosecutor who specialized in computer hacking and intellectual property crimes, Sullivan is currently the CSO for Cloudflare.

(NPR)

Google fixes severe Gmail bug only after researcher goes public

Google on Wednesday patched a vulnerability in Gmail and G Suite that would have allowed hackers to impersonate users and spoof their email, but only because the researcher who found the bug published the research on her blog. Allison Husain notified Google in April, but the company hadn’t planned to release the fix until September. Google blocked the vulnerability from being exploited yesterday, with the full patch still expected next month.

(ZDNET)

Pandemic work-from-home empowers voice phishers

A group of hackers is seeing a high success rate targeting the virtual private networks of businesses large and small. They mix custom phishing sites with phone calls to steal VPN credentials from unsuspecting employees. However, companies that require their employees to use two-factor authentication hardware keys appear immune to the bait, so far.

(Krebs on Security)

How legal is client-side scanning to stop child pornography?

Stopping the proliferation of child sexual abuse material is a serious task, one which U.S. Attorney General Bill Barr and others think can only be done by backdooring encryption. One proposed alternative is client-side scanning, where data on a user’s device is scanned for CSAM content before it is sent across the Internet. But this raises serious legal and policy concerns that defy easy answers.

(Lawfare)

New smart lock research shows that they’re as vulnerable as ever

Although the smart door lock market is hopping, worth more than $1.2 billion today, these Internet-connected devices continue to be built with poor security right out of the door. Cybersecurity company BitDefender says that door lock maker August claims to have issued a fix for its August Smart Lock, but BitDefender hasn’t been able to verify that the patch exists. Another researcher found multiple severe, basic vulnerabilities in the crowd-funded U-Tec Ultraloq that, while now fixed, shouldn’t have existed in the first place, he claims.

(Dark Reading)

Israeli military vets may have a way to stop the spread of ‘deepfakes’

It’s getting harder to tell real photos and videos online from faked ones. A team of 11 Israeli army vets has come together to create the technology behind Cyabra, which claims to be able to identify 91 percent of fake videos and images, and 98 percent of real ones.

(Observer)

College contact-tracing app leaks student data

Albion College in Michigan is requiring all of its students to install Aura, a Covid-19 contact-tracing app, on their phones. However, researchers found the app to be easily hacked, and were able to access private student medical data as well as track students’ locations in real time.

(Ars Technica)