Privacy Roundup: Week 1 of Year 2025 – Source: securityboulevard.com

Source: securityboulevard.com – Author: Avoid The Hack!

This is a news item roundup of privacy or privacy-related news items for 29 DEC 2024 – 4 JAN 2025. Information and summaries are provided here as-is, without warranty.

Note: You may see some traditional “security” content mixed in here due to the close relationship between online privacy and cybersecurity – many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users’ devices (and therefore pose a threat to their privacy), and large data breaches in which significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or “popular” stories.

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.

DivestOS, Mull, Mulch, and Hypatia discontinued

DivestOS Mobile

The developer behind DivestOS (a privacy-oriented Android operating system forked from LineageOS), Mull (a privacy browser for Android), Mulch (a security-oriented WebView for Android), and Hypatia (an open source virus scanner for Android) has announced that these projects are no longer supported or updated as of December 2024.

For years DivestOS was a recommended alternative privacy-oriented Android operating system on avoidthehack. In a future site update, I will regretfully remove it as an official recommendation due to its EOL status.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Hackers exploit Four-Faith router flaw to open reverse shells

Bleeping Computer

Attackers are exploiting an OS command injection vulnerability, tracked as CVE-2024-12856, to open reverse shells, which can be used for further exploitation of the device. Specifically, a command used for adjusting the system time can be manipulated (via HTTP POST request) to include a shell command.

As of writing, there is no security update available. Internet-facing devices are the ones primarily at risk, since these routers commonly have their remote management interface exposed to the internet. Users should keep routers updated, use strong admin passwords (never the default credentials), and avoid exposing the admin login page to the internet.

Note that the affected router models are mostly deployed in critical infrastructure sectors, but this may still apply to some end users.
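The Four-Faith bug is a textbook case of a web handler splicing an HTTP field into a shell command string. The example below is added here; it is not code from the original post, from Bleeping Computer, or from the router firmware, and it reconstructs the pattern generically. The field names (`year`, `month`, `day`) are an assumption for illustration, the POST bodies are constructed, and `echo` stands in for the real clock-setting command so nothing on the host changes. It shows the vulnerable string-building handler, a hardened handler that validates each field against a strict allowlist and execs an argument vector with no shell, and a small triage helper for spotting shell metacharacters in captured request bodies.

```python
from __future__ import annotations

import re
import subprocess
from urllib.parse import parse_qs

# Constructed POST bodies for the demonstration. The field names are an
# assumption for illustration; they are not taken from the Four-Faith advisory.
BENIGN_BODY = "year=2025&month=01&day=04"
# year = 2025'; echo INJECTED; echo '   (URL-encoded below)
MALICIOUS_BODY = "year=2025'%3B%20echo%20INJECTED%3B%20echo%20'&month=01&day=04"

# 'echo' stands in for the real clock-setting command so the demo is harmless.
CLOCK_CMD = "echo"


def _fields(body: str) -> dict[str, str]:
    """First value of each POST field (fields with no value are dropped)."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items() if v}


def set_time_vulnerable(body: str) -> str:
    """Vulnerable pattern: splice untrusted fields into one command string and
    hand it to /bin/sh. A quote in the 'year' field closes the literal, and
    everything after it runs as additional shell commands."""
    f = _fields(body)
    cmd = (
        f"{CLOCK_CMD} setting clock to "
        f"'{f.get('year', '')}-{f.get('month', '')}-{f.get('day', '')}'"
    )
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Strict allowlist per field; anything else is rejected before exec.
FIELD_RULES = {
    "year": r"\d{4}",
    "month": r"0[1-9]|1[0-2]",
    "day": r"0[1-9]|[12]\d|3[01]",
}


def validate_time_fields(body: str) -> dict[str, str] | None:
    """Return the three fields only if each is present exactly once and matches
    its pattern in full; otherwise None (duplicate fields are rejected too)."""
    parsed = parse_qs(body, keep_blank_values=True)
    out: dict[str, str] = {}
    for name, pattern in FIELD_RULES.items():
        values = parsed.get(name, [])
        if len(values) != 1 or not re.fullmatch(pattern, values[0]):
            return None
        out[name] = values[0]
    return out


def set_time_hardened(body: str) -> str | None:
    """Hardened pattern: validate, then exec an argument vector with no shell,
    so the date string is a single argv entry whatever characters it holds."""
    f = validate_time_fields(body)
    if f is None:
        return None
    argv = [CLOCK_CMD, "setting clock to", f"{f['year']}-{f['month']}-{f['day']}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Triage aid for captured request logs: which fields carry shell metacharacters?
SHELL_META = re.compile(r"[;&|`$(){}<>'\"\\\n]")


def fields_with_shell_metacharacters(body: str) -> list[str]:
    parsed = parse_qs(body, keep_blank_values=True)
    return sorted(k for k, vs in parsed.items() if any(SHELL_META.search(v) for v in vs))


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(f"[{label}] vulnerable -> {set_time_vulnerable(body)!r}")
        print(f"[{label}] hardened   -> {set_time_hardened(body)!r}")
        print(f"[{label}] suspicious fields: {fields_with_shell_metacharacters(body)}")
```

Both handlers produce identical output for a well-formed request; only the vulnerable one lets a crafted `year` field run extra commands. The metacharacter check is a triage aid for log review, not a substitute for the allowlist: a filter that only strips `;` still misses `$(...)`, backticks and newlines, which is why the hardened handler validates the shape of each field rather than blocklisting characters.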

Malware botnets exploit outdated D-Link routers in recent attacks

Bleeping Computer

Two botnets (Ficora and Capsaicin) continue to target D-Link routers that are EOL or running outdated firmware. Commonly, these botnets exploit CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112 for initial access to vulnerable D-Link routers. They then execute their payloads, which can steal data and/or recruit the device into the botnet.

Users should keep their devices updated – especially routers. EOL devices should be replaced as soon as possible, since the manufacturer no longer supports them. Depending on the model and/or submodel, users may be able to flash third-party firmware (such as OpenWrt) onto an EOL device to extend its life.

New details reveal how hackers hijacked 35 Google Chrome extensions

Bleeping Computer

A phishing campaign targeting Chrome extension developers (including a cybersecurity firm, Cyberhaven) has enabled attackers to compromise multiple Google Chrome extensions. The compromised extensions were injected with data-stealing code.

Developers were sent phishing emails pretending to be from Google; the emails linked to Google’s genuine OAuth authorization flow for a threat actor-controlled app named “Privacy Policy Extension,” which requested permissions such as the ability to edit and update the Chrome Web Store extensions the developer had access to. Once those permissions were granted, the threat actors published an “updated” (malicious) version of the extension.

It appears threat actors in this campaign were specifically interested in hijacking Facebook business accounts, attempting to grab information such as the user’s Facebook ID, access token, account information, and any CAPTCHA or QR code images associated with MFA.
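What makes this consent-phishing step effective is that the link points at Google’s genuine OAuth endpoint, so checking the host name does not help; the identity of the requesting app and the scopes it asks for are the discriminators. Below is an added example, not code from the original post or from Cyberhaven, that triages an OAuth authorization link before anyone clicks through. The client IDs, redirect hosts and the sample URLs are constructed placeholders; the scope string is the one the Chrome Web Store API documents, and whether this campaign requested exactly that scope is not stated in the article.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Google's authorization endpoint host. The phishing link in the campaign used
# the genuine flow, so this check passes for the malicious link too.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Scope that lets a third-party app manage a developer's Web Store items. This is
# the scope string the Chrome Web Store API documents; whether the campaign
# requested exactly this one is not stated in the article (assumption).
PUBLISH_CAPABLE_SCOPES = {"https://www.googleapis.com/auth/chromewebstore"}

# Constructed allowlists for a hypothetical developer team.
TRUSTED_CLIENT_IDS = {"000000000000-ourcitool.apps.googleusercontent.com"}
TRUSTED_REDIRECT_HOSTS = {"ci.internal.example"}

# Constructed sample links. Client IDs and redirect hosts are placeholders.
PHISHING_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-unknownapp.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore"
)
LEGIT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-ourcitool.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fci.internal.example%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email"
)


def triage_oauth_url(
    url: str,
    trusted_client_ids: set[str] = TRUSTED_CLIENT_IDS,
    trusted_redirect_hosts: set[str] = TRUSTED_REDIRECT_HOSTS,
) -> dict:
    """Classify an OAuth authorization link as allow / review / block.

    An unknown client_id or a publish-capable scope is enough to block: granting
    either is what let the attackers push a malicious extension update. Other
    anomalies (odd redirect host, non-Google endpoint) go to manual review."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    client_id = q.get("client_id", [""])[0]
    redirect_host = urlsplit(q.get("redirect_uri", [""])[0]).hostname or ""
    # 'scope' is a space-separated list; parse_qs has already URL-decoded it.
    scopes = sorted(set(" ".join(q.get("scope", [])).split()))

    findings: list[str] = []
    if parts.hostname not in GOOGLE_AUTH_HOSTS:
        findings.append(f"authorization host {parts.hostname!r} is not Google's")
    unknown_client = client_id not in trusted_client_ids
    if unknown_client:
        findings.append(f"client_id {client_id or '<missing>'} is not an app we approved")
    if redirect_host not in trusted_redirect_hosts:
        findings.append(f"redirect_uri host {redirect_host or '<missing>'} is not on the allowlist")
    risky = [s for s in scopes if s in PUBLISH_CAPABLE_SCOPES]
    if risky:
        findings.append("requests scope(s) that can publish extension updates: " + ", ".join(risky))

    if unknown_client or risky:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "host": parts.hostname,
        "client_id": client_id,
        "redirect_host": redirect_host,
        "scopes": scopes,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, link in (("phishing", PHISHING_URL), ("legit", LEGIT_URL)):
        result = triage_oauth_url(link)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The point of the verdict logic is that the phishing link passes the host check and would pass a TLS check as well; it is only the unknown `client_id` and the publish-capable scope that give it away. In a Google Workspace tenant the equivalent control is to restrict which third-party apps may be granted access to sensitive scopes, so that an unapproved app cannot be consented to at all.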

This section is dedicated to notable changes or developments in popular/large service providers’ privacy practices.

Service providers listed here are not necessarily “privacy-focused,” but may have privacy practice changes that positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affect a large number of users.

Apple auto-opts everyone into having their photos analyzed by AI for landmarks

The Register

Apple appears to have auto-opted users into a new feature, likely introduced in an iOS 18.1 update, known as Enhanced Visual Search. The auto opt-in is believed to have happened in late October 2024.

Apparently, the process by which this feature works is “private enough,” but the lack of notification and not seeking consent from users is concerning.

Predominantly focused on legal/regulatory privacy developments in US law (ex: the FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here. Notable privacy-related lawsuits (again, predominantly in the US) are also found here.

Apple to pay $95 million to settle Siri privacy lawsuit

Reuters

The lawsuit alleges Apple used Siri to listen to what people were saying; ads were then targeted at them based on what they mentioned.

Apple pays the settlement but continues to deny any “wrongdoing.” Interestingly, Google is being sued by the same law firm over similar concerns regarding Google Assistant (Google’s answer to Siri).

The US proposes rules to make healthcare data more secure

The Verge

The US Department of Health and Human Services has proposed new cybersecurity requirements for covered entities (healthcare organizations). This is in response to the severity and scale of data breaches in the healthcare sector over the last ~3 years.

The proposed rule would require these organizations to encrypt patient data (I’m assuming both in transit and at rest), use multifactor authentication (MFA) for accessing systems, and keep compliance documentation.

This will be the first update to HIPAA in over a decade (the last update was in 2013).

Data Breaches and Leaks

Generally covers large data breaches (or data leaks) exposing sensitive information of users – typically the focus is on US companies and on data breaches…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/privacy-week1-2025

Original Post URL: https://securityboulevard.com/2025/01/privacy-roundup-week-1-of-year-2025/

Category & Tags: Security Bloggers Network, privacy roundup
