What is Neopets, you ask? It is a virtual pet website that gives members the ability to “own, raise, and play games with their virtual pets.” According to BleepingComputer, Neopets has experienced a data breach which has exposed the data of up to 69 million Neopets users. That is not an issue when you own, raise and play games with a real pet!

BleepingComputer reports that a hacker “known as ‘TarTarX’ began selling the source code and database for the Neopets.com website for four bitcoins…” The hacker alleged that “sensitive personal information, including birth dates, countries, IP’s genders and names as well as almost 69M unique email addresses” had been stolen from Neopets’ website.

Neopets has confirmed the incident and is working with forensic investigators and law enforcement. Neopets suggests that users change their passwords and is updating its users about the incident on Twitter. However, it appears that changing your password may not be enough in this instance. This is a good reminder to be wary of downloading apps in the first place, checking the apps’ history of security incidents and deleting apps when they are no longer needed or being used.

Auterion, a drone software company, commissioned the market research company Propeller Insights to survey 1,022 adults. The survey was gender-balanced and distributed across age groups from 18 to 65+, living in rural, suburban, and city environments in the United States, and was conducted in May 2022.

In the report summarizing the survey, “Consumer Attitudes on Drone Delivery,” Auterion reveals that 58 percent of Americans like the idea of drone deliveries, and 64 percent think drones are becoming an option for home delivery now or will be in the near future. With more than 80 percent of those surveyed reporting that they have packages delivered to their homes on a regular basis, the survey finds that Americans are generally ready to integrate drone delivery into daily life for ease and speed. Of the 64 percent who see drones becoming a more common option for home delivery, 32 percent think it’s possible now or within the next 1 to 2 years.

Only 36 percent of those surveyed had doubts about this type of drone integration, including some individuals who think the general public or governments will not approve of large-scale drone adoption for delivery and others who just prefer that drone delivery doesn’t happen at all.

With individuals choosing more than one option, the survey found that the most common types of home package deliveries reported by consumers today, by vehicles and trucks, are:

  • 39 percent – groceries
  • 34 percent – clothing
  • 33 percent – household items
  • 31 percent – meals
  • 27 percent – medicine
  • 11 percent – baby food/needs

Based on these findings, those surveyed were also asked if they were willing to consider drones as a “new corner store” for conveniently delivering small and last-minute necessities: 54 percent of the individuals said “yes.”

With regard to concerns related to these drone deliveries, 43 percent of those surveyed fear the drone will break down and they will not receive their item, and 19 percent are worried about not having human interaction with their delivery person. However, drone delivery systems provide accurate trackability and direct delivery, and are therefore more capable of accurate delivery timing. Delivery drones are built to analyze the environment with precision, to communicate through control software in a common language, and to predict safe landing spots for packages. Air space is becoming a great option at a time when highways are filled with cars and trucks and fuel prices are rising. Drones can help to reduce our reliance on gas-powered delivery vehicles and provide safer, more flexible, and more cost-effective delivery.

Like all technology, mobile apps can be infected with malicious code, or malware, which is intended to gain access to your mobile phone when you download the app. Although app stores try their best to not allow malicious apps to get into the store, monitor apps once they are included in the store, and delete ones that they deem malicious, apps infected with malicious code and malware have proliferated and are a continuing problem for users. In one estimate, 2 percent of the top 1,000 App Store apps are malicious, according to a report by the Washington Post.

According to the website The State of Security, “Three million Android users may have lost money and had their devices infected by spyware, after the discovery that the official Google Play store has been distributing apps infected by a new family of malware.”

The Autolycos malware “spies on SMS messages, contact lists, and device information, and subscribes unsuspecting users to expensive wireless application protocol (WAP) services.” The affected apps include: Funny Camera, Vlog Star Video Editor, Creative 3D Launcher, Wow Beauty Camera, Gif Emoji Keyboard, Freeglow Camera, and Coco Camera. Another reason not to download a camera app.

HotHardware suggests that users delete a larger list of infected Android apps, part of the Android HiddenAds family, that were installed over 10 million times:

“Here’s a look at the full list of apps that fall into the HiddenAds category…

  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor – Design Maker (gb.twentynine.redaktoridea)
  • Photo Editor & Background Eraser (de.photoground.twentysixshot)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor – Filters Effects (de.hitopgop.sixtyeightgx)
  • Photo Filters & Effects (de.sixtyonecollice.cameraroll)
  • Photo Editor : Blur Image (de.instgang.fiftyggfife)
  • Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
  • Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
  • Neon Theme Keyboard (com.neonthemekeyboard.app)
  • Neon Theme – Android Keyboard (com.androidneonkeyboard.app)
  • Cashe Cleaner (com.cachecleanereasytool.app)
  • Fancy Charging (com.fancyanimatedbattery.app)
  • FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
  • Call Skins – Caller Themes (com.rockskinthemes.app)
  • Funny Caller (com.funnycallercustomtheme.app)
  • CallMe Phone Themes (com.callercallwallpaper.app)
  • InCall: Contact Background (com.mycallcustomcallscrean.app)
  • MyCall – Call Personalization (com.mycallcallpersonalization.app)
  • Caller Theme (com.caller.theme.slow)
  • Caller Theme (com.callertheme.firstref)
  • Funny Wallpapers – Live Screen (com.funnywallpapaerslive.app)
  • 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
  • NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
  • Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
  • Notes – reminders and lists (com.notesreminderslists.app)”

Be wary of these specific apps, but in general, research apps before you download them, only download apps that are needed, understand what data apps are collecting from you, and delete apps when you no longer use them.

According to research by Palo Alto Networks’ Unit 42, the most recent campaign by the advanced persistent threat Cloaked Ursa (aka APT29, Nobelium, or Cozy Bear) “demonstrate[s] sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection.” Cloaked Ursa is believed to be affiliated with the Russian government.

Unit 42 found that Cloaked Ursa “leveraged Google Drive cloud storage services for the first time. The ubiquitous nature of Google Drive cloud storage services—combined with the trust that millions of customers worldwide have in them—make their inclusion in this APT’s malware delivery process exceptionally concerning” because “when the use of trusted services is combined with encryption,…it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”

Unit 42 discovered Cloaked Ursa was using an agenda for an upcoming meeting with an ambassador as a lure targeting “Western diplomatic missions between May and June 2022” through phishing campaigns. The phishing documents “contained a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.”

Unit 42 provided information about its findings to cloud storage providers and has provided observations, courses of action, and IoCs, which can be accessed here.

Online mortgage lender Lending Tree sent breach notification letters to affected individuals on June 29, 2022. The letter advises those persons that their name, social security number, date of birth, and address were compromised in mid-February 2022 as a result of a code vulnerability that “likely resulted in the unauthorized disclosure of some sensitive personal information.”

Lending Tree is offering affected individuals single-bureau credit monitoring.

INRIX, a company that provides location-based data analytics, has been collecting, analyzing, and selling aggregated vehicle, traffic, and parking data for over 17 years. Now, after the Roe v. Wade decision, INRIX is under scrutiny for its data collection tactics and the ability to view data related to Planned Parenthood clinics. In a brochure for its “Vehicle Trips” product, INRIX details the fact that it “captures over 150 million anonymous trips” and 36 billion “real-time data points” each day, with updates as frequent as every three seconds.

By using only the free trial version of the INRIX IQ Location Analytics platform, a user can locate at least 71 Planned Parenthood clinics in numerous states. The free version of this platform only lists the address, hours, and average annual daily traffic counts on nearby streets for each clinic, but the paid version shows more detailed statistics for sample points of interests in its database, including demographic and ethnic breakdowns of visitors, visitor counts by hour and day, aggregated heat maps of the origins and destinations for visitors, and drive times to and from the business location.

While this type of data collection, and availability and accessibility may seem problematic in the current legal landscape related to reproductive rights, INRIX has publicly stated that it only receives anonymized data and de-identifies it further as necessary, before aggregating those data for use in its products. According to INRIX, individual identities are not relevant to its business – the location analytics only display results based on the census block group level and the data are sourced from map providers, which are commercially available.

Other location-based data analytics companies, such as SafeGraph and Placer.ai, also had Planned Parenthood visitor data in their products, but those data have been removed. Even some Internet search engines have pledged to delete visitor location data when a user visits an abortion provider, fertility center, or other sensitive reproductive health location.

The problem with this data collection and sharing, even though it covers only location-based data, comes when individuals seeking an abortion face increased risks to their privacy and, potentially, their own safety and wellbeing. Even before the recent overturning of Roe v. Wade, pro-life activists had used software and services from the location data industry, such as geofencing, to target abortion-seeking patients with advertisements intended to dissuade them. With the procedure now criminalized in nine states, the effects could be even greater.

As a result of this data collection and use, lawmakers have sent letters to these location data companies to gather details about their data collection and requesting that they stop including abortion clinics in their platforms and reports.

While most of the data on the free version of the INRIX dashboard are aggregated, risks still remain. Most companies in the location data industry boast that individual privacy is protected due to the fact that they only sell aggregated data (e.g., the number of people visiting a particular business during a specific week). However, even aggregated data might carry risks for individual privacy because individuals could still be identified in some circumstances. If location data show that a particular user frequents one central location (e.g., home or work) while also visiting a Planned Parenthood clinic, it may be easier than you’d think to determine the identity of that individual.
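The re-identification concern in the paragraph above is a cell-size problem: an aggregate count of 1 (or a very small number) for “visitors to this clinic whose trips originate in this block group” singles out one household even though no name or device id is published. The script below is an added illustration and not code from INRIX, The Markup, or any vendor; it works on a constructed set of pseudonymous trips with made-up block group ids and place names, and the minimum cell size of 3 is an assumed threshold chosen for the example. It aggregates distinct devices per origin/destination cell, flags the cells that would expose an individual, and builds a publishable table in which small cells are withheld and the per-destination totals are computed only from released cells, so that a withheld cell cannot be recovered by subtracting published cells from a published total.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Cell = Tuple[str, str]  # (origin census block group, destination point of interest)

# Constructed sample of pseudonymous trips: (device id, origin block group, destination).
# Every id and place name here is made up for the illustration.
SAMPLE_TRIPS: List[Tuple[str, str, str]] = [
    ("dev-01", "BG-1001", "Grocery A"),
    ("dev-02", "BG-1001", "Grocery A"),
    ("dev-03", "BG-1001", "Grocery A"),
    ("dev-04", "BG-1001", "Grocery A"),
    ("dev-05", "BG-1001", "Grocery A"),
    ("dev-03", "BG-1001", "Clinic X"),  # the only device from BG-1001 that visits the clinic
    ("dev-03", "BG-1001", "Clinic X"),  # repeat visit by the same device
    ("dev-06", "BG-1002", "Clinic X"),
    ("dev-07", "BG-1002", "Clinic X"),
    ("dev-08", "BG-1002", "Clinic X"),
    ("dev-09", "BG-1003", "Clinic X"),
    ("dev-10", "BG-1003", "Clinic X"),
]

# Minimum number of distinct visitors a cell needs before it is published.
# The value 3 is an assumption for this example, not a figure from any vendor.
MIN_CELL_SIZE = 3


def aggregate_visitors(trips: List[Tuple[str, str, str]]) -> Dict[Cell, int]:
    """Count distinct devices per (origin block group, destination) cell.

    Counting devices rather than trips means repeat visits by one person do not
    inflate the cell and make it look safer than it is."""
    devices: Dict[Cell, set] = defaultdict(set)
    for device, origin, dest in trips:
        devices[(origin, dest)].add(device)
    return {cell: len(ids) for cell, ids in devices.items()}


def cells_at_risk(counts: Dict[Cell, int], k: int = MIN_CELL_SIZE) -> List[Cell]:
    """Cells whose visitor count is below k.

    A count of 1 means the origin block group alone identifies the single
    visitor to that destination; counts of 2 are only marginally better."""
    return sorted(cell for cell, n in counts.items() if n < k)


def release_table(trips: List[Tuple[str, str, str]], k: int = MIN_CELL_SIZE) -> dict:
    """Build the publishable table.

    Small cells are withheld (None). Per-destination totals are summed only over
    released cells, so a reader cannot recover a withheld cell by subtracting the
    published cells from a published total."""
    counts = aggregate_visitors(trips)
    released: Dict[Cell, Optional[int]] = {
        cell: (n if n >= k else None) for cell, n in counts.items()
    }
    totals: Dict[str, int] = defaultdict(int)
    for (_, dest), n in released.items():
        if n is not None:
            totals[dest] += n
    return {"cells": released, "totals": dict(totals)}


if __name__ == "__main__":
    counts = aggregate_visitors(SAMPLE_TRIPS)
    print("raw cells:", counts)
    print(f"cells at risk (k={MIN_CELL_SIZE}):", cells_at_risk(counts))
    print("released table:", release_table(SAMPLE_TRIPS))
```

Run as written, the raw aggregate shows a single device from BG-1001 visiting Clinic X, which is exactly the “one central location plus one clinic” pattern the paragraph warns about; the release step withholds that cell and the two-visitor cell from BG-1003 while publishing the three-visitor cell. The threshold and the choice of block group as the origin unit are policy decisions, and a real release would also need to consider what can be inferred by comparing successive weekly tables.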

For more on this investigation conducted by The Markup click here.

Making quite the statement on July 15, 2022, the Office for Civil Rights (OCR) announced in a press release that it had recently settled an additional 11 cases under its Right to Access Initiative. These settlements bring the total number of enforcement actions under the Initiative to 38.

The settlements, ranging from $3,500 to $240,000, resolved enforcement actions with 11 medical and dental practices that allegedly did not provide their patients with access to their medical records. Memorial Hermann Health System in Texas paid the largest settlement in the amount of $240,000. The OCR alleged that Memorial Hermann Health System did not respond to a patient’s request for medical records for a total of 564 days.

The patient made five separate requests for her records from the medical records department between June 2019 and January 2020, and she was not provided with her records in full until March 26, 2021.

The OCR reminds covered entities that the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to provide access to patient records, absent an extension, within thirty (30) days of the request. The OCR did not take kindly to a response 564 days after the request was first made.

These settlements reiterate that the OCR continues to focus on the Initiative and on covered entities’ compliance with patient requests for records. It is timely to revisit processes for responding to patient requests for access to records so that responses are compliant with HIPAA.

FCC Commissioner Brendan Carr asserted that TikTok poses an “unacceptable national security risk” in a letter to the CEOs of Google and Apple urging the companies to remove the app from their mobile app stores. According to Carr, TikTok’s history of “surreptitious access of private and sensitive U.S. user data by persons located in Beijing, coupled with TikTok’s pattern of misleading representations and conduct” should disqualify it under Google’s and Apple’s app store policies.

The popular social media app, owned by the China-based company ByteDance, has attracted criticism from security experts for excessive data collection since its 2016 debut. More recently, watchdogs have accused the platform of giving the Chinese government unfettered access to the data it collects. According to the FCC letter, ByteDance “is beholden to the Communist Party of China and required by Chinese law to comply with the PRC’s surveillance demands.”

TikTok has denied cooperating with government surveillance, but has confirmed that employees in China might access American user data.

View the full letter here.

BRINC, a public-safety drone specialist based in Las Vegas, Nevada, announced the formation this week of the BRINC Global Rescue Network, a program committed to aiding in global humanitarian efforts. The network includes 24 public-safety professionals, military veterans and current and former drone racing league professionals. The team has been deployed to over 55 countries.

BRINC has aided war victims in Ukraine and disaster victims during the Champlain Towers collapse in Florida. Those experiences led BRINC to establish this program for drone rescues, creating a formal system for donating the use of its equipment, staffing and expertise to first responders and government agencies during a natural disaster or humanitarian crisis. This program will reduce the response time for rescues and also aid in faster deployment of drones where and when they are needed most.

This BRINC network will be used for emergency response, personnel recovery, route clearance, downed utilities inspection, rescue in GPS-denied and subterranean environments, reconnaissance of debilitated or structurally unsound buildings, search and rescue, and HAZMAT missions.

On July 18, 2022, the FBI issued an Alert advising consumers that fraudulent cryptocurrency apps have caused more than 244 victims to lose nearly $43 million.

The fraudulent apps that cyber criminals used to steal funds from consumers were presented as banking institutions asking investors to deposit funds, and then not allowing them to withdraw the funds until they paid taxes. After paying the taxes, the investors were unable to access the funds.

The criminals reached out to U.S. investors and convinced them to download fraudulent mobile apps that use legitimate bank names and logos or other apps offering crypto wallets. The customers deposited funds, then the threat actors froze the assets. The named apps include YiBit and Supayos, aka Supay.

The FBI issued the following recommendations and precautions to financial institutions and investors:

“The FBI recommends financial institutions take the following precautions:

  • Proactively warn customers about this activity and provide steps customers can take to report it.
  • Inform customers whether the financial institution offers cryptocurrency investment services or other related services along with methods to identify legitimate communications from the institution to customers.
  • Inform customers whether the financial institution has a mobile application.
  • Periodically conduct online searches for your company’s name, logo, or other information to determine if they are associated with fraudulent or unauthorized activity.

“The FBI recommends investors take the following precautions:

  • Be wary of unsolicited requests to download investment applications, especially from individuals you have not met in person or whose identity you have not verified. Take steps to verify an individual’s identity before providing them with personal information or relying on their investment advice.
  • Verify that an app is legitimate before downloading it by confirming the company offering the app actually exists, identifying whether the company or app has a website, and ensuring any financial disclosures or documents are tailored to the app’s purpose and the proposed financial activity.
  • Treat applications with limited and/or broken functionality with skepticism.”