Lenovo Settles Over Adware, Contractor Exposes Vets' Resumes, and Hackers Sell Big-Time Instagrammers' Info

In case you missed what happened last week besides the Equifax breach, here's a roundup from Threatwatch, Nextgov's regularly updated index of cyber incidents.

Lenovo Settles with FTC over Security-Disabling Adware

Chinese technology company Lenovo settled a lawsuit with the Federal Trade Commission and 32 states over preinstalled adware that compromised some laptop users’ security, the agency announced Sept. 5.

The FTC said the adware was installed on hundreds of thousands of laptops and operated without consumers’ consent or knowledge.

According to FTC, in 2014 Lenovo started installing a man-in-the-middle software called Visual Discovery made by SuperFish. The software circumvented the user’s browser security protocols—even for encrypted websites—to serve up pop-up ads. Visual Discovery could also collect the information a user entered into a webpage, like names, addresses and more sensitive information such as Social Security numbers and payment information, though FTC said Visual Discovery collected “more limited” information.

This vulnerability, however, could have been exploited by other parties because Visual Discovery swapped out the digital certificates that authenticate websites for its own, a practice that would prevent users from getting a warning about spoofed or possible malicious websites. The affected laptops also had the same “easy to guess” password.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen Ohlhausen said in a statement. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The settlement requires Lenovo get consumers’ “affirmative consent” before preinstalling software that serves ads in users’ web browsers. The company must implement a comprehensive software security program for most preloaded software for 20 years and is subject to third-party review.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” said a Lenovo statement. The company also said it stopped installing the software in early 2015 and worked with anti-virus makers to disable and remove it from existing laptops.

9,400 Veterans' Resumes Sent to Military Contractor Exposed

Sensitive details, including security clearance levels and past operations, about thousands of U.S. veterans were left publicly available by the misconfigured cloud storage of a private security firm.

Cybersecurity firm UpGuard discovered 9,402 resumes for positions at North Carolina-based TigerSwan, a service-disabled veteran owned company that provides a variety of global security services. TigerSwan has worked as a Defense and Homeland Security department contractor and faces a lawsuit over its role surveilling the Standing Rock protests against the Dakota Access Pipeline.

Most of the resumes include details about U.S. military veterans, but also intelligence officers, government contractors, law enforcement and some Iraqi and Afghan nationals who worked as translators for coalition forces. Details include the kind of contact information expected on a resume, but others feature passport numbers, Social Security numbers and driver’s license numbers, UpGuard said.

UpGuard said it notified TigerSwan about the leak in July and multiple times after. TigerSwan said in a Sept. 2 statement that UpGuard’s initial contacts seemed like phishing attempts and “not considered credible” because TigerSwan didn’t use Amazon Web Services. The files remained unsecure for a month until UpGuard contacted AWS and the AWS client removed them in late August.

TigerSwan reached back out to UpGuard when reporters started calling. TigerSwan said the AWS bucket had been operated by a recruiting services provider, TalentPen, whose contract it had terminated in February.

“TalentPen never volunteered this information about their actions to us and only admitted it when we reached out to them after talking to Upguard on August 31st, over a week after they secretly removed the resume files,” the company said.

In recent months, UpGuard has discovered several unsecure AWS buckets, including at Verizon and the data analytics firms used by the Republican National Committee, exposing the data of 6 million Verizon customers and almost 200 million voters, respectively.

Hackers Want to Sell Personal Info of Cristiano Ronaldo, POTUS and Other Instagrammers

Instagram’s battle against hackers attempting to sell personal information attached to some high-profile accounts has turned to registering domain names.

Instagram acknowledged Sept. 1 a security flaw that could be used to access users’ email addresses and phone numbers that were not publicly available. Then Doxagram popped up, a website with a searchable database of alleged personal information from Instagram, The Daily Beast reported. The hackers behind it claimed to have 6 million accounts, including those with millions of followers like soccer star Cristiano Ronaldo, the president of the United States’ official account and other celebrities. They charge $10 per search.

The website went offline Friday, according to The Verge, but Instagram is trying to stop the spread of data.

Instagram and its parent company, Facebook, are registering hundreds of doxagram-related domains—such as .org, .lol and .website—in an attempt to limit the hackers' options, The Daily Beast reported Sept. 5. The Doxagram operators keep sharing new domains on Twitter but also opted to launch a dark web version of their site, which doesn’t require a domain name company.

“Out of an abundance of caution, we encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts, or emails,” Instagram Co-founder and Chief Technology Officer Mike Krieger wrote in a blog post.