Week in security: Home Depot speaks, Gmail and Android ‘leak’

This week, American chain Home Depot admitted its systems had been breached, Gmail users got a fright, and a series of videos showed leaks in Android chat apps. Meanwhile, Facebook freaked out the world.... again.

American home-improvers haven’t had a great week, with Home Depot once again dominating the security news – and this week, Android and Gmail users have had things to fret over, too. On the home improvement front, not only has Home Depot confirmed that there was a large-scale data breach at the world’s largest home improvement chain, the indefatigable security reporter Brian Krebs uncovered evidence of PIN-protected debit card information stolen in the breach being used for large-scale fraud, due to weak protection against criminals changing PIN codes by phone using basic information such as ZIP codes.

Meanwhile, University of New Haven researchers tormented Android chat app users all week, with a series of videos showing just how leaky chat apps on the platform could be: a dozen apps were shown to have serious privacy issues, including big names such as Instagram, OoVoo, OKCupid and Grindr.

Many Gmail passwords were changed in a hurry, too, as a dump of five million usernames and passwords appeared online. Things turned out not to be QUITE as bad as they seemed, but it might be time to change that dusty old password anyway…

Security news: Home Depot tops the bill, again

The news for anyone who’s shopped in Home Depot’s American stores, and used plastic, started bad, and is just getting worse and worse.

This week, the world’s largest home improvement chain store, Home Depot, confirmed a data breach affecting Home Depot credit cards and debit cards used in stores on the American mainland, which may have continued since April.

Reports by security reporter Brian Krebs broke the even more unwelcome news that large-scale fraud is being perpetrated with stolen debit cards, with $300,000 withdrawn from one bank in under two hours, using what appeared to be debit card numbers used in Home Depot.

In an official release, the company said that anyone who used a payment card at a Home Depot store since April 2014 may have been affected, and the chain is to offer free identity protection and credit monitoring to such customers. Customers who shopped online or in Mexico have not been affected, the chain said in an official release.

ESET senior security researcher Stephen Cobb offers an important reminder about who the real villains are in such hacks: it’s not the beleaguered corporations themselves, but the criminals who install malware in shop POS terminals to steal from the innocent. In a thoughtful blog post, Cobb analyzes where guilt REALLY lies in both the recent leak of celebrity photos and the Home Depot hack.

Gmail: Passwords leaked online, but service ‘not hacked’

Users of Google Mail got a fright earlier this week when a dump of what appeared to be five million username-password combinations for the site appeared online on a Russian Bitcoin security forum.

The truth, however, wasn’t quite as bad as it appeared: although if you haven’t changed your Gmail password in years, it might be worth a quick refresh.

Google pointed out in an official statement that less than 2% of the leaked passwords actually worked – although, as Forbes points out, that’s still 100,000 passwords which do – and that there was speculation that the list had simply been cobbled together from hacks on other sites where a Google address was used as the login.

ESET senior security researcher Stephen Cobb wrote, “The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.”

“A website called isleaked.com appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site —Have I been pwned — which is run by Troy Hunt, a trusted Microsoft MVP.”

Chat apps fingered for leaking data

Chat apps on Android are not a particularly good way to have a genuinely private conversation, it seems – University of New Haven researchers spent the week drip-feeding a series of videos showing serious security flaws in everything from Instagram to OoVoo and from OKCupid to Grindr.

With many of the most popular chat apps on Android affected, tech news site CNET calculates that nearly a billion (968 million) users could be putting highly private data in the hands of apps that transmit and store it unencrypted.

Many of the Android apps (the researchers focused on Android rather than iOS, although there is no evidence the iOS apps behave differently), send text wirelessly unencrypted, and store images on servers for weeks without encryption or authentication.

The researchers used PC ‘sniffer’ software such as Wireshark and Network Miner to monitor the data transmitted by the apps, and found images and text transmitted and stored unencrypted – and potentially at risk from snoopers.
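The kind of check the researchers ran in Wireshark can be reduced to a small triage script. The following is an added example, not code from the article or from the University of New Haven team: it scans a list of constructed app flows (client, server, first bytes of payload), tells TLS handshakes apart from cleartext HTTP by their leading bytes, and reports which cleartext requests carry a body. The sample flows, hostnames and request paths are all made up for the demonstration.

```python
# Added example (not from the article): triage of captured app flows for
# cleartext submissions, the check a Wireshark review does by eye.
import re

# Constructed sample flows: (client, server:port, first bytes of the payload).
SAMPLE_FLOWS = [
    # TLS ClientHello: record type 0x16 (handshake), version 0x03 0x01
    ("10.0.0.5", "203.0.113.10:443",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # Cleartext HTTP POST carrying a chat message in the body
    ("10.0.0.5", "203.0.113.20:80",
     b"POST /api/message HTTP/1.1\r\nHost: chat.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"to=bob&text=meet+at+8"),
    # Cleartext HTTP GET fetching a stored image, no body
    ("10.0.0.5", "203.0.113.30:80",
     b"GET /uploads/img_1234.jpg HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")


def classify_payload(payload: bytes) -> str:
    """Return 'tls', 'http-cleartext' or 'unknown' from the first bytes of a flow."""
    # A TLS record starts with a content type byte; 0x16 is a handshake.
    # The next two bytes are the record version, 0x03 0x00 .. 0x03 0x04.
    if (len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04)):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http-cleartext"
    return "unknown"


def cleartext_findings(flows):
    """List every cleartext HTTP request with its host, request line and body size."""
    findings = []
    for client, server, payload in flows:
        if classify_payload(payload) != "http-cleartext":
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        host_match = re.search(rb"^Host:\s*(\S+)", head, re.M | re.I)
        host = host_match.group(1).decode("ascii", "replace") if host_match else "?"
        findings.append({
            "client": client,
            "server": server,
            "host": host,
            "request": request_line,
            "body_bytes": len(body),
            "has_body": len(body) > 0,
        })
    return findings


if __name__ == "__main__":
    for f in cleartext_findings(SAMPLE_FLOWS):
        flag = "BODY SENT IN CLEAR" if f["has_body"] else "cleartext request"
        print(f"{f['server']:>18} {f['host']:<14} {f['request']}  [{flag}]")
```

Only the first bytes of each flow are inspected, which is enough to separate TLS from plain HTTP but says nothing about whether the TLS side validates certificates; that is a separate check. On a real capture the flows would come from a pcap reader such as pyshark or scapy rather than the constructed list above.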

Facebook freaks out world… again

A simple case of mistaken identity? Or a dark hint at what Facebook’s algorithms might be able to do? The answer might well be both, after a young data scientist was mistakenly ‘tagged’ in a series of photos he’d posted – of his mother as a young woman.

The case raised several intriguing questions: for instance, if genetic similarities are enough to trigger mistaken identity, could Facebook’s algorithms identify someone who had never used the site?

And could the biometric identification systems in use by law enforcement mistake someone for a relative?

Fred Benenson, who was mistaken for his (very similar-looking) mother, said that the “oddly compelling” incident “opens the door to larger and more difficult questions,” according to a report in The Verge.

Clearly in this case, they made an error, Fred Benenson, a data scientist at KickStarter, says, but he said the case raises serious questions: “What about the cases where this algorithm isn’t used for fun photo tagging?”

“What if another false positive leads to someone being implicated for something they didn’t do? Facebook is a publicly traded company that uses petabytes of our personal data as their business model — data that we offer to them, but at what cost?”

NEC’s Neoface biometric software is already being used by police forces in the U.S. and the UK to identify people from video footage, as reported by We Live Security.
