News

Some scholars are inflating their reference counts by sneaking them into metadata:

Citations of scientific work abide by a standardized referencing system: Each reference explicitly mentions at least the title, authors’ names, publication year, journal or conference name, and page numbers of the cited publication. These details are stored as metadata, not visible in the article’s text directly, but assigned to a digital object identifier, or DOI—a unique identifier for each scientific publication.

References in a scientific publication allow authors to justify methodological choices or present the results of past studies, highlighting the iterative and collaborative nature of science.

However, we found through a chance encounter that some unscrupulous actors have added extra references, invisible in the text but present in the articles’ metadata, when they submitted the articles to scientific databases. The result? Citation counts for certain researchers or journals have skyrocketed, even though these references were not cited by the authors in their articles.

[…]

In the journals published by Technoscience Academy, at least 9% of recorded references were “sneaked references.” These additional references were only in the metadata, distorting citation counts and giving certain authors an unfair advantage. Some legitimate references were also lost, meaning they were not present in the metadata.

In addition, when analyzing the sneaked references, we found that they highly benefited some researchers. For example, a single researcher who was associated with Technoscience Academy benefited from more than 3,000 additional illegitimate citations. Some journals from the same publisher benefited from a couple hundred additional sneaked citations.

Be careful what you’re measuring, because that’s what you’ll get. Make sure it’s what you actually want.

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors’ cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks.

But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

“Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

What’s more, Monahan said, Squarespace did not require email verification for new accounts created with a password.

“The domains being migrated from Google to Squarespace are known,” Monahan said. “It’s either public or easily discernible info which email addresses have admin of a domain. And if that email never sets up their account on Squarespace — say because the billing admin left the company five years ago or folks just ignored the email — anyone who enters that email@domain in the squarespace form now has full access to control to the domain.”

The researchers say some Squarespace domains that were migrated over also could be hijacked if attackers discovered the email addresses for less privileged user accounts tied to the domain, such as “domain manager,” which likewise has the ability to transfer a domain or point it to a different Internet address.

Monahan said the migration has left domain owners with fewer options to secure and monitor their accounts.

“Squarespace can’t support users who need any control or insight into the activity being performed in their account or domain,” Monahan said. “You basically have no control over the access different folks have. You don’t have any audit logs. You don’t get email notifications for some actions. The owner doesn’t get email notification for actions taken by a ‘domain manager.’ This is absolutely insane if you’re used to and expecting the controls Google provides.”

The researchers have published a comprehensive guide for locking down Squarespace user accounts, which urges Squarespace users to enable multi-factor authentication (disabled during the migration).

“Determining what emails have access to your new Squarespace account is step 1,” the help guide advises. “Most teams DO NOT REALIZE these accounts even exist, let alone theoretically have access.”

The guide also recommends removing unnecessary Squarespace user accounts, and disabling reseller access in Google Workspace.

“If you bought Google Workspace via Google Domains, Squarespace is now your authorized reseller,” the help document explains. “This means that anyone with access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do. It’s easier to secure one account than two.”

AT&T discloses data breach where hackers accessed customer call logs from a cloud platform in April

Clay County, Indiana, said a ransomware attack has prevented the administration of critical services, leading to a disaster declaration being filed

Advance Auto Parts has confirmed a breach of its Snowflake account will impact millions

NATO members have agreed to develop a new integrated facility to help improve collective cyber-resilience

I didn’t know:

In 1994, Hewlett-Packard released a miracle machine: the HP 200LX pocket-size PC. In the depths of the device, among the MS-DOS productivity apps built into its fixed memory, there lurked a first-person maze game called Lair of Squid.

[…]

In Lair of Squid, you’re trapped in an underwater labyrinth, seeking a way out while avoiding squid roaming the corridors. A collision with any cephalopod results in death. To progress through each stage and ascend to the surface, you locate the exit and provide a hidden, scrambled code word. The password is initially displayed as asterisks, with letters revealed as you encounter them within the maze.

Blog moderation policy.

The NSA has a video recording of a 1982 lecture by Adm. Grace Hopper titled “Future Possibilities: Data, Hardware, Software, and People.” The agency is (so far) refusing to release it.

Basically, the recording is in an obscure video format. People at the NSA can’t easily watch it, so they can’t redact it. So they won’t do anything.

With digital obsolescence threatening many early technological formats, the dilemma surrounding Admiral Hopper’s lecture underscores the critical need for and challenge of digital preservation. This challenge transcends the confines of NSA’s operational scope. It is our shared obligation to safeguard such pivotal elements of our nation’s history, ensuring they remain within reach of future generations. While the stewardship of these recordings may extend beyond the NSA’s typical purview, they are undeniably a part of America’s national heritage.

Surely we can put pressure on them somehow.

When it comes to protecting your privacy, take a close look at your social media use—because sharing can quickly turn into oversharing. 

The term “oversharing” carries several different definitions. Yet in our case here, oversharing means saying more than one should to more people than they should. Consider the audience you have across your social media profiles. Perhaps you have dozens, if not hundreds of friends and followers. All with various degrees of closeness and familiarity. Who among them can you absolutely trust with the information you share? 

And you might be sharing more than you think. Posts have a way of saying more than one thing, like: 

“This is the pool at the rental home I’m staying at this week. Amazing!” Which also tells everyone, “My home is empty for the next few days.” 

“I can’t start my workday without a visit to my favorite coffeeshop.” Which also says, “If you ever want to track me down in person, you can find me at this location practically any weekday morning.”  

One can quickly point to other examples of oversharing. Unintentional oversharing at that. 

A first-day-of-school picture can tell practical strangers which elementary school your children attend, say if the picture includes the school’s reader board in it. A snapshot of you joking around with a co-worker might reveal a glimpse of company information. Maybe because of what’s written on the whiteboard behind the two of you. And in one extreme example, there’s the case an assault on a pop star. Her attacker tracked her down through her selfie, determining her location through the reflection in her eyes.  

The list goes on.  

That’s not to say “don’t post.” More accurately, it’s “consider what you’re posting and who gets to see it.” You have control over what you post, and to some degree, who gets to see those posts. That combination is key to your privacy—and the privacy of others too. 

Three simple steps for protecting your privacy on social media 

1) Be more selective with your settings

Social media platforms like Facebook, Instagram, and others give you the option of making your profile and posts visible to friends only. Choosing this setting keeps the broader internet from seeing what you’re doing, saying, and posting—not to mention your relationships and likes. Taking a “friends only” approach to your social media profiles can help protect your privacy, because that gives a possible scammer or stalker much less material to work with. Yet further, some platforms allow you to create sub-groups of friends and followers. With a quick review of your network, you can create a sub-group of your most trusted friends and restrict your posts to them as needed. 

2) Say “no” to strangers bearing friend requests

Be critical of the invitations you receive. Out-and-out strangers might be more than just a stranger. They might be a fake account designed to gather information on users for purposes of fraud. There are plenty of fake accounts too. In fact, in Q1 of 2023 alone, Facebook took action on 426 million fake accounts. Reject such requests. 

3) Consider what you post

Think about posting those vacation pictures after you get back so people don’t know you’re away when you’re away. Also consider if your post pinpoints where you are or where you go regularly. Do you want people in your broader network to know that? Closely review the pics you take and see if there’s any revealing information in the background. If so, you can crop it out (think notes on a whiteboard, reflections in a window, or revealing location info). Further, ask anyone you want to include in their post for their permission. In all, consider their privacy too. 

Further ways to make yourself more private online 

While we’re on the topic, you can take a few other steps that can make you more private online. In addition to your social media usage, other steps can help keep more of your private and personal information with you—where it belongs: 

• Skip the online quizzes: Which superhero are you? “What’s your spooky Halloween name?” or “What’s your professional wrestler name?” You’ve probably seen quizzes like these crop up in your feed sometimes. Shadily, these quizzes might ask for the name of the street you grew up on, your birthdate, your favorite song, and maybe the name of a beloved first pet. Of course, these are pieces of personal information, sometimes the answer to commonly used security questions by banks and other financial institutions. (Like, what was the model of your first car?) With this info in hand, a hacker could attempt to gain access to your accounts. Needless to say, skip the quizzes.
• Clean up your personal data trail: When was the last time you Googled yourself? The results might reveal all kinds of things, like your estimated income, the names and ages of your children, what you paid for your home, and, sometimes, your purchasing habits. Who’s collecting and posting this information about you? Online data brokers, which gather information from all manner of public records. Beyond that, they’ll also gather information from app developers, loyalty cards, and from other companies that track your web browsing. Data brokers will sell this info to anyone. Advertisers, background checkers, telemarketers, and scammers too. Data brokers don’t discriminate. Yet you can clean up that information with a Personal Data Cleanup like ours. It scans some of the riskiest data broker sites for your personal info and helps manage the removal for you.
• Spend time online more privately with a VPN: A VPN creates an encrypted “tunnel” that shields your activity from cybercriminals so what you do online remains anonymous.​ It helps make you anonymous to advertisers and other trackers too. By encrypting your web traffic requests, a VPN can hide your search habits and history from those that might use that info as part of building a profile of you—whether that’s for targeted ads or data collection that they might sell to brokers for profit. Comprehensive online protection software like ours includes one. 

More privacy partly comes down to you 

Granted, “social” is arguably the opposite of “private.” Using social media involves sharing, by its very definition. Yet any oversharing can lead to privacy issues.  

Maybe you want close friends to know what’s going on, but what about that so-so acquaintance deep in your friends list? How well do you really know them? And to what extent do you want them to know exacting details about where you are, where your kids go to school, and so on? Those are questions you ultimately must answer, and ultimately have some control over depending on what you share on social media. 

Also important to consider is this: if you post anything on the internet, consider it front page news. Even with social media privacy settings in place, there’s no guarantee that someone won’t copy your posts or pics and pass them along to others. 

The flipside to the topic of social media and privacy is the platform you’re using. It’s no secret that social media companies gather hosts of personal information about their users in exchange for free use of their platforms. Certainly, that’s a topic unto itself. We cover what social media companies know about you in this article here—along with a few steps that can help you limit what they know as well. 

When it comes to your privacy and social media, it depends largely on how you use it. How you use various privacy and audience settings offers one way to manage it. The other is you and the information you put out there for others to see. 

The post How to Help Protect Your Online Privacy appeared first on McAfee Blog.

Update:

AT&T announced a cybersecurity breach on July 12th that exposed call records and text data for a significant portion of its customer base. This includes customers on mobile virtual network operators (MVNOs) that use AT&T’s network, like Cricket, Boost Mobile, and Consumer Cellular.

The compromised data covers a period between May 1, 2022, and October 31, 2022, with a small number of records from January 2, 2023, also affected. According to AT&T, hackers gained access through a third-party cloud platform account, similar to breaches at Ticketmaster and Santander Bank.

What Information Was Exposed?

The stolen data reveals the phone numbers customers communicated with, along with the frequency and total duration of calls/texts for specific periods. However, AT&T assures customers that the content of calls or texts, timestamps, Social Security numbers, dates of birth, or other personal details were not compromised.

What AT&T is Doing

AT&T claims the data isn’t publicly available and has secured the access point used by the hackers. They’re collaborating with law enforcement to apprehend those involved, with one arrest already reported. AT&T will notify affected customers and offer resources to protect their information.

This incident follows a previous leak earlier this year that exposed data of over 70 million AT&T customers, details of that leak can be found below.

AT&T, one of the largest telecom giants, recently acknowledged a significant data leak that has affected millions of its customers. The leaked dataset, which includes personal information such as names, addresses, phone numbers, and Social Security numbers, has raised concerns about privacy and security. In this blog post, we will provide an overview of the situation, explain the steps AT&T is taking to address the issue, and offer guidance on how you can protect yourself.

The Data Leak: AT&T has confirmed that the leaked dataset contains information from over 7.6 million current customers and 65 million former customers. The compromised data may include full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers, and passcodes. The company has reset the security passcodes of affected active customers.

AT&T’s Response: AT&T is actively reaching out to affected customers via email or letter to inform them about the data that was included in the leak and the measures being taken to address the situation. The company has also initiated a thorough investigation, working with external cybersecurity experts to analyze the incident. So far, there is no evidence of authorized access to AT&T’s systems resulting in data exfiltration.

Protecting Yourself: If you are an AT&T customer, it is crucial to take steps to protect yourself from potential fraud or identity theft. AT&T recommends setting up free fraud alerts with credit bureaus Equifax, Experian, and TransUnion. These alerts can help notify you of any suspicious activity related to your personal information. Additionally, consider implementing the following measures:

1. Monitor Your Accounts: Regularly review your bank statements, credit card statements, and other financial accounts for any unauthorized transactions.
2. Change Passwords: Update your passwords for all online accounts, including your AT&T account. Use strong, unique passwords and consider using a password manager to securely store them.
3. Enable Two-Factor Authentication: Enable two-factor authentication whenever possible to add an extra layer of security to your accounts.
4. Be Cautious of Phishing Attempts: Stay vigilant against phishing emails, calls, or texts that may try to trick you into revealing sensitive information. Be skeptical of any unsolicited communications and verify the source before sharing any personal data
5. Enroll in an Identity Monitoring service. McAfee+ can help keep your personal info safe, with early alerts if your data is found on the dark web. We’ll monitor the dark web for your personal info, including email, government IDs, credit card and bank account numbers, and more

McAfee+ automatically monitors your personal data, including your:

✓ Social Security Number / Government ID
✓ Driver’s license number
✓ Passport number
✓ Tax ID
✓ Date of birth
✓ Credit card numbers
✓ Bank account numbers
✓ Usernames
✓ Insurance ID cards
✓ Email addresses
✓ Phone numbers

AT&T’s data leak is a concerning incident that highlights the importance of safeguarding personal information in the digital age. By staying informed, taking proactive measures to protect yourself, and remaining vigilant against potential threats, you can minimize the risk of falling victim to fraud or identity theft. Remember, your privacy and security are paramount, and it’s crucial to stay one step ahead of cybercriminals.

The post UPDATED: AT&T Data Leak: What You Need to Know and How to Protect Yourself appeared first on McAfee Blog.