Tag Archives: Germany

Security News for the Week Ending September 17, 2021

LA Police Collected Social Media Account Info From People They Talked To

I’m sure they were just curious. The LA police watchdog says that officers were instructed to collect civilians’ social media details when they interviewed them, per an email from the Chief dating back to 2015. He said it could be beneficial to investigations and possibly even future outreach programs. These are people who were neither arrested nor cited. I am sure that using people’s email addresses for social outreach is far more effective than, say, Twitter, Facebook or even the 6:00 News. Not. For harassing and scaring people, yes. Credit: MSN

Germany Admits Police Used NSO Group Pegasus Spyware

Testifying before Parliament, Germany’s Federal Police admitted that they used the Pegasus spyware, which can totally own a mobile phone and all the data on it. They said that some features were disabled due to German law. Which features, and how many people were targeted, were not revealed. Likely they are not alone; they just got caught at it. Credit: Security Week

Taliban and China Are Reportedly in Bed Together

China has reportedly sent its best (?) cyber spies to Kabul to help the Taliban hack land lines and mobile calls, monitor the Internet and mine social media. While all governments, including ours, do this, the Taliban is not likely to put any controls on what gets monitored. China has been, US intelligence sources say, wooing the Taliban for years, getting ready for this. One can only assume that the Taliban will reciprocate, such as by giving China access to the stuff we left behind. Credit: Mirror

FTC Says Health Apps Must Notify Consumers About Breaches

In a 3-2 vote, with the two Republicans voting against it, the FTC warned apps and devices that collect personal health information that they must notify consumers if their data is breached. This is designed to specifically address the gap that most apps are not considered covered entities, hence they are not covered by HIPAA. The two Trump appointees who voted against it are not necessarily against having app makers tell users that their data has been compromised, but would prefer to drag the decision out for a few more years while the government goes through its normal bureaucratic rulemaking process. Credit: FTC

Cops Instructed to Play Loud Music to Disrupt Public Filming of Their Activities

Police, or at least some police, do not like being filmed while performing their job. One Illinois police department officially came up with an interesting tactic. While it doesn’t stop people from filming them, it MIGHT cause the videos to be taken down from social media, which seems to be the goal. When they detect someone filming them, they turn on copyrighted music so that it is included in the recording. Most social media platforms have been sued enough that they have technology that detects at least popular copyrighted music, and if it detects it, it removes the post so they don’t get sued. I think it is pretty simple to distort the music a little bit so the filter won’t match while still allowing a listener to hear the interaction with the police. My guess is that if a case like this came to court over copyright, the court would rule in favor of the person filming, but we are talking about the law here, so who knows. Credit: Vice

News Bites for the Week Ending January 4, 2019

Vietnam’s New Cybersecurity Law in Effect

Vietnam’s new “cybersecurity” law which requires companies to remove any content from the Internet that the government finds offensive went into effect on January 1.

It also requires some companies like Facebook and Google to open offices in Vietnam if they want to continue to do business there.

The law prohibits individuals from spreading anti-government information.  The Vietnam Association of Journalists announced a new code of conduct prohibiting reporters from posting anything on the Internet that “runs counter” to the state.

Google has apparently agreed to open an office there, although they are being somewhat sly about it;  Facebook does not seem to have committed to that.

Companies will need to decide if the income from Vietnam is worth the risk.  Source: South China Morning Post.


Android Apps Send Data to Facebook without User Permission

Apparently the Facebook software development kit did not even give app developers the option not to send data to Facebook until a month after GDPR went into effect.

Apps that have not updated their software are likely still sending data, probably without user consent, to Facebook, even if the user does not have a Facebook account.

Some apps send data to Facebook the second they are opened; others, like travel apps, send data to Facebook every time you search for a flight.

Integrating the data from various apps, Facebook could determine your religion (prayer app), gender (period app), employment status (job search app) and travel plans including number of children traveling (travel app).

Example apps are prayer apps, MyFitnessPal, Kayak, Indeed, Spotify, TripAdvisor and others.  The test was against Android apps, so it is not clear if the iOS version of the Facebook SDK does the same thing.

Facebook admitted that they have a problem. Source: Android Police.

Both Facebook and the app developers could be on the hook for GDPR fines of 20 million Euros or 4% of global annual turnover, whichever is higher.
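Pending a user’s consent, the “send data the second the app is opened” behavior described above can be switched off in the app’s manifest. The fragment below is an added example written for this post; it is not code from Android Police or from any of the apps named. The meta-data keys are the ones Facebook’s Android SDK documentation lists for disabling automatic initialization, automatic event logging and advertiser-ID collection (added to the SDK in mid-2018, after the GDPR deadline the post refers to), and the runtime method names in the comments are quoted from memory of that documentation, so check both against the SDK version your app actually ships. The application name and the string resource are placeholders.

```xml
<!-- Added example (not from the original post): two alternative AndroidManifest.xml
     fragments for the same app, shown side by side. -->

<!-- WEAK: only the app id is declared. An SDK version that auto-initializes sends an
     "app activated" event to Facebook as soon as the app process starts, before any
     consent screen is shown, whether or not the user has a Facebook account. -->
<application android:name=".MyApp">
    <meta-data android:name="com.facebook.sdk.ApplicationId"
               android:value="@string/facebook_app_id" />
</application>

<!-- HARDENED: same declaration with auto-init, automatic event logging and
     advertiser-ID collection turned off. The SDK then stays dormant until the app
     explicitly enables it after consent, e.g. FacebookSdk.setAutoInitEnabled(true)
     followed by FacebookSdk.fullyInitialize() (method names assumed from the SDK docs). -->
<application android:name=".MyApp">
    <meta-data android:name="com.facebook.sdk.ApplicationId"
               android:value="@string/facebook_app_id" />
    <meta-data android:name="com.facebook.sdk.AutoInitEnabled"
               android:value="false" />
    <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled"
               android:value="false" />
    <meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled"
               android:value="false" />
</application>
```

The check a practitioner wants is empirical, not declarative: cold-start the app on a test device behind an intercepting proxy and confirm that no request to graph.facebook.com leaves the device before the consent screen is accepted. Older SDK versions ignore these keys entirely, which is exactly the problem the article describes, so the proxy test is what tells you whether the manifest change actually took effect.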

Hackers Leak Private Info on 100s of German Politicians

Hackers leaked sensitive data on German Chancellor Angela Merkel and Brandenburg’s prime minister Dietmar Woidke, along with other politicians, artists and journalists.

Leaked information includes private conversations, photo IDs, credit card information,bills and other personal info.

Germany’s Federal Office for Information Security (BSI), which is investigating this, said that government computers were not affected.  Other than covering their own butts, it is not clear why they would say that, since no one suggested that government computers were being attacked.

This does point out how important it is to protect your phones and tablets: make sure the devices are patched, that the applications on them are patched, and that unneeded applications are removed.  Many older phones no longer receive patches and are therefore vulnerable if people use them to log on to web sites that hold email and other personal info.  Unfortunately, older devices for which there are no patches should be replaced.  Details here.


Lloyd’s of London Denies THEY Were Hacked; Throws Partner Hiscox Under the Bus

As a follow up to a blog post from earlier this week, hackers have now posted a sample of docs related to 9/11 lawsuits reportedly hacked from Lloyds and Hiscox.

Lloyd’s claims that they were not hacked but rather their business partner Hiscox was hacked.

Nice of them to proclaim themselves innocent while throwing their partner under the bus.  No doubt this was an effort to divert lawsuits from them to Hiscox.  I will point out that this likely won’t work, since a client of Lloyd’s has no agreement with, and no ability to select or control, Lloyd’s vendors.  This is yet another reason why we are so adamant about companies implementing robust vendor cyber risk management programs.  Read details here.

Germany Allows Police To Hack Phones, PCs To Get Around Encryption

Last week the German Parliament passed a law that allows police to hack your computer or phone when investigating anything from murder to betting fraud and many other crimes.

How would this work?  It would allow police to covertly install software on your computer or phone that lets them siphon data off the device.  Whether that breaks your phone, or collects data they are not supposed to have, is up in the air.

This is a way to get around the encryption of data and, if done right, is very effective.  Instead of putting a back door in the encryption algorithms, which experts say would weaken protection for everyone, this approach targets only the suspects of crimes, by reading the data on the endpoint where it is already decrypted.  Of course, it means that the police have to figure out how to hack your phone.

When this law goes into effect, the privacy protections German citizens have will be much weaker, because the bar for allowing the police to hack your phone is relatively low.

Germany has had, until now, a pretty high standard for individual privacy after a 2008 decision by the German Federal Constitutional Court.  What is not clear is whether this law will conflict with that ruling and how the high court would rule if asked.

Similar to the U.S. Congress, the German Parliament sneaked the rules into seemingly unrelated bills and amendments and fast tracked those bills through the legislature.

While we have not seen this technique in the U.S. Congress yet, don’t be surprised if it happens.  Look at the current attempt at a new health care bill.  Draft it in secret, even from your own party, and then try to shove it down the throats of the rank and file very quickly.  That has not worked so far with the health care bill, but only because Senators have gotten more than an earful from their constituents.  Absent public interest, these types of bills sail through Congress, and then it is up to the courts to sort out the mess.

Information for this post came from the law firm of Morrison Foerster.