Tag Archives: Privacy

Security News for the Week Ending October 29th, 2021

Smartphone Counterespionage Tips for Travellers

Most people say “who would be interested in me?” but the reality is that foreign governments track Americans for a variety of reasons, both good and bad. Read this article to find some tips that could keep you below the radar and your information safer.

Are Surveillance Cameras the Answer to Worker Productivity?

ZDNet wrote a story this week about a boss who texted an employee at night about what the boss perceived was employee laziness. Apparently the boss was completely uninformed and when the employee pointed out what was really happening, the boss doubled down. The employee told the boss to take his job and shove it. That doesn’t mean that management should ignore what they think they see, but as we are seeing in this recovery after the pandemic shutdowns, employees seem a lot more empowered and your employees may tell you to shove it. Read the details here.

State Department Recreates Cybersecurity Effort After Trump Disbanded it

Cybersecurity will be a core part of the State Department’s mission with the new Bureau of Cyberspace and Digital Policy. Congress forced the issue by legally creating the bureau after Trump eliminated the position of cyber coordinator at State. State will also add 50% to its tech budget and create new civil service positions. Credit: Dark Reading

Britain’s Privacy Commissioner Calls for More End to End Encryption

Britain’s privacy protection agency, the ICO, has called for video conferencing companies to implement end to end encryption at the same time that police and politicians are calling for the elimination of any secure end to end encryption. The ICO attempted to do some spin after the fact, but their statement still stands. Police say that having to get warrants to obtain information is inconvenient for them. This follows last year’s call by British, Canadian, Australian, Chinese, Swiss, Gibraltarian and Hong Kong data protection regulators also asking for end to end encryption. The police have vocally asked for a master decryption key because, of course, you can trust them. This week the master encryption key used to secure Covid passports in the EU was publicly exposed. Covid vaccine passports for Adolf Hitler and Mickey Mouse have been found and fake Covid passports signed with this key are now available on the web. Not to worry, if we give the thousands of police agencies access to these keys, I am sure this would never happen. Credit: The Register

Proton Wins Swiss Appeal Over Surveillance Rules

Weeks after Proton Mail was forced to capture the IP address of a user after receiving a Swiss subpoena, they won a different court battle. Swiss courts had earlier ruled that companies like Whatsapp and Zoom were not Internet providers and did not have to maintain surveillance records of their users’ actions, but for some reason, the Swiss Post thinks that Proton does have to. The appeals court said no to that and remanded the case back to a lower court to “change their mind”, so to speak. Credit: Cybernews

Google Reveals Data It Captures

Since Apple doesn’t make a lot of money by selling your data to others (or selling targeted ads to others based on data that it captures), it loves poking Google in the eye about its data collection practices.

Apple required “privacy nutrition labels” by vendors, including themselves, for all new releases of software distributed in the app store as of December 8th of last year.

Google’s response was to stop updating its software. Some people said that was because Google didn’t want to tell people what they were collecting. I suspect that it is more likely that Google was trying to figure out exactly what data they were collecting.

Here is an example of some of the data that Google collects:

This is an effort on Apple’s part to give people more information and help them understand whether they want to use an app or not. But this is not where Apple is stopping, and the next step will hurt Google (and others) even more.

The graphic below compares the data the search engine Duck-Duck-Go collects with the data collected by Google Chrome and the Google App. Even at a glance, the number of bullets alone shows the difference between Duck-Duck-Go and Google.

Starting with iOS 14, all apps will not only have to tell users what data they are collecting but also get their permission to do it – what is known as “OPT-IN”. Opt-in is the advertiser’s nightmare. Basically, it requires the advertiser to say to the user “we want to collect, store forever and sell all this data we collect about you and your browsing or other habits, use it however we want without telling you how, not give you any control over that and in exchange – in exchange we are going to give you this app or maybe shove a bunch of ads in your face that you don’t want to see”.

In fairness, if you say no you will still see ads – they just won’t be targeted to you.

This means that the companies won’t be able to get as much money for those ads since the advertisers won’t know who those people are that are seeing those ads. WHAT IS UNKNOWN IS HOW MANY PEOPLE WILL ACTUALLY OPT IN.

Add to that, consumers have to trust app makers to tell the truth. After all, what is the downside if you lie? If Apple finds out, they could ban you from the App Store.

In iOS 14.5, Apple will require apps to get your permission to track you across other apps and websites. Apple has something called an ID for advertising, or IDFA. Using the IDFA, suppose Facebook showed you an ad for, say, a phone and you did not click on it, but you went to Google, searched for that phone, and then bought it.

That vendor has your IDFA, can share it with Facebook, and then Facebook gets credit for an ad that was converted to a sale.

All this goes away, in stages, with iOS version 14 and 14.5 if the user does not opt in.

The reason this is a problem for Google and other advertisers is that users usually choose the default. The default is that if I don’t do anything, I effectively opt out and Google and the advertisers can’t target me.

That alone might be a reason to buy an iPhone.

Don’t expect Google to do that on Android any time soon. Or ever.

Credit: The Hacker News

A Bridge Too Far?

Okay, gonna do some local humor. What bridges are these?


The first one is the Verrazzano-Narrows Bridge between Brooklyn and Staten Island. The second one is the Tappan Zee Bridge between Tarrytown (NY) and Nyack. Neither of these are a bridge too far and both of which I have traveled over many times.

But New York is following in the footsteps of California and State Sen. Leroy Comrie has introduced the “It’s Your Data Act” (SB 9073). Who knows if it will pass but it sounds a lot like CCPA/CCRA/GDPR.

In particular it:

  1. Amends New York’s civil rights law to create a new “right of privacy”. That is something Facebook would be thrilled about.
  2. It also would amend the state’s general business law to add features similar to these other privacy laws.
  3. Like CCPA, it would affect businesses with more than $50 million in revenue -OR- who buy/sell/disclose information on more than 50,000 consumers, households or devices -OR- who derive more than 50% of their revenue from selling your data.

It requires businesses to disclose:

  1. Your rights as a consumer
  2. Categories of sources from which information was collected
  3. Categories of third parties with whom your data is shared
  4. Length of time information is retained
  5. And several more rights

The retention disclosure requirement is new to New York and does not exist in CCPA or CCRA.

Among consumers’ new rights are:

  1. Right to deletion
  2. Access to retained personal information
  3. Access to disclosure of personal information to third parties
  4. Consent to additional collection or sharing of personal information
  5. Right to not be discriminated against for exercising these rights

Unlike California’s law, it requires reasonable security practices and procedures to protect that information (reasonable to a jury, that is).

Lastly, unlike CCPA, which only allows for a private right to sue a business in case of a breach, the IYDA proposes that same $750 damages (or more if actual damages are more) per consumer, per violation FOR ANY VIOLATION OF THE LAW BY A BUSINESS. That could change the equation of whether it is cheaper to be breached than be secure.

Of course, bills come and go and change a lot, so do not assume that this is what it will look like IF and WHEN it comes out the other end.

Businesses need to rethink the relationship they have towards security and privacy practices because even if this bill does not become law, others like it will. There was another bill introduced in New York earlier this year that proposed that companies that collect your data would have a fiduciary responsibility around using and protecting that data.

In light of that bill, is the IYDA a bridge too far? Seems pretty tame by comparison. Credit: JDSupra and Hinshaw Law Firm

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy, first this is a rumor – a likely accurate rumor, but a rumor, and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work and if, say, 50% of people agree with that, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces costs, improves its environmental image and gets many people to buy unbundled, high margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs because they might enable advertisers to track users. This only applies to Safari, the default browser on Apple devices, which represents 17% of web users, and since Apple doesn’t make its livelihood by selling people’s data, it is a win-win. It doesn’t cost Apple anything and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen userids and passwords. Fourteen companies’ worth of breached databases from 2020 represent 130+ million userids. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more. That is just from the first 6 months of this year. In case that is not enough, the broker is selling a number of older databases. Beware of password reuse (also called credential stuffing) attacks, where hackers try those leaked passwords on other sites. Credit: Bleeping Computer

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matters protesters so that (police) could track their movements and also sold location data on evangelicals so that the (Trump campaign) knew whether people who were favorable to them had not voted so that they could get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who they sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed Denial of Service attacks jumped more than 500% between fourth quarter last year and first quarter of this year and more than 250% year to year according to NexusGuard. Likely this is due to work from home. The attacks are going after businesses and ISPs. Are you ready? Credit: Dark Reading

Tips to Keep Remote Workers Safe (Safer)

As my son likes to say, nothing is bulletproof – it all depends on the size of the bullet. Likewise, nothing is 100% secure (except the computer that has never been taken out of the box), but your actions can improve the odds dramatically.

Here are some recommendations from Dark Reading.  Most people will pick and choose from this list, but pick some today and then come back in a week or a month and pick a few more.  Remember, you are just trying to make life hard enough for the bad guys that they hack someone else.

So here are the tips:

  1. When working remotely, use two computers – one for work and one for personal stuff.  Besides the fact that malware on one might not infect the other, there are many other reasons that you might want to do this (like not wanting your boss to snoop on your personal stuff or backup your nude selfies on the company backups).
  2. Use only approved software on your company computer – many companies won’t let you install other software but many do let you.  There is a reason they approve the software that they do;  it goes through a vetting process.  It might be inconvenient, but so is getting breached.
  3. Don’t rely on a consumer-grade router, Wi-Fi hotspot or Firewall – I could go on all day about this one.  If your router, Wi-Fi or firewall is provided by your home Internet provider, you can assume that it is the best equipment that your provider can buy for $5 or $10.  Some Internet providers require that you use their equipment but there are no rules that say that you can’t put your own  firewall between the box your Internet provider uses and your computers.  That is what I do.  My firewall cost me $200.  But it runs the same software that you use in your office.  This is a case of you get what you pay for.  My Internet provider has not patched their firewall since 2013.    I am sure that there were no bugs fixed in the last 6 years.
  4. Ensure that your Firewall is configured securely – Your Internet provider will configure any equipment that they provide to minimize the number of support calls that they get.  That saves them money.  If that happens to make things more secure, that is a coincidence.  Mostly, it will make things less secure.  YOU are responsible for the security of your home network.
  5. Connect to your corporate network using a VPN – Using a VPN will definitely improve the security of your connection.  If you are a techie and you manage cloud servers from home, use a VPN connection to manage those as well.  Again, many free VPN services are worth exactly what you pay for them.  And some of them are even run by China – I am sure those are very secure.
  6. Be wary of public Wi-Fi – I am sure that your local coffee shop has all the best intentions when they offer you FREE Wi-Fi, but again, you get what you pay for.  Their IT department likely manages the network in between grinding and serving coffee.
  7. Harden your wireless access point(s) – There are lots of ways to improve the security of your Wi-Fi, especially when you are located in a high density location.  A friend of mine lived in New York and never paid for Internet, he only mooched off neighbor’s Wi-Fi.  Wi-Fi 6 is coming soon as is WPA-3.  Both will improve your security but both will require either software or hardware upgrades.
  8. Keep a very close watch on your stuff when you travel – I recently did a TV interview discussing a poor fellow who got his credit cards stolen while he was in the grocery store.  90 minutes later the crooks had racked up $23,000 worth of charges on his cards.  Hotel rooms and hotel safes are notoriously insecure.  If you don’t need to take it when you travel LEAVE IT AT HOME!  Otherwise, secure it as best you can.
  9. Update system and software patches regularly – this includes your phone and your tablet, in addition to your computer and ONLY update from a secure location – NEVER from public Wi-Fi.  Note that this includes all of your apps in addition to your operating system.
  10. Update your system’s firmware – do you even know what firmware is?  It is the software that runs the software that you see.  Almost nothing is done in pure hardware these days.  That includes updating the firmware in your firewall, router, Wi-Fi and especially your phone.  Some equipment can be configured to automatically update (Apple is really good about this) and while that might occasionally cause problems, overall, auto-update is the way to go.

Come back tomorrow for more tips.  That’s all for now.

Survey Says: Americans Concerned About Data Collection Practices

Well maybe not concerned enough to change their practices, but concerned.

When asked if their data is more secure, less secure or about the same as compared to five years ago, 70 percent said their data was less secure.  6 percent said it was more secure.

On the side of “gee, you mean I have to do something about it?”, 97 percent say they are asked to approve privacy policy notices, but only 9 percent say that they always read them and another 13 percent say they often read them.  That means that three-quarters of the users don’t read what they are agreeing to.  38 percent say they sometimes read the policies and 36 percent say they never read them.

Of those people who say that they at least sometimes read the privacy policies, only 22 percent say they read them to the end.

On top of that 63 percent said that they know very little or nothing about the privacy laws that protect them.

When it comes to being tracked, 72 percent said that all, almost all, or most of what they do on their phone is being tracked with an additional 19% saying that some of what they do is being tracked.  That leaves 9 percent who think that they are not being tracked. Hmm?

47 percent think the government is tracking them.

69 percent feel that their offline behavior including where they are and whom they are talking with – OFFLINE – is being tracked by the government.

84 percent say that they feel that they have little to no control over the information that the government collects and 81 percent feel the same way about information companies collect about them.

81 percent of the people think that the risks of data collection about them outweigh the benefits and 66 percent say the same thing about government data collection.

72 percent say they personally benefit very little or not at all from the collection of their data by companies and, even more surprisingly, 76 percent say that they don’t get much benefit from government data collection.

Certainly an interesting set of information, which could explain why there was so much support for privacy legislation in a variety of states.

You can find more information about the Pew report here.