Tag Archives: Privacy

Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible data breaches in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing, telemarketing and video surveillance.  Source: Bleeping Computer.


1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019, many major DNS resolver vendors are going to release upgrades that will stop supporting many DNS band-aids that have been implemented over the years to allow non-compliant DNS software to work – albeit slowly.  Major DNS providers such as Google, Cisco, Quad 9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS vendor does not operate a fully 1987 or 1999 compliant DNS service, your web site will go dark to users of these major DNS resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes then there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay.
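The 1999 standard the post refers to is EDNS0 (RFC 2671), and what the Flag Day site checks is whether an authoritative server answers queries that carry an EDNS OPT record. The script below is an added example, not code from the original post or from the DNS Flag Day project: it builds such a query, parses the reply for an OPT record, and includes two constructed replies (a compliant one and one from a server that ignores EDNS) so the parser can be exercised offline. The 192.0.2.1 address and the example.com data are constructed; point check_edns only at a server you operate.

```python
import socket
import struct

# Added example, not code from the original post: build a DNS query carrying an
# EDNS0 OPT record and check whether the reply honours it.  Flag Day resolvers no
# longer retry without EDNS, so a server that drops or ignores such queries is
# exactly the failure this check is meant to surface.
OPT_TYPE = 41        # RR type of the EDNS0 OPT pseudo-record
UDP_SIZE = 1232      # UDP payload size advertised in the OPT record

def build_edns_query(name, qtype=1, txid=0x1234):
    """Recursive query for `name` with one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-RCODE/version/flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_SIZE, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def response_has_opt(msg):
    """True if the reply carries an OPT record, i.e. the server speaks EDNS."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                   # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return True
        off += 10 + rdlen
    return False

def check_edns(server_ip, name, timeout=3.0):
    """Live check against a DNS server you operate; returns a short verdict."""
    query = build_edns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: EDNS query dropped (fails Flag Day)"
    return "EDNS OK" if response_has_opt(reply) else "no OPT in reply: EDNS ignored"

# Constructed reply for example.com: one A record (192.0.2.1) plus an OPT record.
SAMPLE_REPLY_EDNS = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)                     # question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # A record
    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_SIZE, 0, 0))                 # OPT record
# Same reply from a server that silently ignores EDNS: no OPT, ARCOUNT = 0.
SAMPLE_REPLY_NO_EDNS = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_REPLY_EDNS[12:-11]
```

A timeout from check_edns is the case the Flag Day change makes fatal: the old resolver workaround of retrying without EDNS is gone, so the domain simply stops resolving.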


Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Protection Act was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try. Source: The Recorder.


Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that the Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try to create disinformation when it serves their interests.  Source: NBC.


FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have gotten U.S. court approval to infiltrate a North Korean botnet to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by antivirus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source: Ars Technica.



Facebook 0, Apple 1; Google is Collateral Damage

You would think that in light of all of the negative publicity that Facebook has had, it would rein in some of its worse practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect.  The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan) Apple banned the product from the iWorld.

Well Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple store, in part to protect users and in part so that Apple can control developers.  But, in order to get enterprises to allow employees to use iPhones for work, Apple created an enterprise signing certificate.  According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app to users age 13 to 35 where Facebook paid users up to $20 a month plus referral fees to install an app called Facebook Research.  Under the hood, it is just Onavo Protect that collects all of a user’s Internet activity so that they can better target that high value demographic.  To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate.  Not only did this shut down the Facebook Research app, but it also shut down any iPhone apps that Facebook was using internally to run its business.  This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly, and Apple also revoked their enterprise cert.  Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook.  Google shut down the service and apologized before Apple whacked them.  Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them.  Some Congress-people are suggesting a new law may be required.  Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month.  Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth.  There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults think that selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month is a good deal, I guess that is okay, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them;  they wouldn’t keep that data.  Or use it.  Or sell it.

Definitely a case of buyer beware.

Information from the post came from Apple Insider, here and here.


Smart Home Manufacturers Won’t Say if They are Giving Your Data to the Feds

From a sales and branding perspective, the last thing that smart home device manufacturers (think Amazon Echo, Google Home, Apple HomePod and a raft of others) want you to worry about is whether the Feds are snarfing up your data.

We do know of a few highly publicized cases, like asking for smart water heater data in a murder case, Fitbit data used to charge a 90-year-old man with murdering his stepdaughter, and a few others, but at least as far as media coverage is concerned, this has not been in the news much.

So Tech Crunch went to a number of players to ask them.  Here is some of what they got:

  • Google’s Nest says it has responded to government requests about 300 times (a pretty small number) since 2015 and has not received any national security letters.  Yet.  Google is the only vendor that currently publishes numbers.
  • Amazon won’t say.  They are burying the requests for Echo data deep in other reports so you can’t tell and has no plans to impact sales by telling you.
  • Facebook also says that it will bury the data for its Portal device and wouldn’t say if it will ever break that data out.
  • Google would not comment on requests for Google Home data and instead tried a sleight of hand and said “look at our Nest data”.
  • Apple said there would be nothing to report regarding HomePod because all requests are given a random identifier (such as an IP address?   Nice try Apple!) that can’t be tied to a person.  An IP address might not tie directly to a person, but it does tie directly to a household.
  • Ring refused to answer the question and said they require a legal demand.

Bottom line, everybody is dodging and weaving, so I think it is reasonable to assume that the cops are asking them for data.  Probably a small amount right now because smart homes are still a very small niche, but as it goes more mainstream, expect more requests.  And, probably, no more transparency, at least at first.

So what should you do?

The first question is: do you care?  The second is, well, exactly what data are they collecting?  We know a couple of TV makers (Vizio and Samsung, I think) paid multi-million dollar fines for snooping.

Will vendors decide to collect more data or less data over time?

We don’t know and the vendors aren’t saying.  Assume the worst.  Probably a safe bet.

Assuming you care, there are limited things that you can do.

For things like smart TVs, there is no easy way to turn off the recording of you.  Vizio was required to notify customers that they should not say anything sensitive in the same room as the TV.  So, watch TV in silence.

Check for devices with on-off switches.  Check the vendor’s policy statements.  That’s not a guarantee of anything, but better than nothing.

Of course there is the nuclear option – again assuming that you care – do you REALLY need your refrigerator telling you to get milk?  Maybe?  But maybe not!  If you do, then turn the smart device into a dumb device.  If you don’t connect the device to the Internet, it cannot blab.

Information for this post came from Tech Crunch.




News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week, the Supremes said that the police should have gotten a search warrant before they asked for months’ worth of location data on a suspect.  The suspect in a robbery case was tracked by the police – over 12,000 locations, over 127 days – to correlate robbery locations to the suspect’s location.  Chief Justice John Roberts wrote the opinion, basically saying that this is a search within the bounds of the 4th Amendment.  This is good news for privacy advocates, saying that the power of the government is not unbounded.  Source: CNet.

GDPR: One Month In

Not surprisingly, one month in and we have already seen the results of GDPR.

The UK Information Commissioner’s office says they have seen a sharp rise in both complaints and notifications.  In France, they have seen a 50% rise in complaints compared to last year.

Austria says that they have received 128 complaints and 500 questions, along with 59 breach notifications.  Compare that 59 number to the entire eight months prior to the law going into effect – effectively an 8x increase.

Still, numbers in the hundreds and not in the millions means that people are not going crazy.  What we don’t have data on, yet, is how many people requested copies of their information or requested that their information be deleted.  Source: WARC.

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis.  Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses) is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points.

Now it appears that data was exposed because of a lack of controls placed on an Amazon-hosted Elasticsearch setup.

Given new privacy laws in place and coming into place, this type of breach MAY need to be disclosed.  So far, the company is being quiet about it.  Older privacy laws did not consider things like your kids’ names, ages and genders private.  Newer ones are starting to, hence the requirement for disclosure, possibly.  Source: Wired.

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices.  This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild and Equifax is likely doing most of these as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management.  It is actually surprising that a company of their size was not already doing all of these items and more.

The agreement does allow these states to take legal action if Equifax does not implement these controls.  Source: The New York Times.


The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new and it is also an issue on Android phones, but, for some reason, everyone seems to be highlighting the problem with iPhones.  PERHAPS that is because it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of it.  That app can access your camera – both front facing and rear facing – whenever it wants to.  It does not have to ask you to access the camera.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that there is no indication that the camera, front or back, is on.  As a side note, while there is a light on many PCs indicating the camera is running, that is a bit of software and the camera COULD be turned on without the light being on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails.

In reality, the only recommendation that the FBI made that will actually work is this next one:

3. Place a piece of tape over the front and rear camera.

Ponder this thought –

The camera sits on your table in front of you; it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom.  You get the idea.

Just in case you were not paranoid enough before.

Information for this post came from The Hacker News and The Register.


How To Digitally Erase All Your Stuff When You Quit Your Job

Wired ran a piece a few weeks ago with the title of this post.  An alternative title might be “How to get yourself arrested and prosecuted”.

While Wired’s heart was in the right place, they probably should have consulted an attorney before they published the article.

The basic premise of the article is that you should copy all of your personal stuff off your work computer and then wipe your work computer.

The problem is that your work computer is not your property and wiping it could be considered destroying company property and you could be prosecuted under any of a number of laws.  You could be liable for all of the costs to reconstruct the data that was stored on your computer.

That being said, let’s look at what they suggested:

  1. Before wiping out your computer entirely, make sure to back up anything important.  PDFs, photos, your resume, anything dear to your heart.  Do it with a flash drive or USB disk.

The problem is that this is about protecting YOUR stuff and not your employer’s stuff.  And, if you do this without your employer’s permission you could be ACCUSED of stealing company information – even if you didn’t.  Remember, being charged with a crime is different from being convicted, except that both will cost you a lot of money, damage your reputation and distract your attention from a new job.

2. Check USB slots for cables, flash drives, etc.

That is probably OK as long as you only take stuff which is yours, personally.

3. Shut down your Voicemail.  Record a new greeting telling people that you left the company and who to bug.  Delete all the messages in your voicemail inbox.

Don’t do this unless your employer approves.  Those voice mails are not your property – they belong to the company.  Ask your employer what they want you to do regarding your voice mails.  More than likely they will want you to preserve them until they have a chance to go through them.  They may or may not want to make your departure public right now, so they may not want you to change your greeting.  In any case, it is their choice, not yours.

4. Shut down your email.  Delete all your emails.  In Wired’s defense, at least here they say make sure it is within your company’s policies to do so.

I doubt your company is going to want to you to delete ANY emails.  They are going to want to back everything up first, then probably they are going to want to go through them.

5. Wipe your computer.  Wipe the puppy clean, they say.

I say that doing this could subject you to a felony.

6. Wipe your phone.  Here they are partially right.  If the phone is your property, the company cannot tell you what to do with it, but if it is yours, you are probably not going to want to wipe it.

If it is company property, you don’t have the right to destroy the data on it.  Again, potential felony charges, depending on how much it costs the company to reconstruct the data and if they consider it willful destruction of company property or sabotage.

7. Log out of any applications like Slack, Hipchat or your browser.

I think this one is safe.  If it is a company account, they will have the means to log back in.

Bottom line, if the device is owned by the company, coordinate with your manager, HR and/or IT.   If in doubt, don’t do it.  If you own the device you have a lot more latitude in terms of what you can do with it.

One simple way to do things, if your company allows it, is to store YOUR stuff on your own personal flash drive.  Also don’t commingle work and personal email messages.  Keep personal personal and work work.  That way, you don’t store anything on the company computer and you don’t have to remove anything.  Don’t log on to your personal email or social media accounts from your work computer.  Remember, even if you log out from social media or email accounts or delete your social media and email passwords, your company may have them anyway in a variety of different ways.

If in doubt, contact an attorney.  Before you act.

Information for this post came from Wired.

