Category Archives: Privacy

Zcash Price Analysis: What is Behind the Recent Surge in Price?

Zcash jumped over 17% between 12 and 18 October before running into sellers. The foundation is set to launch the Sapling protocol upgrade, which improves the efficiency of shielded transactions. Over the 6-day period from 12 to 18 October Zcash gained a whopping 17%, moving quickly from as low as $108 to above $126. Since, the price […]

The post Zcash Price Analysis: What is Behind the Recent Surge in Price? appeared first on Hacked: Hacking Finance.

Facebook’s confusion about its Portal camera is concerning

Facebook couldn't have picked a worse time to introduce Portal, a camera-equipped smart display designed to make video chatting in your home easier. And, if the rumors are true, the company is reportedly also preparing to launch a video chat camera for your TV, based on the same system as Portal. Not only does news of this hardware come at a time when Facebook is under major scrutiny after suffering a massive data breach in September, which exposed private information of 29 million users, including usernames, birth date, gender, location, religion and the devices used to browse the site, but the most concerning part about Portal is that Facebook's own executives don't seem to have a basic understanding of what types of data the company will be collecting or what it will be using it for.

How to Make the Payment Process Easy for Online Customers

By Carolina

If you want to increase conversions and sales, a good place to start is to make it as easy as possible for customers to pay for your services or products. If your checkout page isn’t easy to use, it won’t matter how good your products or services are. Your checkout page is where they get […]

This is a post from HackRead.com Read the original post: How to Make the Payment Process Easy for Online Customers

Top strategic predictions for IT organizations and users in 2019 and beyond

Gartner revealed its top predictions for 2019 and beyond. Gartner’s top predictions examine three fundamental effects of continued digital innovation: artificial intelligence (AI) and skills, cultural advancement, and processes becoming products that result from increased digital capabilities and the emergence of continuous conceptual change in technology. “As the advance of technology concepts continues to outpace the ability of enterprises to keep up, organizations now face the possibility that so much change will increasingly seem chaotic. … More

The post Top strategic predictions for IT organizations and users in 2019 and beyond appeared first on Help Net Security.

Smashing Security #100: One flippin’ hundred

Yes, it’s the 100th edition of the “Smashing Security” podcast.

There’s a little celebration at both ends of this week’s podcast - but the meat of the sandwich is our normal look at the security stories of the last week - including an alarming IoT failure and a dating app disaster for Donald Trump devotees.

Seattle Startup Vets Takes on Google with Helm, a New $499 Personal Email Server

A Seattle-area startup is aiming to take on giants such as Google and change the way we do email with a new physical personal email server. From a report: Helm today unveiled its $499 device that lets consumers send and receive email from their own domain, in addition to saving contacts and calendar events. It's a bold bet that aims to provide comfort at a time when privacy and security issues related to personal data hosted by big tech companies in the cloud are top of mind. The idea comes from Giri Sreenivas and Dirk Sigurdson, two entrepreneurs who already sold a security startup and raised a $4 million seed round from top venture capital firms last year. The device is about the size of a router and looks like an upside-down book placed on a table. It connects to a home network and pairs with a mobile app that lets users create their own domain name, passwords, and recovery keys. Helm supports standard protocols and works with regular email clients such as Outlook or the Mail app, with encryption protecting the connection between the device and the apps.

Read more of this story at Slashdot.

Privacy and Permissions | Google+

With Google making headlines about the privacy of apps and the breaking news of the Facebook data breach earlier this year, the apps on our phones are now holding, and disseminating, large amounts of data and are doing so most of the time. We don’t know what they are sharing or what we have given consent for these apps to do.

We have become lax in accepting terms and conditions and often trade privacy and data usage agreements we might not be comfortable with, for a membership to an online community, an app, or a network.

Kit Walsh, a staff attorney with the Electronic Frontier Foundation, a digital rights advocacy group, mentioned, “It would take you two months to read all of the agreements that you click through in a year. The PayPal terms of service is longer than ‘Hamlet’ and a lot less interesting to read.”

In this age of data prevalence and machine learning, permission is an increasingly valuable asset. Privacy permissions are supposed to provide a barrier between the information shared and the app creators – but these permissions are often vague, and at times obscure what functionality the permissions you are granting actually cover.

Where once companies created seemingly intentionally long privacy policies, increased scrutiny from federal regulators caused tech companies to take steps toward improving and clarifying privacy policies for their users. With the latest announcement of Google discovering a bug that allowed app developers to access users’ data as well as their friends’ data, Google is taking steps to up its protections.

Customers have expectations of who they do business with, and if they are willing to trust a company with their data, privacy and protection should be upheld. Transparency in security measures is especially important today because fraudsters evolve with, and know the ins and outs of, authentication and security measures. To keep customer experience a priority, privacy policies and security measures need to reflect this, with technology like machine learning and AI – rather than easily surpassed traditional methods of authentication.

The post Privacy and Permissions | Google+ appeared first on Pindrop.

How corporate boards are navigating cybersecurity risks and data privacy

Digital transformation initiatives have transcended beyond the sole domain of IT to involve the entire organization, elevating digital strategy to the top of the board agenda, according to BDO USA. “Developing a strategic path for an organization’s digital transformation and devoting company resources and board oversight to cybersecurity and data privacy are now necessities for businesses to survive and thrive during this time of intense change,” said Amy Rojik, national assurance partner and director of … More

The post How corporate boards are navigating cybersecurity risks and data privacy appeared first on Help Net Security.

Amazon Worker Pushes Bezos To Stop Selling Facial Recognition Tech To Police

An anonymous reader quotes a report from The Hill: An Amazon employee is seeking to put new pressure on the company to stop selling its facial recognition technology to law enforcement. An anonymous worker, whose employment at Amazon was verified by Medium, published an op-ed on that platform on Tuesday criticizing the company's facial recognition work and urging the company to respond to an open letter delivered by a group of employees. The employee wrote that the government has used surveillance tools in a way that disproportionately hurts "communities of color, immigrants, and people exercising their First Amendment rights." "Ignoring these urgent concerns while deploying powerful technologies to government and law enforcement agencies is dangerous and irresponsible," the person wrote. "That's why we were disappointed when Teresa Carlson, vice president of the worldwide public sector of Amazon Web Services, recently said that Amazon 'unwaveringly supports' law enforcement, defense, and intelligence customers, even if we don't 'know everything they're actually utilizing the tool for.'" The op-ed comes one day after Amazon CEO Jeff Bezos defended technology companies working with the federal government on matters of defense during Wired's ongoing summit in San Francisco. "If big tech companies are going to turn their back on the U.S. Department of Defense, this country is going to be in trouble," Bezos said on Monday.

Read more of this story at Slashdot.

Bug in Newly Released iOS 12.0.1 Gives Access To Your Photos

By Waqas

An iOS user, Jose Rodriguez, who discovered a passcode bypass flaw in iOS 12 last month, has now identified another passcode bypass bug in the recently released iOS 12.0.1. According to Rodriguez, a Spanish security researcher, the new bug offers easy access to the Photo Library of any locked iPhone. An attacker can select […]

This is a post from HackRead.com Read the original post: Bug in Newly Released iOS 12.0.1 Gives Access To Your Photos

2018 US voter records offered for sale on hacking forum

Somebody is selling US voter registration databases on an English-language dark web hacker forum, and the offer comes with the promise that they will be updated every week, Anomali and Intel 471 researchers have discovered. About the databases for sale The databases include information about voters of 19 US states: Montana, Louisiana, Iowa, Utah, Oregon, South Carolina, Wisconsin, Kansas, Georgia, New Mexico, Minnesota, Wyoming, Kentucky, Idaho, Tennessee, South Dakota, Mississippi, West Virginia and Texas. Anomali … More

The post 2018 US voter records offered for sale on hacking forum appeared first on Help Net Security.

Major Browsers to Kill TLS 1.0, 1.1

All major web browsers will deprecate support for the older Transport Layer Security (TLS) 1.0 and 1.1 traffic encryption protocols in the first half of 2020.

Apple, Google, Microsoft and Mozilla on Monday announced plans to kill the protocols in their browsers to provide users with better security.

Privacy for Tigers

Ross Anderson has some new work:

As mobile phone masts went up across the world's jungles, savannas and mountains, so did poaching. Wildlife crime syndicates can not only coordinate better but can mine growing public data sets, often of geotagged images. Privacy matters for tigers, for snow leopards, for elephants and rhinos, and even for tortoises and sharks. Animal data protection laws, where they exist at all, are oblivious to these new threats, and no-one seems to have started to think seriously about information security.

Video here.

Text Bomb Causing PS4 to Crash

By Uzair Amir

Sony’s most prestigious gaming console to date, the PlayStation 4 or PS4, contains a bug that can be exploited to crash the console through a text message. It is believed that malicious threat actors are sending infected messages to the console to crash it. Reddit is bursting with reports from PS4 users who are complaining about receiving strings […]

This is a post from HackRead.com Read the original post: Text Bomb Causing PS4 to Crash

How DNA Databases Violate Everyone’s Privacy

If you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public.

Research paper:

"Identity inference of genomic data using long-range familial searches."

Abstract: Consumer genomics databases have reached the scale of millions of individuals. Recently, law enforcement authorities have exploited some of these databases to identify suspects via distant familial relatives. Using genomic data of 1.28 million individuals tested with consumer genomics, we investigated the power of this technique. We project that about 60% of the searches for individuals of European-descent will result in a third cousin or closer match, which can allow their identification using demographic identifiers. Moreover, the technique could implicate nearly any US-individual of European-descent in the near future. We demonstrate that the technique can also identify research participants of a public sequencing project. Based on these results, we propose a potential mitigation strategy and policy implications to human subject research.

A good news article.

Facebook data breach: Victims will not be offered free identity theft protection

Facebook announced that the recent data breach it has suffered is a little less massive than initially thought: “only” 30 million users have been affected. But, although highly personal information has been harvested from the profiles of 14 million of the victims, Facebook has told the BBC that it does not plan, at this time, to provide them with free identity theft protection services. New information On Friday, while still insisting on calling this data … More

The post Facebook data breach: Victims will not be offered free identity theft protection appeared first on Help Net Security.

SecurityWeek RSS Feed: Tech Giants Concerned About Australia’s Encryption Laws

Cyber law changes proposed in Australia specifically state that companies will not be required to implement encryption backdoors, but tech giants are still concerned that the current form of the legislation is too vague and leaves a lot of room for interpretation.

Hackers steal Pentagon personnel’s PI and credit card data

The U.S. Department of Defense confirmed on Friday that personal information and credit card data of some 30,000 U.S. military and civilian personnel has been compromised in a breach affecting a DoD third-party contractor. Apparently, no classified information was accessed by the attackers. What is known about the breach The Associated Press cited an unnamed U.S. official who says that the breach might end up involving the information of more than 30,000 workers, but … More

The post Hackers steal Pentagon personnel’s PI and credit card data appeared first on Help Net Security.

Google Maps: Hubby divorces wife after finding her on Street View with another man

By Carolina

Google Maps is full of surprises, primarily thanks to some of its funniest, creepiest, and strangest Street View images. In 2013, a father found an image of his son’s dead body and the crime scene on Google Maps, but who could have imagined this seemingly harmless technology would force a married couple to divorce? A woman in Peru was […]

This is a post from HackRead.com Read the original post: Google Maps: Hubby divorces wife after finding her on Street View with another man

NBlog Oct 13/2 – CERT NZ goes phishing

CERT NZ (apparently) has once again circulated an email warning about phishing, containing a distinctly phishy link to "READ MORE INFORMATION". The hyperlink leads from there to certnz.cmail20.com with a tracker-type URL tail.

Unlike most of the intended audience, I guess, I'm cyber-smart enough to check out the whois record: cmail20.com domain is registered to Campaign Monitor Pty Ltd of New South Wales - presumably a legitimate mass emailer/marketing company whose services are being used by CERT NZ to circulate the warnings - but that's not the point: the fact is that the embedded link target is patently not CERT NZ's own domain.

What's more, the body of the email is a rather vaguely-worded warning, not entirely dissimilar to many a classic phisher. "Nasty stuff is going to happen unless you do something" just about sums it up. It isn't even addressed to me by name, despite me being required to supply my name and email address when I signed up for CERT NZ's "updates". They know who I am.
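The check the post is making by hand, that the link target is not on the sender's own domain, is easy to automate as a mail-filtering signal. The script below is an added example, not CERT NZ's code or this blog's: it pulls every link out of a constructed sample message (the From: address and link paths are made up; only the host names mirror the ones named above) and flags any whose host is outside the sender's domain.

```python
"""Flag links in an email whose host does not belong to the sender's domain.

Added example; not CERT NZ's code nor this blog's. The message below is
constructed: the From: address and link paths are made up, only the host
names mirror those named in the post.
"""
import re
from typing import List
from urllib.parse import urlparse

# Matches http(s) URLs up to the first whitespace, quote or closing bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample: a warning email whose "READ MORE" link points at a
# third-party tracker host rather than the sender's own domain.
SAMPLE_EMAIL = """From: updates@cert.govt.nz
Subject: Phishing warning

Phishing is on the rise. READ MORE INFORMATION:
https://certnz.cmail20.com/t/placeholder-tracker-id
Official guidance: https://www.cert.govt.nz/individuals/guides/
"""


def sender_domain(message: str) -> str:
    """Return the domain of the first From: header, lower-cased."""
    for line in message.splitlines():
        if line.lower().startswith("from:"):
            addr = line.split(":", 1)[1].strip()
            return addr.rsplit("@", 1)[-1].strip("<> ").lower()
    raise ValueError("no From: header found")


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(message: str) -> List[str]:
    """Return every link whose host lies outside the sender's domain."""
    domain = sender_domain(message)
    flagged = []
    for url in URL_RE.findall(message):
        host = (urlparse(url).hostname or "").lower()
        if not in_domain(host, domain):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EMAIL):
        print("off-domain link:", url)
```

An off-domain link is a signal, not proof: legitimate senders use tracking hosts, as this post shows, and a real phisher controls the From: header too, so a mail filter should combine this with SPF/DKIM/DMARC results rather than act on it alone. The suffix match in `in_domain` is deliberate: `cert.govt.nz.example.test` would not pass, while `www.cert.govt.nz` would.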

I've notified CERT NZ about this kind of thing privately before, to no avail, so this time around I'm going public, here on the blog.

CERT NZ, you are perpetuating the problem. Wake up guys! It's simply not good enough. I expect more of you. Your sponsors, partners and taxpayers expect more of you. NZ expects more of you.

Is it really that difficult to either drop the marketing tracking, or at least to route clickers via cert.govt.nz first, with a redirect from there to the tracker?

Is there nobody in CERT NZ with sufficient clue to appreciate and respond to such an obvious concern? 

Am I wasting these bytes? Hello, CERT NZ! Anyone home?

Ironically, CERT NZ has allegedly been promoting the past five days as "Cyber Smart Week 2018", which as far as I can make out appears to consist of a single web page on CERT NZ's website expanding a little on these four simple tips:
  1. Use unique passwords
  2. Turn on 2FA
  3. Update your apps
  4. Check your privacy

Admirably brief ... but there's nothing explicit about phishing or business email compromise, nor social engineering, scams and frauds. No obvious links to further information. 

Ironically, again, the Cyber Smart page ends: 
"Report any cyber security issue you experience to CERT NZ. We’ll help you identify it and let you know what the next steps are to resolve it. We’ll also use the information to create advice and guidance for others who might be experiencing the same issue."
Been there, done that, got precisely nowhere. I despair.

Next time I receive a phishing-like email from CERT NZ, I'll take it up with the news media. Maybe they care as much as me.

Kaspersky Lab official blog: 5 tips to protect your home network

For the second year in a row, Kaspersky Lab has signed on as an official Champion of National Cyber Security Awareness Month (NCSAM). Over the course of the month, we will be focusing on security topics that can be used by both businesses and consumers alike. For the first week, we will focus on securing your home.

So, let’s get started. Do you:

  1. Have Wi-Fi in your house?
  2. Have at least one device connected to the Internet?
  3. Ever have friends or family over?

Now, the big one:

  4. Are you sure everything is secure?

Go ahead and answer — no one is watching (or are they? We’ll come back to that a bit further down). By the end of this post, you will have a more sound answer for No. 4 than you probably do now.

1. Secure your computer

Perhaps the simplest place to start with home security is to secure your actual devices. Computers, tablets, and phones are all susceptible to malicious infections from the Internet or from apps that are more than meets the eye — or that are free, but with a catch.

To protect your devices, the best advice is to install a good antivirus solution. There’s no shortage of capable products reviewed by trusted, independent professionals. They range greatly in price, and you can even get some free. I recommend our Kaspersky Security Cloud product because it offers the most advanced protection and covers multiple devices including PC, Mac, Android, and even iOS devices.

On top of a good antivirus program, it is also a good rule of thumb to download apps only from official sources — Google Play, Apple’s App Store, or the app’s site. Doing otherwise, you risk ending up with a somewhat modified version of the app you were looking for, with extra features like filling your screen with ads, spying on you, mining cryptocurrencies at your expense, or even stealing your bank account login.

2. Secure your Wi-Fi

When you had Internet connectivity added to your home, your provider probably installed its own combination modem/router, named your home network, and set up a password for you. If you didn’t change that name and set a new password afterwards, now’s the time. The main reason is that you are paying for the service; why let someone take it from you?

Most routers have a default username and password like admin/admin or admin/password. A simple Google search for your router model will yield those default credentials. From there, anyone holding those credentials can rename the network, set a new password, and reconfigure any other available options. Or, you can. Do that now. While you’re in there, be sure to update the router’s firmware.

You should also set up a guest network for friends and family who visit your home. I named mine “FBI Van” just to mess with people — I won’t mention the name of the main Wi-Fi here — and, obviously, gave it a different password.

3. Secure smart devices / Internet of Things

Now, if you are connecting IoT devices to your network, I would suggest hooking them up to your guest network rather than the main one, and also changing their default passwords. You may be wondering why you should change the password.

The answer lies in the same issue as the router defaults mentioned earlier. Most IoT devices have a default password that is just a Google search away. Go ahead and check it out for yourself, and then work on changing yours.

A reason this issue causes concern is that many criminals have infected these devices and are adding them to botnets at an alarming rate.

4. Blindfold Big Brother

Earlier, we asked if anyone was watching you. In some ways, it was a small joke, but it really is sensible to be cautious when it comes to your computer’s webcam. Many apps and websites ask for access to your camera and microphone. What are they doing with it? Well, you never know for sure, but there is a chance that someone, somewhere in the world is actually watching you.

How can you avoid this? You can throw a piece of tape over the camera or buy a webcam protector that you open only when you want to use your camera. Good antivirus programs also offer the ability to restrict access to cameras — a feature I highly recommend.

5. Keep out USB threats

One other threat needs to be mentioned, something that affects not only businesses, but also everyday people like you or me.

Have you ever found a USB stick in a parking lot, park, office lobby, or somewhere else? If I shook my Magic 8-Ball, I think it would say signs point to yes. With the amount of trade-show swag and giveaways we all encounter, these devices are basically a dime a dozen, so dropping one won’t cause too much angst.

Now, if you find one, should you plug it into your computer and see what surprises lie within? The answer is just two letters long: No! You see, not only will curiosity probably kill the cat, but it can also bring malware or a hidden cryptocurrency miner onto your device. Don’t believe me? Look no farther back than 2010, when the Stuxnet virus infected the network of an Iranian nuclear facility through a good old USB stick.

Fast-forward to 2018 and recent research from Kaspersky Lab shows that USB sticks and other removable media are still very popular among cybercriminals as a means of infection.

I hope these tips help you and bring you a few steps closer to a secure home network. I would also suggest reading up on the tips we offer on Kaspersky Daily to further boost your levels of security.

Blog | Avast EN: Google+ ending and CA is no state for weak passwords | Avast

Google+ to go offline after security breach discovered

Following an exposé by WSJ that revealed Google had kept a huge bug in their Google+ social network under wraps, the search giant has decided to shut it down by late 2019. The bug might have enabled malicious apps to extract profile data such as name, gender, email address, occupation, and age. To make matters worse, Google isn’t sure how many profiles could have been compromised as they only keep log data for two weeks.

MindBody-Owned FitMetrix Exposed Millions of User Records — Thanks To Servers Without Passwords

An anonymous reader writes: FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password. The company builds fitness tracking software for gyms and group classes -- like CrossFit and SoulCycle -- that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing. Last week, a security researcher found three unprotected FitMetrix servers leaking customer data. It isn't known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September. The servers included two of the same ElasticSearch instances and a storage server -- all hosted on Amazon Web Services -- yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users. Bob Diachenko, Hacken.io's director of cyber risk research, found the databases containing 113.5 million records -- though it's not known how many users were directly affected. Each record contained a user's name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.

Read more of this story at Slashdot.

Security Affairs: Hackers can compromise your WhatsApp account by tricking you into answering a video call

Hackers can compromise your WhatsApp account by tricking you into answering a video call; the company fixed the flaw in September.

WhatsApp has addressed a vulnerability in its mobile applications that could have been exploited by attackers to crash a victim's instant messaging app simply by placing a call.

The vulnerability is a memory heap overflow issue that was discovered by Google Project Zero white hat hacker Natalie Silvanovich in August.

WhatsApp fixed the flaw on September 28, and Silvanovich then published the technical details of the vulnerability.

The news of the flaw was also shared by popular Google researcher and bug hunter Tavis Ormandy.

Exploitation of the flaw was trivial: a malformed RTP (Real-time Transport Protocol) packet sent to a user as part of a call request could trigger the memory heap overflow and crash the application.

“This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients,” reads the report published by Silvanovich.

An attacker could completely hijack a target’s WhatsApp account and spy on its conversations simply by video calling it.

Silvanovich published the proof-of-concept in the security advisory.

The latest versions of the app for both Android and iOS include the fix for this vulnerability.

Pierluigi Paganini

(Security Affairs – instant messaging, hacking)

The post Hackers can compromise your WhatsApp account by tricking you into answering a video call appeared first on Security Affairs.

German Art Activists Get Passport Using Digitally Altered Photo of Two Women Merged Together

An anonymous reader shares a report: Last month, an activist from the German art collective Peng! walked into her local government office in Berlin and applied for a new passport. "I probably have broken the law," the woman, a chemist living in the Western Saxony region, told Motherboard, "but our lawyers don't know which one." The woman applied for a passport using a photo of two separate people. Using specialized software created by Peng!, the collective merged the facial vectors from two different faces from two different images into one. Billie Hoffman (a pseudonym used by everyone in the Peng! Collective when talking to journalists) told me how easy the whole process was: "Officials didn't mention fraud at any point." Hoffman's passport application was approved, and now she has an official German passport using the digitally altered photo. The photo is half her, half Federica Mogherini, an Italian politician who is the High Representative of the European Union for Foreign Affairs and Security Policy. "The software calculated an authentic average of the faces and that's it," Hoffman recalls. Hoffman's passport is part of an artwork called "Mask ID," a campaign that's encouraging ordinary citizens to "flood government databases with misinformation" and disrupt mass surveillance programs. Ironically, the project is funded by the Bundeskulturstiftung, the German Federal cultural fund. Part one was recently on show in Hamburg accompanied by a photo booth where anyone could upload their image and create their own distorted passport picture in an attempt to confuse government surveillance and circumnavigate facial recognition software. "Passports are tools of oppression," another member of the collective, who declined to give me their real name, told me.

Read more of this story at Slashdot.

21% of Large Employers Collect Health Information From Employees’ Mobile Apps or Wearable Devices, Report Says

An anonymous reader writes: The Kaiser Family Foundation's annual review of employer-based insurance shows that 21% of large employers collect health information from employees' mobile apps or wearable devices, as part of their wellness programs -- up from 14% last year. Wellness programs are voluntary, and so is contributing your health information to them. But among companies that offer a wellness program, just 9% of employers (including 35% of large employers) offer workers an incentive to participate.

Read more of this story at Slashdot.

Project Strobe, what will change after the Google security breach?

Google announced a security breach that may have exposed data of over 500,000 users of its Google+ social network, these are the measures in response to the incident.

Yesterday Google announced a security breach that may have exposed data of over 500,000 users of its Google+ social network.

Security experts and privacy advocated criticized the company because it did not disclose the flaw in the Google+ when it first discovered the issue in March because it feared regulatory scrutiny and reputational damage.

Now, to prevent potential leakage of sensitive data to third-party app developers, the company has implemented significant changes that give users granular control over the data they share with each app.

Google has updated its Account Permissions system so that users can grant individual permissions rather than a full set of permissions at once.

The company introduced several changes as a result of the work of Project Strobe, an internal task force charged with conducting a companywide audit of the company's APIs in recent months.

The team reviewed third-party developers' access to Google account and Android device data. As a result, Google has changed the way permissions are approved for Android apps, to prevent abuse and potential leakage of sensitive call and text log data by third-party developers.

While apps are only supposed to request the permissions they need to function properly, today any Android app can ask for permission to access your phone and SMS data, even when it has no need for it.

The new rule is part of the Google Play Developer Policy and restricts Call Log and SMS permissions to your "default" phone or SMS apps only.

“Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions.” reads a blog post published by Google on the Project Strobe.

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.)”

Google has also limited access to the Gmail API to apps expressly developed to improve or implement email features, such as email clients and email backup services.

The measure limits API access to the data in your Gmail account.

What will happen from today?

Developers will have to update their applications to comply with the new policy by January 6th, 90 days from now.

Pierluigi Paganini

(Security Affairs – Google, Project Strobe)

The post Project Strobe, what will change after the Google security breach? appeared first on Security Affairs.

Google’s failure to disclose user data leak prompts closure of Google Plus

By Waqas

Google has admitted that a bug was present in the API for the consumer version of Google Plus (Google+) that let third-party developers access data of not just its users but also of their contacts and friends. Reportedly, data of up to 500,000 users could have been exposed to external developers. The bug was present […]

This is a post from HackRead.com Read the original post: Google’s failure to disclose user data leak prompts closure of Google Plus

The end of Google+: Low usage and an API bug that exposed user data

Google has announced that it will be closing down the consumer version of Google+, its failed answer to Facebook, and is introducing more granular Google Account permissions, new limits for third-party apps that seek permission to access users’ Gmail data, and new limits for apps’ abilities on Android devices.

The Google+ problem

Ben Smith, Google Fellow and VP of Engineering, cited “significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations” and … More

The post The end of Google+: Low usage and an API bug that exposed user data appeared first on Help Net Security.

From Now On, Only Default Android Apps Can Access Call Log and SMS Data

A few hours ago the company announced its "non-shocking" plans to shut down Google+ social media network following a "shocking" data breach incident. Now to prevent abuse and potential leakage of sensitive data to third-party app developers, Google has made several significant changes giving users more control over what type of data they choose to share with each app. The changes are part of

Health websites routinely share your activity with 57 third-parties

B9 Systems conducted research into the use of cookies by health websites and discovered that all the major players share your private information with, on average, 57 other websites. These include advertising & marketing websites, social media outlets and resellers. For many with a health problem, the first port of call is a quick online search in hope of self-diagnosis. Research has revealed that your activity doesn’t always stay with the website you visited. “It’s … More

The post Health websites routinely share your activity with 57 third-parties appeared first on Help Net Security.

Body Camera Maker Will Let Cops Live-Stream Their Encounters

tedlistens writes: Police officers wearing new cameras by Axon, the U.S.'s largest body camera supplier, will soon be able to send live video from their cameras back to base and elsewhere, potentially expanding police surveillance. Another feature of the new device -- set to be released next year -- triggers the camera to start recording and alerts command staff once an officer has fired their weapon, a possible corrective to the problem of officers forgetting to switch them on. (The initial price of $699 doesn't include other costs, like a subscription to Axon's Evidence.com data management system.) But adding new technologies to body camera video introduces new privacy concerns, say legal experts, who have cautioned that a network of live-streaming cameras risks turning officers into roving sentinels for a giant panopticon-like surveillance system. Harlan Yu, the executive director of Upturn, a Washington nonprofit consultancy that has studied body cameras, says that live-streaming could erode community trust and help enable more controversial technologies like real-time face recognition. "The capability to live stream all BWC footage back to a department- or precinct-wide command center... will further entrench body-worn cameras as tools for police surveillance of communities, rather than tools for transparency," he said.

Read more of this story at Slashdot.

Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it

This is very bad news for Google, which suffered a massive data breach that exposed the private data of over 500,000 Google Plus users to third-party developers.

As a consequence of the data exposure, the company is going to shut down the social media network Google+.

The root cause of the data breach is a security vulnerability in one of the Google+ People APIs that allowed third-party developers to access data for more than 500,000 users.

Exposed data includes usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

The worst aspect of the story is that the company did not disclose the Google+ flaw when it first discovered the issue this spring, because it feared regulatory scrutiny and reputational damage.

“Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.” reported the Wall Street Journal.

“As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.”

Google declared that its experts immediately addressed the vulnerability in March 2018 and that they have found no evidence that any developer exploited the flaw to access users' data. The flaw had been present in the Google+ People APIs since 2015.

“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” reads a blog post published by Google.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”

The choice not to disclose the vulnerability was probably influenced by the Cambridge Analytica scandal, which was unfolding in the same period.

“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” continues the WSJ.

Experts believe that the vulnerability in Google+ is similar to the one recently discovered in the Facebook API.

Google will maintain Google+ only for Enterprise users, starting from August 2019.

Google also provided information about the Project Strobe program, under which an internal privacy task force has been conducting a companywide audit of the company’s APIs in recent months.

“In a blog post on Monday, Google said it plans to clamp down on the data it provides outside developers through APIs. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.” concludes the WSJ.
“The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps.”

Pierluigi Paganini

(Security Affairs – Google Plus flaw, hacking)

The post Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it appeared first on Security Affairs.

EDPB Adopts Opinions on National DPIA Lists in the EU

The European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of the Supervisory Authorities (“SAs”) in EU Member States regarding which processing operations are subject to the requirement of conducting a data protection impact assessment (“DPIA”) under the EU General Data Protection Regulation (“GDPR”).

National DPIA Lists

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. The following EU Member States have submitted their lists: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

In some cases, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. In other cases, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The purpose of the EDPB opinions is to ensure the consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among EU Member States with respect to this requirement. The national lists will not be identical because, in establishing DPIA lists, the SAs must take into account their national or regional context and national legislation.

The EDPB has emphasized that the national DPIA lists are aimed at improving transparency for data controllers, but they are not exhaustive. Importantly, the EDPB requests national SAs to include in their DPIA lists a clear reference to the high-risk criteria for conducting DPIAs established by the Article 29 Working Party in its guidance. The draft lists should aim to rely on and complement these guidelines.

Next Steps

After receiving the EDPB’s opinions, the SAs have two weeks to (1) communicate to the EDPB whether they intend to amend their draft list or maintain it in its current form and (2) provide an explanation for such decision.

View the 22 Opinions of the EDPB on national DPIA lists.

Google Exposed Private Data of Hundreds of Thousands of Google+ Users and Then Opted Not To Disclose, Report Says

Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, WSJ reported Monday, citing people briefed on the incident and documents. From the report: As part of its response to the incident, the Alphabet unit plans to announce a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+, the people said. The move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook and is widely seen as one of Google's biggest failures. A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, [Editor's note: the link may be paywalled; alternative source] when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google's legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger "immediate regulatory interest" and invite comparisons to Facebook's leak of user information to data firm Cambridge Analytica. Update: In an announcement Monday, Google said it was shutting down Google+ for consumers: We are shutting down Google+ for consumers. Over the years we've received feedback that people want to better understand how to control the data they choose to share with apps on Google+. So as part of Project Strobe, one of our first priorities was to closely review all the APIs associated with Google+. 
This review crystallized what we've known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds. Google+ still receives north of 200 million page views every month on the web, according to SimilarWeb, a third-party web analytics firm.

Read more of this story at Slashdot.

Critical Data-Loss Bug Identified in New Windows 10 Update

By Waqas

The distribution of latest Windows 10 update for October 2018, released by Microsoft this week, has been halted after reports about it causing grave data loss started emerging. Dubbed version 1089, the update was released for Windows 10 users to check for updates manually but it turns out that it is deleting user data including […]

This is a post from HackRead.com Read the original post: Critical Data-Loss Bug Identified in New Windows 10 Update

#CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

It wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjust her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

The Toll: Financial & Emotional

Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were the victim of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report rage, severe distress, anger, frustration, paranoia, vulnerability, fear, and — in 7% of the cases — even suicidal feelings.

Wanted: Your Child’s SSN

Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for longer periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, the theft goes undetected until the child grows up and applies for a car or student loan.

Where do hackers get the SSNs? Through data breaches at schools, pediatricians' offices and banks, and through home robberies. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments using someone else’s identity.

6 Ways to Build #CyberAware Kids

  1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family, and by then it’s too late. Discuss identity theft and its fallout with your kids. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
  2. Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online with the goal of gathering the personal information needed to steal their identity. Thieves are skilled at trolling social networks, looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop-up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.
  3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mother’s maiden name, and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by requesting an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s Social Security number.
  5. Know the warning signs. If someone is using your child’s data, you may notice: 1) pre-approved credit card offers addressed to them arriving via mail, 2) collection agencies calling and asking to speak to your child, 3) court notices regarding delinquent bills. If any of these things happen, your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  6. Report theft. If you find a violation of your child’s credit of any kind, go to IdentityTheft.gov to report the crime and begin restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

Don’t ever use a VPN without paying attention to these five things

By John Mason

Ryan Lin was just recently sentenced to 17 years in prison. He was sentenced for committing a range of crimes including cyberstalking, computer fraud and abuse, aggravated identity theft, and distribution of child pornography. These are all serious crimes that I in no way support or condone, but why am I particularly interested in the […]

This is a post from HackRead.com Read the original post: Don’t ever use a VPN without paying attention to these five things

The State of Security: Net Neutrality Regulation – Does the Past Predict the Future?

The debate over the degree of regulation of broadband Internet providers in the U.S. has been going on almost as long as broadband Internet service has been available. In 2004, the U.S. Federal Trade Commission (FTC) first described a set of non-discrimination principles to ensure that users had access to content on an equal basis. […]… Read More

The post Net Neutrality Regulation – Does the Past Predict the Future? appeared first on The State of Security.


China accused of sabotaging thousands of servers at major US companies with tiny microchips hidden on motherboards

An extraordinary report released by Bloomberg BusinessWeek claims that China has been exploiting the supply chain, planting a tiny microchip on servers that ended up in the server rooms of almost 30 companies, including the likes of Apple and Amazon.

Smashing Security #098: A Facebook omnishambles

Millions of Facebook user accounts put at risk after hack! The UK Conservative party’s conference app causes a privacy omnishambles! And Facebook (again) has been doing something naughty with the phone numbers you give it for security reasons! Oh, and Maria gets very excited about something to do with Star Trek.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Chinese surveillance chips found in servers used by US technology giants: Report

By Waqas

This can be one of the largest corporate spying and hardware hacking campaigns ever launched by a nation-state. Bloomberg has revealed in its recently published report that a nation-state has launched a significant supply chain attack. It is believed to be one of the largest corporate spying and hardware hacking campaigns ever launched […]

This is a post from HackRead.com Read the original post: Chinese surveillance chips found in servers used by US technology giants: Report

Jigsaw releases Intra, an Android app that encrypts DNS queries to thwart online censorship

Alphabet subsidiary and tech incubator Jigsaw, which concentrates on creating solutions for “the toughest geopolitical challenges,” has released Intra, an Android app that encrypts DNS queries.

About Intra

Intra encrypts DNS queries so that they can’t be analyzed or manipulated by oppressive governments. Users can get to the wanted (blocked) website or use the wanted (blocked) app and can be sure that the site they were directed to is the site they wanted to visit, … More

The post Jigsaw releases Intra, an Android app that encrypts DNS queries to thwart online censorship appeared first on Help Net Security.

The Future of Voice, Fraud, and the Impact to CX | A Recap

Voice is growing out of the call center, out of your telephone and is growing into the next interface. In previous years, we have released fraud reports revolving around the call center, but with the expansion of voice, and the fraud that follows, we have shifted our perspective to voice intelligence – after all, voice is everywhere: your digital assistant, your latest kitchen appliance, and even your car.

The eras of economies have passed us by, first characterized by digitalization, then the wave of mobile devices, and now by voice – paving the way to the conversational economy. These economies are accompanied by their own collection of problems – and fraudsters are not letting up. There has been a 350% increase from 2013 to 2017 in phone fraud, and a 47% increase from last year. Banks and the insurance industry are experiencing a higher level of fraud, with a 20% and 36% increase in fraud year over year respectively.

So how did we get to these increased fraud rates?

There have been an increasing amount of data breaches year over year; last year, there were 1,300 data breaches. These breaches make it easy for criminals to commit fraud – ultimately feeding into the $1.5 trillion cybercrime market. Additionally, a lot of enterprises rely heavily on KBAs, or knowledge-based authentication questions, which function as secrets for security. These “secrets” can be easily hacked through social engineering or through the black market.

The arrival of the omnichannel has not helped with containing fraud – consumers want to be able to contact a business through any channel, with the expectations for the experience to remain consistent. However, there are consequences for the omnichannel – it allows fraudsters to use resources from one channel to access an individual’s details in another channel. Lastly, as we build more tools to stop fraud, fraudsters are evolving quickly and learning how to combat these security measures.

Overall, fraud is the ultimate impact to customer experience – your customers have expectations for who they do business with, and if they expect their data to be safe with you, this should be upheld. We’re living in a world where consumers are likely to switch who they do business with if their customer experience expectations are not fulfilled.

For more information on the future of voice, fraud in the voice channel, and the impact it has on customer experience, tune into our on-demand webinar here.

The post The Future of Voice, Fraud, and the Impact to CX | A Recap appeared first on Pindrop.

The ultimate fallout from the Facebook data breach could be massive

Less than a week ago, Facebook announced that unknown attackers have managed to string together three bugs affecting the social media platform, which allowed them to steal access tokens of at least 50 million users – and likely more. The tokens allowed the attackers to take over victims’ Facebook accounts but could also have been used to log into accounts the victims opened on other websites and apps by using Facebook Login (i.e. using Facebook … More

The post The ultimate fallout from the Facebook data breach could be massive appeared first on Help Net Security.

You gotta fight, for your right, to erasure

According to Article 17 of the European Union’s General Data Protection Regulation (GDPR), all personal data that is no longer necessary must be removed and deleted. This aspect of the law, also known as “the right to erasure,” grants any user or customer the right to request that an organization deletes all data related or associated to them without undue delay, within 30 days. Moreover, the regulation carries heavy fines if a business does not … More

The post You gotta fight, for your right, to erasure appeared first on Help Net Security.

How to minimize the negative effect of mobile device loss or theft

Have you, like me, become inordinately obsessed with the security of your smartphone? And are you forever checking your pockets to make sure you haven’t left it behind in a coffee shop, your car, office, the airport lounge, the hotel you left for good three hours ago? It’s sad to admit, but too often I’m left panicking by my phone not being in the place I expect it to be. What would happen if I … More

The post How to minimize the negative effect of mobile device loss or theft appeared first on Help Net Security.

Google’s First Urban Development Raises Data Concerns

An anonymous reader quotes a report from The Washington Post: A unit of Google's parent company Alphabet is proposing to turn a rundown part of Toronto's waterfront into what may be the most wired community in history -- to "fundamentally refine what urban life can be." Sidewalk Labs has partnered with a government agency known as Waterfront Toronto with plans to erect mid-rise apartments, offices, shops and a school on a 12-acre (4.9-hectare) site -- a first step toward what it hopes will eventually be a 800-acre (325-hectare) development. High-level interest is clear: Prime Minister Justin Trudeau and Alphabet's then-Executive Chairman Eric Schmidt appeared together to announce the plan in October. But some Canadians are rethinking the privacy implications (Warning: source may be paywalled; alternative source) of giving one of the most data-hungry companies on the planet the means to wire up everything from street lights to pavement. And some want the public to get a cut of the revenue from products developed using Canada's largest city as an urban laboratory. "The Waterfront Toronto executives and board are too dumb to realize they are getting played," said former BlackBerry chief executive Jim Balsillie, a smartphone pioneer considered a national hero who also said the federal government is pushing the board to approve it. "Google knew what they wanted. And the politicians wanted a PR splash and the Waterfront board didn't know what they are doing. And the citizens of Toronto and Canada are going to pay the price," Balsillie said. Complaints about the proposed development prompted Waterfront Toronto to re-do the agreement to ensure a greater role for the official agency, which represents city, provincial and federal governments. So far the project is still in the embryonic stage. After consultations, the developers plan to present a formal master plan early next year. 
Sidewalk Labs' CEO, Dan Doctoroff, says the company isn't looking to monetize people's personal information in the way that Google does now with search information. He said the plan is to invent so-far-undefined products and services that Sidewalk Labs can market elsewhere. "People automatically assume because of our relationship to Alphabet and Google that they will be treated one way or another. We have never said anything" about the data issue, he said. "To be honest people should give us some time. Be patient."

Read more of this story at Slashdot.

Most Threatening DNS Security Risks And How To Avoid Them

By Zehra Ali

The DNS, or Domain Name System, is one of the most essential components of internet functionality. Internet businesses are often negligent about the security of their digital identity, that is, the DNS. This poor DNS security makes it vulnerable to many cyber attacks that benefit attackers. Fortunately, an […]

This is a post from HackRead.com Read the original post: Most Threatening DNS Security Risks And How To Avoid Them

SecurityWeek RSS Feed: Passcode Bypass Method Exposes Photos, Contacts on iPhone XS

An iPhone enthusiast has disclosed yet another method for bypassing the iPhone lockscreen. The latest technique has been confirmed to work on the new iPhone XS running the latest version of Apple’s mobile operating system, iOS 12.


Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising

From Kashmir Hill:

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other people's contact books, a hidden layer of details Facebook has about you that I've come to call "shadow contact information." I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

Here's the research paper. Hill again:

They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.

Telegram leaked IP addresses of its desktop app users

By Waqas

The vulnerability affected Telegram’s desktop app for Windows, Mac, and Linux OS. Telegram, a popular privacy-focused instant messaging application, reportedly contained a bug that can leak the IP addresses of users. Known for providing end-to-end encryption, Telegram’s desktop app has been discovered to be leaking not just public but private IP addresses of its users […]

This is a post from HackRead.com Read the original post: Telegram leaked IP addresses of its desktop app users

New Zealand Travelers Refusing Digital Search Now Face $5000 Customs Fine

Travelers in New Zealand who refuse to hand over their phone or laptop passwords to Customs officials can now be slapped with a $5000 fine. From a report: The Customs and Excise Act 2018 -- which comes into effect today -- sets guidelines around how Customs can carry out "digital strip-searches." Previously, Customs could stop anyone at the border and demand to see their electronic devices. However, the law did not specify that people had to also provide a password. The updated law makes clear that travelers must provide access -- whether that be a password, pin-code or fingerprint -- but officials would need to have a reasonable suspicion of wrongdoing. "It is a file-by-file [search] on your phone. We're not going into 'the cloud.' We'll examine your phone while it's on flight mode," Customs spokesperson Terry Brown said. If people refused to comply, they could be fined up to $5000 and their device would be seized and forensically searched. Mr Brown said the law struck the "delicate balance" between a person's right to privacy and Customs' law enforcement responsibilities. "I personally have an e-device and it maintains all my records -- banking data, et cetera, et cetera -- so we understand the importance and significance of it."

Read more of this story at Slashdot.

WWW inventor announces Solid, a push to create a decentralized web users can trust

Tim Berners-Lee, the inventor of the World Wide Web, has not been hiding his disappointment with the direction in which his invention was taken. “The web has evolved into an engine of inequity and division; swayed by powerful forces who use it for their own agendas,” he noted in a recently published post, in which he announced Solid, a new open source project that he hopes will fix what’s currently wrong with the web. About … More

The post WWW inventor announces Solid, a push to create a decentralized web users can trust appeared first on Help Net Security.

More on the Five Eyes Statement on Encryption and Backdoors

Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies.

Susan Landau examines the details of the statement, explains what's going on, and why the statement is a lot less than what it might seem.

Cloudflare Launches a Low-Cost Domain Registrar, Which Will Also Offer Free Privacy To Customers

Cloudflare, which is celebrating its eighth birthday has announced yet another service: an at-cost domain registrar. From a report: While Cloudflare had already been handling domain registration through the company's Enterprise Registrar service, that service was intended for some of Cloudflare's high-end customers who wanted extra levels of security for their domain names. The new domain registrar business -- called Cloudflare Registrar -- will eventually be open to anyone, and it will charge exactly what it costs for Cloudflare to register a domain. As Cloudflare CEO Matthew Prince wrote in a blog post this week, "We promise to never charge you anything more than the wholesale price each TLD charges." That includes the small fee assessed by ICANN for each registration. Prince said that he was motivated to take the company into the registrar business because of Cloudflare's own experience with registrars and by the perception that many registrars are in the business mostly to up-sell things that require no additional effort. "All the registrar does is record you as the owner of a particular domain," Prince said. "That just involves sending some commands to an API. In other words, domain registrars are charging you for being a middle-man and delivering essentially no value to justify their markup." Charging overhead for that sort of service, Prince said, "seemed as nutty to us as certificate authorities charging to run a bit of math." (Cloudflare also provides free SSL certificates.)

Read more of this story at Slashdot.

Firefox Monitor Has Begun To Track Breached Email Addresses

Mozilla has finally launched Firefox Monitor, a website that connects to Troy Hunt’s Have I Been Pwned? (HIBP), one of

Firefox Monitor Has Begun To Track Breached Email Addresses on Latest Hacking News.

Can DuckDuckGo Become the Anti-Google?

"Recently, a privacy-oriented search engine called DuckDuckGo raised $10 million from a Canadian pension fund," reports Marketplace.org, saying the privacy-focused search engine is "trying to establish itself as the anti-Google." An anonymous reader quotes their report: "So it's like Google, except when you search on it, you're completely anonymous," said Gabriel Weinberg, CEO of the company. The searches are encrypted. The site knows where you are, but only while you're searching, and it doesn't store your personal information. "We serve you the search results and we throw away your personal information...so your IP address and things like that. And we don't actually store any cookies by default. And so when you search on DuckDuckGo, it's like every time you're a new user and we know nothing about you..." Weinberg said about a quarter of Americans have taken some action to protect their privacy, and DuckDuckGo searches have been growing about 50 percent a year. "We are proud to have a profitable business model that doesn't rely on collecting personal data," the company tweeted in June, and this week they also shared a quote from a Harvard Business Review article that asked "How far can the surveillance economy go?" "Most consumers are either unaware of the personal info they share online or, quite understandably, unable to determine the cost of sharing it -- if not both."

Read more of this story at Slashdot.

YouTuber reveals iPhone XS passcode bypass bug exposing contacts/photos

By Waqas

With the new iPhone XS out, it is a universally believed fact that Apple is committed to improving and enhancing user privacy and security in its devices. With the new iOS 12 and iOS 12.1 beta, the Cupertino-based company claims to have taken security to a whole new level. However, this claim is questioned after numerous […]

This is a post from HackRead.com Read the original post: YouTuber reveals iPhone XS passcode bypass bug exposing contacts/photos

Facebook: User shadow data, including phone numbers may be used by advertisers

The worst suspicion has become a disconcerting reality: Facebook admitted that advertisers were able to use phone numbers its users had provided for enhanced security.

Researchers from two American universities discovered that phone numbers given to Facebook for two-factor authentication were also used for advertising purposes.

“These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings,” reads the study published by the researchers. 

“Most worrisome, we found that phone numbers uploaded as part of syncing contacts — that were never owned by a user and never listed on their account — were in fact used to enable PII-based advertising.”

The study investigates the channels through which advertisers can gather personally identifying information (PII) from the Facebook, WhatsApp and Messenger services.

Contact lists uploaded to the Facebook platforms could be used by advertisers who, once they have extracted the personal information, can leverage it to target people in their networks.

The experts speculate that Facebook is using a hidden layer of details it holds about its users, such as phone numbers used for 2FA, which they called “shadow contact information.”

The study supports concerns that Facebook uses “shadow” sources of data, which were never given to the social network for sharing, to make money from advertising.

“We use the information people provide to offer a better, more personalized experience on Facebook, including showing more relevant ads,” a spokeswoman told Gizmodo, which first reported the news.

Facebook continues to face a severe crisis over the way it manages its users’ data; the Cambridge Analytica case shocked the world with the way the social network giant shared the information of its unaware users with third-party companies.

At the time of writing, Facebook’s Guy Rosen, VP of Product Management announced that attackers exploited a vulnerability in the “View As” feature to steal Facebook access tokens of 50 Million Users.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

The post Facebook: User shadow data, including phone numbers may be used by advertisers appeared first on Security Affairs.


Massive Facebook Breach Affects 90 Million Accounts

Facebook forced a reset of more than 50 million user accounts on Thursday and would force another 40 million account resets in the coming days, citing a major breach of the site’s security that allowed unknown attackers to take over people’s accounts. The company said its own engineering team discovered the flaw, which involved the...


Major Tech Companies Finally Endorse Federal Privacy Regulation

The major tech companies, scared that states like California might impose actual privacy regulations, have now decided that they can better lobby the federal government for much weaker national legislation that will preempt any stricter state measures.

I'm sure they'll still do all they can to weaken the California law, but they know they'll do better at the national level.

Delta’s Fully Biometric Terminal Is the First In the US

In what Delta is calling the first "biometric terminal" in the country, they will reportedly use facial recognition at check-in, security and boarding inside the international terminal at Atlanta's Hartsfield-Jackson airport. Engadget reports: Passengers that want to use facial recognition can approach a kiosk in the lobby and click "Look," or approach a camera at the ticket counter, TSA checkpoint or when boarding. Once a green check mark flashes on the screen, they can proceed. Delta -- which plans to introduce fingerprint scanning to the fold, too -- says passengers can use this system instead of their passports to get through these checkpoints, but you'll still need your passport for use in other non-biometric-equipped airports (although maybe one day we'll do away with passports altogether). Privacy advocates are concerned about the security risks present in facial scans, especially as it's an opt-out process. Others, however, say it makes air travel a more streamlined process.

Read more of this story at Slashdot.

UK issues data protection guidance for a no-deal Brexit scenario

In preparation for a possible no-deal Brexit, the UK Government has published guidance about how this will affect data protection. The EU uses a mechanism called an adequacy decision to allow the free flow of personal data to countries outside the EU. BH Consulting CEO Brian Honan has identified the key section of the UK guidance if there is no adequacy decision regarding the UK post-Brexit.

All eventualities

The UK Government said that it needs to prepare for all eventualities, including a no deal scenario in March 2019. As the date nears, preparations for a no deal scenario are speeding up but London insists this doesn’t reflect current discussions between the UK and the EU. “Such an acceleration does not reflect an increased likelihood of a ‘no deal’ outcome. Rather it is about ensuring our plans are in place in the unlikely scenario that they need to be relied upon,” the Government said.

The full guidance is here. Brian says the key section in the event of no adequacy decision is this one:

“For the majority of organisations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner, and rights for the individuals whose personal data is transferred. In certain circumstances, your EU partners may alternatively be able to rely on a derogation to transfer personal data. We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners.”

Back to the BCRs

Brian Honan interprets this section as applying to all data travelling from the EU into a client’s operations and/or to third party providers or partners based in the UK. “Note the above talks about model data protection clauses but many experts say these will not suffice and we will need to look at binding corporate rules (BCRs) instead,” Brian said.

BCRs are the internal rules for data transfers within multinational companies, as explained by the European Commission. The Irish Data Protection Commissioner also has a brief explanation of BCRs.

Earlier this year, Brian wrote an article for the Irish Independent about data protection in a post-Brexit Britain. He pointed out that GDPR will remain in effect until March 2019 no matter what happens after that date. Stay tuned to our blog for more news about data protection, privacy and GDPR in the weeks ahead.

The post UK issues data protection guidance for a no-deal Brexit scenario appeared first on BH Consulting.

Face Scanning In US Airports Is Rife With Technical Problems

Homeland Security's Inspector General has issued a report warning that its airport face scanning system is struggling with "technical and operational challenges." The report says that Customs and Border Protection "could only use the technology with 85 percent of passengers due to staff shortages, network problems and hastened boarding times during flight delays," reports Engadget. "The system did catch 1,300 people overstaying their allowed time in the U.S., but it might have caught more -- and there were problems 'consistently' matching people from specific age groups and countries." From the report: The watchdog also pointed out uncertainty about help from airlines, such as requiring them to buy the cameras needed for taking passengers' photos. That represents a "significant point failure" for the face scanning system, the Inspector General said. As a result, the oversight body warned that Homeland Security might not make its target of having the face scanning system completely ready for use in the top 20 US airports by 2021.

Read more of this story at Slashdot.

Firefox Monitor will Notify you When Your Account is Hacked- Mozilla

By Waqas

Firefox has joined hands with Have I Been Pwned for this project. Mozilla introduced a new service earlier this year called Firefox Monitor, and now the company is adding a new feature to this service. The newly added feature will take scrutiny to a whole new level by allowing users to sign up for getting […]

This is a post from HackRead.com Read the original post: Firefox Monitor will Notify you When Your Account is Hacked- Mozilla

11 million personal unprotected MongoDB records leaked online

By Uzair Amir

Another day, another trove of sensitive data exposed online. This time, a MongoDB database containing a whopping 43.5GB of data used in marketing campaigns has been left exposed for public access. The data was discovered by Bob Diachenko, an independent security researcher, who noted that the database was available on an unprotected MongoDB instance hosted on Grupo-SMS hosting and […]

This is a post from HackRead.com Read the original post: 11 million personal unprotected MongoDB records leaked online

Smashing Security #097: Dash cam surveillance, robocall plague, and Zoho woe

Why was Zoho’s website taken offline by its own domain registrar? How are dash cams making you less secure? And why are robocalls on the rise in the United States?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

You should prepare for the next mega data breach

As of September 2018, it’s been one year since the historic Equifax mega data breach that impacted nearly half of all consumers in the U.S. Since this monumental invasion of personal data, fraudsters have shown little to no sign of slowing down, as evidenced by the continued emergence of additional data breaches. In fact, within the past year alone, nearly 30 percent of U.S. consumers have been notified of a breach impacting their own personal … More

The post You should prepare for the next mega data breach appeared first on Help Net Security.

Holes found in Mojave’s privacy protection

macOS Mojave was released on Monday, September 24, with much promise of increased privacy protections. In particular, apps are now required to get permission from users before they can access data in certain locations, such as Mail data, contacts, calendar events, Safari user data, and more.

Blocking access to Safari user data would have prevented the issue brought to light earlier this month, in which apps from the Mac App Store were capturing users’ browsing history. In Mojave, unless the user approves an app like Dr. Battery to access that data—which seems unlikely, considering that the app’s purpose had nothing to do with browsing history—the app would be prevented from accessing that data at all.

What’s the problem?

Although the new privacy protections are well-intended, developers and security researchers have expressed some concerns about the way they have been implemented. In particular, there is a legitimate concern about an issue called “dialog fatigue.” The idea is that people get tired of being hassled when they’re trying to get work done, and will just do whatever is needed to click past a warning dialog without actually reading it.

Dialog fatigue—similar to security fatigue—is real, and after having upgraded to Mojave, I can attest to the fact that it has a tendency to display a lot of these dialogs in the beginning. I had to approve access to data for quite a few of my apps. Chances are, the average person will get tired of doing so, and will simply approve each one without paying attention.

To add confusion, these dialogs simply display “Don’t Allow” and “OK” buttons. Although there’s certainly the implication that OK means “allow,” this is not explicitly stated and could result in mistakes being made.

There are also issues with apps that use background processes not triggering the user approval, which can break those apps in interesting ways, such as causing crashes or silently impairing functionality.

Mojave’s privacy protection is far from perfect so far, but it turns out problems go much deeper than user interface issues. Two security researchers have independently, within 24 hours of the Mojave launch, announced troubling findings.

Patrick Wardle posted a video on Monday demonstrating a zero-day vulnerability that can allow a malicious program to gain access to protected data without needing to get the user’s approval. The video demonstrates how to trigger a request for access to contact data in the Terminal, and shows that request being denied. Subsequent attempts to access that data from the Terminal simply fail.

The video then goes on to show execution of a proof-of-concept app Wardle developed, called breakMojave.app. This app does not trigger any access request, and is able to read and copy that data nonetheless.

Wardle has reported this to Apple, but has not made the details of this vulnerability public at this time. He has promised to discuss them at the upcoming Objective by the Sea, the first ever Mac security conference.

The next day, a blog post from a source at SentinelOne revealed that it is possible for a remote attacker to gain access to protected data via ssh.

ssh is a Unix program, and the name is an abbreviation for “secure shell.” The program allows you to establish a remote connection to another computer and send Unix commands through that connection. ssh is often targeted by attackers as a way into a system, and if an attacker can get in via ssh, they can have full control of the machine and access to all data.

SentinelOne goes on to point out that many different processes will be highly likely to be given full disk access. For example, the Terminal can be used to access many different parts of the disk, and may be given a global exemption by power users. People who run AppleScripts are likely to give access to programs like System Events, Script Editor, or Automator. Any of these could be hijacked to execute malicious commands.
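As an added example (not Malwarebytes' or Apple's code), the Python below audits a copy of Mojave's TCC permissions database for the broad grants the paragraph above warns about, such as Terminal holding Full Disk Access or Script Editor holding Automation rights. The table layout it assumes is a simplified subset of the Mojave `access` table, and the sample rows are constructed.

```python
"""Audit a macOS Mojave TCC permissions database for broad, hijack-prone grants.

Added example, not Malwarebytes' or Apple's code. The table layout is an assumed,
simplified subset of the Mojave TCC.db `access` table.
"""
import sqlite3
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Per-user TCC database on Mojave; the system-wide copy lives under /Library.
# Caveat: on Mojave, reading this file itself already requires Full Disk Access.
USER_TCC_DB = Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"

# Services whose grant gives a process far more than one category of data.
BROAD_SERVICES: Dict[str, str] = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceSystemPolicySysAdminFiles": "Administrator files",
    "kTCCServiceAppleEvents": "Automation (sending Apple events to other apps)",
}

# Scriptable clients that power users tend to approve; any command run
# through them inherits the grant, which is the concern raised above.
SHELL_LIKE_CLIENTS = {
    "com.apple.Terminal",
    "com.apple.ScriptEditor2",
    "com.apple.Automator",
    "com.apple.systemevents",
}


@dataclass(frozen=True)
class Grant:
    service: str
    client: str
    allowed: bool
    prompt_count: int


@dataclass(frozen=True)
class Finding:
    client: str
    service: str
    reason: str


def open_tcc_db(path: Path = USER_TCC_DB) -> sqlite3.Connection:
    """Open a real TCC.db read-only so the audit can never modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows (not a real TCC.db) for offline demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "allowed INTEGER, prompt_count INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?)",
        [
            ("kTCCServiceAddressBook", "com.example.mailclient", 0, 1, 1),
            # Contacts denied to Terminal, as in the video described above.
            ("kTCCServiceAddressBook", "com.apple.Terminal", 0, 0, 1),
            # A power user granted Terminal Full Disk Access.
            ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 1, 0),
            ("kTCCServiceAppleEvents", "com.apple.ScriptEditor2", 0, 1, 2),
            ("kTCCServiceCalendar", "com.example.todo", 0, 1, 1),
        ],
    )
    conn.commit()
    return conn


def load_grants(conn: sqlite3.Connection) -> List[Grant]:
    """Read every row of the `access` table into Grant records."""
    rows = conn.execute(
        "SELECT service, client, allowed, prompt_count FROM access"
    ).fetchall()
    return [Grant(s, c, bool(a), p) for s, c, a, p in rows]


def audit(grants: List[Grant]) -> List[Finding]:
    """Flag allowed grants that are broad, or that sit on a scriptable client."""
    findings = []
    for g in grants:
        if not g.allowed:
            continue  # a denied prompt gives a hijacked process nothing
        if g.service in BROAD_SERVICES:
            findings.append(Finding(g.client, g.service,
                                    f"broad grant: {BROAD_SERVICES[g.service]}"))
        elif g.client in SHELL_LIKE_CLIENTS:
            findings.append(Finding(g.client, g.service,
                                    "scriptable client holds a data grant"))
    return sorted(findings, key=lambda f: (f.client, f.service))


if __name__ == "__main__":
    # Runs against the constructed sample; use open_tcc_db() on a real Mac.
    for f in audit(load_grants(build_sample_db())):
        print(f"{f.client:28} {f.service:40} {f.reason}")
```

On a real Mojave system, pass `open_tcc_db()` to `load_grants` and review each flagged client: revoking a broad grant from a scriptable app is the mitigation the article points toward.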

What does this mean?

As far as actual risk, you’re no worse off in Mojave than you were running any older version of macOS, none of which featured this kind of privacy protection. In fact, despite these bugs, it’s still harder for an app to get access to this data than it was before.

However, these changes continue a troubling trend at Apple. macOS High Sierra began a concerning process of causing significant problems for developers and users alike, via the user approval process for installing kernel extensions. There are many issues in that process involving both the user experience and bugs in macOS. The user ends up confused and frustrated, and the developer ends up working as unpaid Apple support.

The explosion of new approval dialogs produced by these changes to Mojave will be another step down this same road. The friction people experience with these dialogs will result in developers being penalized for doing interesting and innovative things, while many users will continue to click “OK” in warning dialogs without reading them.

Protecting the user’s privacy is an extremely noble goal, but the multiple issues and bugs involved with this particular implementation will likely cause more problems in the short term than they will solve.

The post Holes found in Mojave’s privacy protection appeared first on Malwarebytes Labs.

India’s Top Court Refuses To Scrap Aadhaar, the World’s Largest Biometric ID Database

India's top court refused to scrap Aadhaar, the world's largest biometric database, in a ruling announced Wednesday, upholding the validity of the sprawling digital-identity program but also imposing some restrictions on its use and proliferation. Huffington Post reports: The majority judgement of the court read down Section 57 of the Aadhaar Act of 2016, holding that private companies cannot insist on Aadhaar numbers from citizens to provide services. The court upheld the validity of linking aadhaar to PAN cards, suggesting that -- should the government wish it -- anyone who pays income tax will have to have an aadhaar number anyway. However, the court held the linking of aadhaar numbers to bank accounts, as mandated by an amendment to the Prevention of Money Laundering Act of 2002, was unconstitutional. The court also held that educational institutions and bodies like the Central Board for Secondary Education (CBSE) and University Grants Commission (UGC), and schools and colleges, cannot ask for Aadhaar details of potential candidates. Chief Justice of India Dipak Misra, and Justices AK Sikri and AM Khanwilkar delivered a concurrent majority judgement, while Justices DY Chandrachud and Ashok Bhushan delivered separate opinions. The majority judgement, read out in a packed courthouse by Justice Sikri, relied heavily on the court's landmark 2017 Privacy judgement. "Today the Supreme Court has passed a historic judgement on Aadhaar," said Supreme Court Advocate Prashant Bhushan. "They have held several parts of the Aadhaar act to be unconstitutional." The court's decision restricting private companies from demanding Aadhaar numbers, Bhushan said, would come as a relief. The ruling could come as a blow for local companies -- like Jio and Paytm -- that rely heavily (or even exclusively) on technologies such as Aadhaar's eKYC (an Aadhaar-enabled Know Your Customer service) to grow their customer base, analysts say.

Read more of this story at Slashdot.

Millennials More Likely To Fall For Scams Than Baby Boomers

A new report from the Better Business Bureau suggests that millennials are now more likely to fall victim to a scam than Baby Boomers. Washington Examiner reports: The Better Business Bureau reports that 69 percent of scam victims are under the age of 45. Young adults heading off to college are especially gullible, the group says. "College students can be easy targets for scammers and identity thieves. They are old enough to have money, young enough to be vulnerable and are likely unsupervised as many are away from home for the first time," writes Heather Massey of the Better Business Bureau. Phishing scams now target cell phones as well as email and social media. "Millennials spend a lot of time on Facebook or other social media sites, where they can target them with these messages," said Jim Hegarty, Better Business Bureau president and CEO. College students also use sensitive information frequently, like student IDs, Social Security numbers, and banking information.

Read more of this story at Slashdot.

Almost Every Major Free VPN Service is a Glorified Data Farm

By John Mason

If you are a VPN user, it is time to dispel the myth that every VPN exists to secure your privacy. Internet censorship is on the rise, and data from Freedom on the Net, based on an annual assessment of the state of Internet freedom in 65 countries, reveals that not only […]

This is a post from HackRead.com Read the original post: Almost Every Major Free VPN Service is a Glorified Data Farm

Security and privacy improvements in macOS Mojave

Apple has released macOS Mojave, which comes with a new Dark Mode, a redesigned Mac App Store, and many new and modified features. It also sports changes aimed at enhancing users’ privacy and security.

Improvements in Safari

Some of these have been already unveiled as they are included in Safari 12, which was released only a week ago. The browser now comes with a new Passwords section in the browser’s Preferences, which flags password reuse … More

The post Security and privacy improvements in macOS Mojave appeared first on Help Net Security.

Thousands of stolen frequent flyer miles of top airlines sold on Dark Web

By Waqas

The Dark Web has become a business hub for malicious hackers and cybercriminals. It seems there is nothing that is spared from the prying eyes of cybercriminals, and the Dark Web has become a thriving ground for all types of illegally acquired data and criminal activities. However, this time around researchers from CompariTech haven’t identified […]

This is a post from HackRead.com Read the original post: Thousands of stolen frequent flyer miles of top airlines sold on Dark Web

Understanding California’s Consumer Privacy Act: The ‘American GDPR’

As enterprises around the world deal with legislative backlash following years of unfettered data collection, companies are confused about how to achieve compliance not only with the General Data Protection Regulation (GDPR), but also with California’s Consumer Privacy Act (CCPA). If you are one of them, rest assured that you are not alone in your confusion — and you’d better believe there’s more to come.

Several months after GDPR went into effect, 27 percent of companies reported that they had yet to start the GDPR compliance process, according to GDPR.Report. Still, the threat of additional regulations looms.

When the California legislation goes into effect on Jan. 1, 2020, more than 500,000 American businesses will be subject to the CCPA, according to a recent report from Varonis. In addition, 58 percent of companies have more than 100,000 folders open to everyone. Sensitive data is at risk, and in 15 months, companies will be required to allow consumers to review the data they have collected on them, demand deletion of data and opt out of having the data sold to third parties. Organizations face fines of $7,500 for violations.

Navigating the ‘American GDPR’

Since Labor Day weekend, two new state law amendments have come into effect. In its privacy statute, Colorado expanded the terms of what data will be protected. Additionally, the statute now includes a mandated 30-day breach notification. The clock starts ticking the moment the company discovers the breach. New York’s Department of Financial Services similarly updated its cybersecurity guidance under NY State 23 NYCRR 500 Law.

The new requirements mandate risk assessments by application, as well as limits on data retention. The revisions added information access monitoring requirements and stipulated that all private information be encrypted, both at rest and in transit.

“The web of cyber data privacy laws continues to grow both in volume and complexity,” said Pravin Kothari, CEO of cloud security vendor CipherCloud, in an email interview. “These sort of regulations will need to be handled by Federal omnibus. The expense and risk to businesses in attempting to implement a rolling thunder of different regional and/or state data privacy laws will be overpowering.”

With increasing focus on regulations, the burden is falling on companies to manage and secure sensitive data while also providing customers greater control over their sensitive information. As if complying with GDPR and CCPA were not complicated enough, additional legislation is likely forthcoming in the U.S. — other states are bound to introduce their own laws, which sets a high bar for U.S. companies when it comes to data privacy.

There’s Still Time to Prepare for the Consumer Privacy Act

The good news is that Jan. 1, 2020 is still about 15 months away. While companies are all over the spectrum in terms of how far they have to go, there is still time to work through some of the confusion the market is sensing to iron out the compliance wrinkles.

“Determining the best practices for compliance with the upcoming laws depends in large part [on] how risk-averse companies are,” said Arshad Noor, creator and chief technology officer (CTO) of StrongKey. “Those companies that are already compliant with GDPR will find themselves well-prepared to deal with new acts across the U.S. in different states.”

While GDPR defines a data subject as a human being and any data about them, California defines the person as a human, business, entity or object, according to Noor.

“We tend to think of consumer privacy as my information, name, date of birth, gender, but California has created categories of data which include metadata, IP addresses and more,” Noor said. “It’s an interesting notion about privacy that I don’t think anyone has thought of.”

Between now and 2020, a lot will be clarified about the different categories of data and the fundamentals of what needs to be protected. But don’t wait for clarification to begin moving toward compliance. The first step is to establish a policy that guides the company’s day-to-day practices. Once that policy is defined, Noor said, “Look at specific requirements of the law. Companies will have to have a link or button on the home page that allows a consumer to say ‘Please delete all my information.'”

Currently, the law requires that websites or businesses dealing with California customers allow those users to directly exercise their right to be forgotten. That will be mandatory, so processes must be in place for compliance. Other stipulations are not as explicitly stated, so now is the time to start thinking about what companies should be doing. The law does allow companies to collect the data they need to do business, which is why each organization needs to be able to identify what information it actually needs.

Take a Minimalist Approach to CCPA Compliance

To start your CCPA compliance journey, identify where and how your organization’s data is stored, then begin permanently deleting any clutter from those systems.

“If it’s not necessary to conduct business, consider getting rid of that information,” Noor advised. “They need to know which applications use what data and where they have stored it. So, they should begin to take an inventory of the data, starting now.”

In addition, there may be residual information left after your cleanup, so it’s important to think about protecting what remains. At a minimum, companies should encrypt the information and eliminate user passwords from web applications. Many applications may hold sensitive information, so companies need to identify that data and decide whether to keep what they have collected.

“They should define how they use the data and make that visible in their policy as well as in their notices to consumers,” Noor explained. “Be clear about what information is being collected, how it is used and to whom it is sold.”

Improving Compliance — and Guidelines

Once a policy is in place, the next step is to implement procedures. Identifying appropriate procedures requires asking questions such as:

  • How do I address requests from consumers in my ecosystem?
  • How do consumers delete their data?
  • What is the process for identifying all information across all systems?

By addressing these gaps now, you can keep from getting caught in the regulatory cold.

When California’s data breach prevention law was made public, most jurisdictions didn’t want to go anywhere near it. The legislature didn’t take long to issue federal law. While the U.S. government could choose not to propose federal privacy protection legislation, businesses should be working with Congress to try to bring about a uniform law. Waiting for Congress to act may take too long and could result in 48 more different pieces of legislation. Talk about a compliance nightmare.

The post Understanding California’s Consumer Privacy Act: The ‘American GDPR’ appeared first on Security Intelligence.

Cloudflare Ends CAPTCHAs For Tor Users

Cloudflare announced on Monday a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service, said Cloudflare, is that Tor users will see far fewer, or even no, CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. A reader writes: The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser -- the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protected site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases. Cloudflare responded to the accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Half a year later, in October 2016, Cloudflare started looking into methods of removing CAPTCHAs for Tor users. Their first foray was the Challenge Bypass Specification and a Tor Browser extension, but that project didn't go too far, and it was eventually replaced by the new Cloudflare Onion Service today.

Read more of this story at Slashdot.

New Magecart victims ABS-CBN and Newegg are just the tip of the iceberg

With the Magecart attackers compromising web shops left and right, online shopping is becoming a risky proposition. After Ticketmaster, British Airways and Feedify, two new Magecart victims have been identified: the broadcasting giant ABS-CBN and online retailer Newegg.

Compromised shops

Security researcher Willem de Groot flagged the ABS-CBN compromise a few days ago, and he believes the attackers added the payment card skimming script on or before August 16th. RiskIQ and Volexity researchers shared details … More

The post New Magecart victims ABS-CBN and Newegg are just the tip of the iceberg appeared first on Help Net Security.