Archive for the ‘Privacy’ Category

Google, Mozilla, Apple Block Kazakhstan’s Root CA Certificate to Prevent Spying

August 21st, 2019
In a move to protect its users based in Kazakhstan from government surveillance, Google, Apple and Mozilla finally today came forward and blocked Kazakhstan's government-issued root CA certificate within their respective web browsing software. Starting today, Chrome, Safari and Firefox users in Kazakhstan will see an error message stating that the "Qaznet Trust Network" certificate should not

Posted in HTTPS encryption, interception tool, Kazakhstan, Online Security, Privacy, root CA certificate, root certificate, website security | Comments (0)

Kaspersky AV injected unique ID into webpages, even in incognito mode

August 16th, 2019
Antivirus software is something that can help people be safer and more private on the Internet. But its protections can cut both ways. A case in point: for almost four years, AV products from Kaspersky Lab injected a unique identifier into the HTML of every website a user visited, making it possible for sites to identify people even when using incognito mode or when they switched between Chrome, Firefox, or Edge.

The identifier, as reported Thursday by c't Magazine, was part of a blob of JavaScript Kaspersky products injected into every page a user visited. The JavaScript, presented below this paragraph, was designed to, among other things, present a green icon that corresponded to safe links returned in search results.

<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>

Posted in A/V, antivirus, Biz & IT, Privacy, unique identifiers | Comments (0)

Kaspersky Antivirus Flaw Exposed Users to Cross-Site Tracking Online

August 15th, 2019
In this digital era, the success of almost every marketing, advertising, and analytics company is driven by tracking users across the Internet to identify them and learn their interests in order to serve targeted ads. Most of these solutions rely on third-party cookies, cookies set on a domain other than the one you are browsing, which allow companies including Google and Facebook to fingerprint

Posted in advertisement retargeting, antivirus software, browser cookies, cookies stealing, internet security, Kaspersky, Kaspersky Antivirus, Privacy, super cookies, tracking cookies | Comments (0)

Found: World-readable database used to secure buildings around the globe

August 14th, 2019
Passwords stored in a database for BioStar 2. (credit: vpnMentor)

Researchers said they have found a publicly accessible database containing almost 28 million records—including plain-text passwords, face photos, and personal information—that was used to secure buildings around the world.

Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the US, the UK, Indonesia, India, and Sri Lanka.

According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images.

Posted in Biz & IT, databases, Privacy | Comments (0)

Airline tracks Twitter user’s real-world ID, publishes her flight number

August 9th, 2019
A security consultant who took to Twitter to call out inappropriate comments made by a Southwest Airlines flight attendant received a surprising response when the airline’s official Twitter account included her flight number in its reply while the flight had yet to take off.

The consultant, peeved that the airline tracked down her real-world identity and then broadcast her location, sent a follow-up saying the number amounted to personally identifiable information that the airline was obligated to keep private. The airline’s response: flight numbers aren’t PII. The conversation started out with tweets like this one, reporting that an attendant on the flight she was boarding was making jokes some passengers found to be offensive:

A Southwest representative using the name Emilia responded with this:

Posted in personally identifiable information, Policy, Privacy, southwest airlines | Comments (0)

Binance KYC Data Leak — Crypto Exchange Sets $290,000 Bounty On Blackmailer

August 7th, 2019
Malta-based cryptocurrency exchange Binance has become a victim of a ransom demand from a scammer who claimed to have hacked the KYC (Know Your Customer) data of thousands of its customers. The unknown attacker threatened the world's largest cryptocurrency exchange by volume to release KYC information of 10,000 users if the company did not pay 300 Bitcoins—that's equivalent to almost $3.5

Posted in Binance, cryptocurrency, cryptocurrency exchange, data breach, data leaked, hacking news, Privacy | Comments (0)

iOS 13 privacy feature will force total overhaul for Facebook apps

August 6th, 2019
Apple's Craig Federighi unveils iOS 13 at WWDC 2019. (credit: Ron Amadeo / Ars Technica)

Privacy has been a renewed focus with Apple’s next operating system update. One new feature in iOS 13 that seems centered on user privacy could have sweeping consequences for messaging and online call apps.

In iOS 13, Apple will not allow apps to run voice over Internet protocol (VoIP) in the background when the programs are not actively in use. Many apps that offer VoIP services currently run in the background, and they will need to be rewritten to adjust to Apple’s upcoming rules. The change is slated to roll out when iOS 13 is released in September. However, app developers will get a grace period, and they have until April 2020 to comply.

Apple has been putting privacy at the front and center of its business, especially as many tech companies make headlines for data breaches or misuse of personal information. iOS 13 will include multiple updates centered on giving users more control over how and when apps can get their information, such as one-time location sharing and a “Sign in with Apple” system.

Posted in apple, Facebook, iOS, iOS 13, Privacy, Tech | Comments (0)

Apple’s AirDrop and password sharing features can leak iPhone numbers

August 1st, 2019
Apple makes it easy for people to locate lost iPhones, share Wi-Fi passwords, and use AirDrop to send files to other nearby devices. A recently published report demonstrates how snoops can capitalize on these features to scoop up a wealth of potentially sensitive data that in some cases includes phone numbers.

Simply having Bluetooth turned on broadcasts a host of device details, including its name, whether it's in use, if Wi-Fi is turned on, the OS version it’s running, and information about the battery. More concerning: using AirDrop or Wi-Fi password sharing broadcasts a partial cryptographic hash that can easily be converted into an iPhone’s complete phone number. The information—which in the case of a Mac also includes a static MAC address that can be used as a unique identifier—is sent in Bluetooth Low Energy packets.

The information disclosed may not be a big deal in many settings, such as work places where everyone knows everyone anyway. The exposure may be creepier in public places, such as a subway, a bar, or a department store, where anyone with some low-cost hardware and a little know-how can collect the details of all Apple devices that have BLE turned on. The data could also be a boon to companies that track customers as they move through retail outlets.

Posted in apple, Biz & IT, bluetooth, iPhones, phone numbers, Privacy | Comments (0)

Still available via Google Analytics: Data slurped from 4 million browsers

July 24th, 2019
Six days after Ars revealed an online service selling links to tax returns, prescription refills, and reams of other sensitive information collected from more than four million browsers, the data remains available to existing customers—thanks, in part, to essential assistance from Google Analytics.

In a July 11 email, Nacho Analytics founder and CEO Mike Roberts told customers the site suffered a permanent data outage after its third-party supplier was no longer available. The site would no longer accept new customers or provide new data, he said, but customers who kept accounts open would still be able to access any existing data they bought previously.

As the redacted screenshots below demonstrate, the existing data is imported directly into customers’ Google Analytics accounts. That existing data can include the same sensitive information that led to Nacho Analytics being shut off in the first place. The first image shows the names of medical patients who obtained lab results through Dr. Chrono, a patient care cloud platform that contracts with medical services. The one below that shows non-public project management issues taken from inside Tesla’s network, funneled to Nacho Analytics, and then imported into Google Analytics.

Posted in Biz & IT, data, personally identifiable information, PII, Privacy | Comments (0)

FTC fines Facebook $5 billion, imposes new privacy oversight

July 24th, 2019
The company can afford to shrug it off. (credit: Justin Sullivan | Getty Images)

The Federal Trade Commission today announced a long-rumored, record-smashing $5 billion settlement with Facebook over allegations related to user privacy.

The fine is high, and the settlement demands more privacy oversight at the company. But what the deal does not do is find anyone, including CEO Mark Zuckerberg, personally responsible, nor does it mandate huge changes to the way Facebook collects data—only to the way it makes disclosures and honors user settings.

Facebook repeatedly "subverted users' privacy choices to serve its own business interests," the FTC said in the order (PDF). The company's actions violated a previous settlement requiring Facebook to adhere to certain privacy guidelines.

Posted in Cambridge Analytica, Facebook, Federal Trade Commission, FTC, Policy, Privacy | Comments (0)