Archive for the ‘Privacy’ Category
Antivirus software is something that can help people be safer and more private on the Internet. But its protections can cut both ways. A case in point: for almost four years, AV products from Kaspersky Lab injected a unique identifier into the HTML of every website a user visited, making it possible for sites to identify people even when using incognito mode or when they switched between Chrome, Firefox, or Edge.
Researchers said they have found a publicly accessible database containing almost 28 million records—including plain-text passwords, face photos, and personal information—that was used to secure buildings around the world.
Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the US, the UK, Indonesia, India, and Sri Lanka.
According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images.
A security consultant who took to Twitter to call out inappropriate comments made by a Southwest Airline flight attendant received a surprising response when the airline’s official Twitter account included her flight number in its reply while the flight had yet to take off.
The consultant, peeved that the airline tracked down her real-world identity and then broadcast her location, sent a follow-up saying the number amounted to personally identifiable information that the airline was obligated to keep private. The airline’s response: flight numbers aren’t PII. The conversation started out with tweets like this one, reporting that an attendant on the flight she was boarding was making jokes some passengers found to be offensive:
Forgive me because I don’t often fly this airline, but are there boundaries around jokes made by FAs or is that totally at their discretion? @SouthwestAir
— Jackie (@find_evil) August 8, 2019
A Southwest representative using the name Emilia responded with this:
Privacy has been a renewed focus with Apple’s next operating system update. One new feature in iOS 13 that seems centered on user privacy could have sweeping consequences for messaging and online call apps.
In iOS 13, Apple will not allow apps to run voice over Internet protocol (VoIP) in the background when the programs are not actively in use. Many apps that offer VoIP services currently run in the background, and they will need to be rewritten to adjust to Apple’s upcoming rules. The change is slated to roll out when iOS 13 is released in September. However, app developers will get a grace period, and they have until April 2020 to comply.
Apple has been putting privacy at the front and center of its business, especially as many tech companies make headlines for data breaches or misuse of personal information. iOS 13 will include multiple updates centered on giving users more control over how and when apps can get their information, such as one-time location sharing and a “Sign in with Apple” system.
Apple makes it easy for people to locate lost iPhones, share Wi-Fi passwords, and use AirDrop to send files to other nearby devices. A recently published report demonstrates how snoops can capitalize on these features to scoop up a wealth of potentially sensitive data that in some cases includes phone numbers.
Simply having Bluetooth turned on broadcasts a host of device details, including its name, whether it's in use, if Wi-Fi is turned on, the OS version it’s running, and information about the battery. More concerning: using AirDrop or Wi-Fi password sharing broadcasts a partial cryptographic hash that can easily be converted into an iPhone’s complete phone number. The information—which in the case of a Mac also includes a static MAC address that can be used as a unique identifier—is sent in Bluetooth Low Energy packets.
The information disclosed may not be a big deal in many settings, such as workplaces where everyone knows everyone anyway. The exposure may be creepier in public places, such as a subway, a bar, or a department store, where anyone with some low-cost hardware and a little know-how can collect the details of all Apple devices that have BLE turned on. The data could also be a boon to companies that track customers as they move through retail outlets.
Six days after Ars revealed an online service selling links to tax returns, prescription refills, and reams of other sensitive information collected from more than four million browsers, the data remains available to existing customers—thanks, in part, to essential assistance from Google Analytics.
In a July 11 email, Nacho Analytics founder and CEO Mike Roberts told customers the site suffered a permanent data outage after its third-party supplier was no longer available. The site would no longer accept new customers or provide new data, he said, but customers who kept accounts open would still be able to access any existing data they bought previously.
As the redacted screenshots below demonstrate, the existing data is imported directly into customers’ Google Analytics accounts. That existing data can include the same sensitive information that led to Nacho Analytics being shut off in the first place. The first image shows the names of medical patients who obtained lab results through Dr. Chrono, a patient care cloud platform that contracts with medical services. The one below that shows non-public project management issues taken from inside Tesla’s network, funneled to Nacho Analytics, and then imported into Google Analytics.
The Federal Trade Commission today announced a long-rumored, record-smashing $5 billion settlement with Facebook over allegations related to user privacy.
The fine is high, and the settlement demands more privacy oversight at the company. But what the deal does not do is find anyone, including CEO Mark Zuckerberg, personally responsible, nor does it mandate huge changes to the way Facebook collects data—only to the way it makes disclosures and honors user settings.
Facebook repeatedly "subverted users' privacy choices to serve its own business interests," the FTC said in the order (PDF). The company's actions violated a previous settlement requiring Facebook to adhere to certain privacy guidelines.