Category Archives: privacy

Donated devices are doxing your data, says new research

This is a common and recurring problem due to lack of awareness and the difficulty of securing data. Think twice before you donate your old devices. At least make an attempt to erase or remove the storage device before doing so.

If you are concern with data compliance, you may refer to
NIST SP 800-88r1 – Guidelines for Media Sanitization. For the rest of us, try to adopt security best practices such as:

  • Full disk encryption
  • Use of dedicated software to wipe, especially those from the manufacturer
  • Physical destruction

In the space of six months, one security researcher found thousands of files from dozens of computers, phones and flash drives — most of which contained personal information. All the researcher did was scour the second-hand stores for donated and refurbished tech. New research published by security firm Rapid7 revealed how problematic discarded technology can […]

Source: Donated devices are doxing your data, says new research

Govt. to access home devices in security survey – News – NHK WORLD – English

Free vulnerability scan by the government for Japan netizens.

Can’t say it’s a bad idea, if it’s well-managed. The fact is there are a lot of devices out there which have default credentials or unpatched vulnerabilities. These devices usually end up being exploited by threat actors for personal gains. Ability to identify vulnerable devices is a necessary first step towards mitigating potential cyber incidents.

Japan will attempt to access Internet-connected devices in homes and offices to find their vulnerabilities. The first-of-its-kind survey is aimed at beefing up cyber-security.

Source: Govt. to access home devices in security survey – News – NHK WORLD – English

Android Security Bulletin — February 2019  |  Android Open Source Project

This is a serious one. A vulnerability exists on Android that will allow the phone to be hacked simply by viewing a malicious PNG image.

The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Source: Android Security Bulletin — February 2019  |  Android Open Source Project

Singapore Business & Consumer Email Databases

This is brazen.

Someone is openly selling aggregated databases containing PII (personally identifiable information) of Singaporeans – names, email, mobile, address, company, job title, etc. and even offering a CNY promotion of “only” SGD 688 for a total of 8 databases.

Some of the sample databases – which I won’t embed here – are not properly blurred out – you can even make out the name, email, mobile and address of the individual.

The FAQ says that:

Q: Is It Legal To Purchase Databases?

Yes. It is legal to purchase database for marketing or advertising purposes. All information in our databases are publicly available data which can be found online or offline.

That is blatantly false.

The organization behind this website claims to be SPADB, which doesn’t appear to be a legitimate company. According to archive.org, they seem to have been operating since 2015. It has another similar looking website which sells databases of registered property agents.

The server hosting the website seems to be based in Singapore, so there’s a possibility that PDPC or SingCert can do something about it.

 

Singapore’s most comprehensive business & consumer databases with over 1 million contact list. Buy 1 Get 6 Free. 7 databases For just one low price. 100% Lowest Price Guaranteed!

Source: CNY Promotion | Singapore Business & Consumer Email Databases

CCPA will hit your dev team harder than GDPR. Here’s why.

The cost of data is not just the bytes that are required to store them. Increasingly laws will target companies for over-collecting, misusing, and not doing enough to protect PII data.

An (incomplete) history of data regulation in California

California recently passed an extremely powerful, far-reaching law, the California Consumer Privacy Act (CCPA), that will likely drive even more change than the GDPR. Here’s what your dev team needs to know and how to prepare.

Source: CCPA will hit your dev team harder than GDPR. Here’s why.

Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg

This is a case that will test the limits of exclusion in the brave new world of cybersecurity insurance. Basically, the insurance company is refusing to pay for cybersecurity related damages by citing an exclusion clause which states the malware was created as part of a cyber warfare.

What if courts and lawyers actually start believing the cyberwar narrative and acting as if any damage caused to Western companies is uninsurable war damage?

What will happen to the insurance of cyber risks if any attack could potentially be declared part of a war?

Source: Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg

In the New Fight for Online Privacy and Security, Australia Falls:

In a move that has sent shock waves through the cybersecurity and software community, Australia passes new law that could potentially devastate its software industry, by compelling tech companies to help law enforcement break into user’s encrypted data.

Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.

Source: In the New Fight for Online Privacy and Security, Australia Falls:

  1. Response from 1Password
  2. Response from Protonmail

New form of Google banking scam

A novel way of scamming. Make your phone number appear in Google Maps by claiming it. People who clicks on the result of Google Maps gets directed to you. Profit!

When you see any information listed on a website, your first reaction isn’t to immediately question whether or not that information is accurate. It is to blindly trust the technology that has helped you unfailingly countless times in the past. That is precisely why this scam is so potent.

Source: New form of Google banking scam

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

Bloomberg’s big story on alleged China hacking through server hardware implants. If true, it would be an absolutely incredible feat, equivalent in terms of impressiveness to the Stuxnet worm.

The attack by Chinese spies reached almost 30 U.S. companies by compromising America’s technology supply chain.

Source: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

At the moment, Bloomberg seems to double-down on its story with the following statement:

“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson told BuzzFeed News in response to a series of questions. “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

It’ll be interesting to see who’s telling the truth as the story develops. Meanwhile, governments and companies around the world should be in panic mode, as they try to figure out if they are using Supermicro servers, and if so, whether they are affected by the so-called hacking.

(2018-Oct-04) Apple and Amazon both issued strong denials to the claims of the article.

(2018-Oct-04) Separately, Apple and Amazon both issued even stronger statements on their website to set the record straight on the matter.

(2018-Oct-05) Buzzfeed’s coverage of the story also seem to indicate that even senior staff in Apple doesn’t know about the alleged hacks.

(2018-Oct-20) Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story

(2018-Oct-23) Amazon cloud chief Jassy follows Apple in calling for retraction of Chinese spy chip story