New European Privacy Standards Coming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR), and on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were specifically passed by the EU, due to the international nature of the web many people from all over the world will feel its impacts.

These regulations aim to increase user privacy through expanding the scope of consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer – meaning web services must implement gradual permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company has on the user. Companies must also have the ability to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them be permanently erased from a company's database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of these carries large penalties on a per-violation basis. These rules could potentially change the global playing field as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

2020 Online Census

In two years the United States will be conducting the census like they do every 10 years. This time though will be different. The United States will be doing a primarily online census. This could be a giant security risk.

Back in 2016, Australia decided to try an online census. As soon as the survey was posted, hackers performed a giant denial-of-service attack that caused the system to go down for 2 days. Though no information was breached, it still was an embarrassment for the country and proved that they weren’t ready.

The United States has been toying around with the idea of doing an online census since 2000, but it wasn’t used in 2010 due to a lack of trust in data collection effectiveness and security. It seems that the lack of trust hasn’t gone away but the pressure to move digital has caused this change.

Problems are already popping up in this census. The bureau is rushing it out which has prevented thorough testing of the security. In the tests that were conducted the data had issues being transmitted and received.

Not receiving the data could be the least of our worries though. Hackers could flood the census with phony data or breach data and release it. Both of these outcomes won’t look good on our government and will further a distrust people already have since the election. Maybe it is best to wait another 10 years until our platform is more secure and trustworthy.

- Bailey Pearson

Sources:

https://www.motherjones.com/politics/2018/03/the-2020-census-is-a-cybersecurity-fiasco-waiting-to-happen/

Recently Found Glitch in iOS 11.2.6

In Apple’s latest iOS version, there’s a major security breach involving Siri.

To protect users’ privacy, users can set their notification contents to hidden, requiring them to unlock their phone in order to see the messages. However, if the user asks Siri to read the notifications, Siri will read the contents of the message. This is a pretty big issue, as anyone could access those messages when they were supposed to be secured.

Apparently the bug only works with third-party apps such as Facebook Messenger, Skype, WhatsApp, Telegram, and Signal. The only apps not affected are Apple’s own SMS texts and iMessage.

Email information can also be read directly off the lock screen. Details such as sender, subject, and message content are accessible.

According to Apple, the issue will be resolved in a future update.

-Jessica Prost

Sources:

https://threatpost.com/apple-to-fix-glitch-allowing-siri-to-read-hidden-messages-out-loud/130721/

https://mashable.com/2018/03/21/siri-iphone-lock-screen-bug-exposes-messages/#rRWd0iW6Saqa

AMD Acknowledges new exploits in new processors

Earlier this month, a lab based in Israel was able to find 13 critical exploits in AMD’s new line of processors that would allow hackers to install persistent malware and access sensitive information.

Although the labs have not publicly stated how the exploits are to be done, people are still criticizing them for publicly stating that there are exploits in general because when exploits are found, the researchers usually give the company a 30-60 day grace period to find out how to fix the hole. However, the CTO of the labs believes that it is important to notify the public immediately because there is a history of companies notifying their customers of the potential risks to their machines.

The CTO of the CTS labs believes that their approach of notifying both the company and public gives more reason for the company to work on a patch because there is now public pressure to create a patch to their exploits. He also believes that it poses no threat to the consumers because they never actually publicly release the technical aspects of the exploit. Going public on Day 0 also allows for third parties to start to try and work on a fix for the exploit as well.

For this specific set of exploits on the new line of processors, a hacker would need administrative privileges to even use these exploits. AMD stated that even without these exploits, a hacker would have a wide range of attacks they could do on your machine if they had administrative access and that there are bigger worries than their processor exploits if someone managed to gain administrative access to your computer. However, these new exploits could stop preventative measures put into place like Windows Credential Guard, which is supposed to stop even administrative-level access from getting to certain information.

AMD has since then been working on creating firmware patches to roll out to the general public, which they said would not affect performance at all.

Ryan Lei

Sources:

https://thehackernews.com/2018/03/amd-processor-hacking.html

https://www.theinquirer.net/inquirer/news/3028922/amd-says-security-flaws-do-exist-in-ryzen-and-epyc-cpus-but-updates-are-incoming

Social Networks are not Designed for Privacy

This might seem a tad common sense, but it seems that many people are upset over how Facebook has been mishandling data as of late. Specifically how much of the information on the site is not well protected by “privacy” settings.

Basically, Aleksandr Kogan, a UK citizen, used a Facebook personality test app to harvest information of Facebook profiles. Notably it could harvest data of the friends of people that took the personality test. Kogan would then go on to send all of this data to Cambridge Analytica. It’s not clear how this information was used, but with the many political organizations that pay for Cambridge Analytica’s services, many people have found this revelation to be disturbing.

Now, there will no doubt be a long period of finger pointing and upset users for the rest of the week. WhatsApp co-founder Brian Acton has suggested that people delete their Facebook account with the trending hashtag “#DeleteFacebook”. Mark Zuckerberg is expected to break silence on this matter soon; so far Facebook’s response has been to say that Dr. Kogan violated site policy. This is also not Facebook’s first incident of their platform getting inadvertently involved in politics. In the last year incidents with Russian-run campaign ads during the US election, and incidents with “fake news” have caused much turmoil for the company’s public opinion.

I personally think that this whole situation begs a new question. Should we honestly be surprised that information that we put on social media is actually not private? Facebook’s business model relies on gathering user data and using it for advertising. Beyond mischievous motives, the service exists to allow users to share data with other users. With that in mind, you have to realise that you not only trust Facebook to enforce your privacy settings, but every single person on your friends list. Each one of your friends has to keep their account secure, whether it be from intrusion or just a malicious app such as this personality test from Aleksandr Kogan. It’s unrealistic, honestly; making user data harder to access hampers the social part of a social network, and as it is, there are plenty of vectors for someone to harvest “private” information. Hopefully with each one of these large events people can learn the value of their own personal information, and maybe show restraint towards what they share online. People can’t expect the facade of account visibility to keep their information truly private; it can only delay the inevitable breach.

https://www.theguardian.com/news/2018/mar/18/what-is-cambridge-analytica-firm-at-centre-of-facebook-data-breach
https://www.washingtonpost.com/opinions/i-worked-at-facebook-i-know-how-cambridge-analytica-could-have-happened/2018/03/20/edc7ef8a-2bc4-11e8-8ad6-fbc50284fce8_story.html?utm_term=.622969e33044