Search the Community

Showing results for tags 'data'.

Found 117 results
  1. (Reuters) - Amazon.com Inc has a promotion for U.S. shoppers on Prime Day, the 48-hour marketing blitz that started Monday: Earn $10 of credit if you let Amazon track the websites you visit.

     The deal is for new installations of the Amazon Assistant, a comparison-shopping tool that customers can add to their web browsers. It fetches Amazon’s price for products that users see on Walmart.com, Target.com and elsewhere. In order to work, the assistant needs access to users’ web activity, including the links and some page content they view.

     The catch, as Amazon explains in the fine print, is the company can use this data to improve its general marketing, products and services, unrelated to the shopping assistant. The terms underscore the power consumers routinely give to Amazon and other big technology companies when using their free services. In this case, Amazon gains potential insight into how it should tailor marketing and how it could stamp out the retail competition.

     “This data is often used for training machine learning models to do better ad targeting,” said Bennett Cyphers, a technologist at the nonprofit Electronic Frontier Foundation. “But in the U.S., there aren’t really restrictions on what you can do with this kind of data.”

     Amazon already has more than 7 million customers using its assistant via Google Chrome and Mozilla Firefox, according to data published by those web browsers. Other companies offer similar shopping tools. While another technology known as tracking pixels shows Amazon information from visitors to roughly 15 percent of the top 10,000 websites, the assistant lets Amazon follow a smaller set of users from page to page, Cyphers said. Amazon’s combination of tools still pales in comparison to data collection by Alphabet Inc’s Google, which has tracking pixels on most web pages.

     Amazon did not discuss how it uses the data it gathers via the assistant for any unrelated purposes, but a job listing for an affiliated team known as Browser Integration Technologies says the group’s influence “spans across advertising and marketing, pricing and selection.”

     “Customer trust is paramount to Amazon, and we take customer privacy very seriously,” a company spokeswoman said, noting compliance with the assistant’s privacy policy, which says data collection is for websites that users visit “where we may have relevant product or service recommendations.” The policy also notes that customers can disable certain features of the assistant, and that Amazon only links browsing data to an individual’s account when the assistant is in active use.

     U.S. lawmakers have recently increased their scrutiny of Silicon Valley’s data collection practices. A bill introduced in the Senate last month proposed requiring that big platforms disclose what information they gather from users and how much that is worth.

     Source
  2. PARIS (Reuters) - Facebook has agreed to hand over the identification data of French users suspected of hate speech on its platform to judges, France’s minister for digital affairs Cedric O said on Tuesday, adding the deal was a world first.

     The move by the world’s biggest social media network comes after successive meetings between Facebook’s founder Mark Zuckerberg and French President Emmanuel Macron, who wants to take a leading role globally on the regulation of hate speech and the spread of false information online.

     So far, Facebook has cooperated with French justice on matters related to terrorist attacks and violent acts by transferring the IP addresses and other identification data of suspected individuals to French judges who formally demanded it. Following a meeting between Nick Clegg, Facebook’s head of global affairs, and O last week, the social media company has extended this cooperation to hate speech.

     “This is huge news, it means that the judicial process will be able to run normally,” O, a former top adviser to Macron, told Reuters in an interview. “It’s really very important, they’re only doing it for France.”

     O, who said he had been in close contact with Clegg over the last few days on the issue, said Facebook’s decision was the result of an ongoing conversation between the internet giant and the French administration. Facebook declined to comment.

     The discussions started off with a Zuckerberg-Macron meeting last year, followed by a report on tech regulation last month that Facebook’s founder considered could be a blueprint for wider EU regulation. Facebook had refrained from handing over identification data of people suspected of hate speech because it was not compelled to do so under U.S.-French legal conventions and because it was worried countries without an independent judiciary could abuse it.

     France’s parliament, where Macron’s ruling party has a comfortable majority, is debating legislation that would give the new regulator the power to fine tech companies up to 4% of their global revenue if they don’t do enough to remove hateful content from their network.

     Source
  3. BEIJING/HANGZHOU, China (Reuters) - In China, the sales maxim of ‘know your customer’ is being taken to new lengths.

     One of the first firms to join an Alibaba Group Holding Ltd program that provides years of consumer shopping history, snack food chain Bestore Co Ltd plans to link facial recognition technology with the e-commerce giant’s account data by the year’s end. For customers opting to have their facial data in Bestore’s systems, that means shop assistants will be able to check on what food they like the moment they enter one of its stores.

     Bestore, which already offers customers the option of paying with Alibaba’s face scanning tablets, has also started using Alibaba’s other services for more successful marketing. It can now arrange for a person who likes salty food, owns an SUV and probably has a family to receive an ad suggesting suitable Bestore snacks for a Spring holiday road trip, Huang Xiao, Bestore’s head of e-commerce, told Reuters.

     “With the partnership, our strategies are more focused, sales behaviors are more targeted and resources are better allocated,” Huang said.

     The Alibaba program, called A100 and which counts Nestle SA and Procter & Gamble Co as clients, is part of a major push by e-commerce giants in China to retool their relationship with merchants - offering them a trove of shopper data in return for broader and closer partnerships. The shift is integral to what Chinese e-commerce firms call ‘new retail’ or ‘boundary-less retail’ - the marrying of data available from internet shopping and gathered through brick-and-mortar stores to provide highly personalized services. It has been enabled by the widespread use of payments by smartphone, the rise of facial recognition technology and Chinese consumer tolerance of data-sharing between businesses.

     Other services Alibaba offers to retail clients include shopper movement ‘heat maps’ to help stores better design the layout of products, as well as its chat app Dingtalk to communicate within their own companies and with customers.

     SEEKING MORE DATA

     Keeping merchants happy and signing them up for more services has taken on added urgency for Alibaba and rival JD.com. Both are seeking to diversify amid slowing e-commerce revenue growth at home - due in part to saturated markets in China’s biggest cities, flagging consumer confidence from the U.S.-China trade war and increased competition from rivals such as newly listed Pinduoduo Inc.

     “For Alibaba and JD.com this is critical for their overall ecosystem because they have pretty much already exhausted the online growth,” said Beijing-based Jason Ding, partner at consulting firm Bain & Company. By providing data-driven tools to retail stores, e-commerce firms can expand the amount of data collected. “It’s not just about money, it’s about continuing to grow, and hopefully they will find a way to monetize that,” he said.

     JD.com, which provides similar services to Alibaba, says it helped U.S. diaper brand “Huggies” work out why Chinese competitors were rising in popularity, prompting Huggies to change to a material that is more absorbent and comfortable when wet. That contributed to a 60% rise in Huggies sales on JD.com in 2018, the Chinese firm said. A spokesman for Kimberly Clark, which owns the Huggies brand, declined to comment on the details of its partnership with JD.com.

     After a trial run of a new product, JD.com said it creates a ‘profile’ of a potential buyer based on early sales that is cross-checked with its entire userbase, before targeted ads are sent to close matches. Other tools JD.com offers to retail clients include a customer service chatbot powered by artificial intelligence that can “sense” the mood of customers, and adjust its tone to appear more empathetic. It has also rolled out checkouts in some Hong Kong convenience stores that can scan several items at once and charge customers using their ID-linked accounts, which it says cuts the average checkout time by 30%.

     FREE FOR NOW

     Both JD.com and Alibaba executives say they are not charging companies for most data services at the moment, noting the new partnerships facilitate sales of other services such as cloud computing and logistics.

     Nestle, which sells Häagen-Dazs and Nespresso through third-party retail locations in China, says it now has one warehouse instead of four after tapping into data at Alibaba distribution centers which give real-time updates on orders. “You don’t have to carry huge inventory in your warehouse,” said Rashid Qureshi, chief executive of Nestle’s Greater China business, adding it’s the first time Nestle has integrated an e-commerce firm’s data into its own systems.

     Where previously Bestore and Nestle would have dealt with different parts of the Alibaba empire for delivery, payments, cloud computing and messaging, they now work with one Alibaba team dedicated to their company which organizes a range of tailored services. “It’s a change that subverts the way our entire company has operated,” Alibaba’s Jet Jing told Reuters in an interview. Jing, formerly president of Alibaba’s retail site Tmall, has since become assistant to CEO Daniel Zhang.

     Alibaba has not disclosed how many companies are currently participating in its A100 program, but some analysts say for now only big firms will be able to benefit as smaller firms do not have the funds to justify major organizational changes.

     One risk for retailers, however, is that they may become overly dependent on their e-commerce partners. The Chinese market remains tough for brands to crack independently and Alibaba and JD.com represent the two biggest online retail channels into the country. In the face of such tough competition, Amazon.com Inc said in April it is shutting its China online store.

     “It’s a must for the brands to be involved,” says Bain & Company’s Ding. “But everyone would like to have a balance and not put their eggs in one basket.”

     More broadly, questions remain over how big e-commerce firms manage their data in a way that is fair to all parties using their services. EU regulators in September launched a preliminary antitrust investigation into Amazon over concerns it is collecting similar data from brands that it might use to boost competing products of its own. Alibaba and JD.com do not produce their own products but both have made significant investments in retail stores including experimental grocery and convenience store formats.

     Source
  4. Data including a purported list of clients was reportedly stolen from the leading antivirus maker Symantec in a breach the company has downplayed as having no ramifications.

     The Guardian reported on the incident Thursday, saying the stolen data included passwords and Symantec account numbers. The list of ostensible clients included the Australian federal police, major banks, universities, and retailers, among others, that paper said.

     According to Symantec, though, the data is largely phony. The company said the incident was contained to a test environment it used for demonstration purposes. According to the Guardian, Symantec described the data as “low-level and non-sensitive” and the email accounts involved as “dummy e-mails.” A Symantec spokesperson told the paper that the client list itself was also fake and that the entities “are not necessarily Symantec customers.” The Guardian did confirm that some of them, including Australia’s Department of Social Services, are users of Symantec’s products. Another government agency listed among the stolen files, however, hasn’t existed in six years.

     The use of such “dummy data” is not uncommon, and it affords companies the ability to relax security protocols while testing new products. Developers on a project may not all work in the same building or even on the same continent. Using fake customer information allows them to share access to their work more quickly without fear of leaking sensitive data.

     Companies that use real customer data for testing often suffer for it. The anonymous workplace app Blind, for instance, temporarily exposed sensitive information last year after it transferred a portion of its customers’ data to a test environment. The data was not immediately encrypted or deleted, as was protocol. A data-breach hunter quickly discovered the data online and shared news of it with a reporter. Last year, the weight-loss company Weight Watchers also left a test environment accessible online. The company claimed that no personally identifiable information had been exposed, though the security team that discovered it remained skeptical.

     Symantec was among a list of three major antivirus companies that a hacking group claimed to have penetrated last month, as Gizmodo first reported. The hackers, known collectively as Fxmsp, were attempting to sell the stolen data on the black market for $300,000. “There is no indication that Symantec has been impacted by this incident,” the company said at the time.

     AdvIntel, the cybersecurity firm that had been tracking Fxmsp’s activities, told Gizmodo on Thursday that there didn’t appear to be a connection between the two incidents. “It doesn’t seem that this is related to our guys,” they said.

     Source
  5. Academics detail new Rowhammer attack named RAMBleed.

     A team of academics from the US, Austria, and Australia has published new research today detailing yet another variation of the Rowhammer attack. The novelty in this new Rowhammer variety -- which the research team has named RAMBleed -- is that it can be used to steal information from a targeted device, as opposed to altering existing data or elevating an attacker's privileges, as all previous Rowhammer attacks have done in the past.

     What is Rowhammer?

     For readers unfamiliar with the term "Rowhammer," this is the name of a class of exploits that takes advantage of a hardware design flaw in modern memory cards (also known as RAM). By default, a memory card stores data inside storage cells, which are arranged on the RAM's actual silicon chip in rows, in the form of a grid. Back in 2014, academics found that by reading data stored on one row repeatedly, over and over again, they could create an electrical charge that would alter data stored in nearby memory rows. By coordinating these repeated read operations, in an operation named row hammering, they could either cause data corruption or manipulate data in malicious ways.

     Throughout the years, academics greatly expanded the methods and exploitation scenarios of the original Rowhammer research, taking a crazy experiment and showing how the technique could be used in the real world:

     • They showed how a Rowhammer attack could alter data stored on DDR3 and DDR4 memory cards alike
     • They showed how a Rowhammer attack could be carried out via JavaScript, via the web, and not necessarily by having access to a PC, physically, or via local malware
     • They demoed a Rowhammer attack that took over Windows computers via the Microsoft Edge browser
     • They demoed a Rowhammer attack that took over Linux-based virtual machines installed in cloud hosting environments
     • They used a Rowhammer attack to get root permissions on an Android smartphone
     • They bypassed Rowhammer protections put in place after the disclosure of the first attacks
     • They showed how an attacker could improve the efficiency of a Rowhammer attack by relying on local GPU cards
     • They developed a technique to launch Rowhammer attacks via network packets
     • They developed a Rowhammer attack that targets an Android memory subsystem called ION, and which broke the isolation between the OS and local apps, allowing data theft and total device control
     • They developed a Rowhammer attack named ECCploit that works even against modern RAM cards that use error-correcting code (ECC)

     New RAMBleed attack

     But in a research paper published today, academics unveiled RAMBleed, the first Rowhammer attack that can actively deduce and steal data from a RAM card. To do this, researchers had to come up with and combine different techniques, which, when assembled, would permit a RAMBleed attack to take place. This included:

     • Researchers found a way to abuse the Linux buddy allocator to allocate a large block of consecutive physical memory on which they could orchestrate their attack.
     • Researchers designed a new mechanism, which they called "Frame Feng Shui," for placing victim program pages at a desired location in physical memory.
     • Researchers developed a new method of arranging data in memory and hammering memory rows to infer what data is located in nearby memory cells, rather than just produce a bit flip from 0 to 1, and vice versa.

     As shown in the researchers' diagram, a RAMBleed attack happens when the attacker hammers rows A0 and A2 and reads the bit flips (modifications) on row A1, near the "secret" blocks, in the "sampling area." The idea is that by carefully arranging data inside RAM in a format the attacker wants and knows, the attacker can read bit flips in an area adjacent to the "secret" data it wants to steal.

     By combining these novel techniques, researchers said they were able to steal an RSA key from an OpenSSH server in a demo Linux environment.

     ECC doesn't stop RAMBleed attacks

     Furthermore, modern RAM cards that use ECC protections don't stop RAMBleed attacks. ECC memory, which works by reversing rogue Rowhammer-induced bit flips back to their original states, does not protect data integrity, but merely corrects it.

     "RAMBleed does not necessarily require the attacker to read the bit to determine if it has flipped. Instead, all the attacker requires for mounting RAMBleed is an indication that a bit in the sampling page has flipped (and subsequently corrected)," academics said. "[T]he synchronous nature of the ECC correction algorithm typically exposes such information through a timing channel, where memory accesses that require error correction are measurably slower than normal accesses."

     This allows academics/attackers to know what memory bits have been corrected, and deduce the value they've been corrected from/to -- making the RAMBleed attack possible.

     The academic team said it notified Intel, AMD, OpenSSH, Microsoft, Apple, and Red Hat about their findings. More details about the RAMBleed attack -- tracked as CVE-2019-0174 -- are available in a research paper entitled "RAMBleed: Reading Bits in Memory Without Accessing Them."

     Source
  6. Facebook shut down its Research and Onavo programs after TechCrunch exposed how the company paid teenagers for root access to their phones to gain market data on competitors. Now Facebook is relaunching its paid market research program, but this time with principles — namely transparency, fair compensation and safety. The goal? To find out which other competing apps and features Facebook should buy, copy or ignore.

     Today Facebook releases its “Study from Facebook” app for Android only. Some adults 18+ in the U.S. and India will be recruited by ads on and off Facebook to willingly sign up to let Facebook collect extra data from them in exchange for a monthly payment. They’ll be warned that Facebook will gather which apps are on their phone, how much time they spend using those apps, the app activity names of features they use in other apps, plus their country, device and network type.

     Facebook promises it won’t snoop on user IDs, passwords or any of participants’ content, including photos, videos or messages. It won’t sell participants’ info to third parties, use it to target ads or add it to their account or the behavior profiles the company keeps on each user. Yet while Facebook writes that “transparency” is a major part of “Approaching market research in a responsible way,” it refuses to tell us how much participants will be paid.

     “Study from Facebook” could give the company critical insights for shaping its product roadmap. If it learns everyone is using screensharing social network Squad, maybe it will add its own screensharing feature. If it finds group video chat app Houseparty is on the decline, it might not worry about cloning that functionality. Or if it finds Snapchat’s Discover mobile TV shows are retaining users for a ton of time, it might amp up teen marketing of Facebook Watch. But it also might rile up regulators and politicians who already see it as beating back competition through acquisitions and feature cloning.

     An attempt to be less creepy

     TechCrunch’s investigation from January revealed that Facebook had been quietly operating a research program codenamed Atlas that paid users ages 13 to 35 up to $20 per month in gift cards in exchange for root access to their phone so it could gather all their data for competitive analysis. That included everything the Study app grabs, but also their web browsing activity, and even encrypted information, as the app required users to install a VPN that routed all their data through Facebook. It even had the means to collect private messages and content shared — potentially including data owned by their friends.

     Facebook’s Research app also abused Apple’s enterprise certificate program designed for distributing internal use-only apps to employees without the App Store or Apple’s approval. Facebook originally claimed it obeyed Apple’s rules, but Apple quickly disabled Facebook’s Research app and also shut down its enterprise certificate, temporarily breaking Facebook’s internal test builds of its public apps, as well as the shuttle times and lunch menu apps employees rely on.

     In the aftermath of our investigation, Facebook shut down its Research program. It then also announced in February that it would shut down its Onavo Protect app on Android, which branded itself as a privacy app providing a free VPN instead of paying users while it collected tons of data on them. After giving users until May 9th to find a replacement VPN, Onavo Protect was killed off. This was an embarrassing string of events that stemmed from unprincipled user research. Now Facebook is trying to correct its course and revive its paid data collection program but with more scruples.

     How Study from Facebook works

     Unlike Onavo or Facebook Research, users can’t freely sign up for Study. They have to be recruited through ads Facebook will show on its own app and others to both 18+ Facebook users and non-users in the U.S. and India. That should keep out grifters and make sure the studies stay representative of Facebook’s user base. Eventually, Facebook plans to extend the program to other countries.

     If users click through the ad, they’ll be brought to Facebook’s research operations partner Applause’s website, which clearly identifies Facebook’s involvement, unlike Facebook Research, which hid that fact until users were fully registered. There they’ll be informed how the Study app is opt-in, what data they’ll give up in exchange for what compensation and that they can opt out at any time. They’ll need to confirm their age, have a PayPal account (which is only supposed to be available to users 18 and over) and Facebook will cross-check the age to make sure it matches the person’s Facebook profile, if they have one. They won’t have to sign an NDA like with the Facebook Research program.

     Anyone can download the Study from Facebook app from Google Play, but only those who’ve been approved through Applause will be able to log in and unlock the app. It will again explain what Facebook will collect, and ask for data permissions. The app will send periodic notifications to users reminding them they’re selling their data to Facebook and offering them an opt-out. Study from Facebook will use standard Google-approved APIs and won’t use a VPN, SSL bumping, root access, enterprise certificates or permission profiles you install on your device like the Research program that ruffled feathers.

     Different users will be paid the same amount to their PayPal account, but Facebook wouldn’t say how much it’s dealing out, or even whether it was in the ballpark of cents, dollars or hundreds of dollars per month. That seems like a stern departure from its stated principle of transparency. This matters, because Facebook earns billions in profit per quarter. It has the cash to potentially offer so much to Study participants that it effectively coerces them to give up their data; $10 to $20 per month like it was paying Research participants seems reasonable in the U.S., but that’s enough money in India to make people act against their better judgment.

     The launch shows Facebook’s boldness despite the threat of antitrust regulation focusing on how it has suppressed competition through its acquisitions and copying. Democrat presidential candidates could use Study from Facebook as a talking point, noting how the company’s huge profits earned from its social network domination afford it a way to buy private user data to entrench its lead. At 15 years old, Facebook is at risk of losing touch with what the next generation wants out of their phones. Rather than trying to guess based on their activity on its own app, it’s putting its huge wallet to work so it can pay for an edge on the competition.

     Source
  7. MOSCOW (AP) — Dating app Tinder is now required to provide user data to Russian intelligence agencies, the country’s communications regulator said Monday. The app was included on a new list of online services operating in Russia that are required to provide user data on demand to Russian authorities, including the FSB security agency. Russia adopted a flurry of legislation in recent years tightening control over online activity. Among other things, Internet companies are required to store six months’ worth of user data and be ready to hand them over to authorities. The communications regulator said Monday that Tinder had shared with them information about the company and that it is now on the list of online apps and websites that are expected to cooperate with the FSB. Russian authorities last year issued an order to ban messaging app Telegram after it refused to provide the user data as required by the Russian law. Tinder was not immediately available for comment. Source
  8. DUBLIN (Reuters) - The European Court of Justice (ECJ) will hear a landmark privacy case regarding the transfer of EU citizens’ data to the United States in July, after Facebook’s bid to stop its referral was blocked by Ireland’s Supreme Court on Friday.

     The case, which was initially brought against Facebook by Austrian privacy activist Max Schrems, is the latest to question whether methods used by technology firms to transfer data outside the 28-nation European Union give EU consumers sufficient protection from U.S. surveillance. A ruling by Europe’s top court against the current legal arrangements would have major implications for thousands of companies, which make millions of such transfers every day, including human resources databases, credit card transactions and storage of internet browsing histories.

     The Irish High Court, which heard Schrems’ case against Facebook last year, said there were well-founded concerns about an absence of an effective remedy in U.S. law compatible with EU legal requirements, which prohibit personal data being transferred to a country with inadequate privacy protections. The High Court ordered the case be referred to the ECJ to assess whether the methods used for data transfers - including standard contractual clauses and the so-called Privacy Shield agreement - were legal.

     Facebook took the case to the Supreme Court when the High Court refused its request to appeal the referral, but in a unanimous decision on Friday, the Supreme Court said it would not overturn any aspect of the ruling. The High Court’s original five-page referral asks the ECJ if the Privacy Shield - under which companies certify they comply with EU privacy law when transferring data to the United States - does in fact mean that the United States “ensures an adequate level of protection”.

     Facebook came under scrutiny last year after it emerged the personal information of up to 87 million users, mostly in the United States, may have been improperly shared with political consultancy Cambridge Analytica. More generally, data privacy has been a growing public concern since revelations in 2013 by former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance caused political outrage in Europe.

     The Privacy Shield was hammered out between the EU and the United States after the ECJ struck down its predecessor, Safe Harbour, on the grounds that it did not afford Europeans’ data enough protection from U.S. surveillance. That case was also brought by Schrems via the Irish courts.

     “Facebook likely again invested millions to stop this case from progressing. It is good to see that the Supreme Court has not followed,” Schrems said in a statement.

     Source
  9. Government says hackers breached 30 computers and stole data from 10.

     Hackers have breached the computer systems of a South Korean government agency that oversees weapons and munitions acquisitions for the country's military forces. The hack took place in October 2018. Local press reported this week [1, 2, 3] that hackers breached 30 computers and stole internal documents from at least ten.

     The breached organization is South Korea's Defense Acquisition Program Administration (DAPA), an agency that is part of the Ministry of National Defense. It is believed that the stolen documents contain information about arms procurement for the country's next-generation fighter aircraft, according to a news outlet reporting on the cyber-attack.

     Reports claim that hackers gained access to the server of a security program installed on all government computers. Named "Data Storage Prevention Solution," the app is installed on South Korean government computers to prevent sensitive documents from being downloaded and saved on internet-connected PCs. According to reports, hackers gained admin access to the software's server and used it to siphon documents from connected workstations.

     The country's intelligence agency (NIS, National Intelligence Service) investigated the breach in November and reported its findings to government officials, who disclosed the cyber-attack to the public this week.

     Government officials didn't pin the blame on North Korean hackers, as they usually do, although it wouldn't surprise anyone if they did, as North Korea has often launched cyber-espionage and intelligence collection operations against its southern neighbor. For example, in October 2017, South Korea accused North Korea of hacking and stealing the South's secret joint US war plans, which included detailed plans to attack the North in case diplomatic relations deteriorated to a point where military action was needed.

     Source
  10. The vast majority of televisions available today are "smart" TVs, with internet connections, advertising placement, and streaming services built in. Despite the added functionality, TV prices are lower than ever — especially from companies like TCL and Vizio, which specialize in low-cost, high-tech smart TVs. There's a simple reason that smart TVs are priced so low: Some TV makers collect user data and sell it to third parties. Did you get a 4K, HDR-capable TV this past holiday, perhaps on sale? Millions of Americans did. Massive TVs with razor-thin frames, brilliant image quality, and built-in streaming services are more affordable than ever thanks to companies like Vizio and TCL. If you want a 65-inch 4K smart TV with HDR capability, one can be purchased for below $500 — a price that may seem surprisingly low for such a massive piece of technology, but nonetheless one that's likely to live in your home for years before you upgrade. But that low price comes with a caveat most people probably don't realize: Some manufacturers collect data about users and sell that data to third parties. The data can include the types of shows you watch, which ads you watch, and your approximate location.
Image caption: The Roku TV interface on TCL's smart TVs comes with a prominent ad placement on the home screen.
A recent interview on The Verge's podcast with Vizio's chief technology officer, Bill Baxter, did a great job illuminating how this works. "This is a cutthroat industry," Baxter said. "It's a 6% margin industry. The greater strategy is I really don't need to make money off of the TV. I need to cover my cost." More specifically, companies like Vizio don't need to make money from every TV they sell. Smart TVs can be sold at or near cost to consumers because Vizio is able to monetize those TVs through data collection, advertising, and selling direct-to-consumer entertainment (movies, etc.). Or, as Baxter put it: "It's not just about data collection. It's about post-purchase monetization of the TV." And there are a few ways to monetize those TVs after the initial purchase.
Image caption: On TCL's Roku TVs, users can opt out of the full scope of ad tracking. How much you're able to block yourself from data tracking varies by TV manufacturer.
"You sell some movies, you sell some TV shows, you sell some ads, you know," he said. "It's not really that different than the Verge website." It's those additional forms of revenue that help make the large, beautiful smart TVs from companies like Vizio and TCL so affordable. Without that revenue stream, Baxter said, consumers would be paying more up front. "We'd collect a little bit more margin at retail to offset it," he said. The exchange is fascinating and worth listening to in full — check it out right here. Source
  11. Late last year, the U.S. government accidentally revealed that a sealed complaint had been filed against Julian Assange, the founder of WikiLeaks. Shortly before this was made public, the FBI reconfirmed its investigation of WikiLeaks was ongoing, and the Wall Street Journal reported that the Department of Justice was optimistic that it would be able to extradite Assange. Soon after, portions of sealed transcripts leaked that implicate WikiLeaks and Assange in directing hackers to target governments and corporations. The charges against Assange have not been officially revealed, though it’s plausible that the offenses are related to Russian hacking and the DNC emails. The alleged offenses in the complaint notwithstanding, the government has an abundance of data to work with: over a dozen WikiLeaks computers, hard drives, and email accounts, including those of the organization’s current and former editors-in-chief, along with messages exchanged with alleged Russian hackers about DNC emails. Through a series of search warrants, subpoenas, equipment seizures, and cooperating witnesses, the federal government has collected internal WikiLeaks data covering the majority of the organization’s period of operations, from 2009 at least through 2017.
Image caption: The filing that committed a copy and paste error revealing charges against Assange.
In some instances, the seized data has been returned and allegedly destroyed, such as in the case of David House, a technologist and friend of Chelsea Manning when she famously became a source for WikiLeaks. In others, the seized materials include communications between WikiLeaks and their sources. Some of these discussions show WikiLeaks discussing their other sources and specific identifying details about them.
Image caption: A copy of a chat log between Chelsea Manning and a WikiLeaks staff member IDed as Assange by government prosecutors and witnesses.
Other seizures gave authorities a deeper view of the internal workings of WikiLeaks, including one of the earliest known seizures of WikiLeaks-related data, executed on December 14, 2010, when the messages and user information of several WikiLeaks-linked Twitter accounts were ordered. This search-and-seizure order included direct messages associated with WikiLeaks and its founder, former Army private first class and WikiLeaks source Chelsea Manning, WikiLeaks editor Rop Gongrijp, former WikiLeaks associate Jacob Appelbaum, and former WikiLeaks associate and Icelandic MP Birgitta Jonsdottir, between November 1, 2009, and the order’s execution.
Image caption: A court order for information relating to people associated with WikiLeaks.
On January 4, 2011, a sealed order filed in the Eastern District of Virginia requested all emails, address book, subscriber information, and other account information associated with Appelbaum’s email address [email protected], and another order would target his internet traffic. Appelbaum was a friend and confidant of Assange as well as a WikiLeaks volunteer. In 2010, Appelbaum was known as “the American WikiLeaks hacker,” and he was, at that time, referred to as WikiLeaks’ only known American member. In a private chat in 2015, WikiLeaks described Appelbaum as being “sort of” part of the group, though following multiple accusations of sexual abuse, the group publicly distanced itself from him. The emails obtained by the government extended from November 2010 at least through January 2011. The timing of the government’s acknowledgment of the order, along with other similar orders, suggests that the monitoring of the account may have continued through late 2014, when it and several orders were made public.
Image caption: A copy of a court order for information relating to Jacob Appelbaum, a hacker who worked with WikiLeaks (now credibly accused of multiple sexual assaults).
Publicly released and leaked documents from Assange and his legal team allege that several laptops and hard drives belonging to the organization were intercepted by an intelligence agency during this time period. According to an affidavit from Assange, “three laptops ... assorted electronics [and] additional encrypted hard drives” were taken along with his suitcase in late September 2010. Assange’s legal team produced several additional affidavits and supporting documents detailing the existence and disappearance of the suitcase. The suitcase contained at least five hard drives, all of which were encrypted, according to Assange. However, the government has had eight years to guess or recover the passwords or break the encryption on the hard drives. Several other drives, numerous emails, and at least one cooperating witness may have aided in the process.
Image caption: Affidavit from Julian Assange.
In mid-2011, the FBI had developed a major source who would become at least their second informant with an eye into WikiLeaks’ operations. Soon after the arrest and cooperation of Hector Xavier Monsegur, a.k.a. Sabu, his hacking group (LulzSec) made contact with WikiLeaks. Sabu and LulzSec would become some of WikiLeaks’ most significant sources. The Syria files and Global Intelligence files LulzSec provided WikiLeaks increased their number of publications tenfold and still account for roughly half of their total number of publications. Communications between Sabu and WikiLeaks were monitored by the FBI. And some of the group’s communications with others were later seized in their arrest or turned over by Sigurdur Thordarson, a WikiLeaks volunteer who became an informant for the FBI that August.
Image caption: A section from the sentencing document for “Sabu.” It was later ID’d by WikiLeaks as about them.
In addition to briefing the FBI in a series of meetings, Thordarson reportedly provided them with thousands of pages of WikiLeaks chat logs.
Further, in March 2012, Thordarson allegedly provided the FBI with eight WikiLeaks hard drives containing up to 1020GB of data, according to a purported FBI document. Officials have not confirmed the authenticity of the document, though the amount of data provided is corroborated by additional sources. In an interview with Ars Technica, Thordarson claimed that Icelandic authorities had seized an additional 2 TB of WikiLeaks-related data from him, which he assumed was then shared with the U.S. American and Icelandic authorities had previously cooperated on Thordarson’s case and portions of the WikiLeaks investigation. According to leaked letters from WikiLeaks’ legal team, at least some of the hard drives had belonged to Assange. Thordarson’s debriefings and the hard drives of up to 3 TB of data may have contained the decryption keys or passwords needed to decrypt the hard drives Assange alleged had been seized earlier.
Image caption: A receipt given to Sigurdur Thordarson from the FBI for WikiLeaks hard drives.
There are several hints as to the contents of these drives. According to the affidavit from Assange, the information on the hard drives included, in addition to the possible staff emails, “chat communications ... copies of passports [and] video footage taken in secret.” Following an Associated Press article based on a cache of “WikiLeaks emails, chat logs, financial records, secretly recorded footage and other documents” from within the organization, WikiLeaks alleged that the cache was the same that had been provided to the FBI. In October 2011, amidst Thordarson and Sabu’s tenure as cooperating witnesses, American authorities issued a search warrant for the contents of WikiLeaks volunteer Herbert Snorrason’s Gmail account. The warrant requested all of the account’s information, “including stored or preserved copies of e-mails sent to and from the account, draft e-mails, deleted e-mails, emails preserved pursuant to a request made under 18 U.S.C. 
§ 2703(f), the source and destination addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail.” The volunteer had helped WikiLeaks with a minor technical issue. After learning that his account’s contents had been seized by the U.S. government, Snorrason told Mother Jones that he thought “pretty much everyone with both a Google account and a WikiLeaks connection will be getting one of those notices eventually.” Snorrason was correct in that other WikiLeaks-associated Google accounts had their information seized by the government. Six months after the order for Snorrason’s emails was issued, a trio of search orders were issued for the email accounts of senior WikiLeaks personnel. On April 5, 2012, sealed warrants were executed for the Google accounts of WikiLeaks editors Sarah Harrison and Joseph Farrell, as well as then-spokesman and future editor-in-chief Kristinn Hrafnsson, on suspicion of espionage and violating the Computer Fraud and Abuse Act, as well as conspiracy and theft of government property. The warrants appear to have covered the entirety of the accounts and were disclosed by Google at the close of 2014.
Image caption: A court order for information relating to Kristinn Hrafnsson, current editor in chief of WikiLeaks, on suspicion of charges including but not limited to espionage.
In late October 2017, a new government request was issued for portions of WikiLeaks’ communications. A letter from Sen. Diane Feinstein requested that Twitter provide copies of all direct messages that were over 180 days old to or from the accounts belonging to WikiLeaks, the WikiLeaks Task Force, “Guccifer 2.0,” Assange, and Margaret Ratner Kunstler. As written, the request would include some of my communications with WikiLeaks and “Guccifer 2.0.” Ultimately, at least some messages between WikiLeaks and “Guccifer 2.0” were obtained by the U.S. 
government, although the method of communication for those messages remains unconfirmed. According to what’s informally known as “the GRU indictment,” WikiLeaks sent Guccifer 2.0 a message on June 22, 2016. The message instructed Guccifer 2.0, a persona the U.S. government believes was used by Russian operatives, to send new material to them so it would “have a much higher impact.” On approximately July 6, the organization sent another message encouraging Guccifer 2.0 to send “anything [H]illary related” in time for the Democratic National Convention, which WikiLeaks thought Clinton would use to solidify support. The quoted portion of the exchange ends with WikiLeaks saying they thought conflict between Sen. Bernie Sanders and Clinton would be “interesting.” These exchanges, about maximizing impact and damage, are relevant to one of the theories of Assange’s potential prosecution outlined by noted national security journalist Marcy Wheeler.
Image caption: An excerpt from a Mueller indictment.
If the charges against Assange are related to Russian hacking and the Democratic National Committee email leak, this exchange could be one of the most likely pieces of evidence to be directly relevant to the initial charges against him. 
However, the entirety of the government’s evidence, including materials seized from alleged Vault 7 leaker Joshua Schulte and the alleged recordings of him transferring additional files about the organization to WikiLeaks, may be used to help make the case. Past statements and communications may be used to help establish a modus operandi, a pattern or an intent. As noted by the AP, some of the materials may point to the early beginnings of Assange’s reported relationship with Russia. Leaked copies of sealed files, statements by people familiar with the grand juries, and documents released through FOIA by independent journalist Alexa O’Brien—who also identified a number of sealed search orders—all indicate that the investigations converged and pooled evidence at times. The government’s information could be further augmented by recent surveillance of Assange in the Ecuadorian Embassy, where he has lived under asylum since 2012, the fruits of which have reportedly been shared with the United States. Regardless of what the charges against Assange are, the government has terabytes of data with which to try to make its case, data that’s come from WikiLeaks supporters, sources, key personnel, and Assange himself. The full depth of the government’s sources, however, has yet to be revealed. Emma Best is a national security reporter and transparency activist. She has published millions of pages of government documents and is a member of the leak collective Distributed Denial of Secrets (DDoSecrets). Source
  12. Marketing firm parts with massive trove of customer data The last time an Apollo effort went this badly, Tom Hanks made a movie about it. Marketing intelligence (read: data broker) startup Apollo fessed up to being the victim of a massive theft that saw it reveal something in the neighborhood of nine billion points of data and contact information of 212 million people. As per usual, the massive trove was discovered online in a misconfigured database that had mistakenly been set to be accessible by anyone. Those "data points" include things like addresses and contact information, as well as contacts and connections on services like LinkedIn. Not particularly sensitive information, but a fairly valuable cache of data for marketers or, in the worst case, potential attackers looking to build spear-phishing emails. Source
  13. Hacker was selling 141.5GB of data from Huazhu Hotels Group. He also attempted to blackmail the hotel chain to pay for its own data. Huazhu Hotels Group Ltd, a China-based hotel chain, announced this week that Shanghai police arrested the hacker who was selling data on millions of its customers online, on the dark web. The arrest was announced on Monday, September 17, by the hotel group in an investors message, and confirmed two days later by Shanghai police for Chinese media. Police did not release the man's name, but according to local reports, the hacker is a 30-year-old man named Liu. Investigators did not reveal any other details about the investigation, but according to previous reports, it appears that Liu may have gotten hold of the hotel chain's data when a developer accidentally uploaded part of its database on GitHub. The hacker put the Huazhu data up for sale on a dark web hacking forum in mid-August, asking for 8 Bitcoin, which was worth around $56,000 at the time. The data was sold in three file packages, for a total of 141.5GB. The data trove contained over 500 million records, comprising 240 million pieces of content related to hotel stays such as name, credit card details, and mobile number; 123 million pieces of registration data recorded on the group's official website such as userID and login pin; and 130 million pieces of check-in data, including birthday and home address.
Image caption: China hotel data sold on the dark web
The Huazhu Hotels Group is one of China's largest hotel chains, operating 5,162 hotels across 13 hotel brands in 1,119 Chinese cities. The data sold online was advertised to have originated from customers who stayed at Huazhu's hotel brands, such as Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, and Haiyou. The hotel chain filed a police complaint on the same day news of the hack broke in Chinese media -- August 28. 
In its message to investors, the hotel chain said Liu was unsuccessful in selling the stolen data. They also said the hacker attempted to blackmail the hotel into paying for its own data by leveraging public pressure surrounding the public disclosure of the hack. "To comply with laws and police protocols, the Company cannot disclose additional information on the case at this time," a Huazhu spokesperson said. Source
  14. LC Technology International, Inc. is a global leader in data recovery, photo recovery, data recovery services , and SD card/flash media data recovery. Our mission is designed to help our clients resolve catastrophic problems. LC Technology International maintains the highest quality standards with award winning customer service and support as noted by the many awards and articles in the media. We have developed outstanding products that recover data and files in the event of data loss or hard drive failure. Home: https://www.lc-tech.com PHOTORECOVERY PRO 2018 5.1.7.0 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/0DP5OEJE/PHOTORECOVERY_PRO_2018_5.1.7.0_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links Solid State Doctor 3.1.4.2 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/1GD0HMM6/Solid_State_Doctor_3.1.4.2_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links FILERECOVERY Enterprise 5.5.9.8 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/LQDLYW4N/FILERECOVERY_Enterprise_5.5.9.8_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links Digital Media Doctor PRO 3.1.5.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/IOETLXR3/Digital_Media_Doctor_PRO_3.1.5.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links RescuePRO Deluxe for SSD 6.0.2.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/1CAOSRHH/RescuePRO_Deluxe_for_SSD_6.0.2.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links RescuePRO Deluxe 6.0.2.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/FBYIUNN2/RescuePRO_Deluxe_6.0.2.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links Versions Commercial RescuePRO Deluxe Commercial 6.0.2.3 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: 
/files/2D23APRM/RescuePRO_Deluxe_Commercial_6.0.2.3_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links FILERECOVERY Enterprise Commercial 5.5.9.8 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/16T2EYXQ/FILERECOVERY_Enterprise_Commercial_5.5.9.8_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links PHOTORECOVERY PRO 2018 Commercial 5.1.7.0 AIO Keygen by Lord Blix-TSZ Repack JCVO Site: https://www.mirrorcreator.com Sharecode[?]: /files/3OTC3KZQ/PHOTORECOVERY_PRO_2018_Commercial_5.1.7.0_AIO_Keygen_by_Lord_Blix-TSZ_Repack_JCVO.zip_links Original installers with the keygen integrated. Note: they are tested and work. At the end of the installation, 2 options will be marked; please do not tick them to open and run the program and the keygen that can register it. Remember, it is a false positive.
  15. Second worst stingray in history (RIP Steve Irwin) Someone may have spied on smartphones in or near the White House using a fake cellphone tower – and miscreants are said to have abused SS7 weaknesses to swipe US citizens' private information, it emerged this week. On Friday, Senator Ron Wyden (D-OR) revealed a letter he received from the US government's Department of Homeland Security earlier this month that suggested someone deployed a Stingray-like IMSI-capturing device to track and snoop on phones near the White House in Washington DC. This equipment works by pretending to be a real cellphone mast, connecting to passing handhelds to collect their owners' unique subscriber ID numbers, and potentially snooping on their chatter. Specifically, Homeland Security officials said they had detected activity that "appeared consistent" with Stingray devices within the capital region "including locations in proximity to potentially sensitive facilities like the White House." The DHS tempered that claim, though, by noting that it could not attribute the IMSI spying to any specific group, and that some of the transmissions turned out to be signals sent from legitimate cellphone towers. "The news of a possible foreign stingray near the White House is of particular concern given reports that the President isn’t even using a secure phone to protect his calls," Wyden said. "The cavalier attitude toward our national security appears to be coming from the top down." Separately, Wyden said he had been told by a big-name mobile network that malicious attackers are believed to have used SS7 – the 40-year-old protocol that glues cellular networks together – to obtain customer data. The Homeland Security letter indeed said it had received reports of "nefarious" types leveraging SS7 to spy on American citizens by targeting their calls, text messages, and other information. SS7 is typically abused by criminals hacking into phone networks, or rogue insiders, to swipe private info. 
State-owned carriers can also exploit SS7 on behalf of government snoops, or networks can be compelled by administrations to use the protocol to surveil targets. In any case, SS7 is a system that can be exploited by a phone network in one country to screw around with people using a network in another country, or within the same nation, and intercept calls and messages. Wyden released Uncle Sam's letter as part of his push to get America's comms watchdog the FCC, and US telcos, to conduct a more thorough investigation and report on the use of both SS7 exploits and Stingray devices within their networks. Not a useful Ajit Earlier this week, Wyden sent FCC boss Ajit Pai a letter calling for a probe, and blasted the chairman for seemingly refusing to do anything about security holes present in mobile networks. "One year ago I urged you to address serious cybersecurity vulnerabilities in US telephone networks," Wyden's letter [PDF] reads. "To date, your Federal Communications Commission has done nothing but sit on its hands, leaving every American with a mobile phone at risk." The senator added: "This threat is not merely hypothetical – malicious attackers are already exploiting SS7 vulnerabilities. One of the major wireless carriers informed my office that it reported an SS7 breach, in which customer data was accessed, to law enforcement." Wyden thus demanded to know what the regulator did in response to multiple reports of SS7 attacks. Source
  16. Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who’ve been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications. Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects — and perhaps given the ability to create public accounts on otherwise private groups — a number of organizations with household names are leaking sensitive data in their message lists. Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails. By default, Google Groups are set to private. But Google acknowledges that there have been “a small number of instances where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings.” In early May, KrebsOnSecurity heard from two researchers at Kenna Security who started combing through Google Groups for sensitive data. They found thousands of organizations that seem to be inadvertently leaking internal or customer information. The researchers say they discovered more than 9,600 organizations with public Google Groups settings, and estimate that about one-third of those organizations are currently leaking some form of sensitive email. Those affected include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies. 
In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as “password,” “account,” “hr,” “accounting,” “username” and “http:”. Many organizations seem to have used Google Groups to index customer support emails, which can contain all kinds of personal information — particularly in cases where one employee is emailing another. Here are just a few of their more eyebrow-raising finds:
• Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
• Re: URGENT: Past Due Invoice. Group: Accounts Payable
• Fw: Password Recovery. Group: Support
• GitHub credentials. Group: [REDACTED]
• Sandbox: Finish resetting your Salesforce password. Group: [REDACTED]
• RE: [REDACTED] Suspension Documents. Group: Risk and Fraud Management
Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources. This information could be a potential gold mine for hackers seeking to conduct so-called “spearphishing” attacks that single out specific employees at a targeted organization. Such information also would be useful for criminals who specialize in “business email compromise” (BEC) or “CEO fraud” schemes, in which thieves spoof emails from top executives to folks in finance asking for large sums of money to be wired to a third-party account in another country. “The possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse,” the Kenna Security team wrote. In its own blog post on the topic, Google said organizations using Google Groups should carefully consider whether to change the access to groups from “private” to “public” on the Internet. 
The company stresses that public groups have the marker “shared publicly” right at the top, next to the group name. “If you give your users the ability to create public groups, you can always change the domain-level setting back to private,” Google said. “This will prevent anyone outside of your company from accessing any of your groups, including any groups previously set to public by your users.” If your organization is using Google Groups mailing lists, please take a moment to read Google’s blog post about how to check for oversharing. Also, unless you require some groups to be available to external users, it might be a good idea to turn your domain-level Google Group settings to default “private,” Kenna Security advises. “This will prevent new groups from being shared to anonymous users,” the researchers wrote. “Secondly, check the settings of individual groups to ensure that they’re configured as expected. To determine if external parties have accessed information, Google Groups provides a feature that counts the number of ‘views’ for a specific thread. In almost all sampled cases, this count is currently at zero for affected organizations, indicating that neither malicious nor regular users are utilizing the interface.” Source
  17. In just under a week, on Friday the 25th of May, the new European Union data protection directive, GDPR, comes into effect. One aspect of the GDPR is that citizens now have the right to reach out to companies to get the data that they hold on them. Despite this, actually initiating the process of getting your data can be tedious. To aid with this, My Data Request is now providing “codified” guides to get your data from various online services. My Data Request offers guides for requesting your data from over 100 online services. The list of services includes many of the most popular apps from categories like social media, banking, dating, gaming, and much more. There’s a good chance that most of the services you care most about are listed on the website. Big companies such as Facebook and Google let you download archives of your data, and these pages are linked to in the guides offered by My Data Request. Smaller services, however, don't have dedicated tools and require you to email them. In order to make your life simple, My Data Request has built an email template tool so you can grab your data more quickly. The website builds different email templates depending on your location; the four categories are ‘In the EU’, ‘In California’, ‘Everywhere’, and ‘Other’. While the GDPR legally only applies to people in the EU, companies may give people outside the bloc access to their data too, even if they’re not covered by GDPR. More details < Here >
  18. The agency collected a staggering 534 million domestic phone records last year, up threefold on the year earlier. New figures reveal a sharp increase in the number of searches of Americans' calls and messages by the intelligence community during the Trump administration's first year in office. The figures, published Friday by the Office of the Director of National Intelligence (ODNI), show a rise in targeted surveillance and searches of people's data. It's the latest annual report from the government's chief spy, which has faced calls to be more transparent in the wake of the Edward Snowden disclosures about its surveillance programs. According to the figures, there were 7,512 searches of Americans' calls and messages without a warrant, up by 42 percent on the year prior. The government gets these search powers under the controversial section 702 authority, which allows the National Security Agency (NSA) to gather intelligence on foreigners overseas by collecting data from choke points where fiber optic cables owned by telecom giants enter the US. The powers also authorize the collection of data from internet giants and tech companies. But data collected under section 702 is near indiscriminate, and it also sweeps up large amounts of data on Americans, who are constitutionally protected from warrantless surveillance. The actual number of searches on Americans is likely significantly higher, because the reported figures don't account for searches by other civilian agencies, like the FBI or the Drug Enforcement Administration -- which also don't require a warrant to search the database. "We're almost certainly talking about tens of thousands of Americans being queried by FBI but have no clear info on that or the number of Americans whose data is collected," said Jake Laperruque, senior counsel at the Project On Government Oversight. Congress has long asked the government to reveal how many Americans have their data inadvertently collected by the NSA. 
Both the Obama and Trump administrations refused to disclose how many Americans are caught up in the dragnet. "Overall the numbers show that the scale of warrantless surveillance is growing at a significant rate, but ODNI still won't tell Americans how much it affects them," said Laperruque. It's not the only figure in the report to see a massive increase. The NSA targeted 129,080 foreign individuals or groups, representing a rise of 20 percent in the number of targets on the year earlier. Patrick Toomey, staff attorney at the ACLU's National Security Project, tweeted that the figure was the "biggest jump on record." The report also shows a massive spike in the number of collected phone records last year. The collection of details of who calls whom and when, under the NSA's phone metadata collection programs, was later curtailed when the Freedom Act was ratified in 2015. Last year, a staggering 534 million call detail records were collected, up from 151 million -- more than a three-fold increase on the year earlier. The figures don't represent the number of Americans whose phone records were collected, and likely include duplicates, the report said. The number of orders to collect phone records, however, remained the same as the previous year. Robyn Greene, policy counsel and government affairs lead at New America's Open Technology Institute, said the intelligence community may have changed interpretations of their legal authorities. "The report raises some serious questions if the intelligence community, and the courts may be interpreting their authorities in an overbroad manner to permit too much collection," said Greene. "It's hard to imagine how you get the same number of targets yet over three times as many records collected unless you've reinterpreted what constitutes a call detail record," Greene added. 
The report also showed a similar pattern with national security letters, a subpoena-like power that can compel tech and phone companies to turn over data on grounds of national security. Although the number of letters increased marginally by 5 percent to 12,762 last year, the number of requests for information more than tripled, indicating that the FBI sought more data per letter than in previous years. These letters are particularly controversial because they require no court approval and almost always include a gag order, which prevents the subject of the letter from being informed. In recent years, several companies including Apple, Facebook, Microsoft, Twitter, and Yahoo have fought to have details of the secretive letters publicly revealed. In 2008, a US court found the National Security Letter statute, amended by the Patriot Act in 2001, was unconstitutional. A separate case in 2013 found the gag order provision to be in breach of the First Amendment, though the government appealed the ruling. Source
  19. WhatsApp cofounder Brian Acton expressed outrage at Facebook’s privacy policies last month by tweeting “It is time. #deletefacebook.” But WhatsApp’s Facebook-like group chat features also have design flaws that jeopardize user privacy. Maybe it’s also time to #DeleteWhatsApp. WhatsApp differentiates itself from parent company Facebook by touting its end-to-end encryption. “Some of your most personal moments are shared with WhatsApp,” the company writes on its website, so “your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.” But WhatsApp members may not be aware that when using the app’s Group Chat feature, their data can be harvested by anyone in the group. What is worse, their mobile numbers can be used to identify and target them. WhatsApp groups are designed to enable groups of up to 256 people to join a shared chat without having to go through a central administrator. Group originators can add contacts from their phones or create links enabling anyone to opt in. These groups, which can be found through web searches, discuss topics as diverse as agriculture, politics, pornography, sports, and technology. Not all groups have links, but in those that do, anyone who finds the link can join the group. While all new joining members are announced to the group, they are not required to provide a name or otherwise identify themselves. This design could leave inattentive members open to targeting, as a new report from European researchers shows. The researchers demonstrated that a tech-savvy person can easily obtain treasure troves of data from WhatsApp groups by using nothing more than an old Samsung smartphone running scripts and off-the-shelf applications. This is not a security breach — the app is working exactly as designed. Kiran Garimella, of École Polytechnique Fédérale de Lausanne, in Switzerland, sent me a draft of a paper he coauthored with Gareth Tyson, of Queen Mary University, U.K., titled “WhatsApp, doc? A first look at WhatsApp public group data.” It details how they were able to obtain data from nearly half a million messages exchanged between 45,794 WhatsApp users in 178 public groups over a six-month period, including their mobile numbers and any images, videos, and web links they had shared. The groups had titles such as “funny”, “love vs. life”, “XXX”, “nude”, and “box office movies”, as well as the names of political parties and sports teams. The researchers obtained lists of public WhatsApp groups through web searches and used a browser automation tool to join a few of the roughly 2,000 groups they found — a process requiring little human intervention and easily applicable to a larger set of groups. Their smartphone began to receive large streams of messages, which WhatsApp stored in a local database. The data are encrypted, but the cipher key is stored inside the RAM of the mobile device itself. This allowed the researchers to decrypt the data using a technique developed by Indian researchers L.P. Gudipaty and K.Y. Jhala. Note: The method Garimella and Tyson used only allowed them to access data posted to each of the groups after they’d joined them; they weren’t able to access any earlier data posted in the groups. The researchers’ goal was to determine how WhatsApp could be used for social-science research (they plan to make their dataset and tools publicly available after they anonymize the data). But their paper demonstrates how easily marketers, hackers, and governments can take advantage of the WhatsApp platform — with no contractual restraints and for almost no cost. This can have a much darker side. The New York Times recently published a story on the Chinese Government’s detention of human-rights activist Zhang Guanghong after monitoring a WhatsApp group of Guanghong’s friends, with whom he had shared an article that criticized China’s president. 
The Times speculated that the government had hacked his phone or had a spy in his group chat; but gathering such information is easy for anyone with a group hyperlink or access to a server. Earlier this year, Wired reported that researchers from Ruhr-University Bochum, in Germany, found a series of flaws in encrypted messaging applications that enable anyone who controls a WhatsApp server to “effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.” Gaining access to a computer server requires sophisticated hacking skills or the type of access only governments can gain. But as Wired wrote, “the premise of so-called end-to-end encryption has always been that even a compromised server shouldn’t expose secrets.” Researcher Paul Rösler reportedly said, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them. … If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little.” Facebook and its family of companies are being much too casual about privacy, as we have seen from the Cambridge Analytica revelations, harming freedom and democracy. They need to be held to higher standards. Editor’s note: VentureBeat reached out to WhatsApp regarding the researchers’ findings, but the company did not provide a statement. Vivek Wadhwa is Distinguished Fellow at Carnegie Mellon University Engineering at Silicon Valley and author of The Driver in the Driverless Car: How Our Technology Choices Will Create the Future. Source
  20. Updated at 6:30 p.m. ET Facebook CEO Mark Zuckerberg issued a lengthy post Wednesday on his personal Facebook page promising to protect the data of platform users. He said Facebook will provide users with tools to show who has access to their data and how it is shared. Facebook will also "restrict developers' data access even further to prevent other kinds of abuse." "We have a responsibility to protect your data, and if we can't, then we don't deserve to serve you," he wrote. The post marks the first public comments made by Zuckerberg about the controversy involving Cambridge Analytica's use of personal data posted by Facebook users. Zuckerberg said there was a "breach of trust" involving Cambridge Analytica, Facebook, and a Cambridge University researcher named Aleksandr Kogan, who created an app to collect data that was later shared with Cambridge Analytica. "But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that," he wrote. Zuckerberg said Facebook will restrict third-party developers from accessing data beyond names, profile photos and email addresses. The company will also require developers to sign a contract before asking Facebook users for access to their posts or other private data. Users will also see a tool at the top of their news feeds showing what apps they have used and will have an easy way to revoke the apps' access to their data. Zuckerberg concluded, Sen. Richard Blumenthal, D-Conn., a member of the Senate Judiciary and Commerce Committees, said he was not satisfied with Zuckerberg's statement, calling it "damage control." Blumenthal told NPR's Ailsa Chang on All Things Considered: Source
  21. AccuWeather is still sending precise geolocation data to a third-party advertiser, ZDNet can confirm, despite updating its app earlier this week to remove a feature that collected users' location data without their permission. In case you missed it, AccuWeather was until this week sending the near-precise location of its iPhone app users to Reveal Mobile, a data monetization firm -- even when location sharing was switched off. Security researcher Will Strafach, who first reported the issue, also accused the company of sharing a user's precise GPS coordinates under the guise of providing local weather alerts. The news sparked outrage and anger. AccuWeather responded with a forced apology, which one leading Apple critic, John Gruber, called a "bulls**t response." However, tests conducted by Strafach show that the updated app, released Thursday, still shares precise geolocation data with a data monetization and advertising firm. ZDNet independently verified the findings. We found that AccuWeather was still, with location sharing enabled, sending precise GPS coordinates and altitude, albeit to a different advertiser, without the user's explicit consent. That data can be used to pinpoint a person's location down to a few meters -- even which floor of a building they are on. Article
  22. When it comes to what works and doesn’t work for protecting critical data, nearly one third (32%) of respondents at the recent Black Hat conference said that accessing privileged accounts was the number one choice for the easiest and fastest way to get access to critical data. The survey, carried out by Thycotic, found that was followed closely by 27% indicating access to user email accounts was the easiest path to disclosing sensitive data. Additionally, 85% of respondents blame humans for security breaches, more so than the lack of security or unpatched software. For instance, more than a third (35%) said that remembering and changing passwords is the top source of cybersecurity fatigue. The focus on hacking privileged and email accounts reflects a recognition on the part of hackers that traditional perimeter security is no longer an effective barrier to getting inside networks and gaining access to critical data. Findings from the survey indicate that 73% of hackers believe the traditional security perimeter of firewalls and antivirus is irrelevant or obsolete. In fact, antivirus and anti-malware are considered the “least effective and easiest to get past” security technologies by 43% of the Black Hat survey respondents, followed by firewalls (cited by 30% of Black Hat respondents). “Given that privileged accounts are prime targets for hackers, IT professionals should consider the opinions of the hackers themselves when it comes to protecting privileged accounts,” said Joseph Carson, chief security scientist, Thycotic. “In today’s connected world, organizations can no longer rely only on the traditional cybersecurity perimeter controls.” Hackers also view threat intelligence solutions as one of the least effective security protections, along with reputation feeds and education/awareness; however, multi-factor authentication (38%) and encryption (32%) are their biggest obstacles, according to the survey. 
“Hackers are focusing more on gaining access to privileged accounts and email passwords by exploiting human vulnerabilities allowing the hacker to gain access abusing trusted identities,” noted Carson. “More than ever, it is critical for businesses to mitigate these risks by implementing the right technologies and process to ward off unsuspecting attacks and access to sensitive data.” Article source
  23. Soon after being found to have worm-like spreading capabilities, the TrickBot banking Trojan has expanded its attack surface to target Outlook and Web browsing data. While TrickBot has been an active threat for less than a year, its developers, supposedly the Dyre group, have been actively adding new capabilities to it. Earlier this year, they expanded the target list to hit private banking and payment processors, in addition to CRM providers. Independent researcher and programmer Hasherezade now reveals that the malware authors have added new modules to their creation and might have also added new developers to its team. A newly observed Outlook.dll module, for example, is written in Delphi, unlike most of the components, which are written in C++. The security researcher says that the current run comes with 5 modules: SystemInfo.dll and loader.dll (injectDll32), which have been observed in TrickBot since the very beginning, mailsearcher.dll, added in December 2016, and two modules that haven’t been observed before, namely module.dll and Outlook.dll. According to Hasherezade, module.dll/importDll32 is written in C++ and compiled with Qt5 and OpenSSL. It also incorporates SQLite. The compilation timestamp suggests it was written in May 2017. The module was designed to steal data from the browsers, including Cookies, HTML5 Local Storage, Browsing History, Flash LSO (Local Shared Objects), and URL hits, among other info. The module is bulky and doesn’t hide its intentions. “In contrary to loader.dll/injectDll, which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, we can find inside the binary a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more,” the researcher reveals. 
The module creates a hidden desktop and uses it as a workspace to open and fingerprint browsers in such a way that the user isn’t aware of the malicious activity. Written in Delphi, the Outlook.dll module contains a hardcoded configuration that follows a pattern typical for TrickBot modules. Designed to steal data saved by Microsoft Outlook, the module opens relevant registry keys, then attempts to retrieve saved credentials. “TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, Delphi language for Outlook.dll,” Hasherezade points out. The findings are in line with Flashpoint’s report last week, which revealed that TrickBot’s authors were working on implementing a worm module to abuse the Server Message Block (SMB) protocol to spread locally, but that the logic to randomly scan external IPs for SMB connections wasn’t yet ready. The changes suggest that new members were added to the TrickBot development team, but that some of them are lower quality programmers, or that the team is only experimenting with new capabilities. “TrickBot is still actively maintained and it is not going to leave the landscape any soon,” Hasherezade concludes. Article source
  24. A journalist and a data scientist secured data from three million users easily by creating a fake marketing company, and were able to de-anonymise many users. A judge’s porn preferences and the medication used by a German MP were among the personal data uncovered by two German researchers who acquired the “anonymous” browsing habits of more than three million German citizens. “What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.” Eckert, a journalist, paired up with data scientist Andreas Dewes to acquire personal user data and see what they could glean from it. Presenting their findings at the Def Con hacking conference in Las Vegas, the pair revealed how they secured a database containing 3bn URLs from three million German users, spread over 9m different sites. Some were sparse users, with just a couple of dozen of sites visited in the 30-day period they examined, while others had tens of thousands of data points: the full record of their online lives. Getting hold of the information was actually even easier than buying it. The pair created a fake marketing company, replete with its own website, a LinkedIn page for its chief executive, and even a careers site – which garnered a few applications from other marketers tricked by the company. They piled the site full of “many nice pictures and some marketing buzzwords,” claiming to have developed a machine-learning algorithm which would be able to market more effectively to people, but only if it was trained with a large amount of data. 
“We wrote and called nearly a hundred companies, and asked if we could have the raw data, the clickstream from people’s lives.” It took slightly longer than it should have, Eckert said, but only because they were specifically looking for German web surfers. “We often heard: ‘Browsing data? That’s no problem. But we don’t have it for Germany, we only have it for the US and UK,’” she said. The data they were eventually given came, for free, from a data broker, which was willing to let them test their hypothetical AI advertising platform. And while it was nominally an anonymous set, it was soon easy to de-anonymise many users. Dewes described some methods by which a canny broker can find an individual in the noise, just from a long list of URLs and timestamps. Some make things very easy: for instance, anyone who visits their own analytics page on Twitter ends up with a URL in their browsing record which contains their Twitter username, and is only visible to them. Find that URL, and you’ve linked the anonymous data to an actual person. A similar trick works for German social networking site Xing. For other users, a more probabilistic approach can deanonymise them. For instance, a mere 10 URLs can be enough to uniquely identify someone – just think, for instance, of how few people there are at your company, with your bank, your hobby, your preferred newspaper and your mobile phone provider. By creating “fingerprints” from the data, it’s possible to compare it to other, more public, sources of what URLs people have visited, such as social media accounts, or public YouTube playlists. A similar strategy was used in 2008, Dewes said, to deanonymise a set of ratings published by Netflix to help computer scientists improve its recommendation algorithm: by comparing “anonymous” ratings of films with public profiles on IMDB, researchers were able to unmask Netflix users – including one woman, a closeted lesbian, who went on to sue Netflix for the privacy violation. 
Another discovery through the data collection occurred via Google Translate, which stores the text of every query put through it in the URL. From this, the researchers were able to uncover operational details about a German cybercrime investigation, since the detective involved was translating requests for assistance to foreign police forces. So where did the data come from? It was collated from a number of browser plugins, according to Dewes, with the prime offender being “safe surfing” tool Web of Trust. After Dewes and Eckert published their results, the browser plugin modified its privacy policy to say that it does indeed sell data, while making attempts to keep the information anonymous. “We know this is nearly impossible,” said Dewes. Article source
  25. Data on millions of Dow Jones customers was potentially exposed to unauthorized access on Amazon Cloud due to a configuration error, a spokesman for the publishing and financial information giant confirmed Monday. The spokesman told The Hill that personal data on 2.2 million customers had been over-exposed on Amazon Cloud as a result of an internal error. There is no evidence that malicious actors accessed the information, however. The data included customers’ names, email addresses and some financial details — including the last four digits of some credit cards — though Dow Jones said that neither full account login credentials nor full credit card information was exposed. “This was due to an internal error, not a hack or attack,” the spokesman said. “We have no evidence any of the over-exposed information was taken.” Cybersecurity firm UpGuard discovered the exposure and notified Dow Jones of it in early June. Those affected include subscribers to Dow Jones publications like The Wall Street Journal. UpGuard put the number of affected accounts closer to 4 million. When asked whether the company had notified customers caught up in the data exposure, the Dow Jones spokesman indicated that the information was not sensitive enough to require it. “The customer information included basic contact information; it did not include full credit card or account login information that could pose a significant risk for consumers or require notification,” the spokesman said. However, UpGuard argued in a blog post published Monday that the data “could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past,” such as phishing scams tailored to individual targets. UpGuard also discovered that exposed data was related to the Dow Jones Risk & Compliance databases, which are used primarily by financial organizations to comply with anti-money laundering, anti-bribery and other regulations. 
Dow Jones said that the exposed risk and compliance data included only publicly available information, such as that from news articles, and not customer information. The Amazon Cloud repository was inadvertently configured to allow for “semi-public” access, letting any authenticated user of Amazon Web Services (AWS) download the data, UpGuard said. That included any user who has a free Amazon AWS account. The information on the exposure was passed on to Dow Jones on June 6, and the company’s cybersecurity firm worked to secure the data in less than two hours, the Dow Jones spokesman said. “We immediately secured the data once we became aware of the problem. We take the security of Dow Jones information very seriously,” the spokesman added. The Wall Street Journal first reported the data exposure on Sunday. The revelation comes a week after a cloud server problem resulted in personal information on as many as 14 million Verizon customers being publicly accessible. Wall Street Journal (requires subscription) Article (for us without subscriptions)
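A defender-side check for the "semi-public" misconfiguration described in this post, added here as an example and not code from the article, Dow Jones or UpGuard: it scans an S3 ACL document (the structure boto3's get_bucket_acl and get_object_acl return) for grants to the global AllUsers and AuthenticatedUsers groups, the latter being the "any authenticated AWS user" case, and produces the corrected ACL with those grants removed. The sample ACLs and the canonical owner ID in them are constructed placeholders.

```python
"""Flag S3 ACL grants that expose a bucket or object to every AWS account holder.

Added example, not code from the article, Dow Jones or UpGuard. The ACL
documents below are constructed samples and the canonical IDs are placeholders.
"""
from typing import Dict, List

# Real S3 global group URIs. A grant to AllUsers is public; a grant to
# AuthenticatedUsers is the "semi-public" case from the article: anyone
# holding any AWS account, including a free one, can use it.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
EXPOSURE_BY_URI = {ALL_USERS: "public", AUTHENTICATED_USERS: "semi-public"}

# Any of these, granted to a global group, leaks data or allows takeover.
# On a bucket ACL, READ lists the objects; on an object ACL it downloads
# them, so both bucket and object ACLs need scanning.
RISKY_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def find_exposures(acl: Dict) -> List[Dict[str, str]]:
    """Return one finding per grant that gives a global group a risky permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants name one principal
        exposure = EXPOSURE_BY_URI.get(grantee.get("URI"))
        if exposure is None:
            continue  # e.g. the s3/LogDelivery group, not a global audience
        permission = grant.get("Permission", "")
        if permission in RISKY_PERMISSIONS:
            findings.append({"exposure": exposure,
                             "permission": permission,
                             "grantee": grantee["URI"]})
    return findings


def is_private(acl: Dict) -> bool:
    """True when no global group holds any risky permission."""
    return not find_exposures(acl)


def remediate(acl: Dict) -> Dict:
    """Return a copy of the ACL with every global-group grant removed.

    The result is the AccessControlPolicy you would hand back to
    put_bucket_acl; the input is left untouched for the audit trail.
    """
    kept = [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") not in EXPOSURE_BY_URI]
    return {"Owner": dict(acl.get("Owner", {})), "Grants": kept}


OWNER = {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}

# Constructed sample of the misconfiguration: owner control plus READ for
# every authenticated AWS user, alongside a harmless log-delivery grant.
SEMI_PUBLIC_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

# Constructed corrected form: only the owner keeps access.
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}


if __name__ == "__main__":
    for finding in find_exposures(SEMI_PUBLIC_ACL):
        print(f"{finding['exposure']}: {finding['permission']} granted to {finding['grantee']}")
    print("remediated ACL private:", is_private(remediate(SEMI_PUBLIC_ACL)))
```

ACLs are only one exposure path: bucket policies and the account's Block Public Access settings also decide who can read, and this check does not evaluate them.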