STE WILLIAMS

Malware-slinging scum copied D-Link’s code-signing certificates to dress up PC nasties

Security researchers have warned that someone’s obtained copies of code-signing certificates from two Taiwanese companies – and is using them to sign malware.

Abusing code-signing certificates in this way is an attempt to present software nasties as the legitimate product of the vendor whose key signed it.

Security vendor ESET spotted the certificates being used to sign files that its systems were marking as suspicious. One of the certs was from D-Link, and the other from Changing Information Technology (CIT). Both certificates have since been revoked, so eventually machines will pick up the revocations and reject the executables, hopefully.

D-Link’s now-revoked certificate was used to sign code for its mydlink IP cameras. The ESET post doesn’t identify which of CIT’s products is associated with its key, but noted that it had malware samples still using the cert even after it was revoked.

ESET said the compromised certificates were used to sign Windows malware dubbed Plead, which siphons off passwords entered into infected machines’ web browsers and opens remote-control backdoors. Japan’s CERT analyzed Plead in early June.

The command and control servers associated with Plead, ESET’s post said, are amazon.panasocin[.]com, office.panasocin[.]com, and okinawas.ssl443[.]org.
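A hunt for the three C2 hostnames above in DNS query logs, written here as an added example rather than anything from ESET’s post. The indicators are the article’s, refanged from their `[.]` form; the log lines are constructed for the example in a generic “timestamp client query” layout, so the regex needs adapting to a real DNS server’s format. Matching on the parent zones (`panasocin.com`, `ssl443.org`) as well as the exact hosts is this example’s own generalization, not something the article states.

```powershell
# Added example (not ESET's code): hunt for the Plead C2 domains in DNS query logs.
$PleadC2 = @('amazon.panasocin[.]com', 'office.panasocin[.]com', 'okinawas.ssl443[.]org')

function ConvertFrom-Defanged([string] $Indicator) {
    # Turn the article's defanged form back into a matchable hostname.
    return $Indicator.Replace('[.]', '.').ToLowerInvariant()
}

function Find-C2DnsQueries {
    param(
        [string[]] $LogLines,
        [string[]] $Indicators = $PleadC2
    )
    $domains = $Indicators | ForEach-Object { ConvertFrom-Defanged $_ }
    # Assumption of this example: any host under the C2 zones is also worth a look,
    # so the parent zone of each indicator (e.g. panasocin.com) is matched as well.
    $parents = $domains | ForEach-Object { ($_ -split '\.', 2)[1] } | Sort-Object -Unique

    foreach ($line in $LogLines) {
        # Constructed layout: ISO timestamp, client IP, queried name (trailing dot optional).
        if ($line -match '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<qname>\S+)') {
            $qname = $Matches.qname.TrimEnd('.').ToLowerInvariant()
            $hit = $null
            if ($domains -contains $qname) {
                $hit = 'exact'
            }
            elseif ($parents | Where-Object { $qname -eq $_ -or $qname.EndsWith(".$_") }) {
                $hit = 'zone'
            }
            if ($hit) {
                [pscustomobject]@{
                    Time   = $Matches.ts
                    Client = $Matches.client
                    Query  = $qname
                    Match  = $hit
                }
            }
        }
    }
}

# Constructed sample log lines (not real traffic); the second and fourth should be reported.
$sample = @(
    '2018-07-10T09:12:01Z 10.1.4.23 update.microsoft.com.'
    '2018-07-10T09:12:04Z 10.1.4.23 OFFICE.panasocin.com.'
    '2018-07-10T09:13:17Z 10.1.4.77 cdn.example.net.'
    '2018-07-10T09:14:02Z 10.1.4.77 beacon.ssl443.org.'
)
Find-C2DnsQueries -LogLines $sample | Format-Table -AutoSize
```

Feed it real logs with `Get-Content` on the DNS debug log or the exported Sysmon DNS events; the case folding and trailing-dot trimming are there because both sources emit names in inconsistent forms.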

In late June, Trend Micro dubbed the group involved with the campaign BlackTech, and said its main targets are in Taiwan, Japan, and Hong Kong.

Plead has been active since 2012, Trend Micro’s post said, and all the BlackTech campaigns (as well as Plead, there are Shrouded Crossbow and Waterbear) have at least two C&Cs in common. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/10/d_link_certs_copied_blacktech_malware_campaign/

Brown pants moment for BlueJeans: Dozens of AV tools scream its vid chat code is malware

Programmers at videoconferencing software house BlueJeans have been living through a developer’s nightmare the past month or so – antivirus packages falsely labeling their code as malware.

A Register reader, who works in corporate IT administration, tipped us off over the weekend that the software had triggered virus alerts on a number of systems they administrate running anti-malware scanners. After submitting the program to VirusTotal, the admin found that 27 security toolkits, including Trend Micro, McAfee, and Avast, were wrongly flagging the application as a malicious nasty.

“My company has independently verified their Windows application version 2.5.660 is indeed being flagged and quarantined by antivirus systems beginning in the last few days,” the tipster wrote.

“This is not the newest version of the software, but it was the active version in June, and undoubtedly was running on the desktops of most BlueJeans customers for at least a few weeks.”

Fortunately, this wasn’t a case of the software being compromised or loaded with malware. The Register was told by BlueJeans CTO Alagu Periyannan that the antivirus alarms were the result of a cryptographically unsigned library that was since replaced.

“The entire executable is signed by BlueJeans. However, one of the libraries of the app was not signed,” Periyannan said. “We have signed that one library and now the virus scanners no longer generate a false positive.”
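The two stories above are the two failure modes of code signing a defender checks for: a signature made with a key that has since been revoked (the D-Link and CIT certificates), and a component inside an otherwise signed install that carries no signature at all (the BlueJeans library). The audit below is an added example, not code from ESET, D-Link or BlueJeans; the directory and the expected publisher string are assumptions the caller supplies. It uses `Get-AuthenticodeSignature` for the signature status and builds the signer’s chain with online revocation checking so that a revoked signing certificate is reported explicitly rather than folded into a generic `NotTrusted`.

```powershell
# Added example: audit the Authenticode signatures of every PE file under a directory.
# Reports unsigned files, broken signatures, revoked signers, and signers whose
# Subject does not contain the publisher string the caller expects.
function Get-PeSignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional substring the signer's Subject should contain, e.g. 'BlueJeans' (assumed).
        [string] $ExpectedSubject
    )

    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.ocx
    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $record = [ordered]@{
            File       = $file.FullName
            Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $null
            Thumbprint = $null
            Revoked    = $null
            SubjectOk  = $null
            Finding    = 'OK'
        }

        if ($sig.Status -eq 'NotSigned') {
            $record.Finding = 'UNSIGNED'
        }
        elseif ($sig.SignerCertificate) {
            $cert = $sig.SignerCertificate
            $record.Signer     = $cert.Subject
            $record.Thumbprint = $cert.Thumbprint

            # Build the chain with online CRL/OCSP checking for the whole chain, so a
            # revoked signing certificate shows up as such (needs network access).
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            $null = $chain.Build($cert)
            $revoked = $chain.ChainStatus | Where-Object {
                $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
            }
            $record.Revoked = [bool] $revoked
            $chain.Reset()

            if ($ExpectedSubject) {
                $record.SubjectOk = $cert.Subject -like "*$ExpectedSubject*"
            }

            if ($record.Revoked)                  { $record.Finding = 'REVOKED_SIGNER' }
            elseif ($sig.Status -ne 'Valid')      { $record.Finding = "BAD_SIGNATURE($($sig.Status))" }
            elseif ($record.SubjectOk -eq $false) { $record.Finding = 'UNEXPECTED_SIGNER' }
        }
        else {
            $record.Finding = "BAD_SIGNATURE($($sig.Status))"
        }

        [pscustomobject] $record
    }
}

# Usage (paths and publisher string are assumptions): list everything that is not
# cleanly signed by the expected publisher.
# Get-PeSignatureReport -Path 'C:\Program Files\BlueJeans' -ExpectedSubject 'BlueJeans' |
#     Where-Object Finding -ne 'OK' | Format-Table File, Status, Finding, Signer -AutoSize
```

Two caveats match the articles: the revocation result depends on the host actually reaching the CRL or OCSP responder, which is why the D-Link story says machines will pick up the revocation “eventually”; and a file that is signed but whose signer is not the expected publisher is at least as interesting as an unsigned one, since a copied certificate produces a `Valid` status.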

The false positive was confirmed by Trend Micro, which told El Reg via a spokesperson that it would look to prevent similar errors from happening again.

“Upon analysis, it appears our automation triggered the initial detection based on some existing rules, and upon further review we found it to be non-malicious,” Trend says.


“We are working to refine the rules to account for this type of file in the future.”

In this case, fixing the problem is as simple as updating the BlueJeans software, and many customers should already have the fix, as it was automatically kicked out in June. Anyone still experiencing false positives should be sure they have version 2.6 of the BlueJeans application.

Our tipster has also been able to get the affected user machines fixed, but while the problem has been solved, they are not particularly thrilled with how the issue was handled.

“Maybe it’s just me,” the admin said, “but when a vendor silently replaces a version that appears to be malware infected with a different copy that is clean, without informing customers, who downloaded the former, it does not seem like the vendor is being forthcoming about what is going on.” ®

Spotted any other weirdness with software, security tools, and operating system updates? Let us know so we can investigate.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/10/bluejeans_false_positive/

6 M&A Security Tips

Companies are realizing that the security posture of an acquired organization should be considered as part of their due diligence process.

Image Source: Shutterstock via Sylverarts Vectors

There’s a growing sense that companies need to take a closer look at security when considering a merger or acquisition.

A global survey of dealmakers by Mandiant, a FireEye company, found that 78% of respondents believe that cybersecurity is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.

“Although most security teams feel strongly that the security posture of an acquired organization should be considered in an acquisition decision, it often does not play a significant role in the deal team’s due diligence process,” says Charles Carmakal, vice president and CTO of strategic services at Mandiant. “The reality is that security generally only plays a role during the acquisition if there’s a significant breach. In that situation, the security team would evaluate if the asset is too toxic and has lost value.”

Chad Holmes, chief services and operations officer at Optiv, adds that cybersecurity has risen in importance because many more companies are acquiring digital assets as part of their digital transformation initiatives. He cited a study from Capgemini Consulting that finds 87% believe that digital transformation gives them a competitive advantage.

We talked with Carmakal and Holmes to develop this list of M&A security tips. For more information, check out the Mandiant study, “The Benefits of Cybersecurity Diligence in Mergers and Acquisitions.”


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/6-manda-security-tips/d/d-id/1332240?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data Breaches at Timehop, Macy’s Highlight Need for Multi-Factor Authentication

Names, email addresses, and some phone numbers belonging to 21 million people exposed in Timehop intrusion; Macy’s incident impacts ‘small number’ of customers.

Two new data breaches revealed this week — one at Timehop and the other at Macy’s — have once again focused attention on the continuing failure by many enterprises to implement strong authentication for controlling access to critical accounts.

Timehop, a service that helps users of Facebook and other social media platforms share nostalgic moments from old posts, on Sunday said someone using an access credential to its cloud account had illegally accessed names and email addresses belonging to some 21 million users. Phone numbers belonging to about 22%, or 4.7 million of them, were also compromised in the network intrusion the company said.

Timehop blamed the breach on its failure to use strong authentication to protect the cloud administrator account that was breached.

Meanwhile, the intrusion at Macy’s appears to have resulted from a similar authentication weakness. In an emailed statement, the company described the incident as impacting a “small number” of customers who shopped online at macys.com and bloomingdales.com. Macy’s said it had implemented additional security measures and contacted all impacted customers but offered no other details about the incident.

However, MediaPost, the first to report on the breach, said Macy’s had blamed an unnamed third party for accessing the data from an external location using valid login credentials.

The two breaches are similar to many in recent years involving the use of legitimate credentials to access and steal enterprise data. Often, the threat actors behind the attacks have first stolen the credentials or obtained them via social engineering, and then used them to access the target network.

A May 2018 report by cloud security vendor RedLock found that 27% of organizations in fact have experienced potential account compromises. Over the last year alone, several major enterprises including Uber, Tesla, Gemalto, and Aviva have experienced incidents where access credentials have been leaked or stolen, RedLock noted. Security experts have said that such breaches heighten the need for organizations to use strong authentication for controlling access to critical assets.

“Multi-factor authentication solutions have been around for over a decade. Yet many critical systems remain unprotected,” says Dana Tamir, vice president of market strategy at Silverfort. Many organizations have continued to drag their heels on implementing the measure for a variety of reasons.

Tokens Taken, Too

According to Timehop, in addition to the data on 21 million users, the attackers also managed to steal the unique tokens provided by social media companies to Timehop so it can read other people’s old social media posts. The tokens would have allowed the attacker to view the social media posts of the impacted users, without their permission. However, there is no evidence that the attacker actually used the tokens to illegally access user accounts or any of their data.

Timehop discovered the intrusion while it was in progress and managed to lock out the attackers slightly more than two hours later. Since then the company has implemented multifactor authentication to secure authorization and access controls across all of its internal accounts. Timehop has also deactivated all the compromised access tokens so they can no longer be misused.  

As a result of these changes, users will have to log in and re-authenticate to Timehop’s service for each social media account, the company said.

“Strong MFA can prevent account takeovers, such as the ones seen in the Macy’s and TimeHop breaches,” says Will LaSala, security evangelist at OneSpan.

Just about every IT administrator already knows this, but often there are factors at play that make it hard for organizations to deploy MFA easily, he says. “When breaches like these occur, it is easy to point out that the IT professional missed the obvious security concern. But it is less easy to see why those concerns were overlooked in the first place,” LaSala says.

One challenge is that most multi-factor authentication products require organizations to deploy software on both the server and user endpoints, says Tamir. Modern IT infrastructures are also becoming increasingly dynamic, and new servers are often spun up and down in these environments in just a few minutes.

“This makes it difficult to ensure authentication software is installed and configured for each server,” she notes. Requiring software on various user endpoint platforms similarly is problematic due to BYOD trends and the dynamic nature of mobile device use.

Sometimes, organizations might have to implement MFA products from multiple vendors due to the nature of their technology infrastructure — increasing costs and complexity in the process. And in some environments, as with critical servers on industrial OT networks and SCADA environments or certain financial systems, it isn’t possible to deploy any MFA software at all, she says.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/data-breaches-at-timehop-macys-highlight-need-for-multi-factor-authentication/d/d-id/1332250?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Web biz DomainFactory confirms: We were hacked in January 2018

German hosting company DomainFactory has taken down its forums after someone posted messages alleging to have compromised the company’s computers.

Acknowledging the attack, the GoDaddy-owned (via Host Europe, acquired in 2016) company has advised customers to change their passwords and detailed the extent of the data breach claimed by the hackers.

“While we investigate this data breach, we already know that third parties could have had unauthorised access to the following categories of data: Customer name; Company name; Customer number; Address; E-mail addresses; Phone number; DomainFactory Phone password; Date of birth; Bank name and account number (eg IBAN or BIC); and Schufa score”

The company says it has secured the systems the attacker accessed.

Details of the data breach first emerged via Heise, which viewed the now-deleted forum posts in which the attacker said he had accessed the systems.

Journalist Fabian Scherschel also posted on Twitter (in German) that he was also watching a Twitter thread “in which lots of #Domainfactory customers ask a hacker about their data because DF does not respond to their requests” (all before DomainFactory’s disclosure).

The Heise article said “when he realised that DomainFactory did not want to communicate the fact that he had broken into the company’s servers, he disclosed his hack”.

Heise said the attacker used a Dirty Cow variant to access the systems, but that wasn’t addressed in DomainFactory’s post.

DomainFactory’s disclosure puts the date of the data breach as January 28, 2018. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/09/domainfactory_in_germany_confirms_brdata_breach/

Cops suspect Detroit fuel station was hacked before 10 drivers made off with 2.3k ‘free’ litres

Updated: Police suspect that high-tech thieves may have hacked into a Detroit petrol station before stealing 600 US gallons (2,271 litres) of fuel.

Fox News affiliate WJBK reported that the clerk was unable to shut off a pump that dispensed free fuel for 90 minutes. Ten vehicles took advantage of the security hole to fuel up without paying, leaving the outlet down $1,800 (about £1,360).

The clerk said the system was unresponsive, but he eventually managed to shut it down using “emergency kit” before calling the cops.

Officers reckon the perps used a “remote device” to hack the pump and pull off the scam, which took place in broad daylight at around 1pm on June 23 at a suburban gas station about 15 minutes from downtown Detroit in the US. Police are investigating the drivers involved, whose cars may have been caught on CCTV.

The cops told reporters that whatever device allowed the pumps to dispense fuel without charging customers was also used to stop the pump from being switched off from the petrol station system-side.

Technical details are scant. In the absence of anything solid, cybersecurity experts offered a more prosaic explanation.

“It could just be a faulty pump,” computer security researcher David Litchfield told El Reg.

Nigel Tolley added, dismissively: “A six-foot long drillbit and a pump with a hose would’ve got way more.”

Elsewhere in petrol-pump-tech-gone-wrong news, many BP stations across the UK experienced a three-hour point-of-sale system outage on Sunday afternoon. Customers were asked to pay by cash during the incident, which has now been resolved.

The cause of the outage has become the focus of an investigation. ®

Updated to add

A Reg reader, who says he worked 10 years in tech support for the gas station industry, told us the suspected crooks may have put the pumps into a diagnostics-like mode, so that the equipment stopped reporting fuel pumping to the sales terminals. Our tipster explained:

What the perps will have done is put the pump into standalone mode – this is the removal of communications control, and every pump has it – it’s like an engineering mode, allows dispensing without point-of-sale control.

Here in the UK, I have remote handsets that could easily do the same to most pumps here. It’s only in recent years that some manufacturers have implemented the disabling of standalone mode while the comms cables running proprietary communication protocol are connected. It’s a small industry, and largely self-policed, with rare occurrences of engineers going rogue or letting out the passcodes and handsets.

The shop owner in this case should have simply hit the emergency stop. This would have killed the power, and stopped anything further occurring – it’s likely they weren’t paying full attention.

Bootnote

Security researchers have demonstrated hacks on petrol management systems before. Trend Micro warned more than three years ago that gas-monitoring systems used in petrol stations were easy to find using Shodan, the Internet of Things search engine. Many systems were not password-protected, as El Reg reported at the time.

More recent research by Ido Naor, a senior researcher at Kaspersky Lab, and Amihai Neiderman, formerly of Azimuth Security, warned that petrol station software vulnerabilities created a means for hackers to steal fuel, change prices and erase audit logs.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/09/gas_station_hack/

Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

Miscreants have developed the first strain of ransomware worm capable of infecting legacy systems, such as Windows XP and 2003.

The infamous WannaCry outbreak, which severely affected the UK’s NHS, showed just how much damage ransomware can do.


Subsequent tests showed that in most cases WannaCry could only crash – rather than infect – Windows XP systems, which remained in use by the health service connected to MRI scanners and the like, despite being retired by Microsoft years ago. Extended support for Windows XP ended in April 2014.

A new version of the GandCrab (v4.1) ransomware has an SMB exploit spreader that works against XP and 2003, as well as later versions of Windows. It’s the first ransomware to actually “support” legacy systems, according to UK infosec practitioner Kevin Beaumont.

Though previous versions of GandCrab haven’t had much of an impact, the latest promises to be more problematic. One of its modules is called “network fucker”, which speaks to the intent of the hackers behind its creation. The nasty no longer needs a command-and-control server, meaning it can operate in air-gapped environments – bad news for industrial plants, where Windows XP remains rife.

GandCrab v4.1 spreads via an SMB exploit. Previous versions of the malware were detected by antivirus scanners and this will probably be the case with the latest, which is sold as a kit and spread by script kiddies looking to make a dishonest buck.

This isn’t the work of an intel agency, military unit or even a well-resourced and agile cybercrime group, nonetheless it still poses a threat.

“Being able to spread without internet access and impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice – e.g. no working antivirus software,” Beaumont warned.

The threat has been seen spreading in the wild, making it a real and present danger. Fortunately, mitigation and defence are both relatively straightforward.

Systems should be updated to run MS17-010, a patch for Windows XP and Windows Server 2003 brought out by Microsoft in the wake of WannaCry. Windows 2000 systems are among the few not protected by this safety net. Running antivirus and segmenting systems will also help.

Admins of networks running newer versions of Windows should consider taking the option of disabling SMB1, an option not available in legacy versions of Windows.
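The two mitigations above, the MS17-010 patch and disabling SMB1, as a single host check. This is an added example, not Beaumont’s or Microsoft’s code. It assumes an elevated session, and the MS17-010 KB identifier is left as a placeholder because the number differs per Windows version and the article does not give one. On Windows 8/Server 2012 and later it uses the `Smb*` cmdlets and the `SMB1Protocol` optional feature; on Windows 7/Server 2008 R2 it falls back to the `LanmanServer` registry value; on XP and 2003 none of those exist, which is the “option not available in legacy versions” caveat, so there only the patch, antivirus and segmentation remain.

```powershell
# Added example: report whether this host exposes SMB1 without the MS17-010 fix,
# and optionally switch SMB1 off. Assumes an elevated PowerShell session.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Placeholder, not a real identifier: supply the MS17-010 KB for this OS build.
        [string] $Ms17010Kb = 'KB<ms17-010-id-for-this-os>',
        [switch] $DisableSmb1
    )

    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $result = [ordered]@{
        Host             = $env:COMPUTERNAME
        OsVersion        = [System.Environment]::OSVersion.Version.ToString()
        Smb1Server       = 'unknown'
        Smb1Feature      = 'unknown'
        Ms17010Installed = $false
        Exposed          = $true
    }

    # 1. SMB server protocol switch (Windows 8 / Server 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    else {
        # Windows 7 / Server 2008 R2: the registry value is the switch, and SMB1 is
        # enabled when the value is absent.
        $val = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.Smb1Server = if ($null -eq $val) { $true } else { [bool] $val }
    }

    # 2. The SMB1 optional feature (Windows 8.1 / Server 2012 R2 and later).
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat) { $result.Smb1Feature = $feat.State.ToString() }
    }

    # 3. Is the MS17-010 update installed? Get-HotFix queries WMI and works back to XP/2003.
    $hf = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
    $result.Ms17010Installed = [bool] $hf

    # Exposed = SMB1 still served and the fix missing. Segmentation is a network control
    # and is out of scope for a host check.
    $result.Exposed = ($result.Smb1Server -eq $true) -and (-not $result.Ms17010Installed)

    if ($DisableSmb1 -and $result.Smb1Server -eq $true) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0
        }
        if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        $result.Smb1Server = 'disabled (restart may be required)'
    }

    [pscustomobject] $result
}

# Usage: Test-Smb1Exposure -Ms17010Kb 'KB...'   (add -DisableSmb1 on hosts that do not need SMB1)
```

Run it read-only first across the estate and only pass `-DisableSmb1` once you know nothing legitimate still depends on SMB1 (old multifunction printers and NAS boxes are the usual holdouts); an “Exposed” host that cannot be patched or have SMB1 disabled is the one the article says to isolate by segmentation.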

Beaumont’s write-up of the threat and suggested mitigations can be found here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/09/legacy_windows_ransomware/

Two More Convicted in $30M Massive Hacking, Securities Fraud Operation

A former hedge fund manager and securities trader participated in a scheme that made $30 million by trading on information from stolen press releases.

Two defendants have been convicted for their involvement in an operation that generated about $30 million in illegal profits by trading on information from press releases stolen from major newswires, the Department of Justice announced last week.

Vitaly Korchevsky, a former hedge fund manager, and Vladislav Khalupsky, a securities trader, were convicted on July 6 in a federal court in Brooklyn, New York. Their conviction follows a four-week trial; each defendant could face a maximum prison sentence of 20 years.

The two were found guilty of conspiracy to commit wire fraud, conspiracy to commit securities fraud and computer intrusion, conspiracy to commit money laundering, and two counts of securities fraud. Both used stolen press releases from multiple newswires to trade on non-public information ahead of its release and earn millions of dollars, the DoJ reports.

Korchevsky and Khalupsky worked with cybercriminals to hack major newswire companies and lift press releases ahead of their distribution. Using the stolen data, which included non-public financial information, they traded in the stock market and generated $30M in illicit profit.

Evidence shows between February 2010 and August 2015, Ukrainian hackers Ivan Turchynov and Oleksandr Ieremenko broke into the networks of Marketwired, PR Newswire, and Business Wire. The duo was among nine defendants charged in relation to this scheme in August 2015, when both Korchevsky and Khalupsky were also first charged for their involvement. So far all defendants have pleaded guilty or been convicted at trial, save for three who remain at large.

Turchynov and Ieremenko gained access to Marketwired in 2010 via SQL injection and used reverse shells to steal data. They broke into PR Newswire multiple times in 2010, 2011, and 2013, and breached Business Wire to steal data, brute-forcing the credentials of 15 employees.

The two moved through newswire networks to access more than 100,000 press releases about news on earnings, revenues, and other protected data throughout their five-year operation. Publicly traded companies whose announcements were involved included CA Technologies, Caterpillar Inc, Align Technology, Hewlett Packard, Home Depot, Panera Bread, and Verisign.

The threat actors spread their findings to a network of global traders using secure email exchanges and computer servers located overseas. Among them were Korchevsky and Khalupsky, who traded on the press releases before they were made public. There was a small window of time after the traders received stolen data and before the releases were published; investigators noticed spurts of trading activity just prior to their publication.

Most illegal funds were routed to the hackers. Korchevsky used press releases to trade on accounts that benefitted his criminal network and personal accounts, earning more than $15 million. Khalupsky mostly aimed to benefit his criminal network and made at least $500,000.

Investigators found the two attempted to hide their trading activity by using separate phones, computers, and hotspots, regularly deleting emails and destroying hardware containing evidence, and sending illegal profits to offshore shell companies.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/attacks-breaches/two-more-convicted-in-$30m-massive-hacking-securities-fraud-operation/d/d-id/1332246?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Insurers Sue Trustwave for $30M Over ’08 Heartland Data Breach

Lawsuit filed by Lexington Insurance and Beazley Insurance is in response to a Trustwave legal filing that called their claims meritless.

It’s been a decade since the massive Heartland Payment Systems data breach, but the legal fallout continues: Two insurers have filed a lawsuit demanding $30 million in restitution from the security vendor that certified the company as PCI DSS-compliant prior to the attack.

Insurance firms Lexington Insurance Co., of Massachusetts, and Beazley Insurance Co., of Connecticut, on June 28 filed suit in the Circuit Court of Cook County, Ill., claiming professional malpractice by security firm Trustwave Holdings Inc. in the 2008 data breach of Heartland that led to the insurers paying some $30 million in claims. 

The lawsuit came in response to a Trustwave court filing on June 22 in Delaware that petitioned the court to rule the insurers’ demands moot due to statute of limitations on the case, and that Trustwave maintained it did not breach its audit contract with Heartland. Trustwave filed the case after the insurers sent the firm a letter demanding payment for insurance it paid out related to the breach. Lexington and Beazley then intensified the pressure by taking the suit to court in Illinois.

“The insurers’ spurious demand related to a decade-old breach is entirely without merit. Trustwave initiated this lawsuit in order to obtain a judgment accordingly and intends to pursue this matter vigorously,” Trustwave said in a statement provided to Dark Reading.

Trustwave also said its PCI assessment isn’t the equivalent of managing security for Heartland.

“Trustwave filed a lawsuit in Delaware against Lexington and Beazley in response to their time barred and unwarranted attempt to recoup the insurance proceeds they paid associated with Heartland’s 2008 data breach. The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter,” Trustwave said in the statement.

Trustwave’s PCI DSS assessment of Heartland was no guarantee that the company had not been or would not be breached, according to Trustwave. “Trustwave did not manage Heartland’s information security, and at no time did Heartland assign blame or make any claim against Trustwave,” the company said.

Neither Lexington nor Beazley had responded to press inquiries as of this posting.

Lexington and Beazley’s lawsuit claims Trustwave was responsible for the breach at Heartland and that the security firm had handled PCI DSS assessments, vulnerability scans, and compliance testing services for the payment processor starting in 2005, according to a report by The Cook County Record. The complaint claims the 2009 breach is connected to the SQL injection attack that began on July 24, 2007, on Heartland’s system and slurped magnetic stripe data. Malware was planted on May 14, 2008, the suit said, and Trustwave’s testing didn’t detect it, the report noted.

Trustwave certified Heartland as PCI DSS-compliant in 2007 and 2008 after its audits.

Credit card giant Visa conducted its own investigation of the PCI DSS certification and found multiple PCI DSS violations. In 2015, most of the breach litigation was settled. Lexington forked out $20 million in insurance reimbursements, while Beazley paid out $10 million. 

Heartland reportedly paid out some $148 million in legal fees, settlements, and other costs associated with the breach over time.

Andrew Hay, co-founder and CTO of Leo Cyber Security, says the lawsuit against Trustwave is bad news for security companies.

“I think this sets a very dangerous precedent for security companies providing services. The customer does, and should, have an expectation of protection as a result of deploying mitigating controls. What’s missing in the vendor space, however, are strict rules of engagement related to the proper deployment, management, and monitoring of said controls – both technical and documentation/program,” he says. “It’s one thing to deploy a tool to address an issue, but it’s an entirely different challenge to operationalize the control from a program perspective.”

Security vendors can’t guarantee that their products or services are a cure, but instead should position their offerings as a way to help lessen the blow of threats if they are properly deployed, Hay says.

The case is likely just the tip of the iceberg, too. It’s “a huge win for the cyber-liability insurance providers and associated reinsurance companies, as it will likely be touted as justification for protecting your organization against future litigation,” Hay says. “We’ll also see an increase in cyber-liability insurance carried by our security vendors to protect against similar litigation as well.”

Heartland’s hack exposed some 130 million US debit and credit card accounts – the largest breach ever recorded at the time. The incident, which was first made public in January 2009, led the company to up its security game with end-to-end encryption, tokenization, and EMV chip-and-pin payment card technology.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/application-security/insurers-sue-trustwave-for-$30m-over-08-heartland-data-breach/d/d-id/1332248?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Smart TVs are spying on you through your phone

Last year, the US Federal Trade Commission (FTC) slapped TV maker Vizio with a $2.2m fine for watching us watch its TVs: the spy boxes were collecting data that included IP addresses and demographic information on 11 million users.

Pffft! Amateurs. Vacuuming our data straight out of our living rooms to see what we’re watching so they can target-market us is so last year. Now, it turns out, one company that’s all about making personalized viewing recommendations is jumping beyond our living rooms in order to sniff out what’s happening on any device that’s on our networks, including our mobile devices, and that of course means following us around.

The New York Times on Thursday published a report about Samba TV, which collects data on 13.5 million TV viewers in order to make its personalized show recommendations. Samba has signed deals with about a dozen TV makers, including Sony, Sharp, Magnavox, Toshiba and Philips, to install its software on certain sets.

It calls that software Automatic Content Recognition (ACR) and says that it delivers “essential TV insights.”

As the Times reports, when a user gets one of these TVs out of the box, a screen urges them to enable a service called Samba Interactive TV. The service promises to recommend shows and provide special offers “by cleverly recognizing onscreen content.” As of 2016, company executives said that more than 90% of people clicked the enable button.

But they were likely agreeing to give away far more data than they realized. What the initial “enable” screen doesn’t include: a terms of service agreement that exceeds 6,500 words and a privacy policy that pushes past 4,000 words. That’s a lot of reading for somebody who just wants to find out if Jon Snow is going to accidentally sleep with his aunt.

With all those words, tucked into screens that Game of Thrones fans clearly aren’t clicking through to pore over, Samba gives itself the go-ahead to create a “device map” that matches TV content to devices sharing a network with a smart TV. And that, according to Jeffrey Chester, executive director of the Center for Digital Democracy, helps the company to leap out of living rooms in order to track users “in their office, in line at the food truck and on the road as they travel.”

Sounds a lot like the internet at large, doesn’t it? Online services follow us around after we leave, taking note of where we go. Facebook, in fact, found itself in quite a bit of hot water over that one: CEO Mark Zuckerberg was in the hot seat in Congress a few months ago, as Florida Rep. Kathy Castor asked whether or not Facebook collects personal data on people who aren’t even Facebook users.

Well, yes, the company eventually admitted, coughing up the reasons why and pointing out that Facebook is far from the only online service to do so: Twitter, Pinterest, LinkedIn, Google, and Amazon all offer services on other sites and apps, and following people around is part and parcel.

This tracking has, justifiably enough, met with forceful pushback. In 2015, a Belgian court gave Facebook 48 hours to stop tracking non-users, which resulted in Belgians who didn’t have Facebook accounts being unable to view any Belgian Facebook pages, including public profiles. In February 2016, the French data protection agency CNIL gave Facebook three months to stop tracking non-users in France. And just last month, to loud applause, Apple introduced the ability to block this type of tracking in Safari.

So yes, we’re all pretty accustomed to saying No when it comes to online tracking. But when it comes to internet TV tracking, the public is still fairly unaware of the extent to which it’s happening, critics say.

The TV industry also hasn’t been subjected to the strict rules and regulations surrounding viewing data that have traditionally applied to cable companies, as Jonathan Mayer, an assistant professor of computer science and public affairs at Princeton University and a former technology adviser at the Federal Communications Commission, told the Times. That’s helped to fuel “this rise of weird ways to figure out what someone’s watching,” he said.

Mayer told the newspaper that smart TV companies are overseen by the FTC, which means that “as long as you’re truthful to consumers, even if you make it really hard to exercise choices or don’t offer choices at all, you probably don’t have much of a legal issue.”

Bill Daddi, a Samba spokesman, told the Times that the company has been upfront about what it’s doing:

Each version has clearly identified that we use technology to recognize what’s onscreen, to create benefit for the consumer as well as Samba, its partners and advertisers.

One TV owner, David Kitchen, a software engineer in London, clearly disagrees. Three months ago, he took to Hacker News to describe how startled he was when his Sony smart TV updated itself and “tried to force me to use a new app” – specifically, Samba.

This is what the Samba opt-in message had told him:

Interact with your favorite shows. Get recommendations based on the content you love. Connect your devices for exclusive content and special offers. By cleverly recognizing onscreen content, Samba Interactive TV lets you engage with your TV in a whole new way.

But when he researched the Samba privacy policy, he found it was “worse than recent facebook stuff.” Kitchen pointed out that Samba’s privacy policy says that it tracks…

…what you watch, when you watch it, your location, your interactions with other apps. And they share this with …well, everyone basically.

This information is then used to market to you within the TV and offer you a ‘hot list’ … but it is also used to ‘Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights, safety and property of Samba and others.’

More from Samba’s privacy policy:

Information we receive about you or your household from using one device or Smart TV may be combined with information we receive from use of other devices or Smart TVs. For example, if we know you love watching football on your Smart TV, we may show you real-time football stats on your mobile device.

As Samba points out, you can always opt out of receiving such tailored content by following the instructions set forth in its “Your Rights and Choices” section.

Or, as Kitchen suggests, you can just disable Samba completely. It is, he suggests, “a snitch in your living room, snitching on everything you watch on your TV.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5PaDW-5IKpU/