STE WILLIAMS

‘This repository is private’ – so what’s it doing on the public internet, GE Aviation?

GE Aviation managed to expose a pile of its private keys on a misconfigured Jenkins instance that was exposed to the public internet, according to a security researcher who found it through Shodan.

“It took me only a couple of clicks to stumble upon a Jenkins server which appeared to be part GE Aviation internal commercial infrastructure,” blogged Bob Diachenko, a researcher for consultancy Security Discovery.

It appeared, from what he found, that Diachenko had got into a backend repository powering GE Aviation’s customer portal. The server, he said, “contained source code, plaintext passwords, configuration details, private keys from a variety of GE Aviation internal infrastructure” and more.

The key to large chunks of this information was contained in a readme file, which read in part: “This repository contains all of the configurations that are managed through Chef that are non application specific and shared between servers and applications… All of the configurations in this repository are potentially security sensitive so this repository is private and *ALL* forks of this configuration code must be private.”


A DNS misconfiguration exposed the repo server. Diachenko told GE and the instance vanished from the publicly accessible internet within the day, following a response from the company within two hours.

GE Aviation builds engines that power a significant number of the world’s airliners, including the Boeing 747 and that company’s 787 Dreamliner. It employs around 40,000 people worldwide and supports 25,000 engines, including the widely used CF6 and CFM56 lines from its joint venture with France’s SNECMA.

The company has not responded to The Register‘s request for comment, though it admitted to Diachenko that “plaintext usernames and passwords were exposed on this server, but these credentials mapped to applications only accessible from our internal network”.

GE Aviation added that no customer data, nor “significant” GE data, was affected, and said a malicious person would need access to the company’s internal environment to exploit them – but it reset all the creds anyway “as a precautionary measure”.

“Our recommendation to other companies is to perform regular auditing of their static DNS mappings to ensure that mappings that no longer need to exist are deleted to avoid a similar situation,” GE Aviation told Diachenko.
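GE Aviation's recommendation above is an audit that can be automated. The Python script below is an added example, not code from the article, GE Aviation or Security Discovery: it walks a set of static DNS records, follows CNAME chains inside the zone, and flags A records whose addresses are no longer in the asset inventory, CNAMEs that resolve to such addresses, and CNAMEs whose chain leaves the zone (a record that becomes dangling once the external target is released). The zone data, the `corp.example` hostnames and the inventory are constructed for illustration; in practice they would come from a zone-file export and a CMDB or cloud inventory query.

```python
"""Audit static DNS records for stale mappings.

Added example (not from the article or GE Aviation). SAMPLE_ZONE and
SAMPLE_INVENTORY are constructed; replace them with a zone export and an
asset inventory query.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified owner name
    rtype: str   # "A" or "CNAME"
    target: str  # IPv4 address for A, hostname for CNAME


# Constructed sample zone for an illustrative internal domain.
SAMPLE_ZONE = [
    Record("jenkins.corp.example.", "A", "10.20.30.40"),
    Record("portal.corp.example.", "A", "10.20.30.41"),
    Record("old-jenkins.corp.example.", "A", "10.20.30.99"),  # host decommissioned
    Record("build.corp.example.", "CNAME", "jenkins.corp.example."),
    Record("legacy-build.corp.example.", "CNAME", "old-jenkins.corp.example."),
    Record("ci.corp.example.", "CNAME", "ci.thirdparty.example."),  # leaves the zone
]

# Constructed inventory: addresses currently assigned to managed hosts.
SAMPLE_INVENTORY = {"10.20.30.40", "10.20.30.41"}


def resolve_in_zone(name, records, depth=8):
    """Follow CNAMEs inside the zone and return the set of final A targets.

    Returns None when the chain leaves the zone, loops, or exceeds `depth`.
    """
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    seen = set()
    for _ in range(depth):
        if name in seen:
            return None  # CNAME loop
        seen.add(name)
        rrs = by_name.get(name)
        if not rrs:
            return None  # target is not in this zone
        a_targets = {r.target for r in rrs if r.rtype == "A"}
        if a_targets:
            return a_targets
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if not cnames:
            return None
        name = cnames[0].target
    return None


def find_stale_mappings(records, inventory):
    """Return a list of (owner name, reason) for records that need review."""
    findings = []
    for r in records:
        if r.rtype == "A":
            if r.target not in inventory:
                findings.append(
                    (r.name, f"A record points to {r.target}, which is not in the asset inventory"))
        elif r.rtype == "CNAME":
            targets = resolve_in_zone(r.name, records)
            if targets is None:
                findings.append(
                    (r.name, f"CNAME chain via {r.target} does not resolve inside the zone; "
                             "verify the external target is still owned"))
            elif not targets <= inventory:
                stale = sorted(targets - inventory)
                findings.append(
                    (r.name, f"CNAME resolves to {stale}, not in the asset inventory"))
    return findings


if __name__ == "__main__":
    for name, reason in find_stale_mappings(SAMPLE_ZONE, SAMPLE_INVENTORY):
        print(f"{name}\t{reason}")
```

Run against the constructed data, the audit reports `old-jenkins`, `legacy-build` and `ci`, while `build` is accepted because its chain ends at an address still in the inventory. Records a host team no longer recognises are the ones to delete, which is the situation GE describes.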

The researcher has been behind a number of discoveries of improperly secured data over the years, including a misconfiguration snafu by Veeam which exposed millions of their customers’ records. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/09/ge_aviation_jenkins_dns_snafu/

Marriott’s got 99 million problems and the ICO’s one: Starwood hack mega-fine looms over

The UK’s Information Commissioner’s Office wants to fine Marriott Hotels £99m over its loss of 383 million customer booking records last year.

The almost-but-not-quite-£100m sum (£99,200,396) was disclosed in a US regulatory filing by Marriott, which said: “Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position.”

A penitent but combative Arne Sorenson, chief exec of Marriott International, added: “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

In November 2018, Marriott admitted to the world that half a billion customer records had been stolen by miscreants later publicly identified by US foreign secretary Mike Pompeo as coming from China. Though the hotel chain later scaled that down to a mere 383 million reservations, rather than 500 million individuals’ data, the damage had very obviously been done.

Among the types of data stolen were unencrypted names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. The database, which the attackers had been accessing for four years before anyone noticed, was the Starwood Hotels chain’s guest reservation database, since decommissioned.

Marriott bought Starwood for $13.6bn in 2015, with the deal closing a year later. The group made a profit of $1.9bn in FY2018, an increase of nearly $1bn in two years.

Information Commissioner Elizabeth Denham said in response to Marriott’s statement: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott did indeed co-operate with the ICO investigation, according to the regulator, which took the lead on the investigation on behalf of other EU states.

People who booked a hotel stay in any Marriott or Starwood hotel (among others, the group also owns the Sheraton, Ritz-Carlton, and Renaissance brands) should go to Starwood’s web page about the data breach for more information on what the chain has promised to do for affected customers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/09/marriott_hotels_ico_fine_intention_99m_starwood_breach/

DevOps’ Inevitable Disruption of Security Strategy

Black Hat USA programming will dive into the ways DevOps-driven shifts in practices and tools are introducing both new vulnerabilities and new ways of securing enterprises.

With DevOps principles taking root and reaching greater maturity at an increasing number of enterprises today, security strategists are in for some major disruption of the status quo in the coming years. That’s the message being brought forward by a number of talks at next month’s Black Hat USA, which will feature discussions on the impact that DevOps-driven practices and tools will have on the security world.

“The way software is being delivered is fundamentally changing. Security, frankly, just has to catch up,” says Kelly Shortridge, vice president of product strategy for Capsule8, who will be co-presenting a talk titled “Controlled Chaos: The Inevitable Marriage of DevOps & Security.” “There is almost a Copernican revolution right now where the primitive models that we’ve held dear for decades and are the basis for a lot of security strategies no longer apply to this cloud and microservices world. So we have to rethink things in a lot of ways.”

One of the most obvious fronts needing rethinking is with containerized workloads, which are self-encapsulated instances of application components that are changing the face of IT architecture. Containers aren’t explicitly a DevOps tool per se, but the DevOps philosophical push to make small, incremental changes to software through automation and microservices — breaking up large applications into smaller, reusable chunks — has been a catalyst for recent container adoption.

On the whole, enterprises are experiencing a stratospheric explosion in containers and an increasing reliance on container orchestration tools as a crucial part of the software delivery and operational toolchain. As evidenced by sessions scheduled at Black Hat, security researchers are already starting to probe the security and resilience of containers and container orchestration platforms like Kubernetes. For example, Ian Coldwater, lead platform security engineer at Heroku, and Duffie Cooley, staff cloud native architect at VMware, will present “The Path Less Traveled: Abusing Kubernetes Defaults,” a talk that will explore the attack surface exposed by running a default configuration of Kubernetes — essentially exploiting the as-designed features of the platform.

Early exploration and research such as this notwithstanding, the average security practitioner still remains largely in the dark about container architecture, its unique peccadillos, and its inherent risks, says Shortridge’s colleague, Brandon Edwards, chief scientist for Capsule8.

“A lot of people sort of just group them up with [virtual machines] or similar technology, but they’re not,” says Edwards, who is co-presenting his own talk, “A Compendium of Container Escapes,” which will offer a primer for security professionals to get their arms around the basics of the container attack surface. “Containers have completely different security properties, so we’re just going through a variety of different ways of how they can be broken and where the security properties of containers exist and where they don’t.”

Edwards will also bring forward some predictions about the kinds of hacks and vulnerabilities we’re likely to see in the next 12 months as security researchers and attackers start truly digging into containers.

The mystery of containers for security people is a microcosm of the larger ripples caused by the disruptions wrought by rapidly changing software delivery methods. Security teams struggling to keep up are still wont to apply old models to the new technologies, which comes down to misperceptions about them, Shortridge says. For example, the false equivalency that Edwards mentioned about containers being perceived as lightweight virtual machines will throw off strategists’ thinking. 

“So if you’re operating off that assumption, then your threat models are going to be all wonky and wrong — particularly if you weren’t mapping the workloads and understanding how different systems are working with each other,” she says, explaining that misunderstandings about new technologies also lead to a naïve belief that old technologies can be ported to these modern systems. “So they might think, ‘Is there a firewall just for containers?’ But that doesn’t make any sense, and it’s not what we actually need.” 


The good news is that for security people who can accept this is where IT is going and are willing to make the pivot to support it, it quickly becomes apparent that DevOps practitioners share many of their goals and that the new mode can open a lot of opportunities to simplify security work, Shortridge explains. This includes foundational principles like system resilience, repeatability, and traceability of processes. She says that the security triad of CIA — confidentiality, integrity, and availability — is likely to morph into what she calls the DIE triad in the modern DevOps world: distributed, immutable, and ephemeral. 

“They roughly involve the same characteristics. Distributed computing is similar to availability — you want to make sure that none of your resources are centralized,” Shortridge says. “For immutable, that’s like integrity. You want to make sure that data stays the same, right? You don’t want tampering or modification. And then for ephemeral, you also want to try to drive the value of assets down to zero, to make persistence less valuable, which you can do with a modern infrastructure. In a lot of ways, your job as a security person becomes a lot easier under this paradigm.” 


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/devops-inevitable-disruption-of-security-strategy/d/d-id/1335170?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Insider Threats: An M&A Dealmaker’s Nightmare

Because data has never been more portable, taking it has never been easier. And that’s a huge problem during mergers and acquisitions.

When it comes to insider threats, business and security leaders are facing a harsh reality. Last year, there were 50,000 mergers and acquisitions (M&A) transactions worldwide, with a total value of about $4 trillion. The biggest concerns for dealmakers? They were not what you might expect. For more than a quarter of them, it wasn’t typical issues related to valuation, integration, or execution; instead, it was insider threat and other cybersecurity issues.

The risk of data loss or data theft increases during M&A. Employees, especially at the sell-side company, will hedge their bets and prepare for the worst. “What does this deal mean for me? Is my job safe?” In times of uncertainty, even the best employees may take actions that are out of character in order to keep data that they believe belongs to them.

Consider a developer with high-demand skills at an artificial intelligence startup that was just acquired by the market leader. As part of the deal, the buy-side company announces a reorg. Hearing about the pending layoffs, a recruiter for the competition begins poaching talent with the promise of a big compensation package. Worried about losing his job, the developer accepts the offer. Before he leaves, he transfers some source code to personal cloud storage, thinking it might be useful in his new role. Now, your intellectual property (IP) has walked out the door.

Investing big in a merger or acquisition only to discover that you’ve lost valuable data is a dealmaker’s nightmare. And because data has never been more portable, taking it has never been easier. Employees can store hundreds of gigabytes on their mobile devices, put 1TB or more of data on removable media, or, like the developer, quickly transfer data to personal cloud storage services.

When you consider Deloitte’s estimate that IP can account for as much as 80% of a company’s value, it should not be surprising that securing the transition of that data will directly affect the success — or failure — of an M&A deal. To better protect their investment, it’s time for buy-side companies to take a more holistic approach to data loss protection from insider threats.

Demise of the Castle Metaphor
Since the dawn of technology, security has been built around a castle metaphor. The idea is that your network and data is inside a castle that you need to fortify and safeguard. If you build a big enough “moat,” everything will be fine. This philosophy assumes that cybercriminals and malicious attacks are outside the moat, and that anything and anyone inside the walls of the castle should be inherently trusted.

However, the notion that you can trust everyone “inside” and prevent all of your sensitive or confidential data from being exfiltrated or compromised is flawed thinking. Data loss “prevention” is a ridiculous promise. Losing data is inevitable.

The Broken Promises of Legacy DLP
To guard against insider threat and data loss during M&A, many buy-side companies opt for a traditional data loss prevention (DLP) solution. They install DLP software on the endpoints of the sell-side company and put strict policies in place to ensure sensitive data doesn’t leave the castle.

The problem is that these restrictive policies get in the way of employees getting their jobs done. The policies fail to account for new data being created as the companies work together through the M&A process. They also throw off alerts every time a user moves data that has been classified as sensitive. For many employees, however, moving sensitive data is a completely normal and necessary part of their everyday work. The end result for security teams? Rigid classification rules that simply can’t keep up and a flurry of false alerts that are nothing more than noise.

Protect Everything and Trust No One
There is a better way to safeguard data and streamline the M&A process. Rather than trying to identify and tag select files as sensitive, organizations should have visibility to all their data and where it lives and moves.

This approach fundamentally shifts the emphasis of a data security program from prevention to protection by focusing on speed of detection and response. It works based on the assumption that all data is important. Sales pipelines, forecasts, competitive campaigns, customer contact information, product road maps, prototype drawings — they’re all critical IP. And when you buy a company, you should be entitled to all the parts.

This next-generation approach to DLP also assumes that you trust no one. In other words, next-gen DLP software doesn’t care if an employee is a trusted user or not. It works at the data level, tracking and monitoring all data activity and flagging anomalies, while keeping copies of all files for fast retrieval and analysis. In an M&A situation, you want to see the data you’re paying for, keep it, and protect it if it is threatened. Data blind spots will only leave your deal open to more risk.

When done right, M&A is a great way to grow a company and gain a competitive edge. Having the right data security strategy and tools in place will keep your process on track, while protecting your investment. You don’t want to find yourself in the middle of a data security investigation the next time you’re ready to strike a deal.


Joe Payne brings to Code42 more than 20 years of leadership and a proven track record with high-growth software companies. He has a broad experience base in delivering software and software-as-a-service (SaaS) solutions to enterprises across numerous industries. As President …

Article source: https://www.darkreading.com/perimeter/insider-threats-an-manda-dealmakers-nightmare/a/d-id/1335098?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


Marriott Faces $124 Million GDPR Fine in UK

The proposed penalty is for a data breach beginning in 2014 that affected more than 500 million customers worldwide.

The Information Commissioner’s Office (ICO) of the UK said it intends to fine Marriott International £99,200,396, or approximately US$124,000,495, for General Data Protection Regulation (GDPR) violations.

The proposed fine, in response to the massive Starwood Hotels data breach that affected more than 500 million guests around the world, comes on the heels of a record £183 million (US$229 million) fine levied against British Airways for a breach of payment information of more than a half-million customers.

According to the ICO, Marriott has cooperated with the investigation and will now have a chance to present information to the Office regarding the potential fine. After hearing from Marriott and other interested parties, the ICO will decide on the final amount of the fine.

For more, read here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/marriott-faces-$124-million-gdpr-fine-in-uk/d/d-id/1335189?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybercriminals Target Budding Cannabis Retailers

Companies in the young, rapidly growing industry are targeted for sensitive information they store and immature security practices.

As more US states legalize recreational marijuana, security experts warn lawful cannabis retailers of their vulnerabilities to cyberattacks targeting consumer and patient information.

Thirty-four states sell marijuana for medicinal purposes; in January 2020, Illinois will become the eleventh to sell cannabis via state-licensed dispensaries. As Matthew Dunn, associate managing director for cyber risk at Kroll, says, “legitimate cannabis enterprises have all the responsibilities of a traditional business.” This means being aware of exposure to cybercrime.

“While they share with all retailers the duty to protect customer data and financial records, cannabis businesses must acknowledge a heightened state of sensitivity around privacy issues,” he writes. Dunn argues dispensaries face greater risk due to the controversial product they sell; as a result, it’s “imperative” they develop a mature cybersecurity strategy to mitigate risk.

The threat is greater for medicinal marijuana dispensaries, which store protected health information (PHI) records that are considered more valuable to attackers than typical PII due to the extent of health data they contain. Medicinal dispensaries aren’t covered under HIPAA, which would limit how they use patient data, but they still must comply with state privacy laws.

What should cannabis retailers watch for? Dunn points to the danger of email-based attacks, which affect retailers across industries but may prove especially prevalent among cannabis companies with relatively new workforces. Cyber extortion is another threat: criminals who access a dispensary’s client database could attempt to extort high-profile customers, he adds.

Also top-of-mind is the heightened risk of IoT attacks, as many cannabis retailers use video surveillance equipment that connects to the Internet. While IoT devices offer convenience and the flexibility of remote access, Dunn points out that many are left on default login credentials, and that multiple employees often share a single password to access databases and platforms.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/cybercriminals-target-budding-cannabis-retailers/d/d-id/1335184?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cloud Security and Risk Mitigation

Just because your data isn’t on-premises doesn’t mean you’re not responsible for security.

The cloud certainly offers advantages, but as with any large-scale deployment, the cloud can also offer unforeseen challenges. The concept of the cloud just being “someone else’s data center” makes me cringe because it assumes you’re relinquishing security responsibility because “someone else will take care of it.”

Yes, cloud systems, networks, and applications are not physically located within your control, but security responsibility and risk mitigation are. Cloud infrastructure providers allow a great deal of control in terms of how you set up that environment, what you put there, how you protect your data, and how you monitor that environment. Managing risk throughout that environment and providing alignment with your existing security framework is what’s most important. 

Privacy and Risk
With the EU’s General Data Protection Regulation and similar policies in some US states (Arizona, Colorado, California, and others), organizations face increased requirements when protecting data in the cloud. And the solution isn’t as simple as deploying data loss prevention software in a data center because the data center has become fragmented. You now have a bunch of services, systems, and infrastructures that aren’t owned by you but still require visibility and control.

Cloud services and infrastructures that share or exchange information also become difficult to manage: Who owns the service-level agreements? Is there a single pane of glass that monitors everything? DevOps has forced corporations to go as far as implementing microsegmentation and adjusting processes around firewall rule change management. Furthermore, serverless computing has provided organizations with a way to cut costs and speed productivity by allowing developers to run code without having to worry about infrastructures and platforms. Without a handle on virtual private clouds and workload deployments, however, things can spin out of control and you start to see data leaking from one environment just as you’ve achieved a comfortable level of security in another.

Mitigation
Several steps can be taken to help mitigate risk to an organization’s data in the cloud.

1. Design to align. First, align your cloud environment with cybersecurity frameworks. Often, organizations move to the cloud so rapidly that the security controls historically applied to their on-premises data centers don’t migrate effectively to the cloud. Furthermore, an organization may relax the security microscope on software-as-a-service (SaaS) applications such as Salesforce or Office 365. But even with these legitimate business applications, data may end up being leaked if you don’t have the right visibility and control. Aligning cloud provider technology with cybersecurity frameworks and business operating procedures provides for a highly secure, more productive implementation of a cloud platform, giving better results and a successful deployment.

2. Make yourself at home. Cloud systems and networks should be treated the way you treat your LAN and data center. Amazon’s Shared Responsibility Model, for example, outlines where Amazon’s security responsibility ends and your security responsibility begins. While threats at the compute layer exist — as we’ve seen with Meltdown, Foreshadow, and Spectre — recent cloud data breaches have shown a breakdown in an organization’s security responsibility area, namely operating system security, data encryption, and access control. If your organization has standards that govern the configuration of servers, vulnerability management, patching, identity and access management, encryption, segmentation, firewall rules, application development, and monitoring, see to it that those standards are applied to cloud services and are audited regularly.

3. Stop the “sneaking out at night.” Not too long ago, you would see organizations struggle with employees who set up unsecured wireless access points in an attempt to gain flexibility and efficiency. Fast forward to today — wireless controllers providing rogue detection and intrusion prevention system capabilities have helped rein in that activity. With the cloud, employees are setting up cloud storage accounts, serverless computing environments, and virtual private networks as needed to circumvent cumbersome change control procedures, cut costs, and gain similar flexibility and efficiency. By rearchitecting legacy networks, readjusting decades-old processes and procedures, implementing cloud proxy or cloud access security broker (CASB) technology, and coupling that with strong endpoint security controls and an effective awareness campaign, an organization can provide that level of flexibility and efficiency but still provide for data protection.

4. Keep a close watch. The cybersecurity operations center (CSOC) should no longer be concerned with just the local network and data centers. The operational monitoring procedures, threat hunting, intelligence, and incident response that the SOC uses also apply to cloud environments where the organization’s data resides. Monitoring SaaS applications where corporate data may reside is challenging but can be done using effective endpoint security coupled with the monitoring of cloud access solutions (CASB, proxy, and others). For a serverless environment, depending on your CSOC requirements, this may mean the application of third-party monitoring platforms or solutions beyond what cloud providers offer. In all cases, event logging and triggers need to feed back to the CSOC to be correlated with local event data, analytics, and threat intelligence.

With all the cloud services available, it’s no wonder companies struggle to manage risk. Shifting from a culture of “do whatever it takes to get the job done” to “do what is right for the business” takes a lot of coordinated effort and time but is rooted in security becoming a business enabler rather than continuing to be in the business of “no.”

Organizations must include security in technology decisions if security is to continue to protect the business, and security must understand the needs of the business and changes in technology in order to be that enabler. To help to prevent people from seeking their own solutions to technology problems, IT and security teams must evolve their assets and functions to accommodate that speed and convenience or find themselves constantly trying to keep up. 


Derrick Johnson is the National Practice Director for Secure Infrastructure Services within AT&T Cybersecurity Consulting, responsible for its direction and overall business performance. Derrick’s practice provides strategic and tactical cybersecurity consulting services …

Article source: https://www.darkreading.com/perimeter/cloud-security-and-risk-mitigation/a/d-id/1335100?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple aims privacy billboard at Google’s controversial smart-city

Some say that Apple’s strenuous Privacy-R-Us marketing campaign is hypocritical, but that’s not stopping it from continuing to troll Google over the issue.

In January 2019, it was the billboard it erected over Las Vegas during CES, blaring out that “what happens on your iPhone stays on your iPhone.”

The billboard depicted an iPhone and linked to apple.com/privacy: the spot where Apple proclaims that privacy is a “fundamental human right”.

It doesn’t gather and share your data, Apple promises, be it from taking a photo; asking Siri a question; getting directions; what your heart rate is after a run; what news stories you read; where you bought your last coffee; what websites you visit; or who you call, email, or message.

You can do it knowing that Apple doesn’t gather your personal information to sell to advertisers or other organizations.

Apple products are designed to protect your privacy – every Apple product is designed from the ground up to protect that information. And to empower you to choose what you share and with whom.

Quayside: prime site for privacy virtue signaling

But that billboard was then, and this is now: Apple has a new billboard and a far more specific target. This time, the company has erected a privacy billboard at the site of a developing “smart city” called Quayside. Some are calling the neighborhood, on Toronto’s eastern waterfront, a privacy dystopia in the making. It’s going to be sensor-thick, and it’s tangled up with the uber data-collecting Google: the developer is Sidewalk Labs, which is a subsidiary of Google’s parent company, Alphabet.

Apple’s new billboard, positioned outside Sidewalk Toronto headquarters, again depicts an iPhone. The tagline: “We’re in the business of staying out of yours.”

The vision for Quayside is that of a smart city built “from the internet up”. As the Atlantic reported last November, sensor-collected data will be used “to disrupt everything:” traffic congestion, healthcare, housing, zoning regulations, and greenhouse-gas emissions. From the Atlantic’s writeup:

Long before flying cars, smart sensors won’t just be in our mattresses or our bidets, they’ll be embedded in the walls of our homes and the concrete beneath our feet.

This always-data-slurping vision has drawn a storm of backlash against Sidewalk Labs and its real-estate partner, Waterfront Toronto, both of which have been criticized for dismissing privacy concerns and allegedly misinforming residents.

As of November 2018, four prominent people had resigned from Waterfront Toronto’s and Sidewalk Labs’ advisory board over concerns about privacy and lack of public input, including Ontario’s former Privacy Commissioner, Ann Cavoukian.

US venture capitalist Roger McNamee – an increasingly outspoken critic of tech giants’ approach to privacy – has described the development plans as “the most highly evolved version to date” of the type of “surveillance capitalism” that’s central to the business models of Google and Facebook in particular.

From McNamee’s letter to Toronto City Council:

No matter what Google is offering, the value to Toronto cannot possibly approach the value your city is giving up. It is a dystopian vision that has no place in a democratic society.

Perhaps not, but Apple’s no dummy: Quayside definitely has a place in its privacy marketing.

Is Apple really privacy’s Snow White?

Apple may be quite happy to throw stones at Google, but there are those who believe it lives in a glass house. In May 2019, the Washington Post reported that its “privacy experiment” showed that in a single week, 5,400 hidden app trackers were guzzling iPhone data. From the article:

Even though the screen is off and I’m snoring, apps are beaming out lots of information about me to companies I’ve never heard of. Your iPhone probably is doing the same – and Apple could be doing more to stop it.

Technology columnist Geoffrey A. Fowler found that several iPhone apps were tracking him, passing information to third parties while he was asleep, including, perhaps unsurprisingly, IBM’s The Weather Channel – the app that Los Angeles sued over selling users’ location data.

Another investigation earlier this year – this one by TechCrunch – found that some apps were using so-called session replay technology: a type of analytics software that records the screen when an app is open. Apple told developers to knock it off, TechCrunch later reported, noting that apps using the technology included ones built by some big names.

Readers, your thoughts: does Apple have ample privacy cred to sling mud like this?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/syZodMVK7_U/

Firefox to include tracker blocking report feature

Mozilla has introduced a lot of tracker blocking protections into Firefox lately. Now, it is planning a new feature that will let you see how many online snoopers you’ve successfully evaded.

A new feature called the Tracking Protections Panel (aka the Protection Report) will tell users how many trackers Firefox blocked in the prior week, giving them a good sense of how well these protections are working.

To help understand why Mozilla is doing this, it’s worth looking at the tracker protections Firefox has recently added.

Mozilla released the full version of its Enhanced Tracking Protection (ETP) system in Firefox 67.0.1 in June. This introduced default blocking for cross-site trackers, which are the small pieces of code embedded in websites by advertising networks. They watch what you’re reading across the web to generate a profile of you.

Mozilla simultaneously released an updated version of its Facebook Container to stop the social media giant tracking people in a similar way. Those share and like buttons you see on various sites? They tell Facebook what you’re reading across the web – whether you click them or not. The updated container blocks those, along with all other connections to Facebook’s servers.

In May 2019, Firefox also introduced a feature to block any cryptomining scripts that the user runs across. These are JavaScript programs that use the browser’s host computer to mine for cryptocurrency (typically Monero). One or two are legit and ask the user’s permission. Most aren’t, and don’t.

Around the same time, it also officially introduced fingerprint blocking. Fingerprinting is a sneaky technique that websites use to uniquely identify users without using cookies. It does that by measuring things like the colour depth of their machine and the dimensions of their browser windows.

The Protection Report

The Tracking Protections Panel/Protection Report will feature a graph showing users how many trackers their browser has blocked each day. It will break them down into their various types, including ad trackers, cross-site trackers, fingerprinters, and cryptomining scripts.

Finally, the report should tell you how many times Firefox caught and blocked a tracker that a social media site was using to follow you across third-party websites. The results should be illuminating.

The Protection Report feature isn’t out yet. Right now, there’s a mockup in the Nightly build of Firefox 69, which is an in-development version of the browser. You’ll be able to see it by typing about:protections into your Firefox address bar, but only if you download the Nightly build manually.

This is more than just a reminder of what the browser is doing to protect you from online snoops. It will also help you find a balance between privacy and functionality. Mozilla offered cross-site tracker blocking as an option in Firefox 63, released in October 2018, but it took a while to turn it on by default. That’s in part because blocking trackers by default might hinder the functionality of some sites. The Protection Report will help users measure their privacy against their surfing experience and adjust accordingly.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nU66NJPTbUs/