At a glance.
- Database exposure in Thailand.
- SQL databases stolen, used in extortion of e-commerce sites.
- Port scans, privacy, and security.
- Privacy concerns and COVID-19 contact tracing.
- Remote work and data privacy protections.
- GDPR on its second anniversary.
Database exposure in Thailand.
Advanced Info Service (AIS), Thailand's largest cellular service provider, has pulled an inadvertently exposed database from the Internet. The data it included, TechCrunch reports, could have revealed a user's online activity in real time to any interested third party that came upon it. Researcher Justin Payne, credited with discovering the incident, wrote that it was a case of a misconfigured ElasticSearch database.
SQL databases stolen, used in extortion of e-commerce sites.
TechNadu and other outlets are reporting that at least thirty-one SQL databases have been stolen from a range of online shops, many of them located in Germany. The hackers are using the stolen data as leverage to extort ransom from the e-commerce sites. The information in the databases varies, but the compromised records can include names, usernames, email addresses, hashed passwords, date of birth, physical addresses, gender, account status, shopping history, and so forth.
Ilia Kolochenko, CEO of ImmuniWeb, commented that the sophistication of online extortion has advanced considerably over the last five years. "Many cyber gangs now leverage Machine Learning capabilities to better and faster detect outdated web applications in the Internet," he said in an email, adding that, "They rapidly compromise, backdoor and even patch the vulnerability in a silent and seamless manner to preclude rival hacking groups from taking over the victim's website. In today's pandemic-bolstered e-commerce sector, however, most of the newly deployed web applications are insecure and vulnerable. We will likely see a protracted surge of new attacks targeting careless web shops. Most of them are unfortunately poised to be highly successful, and costly for the victims."
Port scans, privacy, and security.
NullSweep reports that various legitimate sites are conducting localhost port scans of visiting computers. The motivation appears to be checking for potentially malicious bots. The site that's drawn the most attention is eBay. BleepingComputer says that the site is running a script that seems to be checking for remote access and remote support tools. It's part of a fraud-detection effort. As Forbes points out, active detection of fraud is something most would welcome, but it's harder to justify this sort of scanning when it's done without user consent, and, indeed, when it's done to users who aren't even logged into the site but are simply visiting it, often in an incognito mode.
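The reports above don't describe how the page script reaches the visitor's local ports. The example below is added here and is not code from eBay, NullSweep, or BleepingComputer; it assumes the page script opens WebSocket connections to loopback addresses, and shows a guard a user script or browser extension could install to log and block such attempts while letting ordinary connections through.

```javascript
// Added example: detect and block page-initiated WebSocket connections to the
// visitor's own machine. Assumption (not stated in the article): the localhost
// probing is done by opening WebSockets to loopback addresses.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns true when a WebSocket URL targets a loopback address.
function isLoopbackProbe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable; let the real constructor reject it
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") return false;
  const host = parsed.hostname.toLowerCase();
  if (LOOPBACK_HOSTS.has(host)) return true;
  // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Wraps the WebSocket constructor found on `scope` (window in a browser).
// Blocked attempts are pushed onto the returned array, so the user can see
// which local ports the page tried; everything else passes to the original.
function installWebSocketGuard(scope) {
  const Original = scope.WebSocket;
  const blocked = [];
  function GuardedWebSocket(url, protocols) {
    if (isLoopbackProbe(url)) {
      blocked.push({ url: String(url), port: new URL(url).port || "default" });
      throw new Error("blocked WebSocket to loopback address: " + url);
    }
    return protocols === undefined
      ? new Original(url)
      : new Original(url, protocols);
  }
  GuardedWebSocket.prototype = Original.prototype;
  scope.WebSocket = GuardedWebSocket;
  return blocked;
}
```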
Privacy concerns and COVID-19 contact tracing.
COVID-19 contact-tracing systems have faced related questions about their efficacy, adoption, and privacy. For an app to work, it would require either effective geolocation or at least proximity detection. This has usually been realized by taking smartphones as surrogates for natural persons, an arguably useful but admittedly imperfect association. No one can reasonably expect perfection from any system, and the high rate of smartphone use makes it a reasonable approximation, but of course not everyone has a smartphone, and not all who do carry them at all times. (Singapore is considering adopting wearable devices worn on a lanyard as an alternative and more visible approach to contact tracing, ZDNet reports.)
And this approach to contact tracing would require adoption by a significant fraction of the population. Estimates naturally differ, but most of them put this number somewhere north of 40%, and many estimates place it higher. That degree of voluntary adoption has proven difficult to achieve in practice. A survey Checkmarx commissioned early this month found that 48% of American respondents said they would either be unlikely to download a contact-tracing app, or that they would flatly refuse to do so.
Why would such adoption be voluntary in the first place? Because of data privacy laws, and their surrounding culture of informed consent. In this regard people have worried more about opting into a centralized contact-tracing system like the one developed by the UK's NHSX than they have about signing onto the decentralized exposure notification system proposed by Google and Apple (although that approach hasn't seen a popular rush to adoption, either). In the case of the NHSX system, popular suspicions have been further aroused by the involvement of US big data company Palantir, itself a lightning rod for conspiracy theories. In their respectable and defensible form, such theories argue, as the New Statesman summarizes, that centralized contact tracing could prove to be the entering wedge of a larger, more intrusive, and above all permanent state surveillance apparatus. According to ComputerWeekly, privacy advocates are pressing Her Majesty's Government for information about the form such plans are assuming.
Such concerns aren't confined to the UK. Reuters reports that on Sunday the Israeli cabinet decided that plans to involve the domestic security service Shin Bet in contact tracing would be relegated to a last resort.
Remote work and data privacy protections.
Remote work involves exposure to some forms of legal risk. The Information Commissioner's Office in the UK has offered guidance on how it intends to treat data protection regulations during periods of widespread remote work. ComputerWeekly's gloss on that guidance is simple: "In practice, this means that remote working is not an excuse to implement less stringent security measures than you would have otherwise had in place. The standard remains that organisations must ensure that an appropriate level of security is applied to the personal data that they process."
GDPR on its second anniversary.
The second anniversary of the European Union's General Data Protection Regulation was yesterday. An interview in Marketplace Tech gives the GDPR on balance a mixed review, in part because the fines weren't large enough to drive Big Tech out of business, which seems in some respects to miss the point: GDPR was after all intended to protect personal data, not bankrupt tech firms. What GDPR has undeniably done is to globalize, to a surprising extent, privacy protections. As Grant Geyer, Chief Product Officer at Claroty, put it in an emailed comment:
“Just as important as the principles the regulation stands for, the European Union’s global enforcement of blatant and willful violations of the rights of European citizens to have their personal data safeguarded has raised its prominence to the gold standard of data protection regulations worldwide. In today’s global economy, GDPR has swiftly created a replicable regulatory blueprint that represents a win for citizens to maintain ownership over their personal data. That’s a sacred right in a digital economy where for many years personal data has been abused and monetized without awareness, consent, or recourse.”