At a glance.
- New browser privacy standard.
- Fitbit proof-of-concept exploit.
- Virginia school district data leaked.
- Fintech startup Robinhood Markets customers' emails compromised.
- Facial recognition software and the data exposure risk.
- Privacy concerns arrive with Amazon Ring enhancements.
- Software AG's ransomware incident.
New internet browser privacy standard launched.
A new privacy standard called the Global Privacy Control (GPC) has been released, the result of a collaboration among several tech entities including the privacy-focused browser makers DuckDuckGo and Mozilla and the digital civil liberties nonprofit Electronic Frontier Foundation, Fast Company reports. By flipping a single switch in their browser settings, users can send every website they visit a signal denying permission to share or sell their data. The aim is to prevent the assembly of comprehensive user profiles that track behavior across the web for marketing purposes, while still allowing basic first-party site-visit analytics. The standard is currently available in several browsers, including Mozilla Firefox and DuckDuckGo, and is honored by major publishers such as the New York Times and the Washington Post. Though still provisional and not yet legally binding, the signal may already be enforceable under the California Consumer Privacy Act, and proponents are in talks with EU authorities to determine its status in Europe. “We hope that this is just a stepping stone to federal legislation,” said DuckDuckGo CEO Gabriel Weinberg.
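What the "single switch" actually does on the wire is worth seeing from the receiving end. The following is an added example, not code from the article or from the GPC project: per the GPC specification, a browser with the control enabled sends the request header `Sec-GPC: 1` and exposes the boolean `navigator.globalPrivacyControl` to page scripts, and a site that honors the signal may publish `/.well-known/gpc.json`. The consent-record shape, the sample requests, and the `handleRequest` helper are assumptions made for illustration.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out.
// Spec facts used here: request header `Sec-GPC: 1`, DOM property
// `navigator.globalPrivacyControl`, and the `/.well-known/gpc.json` document.
// The consent-record shape and sample requests are constructed for this example.

// Server side: does this request carry a valid GPC opt-out?
// Header names are case-insensitive. Only the exact value "1" is a signal;
// "0", empty, or anything else means no opt-out was expressed.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same question asked of the DOM. `nav` is passed in so the
// function can be exercised outside a browser; in a page you would pass the
// global `navigator`. Browsers without GPC support leave the property undefined.
function hasGpcProperty(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the opt-out to a per-visitor consent record (hypothetical shape).
// GPC is a do-not-sell/share signal: it turns off third-party sale and
// sharing and never re-enables anything. First-party analytics is untouched,
// matching the distinction drawn above.
function applyGpc(consent, optedOut) {
  const updated = { ...consent };
  if (optedOut) {
    updated.sellOrShare = false;
    updated.thirdPartyAds = false;
  }
  return updated;
}

// A site that honors GPC can say so at /.well-known/gpc.json.
// `lastUpdate` is an ISO date string (YYYY-MM-DD).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Decision for one request: read the header, update the stored consent.
function handleRequest(headers, storedConsent) {
  const optedOut = hasGpcHeader(headers);
  const consent = applyGpc(storedConsent, optedOut);
  return { optedOut, consent };
}

// Constructed sample requests and a default consent record (not real traffic).
const withGpc = { Host: 'example.test', 'Sec-GPC': '1' };
const withoutGpc = { Host: 'example.test' };
const defaults = { sellOrShare: true, thirdPartyAds: true, analytics: true };

console.log(handleRequest(withGpc, defaults));
console.log(handleRequest(withoutGpc, defaults));
console.log(gpcWellKnown('2020-10-07'));
```

Two practical points the code makes explicit: the signal must be checked on every request rather than once at account creation (the visitor may enable it later), and a site should treat it as one-way, never restoring sale or sharing because a subsequent request happened to lack the header.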
Fitbit vulnerable to spyware.
Your Fitbit could be turned into a spyware device, security research firm Immersive Labs reports. By delivering a malicious app through fitbit.com to the fitness tracker, researchers were able to bypass the platform's protections and install spyware on the device, giving them access to user data including location, age, and calendar information. Once the device has an internet connection, the app can transmit that data to any server the attacker chooses. Fitbit has been informed of the weakness and is working with Immersive Labs to resolve it.
Virginia school district data leaked to Dark Web.
The Fairfax County Public School District (FCPS), located in the US state of Virginia, has informed parents and employees that data compromised in a September ransomware attack has been published on the internet, the Washington Post reports. Though the district has declined to specify exactly what information was stolen, the material the Maze ransomware group has posted on the Dark Web suggests the leaked data includes student disciplinary records and employee insurance information. FCPS superintendent Scott Brabrand said school officials are working with the FBI and local police to identify the attackers and determine which individuals were affected.
Robinhood customer emails hacked.
Reuters reports that email accounts belonging to customers of US financial technology company Robinhood Markets Inc have been compromised. Robinhood maintains that its own systems were not breached and that the compromise occurred outside its platform. The company has nonetheless promised to help affected customers secure their accounts.
Facial recognition software in China associated with data exposure.
COVID-19 has spurred widespread adoption of facial recognition systems in China, but the databases behind them have proved unusually prone to exposure, the South China Morning Post reports. The problems appear to arise when overworked technicians leave databases exposed to the Internet.
Amazon Ring enhancements arouse privacy concerns.
Ring Always Home Cam, a small indoor drone that flies a patrol route inside the user's home, and Amazon One, a palm-recognition scanner, have drawn scrutiny from privacy advocates. According to WIRED, the concerns arise at the intersection of data collected inside a private space, biometric information, and Amazon's cloud. While Amazon has built a generally strong security record for its cloud operations, mistakes can happen (and have happened). The two new products raise the stakes: the consequences of a breach or an inadvertent data exposure are now greater and potentially more damaging.
Software AG sustains ransomware incident.
Software AG, a Darmstadt-based provider of enterprise software, updated its ransomware disclosure to acknowledge that the incident had not been as fully contained as initially believed, and that the attackers had indeed succeeded in obtaining data from servers and employee notebooks, SecurityWeek reports. Malware Hunter Team says the specific ransomware strain involved was Clop.
We heard from Dan Piazza, Technical Product Manager at Stealthbits Technologies, who sees the incident as displaying the ways in which size doesn't necessarily afford protection from ransomware attacks:
"Scale and clout do not make an organization immune from ransomware attacks, and often make them a more vulnerable target. An organization having deep pockets means attackers will devote vast resources towards compromising them, and more employees and networks means a larger attack surface. This also shows that threat actors are more motivated than ever and feel confident requesting exorbitant sums - likely due to past successes.
"This is also another example of how making preemptive positive statements can do more harm than good. Customers want to be reassured their data is safe when an organization they do business with is the victim of ransomware; however, when statements later need to be walked back, it ends up doing more harm to an organization’s reputation than if they hadn’t issued the statement to begin with (at least until the extent of the attack is known). Although statements such as these are typically made with good intentions, they can still have consequences if proven wrong and sensitive data is leaked."