At a glance.
- Ransomware attacks should be assumed to be data breaches.
- Israel's Likud Party leaks voter database.
- Badly configured Docker registries exposed to the Internet.
- Privacy policies continue to be surprisingly permissive.
- Australian Human Rights Commission wants to limit data retention to six months.
- Belfast parking management company exposes UK drivers' personal information.
Ransomware has become a threat to privacy, not just to operations.
The ransomware underworld has now added a second threat. The more advanced and widely used ransomware strains no longer simply encrypt data and hold it hostage. They now steal data and threaten to sell them or release them publicly. Much of the information being held at risk is personal. Ars Technica looks at this trend and concludes that we've seen the end of "no-breach" ransomware. Back-ups remain necessary but are no longer sufficient: effective data loss prevention is now essential as well.
Unsecured Likud app leaks Israeli voter database.
Haaretz reports that Israel's Likud Party's unsecured Elector app uploaded and exposed "names, identification numbers and addresses" of more than six-million voters. Likud had no immediate comment, but Feed-b, the company that developed the Elector app, called the issue a "one-off incident that was immediately dealt with" and said that security measures have since been boosted. Feed-b says the data are now secure, but it's not known who may have accessed them before the problem was addressed. Haaretz says Elector has users in the US, China, Russia and Moldova as well as within Israel itself.
Improperly configured Docker registries expose source code and sensitive data.
Palo Alto Networks' Unit 42 warns that it's found one-hundred-seventeen Docker registries exposed to the Internet that lack the authentication controls necessary to prevent unauthorized access. Cloud infrastructures continue to be compromised by failures in their configuration. The researchers write that "a misconfigured Docker registry could leak confidential data, lead to a full-scale compromise, and interrupt the business operations." They add that remediation is conceptually simple, but that as the number of applications grows and an organization's infrastructure grows more complex, configuration missteps become difficult to detect manually.
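For readers who run their own registry, here is an added illustration of the misstep and its fix, written for this digest rather than taken from the Unit 42 report: a Docker Distribution (registry:2) config.yml that listens on all interfaces with no authentication, followed by the same file with TLS and htpasswd authentication enabled. The certificate, key and htpasswd paths are assumed placeholders.

```yaml
# --- Exposed configuration (do not deploy) ---
# No "auth" section: anyone who can reach port 5000 can list, pull and push images.
# No "tls" section: credentials and image layers travel in clear text.
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000

# --- Remediated configuration ---
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: false            # keep remote deletion off unless a workflow needs it
http:
  addr: 0.0.0.0:5000
  tls:
    certificate: /certs/registry.crt   # assumed path: certificate for the registry's hostname
    key: /certs/registry.key           # assumed path: matching private key
auth:
  htpasswd:
    realm: registry-realm
    path: /auth/htpasswd      # assumed path: bcrypt entries, e.g. from "htpasswd -Bbn user pass"
```

With the remediated file in place, an unauthenticated GET /v2/ from outside returns 401 instead of 200, which is the simplest external check that the registry is no longer open; Unit 42's point is that such checks need to be automated as the number of registries grows.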
Privacy policies remain worth reading.
A software developer, Robert Heaton, has found that Wacom drawing tablets track the third-party apps users open and collect other surprising forms of information to be fed into Google Analytics. The collection is disclosed in Wacom's privacy policy, and as Naked Security points out, companies find it useful to collect the sort of data Wacom is interested in. They want to see how customers actually use their products and to determine whether those products can be improved. And Wacom's policies appear to be in substantial compliance with applicable regulations. The discussion, however, shows how attractive, even irresistible, data collection can be.
Telecommunications data retention in Australia.
The Australian Human Rights Commission thinks current regulations, which authorize retention of "undifferentiated" telecommunications data for up to two years, should be revised to limit such data retention to six months, and that access to personal information should be limited to the investigation of serious crimes, ZDNet reports. Currently law enforcement agencies have warrantless access to citizens' telecommunications data. "We can, and we need, to do better in making this legislation very targeted in combating serious crimes and serious crimes only, and advancing national security, bringing that within that scope," Commissioner Edward Santow told the Parliamentary Joint Committee on Intelligence and Security. The Commissioner received a relatively sympathetic hearing, with the Joint Committee expressing its sense that the data should be accessible only to "serious organisations looking at serious crimes." While Labor seems ready to vote for a briefer retention period, law enforcement and anti-corruption agencies have lined up in favor of the existing two-year limit, ZDNet reports.
JustPark just exposed British drivers' data.
JustPark, a Belfast company that last month took over the operation of the UK's Department of Infrastructure's parking app, reported that it had left personal data of British drivers exposed. The BBC reports that "names, email addresses, mobile numbers, car makes and registrations" were published to the app's commercial website. JustPark notified the Information Commissioner's Office and has apologized for the security lapse.