At a glance.
- GoDaddy breached.
- Contact-tracing app development.
- Privacy principles for contact tracing apps.
- Data retained in used, resold components.
- Adult streaming site exposes data online.
GoDaddy has been breached.
GoDaddy, the world's largest domain registrar, disclosed yesterday that it had sustained a data breach. BleepingComputer reports that GoDaddy noticed it had a problem on April 23rd, when its security team discovered "an altered SSH file in GoDaddy's hosting environment and suspicious activity on a subset of GoDaddy's servers." The attackers had apparently been inside since October 19th of this past year. Approximately 28,000 hosting accounts were compromised.
Contact-tracing app development.
The UK has begun to pilot its contact-tracing app on the Isle of Wight. Matt Hancock, Secretary of State for Health and Social Care, gave the islanders a bucking up. “We’ll learn a lot, we’ll use it to make things better, and we want to hear from you,” the Telegraph quotes him as saying. “Where the Isle of Wight goes, Britain follows.”
The British system is something of an outlier among the more recent approaches to contact tracing in that it represents a centralized approach to collection and analysis of data. The Telegraph has a description of how the app is intended to work. It's an opt-in system that uses Bluetooth for sensing proximity, and that depends upon self-reporting of positive diagnoses. A skeptical piece in the Register outlines some of the challenges confronting the NHSX-developed app, and a second Register article reports that NHS has informed Parliament that it intends to retain the data it collects even after the pandemic passes. The centralized collection and analysis, and the plans to continue to use data for research, have led to calls, ComputerWeekly says, for close legislative oversight of the system.
The inadvertent exposure of a contact tracing database in India has aroused suspicion of such efforts' security and privacy, SC Magazine observes. The Washington Post has an overview of how such suspicions are currently being manifested around the world. In the US, while there are other projects under development, the joint Apple-Google exposure notification app has attracted the most interest. It's decentralized, opt-in, and will not, Reuters reports, use location tracking.
Suggested principles for building contact tracing apps that respect privacy.
FireEye offers a security firm's perspective on the guidelines within which contact tracing ought to be developed. In brief, the company argues that these principles should be followed:
- Secure consent for tracking data "on an individual level." This includes familiar strictures on transparency and disclosure: what's collected, why it's collected, how it's collected, what it's used for, and who gets to see it.
- Establish time restrictions: when do collection and analysis stop?
- "Use the right technology." GPS? Bluetooth? Video surveillance? Mobile antenna location? Different technologies are better adapted to different purposes.
- "Properly secure the collected data."
- "Prepare to facilitate data protection rights, including deletion rights."
Lawyers have their own perspective, and in Law360 Cooley offers a good example of the principles and practices they would recommend for a "cautious approach to contact tracing." They focus on transparency, and that includes clarity about the mission of any contact-tracing system. They urge devoting a good deal of attention to communicating effectively with the people who'll be affected by data collection—this is no time for hundred-page EULAs, but it would be a good time to get help from marketing specialists who know how to communicate with brevity and clarity. Minimize data collection, use, and retention. Anonymize any data collected. Limit the third parties with whom data are shared, and make sure the users know who those third parties are. Treat data collected as sensitive, and protect it accordingly.
Replaced and resold, but with data still on board.
Inside EVs reports that Tesla components replaced during servicing of the electric cars have been turning up for sale on eBay (and presumably elsewhere) with the previous owners' data still on the devices. Tesla offers retrofitting services for its vehicles' autopilot and media control units, and the units swapped out appear, according to the researcher who checked some units, to have retained personal data.
The findings prompted a surprising number of comments from the cybersecurity sector, many of which suggest ways of avoiding the problem. Mark Bower, senior vice president at comforte AG, sent these comments: “Tesla always push[es] boundaries of driverless technology, so it’s quite unexpected to hear of data leakage of personal data from automotive components like this, especially those at the edge of powerful online network systems that drive modern intelligent vehicles. The question on my mind is, could Tesla avoid personal data storage like this using modern data-centric security technology? Very probably. There are new data security methods that are ideal for dynamic edge telemetry systems and online analytic platforms to avoid retention of personal data while still enabling full customer experience, engagement, and even machine learning analytics without live data leakage risks. That would take care of both the disposal and recycling of parts, but also a myriad of security and privacy compliance issues and data breach risks for them.”
Paul Bischoff, privacy advocate with Comparitech, wrote, “Tesla seems to have an operational security issue at its service centers that allow its computers to be resold without wiping the previous owners' data. The service centers are either not destroying them well enough to make data unrecoverable, or technicians are selling the old computers to make a profit, or both. If you plan on upgrading the computer in your Tesla, be sure to use the factory reset option to wipe all of the data beforehand.”
And Javvad Malik, Security Awareness Advocate at KnowBe4, pointed out that, "Second-hand electronics can be a treasure trove of information for criminals. If organisations do not adequately wipe previous information, any information stored relating to previous owners or organisations can be viewed, resulting in a security and privacy breach. It's therefore essential that organisations which provide devices have mechanisms that allow users to easily and securely erase all data contained prior to returning or selling it."
The curious dialectic of privacy and exhibitionism.
Not that this would affect anyone reading this, but you may as well know that the adult streaming site CAM4, which belongs to Granity Entertainment, has let more hang out than it no doubt intended. Researchers at the Safety Detectives found an unsecured Elasticsearch database containing more than seven terabytes of data, most of it personal, affecting an unknown number of users. If email addresses are taken to be a reliable proxy for users, then eleven million email addresses were among the data on display.
Also out there was the sort of personal information one would expect to be shared by those wishing to customize and optimize their user experience. It's not known how many users CAM4 has, but it enjoys an international clientele. Americans, Brazilians, and Italians appear to be the friskiest of those represented in the database, with the Russians bringing up a sad and distant rear.
CAM4 is said to feature mostly amateur models who work for tips, although how one could work, even for tips, and remain a true amateur is unclear. Not that you would, of course, but don't go there.