At a glance.
- China's equivalent to the GDPR.
- Handling Autodiscover risk.
- Data breach at large Colombian realtor.
- The persistence of data fingerprinting.
How does China’s PIPL differ from the GDPR?
China’s Personal Information Protection Law (PIPL) comes into effect on November 1, and Data Matters offers an overview of what to expect. The PIPL is broadly similar to the EU’s General Data Protection Regulation, but one key difference is data localization: a company that collects personal data above a volume threshold must store that data within China, and any cross-border transfer must first pass a security assessment by the Cyberspace Administration of China (CAC). The PIPL also requires companies to obtain separate consent (usually a dedicated signature or checkbox rather than a bundled terms-of-service acceptance) before processing sensitive personal data, and to conduct a personal information protection impact assessment before engaging a third-party processor.
Microsoft’s Autodiscover bug: What can be done?
As we noted yesterday, researchers disclosed a flaw in the Autodiscover mechanism that Microsoft Exchange clients use to locate their mail server; under the wrong conditions it can send users’ email addresses and passwords to servers outside their own organization. MSSP Alert discusses exactly how threat actors could exploit this flaw and how organizations can protect themselves. Suggestions include blocking outbound connections to third-party Autodiscover domains at the firewall, and disabling Basic authentication for Exchange, since that scheme transmits the password itself rather than a challenge response. It’s worth noting that this issue is just the latest flaw plaguing Exchange users; the US Cybersecurity and Infrastructure Security Agency (CISA) recently issued guidance regarding the ProxyShell vulnerabilities.
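To make the firewall advice concrete, here is an added example (not code from the page or from Microsoft) that models which hosts an Autodiscover client will contact for a given mailbox and flags the ones the organization does not own. It is a simplified model: it assumes the client probes the mail domain, then autodiscover.<domain>, and then "backs off" one DNS label at a time toward the top-level domain, and it ignores SRV lookups and redirects. The mailboxes and owned domains are constructed placeholders.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email):
    """Return the URLs an Autodiscover client may try, in order, for one mailbox.

    Simplified model (assumption): direct probes of the mail domain and of
    autodiscover.<domain>, followed by the "back-off" in which the client strips
    the leftmost DNS label and retries against the parent domain until only the
    top-level domain is left. SRV lookups and HTTP redirects are not modelled.
    """
    domain = email.rsplit("@", 1)[1].lower().strip(".")
    urls = [
        "https://%s%s" % (domain, AUTODISCOVER_PATH),
        "https://autodiscover.%s%s" % (domain, AUTODISCOVER_PATH),
        "http://autodiscover.%s%s" % (domain, AUTODISCOVER_PATH),
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        urls.append("https://autodiscover.%s%s" % (parent, AUTODISCOVER_PATH))
        urls.append("http://autodiscover.%s%s" % (parent, AUTODISCOVER_PATH))
    return urls


def leaking_hosts(email, owned_domains):
    """Hosts in the probe sequence that are not under a domain the organization owns.

    Any credentials the client attaches to a probe of these hosts go to whoever
    registered them, which is the exposure the report describes.
    """
    owned = {d.lower().strip(".") for d in owned_domains}
    seen = set()
    leaks = []
    for url in autodiscover_candidates(email):
        host = urlsplit(url).hostname
        if host in seen:
            continue
        seen.add(host)
        if not any(host == d or host.endswith("." + d) for d in owned):
            leaks.append(host)
    return leaks


def firewall_blocklist(emails, owned_domains):
    """Union of third-party Autodiscover hosts to deny egress to, sorted."""
    hosts = set()
    for email in emails:
        hosts.update(leaking_hosts(email, owned_domains))
    return sorted(hosts)


if __name__ == "__main__":
    # Constructed sample mailboxes and owned domains, not real accounts.
    users = ["alice@example.com", "bob@mail.example.co.uk"]
    owned = {"example.com", "example.co.uk"}
    for user in users:
        print(user, "->", leaking_hosts(user, owned))
    print("\n".join(firewall_blocklist(users, owned)))
```

Blocking the listed hosts stops the client from reaching a third party at all; disabling Basic authentication limits what any probe that does get through can disclose.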
Real estate firm leaves the house unlocked.
The Hacker News reports that Coninsa Ramón H, a Colombia-based real estate firm, exposed the data of more than 100,000 of its customers through a misconfigured Amazon Web Services Simple Storage Service (S3) bucket. Researchers found that the bucket’s 5.5 million unencrypted files included full names, addresses, profile pictures, hashed passwords, and even details regarding “$140 to $200 billion in transactions, or an annual transaction history of at least $46 billion,” which amounts to approximately 14% of Colombia’s total economy. Most alarmingly, the bucket also contained backdoor code that, in the wrong hands, could have been used to hijack the firm’s website and redirect customers to malicious pages.
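The page does not say how the bucket was left open, so as an added example (not the firm’s configuration or code from the article) here is a small offline check for the most common cause, a bucket policy that grants read access to everyone, beside a hardened policy that scopes the grant to one IAM role, plus a check of the Block Public Access switches that would have overridden either a permissive policy or a public ACL. The policies, bucket name, account ID and role name are constructed placeholders.

```python
import json

# Actions that, when granted to anyone, make bucket contents readable by anyone.
PUBLIC_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for the two spellings that mean 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Return the statements that let anonymous callers read objects or list the bucket."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        exposed = sorted(actions & PUBLIC_READ_ACTIONS)
        if exposed:
            findings.append({
                "Sid": stmt.get("Sid"),
                "actions": exposed,
                "resources": _as_list(stmt.get("Resource", [])),
                # A Condition (for example on aws:SourceIp) narrows the grant but
                # still deserves review, so it is reported rather than excused.
                "has_condition": "Condition" in stmt,
            })
    return findings


def block_public_access_gaps(settings):
    """Names of the Block Public Access switches that are not turned on."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [name for name in required if not settings.get(name, False)]


# Constructed sample policies; bucket name, account ID and role are placeholders.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/WebAppRole"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

if __name__ == "__main__":
    print("open policy:", public_read_statements(OPEN_POLICY))
    print("hardened policy:", public_read_statements(HARDENED_POLICY))
    print("missing BPA switches:", block_public_access_gaps({"BlockPublicAcls": True}))
```

The same checks apply to a policy pulled from a live account with the AWS CLI or SDK; the point of keeping the input as plain JSON is that the review can run in CI before a policy is ever applied.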
Despite Apple’s efforts, digital fingerprinting persists.
As part of Apple’s App Tracking Transparency initiative, iPhone apps now give users the option to “Ask App Not to Track” with a single tap. But researchers at privacy software firm Lockdown found that apps like the mobile game Subway Surfers are still sending device data such as IP address, free storage, volume level, and battery life to third-party ad tracking companies like Chartboost. The Washington Post explains that while Apple’s tracking rules prevent apps from sharing a device’s Identifier for Advertisers (IDFA), some apps are gathering seemingly harmless technical details that, when compiled, create a digital fingerprint of the device. According to Lockdown co-founder Johnny Lin, “When it comes to stopping third-party trackers, App Tracking Transparency is a dud. Worse, giving users the option to tap an ‘Ask App Not To Track’ button may even give users a false sense of privacy.” Asked for a response, the makers of Subway Surfers said the data must be sent to ad companies for the game to “function properly,” but did not explain why. It’s unclear whether Apple will take steps to prevent digital fingerprinting, but there’s hope: the company’s new Private Relay service can hide IP addresses (a key data point for fingerprinting) from web trackers in the Safari browser.
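To show why “harmless” fields add up to a fingerprint, here is an added example (not code from Lockdown, Apple or the Post) that hashes the fields the article lists into a device identifier and measures, over a constructed sample, how many devices each combination singles out and how much entropy it carries. The eight device records are made up, with two devices sharing each IP address as phones behind one NAT would; the point is the trend, not the numbers.

```python
import hashlib
import math
from collections import Counter

# Constructed sample telemetry for eight devices (not real data). Two devices
# share each IP address, as phones behind the same home or office NAT would.
DEVICES = [
    {"ip": "203.0.113.10", "free_storage_gb": 12, "volume": 0.5,  "battery": 81},
    {"ip": "203.0.113.10", "free_storage_gb": 40, "volume": 0.5,  "battery": 81},
    {"ip": "198.51.100.7", "free_storage_gb": 12, "volume": 1.0,  "battery": 43},
    {"ip": "198.51.100.7", "free_storage_gb": 12, "volume": 0.5,  "battery": 43},
    {"ip": "192.0.2.33",   "free_storage_gb": 7,  "volume": 0.25, "battery": 12},
    {"ip": "192.0.2.33",   "free_storage_gb": 7,  "volume": 0.25, "battery": 98},
    {"ip": "203.0.113.99", "free_storage_gb": 12, "volume": 0.5,  "battery": 81},
    {"ip": "203.0.113.99", "free_storage_gb": 40, "volume": 0.5,  "battery": 81},
]

ALL_FIELDS = ["ip", "free_storage_gb", "volume", "battery"]


def fingerprint(record, fields):
    """Hash the chosen fields into a device identifier, as a tracker would."""
    payload = "|".join("%s=%s" % (f, record[f]) for f in fields)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()[:16]


def entropy_bits(devices, fields):
    """Shannon entropy of the fingerprint built from `fields` across the sample."""
    counts = Counter(fingerprint(d, fields) for d in devices)
    n = len(devices)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def uniquely_identified(devices, fields):
    """How many devices get a fingerprint no other device in the sample shares."""
    counts = Counter(fingerprint(d, fields) for d in devices)
    return sum(1 for d in devices if counts[fingerprint(d, fields)] == 1)


if __name__ == "__main__":
    for field in ALL_FIELDS:
        print([field], round(entropy_bits(DEVICES, [field]), 2), "bits,",
              uniquely_identified(DEVICES, [field]), "singled out")
    print(ALL_FIELDS, round(entropy_bits(DEVICES, ALL_FIELDS), 2), "bits,",
          uniquely_identified(DEVICES, ALL_FIELDS), "singled out")
    # Hiding the IP address (what Private Relay does for Safari traffic) lowers
    # the fingerprint's entropy and halves the number of singled-out devices here.
    without_ip = ALL_FIELDS[1:]
    print(without_ip, round(entropy_bits(DEVICES, without_ip), 2), "bits,",
          uniquely_identified(DEVICES, without_ip), "singled out")
```

Fields like battery level and volume drift over time, so a real tracker combines them with slower-changing ones and re-links records across sessions; the sample keeps them static to isolate the combination effect.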