WebProNews

Category: CybersecurityUpdate

CybersecurityUpdate

  • Huawei and ZTE Excluded From India’s 5G Trials

    Huawei and ZTE Excluded From India’s 5G Trials

    Huawei and ZTE are in an all-too-familiar situation, both of them being excluded from a country’s 5G trials.

    Huawei and ZTE have both been under international scrutiny over their ties to Beijing. Governments and intelligence agencies around the world have warned that the companies, especially Huawei, pose a threat to national security and could be an avenue for the Chinese government to spy on others.

    The US, in particular, has been aggressive in its dealings with both companies. The firms are banned from US networks, and officials have pressured allies to do the same — often with great success.

    Although India has not officially banned any company from its wireless networks, BBC News is reporting Huawei and ZTE were not included in 5G trials involving a dozen other companies. Despite not implementing an outright ban, Delhi has indicated it would focus more on security and “trusted” vendors for telecom equipment rollouts.

    India’s stand is another blow to the Chinese firms, and illustrates why Huawei is increasingly looking to diversify outside the telecoms industry.

  • Microsoft Will Keep EU Data in the EU

    Microsoft Will Keep EU Data in the EU

    Microsoft has upped its commitment to EU data privacy, promising to keep EU data within the bloc.

    Data privacy is a bigger concern than ever before, as individuals and lawmakers start holding companies accountable. As part of the shift toward more data responsibility, some jurisdictions have passed legislation requiring companies to take certain steps to protect user data.

    The EU’s GDPR is one of the strictest such laws, providing far more protection than US federal laws currently do. As a result, EU states and citizens have become increasingly concerned about their data being transferred to the US and coming under the scope of US surveillance efforts.

    Microsoft is working to address those concerns, promising it will go beyond existing agreements and keep EU data within the bloc. Brad Smith, President and Chief Legal Officer, announced the pledge on the company’s blog.

    Today we are announcing a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s core cloud services – Azure, Microsoft 365, and Dynamics 365. We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it. We’re calling this plan the EU Data Boundary for the Microsoft Cloud.

    The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.

    While individual states have passed privacy laws, there have been increasing calls for for the US to address the issue on a federal level. Microsoft’s pledge, along with the increased challenges of doing business in the EU, will likely add increased pressure for measurable change.

  • IBM Announces SaaS Cloud Pak for Zero Trust Security

    IBM Announces SaaS Cloud Pak for Zero Trust Security

    IBM is going all-in on zero trust security, with the introduction of a Software as a Service (SaaS) version of Cloud Pak for Security.

    In the age of cloud computing, zero trust security is viewed as an essential component. Traditional security focuses on maintaining a perimeter, within which the devices connected to that network are trusted. In cloud computing, however, there is no clear perimeter. As a result, each device must be treated with zero trust.

    “Our customers need to secure their rapidly changing business environments without causing delays or friction in their daily operations,” said Mary O’Brien, General Manager, IBM Security. “It’s not uncommon to have users, data and applications operating in different environments. They all need to connect to one another quickly, seamlessly, and securely. A zero trust approach offers a better way to address the security complexity that is challenging businesses today.”

    IBM is helping companies embrace zero trust security for their operations, with its SaaS Cloud Pak for Security.

    “With a mobile workforce and data residing everywhere, the Internet has become our primary network,” said Mauricio Guerra, CISO for The Dow Chemical Company who will participate in IBM Think on May 11. “Embracing a zero trust architecture enables us to add new capabilities and strengthen security. Working with partners like IBM Security and Zscaler can help us provide users with secure remote access to all of our locations, as well as access to applications wherever and however they are hosted.”

    “Working from anywhere, combined with enterprises’ move to SaaS and the cloud, has effectively rendered the perimeter security model obsolete and traditional security defenses ineffective,” said Jay Chaudhry, Chairman, CEO and Founder of Zscaler. “The only way to truly secure today’s digital businesses is to adopt a zero trust security model where validated user identity is combined with business policies for direct access to authorized applications and resources. Our alliance partnership with IBM Security, as part of the Zscaler Zero Trust Ecosystem, is helping organizations and their employees fully embrace working from anywhere while protecting enterprise data.”

  • Messaging App Signal Experiencing Issues

    Messaging App Signal Experiencing Issues

    Popular messaging app Signal is experiencing issues, with messages either not being delivered, or taking a long time to arrive.

    Signal is a popular messaging app that is widely considered to be one of the most secure communication platforms in the world. It is used by governments and military units, as a result of its strong security and encryption.

    Signal experienced meteoric growth in recent months, thanks to Facebook’s decision to share WhatsApp data with other Facebook-owned companies. The social media giant faced immediate backlash, with many users switching to Signal.

    The growth hasn’t been without challenges, however, as Signal has sometimes struggled to keep up with demand. It appears the service is experiencing another outage, with users on Twitter reporting problems with severely delayed messages.

    Downdetector is also showing a spike in issues with Signal, although the company has not yet issued a statement on the problem.

  • ’Fourth Amendment Is Not For Sale Act’ Tackles Warrantless Surveillance

    ’Fourth Amendment Is Not For Sale Act’ Tackles Warrantless Surveillance

    A proposed piece of legislation would tackle surveillance and the warrantless purchase of individual location data.

    The “Fourth Amendment Is Not For Sale Act” is a bill that has wide bipartisan support and would address some of the biggest challenges in the realm of surveillance. Clearview AI made headlines in early 2020 as it built a business model on scraping images from social media networks and using them to build an AI-powered facial recognition database.

    Clearview AI sold access to its database to law enforcement agencies all over the country, transactions that were performed without a warrant. Other companies have been accused of doing the same thing, selling location data to law enforcement agencies without due process or authorized warrants.

    The Fourth Amendment Is Not For Sale Act would address that loophole, ensuring courts have a say in the process.

    “Doing business online doesn’t amount to giving the government permission to track your every movement or rifle through the most personal details of your life,” Senator Ron Wyden said. “There’s no reason information scavenged by data brokers should be treated differently than the same data held by your phone company or email provider. This bill closes that legal loophole and ensures that the government can’t use its credit card to end-run the Fourth Amendment.”

    “The Fourth Amendment’s protection against unreasonable search and seizure ensures that the liberty of every American cannot be violated on the whims, or financial transactions, of every government officer,” Senator Rand Paul said. “This critical legislation will put an end to the government’s practice of buying its way around the Bill of Rights by purchasing the personal and location data of everyday Americans. Enacting the Fourth Amendment is Not For Sale Act will not only stop this gross abuse of privacy, but also stands for the fundamental principle that government exists to protect, not trade away, individual rights.”

  • Huawei Could Monitor Calls on One of the Largest Dutch Wireless Networks

    Huawei Could Monitor Calls on One of the Largest Dutch Wireless Networks

    Huawei is facing accusations that it had the access and ability to monitor all the calls made on KPN’s wireless network, one of the largest in the Netherlands.

    Huawei has been facing accusations for years that it serves as a conduit for Beijing to spy on governments and companies around the world. The US ultimately banned the Chinese firm from participating in its networks, and many of its allies did the same.

    Dutch newspaper De Volkskrant saw a confidential report prepared for KPN in 2010 by the Capgemini consultancy firm. According to The Guardian, the report found that Huawei and China could have monitored calls by then prime minister Jan Peter Balkenende, as well as Chinese dissidents.

    KPN has downplayed the report, saying it “never observed that Huawei took client information.” At the same time, it did acknowledge that one of its suppliers had “unauthorised, uncontrolled or unlimited access to our networks and systems”.

    The report was originally commissioned after the Dutch intelligence service warned of potential espionage. Despite the findings, KPN continued to use Huawei for its 3G and 4G deployments, although it excluded the company from its 5G network.

    The report concluded that the findings put “the continued existence of KPN Mobile in serious danger” since customers “may lose confidence … if it becomes known the Chinese government can monitor KPN mobile numbers.”

    It remains to be seen what fallout KPN may still face now that the report has become public.

  • VMware Wants to ‘Empower Today’s Anywhere Workforce’

    VMware Wants to ‘Empower Today’s Anywhere Workforce’

    VMware has launched VMware Anywhere Workspace in an effort to help companies and employees thrive in a remote work environment.

    VMware’s virtualization platform already powers some of the biggest names in tech, and now the company is turning its expertise toward helping companies succeed with their remote workforce.

    “Work is what you do, not where you do it. As businesses reimagine where and how teams collaborate and innovate, they must do more than transform. They must reform their mindset to create a digital-first culture that puts employee experience first,” said Sanjay Poonen, chief operating officer, customer operations, VMware. “We developed VMware Anywhere Workspace with this new way of working in mind. It will play an important role in creating stronger, more focused, and more resilient businesses.”

    VMware Anywhere Workspace is designed to provide robust security and make it easier for IT to support remote employees. To achieve this, the platform combines three solutions in one: VMware Workspace One, VMware Carbon Black Cloud and VMware SASE.

    Together the three solutions provide unified endpoint management, desktop and app virtualization, cloud-native endpoint and workload protection, cloud-delivered security functions, and a host of employee productivity, experience and security solutions.

    “A truly hybrid workforce is one that is enabled to work in any location, across any network and device, and with no trade-offs when it comes to employee productivity. However, delivering against this ideal has proven challenging for businesses that often rely on a complex set of legacy security practices and technologies,” said Adam Holtby, Principal Analyst, Omdia. “New security, management, and employee productivity solutions and practices are needed if businesses are to optimally enable and secure a more hybrid, anywhere workforce. This value proposition is at the core of VMware’s new solution, and it is one that has great potential to help the vendor become an important partner for businesses looking to embrace the Future of Work.”

    VMware Anywhere Workspace is available today.

  • Facebook Wants to ‘Normalize’ Its Data Scraping Leaks

    Facebook Wants to ‘Normalize’ Its Data Scraping Leaks

    Facebook is looking to take the heat off itself for the recent leak of 533 million records scraped from its site by normalizing that type of incident.

    Scraping involves pulling data from a target website, often using automated means. In most cases, it’s not technically a major hack since the data is available on the site. However, many membership-based sites, such as Facebook, can take measures to prevent scraping.

    In the case of Facebook’s issue that led to 533 million records being scraped and later released online, it was the result of a vulnerability that allowed the data to be scraped. Facebook was widely criticized for its response, essentially taking the approach that since this was an old issue, it wasn’t a big deal — despite the fact the data was just released into the wild.

    Facebook has now given users even greater reason to be upset, thanks to a memo it accidentally sent to a journalist for Belgian publication Data News (via CNET).

    “Longer term, though, we expect more scraping incidents and think its important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly,” said the email.

    The full content of the email was even more appalling.

    Essentially, Facebook is complaining about the negative coverage it has received over the incident and its response, and is anticipating people’s interest waning and the coverage eventually stopping. Long-term, the company plans to write a post about its anti-scraping activities, and help “normalize the fact that this activity happens regularly.”

    Unfortunately, Facebook’s response is anything but normal — and doesn’t even come close to acceptable or responsible. As one of the single biggest purveyors of people’s data, the company has a responsibility to do a lot more than take the approach: “Oh well…stuff happens, data gets scraped, there’s not much we can do about…so deal with it.”

  • EFF Partners With DuckDuckGo, Adopts Its HTTPS Dataset

    EFF Partners With DuckDuckGo, Adopts Its HTTPS Dataset

    The Electronic Frontier Foundation (EFF) is partnering with DuckDuckGo to include the latter’s HTTPS dataset in its HTTPS Everywhere browser extension.

    The EFF and DuckDuckGo are closely aligned in their commitment to protecting user privacy. DuckDuckGo’s privacy browser extension for the desktop, and its standalone privacy browser for iOS, rely on the company’s Smarter Encryption technology.

    Smarter Encryption upgrades a standard unencrypted (HTTP) website connection to an encrypted (HTTPS) connection where possible. Smarter Encryption is more advanced than many competing options, since DuckDuckGo crawls and re-crawls the web to keep its dataset current.

    The EFF is now adopting DuckDuckGo’s Smart Encryption dataset for use in its own HTTPS Everywhere browser extension. Like Smart Encryption, HTTPS Everywhere is designed to help upgrade insecure connections. The EFF’s solution previously used “a crowd-sourced list of encrypted HTTPS versions of websites,” a less efficient and less comprehensive solution than DuckDuckGo’s.

    “DuckDuckGo Smarter Encryption has a list of millions of HTTPS-encrypted websites, generated by continually crawling the web instead of through crowdsourcing, which will give HTTPS Everywhere users more coverage for secure browsing,” said Alexis Hancock, EFF Director of Engineering and manager of HTTPS Everywhere and Certbot web encrypting projects. “We’re thrilled to be partnering with DuckDuckGo as we see HTTPS become the default protocol on the net and contemplate HTTPS Everywhere’s future.”

    “EFFs pioneering work with the HTTPS Everywhere extension took privacy protection in a new and needed direction, seamlessly upgrading people to secure website connections,” said Gabriel Weinberg, DuckDuckGo founder and CEO. “We’re delighted that EFF has now entrusted DuckDuckGo to power HTTPS Everywhere going forward, using our next generation Smarter Encryption dataset.”

  • Reddit Launches Public Bug Bounty Program

    Reddit Launches Public Bug Bounty Program

    Reddit has launched a public bug bounty program, an acknowledgment of its increased growth and visibility.

    Bug bounty programs are a popular method of tackling cybersecurity issues. Many of the world’s largest companies rely on the programs to find and address bugs and security vulnerabilities before bad actors can exploit them.

    Reddit has maintained a private program with HackerOne for the last three years, but the company is taking the next step and making it public.

    With our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on Reddit. As we scale the program, our priority will remain focused on protecting the privacy of our user data and identities. We know each security researcher has their own skills and perspective that they bring to the program, and we encourage anyone to submit a report that shows security impact. We’re super excited to hit this milestone and have prepared our team for what’s to come.

    Interested parties can find more information at redditinc.com or HackerOne, and submissions can be sent to [email protected].

  • Huawei Blames US for Global Semiconductor Shortage

    Huawei Blames US for Global Semiconductor Shortage

    Huawei has laid the blame for the global semiconductor shortage squarely on the US, saying sanctions against Chinese firms have hurt the industry.

    The US has waged a long battle against Huawei and other Chinese firms, claiming they represent a threat to national security. US officials were joined by governments and intelligence agencies around the world that came to similar conclusions. Huawei, in particular, was seen as having extremely close ties to Beijing, and was believed to serve as a conduit for spying by the Chinese government.

    Huawei is hitting back, claiming the the sanctions against it and other Chinese companies are hurting the semiconductor industry, according to Nikkei.

    “Because of the U.S. sanctions against Huawei, we have seen panic stockpiling among global companies, especially the Chinese ones. In the past, companies were barely stockpiling, but now they are building up three or six months’ worth of inventory … and that has disrupted the whole system,” Rotating Chairman Eric Xu said at the company’s 18th Huawei Analyst Summit.

    “Clearly the unwarranted U.S. sanctions against Huawei and other [Chinese] companies are creating an industry-wide supply shortage, and this could even trigger a new global economic crisis,” Xu continued

    Xu said the sanctions had also hurt the trust that must exist between companies along the supply chain. This has led companies and countries to make changes, including bolstering their own semiconductor capabilities rather than rely on Chinese companies.

    In the meantime, however, the world is suffering from a massive shortage of semiconductors, impacting everything from computers to auto manufacturing.

  • EU Set to Ban AI-Based Mass Surveillance

    EU Set to Ban AI-Based Mass Surveillance

    The European Union is preparing to pass rules that would ban AI-based mass surveillance, in the strongest repudiation of surveillance yet.

    According to Bloomberg, the EU is preparing to pass rules that would ban using AI for mass surveillance, as well as ranking social behavior. Companies that fail to abide by the new rules could face fines up to 4% of their global revenue.

    The rules are expected to tackle a number of major and controversial areas where privacy is concerned. AI systems that manipulate human behavior, or exploit information about individuals and groups, would be banned. The only exceptions would be some public security applications.

    Similarly, remote biometric ID systems in public places would require special authorization. Any AI applications considered ‘high-risk’ — such as ones that could discriminate or endanger people’s safety — would require inspections to ensure the training data sets are unbiased, and that the systems operate with the proper oversight.

    Most importantly, the rules will apply equally to companies based within the EU or abroad.

    The new rules could still change in the process of being passed into law but, as it stands now, the EU is clearly establishing itself as a protector of privacy where AI-based mass surveillance is concerned.

  • AI Wars: 96% of Companies Using AI to Combat AI-Powered Cyberattacks

    AI Wars: 96% of Companies Using AI to Combat AI-Powered Cyberattacks

    A new report shows that AI is increasingly being used in a defensive capacity, to combat AI-powered cyberattacks.

    While AI promises to revolutionize many industries, it’s already creating significant problems in the realm of cybersecurity. A new report by MIT Technology Review Insights, in association with AI cybersecurity company Darktrace, shows just how much AI is impacting the field.

    Offensive AI risks and developments in the cyberthreat landscape are redefining enterprise security, as humans already struggle to keep pace with advanced attacks.

    In fact, 60% of respondents said that human response measures were already falling behind automated attacks. As a result, 96% of respondents are deploying AI to help defend against AI attacks.

    Of the various types of threats, email and phishing attacks were the most troubling. Some 40% found email and phishing attacks “very concerning,” with 34% viewing them as “somewhat concerning.” A staggering 94% of detected malware is spread via email. AI makes the problem even worse by creating emails that are almost indistinguishable from legitimate ones.

    Max Heinemeyer, director of threat hunting for Darktrace, saw email phishing attempts adapt as a result of the pandemic. “We saw a lot of emails saying things like, ‘Click here to see which people in your area are infected,’” he says.

    Based on MIT and Darktrace’s report, it appears the industry is entering an AI arms race, one that will have significant implications on the future of cybersecurity.

  • Even Mark Zuckerberg Uses Signal

    Even Mark Zuckerberg Uses Signal

    Signal may not be as popular as Facebook’s WhatsApp, but even Facebook CEO Mark Zuckerberg may use the competing product.

    Facebook caused a furor when it announced it would share WhatsApp user data with other Facebook-owned companies. The fallout was severe, with many users switching to the more secure Signal. Elon Musk also came out as a vocal proponent of Signal in the aftermath, further driving its growth.

    Interestingly, it appears Mark Zuckerberg also uses Signal. Days ago, data for 533 million Facebook users was leaked online. Although the data is from at least a couple of years ago, it still includes a wealth of information. Security researcher Dave Walker perused the data and found Zuckerberg’s information was part of it.

    Even more telling, the phone number listed for Zuckerberg is also associated with a Signal account.

    Obviously, simply having an account doesn’t mean Zuckerberg regularly uses Signal. Nonetheless, it’s an interesting discovery.

  • Signal Adding Privacy-Focused Cryptocurrency Payments

    Signal Adding Privacy-Focused Cryptocurrency Payments

    Signal messaging app is adding payments, using the MobileCoin cryptocurrency and wallet.

    Signal is widely considered to be the most private messaging platform available. It’s used by the US Senate, the EU Commission and various US military units. The platform provides end-to-end encryption, and has seen a major boost in popularity as a result of Facebook’s privacy blunder with WhatsApp.

    Signal is now looking to add payment processing, in a bid to better compete with WhatsApp, Apple iMessage and others. In keeping with its privacy roots, the company is integrating a privacy-focused cryptocurrency and wallet.

    Signal Payments makes it easy to link a MobileCoin wallet to Signal so you can start sending funds to friends and family, receive funds from them, keep track of your balance, and review your transaction history with a simple interface. As always, our goal is to keep your data in your hands rather than ours; MobileCoin’s design means Signal does not have access to your balance, full transaction history, or funds. You can also transfer your funds at any time if you want to switch to another app or service.

    The feature is currently in beta, and Signal actively wants feedbackfrom users.

  • Data for 500 Million Facebook Users Found Online

    Data for 500 Million Facebook Users Found Online

    Data for some 500 million Facebook users has been found online, in the latest incident involving the social media giant.

    The data, involving 533 million Facebook users, was published online Saturday. Alon Gal, cybercrime intelligence firm Hudson Rock’s CTO, was the first to discover the data had been leaked.

    https://twitter.com/UnderTheBreach/status/1378314424239460352?s=20

    According to Gal, the data includes full name, birthdate, phone number, Facebook ID, location, past location, bio, relationship status, account creation date and, in some cases, email address.

    The data includes users in over 100 countries, including the data of more than 32 million US users.

    https://twitter.com/UnderTheBreach/status/1378724412334219265?s=20

    According to Business Insider, the first to report the story, Facebook says the information was gathered as a result of a vulnerability that allowed data to be scraped. The company says the issue was fixed in 2019, making this ‘old data.’ Nonetheless, the fact that it includes so much personal information makes it just as dangerous now as when it was scraped.

    Facebook is already under increased government scrutiny, and this is sure to bring even more.

  • NSA Hacking Tool Was Stolen by Chinese Hackers and Used Against US

    NSA Hacking Tool Was Stolen by Chinese Hackers and Used Against US

    A National Security Agency (NSA) hacking tool was stolen by Chinese hackers in 2014 and used against US targets, according to researchers.

    The NSA is tasked with protecting US digital communications and resources, as well as trying to crack the communications of entities the US considers hostile. The agency also engages in signal intelligence gathering, both foreign and domestic. As part of its activities, the NSA develops tools to help it crack encryption and hack into systems. The Tailored Access Operations (TAO) NSA unit, also known as the “Equation Group,” is primarily responsible for the latter realm of operations.

    According to researchers at Check Point Research, it appears that one of the Equation Group’s tools was stolen by Chinese hackers in 2014. The group, APT31, is a state-sponsored hacking group.

    This isn’t the first time NSA tools have been suspected of being stolen and used. In 2017, a group called the “Shadow Brokers” managed to gain access to and leak Equation Group tools. What makes this latest revelation so interesting, and disturbing, is that it predates the Shadow Brokers leak by more than two years.

    APT31 used the NSA’s code and modified it to create their own version of the exploit called “Jian.”

    We began with analyzing “Jian”, the Chinese (APT31 / Zirconium) exploit for CVE-2017-0005, which was reported by Lockheed Martin’s Computer Incident Response Team. To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called “EpMe”. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets.

    Check Point Research came to some disturbing conclusions regarding exactly how APT31 gained access to the NSA code.

    The case of EpMe / Jian is different, as we clearly showed that Jian was constructed from the actual 32-bits and 64-bits versions of the Equation Group exploit. This means that in this scenario, the Chinese APT acquired the exploit samples themselves, in all of their supported versions. Having dated APT31’s samples to 3 years prior to the Shadow Broker’s “Lost in Translation” leak, our estimate is that these Equation Group exploit samples could have been acquired by the Chinese APT in one of these ways:

    • Captured during an Equation Group network operation on a Chinese target.
    • Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT.
    • Captured by the Chinese APT during an attack on Equation Group infrastructure.

    Needless to say, it’s disconcerting that an agency with the goal of protecting US communications seems to have such an issue keeping its most dangerous tools secure — tools that end up being used against the very targets its tasked with protecting.

  • Hackers Access 150,000 Security Cameras: Tesla, Hospitals and Prisons Exposed

    Hackers Access 150,000 Security Cameras: Tesla, Hospitals and Prisons Exposed

    A groups of hackers has gained access to roughly 150,000 Verkada security cameras, exposing a slew of customer live feeds.

    Verkada is a Silicon Valley startup that specializes in security systems. The company’s cameras are used by a wide range of companies and organizations, including Tesla, police departments, hospitals, clinics, schools and prisons.

    The group responsible is an international collective of hackers. They claim to have hacked Verkada to shed light on how pervasive surveillance has become.

    In one of the videos, seen by Bloomberg, eight hospital staffers are seen tackling a man and restraining him. Other video feeds include women’s clinics, as well as psychiatric hospitals. What’s more, some of the feeds — including those of some hospitals — use facial recognition to identify and categorize people.

    The feeds from the Madison Country Jail in Huntsville, Alabama were particularly telling. Of the 330 cameras in the jail, some were “hidden inside vents, thermostats and defibrillators.”

    The entire case is disturbing on multiple fronts. It’s deeply concerning that a company specializing in security, and selling that security to other organizations, would suffer such a devastating breach. It’s equally concerning, however, to see the depth of surveillance being conducted, as well as the lengths being taken to hide the surveillance.

  • Android Phones Home 20x More Than iOS

    Android Phones Home 20x More Than iOS

    A computer researcher at Trinity College Dublin has released a report showing Android phones home to Google 20x more than iOS does to Apple.

    Apple and Google have fundamentally different approaches to data. Apple is a hardware and, increasingly, a software and services company. Unlike Google, however, Apple charges for the majority of its products and services. As a result, the company has repeatedly said it has no interest in consumer data, or viewing that data as the product.

    In contrast, Google offers much of its services completely free of charge. To make a profit, the company is primarily a data-driven company, where the customer — and their data — is Google’s primary product.

    Researcher Doug Leith shows how different the two companies’ approach is to how their phones transmit data, mirroring their approach to consumer data, according to Ars Technica.

    Where Android stands out, Leith said, is in the amount of data it collects. At startup, an Android device sends Google about 1MB of data, compared with iOS sending Apple around 42KB. When idle, Android sends roughly 1MB of data to Google every 12 hours, compared with iOS sending Apple about 52KB over the same period. In the US alone, Android collectively gathers about 1.3TB of data every 12 hours. During the same period, iOS collects about 5.8GB.

    Needless to say, Google has disputed the findings, with a spokesperson providing the following statement to Ars:

    We identified flaws in the researcher’s methodology for measuring data volume and disagree with the paper’s claims that an Android device shares 20 times more data than an iPhone. According to our research, these findings are off by an order of magnitude, and we shared our methodology concerns with the researcher before publication.

    This research largely outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently.

    Despite Google’s protestations, Leith’s research is no surprise to anyone who has followed Google’s data-mining and collection practices.

  • Cloudflare Rolls Out API Abuse Detection

    Cloudflare Rolls Out API Abuse Detection

    Cloudflare, one of the leading content delivery networks, has announced API Discovery and API Abuse Detection.

    Application programming interfaces (APIs) are used by companies in every industry. APIs provide a way for different programs and platforms to communicate with each other or hardware components. Many companies use hundreds, or even thousands, of APIs. Unfortunately, despite their value, APIs can be easily abused.

    Cloudflare is looking to address that issue with two tools: API Discovery and API Abuse Detection.

    API Discovery is designed to help companies keep track of the APIs they have. In some cases, companies have so many that they lose track of them, or easily confuse similar ones.

    API Abuse Detection uses a two-prong approach to detecting abuse: volume and sequence. Based on the estimated volume a company should realistically expect on a given API, Cloudflare can detect when volume is higher than it should be.

    Similarly, an API has a valid sequence of events when it’s used properly. Cloudflare can monitor an API for calls that are out of sequence, a likely indication it’s being abused.

    The new tools are currently available in early access.

  • Verizon and T-Mobile Complete STIR/SHAKEN Rollout

    Verizon and T-Mobile Complete STIR/SHAKEN Rollout

    T-Mobile and Verizon announced they have both rolled out the STIR/SHAKEN protocols in an effort to fight robocalls and spam.

    The STIR/SHAKEN protocols are designed to provide a way for carriers to verify the origin and authenticity of a call, and then pass that verification on to the carrier on the receiving end of the call, who then verifies it again. If the call is verified by all carriers involved, the recipient phone will display a “Caller Verified” badge.

    The first and second largest carriers announced they have both completed their STIR/SHAKEN implementation, offering an additional layer of protection to their customers.

    “This latest STIR/SHAKEN milestone is a key part of our overall efforts to combat these unwanted calls,” said Ronan Dunne, EVP and CEO of Verizon Consumer Group. “There is always more to be done, but this is yet another important step for the industry and customers should rest assured that we remain vigilant in our efforts to take down the bad guys and protect them.”

    “T-Mobile was first to implement number verification in 2019 because protecting customers against scammers and spammers is one of the most important things we can do as an industry,” said Mike Sievert, CEO T-Mobile. “To date, T-Mobile has protected over 80 million customers from more than 33 billion suspect calls – and counting. With the combination of Number Verification, free Caller ID and the scam blocking tools in Scam Shield, and by working with network providers of all sizes, we are providing the industry’s most comprehensive scam and spam protection for free to all our customers and working every day to make scammers jobs impossible.”

    The implementation of the protocol is good news for consumers.