Pete Recommends – Weekly highlights on cyber security issues March 3, 2019

Subject: Apps are sending sensitive data to Facebook, despite company policies
Source: Business Insider

  • Some 11 popular apps are sharing the highly personal data they collect with Facebook, The Wall Street Journal reported Friday.
  • Among the data the apps shared with Facebook were users’ weight and whether they were menstruating, according to the report.
  • The apps generally didn’t give users an easy way to opt out of such sharing and many didn’t explicitly disclose what data they were uploading to Facebook.
  • Facebook bars developers from sharing certain sensitive data with it, and deletes such information when it finds it, a spokeswoman said.
  • But sharing of app data generally is a standard industry practice, she said.

The Journal found that at least 11 apps were transferring such sensitive data to Facebook; they included Flo Health’s Flo Period & Ovulation Tracker, Move’s, and Instant Heart Rate: HR Monitor. All of the apps named by the Journal — and thousands of others besides — include code from Facebook that allows their developers to track how people are using them and use that information to target ads at them.

The Federal Trade Commission has in the past cracked down on companies whose actual privacy practices differed significantly from what they disclosed to their users. Meanwhile, Europe’s new General Data Protection Regulation typically requires companies to gain users’ explicit consent before collecting or sharing their personal data.

Subject: Biometrics key to White House strategy on combating terrorist travel
Source: FCW via GCN

On Feb. 20, the White House released the National Strategy to Combat Terrorist Travel, which will rely on validating identities and leveraging biometric ID systems to detect and stop terrorists as they travel.

The whole-of-government approach aims to equip state, local and tribal partners with “terrorism-identity and travel data, as well as the tools and technology necessary to identify terrorists at the earliest opportunity,” the strategy said. That information will come from improved identity-management systems and the expanded collection of suspicious travel indicators as well as “biometric, biographic, and derogatory data for vetting and screening.”

Vetting, according to the document, includes “automated biographic and/or biometric matching against watchlists and threat information as well as manual and automated processes used to resolve potential matches and false positives.”

The system at the San Luis crossing flagged a mismatch when it compared a facial image of a supposed 22-year-old Colorado man who presented a valid U.S. passport travel card to the CBP officer at the crossing. The man’s image captured on the facial recognition system didn’t match the passport’s historical record photo when the two images were compared by customs officers at the crossing.

Subject: ICANN: There is an ongoing and significant risk to DNS infrastructure
Source: ZDNet

The Internet Corporation for Assigned Names and Numbers (ICANN), the organization in charge of the internet’s Domain Name System (DNS) infrastructure, issued a foreboding warning on Friday about the dangers facing the DNS system. ICANN said it “believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure,” and urged domain owners and DNS services to migrate to using DNSSEC as soon as possible.

DNSSEC stands for Domain Name System Security Extensions, an extension to the DNS protocol that allows domain owners to digitally sign DNS records. Cryptographically signing DNS records prevents unauthorized third parties from modifying DNS entries without the private DNSSEC signing key, which is usually in the possession of the legitimate domain owner only. ICANN officials said DNSSEC would have prevented the recent DNS hijacking attacks that have made headlines in the past two months.

These attacks, called DNS hijacking, allowed the crooks to redirect legitimate traffic to their own malicious servers, where they performed man-in-the-middle attacks to intercept login credentials and then forwarded the traffic back to the legitimate email servers.
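The ICANN item above says DNSSEC lets a domain owner sign records so that nobody without the zone’s private key can alter them undetected. As an added illustration (not code from ICANN, ZDNet or any DNS software), the Go program below does this in miniature: it signs an RRset with an Ed25519 key (Ed25519 is DNSSEC algorithm 15 in the IANA registry), then plays the validating resolver’s part, accepting the genuine answer and rejecting one whose mail host has been rewritten. The record layout, the subset of RRSIG fields, the zone name example.test., the timestamps and the function names are simplifications assumed for the example; real RRSIGs also cover the label count, original TTL and key tag and use the wire format of RFC 4034.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record: owner name, type, TTL and raw rdata.
type RR struct {
	Name  string
	Type  uint16
	TTL   uint32
	Rdata []byte
}

// RRSIG carries the fields of an RRSIG record that the signature covers
// (simplified: label count, original TTL and key tag are omitted).
type RRSIG struct {
	TypeCovered uint16
	Algorithm   uint8 // 15 is Ed25519 in the IANA DNSSEC algorithm registry (RFC 8080)
	Expiration  uint32
	Inception   uint32
	SignerName  string
	Signature   []byte
}

// canonicalRRset serialises an RRset in a canonical form: owner names
// lowercased and records sorted by rdata, so signer and validator derive
// identical bytes regardless of the order the records arrived in.
func canonicalRRset(rrs []RR) []byte {
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool {
		return bytes.Compare(sorted[i].Rdata, sorted[j].Rdata) < 0
	})
	var buf bytes.Buffer
	for _, rr := range sorted {
		buf.WriteString(strings.ToLower(rr.Name))
		buf.WriteByte(0)
		binary.Write(&buf, binary.BigEndian, rr.Type)
		binary.Write(&buf, binary.BigEndian, rr.TTL)
		binary.Write(&buf, binary.BigEndian, uint16(len(rr.Rdata)))
		buf.Write(rr.Rdata)
	}
	return buf.Bytes()
}

// signedMessage is what actually gets signed: the RRSIG's own fields followed
// by the canonical RRset, so the signature also binds the validity window and signer.
func signedMessage(sig RRSIG, rrs []RR) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, sig.TypeCovered)
	buf.WriteByte(sig.Algorithm)
	binary.Write(&buf, binary.BigEndian, sig.Expiration)
	binary.Write(&buf, binary.BigEndian, sig.Inception)
	buf.WriteString(strings.ToLower(sig.SignerName))
	buf.WriteByte(0)
	buf.Write(canonicalRRset(rrs))
	return buf.Bytes()
}

// SignRRset is the zone owner's side: only the holder of the private key can
// produce an RRSIG that validators will accept.
func SignRRset(priv ed25519.PrivateKey, rrs []RR, sig RRSIG) RRSIG {
	sig.Signature = ed25519.Sign(priv, signedMessage(sig, rrs))
	return sig
}

// VerifyRRset is the validating resolver's side: rebuild the signed message
// from the answer it received and check it against the zone's public key.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig RRSIG) bool {
	return ed25519.Verify(pub, signedMessage(sig, rrs), sig.Signature)
}

// Demo signs a constructed MX RRset (DNS type code 15) for example.test. and
// reports whether the genuine answer verifies and whether an answer rewritten
// to point at a different mail host does.
func Demo() (genuineOK, rewrittenOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the zone's key pair
	if err != nil {
		panic(err)
	}
	meta := RRSIG{TypeCovered: 15, Algorithm: 15, Expiration: 1552000000,
		Inception: 1551000000, SignerName: "example.test."}
	genuine := []RR{{Name: "example.test.", Type: 15, TTL: 3600,
		Rdata: []byte("10 mail.example.test.")}}
	sig := SignRRset(priv, genuine, meta)
	genuineOK = VerifyRRset(pub, genuine, sig)

	// A hijacked answer keeps the original RRSIG but changes the mail host.
	rewritten := []RR{{Name: "example.test.", Type: 15, TTL: 3600,
		Rdata: []byte("10 mail.elsewhere.test.")}}
	rewrittenOK = VerifyRRset(pub, rewritten, sig)
	return genuineOK, rewrittenOK
}

func main() {
	ok, bad := Demo()
	fmt.Printf("genuine RRset verifies: %v; rewritten RRset verifies: %v\n", ok, bad)
}
```

Because the signature is computed over the canonical RRset rather than over whatever bytes happen to arrive, the altered answer fails validation whatever order its records come in. The protection only exists where resolvers actually validate and the private key stays with the legitimate domain owner, which is the point ICANN’s warning turns on.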

Topic: Security

Subject: While Putting Your Boots On – Fake News Detection Tools & Strategies
Source: Practice Innovations via LLRX

For more on spotting fake news, please check the guides that librarians across the country have created. This list is originally from an article published and updated in AALL Spectrum, July/August 2017,[4] and reprinted in Law and Technology Resources for Legal Professionals (LLRX). These guides are a great place to find tools, browser extensions, fact-checking sites, articles, books, and other material devoted to anyone who is interested in learning how to spot fake news.


Subject: Federal Judge Throws Out Washington State Cyberstalking Law, Writing It Criminalizes Protected Speech
Source: Gizmodo

A federal judge in Washington has thrown out the state’s 2004 law prohibiting cyberstalking after finding that its barriers against speech that is intended to “harass, intimidate, torment, or embarrass” were too vague and violated the Constitution, per the Electronic Frontier Foundation.

In his ruling, United States District Judge Ronald Bruce Leighton wrote that the law’s “breadth—by the plain meaning of its words—includes protected speech that is not exempted from protection by any of the recognized areas just described,” as well as that it “criminalizes a large range of non-obscene, non-threatening speech, based only on (1) purportedly bad intent and (2) repetition or anonymity.” Leighton added:


Subject: Using Google Maps costs more than you think
Source: Jason Voiovich via LinkedIn via LLRX

Google Maps is free, isn’t it? It seems like a question with an obvious answer, doesn’t it? Of course, Google Maps is free. I’ve never been asked to enter my credit card to look up a new address. There is no subscription plan. There is no pay wall. But just because you are not exchanging money to use Google Maps does not mean you are not exchanging value. I intend to show you just how much. You might not like it. We’ll use Google Maps to help us walk through a basic use case and better understand the value exchange, but there are plenty of other examples. Let’s begin…

Subject: What You Need to Know About Exif Data
Source: Consumer Reports

Details about when, where, and how a photo was taken are captured automatically by smartphones and digital cameras, and stored as Exif (Exchangeable Image File Format) data. Information on everything from exposure settings to altitude may be included. And the Exif data travels with the photo—from the camera to your hard drive or a website.

“People should be aware that when they upload a photo there is more to it than just the pixels that they can see,” says Hany Farid, a professor of computer science at the University of California, Berkeley, and a leading researcher on digital forensics. “A lot of people don’t even know there’s this thing called Exif data that gets shoved along.”

How to Remove Exif Data Yourself…
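The Exif item above explains that camera and location details ride along inside the photo file itself. To make concrete what removing them does at the byte level, here is an added example in Go; it is not code from Consumer Reports and does not reproduce the article’s own steps. It walks a JPEG’s marker segments and drops the APP1 segment that carries Exif, copying everything from the scan data onward untouched, so the image pixels are unchanged. The sample file, the stand-in GPS and camera fields inside it, and the function names are constructed for the example; the marker codes, the segment layout and the Exif identifier bytes are those of the JPEG and Exif standards.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// JPEG marker codes used below (each appears in the file as 0xFF followed by the code).
const (
	markerSOI  = 0xD8 // start of image
	markerEOI  = 0xD9 // end of image
	markerSOS  = 0xDA // start of scan: compressed pixel data follows
	markerAPP0 = 0xE0 // JFIF header
	markerAPP1 = 0xE1 // Exif (and XMP) metadata live here
	markerDQT  = 0xDB // quantisation table
)

var exifHeader = []byte("Exif\x00\x00")

// filterSegments rebuilds a JPEG, keeping only the metadata segments for which
// keep returns true. From SOS onward the bytes are copied verbatim, so the
// pixel data is never touched.
func filterSegments(jpg []byte, keep func(marker byte, payload []byte) bool) ([]byte, error) {
	if len(jpg) < 2 || jpg[0] != 0xFF || jpg[1] != markerSOI {
		return nil, errors.New("not a JPEG: missing SOI marker")
	}
	out := bytes.NewBuffer(make([]byte, 0, len(jpg)))
	out.Write(jpg[:2])
	pos := 2
	for pos+2 <= len(jpg) {
		if jpg[pos] != 0xFF {
			return nil, fmt.Errorf("expected a marker at offset %d", pos)
		}
		marker := jpg[pos+1]
		if marker == markerEOI || marker == markerSOS {
			// EOI has no payload; SOS starts entropy-coded data that runs to EOI
			// and carries no further metadata, so the rest is copied as-is.
			out.Write(jpg[pos:])
			return out.Bytes(), nil
		}
		if pos+4 > len(jpg) {
			return nil, errors.New("truncated segment header")
		}
		segLen := int(binary.BigEndian.Uint16(jpg[pos+2:])) // length includes its own 2 bytes
		end := pos + 2 + segLen
		if segLen < 2 || end > len(jpg) {
			return nil, fmt.Errorf("bad segment length %d at offset %d", segLen, pos)
		}
		if keep(marker, jpg[pos+4:end]) {
			out.Write(jpg[pos:end])
		}
		pos = end
	}
	return nil, errors.New("reached end of data without an EOI marker")
}

// StripExif drops every APP1 segment whose payload starts with the Exif identifier.
func StripExif(jpg []byte) ([]byte, error) {
	return filterSegments(jpg, func(marker byte, payload []byte) bool {
		return !(marker == markerAPP1 && bytes.HasPrefix(payload, exifHeader))
	})
}

// HasExif reports whether a well-formed JPEG still carries an Exif segment.
func HasExif(jpg []byte) bool {
	found := false
	_, err := filterSegments(jpg, func(marker byte, payload []byte) bool {
		if marker == markerAPP1 && bytes.HasPrefix(payload, exifHeader) {
			found = true
		}
		return true
	})
	return err == nil && found
}

// segment encodes one marker segment: 0xFF, code, 2-byte length (including itself), payload.
func segment(code byte, payload []byte) []byte {
	out := []byte{0xFF, code, 0, 0}
	binary.BigEndian.PutUint16(out[2:], uint16(len(payload)+2))
	return append(out, payload...)
}

// SampleJPEG builds a constructed, minimal JPEG-shaped file: a JFIF header, an
// Exif segment holding a stand-in for camera and GPS fields, a quantisation
// table placeholder and a tiny scan. It is a test input, not a decodable image.
func SampleJPEG() []byte {
	var b bytes.Buffer
	b.Write([]byte{0xFF, markerSOI})
	b.Write(segment(markerAPP0, []byte("JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")))
	exif := append([]byte{}, exifHeader...)
	exif = append(exif, "II\x2a\x00\x08\x00\x00\x00"...)          // little-endian TIFF header
	exif = append(exif, "GPSLatitude=47.60;Make=CameraCo"...)     // stand-in for IFD entries
	b.Write(segment(markerAPP1, exif))
	b.Write(segment(markerDQT, make([]byte, 65)))
	b.Write(segment(markerSOS, []byte{0x01, 0x01, 0x00, 0x00, 0x3F, 0x00}))
	b.Write([]byte{0x12, 0x34, 0x56}) // "compressed" scan bytes
	b.Write([]byte{0xFF, markerEOI})
	return b.Bytes()
}

func main() {
	in := SampleJPEG()
	out, err := StripExif(in)
	if err != nil {
		panic(err)
	}
	fmt.Printf("before: %d bytes, Exif present: %v\n", len(in), HasExif(in))
	fmt.Printf("after:  %d bytes, Exif present: %v\n", len(out), HasExif(out))
}
```

Two caveats a practitioner would want: location and author details can also sit in XMP (another APP1 segment, with a different identifier) and in IPTC blocks in APP13, which this function leaves alone, and the embedded thumbnail inside the Exif block (itself a small copy of the photo) is removed together with it. Whatever tool you use to strip metadata, re-check the output the way HasExif does rather than trusting that the operation succeeded.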


Subject: Kaspersky Lab Really Can’t Catch a Break
Source: Gizmodo

Russian cybersecurity firm Kaspersky Lab has struggled to regain its reputation after it was accused of aiding Russian intelligence operations and its software was banned from use by the U.S. government. But on Tuesday, another layer of mystery was added to the story when a Russian court convicted a senior researcher at Kaspersky Lab of state treason in the interest of the United States.

Reuters reports that Ruslan Stoyanov, the former head of the computer incidents investigation team at Kaspersky Lab, was sentenced to 14 years in prison on Tuesday. The exact details of the charges against Stoyanov aren’t publicly known because the case was classified as secret and the trial was not open to the public. A lawyer involved with the case, Ivan Pavlov, told Reuters that Stoyanov was “accused of cooperating with U.S. intelligence services.”

Subject: Software vulnerabilities are becoming more numerous, less understood
Source: TechRepublic

The Common Vulnerabilities and Exposures (CVE) system is operated by the non-profit Mitre Corporation with additional government funding. For years it has been good enough: while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.

Risk Based Security, the private operator of competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including “there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization,” and “organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage.” This criticism is neither imaginative, nor unexpected from a privately-owned competitor attempting to justify their product.


Posted in: AI, Big Data, Cybersecurity, Privacy