Friday Five: 6/29 Edition
A massive marketing firm data leak, a new data privacy bill in California, and more. Catch up on the week's infosec news with this roundup!
1. Maker of popular quiz apps on Facebook exposed personal data of 120 million users by Nick Statt
Cambridge Analytica redux? NameTests, a developer of quizzes for Facebook, was caught mining users' information like names, birthdays, photos, and friend lists this week. Inti De Ceukelaire, a self-proclaimed hacker, first broke the news in a post on his personal Medium blog. For what it's worth, the company says it changed the way it processed user data in June, likely in the wake of April's Cambridge Analytica debacle, and says that in its eyes it never misused the data or disclosed any of it to third parties. Facebook, meanwhile, told publications this week it handled the issue via its Data Abuse Bounty Program, a program the company launched in April to reward users for reporting data abuse.
2. The IEEE is against mandated encryption backdoors by Zeljka Zorz
Better late than never: The IEEE (the Institute of Electrical and Electronics Engineers) has finally weighed in on Going Dark, a concept that first surfaced way back in 2014 to describe whether or not the government should have a back door to access a user's data. In a three-page paper released on Sunday, the IEEE said it's firmly in the corner of encryption - "unfettered strong encryption" at that. "We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms such as 'backdoors' or 'key escrow schemes' in order to facilitate government access to encrypted data," (.PDF) the consortium said. Law enforcement agencies have what the IEEE calls a "range of other investigative tools" to gain access to systems. In reality, it will likely continue to be a cat-and-mouse game between device makers and law enforcement for the foreseeable future. Apple rolled out a fix in its most recent iOS to prevent the usage of GrayKey, one of those tools, earlier this month.
3. Marketing Firm Exposes 340 Million Records on US Consumers by Jeremy Kirk
One of the largest, if not the largest, data breach stories of the second half of the week was disclosed on Wednesday. A researcher stumbled upon a cache of data exposed to the public - two terabytes in total - belonging to Exactis, a little-known marketing firm based in Florida. The data, 340 million records on users, including the number of children they have, what type of payment cards they own, whether they own stock, their credit rating, and so on, was leaked. While the database doesn't include critically sensitive data like Social Security numbers or bank account data, the information that is in there could easily be used to craft phishing emails. Bankinfosecurity.com's Jeremy Kirk talked to Vinny Troia, the researcher who discovered the leak, and does a good job digging into the story, the latest involving sensitive information left on internet-exposed databases.
4. Exclusive: Ukraine says Russian hackers preparing massive strike by Pavel Polityuk
This could ultimately turn into a game of he said, she said, but since it was reported by Reuters we're listening. Ukraine's cyber police chief told the news agency on Tuesday that Russian hackers are preparing to strike the nation again, and this time they've narrowed their sights on banks and energy infrastructure firms. If an attack were launched soon, it would come a year after NotPetya, a strain of ransomware that originated in Ukraine, infected thousands of machines and took down companies like FedEx, Merck, and Maersk. While there's not much credence behind the looming "large, coordinated attack," the fact that the country decided to come clean about the threat means it could have a big impact and that it wants the public to be ready.
5. Sweeping data privacy bill approved in California by Sophia Bolla
The countdown is on for Californians; they have a year and a half until a comprehensive new data privacy bill, the California Data Privacy Protection Act, takes effect. The bill, which some are naturally likening to the EU's General Data Protection Regulation, was signed by the state's Governor on Thursday. While there's plenty of time for the bill to get modified between now and then, in its current iteration the bill could act as a template for other states looking to clamp down on how their consumers' data is handled. As part of the bill, big companies like Google and Facebook will have to disclose what kind of data they collect and allow consumers to opt out of having it sold.