A humorous — however true — joke at TechCrunch is that the safety desk may as effectively be referred to as the Division of Dangerous Information, since, effectively, have you seen what we’ve covered of late? There’s a unending provide of devastating breaches, pervasive surveillance and dodgy startups flogging the downright harmful.
Typically although — albeit hardly ever — there are glimmers of hope that we need to share. Not least as a result of doing the correct factor, even (and particularly) within the face of adversity, helps make the cyber-realm that little bit safer.
Bangladesh thanked a safety researcher for citizen knowledge leak discovery
When a safety researcher discovered {that a} Bangladeshi authorities web site was leaking the non-public data of its residents, clearly one thing was amiss. Viktor Markopoulos discovered the uncovered knowledge due to an inadvertently cached Google search consequence, which uncovered citizen names, addresses, cellphone numbers and nationwide id numbers from the affected web site. TechCrunch verified that the Bangladeshi authorities web site was leaking knowledge, however efforts to alert the federal government division were initially met with silence. The info was so delicate, TechCrunch couldn’t say which authorities division was leaking the info, as this may expose the info additional.
That’s when the nation’s laptop emergency incident response crew, often known as CIRT, acquired in contact and confirmed the leaking database had been fixed. The info was spilling from none apart from the nation’s start, demise and marriage registrar workplace. CIRT confirmed in a public notice that it had resolved the data spill and that it left “no stone unturned” to grasp how the leak occurred. Governments seldom deal with their scandals effectively, however an electronic mail from the federal government to the researcher thanking them for his or her discovering and reporting the bug exhibits the federal government’s willingness to interact over cybersecurity the place many different nations is not going to.
Apple throwing the kitchen sink at its adware drawback
It’s been greater than a decade since Apple dropped its now-infamous claim that Macs don’t get PC viruses (which whereas technically true, these phrases have plagued the corporate for years). As of late essentially the most urgent risk to Apple units is business adware, developed by non-public firms and offered to governments, which might punch a gap in our telephones’ safety defenses and steal our knowledge. It takes braveness to confess an issue, however Apple did precisely that by rolling out Rapid Security Response fixes to fix security bugs actively exploited by spyware makers.
Apple rolled out its first emergency “hotfix” earlier this yr to iPhones, iPads and Macs. The concept was to roll out crucial patches that may very well be put in with out at all times having to reboot the machine (arguably the ache level for the security-minded). Apple additionally has a setting referred to as Lockdown Mode, which limits sure machine options on an Apple machine which are sometimes focused by adware. Apple says it’s not aware of anyone using Lockdown Mode who was subsequently hacked. In truth, security researchers say that Lockdown Mode has actively blocked ongoing targeted hacks.
Taiwan’s authorities didn’t blink earlier than intervening after company knowledge leak
When a safety researcher instructed TechCrunch {that a} ridesharing service referred to as iRent — run by Taiwanese automotive big Hotai Motors — was spilling real-time updating buyer knowledge to the web, it appeared like a easy repair. However after per week of emailing the corporate to resolve the continuing knowledge spill — which included buyer names, cellphone numbers and electronic mail addresses, and scans of buyer licenses — TechCrunch by no means heard again. It wasn’t till we contacted the Taiwanese government for help disclosing the incident that we acquired a response instantly.
Inside an hour of contacting the federal government, Taiwan’s minister for digital affairs Audrey Tang instructed TechCrunch by electronic mail that the uncovered database had been flagged with Taiwan’s laptop emergency incident response crew, TWCERT, and was pulled offline. The pace at which the Taiwanese authorities responded was breathtakingly quick, however that wasn’t the top of it. Taiwan subsequently fined Hotai Motors for failing to protect the data of greater than 400,000 prospects, and was ordered to enhance its cybersecurity. In its aftermath, Taiwan’s vice premier Cheng Wen-tsan stated the effective of about $6,600 was “too gentle” and proposed a change to the regulation that might improve knowledge breach fines by tenfold.
Leaky U.S. court docket file techniques sparked the proper of alarm
On the coronary heart of any judicial system is its court docket information system, the tech stack used for submitting and storing delicate authorized paperwork for court docket instances. These techniques are sometimes on-line and searchable, whereas limiting entry to recordsdata that might in any other case jeopardize an ongoing continuing. However when safety researcher Jason Parker discovered several court record systems with incredibly simple bugs that were exploitable using only a web browser, Parker knew they needed to see that these bugs had been mounted.
Parker discovered and disclosed eight safety vulnerabilities in court docket information techniques utilized in 5 U.S. states — and that was simply in their first batch disclosure. A few of the flaws had been mounted and a few stay excellent, and the responses from states had been combined. Florida’s Lee County took the heavy-handed (and self-owning) place of threatening the safety researcher with Florida’s anti-hacking legal guidelines. However the disclosures additionally despatched the proper of alarm. A number of state CISOs and officers answerable for court docket information techniques throughout the U.S. noticed the disclosure as a possibility to examine their very own court docket file techniques for vulnerabilities. Govtech is damaged (and is desperately underserved), however having researchers like Parker finding and disclosing must-patch flaws makes the web safer — and the judicial system fairer — for everybody.
Google killed geofence warrants, even when it was higher late than by no means
It was Google’s greed pushed by advertisements and perpetual development that set the stage for geofence warrants. These so-called “reverse” search warrants enable police and authorities businesses to dumpster dive into Google’s huge shops of customers’ location knowledge to see if anybody was within the neighborhood on the time a criminal offense was dedicated. However the constitutionality (and accuracy) of these reverse-warrants have been called into question and critics have referred to as on Google to place an finish to the surveillance apply it largely created to start with. After which, simply earlier than the vacation season, the present of privateness: Google stated it will start storing location knowledge on customers’ units and never centrally, successfully ending the ability for police to obtain real-time location from its servers.
Google’s transfer shouldn’t be a panacea, and doesn’t undo the years of harm (or cease police from raiding historic knowledge saved by Google). Nevertheless it may nudge different firms additionally topic to those sorts of reverse-search warrants — howdy Microsoft, Snap, Uber and Yahoo (TechCrunch’s father or mother firm) — to observe swimsuit and cease storing customers’ delicate knowledge in a manner that makes it accessible to authorities calls for.
Trending Merchandise
