Subscribe to this bi-weekly newsletter here!
Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
Well, that escalated quickly.
After alerting users of a change in privacy policy earlier this month and kicking up a storm, WhatsApp has backed down— for now.
The in-app alert on January 6 urged users to agree to the new terms and conditions that grants the app the right to share with Facebook some personal data about them, such as their phone number and location. Users failing to agree to the revised policy by February 8 were cautioned they would completely lose access to the service.
The announcement ended up creating so much confusion about the data-sharing arrangement that WhatsApp has decided to postpone the enforcement until May 15, a three month delay which it hopes will “clear up the misinformation.”
The Facebook-owned company has since clarified that the update does not expand its ability to share personal user chats or other profile information with Facebook and is instead simply providing further transparency about how user data is collected and shared when using the messaging app to interact with businesses.
Whether intentional or not, this ‘all-or-nothing’ approach backfired, leading to a surge in sign-ups for rival messaging apps such as Signal and Telegram.
Dealing yet another blow to WhatsApp, India’s technology ministry asked Facebook to withdraw the update, saying “the proposed changes raise grave concerns regarding the implications for the choice and autonomy of Indian citizens.”
With more than 400 million active users, India is WhatsApp’s largest market.
If anything, the development only serves to highlight the urgent need for more countries to pass European GDPR-like data protection regulations that explicitly spell out how data of users are collected, processed, and shared with other parties.
What’s trending in security?
Google researchers detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices, a Muslim prayer app called Salaat First was found selling location datato Predicio, and Amazon-owned Ring begins testing end-to-end video encryption.
- Internet of Things or Internet of Shit? A hacker locked internet-connected chastity cages manufactured by Qiui and demanded ransom from its users. [Vice Motherboard]
- Google researchers detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices. They were all addressed as of April 2020. [Google Project Zero]
- Whistleblower site DDoSecrets “has made available about 1 terabyte of that data, including more than 750,000 emails, photos, and documents from five companies.” The corporate information was amassed from dark web sites after ransomware operators leaked them. [WIRED]
- Android and iOS don’t extend encryption protections as far as they could, allowing for potentially unnecessary security vulnerabilities, according to researchers at Johns Hopkins University. [WIRED / Data Security on Mobile Devices]
- While Amazon-owned Ring is testing end-to-end video encryption, it also fixed a security flaw in its Neighbors app that exposed the precise locations and home addresses of users who had posted to the app. [TechCrunch]
- A popular Muslim prayer app called Salaat First has been found to sell location data to Predicio, which is linked to a US contractor which works with the Immigration and Customs Enforcement (ICE). The incident highlights how apps not only harvest location data, but also the ease with which this information is traded in the location data industry. [Vice Motherboard]
- Before Parler got shut of out of all platforms, it emerged that a hacker had managed to scrape 99% of the posts from the “free speech” social network. But how did she do it? It all came down to “abysmal coding and security” practices. [Ars Technica / WIRED]
- Microsoft says it’s planning to fix a bizarre Windows 10 bug that could corrupt a hard drive just by encountering an icon. [Bleeping Computer]
- The operators of the Ryuk ransomware are believed to have earned more than $150 million worth of Bitcoin from ransom payments by hacking companies all over the world. The payments were made from 61 deposit addresses. [Advanced Intelligence]
- Personal information of Americans sell on dark web marketplaces for the cheapest prices ($8 per record), per an analysis of stolen information across 40 different dark web marketplaces. Japan and the UAE have the most expensive identities at an average of $25. [Comparitech]
- The past fortnight in data breaches, leaks, and ransomware: European Medicines Agency, Nitro PDF, Pixlr, Scottish Environment Protection Agency, Ubiquiti, and the United Nations.
Data Point
Ransomware is now responsible for 46% of healthcare data breaches, a new research from Tenable has found. What’s more, over 35% of all breaches are linked to ransomware attacks, often at a financial cost.
According to cybersecurity company Emsisoft’s ‘State of Ransomware‘ report, in 2020 alone, 113 federal, state and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, colleges and universities were impacted.
“While organizations can never completely eliminate the possibility of human error, they can design their networks in such a way that they do not collapse like houses of cards when those errors occur,” Emsisoft researchers said.