
Friday Five: 2/1 Edition

by Chris Brook on Tuesday September 15, 2020


Apple vs. Facebook, Ohio's Data Protection Act, and India's largest bank exposes the data of millions - catch up on some of the week's biggest infosec news with this roundup!

1. Facebook Is Paying Teens to Install a 'Research' App That Lets It Monitor Their Phones by Tom McKay

What has to be one of the biggest stories of the week came Wednesday when Apple shut down Facebook's ability to distribute internal iOS apps after it came to light that the company was exploiting a loophole to essentially harvest data from teenage users. The app, which Facebook paid users $20 a month to keep on their phones, appeared to be a reskinned version of Facebook's Onavo, a VPN of sorts that Apple banned from its App Store last year after it violated Apple's policies. As punishment, Apple gave Facebook the boot, revoking its iOS enterprise app certificate for 30 hours. It did the same thing to Google on Thursday after it was discovered, incredibly, that the company had been doing pretty much the same thing with a private app dubbed Screenwise Meter. Google apologized and disabled the app Thursday. Gizmodo's article does a good job aggregating the news, but if you're looking for more coverage, you're going to want to read the pieces by TechCrunch's Josh Constine, who broke the news.


2. Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts by Joseph Cox

It's not that we set out to include a Motherboard story here every week; it's just that pretty much every week the publication manages to crank out a fascinating story that commands the infosec world's attention. This week an article made clear that attackers are successfully exploiting flaws in SS7, the protocol used to coordinate out-of-band signaling for phone calls and text messages. While these attacks are nothing new, what's interesting is that the article says the UK's Metro Bank fell victim to one. "We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," the National Cyber Security Centre told the publication. For the uninitiated, the attacks can involve intercepting the two-factor authentication codes used for online banking, so that hackers, who in this instance would already have a user's username and password, can enter the codes themselves.

3. Ohio’s 'Data Protection Act' can shield higher ed against breach lawsuits by Joanna Grama

We've documented on the blog before just how much state data protection laws are in flux. Here's a good read on the benefits of one we hadn't heard of, the Ohio Data Protection Act, which went into effect last November. The piece, via SNG Group's EdScoop, suggests that Buckeye educational institutions can use the law's "affirmative defense" to negate liability for alleged unlawful conduct stemming from data breaches, as long as universities and other orgs have implemented at least some safeguards that meet a recognized standard, such as NIST's cybersecurity framework. "Higher education institutions can take maximum advantage of the new law by adopting a unified compliance approach for their cybersecurity programs," Joanna Grama, a senior consultant for Vantage Technology Consulting Group, wrote Monday.


4. India’s largest bank SBI leaked account data on millions of customers by Zack Whittaker

The State Bank of India denied on Thursday that its customers' data had been leaked, a day after a TechCrunch report alleged that data belonging to millions of its customers was being stored on a server with no password. The publication, with the help of an unnamed researcher, discovered that SBI Quick, a text-message- and call-based system, could be easily accessed. The flaw could have allowed anyone to see text messages sent to customers in real time, along with their phone numbers, bank balances, recent transactions, and even their partial bank account numbers. The server was secured after TechCrunch reached out to SBI and to India's National Critical Information Infrastructure Protection Centre. The bank told The Economic Times that it's continuing its investigation but that customers shouldn't worry about their data.


5. Facebook Hires Up Three Of Its Biggest Privacy Critics by Emily Dreyfuss

Facebook, which has had a rocky year on the privacy front to say the least, is still trying to right the ship. Over the past few weeks the company has hired three big privacy advocates: Nathan White, formerly of Access Now; Nate Cardozo, formerly of the Electronic Frontier Foundation; and Robyn Greene, of New America's Open Technology Institute. While Cardozo will technically be working under the WhatsApp umbrella as its privacy policy manager, the other two will work under Facebook proper. White will be the privacy policy manager, and Greene will be the privacy policy manager for law enforcement and data protection. Wired talked to a handful of privacy advocates this week to get their take, and they're resoundingly positive. It'll be an uphill battle, obviously, but it should be interesting to see how the three impact the company going forward.


Tags:  Privacy Data Protection Vulnerabilities Data Breaches
