Friday Five: 4/12 Edition
A once defunct hacking forum returns, the New York Times on privacy, and spyware apps - catch up on the week's infosec news with this roundup!
1. 74 screens of legalese don’t protect your data – here’s a blueprint for new laws that could make a difference by Fred H. Cate
Snazzy headline here, but Fred Cate, a professor at Indiana University, does a good job recapping some of the recent privacy legislation churn - GDPR, CCPA, some of the problems - consumers want better data protection, companies want national laws, and how to fix them. The piece highlights how rarely consumers understand the implications of privacy policies, the importance - and lack - of strong enforcement, namely by the FTC, and what Cate thinks the real point of data protection should be: "The real focus for data protection should be on how data is used and shared. Some uses might be permitted, some might be prohibited. Then people could focus more attention on the hard areas in between... It’s important not to overregulate, but that shouldn’t prevent policymakers from addressing uses of data that are widely accepted as inappropriate or even dangerous."
2. Gmail tools up to thwart MitM attacks by John Leyden
Google announced that it’s planning on fortifying Gmail with the SMTP MTA Strict Transport Security (MTA-STS) standard in the near future, something that should aid in thwarting man-in-the-middle attacks. Google, like most email providers, currently uses SMTP, which is fine and good but doesn't prevent attacks that intercept email in transit. The company said Wednesday that it has launched MTA-STS adherence in beta in tandem with the SMTP TLS Reporting internet standard, the first major email provider to do so. According to the Internet Engineering Task Force, MTA-STS "allows SMTP clients and hosts to negotiate the use of a TLS channel for encrypted mail transmission" and "provides a high barrier against passive man-in-the-middle traffic interception."
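To make the mechanism concrete, here is an added example (not Gmail's code or anything from the article) of the two pieces a receiving domain publishes under MTA-STS and the check a sending MTA performs against them: the DNS TXT record, the policy file, and the decision of whether delivery to a given MX host over TLS is allowed. The domain, record values and MX names are constructed for illustration.

```python
# Minimal MTA-STS (RFC 8461) policy check, written for this example (not Gmail's
# code): parse the TXT record and policy file, then decide delivery to an MX host.

SAMPLE_TXT = "v=STSv1; id=20190410T120000;"  # constructed; lives at _mta-sts.example.com
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup-mx.example.com
max_age: 604800
"""  # constructed; served at https://mta-sts.example.com/.well-known/mta-sts.txt

def parse_txt_record(record):
    """Return {'v': ..., 'id': ...}; a changed id tells senders to refetch the policy."""
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not a valid MTA-STS TXT record")
    return fields

def parse_policy(text):
    """Return version, mode, max_age (int) and the list of permitted MX patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "mx":
                policy["mx"].append(value.lower())
            else:
                policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches a permitted pattern; '*.' covers exactly one leftmost label."""
    labels = mx_host.lower().rstrip(".").split(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if len(labels) > 1 and labels[0] and ".".join(labels[1:]) == pattern[2:]:
                return True
        elif ".".join(labels) == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """'enforce' refuses non-compliant delivery; 'testing' and 'none' still deliver."""
    # tls_ok: STARTTLS succeeded with a certificate valid for mx_host (checked by caller)
    if (tls_ok and mx_allowed(policy, mx_host)) or policy["mode"] != "enforce":
        return "deliver"
    return "refuse"
```

In `testing` mode the same failures would be sent to the domain's TLS Reporting address instead of blocking delivery, which is how a provider can roll the policy out without losing mail.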
3. Researchers uncover spyware app for iOS distributed through phishing sites by Jay Jay
Neither Google's nor Apple's app store has proven to be completely impenetrable to hackers; they always find a way in somehow, some way. The latest example reportedly abused Apple's Developer Enterprise program to sidestep the store's protections and deliver spyware that could exfiltrate contacts, audio recordings, photos, videos, GPS location, and device information from iOS devices. The app, which had Android counterparts that were removed from Google's Play Store last year, managed to linger on Apple's App Store until just recently. According to SC Magazine, Apple has revoked certificates misused by eSurv, the Italian surveillance company behind the apps. "Existing installations of the malware are no longer in operation and no new spyware apps for iOS can be developed by the firm," SC Media's Jay Jay wrote on Tuesday. Italian authorities, for what it's worth, are also looking into the company, per Motherboard.
4. Notorious Hacking Forum And Black Market Darkode Is Back Online by Kate O'Flaherty
Does anything really stay dead on the internet? As part of what it dubbed Operation Shrouded Horizon, the FBI, along with law enforcement in 19 other nations, took down Darkode, a cybercrime forum where malware and credit card data were shared, four years ago. Now, at least according to this Forbes report, the forum's back, boasting "tools, exploits, 0days, accounts that have been cracked, configs for tools, and email/password combinations all available to the public." The site, which unlike its predecessor is on the regular internet, hasn't had an issue attracting users. It launched with 12,411 members and over 55,000 posts, according to Forbes. It remains to be seen how long it will continue operating, especially in the wake of the blog, in which a hacker seemingly entices the authorities: “Even when the FBI gained access to our web-hosting we had the entire database encrypted with a 4096-bit RSA encryption and some of it was salted. It would take them years to even get that information if they really wanted it."
5. How The Times Thinks About Privacy by AG Sulzberger
The Times launched a big, interactive section all around privacy and technology this week, and we'd be remiss if we didn't share it here. The paper says it will continue to update the section and treat it as an evolving repository for stories on how the sharing of information has changed life as we know it. There's a bunch of reads worth pointing to here, including opinion pieces by Emily Chang and Kara Swisher, but to preface everything, perhaps it’s worth reviewing how the paper interprets privacy, straight from the publisher himself. Sulzberger breaks down an unavoidable truth: it's pretty difficult to talk about privacy online today without acknowledging the tug of war between organizations and consumers: "As a journalist, I deeply believe that society benefits from the type of free-flowing information that overly broad privacy regulations could unintentionally impede… Countless companies are wrestling with these trade-offs, many of them doing the best they can within a digital ecosystem they can’t hope to unilaterally reform." The Times is not immune from these problems and points out that, more than likely, just by visiting the page you're hit with a deluge of cookies and other tracking mechanisms.