Apple and Google questioned by Congress over user tracking

By Lisa Vaas

In May, two weeks before the “we’re not kidding about this protecting user data stuff” General Data Protection Regulation (GDPR) went into effect in the EU, Apple started getting its protecting-user-data ducks in a much straighter row.

It cracked down on developers whose apps share location data, kicking them off the App Store until they cut out any code, frameworks or Software Development Kits (SDKs) that were in violation of its location data policies.

But hang on a minute… members of the US House of Representatives Energy and Commerce Committee asked Apple on Monday: why was it even necessary to limit how much data third-party app developers can collect from Apple device users in the first place?

… given that CEO Tim Cook has repeatedly told the press that Apple believes that “detailed profiles of people that have incredibly deep personal information that is patched together from several sources [shouldn’t] exist”?

Similar question to Alphabet CEO Larry Page: in June 2017, Google announced that Gmail would stop reading our email.

Nonetheless, reports surfaced last week that found the company is still allowing third parties to merrily scan away, giving them access to our email text, signatures, and receipt data, in order to target-market advertising. In fact, a new class action suit was filed against the company on Thursday night over developers’ scanning of millions of users’ private messages.

The committee wants Apple and Alphabet to answer some questions about how they’ve represented all this third-party access to consumer data, about their collection and use of audio recording data, and about location data that comes from iPhone and Android devices.

Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.

Read more at https://nakedsecurity.sophos.com/2018/07/11/apple-and-google-questioned-by-congress-over-user-tracking/

England versus Facebook – score currently stands at £500,000-nil

By Paul Ducklin

It’s the hot story right now in Europe…

…no, we’re not talking about the news that France just dumped neighbors Belgium out of the World Series with a 1-0 victory. [Surely you mean the World Cup? – Ed.]

We’re talking about the widespread media coverage that the UK Information Commissioner’s Office (ICO) intends to fine Facebook £500,000 (about $660,000) over the Cambridge Analytica fiasco:

[The ICO intends] to fine Facebook a maximum £500,000 for two breaches of the Data Protection Act 1998.

Facebook, with Cambridge Analytica, has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world. This is now estimated at 87 million.

The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.

Cambridge Analytica (CA) – in cased you missed the saga as it uncoiled itself earlier this year – was a web analytics company started by a group of researchers with connections to Cambridge University in the UK.

Read more at https://nakedsecurity.sophos.com/2018/07/11/england-versus-facebook-score-currently-stands-at-500000-nil/

Think that bitcoins and a VPN keep you anonymous? Think again…

By Paul Ducklin

Lots of people think that a VPN, short for virtual private network, is enough on its own to keep them safe and anonymous online.

If you add some sort of mostly-untraceable digital cash into the mix – a cryptocurrency such as Bitcoin or Monero, for example – then you’d be forgiven for thinking that you’re as good as invisible.

So, it’s easy to assume that VPN + cryptocoins == private && secure.

But VPNs and cryptocoins only go so far in keeping cybercrooks and other undesirables out of your online life, and here’s why.

Simply put, a VPN encrypts your network traffic – every data packet, not just your web browsing or email – and transports it to a server somewhere else on the internet.

That server then strips off the encryption and sends your data on its way, as if it had originated from the VPN operator’s network, not from your phone or your laptop.

Read more at https://nakedsecurity.sophos.com/2018/07/10/think-that-bitcoins-and-a-vpn-keep-you-anonymous-think-again/

Why the airplane romance that went viral should worry everyone

By Lisa Vaas

Last week, a woman named Helen (she asked that her last name not be published, for reasons that will soon be clear to anybody who favors privacy over virally inflicted fame) got on a plane in New York, heading for Texas, and left her privacy on the tarmac.

It all began when a lady with a sweet Southern drawl asked to switch seats so she could sit next to her boyfriend.

Sure. Good deed for the day, Helen must have thought. Why not?

So Helen swapped seats and wound up sitting next to an attractive guy with whom she shared conversation, including showing each other family photos on their cell phones.

I know this, and the internet knows this, because along with her boyfriend, the woman who made the request – her name is Rosey Blair – sat in the row behind Helen, whose privacy the couple was about to roto-rooter.

Blair and her boyfriend, Houston Hardaway, began to chronicle – and publicly post, through photos, videos and commentary – Every. Single. Move. Those. Two. People. Made. …And to interpret every one of those moves, slathering their own alternatively romantic/lascivious storyline onto the interactions of two people they’d never met and whose motivations they could only guess at, like so much sweetened-lard frosting on a cardiac-arrest wedding cake.

Read more at https://nakedsecurity.sophos.com/2018/07/10/why-the-airplane-romance-that-went-viral-should-worry-everyone/

Woman scams scammer, incriminates self in the process

By Lisa Vaas

First, the international scammer hacked a business account and used it to buy a computer.

Then, he put up an ad, offering a “job opportunity” online to somebody who could pick up that computer in Laconia, New Hampshire, and ship it overseas.

Sounded good to Jennifer Wozmak. According to WMUR News, the New Hampshire woman answered the ad. Then, she did, in fact, pick up the fraudulently purchased laptop, promising to send it along.

The laptop would never make it, though – Wozmak sent a stack of old magazines in its place. She eventually turned herself in, telling police that she sold the computer and kept the money.

Now, having allegedly scammed the scammers, she’s facing charges.

WMUR quoted Wolfeboro, NH Police Chief Dean Rondeau, who said that this scenario happens a lot. People should stay away from these come-ons, he said:

What they want you to do is essentially be a straw man in a scam. They may wave money to pick up an item and move it to another location. Don’t do it.

The long and short of it is if you have any questions and you think something might not be legitimate, pick up your phone and call your local police department and ask to talk to an officer and he will help you work through that, there is no harm in that.

The chief didn’t have any advice for the scammer who got scammed, however. Perhaps “Nyah, nyah, nyah” would suffice?

Read more at https://nakedsecurity.sophos.com/2018/07/10/woman-scams-scammer-incriminates-self-in-the-process/

Gas thieves remotely pwn pump with mysterious device

By Lisa Vaas

Last month, in broad daylight, thieves somehow hacked into a Detroit gas pump and, over the course of about 90 minutes, stole 600 gallons of gas.

The gas, worth about $1,800, was pumped into the tanks of 10 cars, all while the station attendant tried and failed to shut the gas pump down.

The attendant, Aziz Awadh, told Fox 2 Detroit that until he finally got an emergency kit to shut down the pump, he couldn’t get the system screen to respond:

I tried to stop it, but it didn’t work. I tried to stop it here from the screen, but the screen’s not working. I tried to stop it from the system, [but nothing was] working.

After Awadh finally got the pump shut down, he called police.

There are plenty of videos available online about button sequences that will get a pump to give you free (also known as stolen!) gas. But police say that the Detroit gas thieves were actually using a remote device to hack the pump. Police also told Fox that it’s an active investigation. As of Thursday, they weren’t sure whether all the people in the 10 cars were in on the theft.

The owner declined to share surveillance video with the TV station. But police told Fox that whatever device was used did, in fact, prevent the pump from being turned off from inside the station.

Police are looking for two suspects.

That’s about all we know at this point. One possible explanation is that the attackers targeted the fuel-management software used by the Marathon gas station.

Read more at https://nakedsecurity.sophos.com/2018/07/10/gas-thieves-remotely-pwn-pump-with-mysterious-device/