March 13, 2019

New bill would give parents an ‘Eraser Button’ to delete kids’ data

By Lisa Vaas

Two US senators on Tuesday proposed a major overhaul of the Children’s Online Privacy Protection Act (COPPA) that would give parents and kids an “Eraser Button” to wipe out personal information that companies have scooped up online about kids.

The bipartisan bill, put forward by Senators Edward J. Markey (D-Mass.) and Josh Hawley (R-Mo.), would also expand COPPA protection beyond its current coverage of children under 13 in order to protect kids up until the age of 15.

The COPPA update also packs an outright ban on targeting ads at children under 13 without parental consent, and from anyone up until the age of 15 without user consent. The bill also includes a “Digital Marketing Bill of Rights for Minors” that limits the collection of personal information on minors.

The proposed bill would also establish a first-of-its-kind Youth Privacy and Marketing Division at the Federal Trade Commission (FTC) that would be responsible for addressing the privacy of children and minors and marketing directed at them.

Read more at https://nakedsecurity.sophos.com/2019/03/13/new-bill-would-give-parents-an-eraser-button-to-delete-kids-data/

Facebook sues developers over data-scraping quizzes

By Lisa Vaas

Facebook on Friday sued two Ukrainian men, Andrey Gorbachov and Gleb Sluchevsky, for allegedly scraping private user data through malicious browser extensions that masqueraded as quizzes.

The company also alleges that the deceptive extensions injected unauthorized ads into Facebook users’ News Feeds when the victims visited Facebook through their compromised browsers.

From Facebook’s civil complaint:

As a result of installing the malicious extensions, the app users effectively compromised their own browsers because, unbeknownst to the app users, the malicious extensions were designed to scrape information and inject unauthorized advertisements when the app users visited Facebook or other social networking site as part of their online browsing.

According to the complaint, from 2016 to 2018, Sluchevsky and Gorbachov allegedly ran at least four web apps: “Supertest,” “FQuiz,” “Megatest,” and “Pechenka.”

The apps ran quizzes promising answers to questions such as “Do you have royal blood?”, “You are yin. Who is your yang?” and “What kind of dog are you according to your zodiac sign?” among many others.

Read more at https://nakedsecurity.sophos.com/2019/03/12/facebook-sues-developers-over-data-scraping-quizzes/

Study throws security shade on freelance and student programmers

By Lisa Vaas

Security researchers often dump on users for their cruddy password practices. But what about the developers who write the code that’s supposed to keep our passwords safe?

…as in, what’s up with the developers who fail to properly encrypt/salt/hash, who use outdated password storage methods, who copy-and-paste code they found online (vulnerabilities and all), who leave passwords sitting around in plain text, or who don’t understand the difference between encryption and hashing?

There have only been a few studies looking at how developers handle end-user password storage, even though it is their code, not the end user’s habits, that decides how well stored passwords hold up after a breach. After all, a user reusing a password can have dire results for that individual, but a developer who stores an entire database of passwords without hashing and salting them creates a far more widespread problem.

One such study, from 2017-2018, used computer science students as lab rats to examine how developers deal with secure password storage.
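The failure modes listed above (plain text, an outdated unsalted fast hash, no way to raise the work factor later) are easiest to see next to the correct pattern. The following is an added example written for this digest, not code from the study or from Naked Security. It uses only the Python standard library; the 600,000-iteration figure is OWASP’s published guidance for PBKDF2-HMAC-SHA256 rather than anything from the article, and the sample passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 is the figure OWASP's Password
# Storage Cheat Sheet gives for this algorithm (assumption: tune it so one
# verification costs a few hundred milliseconds on your own hardware).
PBKDF2_ITERATIONS = 600_000


def store_unsalted_md5(password: str) -> str:
    """The outdated pattern the article criticises: a fast, unsalted digest.
    Two users with the same password get the same digest, and common
    passwords are recovered instantly from a precomputed wordlist."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(digest: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack against an unsalted MD5 digest: one cheap hash
    per candidate, and the work can be precomputed and reused for every record."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == digest:
            return candidate
    return None


def store_password(password: str) -> str:
    """Salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 from the
    standard library). The record is self-describing so the algorithm and
    work factor can be raised later without locking existing users out."""
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the
    record and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str) -> bool:
    """True when a stored record uses a lower work factor than the current
    setting; rehash on the user's next successful login."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    # Constructed sample data: "hunter2" stands in for a weak, common password.
    wordlist = ["123456", "password1", "hunter2", "letmein"]
    weak = store_unsalted_md5("hunter2")
    print("unsalted md5 cracked as:", crack_unsalted_md5(weak, wordlist))
    rec = store_password("hunter2")
    print("salted record:", rec[:40] + "...")
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:  ", verify_password("hunter3", rec))
```

verify_password recomputes from the salt and iteration count embedded in the record, and needs_rehash lets a site migrate old records upward on the user’s next login instead of forcing a reset; hmac.compare_digest avoids leaking how many bytes matched through timing. The same record structure works with hashlib.scrypt or a bcrypt or Argon2 library, which are preferable where available.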

Read more at https://nakedsecurity.sophos.com/2019/03/12/study-throws-security-shade-on-freelance-and-student-programmers/

Citrix admits attackers breached its network – what we know

By John E Dunn

On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network.

According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March, and has since established that attackers took “business documents” during the incident:

The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.

There is no mention of when the attackers gained access, nor how long they kept it. As to how they got into the network of a company estimated to manage VPN access for 400,000 large organisations worldwide:

While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.

If you’re a customer of Citrix, apart from the lack of detail, two aspects of the statement will have unsettled you: the idea that attackers could bypass “additional layers of security” at a major tech company and the fact that the company didn’t know about the compromise until the FBI contacted it.

Read more at https://nakedsecurity.sophos.com/2019/03/12/citrix-admits-attackers-breached-its-network-what-we-know/

Email list-cleaning site may have leaked up to 2 billion records

By Danny Bradbury

The number of records exposed online by an email list-cleaning service in February may be far higher than originally reported, according to experts. The number of records available for anyone to download in plaintext from a breach at Verifications.io may have been closer to two billion.

Security researcher Bob Diachenko, who found the exposed data and worked on the breach investigation with research partner Vinny Troia, originally explained that on 25 February 2019, he discovered a 150GB MongoDB instance online that was not password protected.

There were four separate collections in the database. The largest one contained 150GB of data and 808.5 million records, he said in his blog post on the discovery. This included 798 million records that contained users’ email, date of birth, gender, phone number, address and Zip code, along with their IP address.

He then did some due diligence:

As part of the verification process, I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another ‘Collection’ of previously leaked sources but a completely unique set of data.

Exposed MongoDB instances don’t always clearly indicate who uploaded them, but Diachenko’s research turned up a likely suspect: Verifications.io. This company, which has now taken down its website, offered what it called enterprise email validation services, along with free phone number lookup.
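An exposure of this kind usually comes down to two mongod settings: a bind address that accepts connections from anywhere and authorization left disabled. As an added example, not a configuration from the article or from Verifications.io, here is the shape of a mongod.conf that produces an open instance, followed by the hardened form; the private address and certificate path are placeholders.

```yaml
# Exposed: reachable from the internet, no credentials required.
# (Added example; nothing here is taken from the incident.)
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface
security:
  authorization: disabled    # anyone who can connect can read every collection
---
# Hardened: private listener, TLS, and role-based access control.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5           # loopback plus the app server's private address (placeholder)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled     # create an admin user via localhost first, then enable
```

With authorization enabled, an unauthenticated listDatabases or find from any client fails with an authorization error, and with the bind address restricted the port is not reachable from the internet at all; a firewall rule in front of the host is still worth having as a second layer. The order matters: create the administrative user while the instance is still bound to loopback, then enable authorization and restart.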

Read more at https://nakedsecurity.sophos.com/2019/03/12/researchers-disagree-on-volume-of-exposed-verificationsio-records/

John Oliver bombards the FCC with anti-robocall robocall campaign

By Maria Varmazis

Americans are fed up with robocalls, and John Oliver of Last Week Tonight wants to do something about it.

Despite the existence of a do-not-call list and tools like call-blocking apps and caller ID to slow down incoming call spam, these tools have barely made a dent in the flood of harassing phone calls most Americans receive on their phones, with no real recourse to stop them.

Unfortunately it just seems to be getting worse year after year – in 2018 alone robocall volume in the US increased by 56.8% to 48 billion calls, and the Federal Communications Commission (FCC) reports that about half the phone calls made to cell phones in the US in 2019 will be robocalls.

Enough is enough of that, says John Oliver, comedian and host of TV show Last Week Tonight. He and his show are known for stunt activism to make a larger point about various societal and political ills in America.

Last Week Tonight has also gone after the FCC a few times in the past, namely in highlighting net neutrality and how it would affect the average internet user. The first time the show aired a net neutrality segment, the FCC’s website was DoSed into silence by angry viewers.

In the 10 March episode of Last Week Tonight, Oliver reported that 60% of the complaints registered to the FCC are about robocalls. So in his show’s tradition, Oliver announced that he’s hoping to spur the FCC into real action by giving them a taste of the annoyance of everyday Americans by subjecting the FCC commissioners to this message every 90 minutes:

Hi FCC! This is John from Customer Service. Congratulations! You’ve just won a chance to lower robocalls in America today. Haha… sorry, but I am a live person. Robocalls are incredibly annoying, and the person who can stop them is you! Talk to you again in 90 minutes. Here’s some bagpipe music.

So, if robocalls are such a problem, what is the FCC doing about it?

Read more at https://nakedsecurity.sophos.com/2019/03/12/john-oliver-bombards-the-fcc-with-anti-robocall-robocall-campaign/

US Army clarifies its killer robot plans

By Danny Bradbury

The US Army has been forced to clarify its intentions for killer robots after unveiling a new program to build AI-powered targeting systems.

The controversy surrounds the Advanced Targeting and Lethality Automated System (ATLAS). Created by the Department of Defense, it is a program to develop:

Autonomous target acquisition technology, that will be integrated with fire control technology, aimed at providing ground combat vehicles with the capability to acquire, identify, and engage targets at least 3X faster than the current manual process.

That text comes from the US Army, which has announced an industry day taking place next week to brief industry and academia on its progress so far, and to source new expertise.

To translate, ATLAS is a project to make ground robots that are capable of finding and shooting at targets more quickly than people can. This raises the spectre of lethal AI once again.

Ethicists and scientists are already hotly debating this issue. Some 2,400 scientists and other AI experts including Elon Musk and DeepMind CEO Demis Hassabis signed a pledge under the banner of the Boston-based Future of Life Institute protesting the development of killer AI.

The UN has not yet taken decisive action, but Secretary-General Antonio Guterres has called for an outright ban.

Read more at https://nakedsecurity.sophos.com/2019/03/11/us-army-clarifies-killer-robot-plans/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244
