October 21, 2019
Mind your own business! CEOs who misuse data could end up in jail
By Danny Bradbury
CEOs who lie about misusing consumers’ data could face up to 20 years in jail under a new piece of US legislation proposed last week.
The Mind Your Own Business Act, authored by Senator Ron Wyden, would jail top executives for 20 years if their companies were found lying about misusing citizens’ information.
The legislation follows a draft version known as the Consumer Data Protection Act, released for consultation on 1 November 2018.
The bill requires companies to submit annual data protection reports confirming that they’ve complied with the regulations, and explaining any shortcomings. This applies to any companies holding data on more than 50m people, or over a million people if they make more than $1bn in revenue.
The CEO or chief privacy officer must personally certify that annual report. If they deliberately certify something that isn’t true, then the courts can fine them up to $5m, or a quarter of the largest payment they received from the company across the last three years. They can also face up to 20 years in prison.
Companies would have to describe to consumers what information they were collecting and what they were going to do with it. They would also have to provide a site that enables consumers to opt out of any personal data collection, either through a web form or an application programming interface (API) which would let them do this via a piece of software, like a mobile app.
Read more at https://nakedsecurity.sophos.com/2019/10/21/bill-threatening-privacy-flouting-ceos-with-jail-time-hits-senate/
Phishy text message tries to steal your cellphone account
By Paul Ducklin
Lots of people still think of phishing as a type of scam that arrives by email.
That’s because most phishing attacks do, indeed, arrive in your inbox – sadly, spamming out emails is cheap and easy for crooks, and it delivers results simply because of the volume they can achieve.
But phishing isn’t only about email – it’s a scamming technique that applies to every form of electronic messaging, including social media, instant messaging…
…and even, or perhaps especially, good old SMS texts.
One of the delightful simplicities of SMS is that it was designed back when mobile phones first came out, and thus when network bandwidth was limited.
So SMSes are short, simple, and text-only, and this stripped-down nature actually makes them ideal for crooks.
Messages sent via SMS almost invariably use a brief and direct style, which means crooks don’t need to master the grammatical niceties of English to create believable texts.
The brevity of SMSes also means that shortened or unusual-looking URLs are commonplace, so we’re more inclined to accept them than we would be if they showed up in an email.
Read more at https://nakedsecurity.sophos.com/2019/10/18/phishy-text-message-tries-to-steal-your-cellphone-account/
Some Android adware apps hide icons to make it hard to remove them
By John E Dunn
An Android app caught pushing adware is normally simple to deal with – click and drag it to the top right of the screen and into the trash can.
App gone, ideally followed up with a public-spirited one-star rating on the Google Play store to alert others to its bad behavior.
But what happens if there’s no home screen or app tray icon?
New research by SophosLabs has discovered 15 apps on Google Play that install without icons as part of a campaign to keep themselves on the user’s device.
The motivation is to keep pushing obtrusive ads for as long as possible. But for some of the apps, the evasion doesn’t stop with disappearing icons.
For example, Flash On Calls & Messages (1 million installs since January 2019) tries to convince users it never installed properly in the first place.
When first launched, users are greeted with the message “This app is incompatible with your device!” The app then opens the Play store and navigates to the page for Google Maps to distract users from the nature of this failure.
Read more at https://nakedsecurity.sophos.com/2019/10/18/some-android-adware-apps-hide-icons-to-make-it-hard-to-remove-them/
Bitcoin money trail leads cops to ‘world’s largest’ child abuse site
By Lisa Vaas
US, British and South Korean police announced on Wednesday that they have taken down Welcome To Video: a Darknet market that had what the US Department of Justice (DOJ) says is the world’s most voluminous offerings of child abuse imagery.
The DOJ called this the largest market for child sexual abuse videos, and said that this is one of the largest seizures of this type of contraband. The 8 terabytes worth of child sexual abuse videos, which are now being analyzed by the National Center for Missing and Exploited Children (NCMEC), comprise over 250,000 unique videos, 45% of which contain new images that weren’t previously known to exist.
The global crackdown, which has so far led to the arrest of 337 alleged users and the indictment of the website’s admin, has led to the rescue of at least 23 victims living in the US, Spain and the UK. The DOJ says that the minors were actively being abused by site users.
The admin of Welcome to Video, who was indicted on Wednesday, is Jong Woo Son, 23, a South Korean national who was previously charged and convicted in South Korea. He’s now serving his sentence in South Korea.
The global dragnet has scooped up 337 alleged site users who’ve been arrested and charged worldwide: throughout the US, the UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia. About 92 individuals’ homes and businesses in the US have been searched.
Five search warrants issued in the Washington, D.C. metropolitan area have led to the arrests of eight people suspected of both conspiring with Jong Woo Son and of being website users themselves. The DOJ says that two suspected users committed suicide after the search warrants were executed.
Read more at https://nakedsecurity.sophos.com/2019/10/18/bitcoin-money-trail-leads-cops-to-worlds-largest-child-abuse-site/
Much-attacked Baltimore uses ‘mind-bogglingly’ bad data storage
By Lisa Vaas
Many staffers in the IT department of the much-hacked US city of Baltimore have been storing files on their computers’ hard drives – as in, they haven’t kept properly backed-up data, stored in the cloud or off-site, an audit has found.
The Baltimore Sun reports that Baltimore City Auditor Josh Pasch, who presented his findings last month to a City Council committee, told the committee that because of (outdated and strongly inadvisable) data backup habits, the city hasn’t been able to provide documentation regarding the IT department’s performance goals, which include modernizing mainframe apps.
Some key personnel kept files on their computers – files that were lost in a May 2019 ransomware attack that reportedly involved a strain of ransomware called RobbinHood. The attack partially paralyzed the city’s computer systems.
The Baltimore Sun quoted Pasch:
Performance measures data were saved electronically in responsible personnel’s hard drives. One of the responsible personnel’s hard drive was confiscated and the other responsible personnel’s selected files were removed due to the May 2019 ransomware incident.
The newspaper quoted an alleged exchange between Pasch and City Councilman Eric T. Costello, a former government IT auditor himself:
Costello: That can’t be right? That’s real?
Pasch: One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it.
Costello: Wow. That’s mind-boggling to me. They’re the agency that should be tasked with educating people that that’s a problem.
Read more at https://nakedsecurity.sophos.com/2019/10/18/much-attacked-baltimore-uses-mind-bogglingly-bad-data-storage/