November 13, 2019

Microsoft says it will honor California’s new privacy law across US

By Lisa Vaas

You know California’s Consumer Privacy Act (CCPA), the tough new privacy law? The sweeping, GDPR-esque legislation set to go into effect on the first day of the new year that’s set off palpitations within the breasts of tech companies and lawmakers, what with its specter of fines and compliance costs?

Microsoft’s cool with it.

In fact, the company said that it plans to “honor” the law throughout the entire country, even though it’s only a state law. That’s similar to what it did in 2018, when the European Union’s comprehensive General Data Protection Regulation (GDPR) went into effect and the company extended the regulation’s data privacy rights worldwide, above and beyond the Europeans it covers.

On Monday, Microsoft chief privacy officer Julie Brill said in a blog post that CCPA is good news, given the failure of Congress to pass a comprehensive privacy protection law at the federal level.

Chalk one up for Microsoft when it comes to privacy signaling in the runup to CCPA’s debut. Here’s Brill:

CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.

Brill reminded the world that Microsoft’s privacy attitude “starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.”

We will extend CCPA’s core rights for people to control their data to all our customers in the U.S.

True, we don’t know exactly what it’s going to take to digest this enchilada, Brill said:

Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing.

…but we’ll stay on top of it, she said:

Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S.

In spite of the US Federal Trade Commission (FTC) marching down to Capitol Hill to beat the drum for a unified federal privacy law (and more regulatory powers to enforce it), and in spite of both the House and Senate holding hearings on privacy legislation, on transparency about how data is collected and shared, and on stiffer penalties for data-handling violations, none of the slew of online privacy bills put before Congress this year looks likely to make it.

Read more at https://nakedsecurity.sophos.com/2019/11/13/microsoft-says-it-will-honor-californias-new-privacy-law-across-us/

No, YouTube isn’t planning to jettison your unprofitable channel

By Lisa Vaas

YouTube may terminate your access, or your Google account’s access to all or part of the service if YouTube believes, in its sole discretion, that provision of the service to you is no longer commercially viable.

A representative comment from the multiple YouTubers who’ve tweeted out that clause:

So according to Youtube’s new Terms of Service, if your channel isn’t making them enough money, they’ll just terminate it.

To all of the smaller content creators out there, it was nice knowing ya.

In a nutshell, that’s not going to happen. Google isn’t suddenly going to start shutting down channels that aren’t making money. Google released the updated YouTube Terms of Use on Sunday in order to, well, update them, plus to make them easier to read. A YouTube spokesperson says nothing’s changing:

We made some changes to our Terms of Service in order to make them easier to read and to ensure they’re up to date. We’re not changing the way our products work, how we collect or process data, or any of your settings,

Read more at https://nakedsecurity.sophos.com/2019/11/13/no-youtube-isnt-planning-to-jettison-your-unprofitable-channel/

Apple to fix Siri bug that exposed parts of encrypted emails

By Danny Bradbury

Apple may care about your privacy but that doesn’t mean it gets it right all the time, especially when it comes to training its Siri AI assistant. Last week, a researcher went public with a glaring security hole in the way that Siri gets to know you.

Apple IT specialist Bob Gendler was tinkering around in the macOS operating system to understand more about how Apple personalizes Siri for each user. During the process, he found that the operating system was storing portions of user emails in plaintext, even when they were supposed to be encrypted.

According to Gendler’s Medium post revealing the issue, Apple uses a system process called suggestd. Apple explains (in the help file, or man page, of the underlying BSD-based OS) that the program, which runs constantly, slurps content from various apps, including Spotlight (the macOS indexing system), Mail, and Messages. It uses that content to learn how you work and what you’re interested in, for things like news personalization.

When it reads this information, it stores it in the snippets.db file inside the macOS Suggestions folder. Even emails encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME), a technology that uses public and private keys to digitally sign and protect emails, didn’t escape: suggestd stored the plaintext versions in the database with no encryption at all.

An attacker would need full disk access to your system files to look at this information, because macOS protects it with its System Integrity Protection feature, an OS X El Capitan-era security measure that ring-fences important system files. However, we know from recent problems that some people have needed to turn this off, and Gendler says that any program with full disk access in macOS could potentially harvest the data. Because Apple’s Finder (the equivalent of Windows File Explorer) has full access, a rogue AppleScript program could do it.

Read more at https://nakedsecurity.sophos.com/2019/11/12/macos-personalization-tech-leaves-secrets-in-plain-view/

Nvidia patches graphics products and GeForce Experience update tool

By John E Dunn

Nvidia’s November 2019 update just fixed 11 mainly high-severity security flaws in its Windows and GeForce graphics card drivers, including three in the program used to update them.

Users often associate driver updates for graphics cards with performance, stability and general bug fixes but security has become almost as big an issue in recent years.

The three with the highest severity – CVE-2019-5690, CVE-2019-5691 and CVE-2019-5692 – are kernel mode flaws in the Nvidia Windows GPU display driver that could be exploited to cause a crash or escalation of privileges.

The same component features a further four lower-rated flaws, CVE-2019-5692, CVE-2019-5693, CVE-2019-5695, and CVE-2019-5694, the latter requiring local access.

Read more at https://nakedsecurity.sophos.com/2019/11/12/nvidia-patches-graphics-products-and-geforce-experience-update-tool/

Sextortionist whisks away sex tapes using just a phone number

By Lisa Vaas

A 33-year-old businessman from Toronto got jumped by a sextortionist who got at his phone’s sex tapes via SIM-swap fraud.

CBC News on Sunday reported that the victim, Randall Baran-Chong, knew trouble had come knocking when he got a message last week from his phone carrier about his phone service being cut off.

Baran-Chong said that around 3:30 a.m., he started to get emails warning about changes made to his Microsoft account: his password had been reset, and his email address had been removed as a verification method.

I knew things were about to go badly.

What followed: the attacker locked down his laptop, bought an Xbox video game gift card and charged it to Baran-Chong’s credit card, accessed his personal files, and threatened him with sextortion: all possible because whoever it was had stolen his mobile phone number.

How the crooks swing a SIM swap

As we’ve explained, SIM swap fraud, also known as phone-porting fraud, works because phone numbers are tied to the SIM card rather than to the handset – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

Read more at https://nakedsecurity.sophos.com/2019/11/12/sextortionist-whisks-away-sex-tapes-using-just-a-phone-number/

ASP.NET hosting provider recovering from ransomware attack

By Lisa Vaas

SmarterASP.NET – a provider that hosts Microsoft’s ASP.NET open-source web framework and reportedly has more than 440,000 customers – suffered a ransomware attack on Saturday.

SmarterASP.NET was blunt in a status update on Monday titled:

Your hosting accounts are under attack

This wasn’t a partial paralysis. The provider advised customers that all data had been encrypted and that it was working with security experts to try to decrypt it, as well as making sure that “this would never happen again.”

Please don’t email us, the company asked, saying that it was (understandably!) being flooded by emails and that it doesn’t employ enough people to answer them all. It directed customers to its Facebook page for updates.

As of Monday morning, the provider said that it had fully restored FTP and control panel services – though, going by comments on its Facebook post, it sounds like the company’s stressed-out servers were still giving off a miasma of 503 Service Unavailable error messages.

In that post, the company warned customers not to download encrypted files. “If you still see encrypted files, we will get to it soon,” SmarterASP.NET said. The malware encrypted customers’ web hosting accounts, from which they access servers that may contain the files and data they need to run their sites. Thus, it’s not just the SmarterASP.NET customers that lost all their data: it’s also their websites that were affected.

SmarterASP.NET’s website was also temporarily knocked offline by the attack, but it was reportedly back online as of Sunday morning.

Read more at https://nakedsecurity.sophos.com/2019/11/12/asp-net-hosting-provider-recovering-from-ransomware-attack/

Microsoft urges us to patch after partially effective BlueKeep attack

By Danny Bradbury

Microsoft has urged people to patch their Windows systems following the report of widespread attacks based on the BlueKeep vulnerability.

BlueKeep is the code name for a security hole designated CVE-2019-0708, first revealed in May 2019. The flaw, in Windows 7 and Windows Server 2008, allows attackers to break into a computer through the Windows Remote Desktop Protocol (RDP) – without bothering with the RDP logon screen first.

Exploiting the vulnerability was technically difficult, creating a tense race to patch systems in the wild before someone released an exploit.

Read more at https://nakedsecurity.sophos.com/2019/11/11/microsoft-urges-us-to-patch-after-partially-effective-bluekeep-attack/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation