May 13, 2020
TikTok’s handling of child privacy gets another watchdog’s attention
By Lisa Vaas
TikTok: sometimes it’s funny, sometimes it’s cringey, and pretty much all the time it’s addictive (particularly for young people, and particularly during lockdown).
Also pretty much all the time, the app – which lets users share their short videos – is being investigated for how it handles children’s data. This time around, it’s the Dutch privacy watchdog’s turn.
On Friday, the Dutch Data Protection Authority (DPA) announced that it’s launched an investigation into how TikTok handles user privacy.
As it is, millions of children and teenagers all over the world are sharing their videos on the social media app, the DPA said. It’s grown to be a particularly important tool for staying in touch and spending time with friends, particularly during the coronavirus crisis. But what kind of danger is it exposing our children to?
From the DPA’s announcement:
In the Netherlands many children now have TikTok on their phones. The rise of TikTok has led to growing concerns about privacy.
Are the kids alright?
The watchdog noted that under Dutch law and under the EU General Data Protection Regulation (GDPR), children are seen as particularly vulnerable because they’re “less aware of the consequences of their actions, especially when it comes to sharing personal data on social media.”
Read more at https://nakedsecurity.sophos.com/2020/05/13/tiktoks-handling-of-child-privacy-gets-another-watchdogs-attention/
Criminal forum trading stolen data suffers ironic data breach
By John E Dunn
Someone on the dark web is touting for sale an unusual database a lot of people might pay handsomely to get their hands on.
Another rich cache full of sensitive company data, or perhaps something stolen from a military power?
In fact, according to Cyble, the security company that verified its authenticity, this is data that a specialized group of internet users will find far more interesting – a database of the criminal account holders of the now defunct WeLeakData.com breach data trading forum.
Read more at https://nakedsecurity.sophos.com/2020/05/13/criminal-forum-trading-stolen-data-suffers-ironic-data-breach/
Thunderspy – why turning your computer off is a cool idea!
By Paul Ducklin
This month’s Bug with An Impressive Name, or BWAIN for short, is Thunderspy.
As well as a cool name, Thunderspy also has its own logo, its own domain name, its own website and a “recorded live” video showing a Thunderspy attack in action.
There’s also a technical paper that’s detailed but nevertheless readable, by security researcher Björn Ruytenberg from Eindhoven University of Technology in The Netherlands.
As you’ve probably guessed, Thunderspy gets its name from Thunderbolt, a type of hardware interconnection system for plugging high-performance external devices into your computer.
You might wonder why Thunderbolt ever came along in a world that already has USB, DisplayPort, HDMI and other methods of connecting almost any peripheral you might want to your computer, including microphones, webcams, headphones, screens, keyboards, mobile phones, scanners, printers, memory sticks and hard disks.
The answer, as with so many features in modern devices, is performance.
Thunderbolt doesn’t just let you plug devices into your computer so they can communicate with one another – it tunnels PCI Express over the cable, so a plugged-in device gets direct memory access (DMA) to the computer’s RAM, pretty much as if you had taken the lid off your gaming desktop and plugged a PCIe card directly into one of the slots on the motherboard. Unless the operating system puts an IOMMU between that device and memory, the device can read and write RAM without asking.
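The practical question that paragraph raises is whether your own machine actually has an IOMMU standing between Thunderbolt devices and memory. The following POSIX shell script is an added example, not code from the article or from the Thunderspy research: it reads the Linux sysfs attributes that describe each Thunderbolt domain (`security`, and `iommu_dma_protection` on kernels that expose it) together with the presence of IOMMU groups, and prints a verdict. The root-path parameter and the `make_fixture` helper, which builds a constructed sysfs-like tree with sample values, are assumptions added so the functions can be exercised offline; the verdict rule is mine, not the article's.

```shell
#!/bin/sh
# Added example (not from the article). Summarises Linux Thunderbolt/IOMMU
# posture from sysfs:
#   <root>/kernel/iommu_groups/                    non-empty when an IOMMU is active
#   <root>/bus/thunderbolt/devices/domainN/security
#       none | user | secure | dponly | usbonly | nopcie
#   <root>/bus/thunderbolt/devices/domainN/iommu_dma_protection
#       1 when firmware enables IOMMU-based DMA protection for TB devices
# <root> defaults to /sys; pass another path to read a constructed tree.

# Exit 0 when the kernel reports at least one IOMMU group, 1 otherwise.
iommu_active() {
    r="${1:-/sys}"
    [ -d "$r/kernel/iommu_groups" ] && [ -n "$(ls -A "$r/kernel/iommu_groups" 2>/dev/null)" ]
}

# Print "<domain> security=<level> dma_protection=<0|1|unknown>" per domain.
tb_domains() {
    r="${1:-/sys}"
    for d in "$r"/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        sec=$(cat "$d/security" 2>/dev/null || echo unknown)
        dma=$(cat "$d/iommu_dma_protection" 2>/dev/null || echo unknown)
        echo "$name security=$sec dma_protection=$dma"
    done
}

# Print "mitigated", "exposed" or "no-thunderbolt"; exit 1 only for "exposed".
# Rule (mine): a domain counts as mitigated when PCIe tunnelling is off
# (dponly/usbonly/nopcie) or when iommu_dma_protection=1 and an IOMMU is
# active. "user"/"secure" still leave the PCIe path open once a device is
# authorised, so they are reported but not treated as a hard mitigation.
tb_verdict() {
    rt="${1:-/sys}"
    verdict=mitigated
    found=0
    for d in "$rt"/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        found=1
        sec=$(cat "$d/security" 2>/dev/null || echo unknown)
        dma=$(cat "$d/iommu_dma_protection" 2>/dev/null || echo 0)
        case "$sec" in
            dponly|usbonly|nopcie) continue ;;
        esac
        if [ "$dma" = "1" ] && iommu_active "$rt"; then
            continue
        fi
        verdict=exposed
    done
    [ "$found" = 1 ] || verdict=no-thunderbolt
    echo "$verdict"
    [ "$verdict" != exposed ]
}

# Build a constructed sysfs-like tree (sample data, not from a real machine).
# $1 = security level, $2 = iommu_dma_protection value, $3 = 1 to add an IOMMU group.
make_fixture() {
    fx=$(mktemp -d)
    dom="$fx/bus/thunderbolt/devices/domain0"
    mkdir -p "$dom" "$fx/kernel"
    printf '%s\n' "$1" > "$dom/security"
    printf '%s\n' "$2" > "$dom/iommu_dma_protection"
    [ "$3" = 1 ] && mkdir -p "$fx/kernel/iommu_groups/0"
    echo "$fx"
}
```

To check a live machine, source the file and run `tb_domains` followed by `tb_verdict` with no argument so both read `/sys`. A `security=none` domain with `dma_protection=0` is the case the article's title is about: the only hard mitigation then is not having an attacker-controlled device on the port, which for an unattended laptop means shutting it down rather than suspending it.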
Read more at https://nakedsecurity.sophos.com/2020/05/12/thunderspy-why-turning-your-computer-off-is-a-cool-idea/
Huge toll of ransomware attacks revealed in Sophos report
By John E Dunn
Ransomware might be a dreadful enterprise, but nobody could accuse the criminals behind these attacks of being weak on customer service.
They’re always easy to communicate with – just email the address on the screen. And while it’s true they don’t offer many payment options, the one they do, Bitcoin, is fast and reliable to transact in.
Best of all, according to The State of Ransomware 2020 global study conducted earlier this year on behalf of Sophos, organisations that decide to pay to get their data back do so successfully in an efficient 94% of cases.
What’s the catch? Only greater expense in the long run, major business disruption, the possibility of ongoing regulatory oversight for years, and the small matter of public humiliation and lost business should an attack come to light (which increasingly it does thanks to the attackers).
The research questioned 5,000 IT managers from 26 countries (500 from the US and 200 from the UK) in a range of sectors and company sizes from 100 to 5,000 employees.
That’s a healthy sample size, whose results underline one of the most interesting facts about ransomware that can get lost in the headlines – it now affects anyone, anywhere.
It doesn’t seem to matter how big an organisation is, nor which sector or country you look at. Ransomware is ubiquitous, with half of the organisations in the research having experienced an attack during 2019, three quarters of which had their data encrypted.
Read more at https://nakedsecurity.sophos.com/2020/05/12/huge-toll-of-ransomware-attacks-revealed-in-sophos-report/