Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. “If you upload your phone number, it fetches user data in return,” he told TechCrunch.
He said Twitter’s contact upload feature doesn’t accept lists of phone numbers in sequential format — likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)
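The story above hinges on a weak server-side check: refusing contact lists whose numbers arrive in sequential order is defeated by shuffling the same list. The following Python block is an added illustration, not Twitter's code and not part of the original report; it shows the naive check being bypassed by a shuffled range, then two checks that survive shuffling: a density check on the sorted batch and a per-account budget on distinct numbers looked up. The thresholds (5,000 distinct numbers per account, density 0.01) and all phone numbers are assumptions constructed for the demo.

```python
"""Added example: phone-number enumeration via contact upload and how to
screen for it.  Not Twitter's code; thresholds and numbers are constructed."""
import random
from collections import defaultdict


def rejects_sequential(batch):
    """Naive gate modelled on the behaviour described in the article:
    refuse a batch whose numbers are consecutive in upload order."""
    return len(batch) >= 2 and all(b - a == 1 for a, b in zip(batch, batch[1:]))


def batch_density(batch):
    """Fraction of the numeric span covered by the batch after sorting.
    A real address book is sparse (many area codes, random suffixes);
    a generated range stays dense no matter how it is shuffled."""
    if len(batch) < 2:
        return 0.0
    s = sorted(batch)
    return len(s) / (s[-1] - s[0] + 1)


class UploadBudget:
    """Per-account cap on distinct numbers looked up.  Catches an attacker
    who spreads a sparse, randomised list over many small uploads: the
    total still has to grow with the size of the number space searched."""

    def __init__(self, max_distinct=5000):  # assumption for the demo
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)

    def accept(self, account, batch):
        new = self.seen[account] | set(batch)
        if len(new) > self.max_distinct:
            return False
        self.seen[account] = new
        return True


def screen_upload(account, batch, budget, max_density=0.01):
    """Hardened gate: sequential check, density check, per-account budget."""
    if rejects_sequential(batch):
        return "rejected: sequential"
    if batch_density(batch) > max_density:
        return "rejected: dense range"
    if not budget.accept(account, batch):
        return "rejected: lookup budget exhausted"
    return "accepted"


def demo():
    rng = random.Random(1)
    base = 14155550000  # constructed: a fake +1 415 555-xxxx range
    sequential = [base + i for i in range(1000)]
    shuffled = sequential[:]
    rng.shuffle(shuffled)
    results = {}
    # Shuffling alone bypasses the order-based check.
    results["naive_gate_bypassed"] = (rejects_sequential(sequential)
                                      and not rejects_sequential(shuffled))
    budget = UploadBudget()
    results["sequential"] = screen_upload("attacker", sequential, budget)
    results["shuffled"] = screen_upload("attacker", shuffled, budget)
    # Sparse random chunks drawn from a 2e9-wide space pass the density
    # check, but the per-account budget stops them after five uploads.
    outcomes = [screen_upload("attacker",
                              rng.sample(range(12000000000, 14000000000), 1000),
                              budget) for _ in range(10)]
    results["sparse_chunks_accepted"] = outcomes.count("accepted")
    # A realistic address book: a few hundred numbers across area codes.
    book = [rng.randrange(12010000000, 19999999999) for _ in range(300)]
    results["address_book"] = screen_upload("alice", book, budget)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The density check defeats shuffling inside one batch; the budget is what makes the two-billion-number search expensive, since each account can only resolve a bounded slice of the space before it is cut off.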
The Apple Platform Security guide is a 157-page document that gives an overview of how Apple treats security across its entire ecosystem.
“Every Apple device combines hardware, software, and services designed to work together for maximum security and a transparent user experience in service of the ultimate goal of keeping personal information safe,” Apple writes. “Apple devices protect not only the device and its data, but the entire ecosystem, including everything users do locally, on networks, and with key Internet services.”
This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.
Apple continues to push the boundaries of what is possible in security and privacy. For example, Find My uses existing cryptographic primitives to enable the groundbreaking capability of distributed finding of an offline Mac — without exposing to anyone, including Apple, the identity or location data of any of the users involved. To enhance Mac firmware security, Apple has leveraged an analog to page tables to block inappropriate access from peripherals, but at a point so early in the boot process that RAM hasn’t yet been loaded. And as attackers continue to increase the sophistication of their exploit techniques, Apple is dynamically controlling memory execution privileges for iPhone and iPad by leveraging custom CPU instructions — unavailable on any other mobile devices — to thwart compromise. Just as important as the innovation of new security capabilities, new features are built with privacy and security at the center of their design.
Masks and simple photographs are enough to fool some facial recognition technology, highlighting a major shortcoming in what is billed as a more effective security tool.
More alarming were the tests deployed at transportation hubs. At the self-boarding terminal in Schiphol Airport, the Netherlands’ largest airport, the Kneron team tricked the sensor with just a photo on a phone screen. The team also says it was able to gain access in this way to rail stations in China where commuters use facial recognition to pay their fare and board trains.
The transportation experiments raise concerns about terrorism at a time when security agencies are exploring facial recognition as a means of saving money and improving efficiency. In the case of the payment tablets, the ability to fool WeChat and AliPay with masks raises the specter of fraud and identity theft.
Technology many use every day to make their lives easier is being weaponized. A tank that drives itself. A drone that picks its own targets. A machine gun with facial recognition software. Sounds like science fiction? These weapons already exist.
Apple, a company that prides itself on customer privacy, seems to have been caught with its privacy pants down around its ankles. It’s collecting user location data while preaching to its customers that it’s better than everyone else.
Security journalist Brian Krebs has found that Apple’s current flagship, the iPhone 11 Pro, continues to access location data even after the relevant Location Services toggles have been turned off in iOS 13.
Apple’s response to Krebs:
“We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings” [emphasis added].
Twitter’s changes, which take effect on Jan. 1, 2020, are meant to comply with the California Consumer Privacy Act (CCPA).
The California law requires large businesses to give consumers more transparency and control over their personal information, such as allowing them to request that their data be deleted and to opt out of having their data sold to third parties.
Twitter also announced on Monday that it is moving the accounts of users outside of the United States and European Union which were previously contracted by Twitter International Company in Dublin, Ireland, to the San Francisco-based Twitter Inc.
The company said this move would allow it the flexibility to test different settings and controls with these users, such as additional opt-in or opt-out privacy preferences, that would likely be restricted by the General Data Protection Regulation (GDPR), Europe’s landmark digital privacy law.
For more than a year, police departments partnered with Amazon’s Ring unit had access to a map showing where its video doorbells were installed, down to the street they were on, public documents revealed. So while Ring said it didn’t provide police with addresses for the devices, a feature in the map tool let them get extremely close. The feature was removed in July.
The heat maps feature was one of several surveillance tools that Ring told police “should not be shared with the public.” The first Ring police partnership listed started in March 2018, and the video doorbell company had at least 335 police partners by the time it disabled the feature, records show.
Ring, which Amazon purchased for $839 million in February 2018, has now partnered with up to 631 law enforcement agencies in the US, creating a public surveillance tool for police departments through its video doorbells.
The case involved Facebook messages that police in London, Ont., wanted to access in order to proceed with a homicide investigation and trial.
Because Facebook is an American company, the usual legal process involves Canadian authorities applying for evidence, in this case from the Facebook Messenger app, through a mutual legal assistance treaty (MLAT). The treaty has been used for decades by police on both sides of the border to get access to physical evidence.
In this case, a judge issued a production order — essentially a legal order for Facebook to give up the information. Authorities thought that would be quicker than the treaty process, which takes about four months.
But when it became clear this fall Facebook would fight tooth and nail against having to comply with a Canadian judge’s order, the Crown applied through the MLAT for the messages and received them.
Antitrust regulators in the European Union are investigating Google’s data collection practices, according to “exclusive” reporting at Reuters.
Over the last couple of years, European Competition Commissioner Margrethe Vestager has handed down fines totalling more than €8 billion (~ C$11 billion) to Google and ordered it to change its business ways.
“The Commission has sent out questionnaires as part of a preliminary investigation into Google’s practices relating to Google’s collection and use of data. The preliminary investigation is ongoing,” the EU regulator told Reuters in an email.
Victoria-based AggregateIQ Data Services broke Canadian and B.C. privacy laws in work it carried out on behalf of the 2016 pro-Brexit Vote Leave campaign, as well as political campaigns in the U.S. and Canada, according to findings by the B.C. and federal privacy commissioners.
According to the report, AIQ failed to obtain adequate consent for the use and disclosure of voters’ personal information, which was used to produce microtargeted political ads.
It also said that AIQ “failed to take reasonable security measures” to protect personal information it collected in a database containing the names and contact information of 35 million people.
At a news conference, B.C. Information and Privacy Commissioner Michael McEvoy and Privacy Commissioner of Canada Daniel Therrien said even though AIQ works globally, it still must follow Canadian and B.C. privacy laws.
Every day I dive into the internet cesspool and go through hundreds of news sources and extract the most fascinating stories. All stories are curated by hand. No large media organizations. No bots. No unambiguous algorithms deciding what you get to read.
The most fascinating technology related stories are published on Tech Letter.
The material on Tech Letter and across the Joe Public Network is for informational purposes only, and is not a substitute for good judgment and/or common sense.