IT News

Hundreds of millions of Facebook records exposed on public servers – report

Wait Wait – I thought old Zuck said he was changing things. I guess his users (including Business users) are really the Zuckers.

Note to Businesses: DROP FACEBOOK, it will hurt you in the long run.
Note to Users: Time to seek addiction counseling because if you still use Facebook, in spite of all the news, you are either mentally challenged or have a serious addiction problem (or simply too apathetic to give a damn).

Editorial — actually my ire is not with the users, it is with the businesses that still patronize Facebook. Customers of these businesses really need to ask this: “why is this business still using Facebook?” The answer is clear — they also want your private data and prefer to track and monetize you as opposed to protecting your privacy. And yes, their bedfellows include media like the Washington Post, New York Times, The Guardian, Bloomberg, all of which we often quote here. Shame on them and all others. If companies left Facebook, then this menace (Facebook) would be history. Well that will not happen as they see $$$$$$$$$$$.

What to do? Simple: 1) Delete your Facebook Account, 2) contact those businesses and urge them to drop Facebook.

Quote

Material discovered on Amazon cloud servers in latest example of Facebook letting third parties extract user data

More than 540m Facebook records were left exposed on public internet servers, cybersecurity researchers said on Wednesday, in just the latest security black eye for the company.

Researchers for the firm UpGuard discovered two separate sets of Facebook user data on public Amazon cloud servers, the company detailed in a blogpost.

One dataset, linked to the Mexican media company Cultura Colectiva, contained more than 540m records, including comments, likes, reactions, account names, Facebook IDs and more. The other set, linked to a defunct Facebook app called At the Pool, was significantly smaller, but contained plaintext passwords for 22,000 users.
The large dataset was secured on Wednesday after Bloomberg, which first reported the leak (see article here), contacted Facebook. The smaller dataset was taken offline during UpGuard’s investigation.

The data exposure is not the result of a breach of Facebook’s systems. Rather, it is another example, akin to the Cambridge Analytica case, of Facebook allowing third parties to extract large amounts of user data without controls on how that data is then used or secured.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard researchers wrote in their blogpost. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”

Facebook said that it was investigating the incident and did not yet know the nature of the data, how it was collected or why it was stored on public servers. The company said it will inform users if it finds evidence that the data was misused.

“Facebook’s policies prohibit storing Facebook information in a public database,” a spokeswoman said in a statement. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

Cultura Colectiva did not immediately respond to a request for comment.

The data exposure is just the latest example of how Facebook’s efforts to be perceived as a “privacy-focused” platform are hampered by its own past practices and what UpGuard researchers called “the long tail” of user data. For years, Facebook allowed third-party app developers substantial access to users’ information.

“As these exposures show, the data genie cannot be put back in the bottle,” the UpGuard researchers wrote. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”

The Police State: Ex-Mozilla CTO: I was grilled for three hours at San Francisco airport by US border cops – and I’m an American citizen

The Land of the Free where we respect liberty and the constitution – NOT. Not much different in the U.S. as compared to Venezuela or Turkey or _fill in the blank. Despots rule the day. Note to youth. Put down your entertainment and become active in the political process before all rights are gone.

Quote

Techie raises alarm over ‘detention’ after he refused to unlock work laptop, phone

Former Mozilla CTO Andreas Gal says he was interrogated for three hours by America’s border cops after arriving at San Francisco airport – because he refused to unlock his work laptop and phone.

Gal, now employed by Apple, today claimed he was detained and grilled on November 29 after landing in California following a trip to Europe.

He had attempted to pass through US customs via a Global Entry electronic kiosk. He wasn’t expecting a problem, since the Hungarian-born techie is now an American citizen, but it was not to be.

“On this trip, the kiosk directed me to a Customs and Border Patrol agent who kept my passport and sent me to secondary inspection,” Gal said. “There I quickly found myself surrounded by three armed agents wearing bullet proof vests. They started to question me aggressively regarding my trip, my current employment, and my past work for Mozilla, a non-profit organization dedicated to open technology and online privacy.”

Gal said the g-men were rather interested in his time at Firefox-maker Mozilla, and of his recent trip to Canada. They also went through his wallet and luggage, and this led to a request by the agents for Gal to unlock his Apple-issued iPhone XS and MacBook Pro, it is claimed.

Given the devices were emblazoned with big red stickers reading “PROPERTY OF APPLE. PROPRIETARY,” and he had signed confidentiality agreements with Cupertino, Gal said he asked for permission to call his bosses and/or a lawyer to see if he would get into trouble by handing over access. When this request was repeatedly refused, we’re told, he clammed up, taking the Fifth, and citing constitutional rights against unwarranted searches.

Irked by Gal’s refusal, it is claimed, the border agents told him he had no constitutional nor any legal protections, and threatened him with criminal charges should he not concede to the search. He said he was eventually allowed to leave with his belongings, the devices still locked, and no charges were pressed. Gal said the agents did take away his Global Entry pass, which allows express entry through customs, as punishment for not complying with their demands.

How random is random?

Gal believes the ordeal was not a random search gone awry, but rather a targeted attempt by the government to send a message. Certainly more and more security researchers report being grilled by US border patrol, if they can even get a visa to enter the country, that is.

“My past work on encryption and online privacy is well documented, and so is my disapproval of the Trump administration and my history of significant campaign contributions to Democratic candidates,” Gal noted. “I wonder whether these CBP [Customs and Border Patrol] programs led to me being targeted.”

Now, Gal has enlisted the help of the ACLU to probe into the brouhaha, and determine whether his civil rights were violated. The civil-liberties watchdog has filed a complaint [PDF] with the Department of Homeland security to determine whether the search violated the US Constitution and demand an investigation of whether the CBP’s entry policies are illegal.

“CBP’s baseless detention and intrusive interrogation of Andreas Gal and the attempted search of his devices violated his Fourth Amendment rights,” ACLU Northern California senior counsel William Freeman said of the complaint.

“Furthermore, CBP’s policies lack protections for First Amendment rights by allowing interrogation and device searches that may be based on a traveler’s political beliefs, activism, nation of origin, or identity.”

CBP declined to comment.

Google Fined $1.7 Billion by E.U. for Unfair Advertising Rules

The Monopolists and Oligopolists party that keeps rolling on. The U.S. needs to get on board NOW with Europe. In fact even Europe is a bit weak. It is time to break up the monopolies and oligopolies and spur real competition across many sectors.

This article underscores just one example. It is not just Google, but several other tech companies including those in Telecoms, shopping, and so on. The U.S. is now the land of Oligopolies and Monopolies. Vigorous anti-trust enforcement is needed now!

Quote

LONDON — European authorities on Wednesday fined Google 1.5 billion euros for antitrust violations in the online advertising market, continuing its efforts to rein in the world’s biggest technology companies.

The fine, worth about $1.7 billion, is the third against Google by the European Union since 2017, reinforcing the region’s position as the world’s most aggressive watchdog of an industry with an increasingly powerful role in society and the global economy. The regulators said Google had violated antitrust rules by imposing unfair terms on companies that used its search bar on their websites in Europe.

Europe’s regulatory approach was once criticized as unfairly focusing on technology companies from the United States, but is now viewed as a potential global model as governments question the influence of Silicon Valley. Europe is at the forefront of a broad debate about the role of tech platforms like Apple, Amazon, Facebook and Google, and whether their size and power hurt competition.

With the announcement on Wednesday, the European fines against Google total roughly 8.2 billion euros, or $9.3 billion. But the bloc has not received any of the money yet; Google is appealing the earlier decisions, and is mulling whether to appeal the most recent ruling.

“Google has cemented its dominance in online search adverts and shielded itself from competitive pressure by imposing anticompetitive contractual restrictions on third-party websites,” Margrethe Vestager, Europe’s top antitrust watchdog, said in a statement. “This is illegal under E.U. antitrust rules.”

The fine centers on contracts that license the use of Google’s search bar on websites run by newspapers, blogs, travel services and other companies. European regulators said the operators of the third-party websites using Google’s search bar had been required to display a disproportionate number of text ads from Google’s own advertising services over competing digital advertising companies.

The practice, regulators said, undercut competitors, such as Microsoft and Yahoo, that were trying to challenge Google in search.

“There was no reason for Google to include these restrictive clauses in its contracts, except to keep its rivals out of the market,” Ms. Vestager said at a news conference in Brussels. She said the ruling covered 2006 to 2016, when Google stopped the practices.

Europe’s actions against Silicon Valley are influencing policy debates around the world, but some critics question the overall effectiveness of the penalties.

The European Union spent a decade investigating Google, a slow and deliberate process, during which the company’s business and power continued to grow. Annual revenue at Google’s parent company, Alphabet, reached $137 billion last year, compared with $22 billion a decade earlier. On Wednesday, Google shares rose 2 percent.

The Google cases highlight a larger question policymakers face in overseeing the digital economy.

“As it becomes increasingly clear that antitrust fines or after-the-fact remedies are not enough to bring vibrant competition to the market, governments will need to move to deeper tech sector regulation to remedy problems,” said Gene Kimmelman, a former antitrust official in the Justice Department who is now president of Public Knowledge, a consumer advocacy group. He suggested rules preventing tech platforms like Google from favoring their own services.

In the United States, where there has been limited regulation of tech companies, Senator Elizabeth Warren, Democrat of Massachusetts, has made breaking up Google and other tech giants a priority in her presidential campaign. This week, Representative David Cicilline, Democrat of Rhode Island and chairman of the House Subcommittee on Antitrust, Commercial and Administrative Law, called for a federal antitrust investigation of Facebook.

In response to the ruling on Wednesday, Google said, “Healthy, thriving markets are in everyone’s interest.”

“We’ve already made a wide range of changes to our products to address the commission’s concerns,” Kent Walker, Google’s senior vice president for global affairs, said in a statement. “Over the next few months, we’ll be making further updates to give more visibility to rivals in Europe.”

The case is the last of three investigations the European Commission has pursued against Google, which has headquarters in Mountain View, Calif.

Last year, Ms. Vestager fined Google a record 4.34 billion euros for using its ownership of the Android mobile operating system to unfairly undercut rivals in the mobile phone market, a decision that also forced the company to change how it bundled its apps on smartphones. In 2017, the company was fined 2.4 billion euros for unfairly favoring its own shopping services over those of rivals.

The two previous rulings have not had a big impact on Google’s financial health, but they have forced the tech giant to adjust some business practices.

After the Android ruling last year, Google for the first time began charging handset makers to pre-install Gmail, Google Maps and other popular applications for Android devices in the European Union.

Perhaps in an attempt to head off additional inquiries, Google announced a number of further changes to services across Europe on Wednesday, after rivals complained that it continued to benefit from anticompetitive business practices.

For the first time, the company said, it will ask Android phone users in Europe if they want to switch to a web browser and search engine not owned by Google. To allow more competition when customers shop with Google, it will give other shopping sites more prominence in its search results, the company also said. Google said it would do the same with local search queries in Europe, such as when a person searches for a restaurant, a move that could help companies like TripAdvisor and OpenTable.

Outside of its review of practices by Google and others, the European Union has adopted tough new privacy rules that many countries outside Europe now view as a template. Regulators here have also investigated tech companies’ tax practices and called for more scrutiny of artificial intelligence.

The decision on Wednesday against Google will be one of the final major antitrust rulings in the five-year term of Ms. Vestager, whose crackdown on Silicon Valley while competition commissioner has made her a minor celebrity in the often-staid world of European politics.

Ms. Vestager has expressed openness to serving another term as the bloc’s top antitrust watchdog, but she is also considered a contender to become president of the European Commission, the most powerful executive position in the European Union. Her future will depend in part on the outcome of European parliamentary elections in May.

Even with her possible departure, pressure on the technology industry is not easing.

The European Union is expected to adopt new copyright regulations as early as next week that would impose restrictions to stop unlicensed content, like music and videos, from being shared on tech platforms like Google and Facebook. Another proposal tries to block the sharing of hate speech and extremist content, a policy that some critics say could lead to censorship.

At the same time, regulators across Europe are pursuing several lines of inquiry.

Ms. Vestager’s office announced last year that Amazon was under investigation for its treatment of independent sellers who use its website to reach customers.

Apple, which in 2016 was ordered to pay Ireland $14.5 billion in back taxes, is now under scrutiny for its App Store policies. Facebook is facing separate inquiries related to its business practices and handling of user data. Google’s advertising practices are also being monitored by privacy advocates who are urging regulators to begin a new investigation for violating privacy rights.

“Businesses and consumers, they depend on platforms to get the best out of digitization,” Ms. Vestager said. “Illegal behavior in these cases is a very serious affair.”

How to Stop Facebook’s Dangerous App Integration Ploy

Here is a great op-ed piece by Sally Hubbard who is a former assistant attorney general in the New York State Attorney General’s Antitrust Bureau and an editor at The Capitol Forum, where she covers technology and monopolization. She makes two points: 1) Facebook is a monopolist and 2) the FTC is toothless. Both need to change.

Quote

In response to calls that Facebook be forced to divest itself of WhatsApp and Instagram, Mark Zuckerberg has instead made a strategic power grab: He intends to put Instagram, WhatsApp and Facebook Messenger onto a unified technical infrastructure. The integrated apps are to be encrypted to protect users from hackers. But who’s going to protect users from Facebook?

Ideally, that would be the Federal Trade Commission, the agency charged with enforcing the antitrust laws and protecting consumers from unfair business practices. But the F.T.C. has looked the other way for far too long, failing to enforce its own 2011 consent decree under which Facebook was ordered to stop deceiving users about its privacy claims. The F.T.C. has also allowed Facebook to gobble up any company that could possibly compete against it, including Instagram and WhatsApp.

Not that blocking these acquisitions would have been easy for the agency under the current state of antitrust law. Courts require antitrust enforcers to prove that a merger will raise prices or reduce production of a particular product or service. But proving that prices will increase is nearly impossible in a digital world where consumers pay not with money but with their personal data and by viewing ads.

The integration Mr. Zuckerberg plans would immunize Facebook’s monopoly power from attack. It would make breaking Instagram and WhatsApp off as independent and viable competitors much harder, and thus demands speedy action by the government before it’s too late to take the pieces apart. Mr. Zuckerberg might be betting that he can integrate these three applications faster than any antitrust case could proceed — and he would be right, because antitrust cases take years.

Luckily, the F.T.C. has a way to act quickly. Prompted by the Cambridge Analytica scandal, the agency has been investigating Facebook for violating that 2011 consent decree, which required it, among other things, to not misrepresent its handling of user information and to create a comprehensive privacy program. The F.T.C. can demand Facebook stop the integration as one of the conditions for settling any charges related to the consent decree, rather than just imposing an inconsequential fine.

If not stopped, the integration will cement Facebook’s monopoly power by enriching its data trove, allowing it to spy on users in new ways. Facebook might decide to sync data from one app to another so it can better track users. And Facebook needs user data: The reason it commands such a large share of digital advertising is that it tracks users — and even people without Facebook accounts — across millions of sites. It gathers data that allows it to target ads more precisely than many of its rivals for digital ad dollars, including news media sites and content creators.

After stopping Mr. Zuckerberg’s integration plan, the F.T.C. should reverse the WhatsApp and Instagram acquisitions as illegal under the Clayton Act, which prohibits mergers and acquisitions where the effect “may be substantially to lessen competition, or to tend to create a monopoly.” Undoing the mergers would give consumers an alternative to Facebook-owned apps and force Facebook to do better.

Without meaningful competition, Facebook has little incentive to protect users by making changes that could reduce profits. Users unhappy about data collection and algorithms that promote fake news and political polarization don’t have anywhere to go.

Any future Facebook acquisitions, no matter what the size, should be strictly reviewed because of the company’s history of deceiving users. Facebook uses technology, like its Onavo and Research apps, that monitor consumers’ app usage to identify potential rivals even before they are big enough to get on antitrust enforcers’ radars. Internal Facebook documents published by the British Parliament show Facebook used Onavo data to identify WhatsApp as a competitive threat, only to convince regulators otherwise.

Congress also should write legislation to overrule misguided cases that have neutered antitrust enforcement, and pass a strong privacy law with enough resources to enforce it. Only then, perhaps, will we be protected from Facebook.

Avast Highlights the Threat Landscape for 2019

Heads up, it will not get easier.

Quote

The Dawn of Adversarial AI

We foresee the emergence of a class of attacks known as ‘DeepAttacks’, which use AI-generated content to evade AI security controls. In 2018, the team observed many examples where researchers used adversarial AI algorithms to fool humans. Examples include the fake Obama video created by Buzzfeed where President Obama is seen delivering fake sentences, in a convincing fashion.

We have also seen examples of adversarial AI deliberately confounding the smartest object detection algorithms, such as fooling an algorithm into thinking that a stop sign was a 45-mph speed limit sign.

In 2019, we expect to see DeepAttacks deployed more commonly in an attempt to evade both human detection and smart defenses.

IoT Threats Will Become More Sophisticated

The trend toward smart devices will be so pronounced in the coming years that it will become difficult to buy appliances or home electronics that are not connected to the internet.

Avast research has shown that security is often an afterthought in the manufacturing of these devices. While the big name smart devices often do come with embedded security options, some producers skimp on security either to keep costs low for consumers or because they are not experts in security. Considering a smart home is only as secure as its weakest link, this is a mistake. History tends to repeat itself, so we can expect to see IoT malware evolve and become more sophisticated and dangerous, similar to how PC and mobile malware developed.

Router Attacks Will Advance

Routers have proven to be a simple and fertile target for a growing wave of attacks. Not only have we seen an increase in router-based malware in 2018, but also changes in the characteristics of those attacks.

In 2019, we expect to see the increased hijacking of routers used to steal banking credentials, for example, where an infected router injects a malicious HTML frame to specific web pages when displayed on mobile. This new element could ask mobile users to install a new banking app, for instance, and this malicious app will then capture authentication messages. Routers will continue to be used as targets of an attack, not just to run malicious scripts or spy on users, but also as an intermediate link in chain attacks.

The Evolution of Mobile Threats

In 2019, well known tactics such as advertising, phishing and fake apps will continue to dominate the mobile threat landscape. In 2018, we tracked and flagged countless fake apps using our apklab.io platform. Some were even found on the Google Play Store. Fake apps are the zombies in mobile security, becoming so ubiquitous that they barely even make the headlines as new fake apps pop up to take the place of the ones already flagged for removal. They will continue to persist as a trend in 2019, exacerbated by fake versions of popular app brands doing their rounds on the Google Play Store.

In 2018, the return of banking Trojans was also particularly pronounced on the mobile side, growing 150 percent year-on-year, from three percent to over seven percent of all detections we see worldwide. While perhaps not a big shift in terms of the overall volume, we believe that cybercriminals are finding banking to be a more reliable way to make money than cryptomining.

“This year, we celebrated the 30th anniversary of the World Wide Web. Fast forward thirty years and the threat landscape is exponentially more complex, and the available attack surface is growing faster than it has at any other point in the history of technology,” commented Ondrej Vlcek, President of Consumer at Avast.

“PC viruses, while still a global threat, have been joined by a multitude of malware categories that deliver more attacks. People are acquiring more and varied types of connected devices, meaning every aspect of our lives could be compromised by an attack. Looking ahead to 2019, these trends point to a magnification of threats through these expanding threat surfaces.”

These trends form part of Avast’s annual Threat Report.

Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted

Just maybe, I am not saying for sure, but just maybe, the reason for such stupidity is that companies like Marriott are hiring too many newbies to save money and ignoring the more senior members of the IT community. Or maybe there are no real hard financial penalties for breaches. Maybe both.

But the real story here is not only Marriott, but the continued onslaught from China. No surprise.

Quote

WASHINGTON — Marriott International said on Friday that the biggest hacking of personal information in history was not quite as big as first feared, but for the first time conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests. Those passport numbers were lost in an attack that many outside experts believe was carried out by Chinese intelligence agencies.

What made the Starwood attack different was the presence of passport numbers, which could make it far easier for an intelligence service to track people who cross borders. That is particularly important in this case: In December, The New York Times reported that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.

Taken together, the attack appeared to be part of a broader effort by China’s Ministry of State Security to compile a huge database of Americans and others with sensitive government or industry positions — including where they worked, the names of their colleagues, foreign contacts and friends, and where they travel.

“Big data is the new wave for counterintelligence,” James A. Lewis, a cybersecurity expert who runs the technology policy program at the Center for Strategic and International Studies in Washington, said last month.

One top official of the Chinese Ministry of State Security was arrested in Belgium late last year and extradited to the United States on charges of playing a central role in the hacking of American defense-related firms, and others were identified in a Justice Department indictment in December. But those cases were unrelated to the Marriott attack, which the F.B.I. is still investigating.

China has denied any knowledge of the Marriott attack. In December, Geng Shuang, a spokesman for its Ministry of Foreign Affairs, said, “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law.”

Do make me laugh

The Marriott investigation has revealed a new vulnerability in hotel systems: What happens to passport data when a customer makes a reservation or checks into a hotel, usually abroad, and hands over a passport to the desk clerk. Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system. An additional 20.3 million passport numbers were kept in encrypted files, which would require a master encryption key to read. It is unclear how many of those involved American passports, and how many come from other countries.

Yes you read that correctly. Morons asleep at the switch

Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system.

It was not immediately clear why some numbers were encrypted and others were not — other than that hotels in each country, and sometimes each property, had different protocols for handling the passport information. Intelligence experts note that American intelligence agencies often seek the passport numbers of foreigners they are tracking outside the United States, which may explain why the United States government has not insisted on stronger encryption of passport data worldwide.

Asked how Marriott was handling the information now that it has merged Starwood’s data into the Marriott reservations system — a merger that was just completed at the end of 2018 — Connie Kim, a company spokeswoman, said: “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”


“We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”

Which means 1) they are still NOT encrypted and 2) they need to fire the person(s) managing the vendors and the vendors themselves (assuming the vendors haven’t been screaming at Marriott to do something, which may indeed be plausible).

The State Department issued a statement last month telling passport holders not to panic, because the number alone would not enable someone to create a fake passport. Marriott has said it would pay for a new passport for anyone whose passport information, hacked from their systems, was found to be involved in a fraud. But that was something of a corporate sleight of hand, since it provided no coverage for guests who wanted a new passport simply because their data had been taken by foreign spies.

So far the company has ducked addressing that issue by saying it has no evidence about who the attackers were, and the United States has not formally accused China in the case. But private cyberintelligence groups that have looked at the breach have seen strong parallels with the other, Chinese-related attacks underway at the time. The company’s president and chief executive, Arne Sorenson, has not answered questions about the hacking in public, and Marriott said he was traveling and declined a request from The Times to talk about hacking.

The company also said that about 8.6 million credit and debit cards were “involved” in the incident, but those are all encrypted — and all but 354,000 cards had expired by September 2018, when the hacking, which went on for years, was discovered.

So far, there are no known cases in which stolen passport or credit card information was found in fraudulent transactions. But to cyberattack investigators, that is just another sign that the hacking was conducted by intelligence agencies, not criminals. The agencies would want to use the data for their own purposes — building databases and tracking government or industrial surveillance targets — rather than exploiting the data for economic profit.

Idiots. And the U.S. and state governments are just as culpable. We need very strong laws that mandate extremely stiff penalties for breaches.

Google shifted $23bn to tax haven Bermuda in 2017, filing shows

“Do No Harm” …errh should be “behave like pigs”

Quote
Google’s owner, Alphabet, has seen an effective tax rate in the single digits on non-US profits for more than a decade.

Google moved €19.9bn ($22.7bn) through a Dutch shell company to Bermuda in 2017, as part of an arrangement that allows it to reduce its foreign tax bill, according to documents filed at the Dutch chamber of commerce.

The amount channelled through Google Netherlands Holdings BV was about €4bn more than in 2016, the documents, filed on 21 December, showed.

“We pay all of the taxes due and comply with the tax laws in every country we operate in around the world,” Google said in a statement.

“Google, like other multinational companies, pays the vast majority of its corporate income tax in its home country, and we have paid a global effective tax rate of 26% over the last 10 years.”

For more than a decade the arrangement has allowed Google’s owner, Alphabet, to enjoy an effective tax rate in the single digits on its non-US profits, about a quarter of the average tax rate in its overseas markets.

The subsidiary in the Netherlands is used to shift revenue from royalties earned outside the US to Google Ireland Holdings, an affiliate based in Bermuda, where companies pay no income tax.

The tax strategy, known as the “double Irish, Dutch sandwich”, is legal and allows Google to avoid triggering US income taxes or European withholding taxes on the funds, which represent the bulk of its overseas profits.

However, under pressure from the European Union and the United States, Ireland in 2014 decided to phase out the arrangement, ending Google’s tax advantages in 2020.

Google Netherlands Holdings BV paid €3.4m in taxes in the Netherlands in 2017, the documents showed, on a gross profit of €13.6m.

Asleep at the Switch

Quote

Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites

Last spring, soon after Facebook acknowledged that the data of tens of millions of its users had improperly been obtained by the political consulting firm Cambridge Analytica, a top enforcement official at the Federal Trade Commission drafted a memo about the prospect of disciplining the social network.

Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against Facebook, arguing that it had violated an earlier F.T.C. consent decree barring it from misleading users about how their information was shared.

But the enforcement official, James A. Kohm, took a different view. In a previously undisclosed memo in March, Mr. Kohm — echoing Facebook’s own argument — cautioned that Facebook was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and most likely had not broken its promises to the F.T.C.


The Cambridge Analytica data leak set off a reckoning for Facebook and a far-reaching debate about the tech industry, which has collected more information about more people than almost any other in history. At the same time, the F.T.C., which is investigating Facebook, is under growing attack for what critics say is a systemic failure to police Silicon Valley’s giants and their enormous appetite for personal data.

Almost alone among industrialized nations, the United States has no basic consumer privacy law. The F.T.C. serves as the country’s de facto privacy regulator, relying on more limited rules against deceptive trade practices to investigate Google, Twitter and other tech firms accused of misleading people about how their information is used.

But many in Washington view the agency as a watchdog that too rarely bites. In more than 40 interviews, former and current F.T.C. officials, lawmakers, Capitol Hill staff members, and consumer advocates said that as evidence of abuses has piled up against tech companies, the F.T.C. has been too cautious. Now, as the Trump administration and Congress debate whether to expand the agency and its authority over privacy violations, the Facebook inquiry looms as a referendum on the F.T.C.’s future.

“They have been asleep at the switch,” said Senator Richard Blumenthal, the Connecticut Democrat and ranking member of the subcommittee charged with overseeing the agency. “It’s a lack of will even more than paucity of resources.”

Long Overdue: It is time for the US to develop strong data privacy laws along the lines of the EU GDPR (General Data Protection Regulation). It is also time for US “Netizens” to demand strong data privacy protection laws with extremely stiff penalties for non-compliance.

Our Cellphones Aren’t Safe

Great article by Cooper Quintin of the Electronic Frontier Foundation, with one glaring omission. Even if the cell networks were 100% secure, the apps people install are an even larger source of malware and privacy leaks.

Quote

America’s cellular network is as vital to society as the highway system and power grids. Vulnerabilities in the mobile phone infrastructure threaten not only personal privacy and security, but also the country’s. According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls. Cellular communication infrastructure, the system at the heart of modern communication, commerce and governance, is woefully insecure. And we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and industry leaders have been nearly silent on the issue. While government officials are looking the other way, an increasing number of companies are selling products that allow buyers to take advantage of these vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site simulators (commonly known by the brand name Stingray), which trick cellphones into connecting with them without the cellphone owners’ knowledge. Sophisticated programs can exploit vulnerabilities in the backbone of the global telephone system (known as Signaling System 7, or SS7) to track mobile users, intercept calls and text messages, and disrupt mobile communications.

These attacks have real financial consequences. In 2017, for example, criminals took advantage of SS7 weaknesses to carry out financial fraud by redirecting and intercepting text messages containing one-time passwords for bank customers in Germany. The criminals then used the passwords to steal money from the victims’ accounts.

How did we get here, and why is our cellular infrastructure so insecure?

The international mobile communications system is built on top of several layers of technology, parts of which are more than 40 years old. Some of these old technologies are insecure, others have never had a proper audit and many simply haven’t received the attention needed to secure them properly. The protocols that form the underpinnings of the mobile system weren’t built with security in mind.

SS7, invented in 1975, is still the protocol that allows telephone networks all over the world to talk to one another. It was built on the assumption that anyone who can connect to the network is a trusted network operator. When it was created, there were only 10 companies using SS7. Today, there are hundreds of companies all over the world connected to SS7, making it far more likely that credentials to the system will be leaked or sold. Anyone who can connect to the SS7 network can use it to track your location or eavesdrop on your phone calls. A more recent alternative to SS7 called Diameter suffers from many of the same problems.

Another protocol, GSM, invented in 1991, allows your cellphone to communicate with a cell tower to make and receive calls and transmit data. The older generation of GSM, known as 2G, doesn’t verify that the tower that your phone connects to is authentic, making it easy for anyone to use a cell-site simulator and impersonate a cell tower to obtain your location or eavesdrop on your communications.

Larger carriers have already begun dismantling their 2G systems, which is a good start, since later generations of GSM such as 3G, 4G and 5G solve many of its problems. Yet our phones all still support 2G and most have no way to disable it, making them susceptible to attacks. What’s more, research has shown that 3G, 4G, and even 5G have vulnerabilities that may allow new generations of cell-site simulators to continue working.

Nobody could have envisioned how deeply ingrained cellular technology would become in our society, or how easy and lucrative exploiting it would be. Companies from China, Russia, Israel and elsewhere are making cell-site simulators and providing access to the SS7 network at prices affordable even to the smallest criminal organizations. It is increasingly easy to build a cell-site simulator at home, for no more than the cost of a fast-food meal. Spies all over the world — as well as drug cartels — have realized the power of these technologies.

So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to “be forthright with federal courts about the disruptive nature of cell-site simulators.” No response has ever been published.

The lack of action could be because it is a big task — there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.

As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

This needs to change. To start, companies need to stop supporting insecure technologies such as 2G, and government needs a mandate to buy devices solely from companies that have disabled 2G. Similarly, companies need to work with cybersecurity experts on a security standard for SS7. Government should buy services only from companies that can demonstrate that their networks meet this standard.

Finally, this problem can’t be solved by domestic regulation alone. The cellular communications system is international, and it will take an international effort to secure it.

We wouldn’t tolerate gaping potholes in our highways or sparking power lines. Securing our mobile infrastructure is just as imperative. Policymakers and industries around the world must work together to achieve this common goal.

Cooper Quintin is a senior staff technologist with the Electronic Frontier Foundation, where he investigates digital privacy and security threats to human-rights defenders, journalists and vulnerable populations.

Microsoft Issues Emergency Fix for IE Zero Day

Quote

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.