USC Informatics Program 529  (INF 529): Security and Privacy in Informatics - Spring 2020
Lecture Friday - Noon to 3:20 PM, OHE 100C
Clifford Neuman
 
Current Events for February 7 24 2020
Privacy Regulations
US Rolls Out New Bill to Reform NSA Surveillance -Sarah Coble, InfoSecurity 27 Jan 2020
Some US Senators have proposed a bill titled "The Safeguarding Americans' Private Records Act" that would reform NSA surveillance practices and increase oversight of government surveillance. This bill would prohibit the warrantless collection of certain data, such as cell site location, GPS information, browsing history and internet search history to help preserve citizens' Fourth Amendment rights. Among other things, this bill would also establish the Foreign Intelligence Surveillance Act (FISA) as the only process that the government can follow to carry out surveillance, which would help to close any loopholes that have allowed the government to get around the FISA process in the past. - Doug Platt
Google's location tracking under formal probe in Europe - Natasha Lomas, TechCrunch 2/4/20
Google received complaints from consumer rights groups across Europe. The rights groups are concerned that Google uses the data to draw our personality, religion or sexual orientation. Sharing users' location data is not valid under EU law. ---Zhejie Cui
Google and Tinder under investigation in Europe for privacy practices - Katie Collins, CNET 02/04/20
Google and Tinder have become the targets of two separate probes in the EU. Google is being investigated for breaching the GDPR in its handling of consumers' location data. As for Tinder, individuals have complained about the company's "ongoing processing of users' personal data." – John Melloy III
Salesforce Data Breach Suit Cites California Privacy Law - Daniel R. Stoller, Feb 4, 2020
Salesforce.com Inc. and a children's clothing company named Hanna Andersson LLC face data-breach allegations in a federal court lawsuit that is among the first to cite California's landmark privacy law. The plaintiff, Bernadette Barnes, brought her suit after Hanna Andersson announced that the hacker had scraped customer names, payment card information, and other personal information which was hosted by Salesforce on its e-commerce platform, that was found to be infected with malware. The stolen information was later found for sale on the dark web. - Vaidhyanathan Swaminathan
Salesforce Data Breach Suit Cites California Privacy Law - Daniel R. Stoller, Bloomberg Law, 02/04/2020
Due to the Salesforce data breach, Salesforce and Hanna Andersson fail to protect user data. The hacked data was found sold on the dark web. The plaintiff, Bernadette Barnes, asked the court whether Salesforce and Hanna Andersson violate the CCPA. – YiTing Lin
Awareness and Education
Phone Hacks Can Happen to Anyone. Here's How to Protect Yourself. -Paul Sullivan, New York Times 1/31/20
Social media posts give criminals an easy opportunity for taking advantage of unaware users. This article shares some tips on ways to protect your data when you go on vacation. These tips include: not logging onto hotel wifi, not syncing your phone with your rental car, not charging your phone with a charging station in a hotel room, limiting screen time for children, and generally ensuring that third parties to whom you give your information protect it to the same standards that you do. –Carlin Cherry
Facial Recognition
European parliament says it will not use facial recognition tech - Jennifer Rankin, The Guardian 02/05/2020
A page from the European parliament’s intranet was leaked which was seen by the Guardian. The page suggested that facial recognition could be used “for biometric-based security and services to members”. This was denied by the parliament. -- Shagun
Google
 Google Photo users fuming over privacy breach
  - Antony Savvas - Data Economy - 02/05/20 
 Google admits to accidentally sharing people's videos stored in Google Photos with strangers. Google Takeout function had a technical issue last November leading to videos being incorrectly exported to unrelated users' archives. Actual numbers haven't been disclosed, but apparently less than 0.01% of users were affected.
 - Malavika Prabhakar
google-may-have-incorrectly-exported-some-your-google-photos-videos-other-users-archives
  -Babu Mohan,  androidcentral 4th Feb 2020
Google admits that Google Photos sent private videos to strangers and allowed them to download them. Google says it conducted an in-depth analysis after resolving the issue to prevent it from happening again in the future. However, nowhere did they reveal what the cause of the issue was and how it was fixed. - Abhishek Tatti
Google says it accidentally sent some users' private videos to strangers – Todd Haselton, CNBC, 2020-02-04
Google confirmed that some users received private videos of strangers while using Google Takeout between November 21 and November 25. Google says they have fixed the issue and are notifying affected people. Less than 0.01% of people who exported data in that time frame were affected. - Amarbir Singh
 
Google Accidentally Shared Private Videos of Some Users With Others. - Wang Wei, The Hacker News February 4, 2020
Apparently one's instance in the cloud is not as secure as one would think. Recently an issue was brought to light with a technical issue in a feature of Google Takeout. When unsuspecting users requested to download their images via the Google Takeout service, some users inadvertently received images and videos from other users. The issue was from November 21st - November 25th and, per Google, affected a small subset of users. The issue was reported via an email sent to affected users in February 2020. – Dwayne Robinson
Google Accidentally Shared Private Videos of Some Users With Others - Wang Wei, The Hacker News, 02/04/2020
  Due to a technical issue in Google's Takeout service (which backs up all our Google account data into a single file) between 21st November and 25th November last year, your private videos stored on the company's servers might have been accidentally shared with other Google users. - Vraj Patel
Google Accidentally Shared Private Videos of Some Users With Others – Wang Wei- Hacker News- 2/4/20
  Recently Google has announced that customers' private videos may have been distributed on company servers or databases. This is a result of a bug within the Google Takeout platform. This service basically backs up the Google user account data to one file for ease of access. Furthermore, how should we move forward with these types of mistakes companies are making with our data (Privacy Violations)? --Anthony Cassar
  
Google Scam Fishing Ads - Paul Murphy, CNN 2/3/20
Google continued to offer advertisements for scam fishing licenses even after several states including California, New York, and Texas reported the fraudulent activity to Google.  Texas received a response back from Google stating that they disagreed with the fraudulent claims.  According to this article, Google did not remove the advertisements until asked for comment by CNN. Exact intentions of the scam sites are unknown, but they could have been used to collect sensitive information as well as collecting money. – Chris Samayoa
Amazon
 Ring is rolling out its new Control Center privacy dashboard  - Michael Brown, TechHive 1/30/2020
 Amazon's Ring has had a lot of criticism in the past several months for failing to protect its customers’ privacy such as hacks of Ring cameras due to people using the same password on multiple servers. The new Control Center makes two-factor verification mandatory for all new users (unless they opt-out) and optional for existing users. It will also alert you if your account has been compromised and allow you to opt-out of having law enforcement agencies request recordings from your Ring cameras. Future updates will provide users with visibility and the ability to opt-out of third-party service providers working with Ring that have access to your personal information.  -Shannon Tee 
Elections
The Iowa Caucuses App Had Another Problem: It Could Have Been Hacked - Jack Gillum and Jessica Huseman, ProPublica 02/05/20
The Iowa Caucus of the Democratic Party grabbed national attention due to the reporting app's failure and delayed results. But cybersecurity experts, after carefully reviewing the app, found even more security concerns. The app wasn't thoroughly tested before launching statewide and voters' information could be easily hacked and obtained from it. – Haotian Mai
Apps and Applications
The hackable lightbulb - Scott Rosenberg, Axios 02/06/20
A security flaw was found in Philips Hue Smart Bulbs. An attacker within 328 feet can use the Zigbee protocol flaw of the IoT device to execute an attack and gain entrance to the smart home network and install malware. The security concerns among the IoT industry are quietly growing. – Haotian Mai
China's TikTok Sued by U.S. College Student Over Data Use - Zheping Huang, Bloomberg, 12/02/2019
A California college student, Misty Hong, sued TikTok for secretly funneling her personal information to China while using her videos to create an online profile for targeted ads. The lawyers said in the filing, “TikTok unjustly profits from its secret harvesting of private and personally-identifiable user data by, among other things, using such data to derive vast targeted-advertising revenues and profits.” But they didn’t provide evidence to back up the allegations. --- Ziwei Zhao
 
E-scooters present security and privacy risks for owners, study finds - Christopher Maynard, 1/27/20
A new study from the University of Texas at San Antonio has found weak points and attack surfaces within the environment and ecosystems of e-scooters. The safety of the rider while using the scooters is of great importance, as is the rider's sensitive information. The UTSA study found that some of the e-scooters communicate with the rider's smartphone via a Bluetooth Low Energy channel. It would be easy for an attacker to eavesdrop on this communication with inexpensive tools and gather the rider's information. In addition, the sensitive information the e-scooters collect from all of their riders is vulnerable.
Data Breaches
GridWorks, the Transportation Provider for Metro-Area Medicaid Patients, Suffers Data Breach - Nigel Jaquiss, Willamette Week 02/05/2020
GridWorks was a contractor to Health Share of Oregon, a consortium of local health care and insurance providers. Health Share shared in a statement, on February 05, that GridWorks suffered theft at its Portland office on Nov 18 but did not inform Health Share that a computer containing unprotected client data was among items stolen until January 02. Health Share is notifying members of this breach and will offer those affected a year of free monitoring, fraud consultation and identity restoration services. -- Neekita Salvankar
Hanna Andersson Customers Sue Salesforce for Data Breach - Alaina Lancaster, The Recorder, February 04, 2020
Customers whose information was sold on the dark web after malware infected retailer Hanna Andersson's Salesforce e-commerce platform will face “a lifetime risk of identity theft,” according to a complaint filed Monday in the U.S. District Court for the Northern District of California. - Kriti Jain
More than 30M customers' data for sale on dark web after Wawa Data breach - Cortney Moore, Fox Business, Jan 29th 2020
Payment and credit card information from more than 30 million Wawa customers was posted for sale Monday via the dark web forum Joker’s Stash, a website used by cybercriminals for fraud. The compromised card data listing was shared under a thread titled “BIGBADABOOM-III,” and it was noted as “the most biggest (sic) breach for the last 5 years” in a screenshot captured by cybercrime research firm Gemini Advisory.   – Pavas Navaney
Wawa breach: Over 30M payment records posted for sale on dark web - Cortney Moore, Fox Business Jan. 28, 2020
Another data breach… On December 10, 2019, Wawa, a grocery store that also has gas stations, had 850 stores hit with malware exposing their payment records; specifically, ONLY payment card information was leaked, not PINs or CVV2 numbers. It urged its customers to “remain vigilant” in monitoring their financial records. It stopped the breach on the 12th. The investigation is ongoing and customers will be contacted. What will the FTC require Wawa to do for customers that have been affected? – Marco Gomez
Dear Ashley Madison user, I know everything about you. Pay up or else - Dan Goodin, Ars Technica, February 1, 2020 4:45 AM
An after-effect of the Ashley Madison data breach was that AM site users were targeted by blackmailers in 2015. A second wave of blackmail attempts was found by researchers recently. The extortion messages from the blackmailers contain some details from the targeted users' Ashley Madison profiles. - Brendan Chan
 Human Rights Fears as UN Admits Major Breach
 Phil Muncaster, InfoSecurity Magazine, 30 JAN 2020
 Hackers compromised dozens of United Nations servers last summer in an attack which the world body kept a secret from its own employees, according to a new report.  Although it's unclear exactly what other info was taken, the servers in question could have provided access to sensitive details on UN employees.  The UN seems to have used its diplomatic immunity to keep the incident a secret, despite it raising serious questions under the GDPR. - Brian Ostler
Law Enforcement Access
Options to End the End to End Encryption Debate - Dawn Alford, Infosecurity Magazine, 1/29/2020
 There's contention over law enforcement demanding access to encrypted devices/messaging apps in order to battle crime. The US, UK, and Australian justice departments have enlisted the help of companies such as Facebook to install backdoors into the design of their products to allow law enforcement to unlock the phones of criminal suspects and access data. Facebook argues that a backdoor installation cannot be implemented without weakening the product's encryption.
  – Madhuri Jujare
The FBI still hasn't unlocked Pensacola shooter's iPhones - Stephen Warwick, iMore, Feb 6, 2020
Following up on the articles in the previous lectures, the FBI has not been able to decipher the encryption on the Pensacola shooter's iPhone, which has further heated negotiations between the FBI and Apple while bringing into question how the FBI was able to unlock iPhones previously. Could this be the end of the road for the FBI or the start of something else entirely? -- Harshit Kothari