Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Mobile network operators have a wide leeway when it comes to what kinds of data they can collect when you use their service. Despite this, Indian carrier Airtel kicked up a storm last week after it emerged that its privacy policy allowed it to collect users’ sensitive personal information, such as sexual orientation, genetic information, and political opinion, and share all of this with third parties.

This is what was mentioned in the privacy policy:

Now here’s the problem: Most people don’t bother reading privacy policies and terms of service agreements. They are often long, complicated, and mired in obtuse legalese, as if deliberately designed to confuse users. So by clicking “agree,” you’re consenting for your data to be traded for a service, without really understanding what exactly you’re signing up for. This also means the company has the right to collect, store, and process your data as quid pro quo for the service it offers.

Plus, it doesn’t help that India doesn’t have a comprehensive data protection law like GDPR, thereby making it easy for private companies to overstep their bounds with regard to data collection.

In response to the complaint, Airtel characterized the incident as a “clerical error”, but not before revising its privacy policy to state that it doesn’t hoover up personal information relating to genetic data, religious or political beliefs, health, or sexual orientation. For now.

“The generic content of the definitions of what constitutes personal data as laid down by the IT Act are expansive, which had been inadvertently put on to our website,” the company said in a statement.

Privacy policies need to be simplified, and Apple is taking a big step to address this with its privacy label approach for third-party apps. But it’s still in its infancy and is limited to the iOS ecosystem.
Until then, make sure you take the time to read those privacy policies and terms of service agreements. Trust me, it’s worth all the hassle.
What’s trending in security?
The US, UK, Canada, Australia, New Zealand, India, and Japan make renewed calls for encryption backdoors, Microsoft and an alliance of cybersecurity companies took down TrickBot malware infrastructure, and Zoom officially gains support for end-to-end encryption in video calls.
Vietnamese state-sponsored hackers, aka “OceanLotus,” have been linked to a cyberespionage campaign that involved spying on dissidents for years. [BR24]

The US, UK, Canada, Australia, New Zealand, India, and Japan make a fresh call for encryption backdoors citing “challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children.” [US Department of Justice]

The operators of “Darkside” ransomware, who have extorted millions of dollars from victims, donated $20,000 in Bitcoin to charities to “make the world a better place.” [BBC]

Microsoft and an alliance of cybersecurity companies disrupt 94% of TrickBot’s infrastructure, a week after orchestrating a global takedown of the notorious malware. [Microsoft]
A Russian-speaking hacking group called “MontysThree” has been tied to a series of highly targeted attacks directed against governmental entities, diplomats, and telecom operators for industrial espionage. [Kaspersky]

Zoom is officially beginning to roll out end-to-end encryption in video calls. But you will have to turn it on manually. [TNW]

In July, French authorities took down Encrochat, an encrypted phone network used almost exclusively by criminals, by deploying malware on thousands of devices and eavesdropping on the messages exchanged between criminal suspects. But the hack is now facing a new legal challenge, including whether the messages gathered using the malware are in fact admissible as evidence. [Motherboard]

Google said it delivered over 33,000 alerts to its users during the first three quarters of 2020 to warn them of state-sponsored phishing attacks targeting their accounts. [Google]
Norway blamed Russia for carrying out a cyberattack against the Norwegian parliament in August in which attackers stole data from lawmakers’ email accounts. [Government.no]

Brandon Azad, a security engineer working for Google’s Project Zero hacking team who has been instrumental in uncovering a number of zero-day flaws in iOS, has joined Apple. [Motherboard]

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned that cyberbaddies are chaining multiple security vulnerabilities to compromise IT networks and applications. [CISA]

The US government charged 6 Russian military intelligence officers for carrying out some of the “most disruptive and destructive series of computer attacks ever attributed to a single group.” [The Hacker News]

The last fortnight in data breaches, leaks and ransomware: Barnes & Noble, Crytek, Docsketch, Dr Lal PathLabs, and Software AG.
Data Point
As data breaches continue to become the norm, Verizon’s 2020 Data Breach Report summarized 3,950 confirmed incidents spanning across 81 countries. It found 45% of the breaches involved hacking, while errors and social engineering attacks made up 22% of the attacks. What’s more, 70% of the breaches were perpetrated by external actors, with organized crime groups behind 55% of the attacks. Troublingly, 30% involved internal actors.
That’s it. See you all in two weeks. Stay safe! Ravie x TNW (ravie[at]thenextweb[dot]com)