Subject: Privacy of biometric data in DHS hands in doubt, inspector general says
Source: Roll Call
The report found that Perceptics, a subcontractor hired to help CBP collect biometric data on border crossers, violated DHS privacy policies when an employee used an unencrypted USB drive to transfer a set of facial scans to its own networks without the agency’s authorization or knowledge. The data set was later obtained by hackers during a ransomware attack on Perceptics’ servers.
If that’s the case, the report has arrived at a tricky moment for DHS, which earlier this month proposed new regulations that would require both U.S. citizens and foreign nationals to submit biometric data in order to apply for a variety of immigration services, such as visas for themselves or family members. The proposal would allow for the collection of facial, iris and voice scans, along with DNA samples.
Apple has anointed itself privacy protector-in-chief. “The people who track on the internet know a lot more about you than if somebody’s looking in your window, a lot more,” CEO Tim Cook said last year. And iOS 14 is a testament to its privacy-first approach. Just look at the battle between Apple and Facebook over ad tracking. Exploitation of our personal data has become a commodity traded between the world’s largest organizations.
And so, with that in mind, many iOS users are surprised when some of Apple’s own location tracking is explained. Yes, maybe what happens on an iPhone stays on an iPhone, but some data should not be captured in the first place. Nothing more so than the significant invasiveness of Apple’s significant locations concept—a perfect illustration of just because you can, doesn’t mean you should. This is a continually building data repository of the locations you visit, along with times and dates, detailed maps, even the mode of transport to get you there and how long it took.
Source: Business Insider
- Ransomware attacks — in which hackers take over an organization’s computer systems and demand ransom payments to return them — have reached an unprecedented new high.
- The attacks have proliferated under COVID-19, when more businesses than ever are relying on online systems to function. Experts say the only way to stop the pattern is to cease paying ransoms.
- The US Treasury issued new guidance this month urging people not to pay hackers, and noting that businesses could face civil penalties if they pay ransoms to hacker groups affiliated with sanctioned nation-states.
- But some cybersecurity experts think governments should go further by passing an outright ban on paying ransoms to hackers.
Last week, a hack that bore signs of a ransomware attack debilitated the computer systems of one of the largest hospital chains in the US, taking computer systems offline and delaying procedures at more than 250 hospitals. The hospital chain, Universal Health Systems, is still attempting to restore its systems.
Source: Business Insider
- The IRS is under investigation by the US Treasury’s Inspector General for reportedly buying Americans’ smartphone location data in order to track them.
- Democratic Sens. Ron Wyden and Elizabeth Warren called for the investigation last month after IRS agents told the senators that the agency bought people’s smartphone location data from a company called Venntel.
- Venntel sells location data scraped from people’s smartphones that is gathered from normal apps like games, exercise apps, and weather apps.
- While government agencies typically need to obtain a search warrant before gathering personal information from people’s phones, buying location data directly from private companies like Venntel lets them sidestep that requirement.
In the letter, first reported by Motherboard, Inspector General J. Russell George writes that his office will investigate the IRS’ data collection practices after Democratic Sens. Ron Wyden and Elizabeth Warren voiced concerns that the agency could have violated the Constitution. Wyden’s office provided Business Insider with a copy of the letter Tuesday.
Venntel aggregates location data mined by normal weather apps and games that people download, then sells it in bulk to its clients. Because this location data is collected through apps and then sold by a middleman, there’s no way for individual users to check whether their location data has been collected.
Venntel is already the subject of a separate probe by House Democrats over similar contracts with the Department of Homeland Security. DHS used data from Venntel to track people unlawfully crossing the US-Mexico border, The Wall Street Journal revealed earlier this year.
Source: Homeland Preparedness News
TrustMS, developed by the DHS Science and Technology Directorate (S&T) and Intelligent Automation, is designed to protect operating systems and apps on embedded platforms against most cyberattacks. It provides protections against exploits such as stack manipulation, buffer overflows, execution of unintended code, and even execution of an app’s code in the wrong order.
Thousands of apps and driver updates are released each year, which makes verifying that devices are secure a daunting challenge. More than 12,000 new common vulnerabilities were identified in 2019 alone.
The technology monitors software’s execution as the program runs and detects attack scenarios. When a vulnerability is exploited, the system can detect the manipulation and prevent attackers from taking advantage of it, inoculating a device against most cyberattacks.
Kantara Initiative will assess the conformity of Login.gov’s identity proofing and authentication with the National Institute of Standards and Technology’s Special Publication (SP) 800-63-3, the government’s digital identity guidelines.
Source: C|net via beSpacific
Cnet – Court records in an arson case show that Google gave away data on people who searched for a specific address. “There are few things as revealing as a person’s search history, and police typically need a warrant on a known suspect to demand that sensitive information. But a recently unsealed court document found that investigators can request such data in reverse order by asking Google to disclose everyone who searched a keyword rather than for information on a known suspect…”
Source: AP via CBS News