#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Privacy | Breaking Cybersecurity News | The Hacker News

Facebook Launches 'Privacy Center' to Educate Users on Data Collection and Privacy Options

Facebook Launches 'Privacy Center' to Educate Users on Data Collection and Privacy Options

Jan 08, 2022
Meta Platforms, the company formerly known as Facebook, on Friday announced the launch of a centralized Privacy Center that aims to "educate people" about its approach with regards to how it collects and processes personal information across its family of social media apps. "Privacy Center provides helpful information about five common privacy topics: sharing, security, data collection, data use and ads," the social technology firm  said  in a press release. The first module, Security, will offer easy access to common tools such as account security settings and two-factor authentication. Sharing will provide specifics about post visibility and settings to archive or trash old posts. Collection and Use will give users a quick glance into the type of data Meta harvests and learn how and why it's used, respectively. Lastly, the Ads section will furnish information regarding a user's ad preferences. The learning hub is expected to be initially limited to a s
France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies

France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies

Jan 07, 2022
The Commission nationale de l'informatique et des libertés (CNIL), France's data protection watchdog, has slapped Facebook (now Meta Platforms) and Google with fines of €150 million ($170 million) and €60 million ($68 million) for violating E.U. privacy rules by failing to provide users with an easy option to reject cookie tracking technology. "The websites facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies," the  authority   said . "However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies." Facebook told  TechCrunch  that it was reviewing the ruling, while Google said it's working to change its practices in response to the CNIL fines. HTTP cookies are small pieces of data created while a user is browsing a website and placed on the user's computer or other device by the user's web browser to track online
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Facebook Bans 7 'Cyber Mercenary' Companies for Spying on 50,000 Users

Facebook Bans 7 'Cyber Mercenary' Companies for Spying on 50,000 Users

Dec 17, 2021
Meta Platforms on Thursday revealed it took steps to deplatform seven cyber mercenaries that it said carried out "indiscriminate" targeting of journalists, dissidents, critics of authoritarian regimes, families of opposition, and human rights activists located in over 100 countries, amid mounting scrutiny of surveillance technologies. To that end, the company  said  it alerted 50,000 users of Facebook and Instagram that their accounts were spied on by the companies, who offer a variety of services that run the spyware gamut from hacking tools for infiltrating mobile phones to creating fake social media accounts to monitor targets. It also removed 1,500 Facebook and Instagram accounts linked to these firms. "The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts," Meta's David Agranovich and Mike Dvilyanski said. "These compa
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Russia Blocks Tor Privacy Service in Latest Censorship Move

Russia Blocks Tor Privacy Service in Latest Censorship Move

Dec 10, 2021
Russia has stepped up its censorship efforts in the country by fully blocking access to the Tor web anonymity service, coinciding with the  ban  of six virtual private network (VPN) operators, as the government continues its efforts to control the internet and crack down on attempts to circumvent locally imposed web restrictions. The Federal Service for Supervision of Communications, Information Technology and Mass Media, also known as Roskomnadzor, the watchdog responsible for monitoring, controlling and censoring Russian mass media, announced the block, accusing it of enabling access to illegal content, Reuters  reported  this week. Russia  accounts  for 15% of all Tor users, with more than 310,000 daily users, second only to the U.S. Tor, short for The Onion Router,  enables  users to automatically encrypt and reroute their web requests through a network of Tor relays for anonymizing network traffic, as well as help bypass censorship and protect their identities from the intern
Twitter Bans Users From Posting ‘Private Media’ Without a Person's Consent

Twitter Bans Users From Posting 'Private Media' Without a Person's Consent

Dec 01, 2021
Twitter on Tuesday announced an expansion to its private information policy to include private media, effectively prohibiting the sharing of photos and videos without express permission from the individuals depicted in them with an aim to curb doxxing and harassment. "Beginning today, we will not allow the sharing of private media, such as images or videos of private individuals without their consent. Publishing people's private info is also prohibited under the policy, as is threatening or incentivizing others to do so," the company's Safety team  said  in a tweet. To that end, the policy also  discourages  users from sharing information such as sign-in credentials that would enable malicious actors to gain access to a person's sensitive information without their authorization. It also forbids users from seeking financial compensation in exchange for posting (or not posting) another individual's private information as part of blackmail schemes. As part o
Italy's Antitrust Regulator Fines Google and Apple for "Aggressive" Data Practices

Italy's Antitrust Regulator Fines Google and Apple for "Aggressive" Data Practices

Nov 27, 2021
Italy's antitrust regulator has fined both Apple and Google €10 million each for what it calls are "aggressive" data practices and for not providing consumers with clear information on commercial uses of their personal data during the account creation phase. The Autorità Garante della Concorrenza e del Mercato (AGCM)  said  "Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes," adding the tech companies chose to emphasize the data collection as only necessary to improve their own services and personalize user experience without offering any indication that the data could be transferred and used for other reasons. The concerns have to do with how the companies omit relevant information when creating an account and using their services, details which the authority said are critical to making an informed decision as to whether or not to give permission for utilizing their data for comme
Facebook Releases New Tool That Finds Security and Privacy Bugs in Android Apps

Facebook Releases New Tool That Finds Security and Privacy Bugs in Android Apps

Sep 29, 2021
Facebook on Wednesday announced it's open-sourcing  Mariana Trench , an Android-focused static analysis platform the company uses to detect and prevent security and privacy bugs in applications created for the mobile operating system at scale. "[Mariana Trench] is designed to be able to scan large mobile codebases and flag potential issues on  pull requests  before they make it into production," the Menlo Park-based social tech behemoth said . In a nutshell, the utility allows developers to frame rules for different data flows to scan the codebase for in order to unearth potential issues — say,  intent   redirection   flaws  that could result in the leak of sensitive data or injection vulnerabilities that would allow adversaries to insert arbitrary code — explicitly setting boundaries as to where user-supplied data entering the app is allowed to come from (source) and flow into (sink) such as methods that can execute code and retrieve or interact with user data. Dat
Apple's New iCloud Private Relay Service Leaks Users' Real IP Addresses

Apple's New iCloud Private Relay Service Leaks Users' Real IP Addresses

Sep 24, 2021
A new as-yet unpatched weakness in Apple's iCloud Private Relay feature could be circumvented to leak users' true IP addresses from iOS devices running the latest version of the operating system. Introduced as a beta with iOS 15, which was officially released this week,  iCloud Private Relay  aims to improve anonymity on the web by employing a dual-hop architecture that effectively shields users' IP address, location, and DNS requests from websites and network service providers. It achieves this by routing users' internet traffic on the Safari browser through two proxies in order to mask who's browsing and where that data is coming from in what could be viewed as a simplified version of Tor.  However, the feature is available only to iCloud+ subscribers running iOS 15 or macOS 12 Monterey and above. "If you read the IP address from an HTTP request received by your server, you'll get the IP address of the egress proxy," FingerprintJS researcher Se
Google to Auto-Reset Unused Android App Permissions for Billions of Devices

Google to Auto-Reset Unused Android App Permissions for Billions of Devices

Sep 20, 2021
Google on Friday said it's bringing an Android 11 feature that auto-resets permissions granted to apps that haven't been used in months, to devices running Android versions 6 and above. The expansion is expected to go live later this year in December 2021 and enabled on Android phones with Google Play services running Android 6.0 (API level 23) or higher, which the company said should cover "billions more devices." Google officially released Android 6.0 Marshmallow on October 5, 2015. With Android 11 that came out last year, the internet giant introduced a permission auto-reset option that helps improve user privacy by automatically resetting an app's permissions to access sensitive features like storage or camera if the app in question is left unopened for a few months. "Some apps and permissions are automatically exempted from revocation, like active Device Administrator apps used by enterprises, and permissions fixed by enterprise policy," Google
Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash

Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash

Sep 04, 2021
Apple is temporarily hitting the pause button on its  controversial plans  to screen users' devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users. "Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features," the iPhone maker  said  in a statement on its website. The announcement, however, doesn't make it clear as to the kind of inputs it would be gathering, the nature of changes it aims to devise, or how it intends to implement the system in a way that mitigates the privacy and security concerns that could arise once it's deployed. The changes were originally slated to go live with iOS 15 and macOS Monterey later this year, starting with the U.S. In
Facebook Adds End-to-End Encryption for Audio and Video Calls in Messenger

Facebook Adds End-to-End Encryption for Audio and Video Calls in Messenger

Aug 14, 2021
Facebook on Friday said it's extending end-to-end encryption (E2EE) for voice and video calls in Messenger, along with testing a new opt-in setting that will turn on end-to-end encryption for Instagram DMs. "The content of your messages and calls in an end-to-end encrypted conversation is protected from the moment it leaves your device to the moment it reaches the receiver's device," Messenger's Ruth Kricheli  said  in a post. "This means that nobody else, including Facebook, can see or listen to what's sent or said. Keep in mind, you can report an end-to-end encrypted message to us if something's wrong." The social media behemoth said E2EE is becoming the industry standard for improved privacy and security. It's worth noting that the company's flagship messaging service gained support for E2EE in text chats in 2016, when it added a " secret conversation " option to its app, while communications on its sister platform What
Apple to Scan Every Device for Child Abuse Content — But Experts Fear for Privacy

Apple to Scan Every Device for Child Abuse Content — But Experts Fear for Privacy

Aug 06, 2021
Apple on Thursday said it's introducing new child safety features in iOS, iPadOS, watchOS, and macOS as part of its efforts to limit the spread of Child Sexual Abuse Material (CSAM) in the U.S. To that effect, the iPhone maker said it intends to begin client-side scanning of images shared via every Apple device for known child abuse content as they are being uploaded into iCloud Photos, in addition to leveraging on-device machine learning to vet all iMessage images sent or received by minor accounts (aged under 13) to warn parents of sexually explicit photos shared over the messaging platform. Furthermore, Apple also plans to update Siri and Search to stage an intervention when users try to perform searches for CSAM-related topics, alerting that the "interest in this topic is harmful and problematic." "Messages uses on-device machine learning to analyze image attachments and determine if a photo is sexually explicit," Apple  noted . "The feature is desi
Google Extends Support for Tracking Party Cookies Until 2023

Google Extends Support for Tracking Party Cookies Until 2023

Jun 25, 2021
Google's sweeping proposal to deprecate third-party cookies in Chrome browser is going back to the drawing board after the company announced plans to delay the rollout from early 2022 to late 2023, pushing back the project by nearly two years. "While there's  considerable progress  with this initiative, it's become clear that more time is needed across the ecosystem to get this right," Chrome's Privacy Engineering Director, Vinay Goel,  said  Thursday. In buying extra time, the search giant said it hopes to arrive at a consensus on the right solutions, while simultaneously engaging with regulators, and enabling publishers and the advertising industry to migrate their services to privacy-preserving technologies that prevent "alternative forms of individual tracking, and discourage the rise of covert approaches like  fingerprinting ." The revised timelines comes close on the heels of a fresh regulatory setback in the European Union, after the Euro
Patch Tor Browser Bug to Prevent Tracking of Your Online Activities

Patch Tor Browser Bug to Prevent Tracking of Your Online Activities

Jun 23, 2021
Open-source Tor browser has been updated to version 10.0.18 with fixes for multiple issues, including a privacy-defeating bug that could be used to uniquely fingerprint users across different browsers based on the apps installed on a computer. In addition to  updating  Tor to 0.4.5.9, the browser's Android version has been upgraded to Firefox to version 89.1.1, alongside incorporating patches rolled out by Mozilla for several  security vulnerabilities  addressed in Firefox 89. Chief among the rectified issues is a new fingerprinting attack that came to light last month. Dubbed  scheme flooding , the vulnerability enables a malicious website to leverage information about installed apps on the system to assign users a permanent unique identifier even when they switch browsers, use incognito mode, or a VPN. Put differently, the  weakness  takes advantage of custom URL schemes in apps as an attack vector, allowing a bad actor to track a device's user between different browsers
Russia bans VyprVPN, Opera VPN services for not complying with blacklist request

Russia bans VyprVPN, Opera VPN services for not complying with blacklist request

Jun 18, 2021
Russia's telecommunications and media regulator Roskomnadzor (RKN) on Thursday introduced restrictions on the operation of VyprVPN and Opera VPN services in the country. "In accordance with the regulation on responding to threats to circumvent restrictions on access to child pornography, suicidal, pro-narcotic and other prohibited content, restrictions on the use of VPN services VyprVPN and Opera VPN will be introduced from June 17, 2021," the state agency  said  in a statement. The watchdog described them as threats in accordance with the Decree of the Government of the Russian Federation No. 127 dated February 12, adding the restrictions will not affect Russian companies using VPN services in continuous technological processes. The development comes a little over a month after  RKN sent a request  to enterprises and organizations that use the two VPN services to inform the  Center for Monitoring and Management of the Public Telecommunications Network  and seek e
Strengthen Your Password Policy With GDPR Compliance

Strengthen Your Password Policy With GDPR Compliance

Jun 17, 2021
A solid password policy is the first line of defense for your corporate network. Protecting your systems from unauthorized users may sound easy on the surface, but it can actually be quite complicated. You have to balance password security with usability, while also following various regulatory requirements. Companies in the EU must have password policies that are compliant with the General Data Protection Regulation (GDPR). Even if your company isn't based in the EU, these requirements apply if you have employees or customers residing in the EU or customers purchasing there. In this post, we will look at GDPR requirements for passwords and provide practical tips on how to design your password policy. Remember, even if GDPR isn't required for you now, the fundamentals of a data protection regulation plan can help strengthen your organization's security.  Password requirements for GDPR compliance You may be surprised to discover that the GDPR laws do not actually mentio
Instagram‌ ‌Bug Allowed Anyone to View Private Accounts Without Following Them

Instagram‌ ‌Bug Allowed Anyone to View Private Accounts Without Following Them

Jun 15, 2021
Instagram has patched a new flaw that allowed anyone to view archived posts and stories posted by private accounts without having to follow them. "This bug could have allowed a malicious user to view targeted media on Instagram," security researcher Mayur Fartade  said  in a Medium post today. "An attacker could have been able to see details of private/archived posts, stories, reels, IGTV without following the user using Media ID." Fartade disclosed the issue to Facebook's security team on April 16, 2021, following which the shortcoming was patched on June 15. He was also awarded $30,000 as part of the company's bug bounty program. Although the attack requires knowing the media ID associated with an image, video, or album, by brute-forcing the identifiers, Fartade demonstrated that it was possible to craft a POST request to a GraphQL endpoint and retrieve sensitive data. As a consequence of the flaw, details such as like/comment/save count, display_
Mozilla Says Google's New Ad Tech—FLoC—Doesn't Protect User Privacy

Mozilla Says Google's New Ad Tech—FLoC—Doesn't Protect User Privacy

Jun 11, 2021
Google's upcoming plans to replace third-party cookies with a less invasive ad targeted mechanism have a number of issues that could defeat its privacy objectives and allow for significant linkability of user behavior, possibly even identifying individual users. "FLoC is premised on a compelling idea: enable ad targeting without exposing users to risk,"  said  Eric Rescorla, author of TLS standard and chief technology officer of Mozilla. "But the current design has a number of privacy properties that could create significant risks if it were to be widely deployed in its current form." Short for Federated Learning of Cohorts,  FLoC  is part of Google's fledgling  Privacy Sandbox  initiative that aims to develop alternate solutions to satisfy cross-site use cases without resorting to third-party cookies or other opaque tracking mechanisms. Essentially, FLoC allows marketers to guess users' interests without having to uniquely identify them, thereby eli
Cybersecurity Resources