Showing posts with label Risk.

Tuesday, July 26, 2016

France Warns Microsoft to Stop Collecting Windows 10 Users' Personal Data



We have heard a lot about privacy concerns surrounding Windows 10 and accusations that Microsoft is collecting too much data about users without their consent.


Now, the French data protection authority has ordered Microsoft to stop it.


France's National Data Protection Commission (CNIL) issued a formal notice on Wednesday, asking Microsoft to "stop collecting excessive data" as well as "tracking browsing by users without their consent."


The CNIL, Commission Nationale de l’Informatique et des Libertés, ordered Microsoft to comply with the French Data Protection Act within 3 months; if it fails to do so, the commission will issue a sanction against the company.


Moreover, the CNIL notified Microsoft that the company must also take "satisfactory measures to ensure the security and confidentiality" of its users' personal data.


The notice comes after a series of investigations by French authorities between April and June 2016, revealing that Microsoft was still transferring data to the United States under the "Safe Harbor" agreement that a European court invalidated in October last year.



Allegations on Windows 10


The CNIL's list of complaints about Windows 10 does not end there, as it goes on to read:




  • Microsoft is collecting data on "Windows app and Windows Store usage data," along with monitoring the apps its users download and the time spent on each app, which according to the CNIL is irrelevant and "excessive" data collection.
  • Microsoft is also criticized for its lack of security, since there is no limit set on the number of guesses for entering the four-digit PIN used to protect your Microsoft account.
  • After Windows 10 installation, Microsoft also activates a user's advertising ID by default, which enables Windows apps as well as other third-party apps to monitor user browsing history and to offer targeted ads "without obtaining users' consent."
  • Windows 10 does not give you any option to block cookies.
  • And as I mentioned above, Microsoft is transferring its users' personal data to the United States under the "Safe Harbor" agreement.

In a statement, the CNIL said: "It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory)."

Microsoft Response on the CNIL Notice


Microsoft has responded to the notice, saying the company is happy to work with the CNIL to "understand the agency's concerns fully and to work toward solutions that it will find acceptable."


What's more interesting is that Microsoft does not deny the allegations set against it, does nothing to defend Windows 10's excessive data collection, and fails to address the privacy concerns the CNIL raises.


However, the tech giant does address concerns about the transfer of its users' personal data to the U.S. under the "Safe Harbor" agreement, saying that "the Safe Harbor framework is no longer valid for transferring data from European Union to the United States."


The company says it still complies with the Safe Harbor agreement up until the adoption of Privacy Shield.


"Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and US representatives worked toward the new Privacy Shield," says Microsoft. "We're working now toward meeting the requirements of the Privacy Shield."

Windows 10 privacy concerns seem to be a never-ending topic. Over the last year, Microsoft has annoyed users with a number of weird practices around Windows 10, including aggressive upgrades and transferring too much information about users back to Redmond.


Since there is the promise of a statement about privacy next week, let's see what happens next. You can read Microsoft's full statement, courtesy of David Heiner, vice president and deputy general counsel, on VentureBeat.

Tuesday, December 29, 2015

Money Offered to Install Malware on Raspberry Pi


The Raspberry Pi is now gaining attention from malware distributors who want the popular mini-computers to ship with pre-installed malware.

The Raspberry Pi Foundation has made a shocking revelation: the charitable foundation has been offered money to install malware onto Raspberry Pi machines before they are shipped out to users.

The Raspberry Pi is an extremely simple computer that looks and feels very basic, but could be built into many geeky projects. Due to the low-cost appeal of the Raspberry Pi, the Foundation has sold over 4 million units.

Just last month, Raspberry Pi unveiled its latest wonder: the Raspberry Pi Zero, a programmable computer that costs just $5 (or £4) and may rank as the world's cheapest computer.

Last Wednesday, the Foundation tweeted a screenshot of an email in which "business officer" Linda effectively asked the Foundation's director of communications, Liz Upton, to install a suspicious executable file onto Raspberry Pis, for which the officer promised a "price per install."

The email further explained that installing the executable file would create a shortcut icon on the user's desktop, and opening the shortcut would take the user to the company's website. "Then this is our target," the email reads.

Here's the screenshot of the full email:

[Screenshot: raspberry-pi-malware]

However, the name of the company represented by Linda was not revealed by the Raspberry Pi Foundation.

Obviously, the paid-for-malware distributor pitched the wrong organisation, which declined the offer and described the company as "evildoers," but the incident once again raises the question of how common and widespread this practice is.

Tuesday, August 18, 2015

Another Critical Android Flaw Puts Millions at Risk



We previously reported on a critical mediaserver vulnerability that threatened to crash more than 55 percent of Android devices, making them unresponsive and practically unusable for most essential tasks.

Now, security researchers at Trend Micro have uncovered another flaw in the Android's mediaserver component that could be remotely exploited to install malware onto a target device by sending a specially crafted multimedia message.

The vulnerability (CVE-2015-3842) affects almost all versions of Android from Android 2.3 Gingerbread to Android 5.1.1 Lollipop, potentially leaving hundreds of millions of Android devices open to attackers.

Google has since patched this issue; hopefully this time the patch isn’t incomplete, unlike its patch for the Stagefright vulnerability, which affects 950 million Android devices worldwide.

How the Vulnerability Works


The security flaw involves a mediaserver component called AudioEffect and uses an unchecked variable that comes from the client, usually an app.

According to a security researcher from Trend Micro, the vulnerability can be exploited by malicious apps.

All an attacker needs to do is convince the victim to install an app that does not ask for "any required permissions, giving them a false sense of security."

"The checking of the buffer sizes of pReplyData and pCmdData is not correct," researchers wrote in a blog post published Monday.

"As the mediaserver component uses these buffers… the mediaserver component assumes the buffer sizes of pReplyData and pCmdData are bigger than this size. We can make the buffer size of pReplyData, which is client-supplied, smaller than the size read from the buffer pCmdData. This causes a heap overflow."
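As an added illustration, not the Trend Micro researchers' code and not Android's actual AudioEffect implementation, the C sketch below models the bug class the quote describes: a size read from the client-supplied pCmdData drives a write into pReplyData, whose size the client also chooses, so a reply length larger than the reply buffer overruns it. The command layout, the function names and the sizes used are constructed assumptions; the hardened variant shows the two checks such a handler needs before copying anything. The demonstration deliberately gives the reply buffer more backing storage than it advertises, so the over-write stays observable instead of corrupting the heap.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a mediaserver effect command handler (illustration
 * only, not Android's AudioEffect code). Assumed pCmdData layout:
 *   bytes 0..3 : uint32_t reply_len (client-claimed number of reply bytes)
 *   bytes 4..  : payload to be echoed into pReplyData                      */
#define CMD_HDR_LEN 4u
#define CMD_OK      0
#define CMD_EINVAL  (-1)

static uint32_t read_reply_len(const uint8_t *cmd)
{
    uint32_t v;
    memcpy(&v, cmd, sizeof v);      /* memcpy avoids an unaligned load */
    return v;
}

/* Vulnerable pattern: the size read out of pCmdData is trusted and used to
 * write into pReplyData, while the client separately controls how large
 * pReplyData really is (*pReplySize). If reply_len > *pReplySize the memcpy
 * runs off the end of the reply buffer: a heap overflow when pReplyData was
 * heap-allocated.                                                          */
int effect_command_vulnerable(const uint8_t *pCmdData, uint32_t cmdSize,
                              uint8_t *pReplyData, uint32_t *pReplySize)
{
    if (!pCmdData || !pReplyData || !pReplySize || cmdSize < CMD_HDR_LEN)
        return CMD_EINVAL;
    uint32_t reply_len = read_reply_len(pCmdData);
    /* BUG: reply_len is never compared against *pReplySize or cmdSize */
    memcpy(pReplyData, pCmdData + CMD_HDR_LEN, reply_len);
    *pReplySize = reply_len;
    return CMD_OK;
}

/* Hardened version: every client-controlled size is validated against the
 * buffer it describes before any copy takes place.                        */
int effect_command_hardened(const uint8_t *pCmdData, uint32_t cmdSize,
                            uint8_t *pReplyData, uint32_t *pReplySize)
{
    if (!pCmdData || !pReplyData || !pReplySize || cmdSize < CMD_HDR_LEN)
        return CMD_EINVAL;
    uint32_t reply_len = read_reply_len(pCmdData);
    /* 1. The command must actually carry reply_len payload bytes
     *    (prevents an out-of-bounds read from pCmdData).              */
    if (reply_len > cmdSize - CMD_HDR_LEN)
        return CMD_EINVAL;
    /* 2. The reply buffer must be at least reply_len bytes
     *    (prevents the out-of-bounds write into pReplyData).          */
    if (reply_len > *pReplySize)
        return CMD_EINVAL;
    memcpy(pReplyData, pCmdData + CMD_HDR_LEN, reply_len);
    *pReplySize = reply_len;
    return CMD_OK;
}

/* Demonstration with constructed input: the client advertises an 8-byte reply
 * buffer but asks for 32 bytes back. The array has 64 bytes of real storage
 * so the vulnerable handler's over-write is measurable rather than UB.
 * Returns how many bytes landed past the advertised 8-byte reply buffer.   */
uint32_t bytes_written_past_reply_buffer(int use_hardened)
{
    uint8_t cmd[CMD_HDR_LEN + 32];
    uint32_t claimed = 32;                       /* reply_len field */
    memcpy(cmd, &claimed, sizeof claimed);
    memset(cmd + CMD_HDR_LEN, 0xAA, 32);         /* recognisable payload */

    uint8_t reply[64];
    memset(reply, 0, sizeof reply);
    uint32_t reply_size = 8;                     /* what the client advertises */

    int rc = use_hardened
        ? effect_command_hardened(cmd, sizeof cmd, reply, &reply_size)
        : effect_command_vulnerable(cmd, sizeof cmd, reply, &reply_size);
    if (rc != CMD_OK)
        return 0;                                /* rejected: nothing copied */

    uint32_t past = 0;
    for (uint32_t i = 8; i < sizeof reply; i++)
        if (reply[i] == 0xAA)
            past++;
    return past;
}

int main(void)
{
    printf("vulnerable handler: %u bytes past the 8-byte reply buffer\n",
           bytes_written_past_reply_buffer(0));
    printf("hardened handler:   %u bytes past the 8-byte reply buffer\n",
           bytes_written_past_reply_buffer(1));
    return 0;
}
```

The second check is the one the quoted write-up says was missing: the handler compared sizes it read from the command rather than the size of the reply buffer it was actually handed. A sanitiser build (for example `-fsanitize=address`) flags the vulnerable handler immediately when the backing storage is shrunk to the advertised size.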

Proof-of-Concept Attack


The researchers have also developed a proof-of-concept (PoC) malicious app that exploits the flaw. They tested their app on a Nexus 6 handset running Android 5.1.1 Build LMY47Z.

Once installed on the device, the app crashes Android's mediaserver component by overflowing the buffer pReplyData in the heap. If the mediaserver component does not crash, the PoC app is closed and run again.

When Can I Expect a Fix?


So far, there isn't any indication of active attacks against this vulnerability, but researchers said that the flaw could be exploited to provide full control of the target device.

Google has fixed the issue, but given the shaky history of device manufacturers and carriers rolling out patches, it is not known how long the companies will take to update the vulnerable devices.