Showing posts with label Warning. Show all posts
Showing posts with label Warning. Show all posts

Tuesday, July 26, 2016

FRANCE Warns Microsoft to stop collecting Windows 10 users Personal data



We have heard a lot about privacy concerns surrounding Windows 10 and accusations on Microsoft ofcollecting too much data about users without their consent.


Now, the French data protection authority has ordered Microsoft to stop it.


France's National Data Protection Commission (CNIL) issued a formal notice on Wednesday, asking Microsoft to "stop collecting excessive data" as well as "tracking browsing by users without their consent."


The CNIL, Commission Nationale de l’Informatique et des Libertés, ordered Microsoft to comply with the French Data Protection Act within 3 months, and if fails, the commission will issue a sanction against the company.


Moreover, the CNIL notified Microsoft that the company must also take "satisfactory measures to ensure the security and confidentiality" of its users' personal data.


The notice comes after a series of investigations between April and June 2016 by French authorities, revealing that Microsoft was still transferring data to the United States under the "Safe Harbor" agreement that a European Court court invalidated in October last year.



Allegations on Windows 10


The CNIL's list of complaints about Windows 10 does not end there, as it goes on to read:




  • Microsoft is collecting data on "Windows app and Windows Store usage data," along with monitoring apps its user's download and time spent on each app, which according to the CNIL, is irrelevant and "excessive" data collection.
  • Microsoft is also criticized for its lack of security, since there is no limit set on the number of guesses for entering the four-digit PIN used to protect your Microsoft account.
  • After Windows 10 installation, Microsoft also activates a user's advertising ID by default, which enables Windows apps as well as other third-party apps to monitor user browsing history and to offer targeted ads "without obtaining users' consent."
  • Windows 10 does not give you any option to block cookies.
  • And as I mentioned above, Microsoft is transferring its users' personal data to the United States under the "Safe Harbor" agreement.
 In a statement, the CNIL said: "It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory)."

Microsoft Response on the CNIL Notice


Microsoft has responded to the notice, saying the company is happy to work with the CNIL to"understand the agency's concerns fully and to work toward solutions that it will find acceptable." 


What's more interesting is that Microsoft does not deny the allegations set against it and does nothing to defend Windows 10 excessive data collection, as well as fails to address the privacy concerns the CNIL raises.


However, the tech giant does address concerns about the transfer of its users' personal data to the U.S. under the "Safe Harbor" agreement, saying that "the Safe Harbor framework is no longer valid for transferring data from European Union to the United States."


The company says it still complies with the Safe Harbor agreement up until the adoption of Privacy Shield.


"Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and US representatives worked toward the new Privacy Shield," says Microsoft. "We're working now toward meeting the requirements of the Privacy Shield."

Windows 10 Privacy concerns seem to be a never ending topic. Over the last year, Microsoft has annoyed users with a number of weird practices around Windows 10, including aggressive upgrades and transferring too much information about users back to Redmond.


Since there is the promise of a statement about privacy next week, let's see what happens next. You can read Microsoft's full statement, courtesy of David Heiner, vice president and deputy general counsel, on VentureBeat.

Wednesday, July 13, 2016

Warning - Millions of Xiaomi Phones Vulnerable, Remote Hacking



Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets.


The vulnerability, now patched, exists in MIUI – Xiaomi's own implementation of the Android operating system – in versions prior to MIUI Global Stable 7.2 which is based on Android 6.0.


The flaw, discovered by IBM X-Force researcher David Kaplan, potentially allows attackers with privileged network access, such as cafe Wi-Fi, to install malware remotely on the affected devices and fully compromise them.


Researchers found some apps in the analytics package in MIUI, which can be abused to provide malicious ROM updates remotely through a man-in-the-middle attack.


"The vulnerability we discovered allows for a man-in-the-middle attacker to execute arbitrary code as the highly privileged Android 'system' user," researchers say.

Researchers say they discovered vulnerable analytics packages in at least four default apps provided by Xiaomi in its MIUI distributions, one of those apps being the default browser app.


The flaw allows an attacker to inject a JSON response to force an update by replacing the link and MD5 hash with a malicious Android application package containing malicious code, which is executed at the system level.



Since there is not any cryptographic verification of the update code, the analytics package (com.xiaomi.analytics) will replace itself with "the attacker-supplied version via Android's DexClassLoader mechanism."


In order words, the analytics package neither uses HTTPS to query an update server for updates, nor it downloads the package over HTTPS, thus allowing attackers to modify the updates.


The custom ROM ships on devices manufactured by developer Xiaomi – World's third largest smartphone maker with over 70 Million devices shipped just last year alone – and is also ported to over 340 different handsets including Nexus, Samsung, and HTC.


Since the company has patched the flaw and released a over-the-air update, users are strongly recommended to update their firmware to version 7.2 as soon as possible in order to ensure they are not vulnerable to this issue that plagues Millions of Xiaomi devices.