Search This Blog

Showing posts with label Data protection. Show all posts

Swiss Army Bans WhatsApp at Work

 

A spokesman for the Swiss army announced Thursday that the use of WhatsApp while on duty has been prohibited, in favour of a Swiss messaging service regarded more safe in terms of data security. 

Using other messaging applications like Signal and Telegram on soldiers' personal phones during service activities is likewise barred. 

Commanders and chiefs of staff got an email from headquarters at the end of December advising that their troops switch to the Swiss-based Threema. According to army spokesman Daniel Reist, the recommendation applies "to everyone," including conscripts serving in the military and those returning for refresher courses. 

Switzerland is known for its neutrality. However, the landlocked European country's long-standing position is one of armed neutrality and has mandatory conscription for men.

During operations to assist hospitals and the vaccination campaign in Switzerland's efforts to prevent the Covid-19 pandemic, the concern of using messaging apps on duty came up, as per Reist. The Swiss army will bear the cost of downloading Threema, which is already used by other Swiss public agencies, for four Swiss francs ($4.35, 3.85 euros). 

Other messaging services, such as WhatsApp, are governed by the US Cloud Act, which permits US authorities to access data held by US operators, even if it is stored on servers located outside of the nation. Threema, which claims to have ten million users, describes itself as an instant messenger that collects as little data as possible. It is not supported by advertisements. 

The company states on its website, "All communication is end-to-end encrypted, and the app is open source." 

According to an army spokesman mentioned in a Tamedia daily report, data security is one of the reasons for the policy change. As per local surveys, WhatsApp is the most popular messenger app among 16- to 64-year-olds in Switzerland.

Flaw on Voters’ Portal Patched, Possible Data Leak Avoided

 

An independent security researcher discovered a significant flaw in the National Voters Service Portal (NVSP) and notified the Computer Emergency Response Team (CERT), which collaborated with technical specialists to patch the vulnerability. 

Sai Krishna Kothapalli, the founder and CEO of Hackrew, a Hyderabad-based cybersecurity business, states he discovered the flaw while downloading his Elector Photo Identity Card (EPIC), which provided him accessibility to other voters' registered phone numbers. A simple script could make available the phone numbers of all the voters in a Lok Sabha or Assembly constituency. 

Mr Kothapalli, a graduate of the Indian Institute of Technology, Guwahati, alerted the CERT on October 22, 2021, through a vulnerability submission. Though that he was supposed to receive an acknowledgement within 72 hours, he received a response on December 7, 2021, stating that the emergency response team was in contact with the relevant officials to take appropriate measures. He confirmed that the vulnerability had been addressed on December 14, 2021. 

Mr Kothapalli stated, “The plugging of the loophole has not only prevented a major data leak — exposing the personal mobile phone numbers of several crores of voters across the country — but averted a possible scam during the process of elections. By accessing a mobile number, and using another vulnerability I found, we can send an SMS that will appear as if it came from credible Government IDs. For instance, we can send a message to a voter giving some misleading information that could deprive him/her of casting the vote. So one can imagine this on a larger scale, impacting crores of votes across India.” 

The security researcher explained that he discovered the flaw after visiting the NVPS portal to download his e-EPIC. The system would send an OTP to the registered mobile phone for further authentication after submitting the EPIC number and State name. 

“This is where the vulnerability got exposed. While the OTP went to the voter’s mobile number, the response sent to the browser had the voter’s un-redacted phone number. While this is not visible on the screen, any person with the basic technical know-how of how websites work can figure out how to get it,” he added. 

Since electoral rolls containing EPIC numbers, names, and other election-related and personal details of a voter are published and accessible online for anyone to access, all that is required is to write a simple script to obtain all voters in a constituency's personal phone numbers, names, father/name, husband's EPIC numbers, and constituency names. 

He further added, “This is the most dangerous and highly effective way you can abuse the vulnerability. Since names are visible, huge sections of the country can be targeted based on religion, caste or language in election-related scams in this way.”

Pegasus Spyware Reportedly Hacked iPhones of U.S. State Department & Diplomats

 

An unidentified party used NSO Group's Pegasus spyware to attack the Apple iPhones of at least nine US State Department officials, as per a report published Friday by Reuters. 

After receiving a query about the incident, NSO Group indicated in an email to The Register that it had barred an unnamed customer's access to its system, but it has yet to determine whether its software was engaged. 

An NSO spokesperson told The Register in an email, "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations." 

"To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case." 

The Israel-based firm, which was recently sanctioned by the US for reportedly selling intrusion software to repressive regimes and is being sued by Apple and Meta's (Facebook's) WhatsApp for allegedly assisting the hacking of their customers, says it will work cooperatively with any relevant government authority and share what it learns from its investigation. 

NSO's spokesperson stated, “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case." 

According to Reuters, the impacted State Department officials were situated in Uganda or were focused on Ugandan issues, therefore their phone numbers had a foreign nation prefix rather than a US prefix. When Apple launched its complaint against the NSO Group on November 23rd, the iPhone maker also stated that it will tell iPhone customers who have been the target of state-sponsored hacking. On the same day, Norbert Mao, a communist, was assassinated. On the same day, Norbert Mao, a lawyer and the President of Uganda's Democratic Party, tweeted that he'd gotten an Apple threat notification. 

According to the Washington Post, NSO's Pegasus software was involved in the attempted or accomplished hacking of 37 phones linked to journalists and rights activists, including two women connected to Saudi journalist Jamal Khashoggi. The findings contradicted NSO Group's claims that their software was only licenced for battling terrorists and law enforcement, according to the report. 

The NSO Group released its 2021 Transparency and Responsibility Report [PDF] the same month, insisting that its software is only used against groups with few sympathisers, such as terrorists, criminals, and pedophiles. 

Several reports from cybersecurity research and human rights organisations, not to mention UN, EU, and US claims about the firm, have disputed that assertion. The US State Department refused The Register's request for confirmation of the Reuters claim but said the agency takes its obligation to protect its data seriously. They were also told that the Biden-Harris administration is seeking to limit the use of repressive digital tools.

Amazon Fined With EUR 746 Million By Luxembourg Over Data Protection

 

Amazon has been fined 746 million ($880 million) Euros by the Luxembourg government over data protection rules. Despite its powerful presence across the globe, the American multinational technology company that focuses on e-commerce, digital streaming, cloud computing, and artificial intelligence, has continued to make headlines for various reasons, at times even serious allegations. Interestingly, it also falls under the category of "frightful five" which is a name given to the five most valuable tech giants that collectively influence almost everything that happens in the tech world. Amazon has undoubtedly become an integral part of most households, not only just American but worldwide. In terms of power, Amazon is a leading player both economically and socially. 

According to authorities, Amazon broke the EU’s data protection rules. It is assumed that the fine that has been charged for a data protection violation is the largest since the passage of the regulation. 

The Luxembourg National Commission for Data Protection had issued a notice on July 16. In the wake of which, Amazon said in a securities filing, "Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation."

"We believe the CNPD's decision to be without merit and intend to defend ourselves vigorously in this matter," the company added, using the organization's French acronym. 

The Securities and Exchange Commission (SEC) document did not disclose any further technical details, but Amazon was sued by a European consumer group for using personal credentials for marketing purposes without authorization. Also, the Luxembourg agency declined to comment on further inquiries by saying that its investigations are confidential. 

Following the allegations, Amazon was already fined by French authorities 35 million Euros last year for not following laws on browser "cookies" that track users. Meanwhile, Google (another of "frightful five") had also been charged with a fine of 100 million Euros for similar data protection rules. Alongside, Facebook, yet another giant firm labeled under "frightful five" is also under investigation in Ireland for leaked data.