By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States. CCPA applies to any for-profit businesses in the world that sells the personal information of more than 50,000 California residents annually, or have annual gross revenue exceeding $25 million, or derives more than 50 percent of its annual revenue from selling the personal information of California residents. Sale of PI is defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (1798.140.t1). If a company shares common branding (i.e. shared name, service mark or trademark) with another business that is liable under the CCPA, the company will be subject to CCPA compliance too. Under the CCPA, California residents (“consumers”) are empowered with the right to opt-out of having their data sold to third parties, the right to request disclosure of data already collected, and the right to request deletion of data collected. Additionally, California residents have the right to be notified and the right to equal services and price (i.e. cannot be discriminated against based on their choice to exercise their rights). Failure to comply with the CCPA can result in fines for businesses of $7,500 per violation and $750 per affected user in civil damages for businesses. The power to enforce the CCPA lies with the office of the Attorney General of California, who has until July 2020 to specify enforcement regulation. However, the interim period between January and July 2020 is not a grace period, and businesses are liable for civil lawsuits from their data collection and selling from January 1, 2020. If your business meets any of the three CCPA thresholds above and has an online domain, you are required to implement certain changes to your website. Your website must inform its users at or before the point of data collection about the categories of personal information that it collects and for what purposes. Your website must feature a Do Not Sell My Personal Information link that users can use to opt-out of third-party data sales. If your website has minors under the age of 16 among its users, you are required to obtain their opt-in (consent) before you are allowed to sell or disclose their personal information to third parties. If the minor is under the age of 13, a parent or legal guardian must opt-in for them. Your business must also update its website’s privacy policy to include a description of the consumer’s rights and how to exercise these rights. Your privacy policy must also contain an annually updated list of the categories of personal information that your company collects, sells and discloses. Complete details, plus the Full Text of CCPA can be found on OUR FORUM.

   

The smartphone in our pockets has become our dirty secret. The next time you grab a friend's smartphone to stare at a picture or to watch the video on YouTube they simply had to share, you might want to think again. Or, even better, take a look at your own mobile device and wonder: when did I last clean it? On January 17, ZDNet took to Twitter to ask a simple question: How often do you disinfect your phone? The results surprised us and certainly revealed a disturbing truth: the majority of us are filthy creatures. In total, 18.5% of you said your smartphone was subject to a weekly clean, whereas 14% said their mobile device was subject to a monthly spruce-up. A whopping 60% of you admitted you never cleaned your mobile device. 7.4% inferred you would clean it after you've been sick. Our readers aren't alone, either, in grim habits: a 2019 report (.PDF) of 1,200 US residents and their hygiene practices found that 88% of adults use their phones in the bathroom. If you're a parent, you are even more likely to do so with the figure climbing to 93%; perhaps in a bid to snatch a few minutes of peace to check social media feeds and emails. (All in all, there are probably only two types of smartphone users: those who admit to using their device in the bathroom, and those who lie about it.) Your smartphone goes everywhere with you. The lounge, the bathroom, the kitchen, the bedroom, the pub. You touch the screen after you've washed up with the germ-infested kitchen sponge that really should have been thrown away days ago. You refill the dog bowl, perhaps receive an affectionate lick in gratitude and then accept a call, thereby pressing the screen to your face. You unlock your phone in the pub garden to check a notification after you've used the restroom. (You've washed your hands but how many reprobates have you seen while you're in there bypass the sink entirely to grab the door handle on their way out?) It's no wonder that smartphones are now comparable to toilet seats when it comes to the germs and viruses that claim them as home. Other recent studies confirm high colony-forming units (CFU) per square inch levels on our mobile devices. If you're like me and travel often with a smartphone glued to your hip, you really might want to take a wipe with you. Outstripping everything else on the list, a study into airport self-check-in kiosks showed they contain a massive 253,857 CFU per square inch, thanks to our grubby hands. We can't get rid of our smartphones, despite the breeding grounds of germs they have become, and it's important we don't sterilize our lives to the point we hamper our own immune systems. But it might be about time we think about cleaning our devices a little more often, especially in the winter season when cold and flu bugs are rampant and when touch can be enough to transfer contagious illnesses to our nearest and dearest. The now global challenge posed by the coronavirus is an additional wake-up call. Learn the proper way to clean your phone by visiting OUR FORUM.

Don't use a mobile authenticator app on an old smartphone, because the app is only as secure as the operating system in which it's running, two security researchers said at the RSA Conference here earlier this week. Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such as Authy or Google Authenticator, in two-factor authentication was better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out-of-date or the mobile device is otherwise insecure. "You don't want the risk associated with 32-bit iOS," said Turner, adding that you should use only iPhones that can run iOS 13. "In Android, use only the Pixel class of devices. Go to Android One if you can't get Pixel devices. I've had good experiences with Motorola and Nokia Android One devices." And he warned the audience to stay away from one well-known Android brand. "[German phone hacker] Karsten Nohl showed that Samsung was faking device updates last year," Turner said. "Stop buying their stuff." To be fair, Samsung was far from the worst offender among phone makers in the study Turner cited, and the study authors later said "they got it wrong" regarding Samsung's issues, without going into further detail. (Slides for Turner and Weidman's presentation are available on the RSA website.) The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, then it can do anything it wants, including presenting fake authenticator-app screens. "One of my clients had an iPhone 4 and was using Microsoft Authenticator," Turner said, indicating another authenticator app. "All an attacker would need to do is to get an iPhone 4 exploit. My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts." And don't think iOS devices are safer than Android ones -- they're not. There are just as many known exploits for either one, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage. The iPhone's Secure Enclave offers "some additional security, but the authenticator apps aren't using those elements," said Weidman. "iOS is still good, but Android's [security-enhanced] SELinux is the bane of my existence as someone who's building exploits." "We charge three times as much for an Android pentest than we charge for an iOS one," Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company's security. "Fully patched Android is more difficult to go after."Looking for more details on this, visit OUR FORUM.

As Huawei takes the initiative to create its own homegrown alternative to the Play Store, Google has reportedly pleaded with the White House to offer it an exemption to again work with the Chinese tech giant. Huawei's inclusion on the Trump administration's Entity List has had dramatic consequences for the company's handset business, preventing it from using Google Mobile Services (GMS) on its latest phones and tablets. According to German wire service Deutsche Press Agentur, Android and Google Play veep Sameer Samat has confirmed that Google has applied for a license to resume working with Huawei. It's not clear when a decision will be made, or indeed if Google will get its wish. Other firms, most notably Microsoft, have been given a pass. This has allowed Huawei to ship its latest crop of laptops, including the freshly updated Matebook X Pro, with Windows 10. Huawei has said that if Google got an exemption, it would promptly update its newest phones to use Google Mobile Services. Earlier this month, Huawei released its latest flagship, the Mate 30 Pro, in the UK. Due to the embargo, this comes with the open-source version of Android, with punters encouraged to download apps from the Huawei AppGallery, or a separate third-party app store like Amazon's. That said, Huawei's strategy has focused on hoping for the best, but preparing for the worst. These preparations have seen the firm invest over $1bn on its app ecosystem, with more than 3,000 engineers working on the AppGallery, according to a statement from the company released earlier this week. It has also made deals with Western app developers and content providers, most notably Sunday Times publisher News UK, to make its services appear less barren. Huawei has also introduced the ability to download progressive web apps, dubbed "Quick Apps" by the firm, through the AppGallery, which should bump up the app availability numbers – even if they lack the sophistication of a dedicated native app. It's likely this that has motivated Google to take the initiative. Although losing Huawei as a customer is a significant financial body blow to Mountain View, given its enduring popularity in Europe and Asia, it would pale compared to the damage caused by a new product that starts to loosen its stranglehold on the Android sphere. For more turn to OUR FORUM.

It has been a tough few weeks for online payments giant PayPal. First came the confirmation that an authentication hack would enable an attacker to access an account once credentials had been phished, bypassing the financial firm’s authentication tools. And now another security report claims the entire authentication process can be bypassed, enabling an attacker to gain access to an account with nothing but stolen credentials, available for purchase on the dark web “for as little as $1.50.” The report comes from the research team at CyberNews and includes a complaint that the findings were not taken seriously by PayPal or by the team at HackerOne who field such reports. “When our analysts discovered six vulnerabilities in PayPal,” CyberNews said, “ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication, to being able to send malicious code through their SmartChat system—we were met with non-stop delays, unresponsive staff, and lack of appreciation.” For its part, PayPal told me it always takes such submissions seriously, “and reviews each with an appropriate sense of priority.” I was assured the team had investigated this in detail, but, after review, “found that the submissions did not pose a threat and that the assertions being advanced by CyberNews are inaccurate and misleading.” “We would like PayPal to take this vulnerability more seriously,” CyberNews told me. “At the moment, [PayPal is] writing it off as something ‘out-of-scope’ just because it involves stolen credentials.” The research team went to great lengths to show me the exploit working. While there is no way of knowing the state of the back-end algorithm checking the process, it did appear at face value to bypass the check. To understand the debate between PayPal and CyberNews, it’s critical to understand some of the ways in which PayPal safeguards your account. First, PayPal is in the somewhat unique position of knowing everything about both sides of every transaction, including the behavioral track record, login environment, recent activity, and risk potential that a transaction may be fraudulent. The detail is closely held, but there are numerous data points captured by the company’s systems. That becomes apparent when you log in from a new device or location as identified by the IP address of your connection. PayPal will then seek to ensure it’s you—they have a successful username and password login, but they will run a system check to look for further assurance that it’s you. Once in, the company will then run further checks on each transaction that you attempt, again to determine whether to approve or challenge. Read the full report on OUR FORUM.

Google has finally broken its silence. Almost a year after U.S. President Trump blacklisted Huawei, forcing Google’s software and services from the Chinese giant’s new devices, Google has surprisingly ventured into the public domain with a clarification as to what it now means. “We have continued to receive a number of questions about new Huawei devices,” Tristan Ostrowski, Android’s Legal Director, said in a February 21 post. “We wanted to provide clear guidance to those asking these important questions.” The Google ban has been the headline issue in the Huawei blacklist affair. While the U.S. legal move was actually intended to scupper Huawei’s 5G equipment sales around the world, the impact has been felt more keenly on its consumer products. It turns out it’s easier to replace the supply chain of chips and widgets on a 5G base station than the software millions of customer demand on shiny new smartphones. The 5G battle between the U.S. and Huawei, with China weighing in, has become more a political fight and a battle of influence than anything technical. The latest tug of war between Washington and Shenzhen over the U.K., with Germany and France awaiting their turns, perfectly illustrates this. But consumers have proven inured to political meddling—Huawei has retained its number two spot for global smartphone shipments. That said, behind the headlines Huawei knows it is in for a rougher ride this year. The last new device to ship complete with Google onboard is almost a year old. Its Mate 30 fell flat outside China given the lack of full-fat Android. And the forthcoming P40 has a risk of doing the same. Another “gorgeous” device dashed by politics. When the Mate 30 launched in September, there was initial confusion as to whether there would be an almost official workaround—Huawei’s head of consumer products, Richard Yu, certainly hinted as much. When that was scuppered, there followed a raft of options online, complete with instructional videos, as to how Google’s primary apps could be sideloaded onto a sanctioned device. But that carries serious risk, Google is now warning. “Sideloaded Google apps will not work reliably,” it says. “Sideloading Google’s apps carries a high risk of installing an app that has been altered or tampered with in ways that can compromise user security.” As headlines pile up overexposed compromises on app security, taking such blatant additional risks is a huge gamble for users. Google wants nothing more than a return to business as usual. One can assume that losing access to the world’s number two smartphone maker, putting Samsung in an even more dominant position when it comes to full-fat Android, is not ideal. And in the post, the company confirms “we have continued to work with Huawei, in compliance with government regulations—and we will continue to do so as long as it is permitted.” Follow this thread and included links on OUR FORUM.

 

Translate