Nextgov/FCW - Authors - Caitlin Fairchild

FCC Chairman Declines to Brief Congress About Location Data Controversy

Caitlin Fairchild — Tue, 15 Jan 2019 16:01:05 -0500

Rep. Frank Pallone, chairman of the House Committee on Energy and Commerce, sent a letter to Federal Communications Commission Chairman Ajit Pai on Monday requesting an emergency briefing.

Pallone wanted to know what the FCC was doing to about mobile carriers' recently revealed practice of selling users' location data to third parties.

Pai, however, said no, blaming the ongoing government shutdown.

“Today, FCC Chairman Ajit Pai refused to brief Energy and Commerce Committee staff on the real-time tracking of cell phone location, as reported by Motherboard last week. In a phone conversation today, his staff asserted that these egregious actions are not a threat to the safety of human life or property that the FCC will address during the Trump shutdown," Pallone said in a statement.

Although the majority of its operations have ceased during the shutdown, some FCC employees have continued to work. This includes Pai and three FCC commissioners, Michael O'Rielly, Brendan Carr and Jessica Rosenworcel. The only activities that will continue during the shutdown are emergency services as well its 5G wireless spectrum auction.

Pallone wasn't alone in his requests for the FCC to investigate the matter. Several senators expressed concerns over the selling of location data and called for an official FCC investigation.

One of those senators, Ron Wyden, D-Ore. expressed his disappointment at the FCC's decision not to brief the committee.

"It's a new low for someone who has spent his tenure at the FCC refusing to do his job and stand up for American consumers," Wyden said to Gizmodo.

The FCC has responded to these criticisms.

"The Commission has been investigating wireless carriers' handling of location information," a spokesperson said in a statement to CNET. "Unfortunately, we were required to suspend that investigation earlier this month because of the lapse in funding, and pursuant to guidance from our expert attorneys, the career staff that is working on this issue are currently on furlough."

]]>

Lawmaker Asks FCC for Emergency Briefing

Caitlin Fairchild — Mon, 14 Jan 2019 17:02:25 -0500

The government may be shut down, but one lawmaker wants information from the Federal Communications Commission right away.

What's so urgent? Mobile carriers continue to sell our location data.

Rep. Frank Pallone, D-N.J., chair of the House Energy and Commerce Committee, sent an open letter to FCC Chairman Ajit Pai requesting an emergency briefing on the practice and what the agency plans to do about it

The lawmaker activity follows a report from Motherboard detailing the extent to which mobile carriers such as AT&T, Sprint and T-Mobile were selling location data to third parties without customer consent.

Pallone requested the meeting for Monday, whether or not the government was still shut down.

"An emergency briefing is necessary in the interest of public safety and national security, and therefore cannot wait until President Trump decides to reopen the government," Pallone wrote, adding the potential effect location data selling could have on certain government employees and others. "The privacy and security of everyone who subscribes to wireless phone service from certain carriers -- including government officials, military personnel, domestic violence victims and law enforcement officials -- may be compromised."

Pallone isn't alone. Last week, Senators Kamala Harris, D-Calif., Mark Warner, D.-Va. and Ron Wyden, D-Ore. all called for an FCC investigation into the matter.

But the mobile carriers that are under fire may be trying to preemptively fix the problem. AT&T said on Jan. 10 that it would entirely stop selling customer location data to third party service providers, the Washington Post reports. T-Mobile and Verizon have also announced plans to end the practice. This may not be enough to stave off the wrath of Congress and the FCC, however.

]]>

Yubico Creates Physical Security Key for iPhones

Caitlin Fairchild — Fri, 11 Jan 2019 16:22:11 -0500

Security experts have long established two-factor authentication as one of the best ways to keep your accounts secure—and a physical key can be part of that.

Instead of entering a password and a code sent to a mobile device, you log in by plugging in the physical key to gain account access. If hackers were to get ahold of user passwords, they wouldn't be able to do anything with them without the key.

Yubico, one manufacturer of physical security keys, previously only made them compatible with Android devices. The company previewed a new Yubikey for iPhones and iPads this week at Consumer Electronics Show in Las Vegas.

If you're still not sold on the concept, multiple web browsers support the use of physical security keys, including Safari, Firefox, Chrome and Microsoft Edge.

Additionally, Google requires every employee use a physical security key. The company says this practice curbs instances of phishing.

]]>

Senators Call For FCC Investigation of Phone Companies Selling Location Data

Caitlin Fairchild — Thu, 10 Jan 2019 16:00:25 -0500

Several lawmakers have responded to a recent Motherboard article detailing the extent to which telecom companies like AT&T, Sprint and T-Mobile use and sell our location data.

For the article, a Motherboard reporter paid a bounty hunter $300 and the phone number of a target to find. Using a service that gets location data from telecommunications companies, the bounty hunter was able to find the target's location in near real time.

Lawmakers, including Sens. Mark Warner, D-Va., Kamala Harris, D-Calif. and Ron Wyden, D-Ore., are not happy and are calling for a Federal Communications Commission investigation into the practice.

“The American people have an absolute right to the privacy of their data, which is why I’m extraordinarily troubled by reports of this system of repackaging and reselling location data to unregulated third party services for potentially nefarious purposes. If true, this practice represents a legitimate threat to our personal and national security,” said Harris in a statement to Motherboard.

Wyden introduced privacy legislation in November that he believes would address the location tracking issue.

“The industry has failed again and again to protect Americans’ information. It’s time for Congress to step in and pass strong privacy legislation, like my bill, to safeguard our data and hold companies accountable when they fail,” Wyden told Motherboard.

It isn't just lawmakers who have called for FCC investigation. FCC Commissioner Jessica Rosenworcel has also made a statement:

The @fcc needs to investigate. Stat.https://t.co/1qe8ko1PbH
— Jessica Rosenworcel (@JRosenworcel) January 8, 2019

Customers can't opt out of the location tracking done by their mobile service provider, however, they can take steps to limit the amount of information Google and Apple collect about them.

]]>

Some Android Users Can't Delete Facebook From Their Devices

Caitlin Fairchild — Wed, 09 Jan 2019 16:37:16 -0500

Looking to delete the Facebook app off of your phone? If you have certain kinds of Android devices, you might not be able to.

It depends on the pre-install deal Facebook made with phone manufacturers, operating systems and mobile operators, Bloomberg reported Tuesday. Certain Samsung devices, for example, only let users disable the app.

A Facebook spokesperson told Bloomberg that disabling the app works the same as deleting it. It will no longer collect data and send it back to Facebook, but users trying to delete the app aren't informed of that.

Many Facebook users would likely happy to have the app come automatically with their device, but other customers might prefer to have total control of the device they've paid for. Some people don't want to be tempted by the urge to scroll through the social network, while others have a big issue with Facebook's repeated privacy scandals. This includes the Cambridge Analytica incident, the exposure of users' photos, a massive data breach and just generally the social network's habit of just giving away user data.

That same spokesperson declined to say the extent of how many preinstall deals that Facebook has globally.

]]>

IBM Wants to Use Your Smartphone to Better Predict the Weather

Caitlin Fairchild — Tue, 08 Jan 2019 17:18:24 -0500

Many people use an app on their smartphones to check the weather forecast for the day. It turns out IBM will also be looking at your smartphone to do the weather forecasting.

The Weather Company, a subsidiary of IBM, is working on a new system to boost the accuracy of weather forecasting entitled the Global High-Resolution Atmospheric Forecasting system, or GRAF. IBM announced this on Tuesday at the annual Consumer Electronics Show in Las Vegas.

This new system will require data collection from traditional sources such as weather stations and aircraft but also from a new source: the pressure sensors built into smartphones. IBM said users will be able to opt-in to sharing this barometric information.

All of this data will then be analyzed by an IBM POWER9-based supercomputer, the same kind that is used by the Energy Department.

What will all this data provide? IBM says that it will result in a more finely tuned a weather forecast that can be updated hourly.

The use of people's smartphones means there will likely be privacy concerns, even if it is an opt-in system. Engadget reported last week that the city of Los Angeles recently sued the Weather Company for not disclosing exactly how user's location data would be used.

IBM said it will be rolling out the system globally in 2019.

]]>

Beware of Apple Support Phishing Scams

Caitlin Fairchild — Mon, 07 Jan 2019 16:22:34 -0500

Phishing phone calls pretending to be from Apple are on the rise, KrebsOnSecurity reports.

The scam starts with an automated phone call, disguised with the company's logo, address and phone number.

The call will warn of a security breach and ask the victim to call back using a 1-866 phone number, different from the number the call appears to be coming from.

"The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s 'recent calls' list as a previous call from the legitimate Apple Support line," Krebs wrote.

If you do receive a call like this, don't take the bait. On its website, Apple advises users that if they suspect an alleged phone call from them is fishy, they should hang up and contact them directly.

In general, the best way to avoid falling for a phishing scam is to practice good cyber hygiene and verify with people emailing and calling you that they are who they say they are.

]]>

More Than 25 Million Passport Numbers Stolen in Marriott Breach

Caitlin Fairchild — Fri, 04 Jan 2019 14:33:39 -0500

Marriott has some good news and some bad news about the historic hack it suffered in November.

The company originally estimated that 500 million people were affected, but an investigation conducted by a digital forensic team slimmed that number down to 383 million customers, CNET reports.

Despite the reduced victim count, it's still one of the largest personal data breaches in history.

Hackers stole a lot of data, including names, phone numbers, email addresses and credit card numbers. They also stole 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers.

The company announced that it would pay for passport replacements.

“As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” a Marriott spokesman told MarketWatch on Friday.“If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."

Though the culprit behind the hack hasn't been officially named, Reuters reported in December that the hackers allegedly had ties to the Chinese government.

]]>

FCC Shuts Down

Caitlin Fairchild — Thu, 03 Jan 2019 14:34:08 -0500

The Federal Communications Commission will shut down the majority of its operations Thursday due to the ongoing partial government shutdown.

Most agency activities will cease and the majority of employees will be furloughed, according to the FCC's notice posted on Wednesday.

Fewer than 20 percent of employees will continue working, however. This includes Chairman Ajit Pai as well as three commissioners Michael O'Rielly, Brendan Carr and Jessica Rosenworcel.

The FCC has stated that it will continue on with its 5G wireless spectrum auction, which first began in November and briefly stopped for the holidays. But the agency will resume auctioning off licenses in the 28 gigahertz and 24 GHz spectrum bands on Thursday, CNET reports.

Some of the agency's filing and database systems will remain online, including the Network Outage Reporting System, the Disaster Information Reporting System, the Public Safety Support Center, the Licensing Management System, the Consolidated Database System, the Electronic Comment Filing System, the Universal Licensing System, the Electronic Document Management System, the Auctions Public Reporting System, the Auction Application System, the Auction Bidding System, the Daily Digest, and the Commission Online Registration System.

The agency says it will also continue manning its emergency phone line.

So what will be shut down? The agency will temporarily suspend its review of the T-Mobile and Sprint merger, its testing of devices, and its enforcement of consumer protections. General consumer complaint and inquiry lines will also be unavailable.

So unless you're looking for a 5G license, the FCC will be of no help to you until the shutdown ends.

]]>

FCC Approves Google's Motion Sensor Tech

Caitlin Fairchild — Wed, 02 Jan 2019 13:31:55 -0500

Google hopes one day its users will be able to simply wave their hands through the air to control their mobile devices. And now the Federal Communications Commission is making this goal possible, Reuters reported Tuesday.

The technology behind this goal is better known as Project Soli. Google's Advanced Technology and Projects Team first began developing the tech in 2015.

Project Soli uses broad-beam radar to capture movements and gestures, which could be used to control a wide variety of devices.

"The Soli chip can be embedded in wearables, phones, computers, cars and [internet of things] devices in our environment," Google states on the Project Soli website.

Until now, development of the technology was restricted, due to concerns that it would interfere with other tech using that slice of the spectrum. FCC has decided to grant a waiver to let Project Soli develop unabated, however.

"We find that the Soli sensors ... pose minimal potential of causing harmful interference to other spectrum users," the FCC wrote, also stating that Google could even test the technology aboard an aircraft. Google will still have to comply with Federal Aviation Administration regulations though.

]]>

Microsoft Patches Browser Bug That Allowed a PC Takeover

Caitlin Fairchild — Thu, 20 Dec 2018 15:33:40 -0500

Microsoft revealed the zero-day vulnerability in its Internet Explorer browser—and its patch—in a post on Wednesday.

The tech giant said that hackers were using the flaw for targeted attacks. A memory corruption vulnerability allowed anyone to set up a fake website that exploits the flaw and then lure people to that site with just a link. Once the user clicks that link, the hacker could then hijack the user's computer.

The flaw was first discovered by Google, who then alerted Microsoft to it, Ars Technica reports.

Microsoft has recommended all users update their browser. The update would fix the flaw by "modifying how the scripting engine handles objects in memory." Another option for users is to enable Windows Update, which will download the fix automatically.

Internet Explorer was once the world's most popular browser, but now a much smaller percentage of people still use it.

It's important to note that in general, you should keep your devices as up to date as possible to keep them secure. So if you are using an old version of Windows or an old web browser like Internet Explorer, it's time to update. Also, remember, don't click on suspicious links in your email inbox.

]]>

NASA Reveals It Had a Security Breach in October

Caitlin Fairchild — Wed, 19 Dec 2018 16:05:04 -0500

NASA is investigating a possible data breach of current and former employees' personal information.

The space agency discovered the breach on Oct. 3 after finding a compromised server and disclosed the breach Tuesday to employees in an agencywide memo, which the website Spaceref posted.

The server contained employee personal information, such as Social Security numbers, though the agency doesn't know if whoever breached the server actually stole this information. The agency's cybersecurity personnel has managed to secure the server and is currently working with "federal cybersecurity partners" to investigate further.

NASA does not believe that the breach has affected any scientific missions.

"NASA takes cybersecurity very seriously and is committed to devoting the necessary resources to ensure the security of agency information and IT systems," NASA said in a statement to CNET.

The agency also indicated that it would provide identity protection services to anyone potentially impacted by the breach.

This isn't the first time NASA has gotten in trouble for its cybersecurity. Reports from the Government Accountability Office and the agency's Inspector General released earlier in 2018 indicated that NASA has repeatedly dropped the ball on IT management and cybersecurity.

]]>

Twitter Is Facing More Global Government Demands For Content Removal Than Ever Before

Caitlin Fairchild — Tue, 18 Dec 2018 16:23:58 -0500

Twitter released its latest Transparency Report on Thursday, revealing details about government requests for information requests and removal of content, as well as data on Twitter's own enforcement of policy violations.

The social platform began publishing these reports biannually in 2012. This means that the latest report only addresses the first half of 2018—and the company saw a massive increase in legal demands from governments.

"Internet freedom and online expression remain under significant pressure and constraint, a trend we have observed across recent reports," Twitter wrote in a blog post. "Twitter received approximately 80% more global legal demands, impacting more than twice as many accounts compared to the previous reporting period."

The report also found that 87 percent of those demands came from just two countries: Russia and Turkey. They aren't alone, however. Legal demands came from 38 different countries, including 99 demands for content removal from the United States. Twitter didn't comply with any of the U.S.'s demands.

Government information requests have also risen by 10 percent. The U.S. made the majority of them, requesting information 2,231 times on 9,226 Twitter accounts. Twitter complied with 76 percent of these requests.

Twitter does release information aside from these transparency reports. In October, the social platform released data sets that included 10 million election meddling tweets as well as information on its new rules regarding fake account removal.

]]>

Hackers Could 3D Print Your Head to Unlock Your Phone

Caitlin Fairchild — Mon, 17 Dec 2018 16:31:26 -0500

That smartphone that you access using facial recognition might not be secure as you think it is. Spoofing your face to unlock a smartphone could be piece of cake with the right resources—like a 3D printer.

According to a report released Thursday, Forbes tested just that and worked with a laboratory to see how a life-size 3D printed head fared at unlocking smartphones.

Forbes conducted a test of five different smartphone models that have a facial recognition unlock option. They used an iPhone X and four different Android devices: an LG G7 ThinQ, Samsung S9, Samsung Note 8 and OnePlus 6. Of those devices, only the iPhone X passed the test and wasn't fooled by the false head.

The process of creating a realistic 3D printed head required 50 cameras and editing software, and cost more than £300. 3D printing is far from a new technology and access to it is a lot more common than it was just a few years ago. But not just anyone has the funds to tackle this.

Many people still use a passcode to unlock their phones, though evidence shows that some people don't choose particular strong passcodes for their devices. Ultimately, the passcode or password is as strong as you make it. Meanwhile, there's no way to make your fingerprints or face more difficult to copy.

]]>

Facebook Faces Another Privacy Scandal

Caitlin Fairchild — Fri, 14 Dec 2018 13:15:39 -0500

Another day, another data exposure for a large tech company.

A photo API bug gave third-party app developers access to people's Facebook photos, the company announced in post on Thursday.

Facebook estimates the bug affected up to 6.8 million users, as well as 1,500 apps built by 876 developers.

These weren't just photos people shared to their public timelines, however. This bug also included photos posted to Facebook marketplace, Facebook stories and photos uploaded to Facebook that were never actually shared.

The exposure lasted from Sept. 13 to Sept. 25, at which point Facebook was able to fix the bug. But the company's work ins't over yet.

"We're sorry this happened," wrote Tomer Bar, Facebook developer. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."

The social media giant says it will also be sending out notifications to those whose photos were potentially exposed. The notification will look like this and will direct users to a help link where they can determine if they used the affected apps:

This certainly isn't the first time that Facebook has accidentally exposed user data. The Cambridge Analytica scandal in April exposed the data of 87 million people while a massive data breach in September exposed the information of 50 million people.

]]>

The Biggest Password Mistakes of 2018

Caitlin Fairchild — Thu, 13 Dec 2018 16:03:16 -0500

Passwords are one of the first lines of defense against hackers and data breaches.

On Wednesday, digital security company Dashlane released its third annual list of the "Worst Password Offenders."

Kanye West tops the list for his iPhone passcode of 000000, which he displayed in full view of television cameras in the Oval Office. But just behind him is the Pentagon, which made the list for a GAO report that discovered the vulnerabilities plaguing U.S. weapons systems.

Coming in at number 7 is the White House. The administration made the list this year because of one particular staffer who left his email password at a Washington, D.C., bus stop.

Other high profile organizations like the United Nations and Google also made the list.

But these organizations aren't alone in using weak passwords. SplashData released the list of the 25 most common ones. At the top of that list are "123456" and "password." In general, passwords on this list were short, simple and very easy to crack. SplashData created the list by evaluating 5 million passwords that had been linked online over the course of the year, Gizmodo reports.

So, what kind of password should you use to avoid these big mistakes?

There are a few things you can do. First, start using passphrases instead of passwords. Create something long but easy for a human to memorize. While it may be easy for you to memorize a song lyric or a sentence, the more characters a password has, the harder it is for a computer to crack.

Enabling two-factor authentication is still one of the best ways to back up your password and protect yourself online. This security feature is available on almost every email service and social media platform, so take advantage.

And never, ever reuse passwords. If one of your accounts is breached, that could mean a hacker has access to every account.

]]>

Hertz is Now Using Facial Recognition to Check Out Cars

Caitlin Fairchild — Wed, 12 Dec 2018 15:53:31 -0500

Want to rent a car on your next trip? You may be getting your face scanned in order to do so.

Hertz car rental is partnering with startup Clear to deploy biometrics to speed up its car rental check-out process.

The technology is already in place at the Hartsfield-Jackson Atlanta International Airport and the company plans to expand to 40 more locations over the course of 2019. Hertz and Clear have named the partnership "Fast Lane."

Use of this technology won't be available for everyone, however. The facial recognition is being presented as a perk for those customers with a rewards account with Hertz. If they want to rent a car with "Fast Lane," they simply need to show their face at the biometrics kiosk placed near the exit to check out, which will then match it to their drivers' license and registration information.

Hertz is promising that these customers will be finished with the entire process in 30 seconds or less. Though, to do all of that they will need to sign up for a Clear account beforehand.

“When you enroll you’re linking your identity to your fingerprint, your iris, your face. The ability to turn that on for Hertz in a plug and play way was simple," Caryn Seidman-Becker, CEO of Clear told Bloomberg News.

Clear is also responsible for some of the facial recognition check-ins that airports across the country are implementing. Of course Clear isn't alone in its embrace of facial recognition. Customs and Border Protection is also deploying facial recognition technology as part of the boarding process at some airports.

]]>

New Facebook Patent Predicts Your Location Before You Get There

Caitlin Fairchild — Tue, 11 Dec 2018 15:49:07 -0500

Facebook wants to know where its users are going, and the company filed a patent application on Dec. 6 on software that can tracks users' future locations—even if they're offline.

The patent is titled "Offline Trajectories" and uses machine learning algorithms to analyze your previously logged location data as well as the location patterns of both friends and strangers, to calculate the probability of where you might be headed. The company's patented software then predicts where you'll be, something it says will benefit users by pre-loading a newsfeed for them in case the location doesn't have WiFi.

Critics content it's another way for Facebook to strategically target users for advertising, but for now, the technology patented, and there's no guarantee the social media giant will put it into action.

“We often seek patents for technology we never implement, and patent applications — such as this one — should not be taken as an indication of future plans," Facebook spokesperson Anthony Harrison told Buzzfeed News.

Both Apple and Google's location tracking practices have come under fire recently. And of course Facebook has repeatedly drawn criticism for invading users privacy and playing fast and loose with their data.

]]>

CDC to Study Scooter Accidents

Caitlin Fairchild — Mon, 10 Dec 2018 16:17:42 -0500

If you live in an urban area you've likely seen them...slowly spreading across neighborhoods, eventually infecting every block and street corner: e-scooters.

These devices let users zip around town quickly, but they also expose people to more accidents. And now the scooter phenomenon has grown large enough that the Centers for Disease Control has sent special researchers to Austin, Texas to study it.

The researchers, working with the Austin Transportation Department and Austin Public Health, will examine data from a 60-day period, from Sept. 5 to Nov. 4, where the city documented 37 emergency calls and 68 injuries related to scooters. Interviews begin next week, according to the Austin American-Statesmen.

Ultimately, the city hopes the epidemiologists will spot patterns that will be used to determine new local rules around scooter use. And because this is the first CDC epidemiology study of e-scooters in the U.S., it might affect the way other cities decide to handle this particular mode of transportation.

CDC isn't the only government agency to take a good, hard look at e-scooters. The Pentagon recently decided to ban them after seven of them were abandoned at the Pentagon's September 11 memorial.

]]>

Microsoft: Tech Companies Must Regulate Their Use of Facial Recognition

Caitlin Fairchild — Fri, 07 Dec 2018 15:33:53 -0500

Microsoft is calling on its fellow tech companies to adopt and follow a code of conduct for dealing with facial recognition. The company has previously called for government regulation of the burgeoning technology, Tech Crunch reports.

Microsoft President Brad Smith wrote about these concerns in a blog post on Thursday.

Smith discussed several major problems that will arise or grow if facial recognition remains unchecked. This includes certain uses of facial recognition technology that could create biased outcomes, develop new ways to invade people's privacy and allow for mass surveillance by the government.

"We and other tech companies need to start creating safeguards to address facial recognition technology. We believe this technology can serve our customers in important and broad ways, and increasingly we’re not just encouraged, but inspired by many of the facial recognition applications our customers are deploying," wrote Smith. "But more than with many other technologies, this technology needs to be developed and used carefully."

Smith and Microsoft aren't alone in their concerns.

Both the American Civil Liberties Union and a group of lawmakers have expressed concern over Amazon's Rekognition software, pointing to how it is used by Immigrations and Customs Enforcement.

To deal with facial recognition, Smith outlined six principles that he says Microsoft will adopt: fairness, transparency, accountability, notice and consent, non-discrimination and lawful surveillance.

Microsoft plans to follow this blog post with another document further detailing these principles. The company will also call for feedback and suggestions from the public. Eventually, Microsoft plans to launch an official framework in March.

]]>

Safari Browser Is Testing USB Security Keys

Caitlin Fairchild — Thu, 06 Dec 2018 16:09:05 -0500

If Safari is your browser of choice, you will soon have a new way to secure yourself online.

Apple released Safari Technology Preview 71 on Wednesday for users to download. and this latest version of the browser has support for WebAuthentication or "WebAuthn" technology. This means instead of using only a password or enabling standard two-factor authentication, users can authenticate their passwords using a physical USB stick.

Safari isn't the first browser to enable this security feature, however.

Microsoft's Edge browser introduced this option for users in April, Firefox made it available in May and Chrome browsers supported WebAuthn by June. Additionally, social networks Facebook and Twitter both have made it an option for users.

Google actually requires all of its employees to use physical security keys for their logins, as it's one of the best ways to avoid falling victim to phishing. But a physical key isn't fool-proof. Humans have an unfortunate tendency to lose things that are small and important.

]]>

Secret Service to Test Facial Recognition Tech Around the White House

Caitlin Fairchild — Wed, 05 Dec 2018 16:31:34 -0500

Next time you stroll by the White House, the Secret Service could be scanning your face.

The American Civil Liberties Union surfaced a government document that revealed a new Secret Service facial recognition pilot program would be happening in a blog post on Tuesday. The Homeland Security Department published the document last week.

The Secret Service wants to see if the tech could help identify known individuals entering and leaving the White House. It would rely on already existing camera streams where security agents are posted.

The Homeland Security document stated that while anyone outside the White House might not realize they're being scanned by facial recognition technology, they would not be able to "opt-out." The document also said that the system would automatically delete images not deemed a match and that all data would be deleted after the pilot program ends.

ACLU, however, worries about the implications of capturing the faces of protesters outside the White House who did not consent to having their faces scanned.

"This pilot program seems to be a relatively narrowly defined test that does not in itself pose a significant threat to privacy, it crosses an important line by opening the door to the mass, suspicionless scrutiny of Americans on public sidewalks," wrote Jay Stanley a senior policy analyst for the ACLU, "That makes it worth pausing to ask how the agency’s use of face recognition is likely to expand—and the constitutional concerns that it raises."

This, of course, isn't the first time the ACLU has expressed its dismay at the use of facial recognition. In October, the organization has called on Homeland Security and Immigration and Customs Enforcement to further disclose its use of facial recognition technology.

]]>

Infosec Experts Buy Marriott-Related Sites to Prevent Criminal Spoofing

Caitlin Fairchild — Tue, 04 Dec 2018 16:49:40 -0500

The fallout from the massive Marriott data breach continues.

Lawmakers say the breach as evidence for why the U.S. should crack down on companies that don't secure data and the notification emails sent to customers also had issues.

Namely, the notifications' sender domain name “email-marriott.com” didn't immediately indicate it was from Marriott because it the domain name didn't load and didn't have an HTTPS certificate to identify it, according to TechCrunch. This possibly confused the recipients about whether to take the email notification seriously.

Even worse, this means that spoofing this email in order to direct unsuspecting victims to turn over their private information (again) would be incredibly easy.

Seeing this potential trap, security experts have stepped up to help people. Jake Williams of Rendition Infosec registered a domain one letter away, “email-marriot.com," to stop anyone else from doing so and to warn people to be careful.

“After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals," Williams told TechCrunch.

Nick Carr, a security research at FireEye, had similar motives when he registered, “email-mariott.com," and included the warning, "please watch where you click."

Another security expert, Troy Hunt, founder of Have I Been Pwned, drew attention to these domain name issues from his Twitter account:

Here’s the Starwood / Marriott disclosure now being emailed to people. It’s extensive, but there’s also some subtle ironies in there... pic.twitter.com/XZhR2fQn5z
— Troy Hunt (@troyhunt) December 1, 2018

]]>

Senators Call For A Data Security Law

Caitlin Fairchild — Mon, 03 Dec 2018 15:16:15 -0500

The world's largest hotel chain was hacked and some lawmakers are not happy.

The Marriott breach affected 500 million hotel guests and put their personal information at risk that includes credit numbers, passport numbers, mailing addresses, email addresses and phone numbers. The company discovered the hack on Sept. 8 and announced it to the public on Nov. 30.

Soon after, senators called for national data privacy legislation to safeguard consumer information and hold companies accountable for mishandling people's data.

"We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need," Sen. Mark Warner D-Va, cofounder of the Cybersecurity Caucus said. "And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses."

Sens. Ed Markey, D-Mass and Richard Blumenthal, D-Conn. echoed Warner's sentiments. Blumenthal also recently criticized the Federal Trade Commission for not doing enough to stop data breaches, CNET reports.

"Breaches like this can lead to identity theft and crippling financial fraud," Markey said. "They are a black cloud hanging over the United States’ bright economic horizon."

The Marriott breach certainly isn't the first data breach of this size, and it likely won't be the last.

]]>

ACLU Pushes Court to Release Secret Facebook Wiretap Order

Caitlin Fairchild — Thu, 29 Nov 2018 17:18:17 -0500

Earlier this year, the U.S. government tried to force Facebook to give the FBI access to its Messenger app.

The bureau wanted the social media giant to recode the app so that feds could listen to encrypted phone calls allegedly related to the MS-13 gang. Facebook declined and the FBI pushed the courts to force Facebook to comply. Reuters first reported all of this in August.

But now the American Civil Liberties Union and the Electronic Frontier Foundation want answers, and the pair filed a motion Wednesday in the state of California to unseal the case so the public can find out what the government's argument for a backdoor was and see why the court pushed back.

"The public deserves to know why the government thought it could dismantle measures that protect their right to privacy online, and how they can defend that right should the government try to force another service to undermine its security features," said Jennifer Granick, surveillance and cybersecurity counsel for the ACLU.

In June of this year, the ACLU released a guide for software developers on how to handle government requests for data and demands that would undermine user security. Recommendations included establishing privacy policies and acquiring legal representation before the feds come knocking.

]]>