A roller coaster of a week for IT security

Ashley Madison cheats at security, WhatsApp backtracks on privacy promises, tech firms vow to stamp out robocallers and a secret iPhone vuln surfaces. It’s all in this week’s tech roundup.

Share this article:

The Canadian Privacy Commissioner’s report on Ashley Madison came out, and boy it’s a good read. Working with the Australian privacy commissioner, it looked into how the extramarital affair site lost 33 million users’ records last year.

One of the juiciest revelations is that the firm advertised a fake security award on its website, which it called a “trusted security award.” Presumably the award would have to be a fake, because the firm also left an important password on a shared Google Drive, and stored encryption keys and passwords in plain text. That wouldn’t pass many security audits.

The privacy commissioners also made several recommendations to the company, including “reviewing protection of personal information” and no longer charging users to delete their information. Why did they bother making recommendations? Because the site is still operating. That has to be the most surprising thing of all.

WhatsApp shifts privacy direction

How things change. Messaging tool WhatsApp, which originally touted itself as a privacy oasis, has said it will start sharing information with parent company Facebook. The site will now give users’ phone numbers to Facebook, along with analytics about what devices and operating systems they’re using. The service, which Facebook bought in 2014, promised to remain autonomous after the acquisition.

Oh, and the new terms and conditions also allow the firm to start sending ads to WhatsApp users. People have a month to opt out.

Hackers found selling single-tap iPhone vuln

Apple’s iOS was cracked by a private cyber-arms dealer called NSO Group. It developed an exploit for the platform called Pegasus, delivered by simply visiting a URL in the mobile version of Safari. Anyone using the tool could then see anything happening on the device.

Canada’s own Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, spotted the issue after being tipped off by human rights activist Ahmed Mansoor, who had been receiving strange messages on his phone. The lab then worked with security research firm Lookout to pull apart the tool, and the three vulnerabilities that it exploited have since been patched by Apple.

Tech firms battle robocallers

Homer Simpson isn’t the only person to use robocallers in phone scams. Scammers across the world use VoIP services to mass-dial Americans from overseas. Now, Apple, Alphabet and a host of other tech firms are clubbing together to figure out how to stop these “Hello, friend” nuisance calls automatically. Apple and Alphabet’s Google are part of a task force that includes U.S. mobile carriers. The collective effort will hopefully block nuisance robocalls forever.

Dingbat of the week

We deliberated for about 20 seconds before deciding on our dingbat this week. Whisky Tango Foxtrot, Microsoft? The latest Windows 10 update — the anniversary one, released Aug. 2 — disabled thousands of webcams. Secondly, the firm won’t fix it until sometime in September. Thirdly, it broke Powershell. Fourthly, Microsoft won’t fix that bug immediately, either. Fifthly, it made some computers freeze entirely.

We noticed that Windows 10 is also sending extensive amounts of user data back to the mothership, including location, text input and the websites that users visit, to the point that the EFF is now criticizing the firm in public. It isn’t as though users had a choice to install Windows 10, which was typically force-fed to users. Hopefully within a few days, the world can get back to Powershelling again.

Image courtesy of Free Digital Photos

Share this article:
Comments are closed.