Oct 312019
 October 31, 2019  Posted by  Breaches, Featured News, Non-U.S., Online, Surveillance

Sankalp Phartiyal and Sudarshan Varadhan report:

 India has asked Facebook-owned WhatsApp to explain the nature of a privacy breach on its messaging platform that has affected some users in the country, Technology Minister Ravi Shankar Prasad said on Thursday.

A WhatsApp spokesman was quoted by the Indian Express newspaper on Thursday as saying that Indian journalists and human rights activists were targets of surveillance by an Israeli spyware. The company said it was “not an insignificant number” of people, but did not share specifics.

Read more on Reuters.


Oct 312019
 October 31, 2019  Posted by  Featured News, Surveillance

Well, sure. We knew this already, right?  But it’s nice to see it spelled out with actual research, and Joe Cadillic has sent some along for us. Antonio Regalado spells it all out in an article on MIT Technology Review:

A private DNA ancestry database that’s been used by police to catch criminals is a security risk from which a nation-state could steal DNA data on a million Americans, according to security researchers.

Security flaws in the service, called GEDmatch, not only risk exposing people’s genetic health information but could let an adversary such as China or Russia create a powerful biometric database useful for identifying nearly any American from a DNA sample.

GEDMatch, which crowdsources DNA profiles, was created by genealogy enthusiasts to let people search for relatives and is run entirely by volunteers. It shows how a trend toward sharing DNA data online can create privacy risks affecting everyone, even people who don’t choose to share their own information.

Read more on MIT Technology Review.

The research article underlying the report is:

Genotype Extraction and False Relative Attacks: Security Risks to Third-Party Genetic Genealogy Services Beyond Identity Inference
Peter Ney, Luis Ceze, Tadayoshi Kohno
In Network and Distributed System Security Symposium (NDSS). 2020.
URL: https://dnasec.cs.washington.edu/genetic-genealogy/.

Oct 312019
 October 31, 2019  Posted by  Breaches, Surveillance

Raymond Leong, Dan Perez, and Tyler Dean report:

FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 to the present day. For an overview of APT41, see our August 2019 blog post or our full published report. MESSAGETAP was first reported to FireEye Threat Intelligence subscribers in August 2019 and initially discussed publicly in an APT41 presentation at FireEye Cyber Defense Summit 2019.

Read more on FireEye.

Oct 312019
 October 31, 2019  Posted by  Featured News, Laws, Non-U.S.

Yan Luo, Eric Carlson and Zhijing Yu of Covington & Burling write:

On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020.  The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations.  In this blog post, we provide a few highlights of the new Encryption Law as enacted.

Read more about it on InsidePrivacy. There is also a Q&A about the law , provided by the government (also in Chinese)