Catch Up On “At Home with EFF,” and Join Us For Giving Tuesday Now!

Electronic Frontier Foundation

Back by popular demand, we’re hosting a third At Home with EFF event tomorrow at 2 pm (PT)! In addition to our EFF all-stars, we’ll be joined by special guests Şerife Wong, founder of Icarus Salon, and the magical Brad Barton (aka reality thief). As this event coincides with Giving Tuesday, our panels will highlight considerations for nonprofits and mutual aid organizers, including an update on last week’s victory in protecting the .ORG registry from being sold to a private equity firm.

Full article

Office 365 to stop data theft by disabling external forwarding

Bleeping Computer

Microsoft is planning to put a stop to enterprise data theft via email forwarding by disabling Office 365’s email forwarding to external recipients by default.

The company also wants to add improved external email forwarding controls which will allow Office 365 admins to enable the feature only to select employees in their organizations.

Full article

Victory! ICANN Rejects .ORG Sale to Private Equity Firm Ethos Capital

Electronic Frontier Foundation

In a stunning victory for nonprofits and NGOs around the world working in the public interest, ICANN today roundly rejected Ethos Capital’s plan to transform the .ORG domain registry into a heavily indebted for-profit entity. This is an important victory that recognizes the registry’s long legacy as a mission-based, non-for-profit entity protecting the interests of thousands of organizations and the people they serve.

We’re glad ICANN listened to the many voices in the nonprofit world urging it not to support the sale of Public Interest Registry, which runs .ORG, to private equity firm Ethos Capital. The proposed buyout was an attempt by domain name industry insiders to profit off of thousands of nonprofits and NGOs around the world. Saying the sale would fundamentally change PIR into an entity bound to serve the interests of its corporate stakeholders with no meaningful plan to protect or serve the .ORG community, ICANN made clear that it saw the proposal for what it was, regardless of Ethos’ claims that nonprofits would continue to have a say in their future. ICANN entrusted to PIR the responsibility to serve the public interest in its operation of the .ORG registry, they wrote, and now ICANN is being asked to transfer that trust to a new entity without a public interest mandate.

Full article

NHS rejects Google and Apple Coronavirus tracking app due to data security fears

Cybersecurity Insiders

Last week, Apple and Google came forward to offer a Coronavirus tracking app to the NHS which will be in line with India’s Aarogya Setu Mobile app.

However, the UK’s government-funded healthcare service provider rejected the plea due to data security concerns, as the tech giants said that the app developed by them on a collective note will be running on a central database which will be in full control of them, creating a blueprint for unethical mass surveillance after the Wuhan Virus spread ends in UK & Europe.

Therefore, the NHS decided to build its app which runs on a centralized information collecting system and will be ready to be used by Britain’s population in two or three weeks.

NHSX, a digital arm of NHS, will be building the app which will not only help the users in tracking COVID 19 patients but will also share insights on the spread of the pandemic, the mitigation measures taken by the government to stop the spread, several people who are being infected, recovered and dead and also some precautionary measures to be taken by the users to help flatten the curve of the Coronavirus Infection spread.

Full article

iPhone “word of death” could crash your phone – what you need to know

Naked Security

It’s happened again!

A weird combination of Unicode characters that make up a nonsense word can crash your iPhone, apparently by confusing the iOS operating system when it tries to figure out how to display the “word”.

(We say apparently because we have an iPhone 6+, which is stuck back on iOS 12, and we couldn’t get our phone to crash, although we’ve seen one person on Twitter claiming that their iOS 12 device was affected.)

If you’re a regular Naked Security reader, you’ll have a feeling not just of having read this before but of having read it before before, because we covered similar troubles for iOS back in 2013 and in 2018.

Full article

Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard

The Register

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

Britain’s Surveillance Camera Commissioner Tony Porter described the security lapse as “both astonishing and worrying,” and demanded a full probe into the snafu.

Full article

Ransomware attack on US Pharma Company ExecuPharm

Cybersecurity Insiders

ExecuPharm, a US-based pharmaceutical company, is reported to have become a victim of a Ransomware attack on March 13th of 2020. And as per a letter sent by the company to the Attorney General, Vermont, details such as social security numbers, financial info, driving license details, passport numbers, and other sensitive data might have been accessed and stolen by hackers.

News is out that the hackers belonging to the CLOP ransomware group have posted a vast cache of data including email records, financial data, and accounting records along with user docs and data backups on the dark web.

Full article

Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks

The Register

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file.

Penned by independent security researcher Chris Culnane, University of Melbourne tutor, cryptography researcher and masters student Eleanor McMurtry, developer Robert Merkel and Australian National University associate professor and Thinking Security CEO Vanessa Teague and posted to GitHub, the analysis notes three concerning design choices.

The first-addressed is the decision to change UniqueIDs – the identifier the app shares with other users – once every two hours and for devices to only accept a new UniqueID if the app is running. The four researchers say this will make it possible for the government to understand if users are running the app.

Full article

Twitter kills SMS-based tweeting in most countries

Bleeping Computer

Twitter announced today that it has turned off the Twitter via SMS service because of security concerns, a service which allowed the social network’s users to tweet using text messages since its early beginnings.

“We want to continue to help keep your account safe,” the company’s support account tweeted earlier today. 

“We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries.”

However, as the company added, Twitter users will still be able to use “important SMS messages” to log in to the platform and to manage their accounts.

Full article