Google Will Delete Your Data by Default—in 18 Months

WIRED

At its Worldwide Developers Conference on Monday, Apple introduced a litany of new security and privacy features that fit into what the company calls its four privacy principles. Today, Google is announcing its own privacy-focused improvements as well, under what Google CEO Sundar Pichai says are three important principles of privacy.

Google already announced security and privacy upgrades to Android 11 earlier this month. But Wednesday’s changes focus on the data that Google services like Maps and YouTube can access—and how long they keep it for.

Full article

Victory: Indiana Supreme Court Rules that Police Can’t Force Smartphone User to Unlock Her Phone

Electronic Frontier Foundation

In courts across the country, EFF has been arguing that the police cannot constitutionally require you to unlock your phone or give them your password, and today the Indiana Supreme Court issued a strong opinion agreeing with us. In the case, Seo v. State, the court found that the Fifth Amendment privilege against self-incrimination protected a woman against unlocking her phone because complying with the order was a form of “testimony” under the Fifth Amendment. Indiana joins Pennsylvania, which ruled strongly in favor of the Fifth Amendment privilege in a compelled decryption case last year. Meanwhile, state supreme courts in New Jersey and Oregon are also considering this issue.

Full article

European victims refuse to bow to Thanos ransomware

Bleeping Computer

A Thanos ransomware campaign targeting mid-level employees of multiple organizations from Austria, Switzerland, and Germany was met by the victims’ refusal to pay the ransoms demanded to have their data decrypted.

Thanos ransomware is a Ransomware-as-a-Service (RaaS) operation advertised on Russian-speaking hacker forums that allows affiliates to customize their own ransomware through a builder offered by the developer.

Some Thanos ransomware samples have previously been tagged as the ransomware strain dubbed Hakbit due to different encryption extensions used by affiliates, but Recorded Future’s Insikt Group says that they’re the same malware.

“Based on code similarity, string reuse, and core functionality, Insikt Group assesses with high confidence that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros,” Insikt Group said in early June.

Full article

Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards

The Hacker News

Researchers reported on Monday that hackers are now exploiting Google’s Analytics service to stealthily pilfer credit card information from infected e-commerce sites.

According to several independent reports from PerimeterX, Kaspersky and Sansec, threat actors are now injecting data-stealing code on the compromised websites in combination with tracking code generated by Google Analytics for their own account, letting them exfiltrate payment information entered by users even in conditions where content security policies are enforced for maximum web security.

“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics,” Kaspersky said in a report published yesterday. As a result, the attackers could access the stolen data in their Google Analytics account.

The cybersecurity firm said it found about two dozen infected websites across Europe and North and South America that specialized in selling digital equipment, cosmetics, food products, and spare parts.

Full article

UK police’s face recognition tech breaks human rights laws. Outlaw it, civil rights group urges Court of Appeal

The Register

Automated facial recognition (AFR) use by British police forces breaches human rights laws, according to lawyers for a man whose face was scanned by the creepycam tech in Cardiff.

“Put simply, connected to a database with the right information, AFR could be used to identify very large numbers of people in a given place at a given time,” Dan Squires QC told the Court of Appeal of England and Wales in written arguments this morning.

Full article

Mullvad VPN Android app available on F-Droid!

Mullvad

Our Android app is now available through yet another distribution channel: F-Droid.

It was the plan all along to offer the Android app via three different distribution channels. It was first made available on our website as a standalone installer APK in version 2019.8-beta1 on 2019-09-19. It was then made available on Google Play in version 2020.4-beta1 on 2020-03-31. And now, finally! Catering more to the Open Source community, we are available via F-Droid with the recent 2020.5-beta2 release.

The app is still classified as a beta due to stability issues on some devices and versions of Android. But it gets better with every release, and we are pretty close to making a stable release now.

Full article

Staying Private While Using Google Docs for Legal & Mutual Aid Work

Electronic Frontier Foundation

Regardless of your opinion about Google, their suite of collaborative document editing tools provides a powerful resource in this tumultuous time. Across the country, grassroots groups organizing mutual aid relief work in response to COVID-19 and legal aid as part of the recent wave of protests have relied on Google Docs to coordinate efforts and get help to those that need it. Alternatives to the collaborative tools either do not scale well, are not as usable or intuitive, or just plain aren’t available. Using Google Sheets to coordinate who needs help and how can provide much-needed relief to those hit hardest. But it’s easy to use these tools in a way Google didn’t envision, and trigger account security lockouts in the process.

The need for privacy when doing sensitive work is often paramount, so it’s understandable that organizers often won’t want to use their personal Google accounts. But administering aid documents from a single centralized account and sharing the password amongst peers is not recommended. If one person accessing the account connects from an IP address Google has marked as suspicious, it may lock that account for some time (this can happen for a variety of reasons—a neighbor piggybacking off of your WiFi and using it to hack a website, for example). The bottom line is: the more IPs that connect to a single account, the more likely the account will be flagged as suspicious.

In addition, sharing a password makes it easy for someone to change that password, locking everyone else out. It also means that you can’t protect the account with 2-step verification without a lot of difficulty. 2-step verification protects accounts so that you have to use an app that displays a temporary code or an authentication key every time you sign in to an account. This protects the account from various password-stealing attacks.

Full article

At Mozilla, VPN stands for Vague Product News: Foundation reveals security product will launch eventually, with temporary pricing, in unspecified places

The Register

The Mozilla Foundation has announced it will soon launch its VPN.

The organisation’s announcement is rather vague, as it says the product will debut “in the next few weeks” and protect up to five devices for $4.99 a month. But that price will be offered “for a limited time” without word of when it will change or what it will change to.

There’s also uncertainty around where and when the product will become available. Mozilla says: “We are working hard to make the official product, the Mozilla VPN, available in selected regions this year.”

The definite info in the announcement is that the VPN will exit Beta phase in the next few weeks, move out of the Firefox Private Network brand, and become a stand-alone product, Mozilla VPN, to serve a larger audience.

We also know the VPN works on Windows 10, Android, iOS and Chromebooks, with MacOS and Linux support planned. Other certainties are that the VPN tech comes from Swedish outfit Mullvad and uses the WireGuard protocol.

Full article

Zoom will provide end-to-end encryption to all users

Bleeping Computer

Zoom’s CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.

“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform”

Eric S Yuan, Zoom CEO

Full article

Our conclusion: stay away from Zoom!

Mullvad VPN assessed in external security audit; new beta version (2020.5-beta2) available

Mullvad

An independent security audit of the Mullvad VPN app was recently completed. Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released a new beta version for desktop and Android.

Here are the new beta versions:

  • Windows, macOS, Linux: 2020.5-beta2, which you can download on our website, or wait until we release the next stable version, which we always recommend that you have.
  • Android: 2020.5-beta2, to be released shortly.

During the assessment, auditors from Cure53 found nothing that they define as critical and were “unable to compromise the [app].”

Why you should care about VPN audits

An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.

Final audit report coming soon

We will publish a link to the audit report and an overview of the findings when it becomes available on Cure53’s website.

Full article