European Privacy Advocates File Complaints Against Apple’s Ad Tracking
Commerce Dept. lets Qualcomm sell chips to Huawei, Egregor ransomware hits Cencosud, Hacker shares 3.2 million Pluto TV user records, Donald Trump finally paying attention to election security
Check out our bonus edition of Metacurity, which was published on Saturday, and (plug) my column from last week on CSO Online on how the California Privacy Rights and Enforcement Act (CPRA) could get copycatted by other states, along with my companion column from this morning on what the hot topics could be in state-level cybersecurity legislation next year.
Noyb, a group founded by privacy activist Max Schrems, who forced changes in the way Facebook transfers data, has filed two complaints with Spanish and German authorities about Apple’s ad tracking. Noyb accuses Apple of unlawfully installing so-called identification for advertisers on its devices to track users’ behavior and their consumption preferences without their consent. Noyb lawyer Stefano Rossetti said in a statement, “With our complaints, we want to enforce a simple principle: trackers are illegal unless a user freely consents.” (Aoife White and Stephanie Bodoni / Bloomberg)
Qualcomm Receives Surprising Exemption to Sell Chips to Huawei
In a surprising exemption from the Commerce Department's punitive restrictions, Qualcomm received a license from the U.S. government to sell 4G mobile phone chips to China’s top telecom technology provider Huawei. Qualcomm and other chipmakers were forced to stop selling to Huawei in September due to its supposed supply chain security threat. (Stephen Nellis / Reuters)
Chilean Retailer Cencosud Hit by Egregor Ransomware Attack
Chilean retail company Cencosud has been hit by an attack from the Egregor ransomware operators, forcing the company to shut down some services such as credit card payments or purchase returns. However, its retail outlets are still operating. Egregor is a ransomware-as-a-service operation that began operating in the middle of September just as the Maze ransomware operation was shutting down, and some Maze operators are now working with Egregor. Reports suggest that some printers in numerous retail outlets in Chile and Argentina, such as Easy home goods stores, began printing out ransom notes as devices were encrypted, which is a feature of Egregor. (Lawrence Abrams / Bleeping Computer)
Privacy-Oriented iOS Exposure Notification System Can Potentially Reveal Sensitive Information
Although many US state and local governments, workplaces, and universities have built their own systems for Covid contact tracing and monitoring using Google and Apple’s theoretically privacy-friendly exposure notification system, more than six out of seven Covid-focused iOS apps worldwide are free to request whatever privacy permissions they want, with 59 percent asking for a user's location when in use and 43 percent tracking location at all times. Jonathan Albright, director of the Digital Forensics Initiative at the Tow Center for Digital Journalism, released the results of his analysis of 493 Covid-related iOS apps across dozens of countries showing that apps built on the iOS system can potentially reveal sensitive information along with collecting location data and could become a privacy problem for many users. (Andy Greenberg / Wired)
A Hacker Is Sharing 3.2 Million Pluto TV User Records, ShinyHunters Apparently Behind the Breach
A hacker is sharing what they state are 3.2 million Internet TV service Pluto TV user records that were stolen during a data breach. The threat actor behind the breach is purportedly ShinyHunters, whose reappearance is credited with the recent hacks of Animal Jam, 123RF, and many others. Each record in the Pluto TV database contains a member's display name, email address, bcrypt-hashed password, birthday, device platform, and IP address. (Lawrence Abrams / Bleeping Computer)
Well, At Least Election Security Has Grabbed the Administration’s Attention
Over the weekend, Donald Trump tweeted an NBC News story about DEFCON’s voting village in what he claims is the substantiation of a conspiracy theory about voting machine maker Dominion. Dominion has released a fact check explaining why the conspiracy theory is wrong, and DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly denied any claims that would support the theory. Trump’s sudden interest in election security strikes many people in the infosec arena as a surprise, given his complete indifference to the topic until now. Joseph Marks and Tonya Riley have this good run-down of the situation in today’s Cybersecurity 202.
Donald J. Trump (@realDonaldTrump): https://t.co/aqAf0KkoYn