It's funny, but true: the running joke at TechCrunch is that the security desk might as well be called the Bad News Department, since, well, have you seen what we've covered lately? There is an endless supply of devastating breaches, widespread surveillance, and dodgy startups peddling the downright dangerous.
However, sometimes (although rarely) there are glimmers of hope that we want to share, especially since doing the right thing, even (and especially) in the face of adversity, helps make the cyber realm a little safer.
Bangladesh thanked a security researcher for discovering a citizen data leak
When a security researcher discovered that a Bangladeshi government website was leaking the personal information of its citizens, something was clearly wrong. Viktor Markopoulos found the exposed data thanks to an inadvertently cached Google search result, which exposed citizen names, addresses, phone numbers, and national identity numbers from the affected website. TechCrunch verified that the Bangladesh government website was leaking data, but efforts to alert the government department were initially met with silence. The data was so sensitive that TechCrunch could not say which government department was leaking it, as doing so could expose the data further.
That's when the country's Computer Emergency Incident Response Team, also known as CIRT, got in touch and confirmed that the leaking database had been fixed. The data came from none other than the country's birth, death and marriage registration office. CIRT confirmed in a public notice that it had resolved the data leak and that it had left “no stone unturned” to understand how the leak occurred. Governments rarely handle their scandals well, but an email from the government to the researcher thanking him for finding and reporting the bug shows a willingness to engage with cybersecurity where many other countries will not.
Apple throws out the kitchen sink over its spyware problem
It has been more than a decade since Apple dropped its now infamous claim that Macs don't get PC viruses (which, while technically true, is a line that has plagued the company for years). Today, the most pressing threat to Apple devices is commercial spyware, developed by private companies and sold to governments, which can pierce our phones' security defenses and steal our data. It takes courage to admit a problem, but Apple did exactly that by shipping Rapid Security Response fixes to patch security bugs actively exploited by spyware makers.
Apple released its first emergency “hotfix” earlier this year for iPhones, iPads and Macs. The idea was to deploy critical patches that could be installed without always having to restart the device (a possible sticking point for the security-conscious). Apple also has a setting called Lockdown Mode, which limits certain device functions that are typically targeted by spyware. Apple says it is not aware of anyone who used Lockdown Mode and was subsequently hacked. In fact, security researchers say that Lockdown Mode has actively blocked ongoing targeted attacks.
The Taiwanese government did not blink before intervening in a corporate data leak
When a security researcher told TechCrunch that a ride-sharing service called iRent, run by Taiwanese auto giant Hotai Motors, was publishing updated customer data in real time on the Internet, it seemed like a simple fix. But after a week of emailing the company to resolve the ongoing data leak, which included customer names, mobile phone numbers and email addresses, and scans of customer licenses, TechCrunch never heard back. It wasn't until we contacted the Taiwanese government for help in disclosing the incident that we got a response, and we got it immediately.
An hour after we contacted the government, Taiwan's Minister of Digital Affairs Audrey Tang told TechCrunch via email that the exposed database had been flagged with Taiwan's computer emergency response team, TWCERT, and taken offline. The speed of the Taiwanese government's response was surprising, but that was not the end of it. Taiwan later fined Hotai Motors for failing to protect the data of more than 400,000 customers and ordered the company to improve its cybersecurity. Later still, Taiwan's Vice Premier Cheng Wen-tsan said the fine of around $6,600 was “too light” and proposed a change to the law that would increase fines for data breaches tenfold.
Leaks in US court records systems raised the right kind of alarm
At the heart of any court system is its court records system, the technology stack used to file and store confidential legal documents for court cases. These systems are typically online and searchable, while restricting access to files that might otherwise jeopardize an ongoing proceeding. But when security researcher Jason Parker found several court records systems with incredibly simple bugs that were exploitable using just a web browser, Parker knew they had to make sure those bugs were fixed.
Parker found and disclosed eight security vulnerabilities in court records systems used in five US states, and that was just their first disclosure of the lot. Some of the bugs have been fixed and others remain outstanding, and responses from the states have been mixed. Lee County, Florida, took the heavy-handed (and unusual) stance of threatening the security researcher with Florida's anti-hacking laws. But the disclosures also raised the right kind of alarm. Several state CISOs and officials responsible for court records systems across the United States saw the disclosure as an opportunity to inspect their own court records systems for vulnerabilities. Govtech is broken (and desperately neglected), but having researchers like Parker find and disclose flaws that need to be fixed makes the Internet safer (and the justice system fairer) for everyone.
Google killed off geofence warrants, even if better late than never
It was Google's ad-driven greed and perpetual growth that set the stage for geofence warrants. These so-called “reverse” search warrants allow police and government agencies to dip into Google's vast stores of user location data to see who was nearby at the time a crime was committed. But the constitutionality (and accuracy) of these reverse warrants has been called into question, and critics have called on Google to end a surveillance practice that it largely created to begin with. And then, just before the holiday season, came the gift of privacy: Google said it would start storing location data on users' devices rather than centrally, effectively ending police's ability to obtain location data in bulk from its servers.
Google's move is not a panacea and does not undo years of damage (nor does it prevent police from accessing historical data already stored by Google). But it could push other companies also subject to these types of reverse-lookup warrants (hello, Microsoft, Snap, Uber and Yahoo (TechCrunch's parent company)) to follow suit and stop storing sensitive user data in a way that leaves it accessible to government demands.