These are the noteworthy stories, in no particular order, that piqued my interest last week.
- Apple bans benign iOS spyware detection, security info app
- Challenging times for Ireland’s Data Protection Commissioner
- EU-wide cybersecurity rules adopted by the Council
- Why Google’s monopoly abuse case in Europe will run and run
- That Time I Got Publicly ‘Hacked’
- Health data breaches affect millions, including in Southwest Florida
- LinkedIn resetting passwords after 117 million user credentials stolen
- Another reason to hate videoconferences: lousy software security
- Samsung TV data protection court case in Germany is a wake up call from the past
Apple bans benign iOS spyware detection, security info app
Cupertino says ‘potentially false data’ could come from tool reporting on running processes
Two things that I find interesting in this story: the first is the usage of SHA1 as a hashing algorithm, which has been deprecated by the National Institute of Standards and Technology (NIST) for nearly 5 and a half years now. Although still in use everywhere, if you really want to take this seriously I would use its successor SHA2 in either the 256 or 512 bit variant. Note that this would only help detect unsigned apps or other such anomalies; in general it would not directly make a device more secure.
The second note I want to make is: why did Apple even allow this app in the AppStore in the first place, only to torpedo it later? They claim to check everything before it’s allowed in; apparently not, or not on functionality, which meant this app sneaked by their detection methods and was therefore booted later. I have seen some other proof-of-concept stuff enter the AppStore undetected before, which was real malware, though luckily only as a concept.
It leaves me to wonder how secure Apple’s AppStore practices really are.
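To illustrate the kind of anomaly detection a hash-based tool can and cannot give you, here is an added example (my own, not code from the app or the article) that builds a SHA-256 manifest of a constructed set of sample "binaries", compares it against a baseline, and refuses the deprecated SHA1/MD5 choices. A mismatch tells you something changed; it does not by itself make the device any safer.

```python
import hashlib

# Constructed stand-ins for installed binaries: name -> contents.
BASELINE_FILES = {
    "app_a": b"binary A v1",
    "app_b": b"binary B v1",
}
CURRENT_FILES = {
    "app_a": b"binary A v1",          # unchanged
    "app_b": b"binary B v1 PATCHED",  # modified since the baseline
    "app_c": b"unknown binary",       # not present in the baseline
}

# Hash functions NIST no longer approves for integrity checks.
DEPRECATED = {"md5", "sha1"}


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data; rejects deprecated algorithms outright."""
    if algo in DEPRECATED:
        raise ValueError(f"{algo} is deprecated; use sha256 or sha512")
    return hashlib.new(algo, data).hexdigest()


def build_manifest(files: dict, algo: str = "sha256") -> dict:
    """Map each file name to its digest under the chosen algorithm."""
    return {name: digest(data, algo) for name, data in files.items()}


def compare(baseline: dict, current: dict) -> dict:
    """Report what differs between two manifests (names only, sorted)."""
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


if __name__ == "__main__":
    report = compare(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES))
    for kind, names in report.items():
        print(f"{kind}: {names}")
```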
source: The Register (external link)
Challenging times for Ireland’s Data Protection Commissioner
For the second time in two years, the DPC’s critics are asking: who is policing Ireland’s privacy police?
Apparently nobody until now that is. This is a must read for all privacy minded readers and may have a very interesting future outcome of which a lot of giant tech companies will feel the heat in years to come for sure. Couple this to the strengthening of our privacy rights in the GDPR coming into force in 2018 and you may get an idea why this will become very significant.
source: The Irish Times (external link)
EU-wide cybersecurity rules adopted by the Council
Let’s hope it doesn’t stay with good intentions and a piece of paper alone. More to follow on this topic in an upcoming article on this site.
source: European Council – Council of the European Union press release (external link)
Why Google’s monopoly abuse case in Europe will run and run
If you are done reading this, though it is not directly related to privacy or information security, you may understand why it is important for at least the privacy field. If a company can get such a dominant position in search and seemingly get away for a long time with alleged abuse of that position, who’s to say the next big international tech company can’t do the same with your personal information instead of search?
I may even argue that that’s already happening right whilst you are reading this.
source: Ars Technica UK (external link)
That Time I Got Publicly ‘Hacked’
A good read, and unfortunately 10 years later WiFi isn’t that much more secure than it was back then. Though the issues may have changed, open WiFi networks (mostly found in business centres, coffee bars etc.) still suffer the same level of insecurity as outlined in this story.
Yes I know, I pointed this out last week as well.
source: Dark Reading (external link)
Health data breaches affect millions, including in Southwest Florida
Okay, being hacked isn’t fun. But having your medical papers blown out of a garbage truck as a data leak? Please, are you that unconcerned?
For my American readers and those non-American ones who may have health data in the US (I know you may not be aware you have), check out the link at the bottom of the article for more data breach information.
source: The News-Press (external link)
LinkedIn resetting passwords after 117 million user credentials stolen
No, it’s no new data breach but the same one from 2012. So yes, it took nearly four years to finally figure out that the number of accounts affected wasn’t a measly 6 million but way more than that, 117 million in fact, and only because apparently the person who caused the breach finally decided to sell his treasure.
Update: The Register has some more details on this which are worth reading; you can find them here (external link)
source: Mashable (external link)
Another reason to hate videoconferences: lousy software security
Hacker finds video, etc/passwd leak in Vidyo teleconf tool used by US Army, NASA and CERN
Yes there is a patch and no I don’t know if all companies and agencies running this software already applied it yet. From experience I know most organisations are lousy patchers.
Oh, and if your /etc/passwd still contains actual passwords, you may have more worries than lousy security in video conferencing software.
source: the Register (external link)
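The /etc/passwd remark above is worth turning into a quick check. The audit below is an added example of my own (not from the article or the Vidyo advisory) run over constructed sample lines: it flags accounts whose password field is empty or holds a hash instead of the shadow marker, since anything in that world-readable file is exposed the moment a leak like the one reported happens.

```python
# Constructed sample /etc/passwd content; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
svc:!:1003:1003::/var/lib/svc:/usr/sbin/nologin
"""

# Values meaning "no usable secret stored here" (shadowed or locked).
# A locked hash such as "!$6$..." is deliberately NOT in this set: the hash
# is still readable by every local user and can be cracked offline.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list:
    """Return (line number, user, finding) for risky password fields."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((lineno, user, "empty password field: login without a password"))
        elif pw not in SHADOWED:
            findings.append((lineno, user, "hash stored in /etc/passwd; move it to /etc/shadow"))
    return findings


if __name__ == "__main__":
    for lineno, user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {user}: {finding}")
```

On a live host, replace SAMPLE_PASSWD with the contents of /etc/passwd; the file is readable by every local account, which is exactly the point.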
Samsung TV data protection court case in Germany is a wake up call from the past
This article shows very elegantly the split we privacy professionals face daily between consumer ease of use and protecting our personal data. The point made in the closing paragraphs of this article is therefore more interesting than the Samsung connected TV one which is the main topic of the story.
I therefore can’t but agree with the conclusion in the final sentences.
source: Deutsche Welle (external link)