Posts Tagged ‘Personal privacy’

WHSmith leaking customers’ personal info

September 2nd, 2015 No Comments By Mof Gimmers

WHSmith is annoying enough at the best of times, so the latest news about them is surely set to grind everyone’s gears even further. The retailer seems to be leaking personal contact information to anyone using their contact forms.

Talking to the Huffington Post, WHSmith said the leak happened due to a “bug” in the system.

“It is a bug not a data breach. We believe that this has impacted fewer than 40 customers who left a message on the ‘Contact Us’ page where this bug was identified, that has resulted in some customers receiving e mails this morning that have been misdirected in error.”

“I-subscribe have immediately taken down their ‘Contact Us’ online form which contains the identified bug, while this is resolved. I-subscribe are contacting the customers concerned to apologise for this administrative processing error. We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned.”

On Twitter, LynnCSchreiber said: “Anyone else getting dozens of emails via @WHSmith contact form ? Including phone numbers”, where she included a photo of the cock-up.


Did Ashley Madison talk about hacking a rival?

August 25th, 2015 No Comments By Mof Gimmers

There’s a world of difference between saying “I could if I wanted to” and “I can and will”. That’s the terminology being slung around with Ashley Madison.

After the hack and leak of the affair-prompting dating site, there’s been another dump of information from The Impact Group. This time, internal emails were included, and it looks like Ashley Madison discussed hacking a competitor.

According to the leak, emails show that in 2012, AM’s chief technology officer Raja Bhatia emailed chief executive Noel Biderman after looking at the security of the new dating section of magazine Nerve.com – a publication that looks at sex and relationships and all that. There, Bhatia found some security flaws.

“They did a very lousy job building their platform. I got their entire user base,” said Bhatia. “Also, I can turn any non-paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.” Included was a link to a Github archive, with a sample of the database.

However, Ashley Madison say that these messages are being taken out of context. They say that this discovery was part of “due diligence” which was undertaken in the run-up to a proposed partnership between the two. Six months after this conversation, Bhatia emailed Biderman to see if he should “tell them of their security hole”, to which Biderman didn’t reply.

In a statement, AM’s parent company Avid Life Media said the emails were “taken out of context” and that the interpretation that Bhatia had hacked Nerve was “incorrect and unfortunate”. It continued: “Nerve was exploring strategic partnerships in May of 2012 and reached out to Noel to determine Avid Life Media’s interest in the property. At the time Noel did not act on that opportunity.”

“In September PTC Advisors, representing Nerve, contacted Noel and provided a more detailed brief on the opportunity. This communique was followed by a number of conversations. Subsequently Noel contacted Raja Bhatia and asked for his assistance in conducting technical due diligence on the opportunity. This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm.”

“At no point was there an effort made to hack, steal or use Nerve.com’s proprietary data.”

While this is all well and good, Ashley Madison have been incredibly slow and unforthcoming about this whole affair (pardon the pun). It certainly seems that this mess isn’t going away any time soon.

Spotify to poke around your private parts

August 21st, 2015 No Comments By Mof Gimmers

Privacy concerns are a big issue when it comes to the apps on your phone. Well, Spotify have just updated their privacy policy, and it makes for unpleasant reading.

They now want to access more information on your mobile, specifically with sensors so they know whether you’re running, standing still or walking. That doesn’t seem like too much bother, does it? Well, they also want your GPS co-ordinates too. And access to your photos and contacts.

They say that they will share that information with ‘partners’, which means that Spotify could now be telling people about where you are and, oddly, how quickly you’re getting there.

Whether you’re on the freemium model, or you’re a subscriber, this update applies to both.

The agreement says: “Depending on the type of device that you use to interact with the service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth).”

“We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).”

Now, you might not be bothered by this, but there’s some people who are already miffed about the whole thing. Over on various social networks, some have asked if Spotify are ‘crossing the line?’, while others are saying they want to quit the service. This is bad timing for the music streaming service, as they’ve never had so much competition for people to jump to.

Whether the competition is any better, remains to be seen.

A Spotify spokesperson said that they rolled out the new policy to be “as open and transparent as possible when it comes to how we describe our business, how we work with advertisers, what information we collect, and what we do with it”.

**UPDATE**

Spotify has issued an apology and an explainer.

CEO Daniel Ek says: “We should have done a better job in communicating what these policies mean and how any information you choose to share will – and will not – be used.”

So, they’re saying that you don’t have to let them access all your data, because they ask you for permission first. And they won’t share any of that info without ‘de-identifying’ it first.

Spotify want you to know that these permissions can be revoked whenever you want… although, seeing as you have to agree to their t&cs on Android, or you can’t download the app, and you can’t customise your permissions in the settings, it isn’t clear what they actually mean by this.

Spotify promise that they’re going to update their privacy policy over the coming week, in a bid to explain themselves better.

Mumsnet cyber attack – update your passwords

August 20th, 2015 No Comments By Mof Gimmers

Hackers have got all up in the face of Mumsnet, with armed police being dispatched to the house of the founder of the site. While that is frankly bizarre, what does it mean for most of you who use the site? Well, a DDoS attack took the site offline, and all users should change their passwords asap.

Founder, Justine Roberts, said Mumsnet was the victim of a cyber attack from someone called ‘DadSecurity’ on Twitter. User information on the site has been accessed, and here’s all you need to know.

Reset your password and, if you use the same password for other sites, it’d be wise to update those too. Hackers have edited some posts from user accounts, so this is a pressing concern. Stolen passwords have been posted online.

Mumsnet have reset all passwords, so you’ll have to do this anyway, but if you’ve missed all this news, it’d be worth getting your finger out.

Mumsnet have said: “We take great care to protect the information users give us, and don’t ask for, or store, any more information than we need to run the site. All passwords are encrypted, so that no one – not even us – can see them. We think, therefore, that this has been done via a form of phishing, whereby the hacker creates a fake Mumsnet login page that looks just like the usual page, but with a slightly different URL. The hacker would have been able to see passwords in plain text when they were typed in.”

“Any passwords the hacker has been able to harvest up to this point will now be useless. However, if phishing was the cause, the Mumsnet login page could be phished again – so it’s really important to check the URL when you enter your details, or use your social login (ie via Facebook/Google), which doesn’t require a password.”

“If the URL begins with anything other than https://www.mumsnet.com/session/login, don’t use it. Note the ‘S’ in ‘https://’.”

Roughly 3,000 usernames and passwords have been posted online, but that figure could shoot up at any time. Mumsnet don’t know how much information has been obtained and the hackers could be posting them in batches.

Mumsnet has a live update going on here.


Ashley Madison affair hack put online

August 19th, 2015 1 Comment By Mof Gimmers

We told you about the Ashley Madison hack, where the details of loads of people were going to be dumped online. Well, it has finally happened, exposing loads of people’s naked photos, sexual preferences, private chats and of course, potentially alerting people to the fact that their partners have been having extra-marital affairs.

The Impact Team, who are behind all this, have a point to prove. They didn’t like the fact that Ashley Madison charged people to delete users’ accounts, so, to stick it to the man… they’ve… uh… taken it out on the customers. Whether or not you agree with the site, it is peculiar that the hack stands to hurt users more than the people who ran the site.

Here’s The Impact Team’s words on the matter.

[Image: The Impact Team’s statement]

Anyway, Avid Life Media (ALM), who run Ashley Madison as well as Cougar Life and Established Men, is now looking into the claim that the hack is online.

In a statement ALM said: “Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.”

Of course, this information is available on the Dark Web, which you can’t get to with normal search engines. That being the case, unless your partner is a dab hand at getting access to the underbelly of the internet, you’re probably alright. Unless you’re a celebrity or politician. In which case, you’re probably doomed.

ALM want justice for this: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.”

“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”

“We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully co-operate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.”

Of course, there’s already rumours that there are hundreds of government email addresses in the leaked database. Of course, that’s not to say anyone who signed-up even used the site or, indeed, went through with doing anything once signed up. Either way, this whole thing could devastate some lives.

Firefox to give true stealth mode?

August 17th, 2015 No Comments By Mof Gimmers

People can get very jumpy about how private their browsing habits are, and most browsers are walking the tightrope of pleasing their board who want all the money that comes from tracking you, and not completely angering users.

With Apple and Google jostling for the top spot, former favourite Firefox, from Mozilla, is looking at ways of getting people back on their team, by making private browsing truly private.

Mozilla are testing out enhancements to private browsing in Firefox, designed to block website elements that could be employed by third parties to track your behaviour across sites. While most browsers have an option called ‘Do Not Track’ or similar, they don’t really mean it and you end up getting tracked all the same.

This tool will block things like analytics firms and ad networks, and stop them from keeping tabs on your cookies and the like. It is available from the Firefox Developer Edition on Windows, Mac and Linux, and Firefox Aurora on Android, and you can find out more about it here.

It has not even reached Beta mode yet, so don’t expect too much.

“We’ve worked with developers and created a process that attempts to verify that add-ons installed in Firefox meet the guidelines and criteria we’ve developed to ensure they’re safer for you,” Mozilla said.

Can Microsoft delete things from your computer?

August 17th, 2015 2 Comments By Mof Gimmers

Microsoft are under fire over something in Windows 10, that looks like it would allow them to look around your computer looking for illegally downloaded software and media, where they have the opportunity to delete it.

This is troubling news, if not surprising.

Here’s the skinny: a paragraph in Microsoft’s terms and conditions has been found which appears to give the software company the ability to stop people from using things that weren’t legally sourced. There’s already privacy concerns with Microsoft’s newest OS, and this is something that is equally troubling.

The t&cs says: “We may automatically check your version of the software and download software updates or configuration changes, including those that prevent you from accessing the services, playing counterfeit games, or using unauthorized hardware peripheral devices.”

Of course, that paragraph is on the vague side, but it doesn’t look good from the off and Microsoft could do with providing some clarity on this, or else feel the wrath of a load of very angry IT-types.

Naturally, the gaming and entertainment industries will welcome this move, as piracy has become a massive issue for them in recent years. That means Microsoft will have to walk the tightrope of pleasing companies and pleasing those that they want as customers.

They’ll win no friends if people start having their virtual sanctum messed around with.

Facebook security flaw lets hackers get personal data using phone numbers

Facebook won’t let you have a nickname, and have been sued by thousands over personal privacy, and now, the social network is being lambasted for their lackadaisical approach to security. Why? Well, a software engineer discovered that he was able to harvest a load of personal information about thousands of FB users, with little more than some phone numbers.

With a number of people’s names, photos, location settings and phone numbers leaking through the flaw, Facebook clearly need to tighten things up. Whether they actually care or not, is another matter entirely.

So how was this done? Well, the information was mined using the search feature where you can look for people using their phone number. The software engineer wrote an algorithm which generated thousands of numbers, and after processing them through Facebook’s API, they soon had a load of user profiles and personal data.

Of course, the problem here is that there’s no limit to the amount of data you can get as you can do unlimited searches for people. This loophole means that cyber villains could get info about millions of Facebook users.

Reza Moaiandin, technical director of Leeds-based company Salt.agency and the person who found this exploit, said: “By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details”

Moaiandin alerted Facebook, and the spokesperson replied with: “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”

So, if you are bothered about this, and trust the tools Facebook has in place, you might want to change your privacy settings.

You need to update Firefox, like now!

August 7th, 2015 No Comments By Mof Gimmers

Do you use Mozilla’s Firefox as your browser? Well, you need to get something sorted, immediately!

You need to install updates on your browser at once, because there’s an exploit in it that wants to steal your data and has been turning up on websites and causing havoc.

Right away, go to Help, then hit ‘About Firefox’, then press the ‘Check for Updates’ button, to ensure you’ve got the latest version of the browser.

In a blog, Mozilla say the exploit makes use of a weakness in Firefox’s PDF viewer. The bug basically gets into your Windows computer and searches through your files looking for passwords from a host of popular FTP apps, as well as any text files with ‘pass’ or ‘access’ in the name. It will then, you suspect, send all that information to people who you really don’t want to be having that sort of information.

Even if you’re on a Mac and using Firefox, it’d be a good idea to do an update, as there’s no good reason why the baddies aren’t going after you too. So hurry up. Update your Firefox. Do it now!

Your privacy and Windows 10

August 5th, 2015 1 Comment By Mof Gimmers

It won’t surprise you that, in 2015, there’s a tech company after all your personal data. However, it is still worth talking about, especially if you’re one of the millions who has downloaded the new Windows 10 update from Microsoft.

Microsoft updated their privacy statement in a bid to explain what they’re doing with your data, and what they are collecting while your computer runs Windows 10.

They’ve said that they’re saving your search information from Bing (does anyone actually use Bing?), as well as content from your private emails and what apps you use. They are also storing information about “your typed and handwritten words”, which is sinister.

Microsoft will also store your voice through the spoken commands given to Cortana. This is all to ‘customise’ your experience, which is something we’ve heard from a lot of companies. You’ll no doubt be aware that Google go through your emails to get keywords for targeted adverts, while Apple’s Siri and Google Now collect data to personalise responses.

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services,” says Microsoft in the new terms of services agreement.

“Windows does not collect personal information without your consent. To effectively provide Windows as a service, Microsoft gathers some performance, diagnostic and usage information that helps keep Windows and apps running properly. Microsoft uses this information to identify problems and develop fixes.”

“However, we do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you,” the privacy statement reads.

So, you might want to adjust your privacy settings, right?

Well, you can, by going to Settings, then Privacy and messing around with your options in there. If you want, you can opt out of personalised ads if you go to this page from Microsoft. You don’t need to be on Windows 10 to opt out of the latter.

Better online rights for young people?

July 30th, 2015 No Comments By Mof Gimmers

There’s an internet campaign group (no, wait! Come back!) called iRights (they’re not making it easy for us) who want people under the age of 18 to be able to delete things from their social media profiles that might end up being damaging to them later in life.

Basically, if you were a gobshite when you were 14 and something you did online stopped you from getting a job, you’d be peeved. Of course, you might be a 37 year old gobshite who shouts at women for spurious reasons, in which case, there’s nothing Bitterwallet can do for you.

The organisation has already gained the support of politicians, corporations and even some young people themselves, who dragged themselves away from looking at their spots in a mirror for 10 minutes.

iRights has come up with five key things that they’d like to see, to provide better protection online for youngsters. They include that social media content should be easy to delete (which it pretty much is already, unless someone screengrabs it) and that young people should have the right to know who is holding information on them and what it is likely to be used for.

Regarding the latter, the campaign group would like to see terms and conditions that would affect young people written in such a way that “typical minors can understand them.”

“Children and young people are often presented as digital natives – with fast thumbs able to summon up the knowledge of the world in an instant, build a million dollar company from their bedroom, or topple a corrupt regime with a tweet,” iRights said. “Yet the latest research shows that far from being at the forefront of the digital revolution, many young people remain on the lower ‘rungs’ of digital understanding. They lack the skills and knowledge necessary to benefit from the immense opportunities on offer as they move between spaces that are heavily limited and others where ‘anything goes.’”

You can check what they’re all about here.

Can you be on Facebook with a nickname or not?

July 29th, 2015 2 Comments By Mof Gimmers

There’s been a lot of trouble about Facebook and their need to have users using their own names on the social network.

Some people think Facebook are being heavy-handed, while in more extreme cases, users think Facebook are jeopardising people’s safety (such as those who have abusive ex-partners and the like). A lot of people are very, very irritated by the move, locked out of their accounts for using pseudonyms that everyone knows them by.

In Germany, Facebook have been prevented from stopping users creating accounts under nicknames and names that aren’t on their passports.

The Hamburg data protection authority said that Facebook could not change people’s chosen usernames or ask them to provide any official ID. You see, Facebook not only ask you to use your real name, but also prove it by sending them copies of your passport, driver’s licence and other photo ID. Obviously, a lot of people aren’t keen on sending a company like Facebook anything like that.

“The use of authentic names on Facebook protects people’s privacy and safety by ensuring people know who they’re sharing and connecting with,” the company said. Zuckerberg recently said that, if everyone knows you by your nickname, then you should be able to use it as your main name on Facebook – however, they’ve not provided any way of users doing that.

The German watchdog said making users sign up under their real names violated an individual’s privacy rights, and on top of that, rejected an argument from Facebook, where the social network said they didn’t have to listen to the Germans because they’re based in Ireland, so should be subject to Irish law.

Hamburg’s commissioner for data protection, Johannes Caspar, said: “Facebook cannot again argue that only Irish data protection law would be applicable. Anyone who stands on our pitch also has to play our game.”

So, for now, it appears that you can’t have a nickname and be on Facebook, and, if you want to change it to your real name, you’ll have to provide the social network with images of your photo ID and the like.

Are Amazon spying on you?

July 27th, 2015 1 Comment By Mof Gimmers

Are you the kind of person who likes to review things on Amazon? Well, you might not want to after a rather serious allegation has been made against the online vendor. They’ve been accused of spying on reviewers’ social media profiles.

The kicker is this: a blogger from New York called Imy Santiago wrote a book review on Amazon, and it was censored on a number of occasions, saying that she’d violated the rules of the site. Imy questioned Amazon’s decision and found that she had been blocked from reviewing the book in question, because they thought she knew the person who wrote it.

Amazon said: “We cannot post your Customer Review for (book title deleted) by (author name deleted) to the Amazon website because your account activity indicates that you know the author.”

“Customer Reviews are meant to give customers unbiased product feedback from fellow shoppers… we encourage family and friends to share their enthusiasm for the book through our Customer Discussions feature or Editorial Reviews feature.”

The problem was, that Santiago doesn’t know the author at all. So, how did Amazon jump to this conclusion? Well, it has been suggested that Amazon are snooping around reviewers’ social media profiles, looking for connections between those leaving reviews and authors.

On her blog, Imy wrote: “The Big Brother mentality Amazon is employing is appalling, and crosses an ethical line of unfathomable proportions.”

“What quantifiable and verifiable ways is Amazon using to determine if I know the author of a book, or not? The fact that they refuse to elaborate as to how I ‘know the author personally’ is highly concerning.”

She added: “I applaud Amazon for trying to curb unethical positive/negative reviews from being posted. What I don’t find congruent is them monitoring social media activity as basis to determine associations, because as an indie writer I use social media to network and promote my books, like thousands before me. I never consented to that in their terms and conditions. If Amazon is data mining, we deserve to know, and I stand my ground in saying I do not know this author on a personal level as Amazon claims.”

Ashley Madison offers to delete your profile for free

Ashley Madison, the site that allows you to have an affair (hey, who are we to judge – get yours and hurt no-one, okay?) was, as you know, hacked.

That meant that ne’er-do-wells made off with loads of sensitive information and threatened to dump the whole load on the internet, if Ashley Madison didn’t erase itself completely.

Well, the extracurricular dating site has again apologised, saying that they are now offering users the chance to fully delete their account, free of charge. This is only a temporary move though, and one that won’t impress The Impact Team, the people behind the hack.

The hackers were cheesed off with the site, thanks to the paid-delete activity. In the UK, it costs you £15 to fully delete yourself from Ashley Madison’s systems, which seems wildly unfair. The Impact Team said that, even after paying for deletion, the site doesn’t actually get rid of all your information.

In a statement, Ashley Madison hit back at this claim, saying: “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity.”

“The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.”

Still. Get that. Having to pay to get your information out of their hands. That could very well put off a lot of people from using the dating site in the future.

And, in a Locking The Stable Door After The Horse Has Bolted move, AM is saying they’ll delete your information, even though The Impact Team already have your information in their possession. Ashley Madison are unwise to be so cavalier in attitude about this, as their customers will have no doubt entrusted them with a lot of VERY sensitive info, such as mucky photos, their sexual wants and all manner of romantic activities.

Affair site, Ashley Madison, hacked with leaks

July 20th, 2015 No Comments By Mof Gimmers

Hackers have got under the covers of Ashley Madison – the site that basically enables you to have an affair, at a cost – stealing a load of personal information and leaking it online.

The extramarital dating site has the tagline: “Life is short – Have an affair” and apparently has around 37 million members. It was hacked by a bunch of people calling themselves the Impact Team, and they also got stuck into another pair of sites owned by the same company – Cougar Life and Established Men.

The hackers say that they’ve got complete access to the databases, including financial records and all manner of stuff. For now, Impact Team have released 40MB of data, including credit card details, and are hanging onto the rest for, you can only assume, a special occasion.

And why is this happening? Well, you might think that these hackers don’t like people having affairs. When they released the initial batch of data, they also put out a manifesto, saying that the rest of the info will be leaked if Ashley Madison and Established Men aren’t permanently closed.

It says: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

The thing that sticks in the craw of the hackers, is that Ashley Madison charges users £15 to carry out a “full delete” of information, should they decide to leave the site.

They add: “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Avid Life Media think they know who is behind the hack, and Noel Biderman said: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication.” He added: “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

Is ‘touched our technical services’ a euphemism or something?

Meanwhile, parent company ALM said: “We apologise for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

“At this time, we have been able to secure our sites, and close the unauthorised access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.”