Friday, December 26, 2014

Sony pulls 'The Interview' after 9/11 terror threat

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Sony Pictures is close to monopolizing security news with post-cyber-attack ripples.

Those ripples now include getting sued by ex-employees over privacy violations, being threatened with a terrorist attack similar to 9/11, having its film The Interview pulled from several cinemas as a result, and the subsequent announcement that Sony has cancelled the theatrical release altogether.

On the breathe-one-small-sigh-of-relief side of the ledger, it's received compliance with a DMCA takedown request from Reddit, which has banned users from sharing documents pilfered from the movie studio.

On Tuesday, those purportedly behind the hack threatened a terrorist attack on theaters and movie goers who attend screenings of The Interview.

The GOP (Guardians of Peace) had previously promised to deliver a "Christmas gift," which originally sounded like another batch of leaked data.

But Tuesday's message, which Mashable reports was sent to it and several other news outlets along with a new batch of Sony Entertainment CEO Michael Lynton's hacked emails, warned people to stay away from the movie, specifically mentioning the 2001 attacks on New York and the Pentagon:

We will clearly show it to you at the very time and places "The Interview" be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.

Soon all the world will see what an awful movie Sony Pictures Entertainment has made.

The world will be full of fear.

Remember the 11th of September 2001.

We recommend you to keep yourself distant from the places at that time.

(If your house is nearby, you’d better leave.)

A Department of Homeland Security (DHS) official who requested anonymity told Fortune that the DHS isn't aware of any active plot against movie theaters in connection with the attack against Sony.

From his or her statement:

We are still analyzing the credibility of these statements, but at this time there is no credible intelligence to indicate an active plot against movie theaters within the United States. ... As always, DHS will continue to adjust our security posture, as appropriate, to protect the American people.

At least one New York theater canceled the premiere of the film, which is a Seth Rogen/James Franco comedy about a plot to kill North Korea's leader Kim Jong-Un.

Carmike Cinemas, a movie theater chain that's based in Columbus, Georgia, and which has theaters in 41 states, also chose not to show The Interview, according to The Hollywood Reporter.

In addition, the two stars canceled all of their upcoming press events, according to BuzzFeed, which was hosting an event with the two.

Sony announced yesterday that it wouldn't be releasing The Interview on Christmas Day as planned:

In light of the decision by the majority of our exhibitors not to show the film The Interview, we have decided not to move forward with the planned December 25 theatrical release. We respect and understand our partners' decision and, of course, completely share their paramount interest in the safety of employees and theater-goers.

Sony Pictures has been the victim of an unprecedented criminal assault against our employees, our customers, and our business. Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material, and sought to destroy our spirit and our morale — all apparently to thwart the release of a movie they did not like. We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public. We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.

In other fallout, two of the movie studio's ex-employees have sued the company for failing to protect their private information.

They'd like to turn it into a class action lawsuit of up to 15,000 former employees.

The plaintiffs haven't been specific about the amount of money they're seeking, but according to CNN Money, they want Sony to provide five years of credit monitoring, bank monitoring, identity theft insurance and credit restoration service. They're also asking for Sony to be subject to regular privacy audits.

Finally, a ray of hope that somebody on the internet is going to take down Sony's doxed materials.

As it is, Sony on Monday warned the media not to publish the details of anything that was stolen in last month's breach.

By Wednesday, Reddit had acceded to a DMCA takedown request from Sony.

Reddit removed a hub for sharing the company’s hacked files, deleted posts, blocked individual user accounts, and banned a subreddit devoted to sharing the files.

However, as Reddit told Business Insider, "discussions and news stories" about the attack were unaffected by the bans - similar to how Reddit recently banned stolen celebrity nude photos but allowed discussion about the thefts.

Follow @LisaVaas

Follow @NakedSecurity

View the original article here

Thursday, December 25, 2014

Google and Facebook under fire from Dutch government over citizens' privacy

The Dutch government is clamping down on the way in which large organisations use its citizens' personal data.

The Dutch Data Protection Authority (DPA) threatened Google with a fine of €15m (£11.9m, $18.7m) on Monday, saying the search giant had breached various provisions of the Dutch data protection act via a privacy policy it introduced in 2012.

The company has been given until the end of February 2015 to change how it handles personal data, especially in regard to the tailoring of adverts based on keyword search queries, video viewing habits, location data and the content of email messages.

Jacob Kohnstamm, chairman of the Dutch DPA, said:

Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested.

Kohnstamm explained how, under Dutch law, Google should have informed users that it was gathering data across a number of platforms - such as YouTube and Gmail - and obtained permission before combining or analysing that data.

The regulator has now demanded that Google obtains "unambiguous" consent from users before combining their data, "via a separate consent screen", rather than through its more generalised privacy policy.

It also ordered the company to add clarification to the policy so that users are better informed as to how each of the company's services is using their data.

Furthermore, Google is required to make it clear that YouTube is part of its setup, though the DPA did note that this already appeared to be underway.

Five other regulators - in France, Germany, Italy, Spain and the UK - have recently received a letter from Google detailing how it intends to comply with European privacy laws but the Dutch DPA says it has yet to establish whether the proposals will suffice within its own jurisdiction.

While the DPA's gripe with Google awaits resolution, it has now moved onto fellow data gatherer Facebook.

In another statement, issued in Dutch and released on Tuesday, it announced it would investigate Facebook's new privacy policy.

The social network announced last month that it intends to make changes to its policy, effective from 1 January 2015.

As Facebook has a physical presence in the Netherlands, the DPA says it is authorised "to act as supervisor", as per a European Court of Justice ruling on Google vs. Spain on 13 May 2014 (the 'right to be forgotten' case).

As such, it has asked Facebook to hold fire on its new privacy policy until it has had the chance to investigate how the changes may impact Dutch users, including how Facebook obtains permission for the use of their personal data.

The latest iteration of the policy states that Facebook can use:

your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.

Given how the key points of the policy have not changed since it was last revised in November 2013, it seems unlikely Facebook will comply with the DPA's wishes.

According to The Telegraph, the company responded by highlighting how it is "a company with international headquarters in Dublin", which routinely reviews its policies and procedures with its own regulator, the Irish Data Protection Commissioner.

Facebook said it is confident that its new privacy policy is compliant with all relevant laws.

Follow @Security_FAQs

Follow @NakedSecurity

Image of Dutch citizen courtesy of Shutterstock.


Wednesday, December 24, 2014

Teenager pleads guilty to massive Spamhaus DDoS attack

A 17-year-old London schoolboy who was arrested last year has pleaded guilty to a distributed denial of service (DDoS) attack of unprecedented ferocity launched against the Spamhaus anti-spam service and internet exchanges, including the London Internet Exchange.

Given that he's a minor, he can't be named.

The Register quoted a police statement that said that the boy also admitted last week to money laundering and possessing child abuse images.

He's out on bail pending sentencing on 9 January, the statement said:

A 17-year-old male from London has this week (Wed 10 Dec) pleaded guilty to [offences under the] Computer Misuse Act, money laundering and making indecent images of children offences, following a National Crime Agency investigation. He was arrested in April 2013 after a series of distributed denial of service (DDoS) attacks which led to worldwide disruption of internet exchanges and services. On his arrest officers seized a number of electronic devices. He has been bailed until 9 January 2015 pending sentencing.

He's admitted to having a hand in the biggest DDoS ever recorded: one that at times was reported to be as large as 300 gigabits per second.

Traditionally, even large botnets are only able to deliver hundreds of megabits or a few gigabits per second, as Naked Security noted at the time.

The attackers used large-scale DNS reflection, taking advantage of misconfigured DNS servers to amplify the power of a much smaller botnet.

It was very effective. While the attack didn't break the internet's backbone when it launched in March 2013, it managed to slow the internet around the world.

But the 17-year-old didn't pull all that off all on his lonesome. He was reportedly one of multiple arrests.

In April 2013, another suspect was arrested in Spain.

In fact, the teenager's arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out the massive DDoS.

We're on the brink of a new year. Unfortunately, this kid has made choices to put his talents to use in a way that means he'll be in court soon into the coming new year.

Bad choice. Regrettable choice.

Will he do jail time? Will he cough up names of others involved in the attack?

Time will tell.

But if I had been in on this caper, I'd be very, very worried about getting a knock on the door.

Follow @LisaVaas

Follow @NakedSecurity

Image of hacker courtesy of Shutterstock.


Tuesday, December 23, 2014

Delta Airlines flaw lets others access your boarding pass

Have you travelled on planes in recent years?

If so, I'm sure you've had your fair share of security seriousness at airports.

One of the strictest, and perhaps the most peculiar, exchanges I've overheard went something like this:

You can't take a 110g tube of toothpaste through security, Sir.

But, look! It's close to half empty. There's 60g at most in there. Weigh it, you'll see.

Sorry, Sir. If you want to carry more than 100g of toothpaste, buy two 100g tubes.

I don't want to carry 200g of toothpaste. I want to carry 60g of toothpaste. In fact, I am carrying 60g of toothpaste.

I'm sorry, Sir, I don't make the rules. I'm just following orders.

And as for finding out whether your mother-in-law managed to board her connecting flight in Singapore, having been worried about getting lost in Changi airport?

Forget it.

Actually, unlike the dentifrice disaster story above, the lockdown of passenger lists is a good thing.

The privacy of passengers should be strongly protected, so no complaints there.

So, what a disappointment to read that Delta, and apparently other US airlines, didn't seem to see it that way.

Hackers of NY denizen Dani Grant found that out last week when she received a URL from Delta that led to her boarding pass.

(She didn't say in her post but it looks from the screenshots like a non-HTTPS URL; that's a concern for another time.)

The SNAFU was just like last week's flaw at AliExpress, the online retail portal of Chinese e-commerce megabrand Alibaba.

By changing characters in a parameter in a URL, AliExpress users could retrieve the home address and phone number of other users.

At least in the AliExpress case, you had to log in as someone first, before accessing the data of anyone.

In Dani Grant's case, arbitrarily changing even a single character in her URL brought up other people's travel plans, without any authentication stage at all.

A bit more URL fiddling, and she had a boarding card for a third passenger on a different airline:

We'll ignore that this makes a mockery of the security precautions at many airports.

Let's look at why this is a problem in general terms, by forgetting the in-flight safety angle for a moment, and considering the cybercrime side of things.

Both the Delta Airlines and the Alibaba URL vulnerabilities play right into the hands of online scammers and social engineers.

In many, if not most, online scams, the crooks don't need to know that you are flying to Florida this evening, arriving at 19:45.

They just need to know that somebody is going to be on that plane, or some other plane, to be able to tweak their criminality to target that person.

And if they can automate the process of recovering that sort of information by simply scraping URLs until they get lucky, they can attack even more broadly.

Of course, this raises the question, "As a consumer, how can you tell if a website is guilty of this sort of data leakage carelessness?"

Sometimes, you'd be wise to assume there's a problem, for example if the confidentiality of a web page relies on some text in the URL, but the text looks far from random:

But even then, proving there really is a vulnerability is tricky, because:

You might get close by trying nearby strings (e.g. id=32767, id=32768), but not close enough to hit paydirt. (Maybe you needed to try id=42766 instead?)

You might actually hit paydirt, and then what? (Whom do you tell? What if you just broke your country's equivalent of the Computer Misuse Act?)

"Having a go" at URLs to see what you can find is not a good idea, and we don't recommend it.

Even if your motivation is pure, you could end up in trouble if you don't have explicit permission.

A court might form the opinion that you knew jolly well you were going after data that wasn't yours, and find you at fault.

All we can recommend is that if you do encounter what you consider to be security through obscurity, report it and ask what the company concerned has to say about it.

Dani Grant did just that in the case above; Delta, bless their hearts, replied to her, and didn't try to brush it under the carpet, either:

[We] certainly understand how insecure you must have felt due to the unpleasant incident you experienced while trying to view and print [your] boarding pass from our website.

That's not as good as a clear statement that the problem is being fixed, and how solidly, but it's a good start, not least because it explicitly admits the flaw as an insecurity.

By the way, if your company deploys "secret" URLs for any purpose, whether customer facing or internal, why not review how they are generated, distributed and used?

Don't make the same mistakes as Alibaba and Delta...
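To make the review the previous paragraph asks for concrete, here is an added example (not code from Delta, Alibaba or this post) of what a "secret" URL token ought to look like on the server side: the token comes from the operating system's CSPRNG, the server stores only a hash of it, and the record id never appears in the URL. The token_review check is a crude heuristic of my own for spotting tokens that look like counters; the LinkStore class and its sample records are hypothetical.

```python
# Added example (not Delta's, Alibaba's or Naked Security's code): issuing
# "secret" link tokens that are actually unguessable, plus a rough review
# check that flags tokens that look like record counters or other short,
# low-entropy text.
import hashlib
import math
import secrets
import string


def generate_link_token(nbytes=32):
    """Token from the OS CSPRNG: 32 bytes = 256 bits, URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(nbytes)


def estimated_bits(token):
    """Rough upper bound on entropy: length x log2(size of character classes present).
    A sequential id such as 32767 scores about 17 bits; a real random token scores 200+."""
    size = 0
    if any(c in string.digits for c in token):
        size += 10
    if any(c in string.ascii_lowercase for c in token):
        size += 26
    if any(c in string.ascii_uppercase for c in token):
        size += 26
    if any(c in "-_" for c in token):
        size += 2
    return len(token) * math.log2(size) if size else 0.0


ALL_DIGITS = "all digits (looks like a record counter)"
TOO_SHORT = "shorter than 16 characters"
LOW_ENTROPY = "estimated entropy below 64 bits"


def token_review(token):
    """Reasons a token used in a 'secret' URL looks guessable; an empty list means none found.
    Heuristic only: it cannot distinguish a timestamp or hashed counter from random data."""
    reasons = []
    if token.isdigit():
        reasons.append(ALL_DIGITS)
    if len(token) < 16:
        reasons.append(TOO_SHORT)
    if estimated_bits(token) < 64:
        reasons.append(LOW_ENTROPY)
    return reasons


class LinkStore:
    """Hypothetical token-to-record store. Only the SHA-256 of each token is kept,
    so a leaked table does not hand out live links, and the internal record id
    is never exposed in the URL at all."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, record):
        token = generate_link_token()
        self._by_hash[self._key(token)] = record
        return token

    def lookup(self, token):
        # A token that differs in even one character hashes somewhere else entirely.
        return self._by_hash.get(self._key(token))


if __name__ == "__main__":
    store = LinkStore()
    # Constructed sample record standing in for a boarding pass.
    tok = store.issue({"passenger": "A. Traveller", "flight": "XX123"})
    print("issued token:", tok, "review:", token_review(tok))
    print("lookup ok:", store.lookup(tok) is not None)
    print("review of id=32767:", token_review("32767"))
```

The check is deliberately conservative: a token that passes it is not proven unguessable (a hashed sequential counter would pass), but one that fails it is the kind of "far from random" text the article warns about, and that is worth catching in code review before it ships.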

Follow @duckblog

Groovy image of aeroplane courtesy of Shutterstock.


Monday, December 22, 2014

The 12 Days of Christmas - all the answers to the #naksecquiz

We've just finished running our 12 Days of Christmas #naksecquiz.

For the first 12 working days of December, we revisited the big stories of 2014, one per day.

Each day, we included a quick quiz question related to the day's material, and invited you to submit your answers.

And each day we gave away Naked Security T-shirts to 5 lucky winners.

We thought this would be a fun way of looking back over the ups and downs of the year.

A huge "Thanks!" to everyone who took part – we received close to 3000 answers to the 12 questions.

Close to 80% of the answers submitted were correct.

Here's how you did:

Lots of you answered more than one question correctly, but only seven people got a perfect 12 out of 12:

We'll let you know who's won the Ueberprize, open to those who got every question correct, once we've told the winner...

...If they want to be identified, of course!

We couldn't include everybody's favourite story, but here's what we chose.

Click on the text Day N to view the story for each day.

Click on the text Day N+1 to view the question and answer for the previous day.

Story: The game "Talking Angela" provoked a stream of comments from people who claimed it was a cover for paedophilia, even though all the evidence (and common sense) said that it was not.

Moral: Make sure brain is in gear before engaging mouth.

Story: XP passed over into unsupported mode in April 2014. But many diehard users said they would neither update to a more secure version of Windows, nor switch to a different operating system.

Moral: Do it for the rest of us, because XP's insecurity doesn't just hurt you.

Story: The "Heartbleed" bug affected any software using OpenSSL. Servers could be tricked into leaking random fragments of private data. No knowing what a hacker might get, so everyone scrambled to patch it.

Moral: Many eyes make all bugs shallow? Piffle. This bug was there for years.

Story: Numerous Aussies woke up one morning to find their iPhones locked and a $100 ransom demand displayed. Crooks had done a remote lock and wanted money to sell you back the unlock password.

Moral: Pick a proper password.

Story: The developers of the free and popular encryption software TrueCrypt suddenly announced, "It's insecure. Don't use it." Seems they just decided they'd had enough. Goodbye users.

Moral: Buy Sophos's SafeGuard product instead.

Story: Mobile malware has been around for ten years already. It all started with Cabir, a Symbian virus for Nokia phones from 2004.

Moral: There's nothing new under the sun.

Story: Law enforcement took out a bunch of servers behind the infamous malware families Gameover and CryptoLocker. Sadly, new crooks appeared to fill the void.

Moral: Keep your guard up.

Story: SophosLabs in Hungary measured a single zombie-infected PC on a regular network connection sending 5,500,000 spams in a single week. 75% of the spam advertised dodgy pharmaceutical sales; the rest sent out malware.

Moral: Kill-a-zombie today.

Story: Apple and U2 signed a deal to give you the new U2 album for free. But they didn't ask you. Whether you wanted it or not, it just turned up in your iTunes.

Moral: Ask for permission. Even if you are Bono.

Story: The "Shellshock" bug was found in Bash, a command processor common on OS X and Linux. You could trick Bash into running commands a server wouldn't notice, even if it was programmed to be really cautious.

Moral: Still think Linux and OS X have some sort of magic security shield?

Story: You could bypass Snapchat's claimed "auto-deletion" of photos by fetching them onto a site called SnapSaved.com. Guess what? SnapSaved.com got hacked.

Moral: You uploaded a selfie to the internet. What did you think was going to happen?

Story: We went out of our way to convince you that there's never a good reason to choose a weak password. You may as well choose a good one every time, especially if you use software to help you with the randomness.

Moral: There's never a good reason to choose a weak password.

Because there isn't a Day 13 article, there isn't anywhere to click for the answer to the final question from Day 12.

So here it is.

We asked you to make sense of the six characters MXIPCZ by using what we called a "Caesar Salad" cipher.

Shift 3 letters along 3 places; 2 letters along by 2; and 1 letter by 1.

For example, shifting MXIPCZ with the "shift key" 122333 would give NZKSFC, although that doesn't make sense.

If you treat the possible keys as the permutations of the string 122333, denoting the amount to shift each letter, you'll find there are only 720 (6x5x4x3x2x1) possible keys.

In fact, you only need the unique permutations (or combinations), of which there are just 60.

You could write a quick program to print them all out and then look for the obvious one. (We used Python and its itertools module.)

Or you could just write out three rows of characters, shifting each letter one, two or three characters in each row, like this:

Scrambled = MXIPCZ
Shifted 1 = NYJQDA
Shifted 2 = OZKREB
Shifted 3 = PALSFC

Now choose one character from each vertical column, and see if you can make anything like a word.

If you can, cross-check that it matches the "shift key" pattern of 3 letters by 3, 2 letters by 2 and 1 by 1.

We think the answer's obvious: NAKSEC.
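The post says it used Python and itertools to list the keys; the following is an added example of that approach (my code, not the script Naked Security ran) which enumerates the 60 distinct arrangements of 122333, applies each to MXIPCZ, prints the three shifted rows described above, and filters the candidates against a wordlist. The wordlist here is a constructed toy one containing NAKSEC; a real run would use a dictionary file.

```python
# Added example (not code from the Naked Security post): brute-forcing the
# "Caesar Salad" puzzle. Each letter is shifted forward by 1, 2 or 3 places,
# with exactly one shift of 1, two of 2 and three of 3, so the key is some
# arrangement of the digits 122333.
from itertools import permutations
import string

ALPHABET = string.ascii_uppercase
SCRAMBLED = "MXIPCZ"   # puzzle text from the post
KEY_DIGITS = "122333"  # shift amounts the puzzle allows


def shift_letter(ch, n):
    """Shift one upper-case letter n places forward, wrapping Z -> A."""
    return ALPHABET[(ALPHABET.index(ch) + n) % len(ALPHABET)]


def apply_key(text, key):
    """Shift each letter of text by the matching entry of key."""
    return "".join(shift_letter(c, n) for c, n in zip(text, key))


def unique_keys(digits=KEY_DIGITS):
    """The distinct arrangements of the key digits: 6! / (1! * 2! * 3!) = 60 of them."""
    return sorted(set(permutations(int(d) for d in digits)))


def all_candidates(text=SCRAMBLED, digits=KEY_DIGITS):
    """Map each distinct key to the plaintext it produces."""
    return {key: apply_key(text, key) for key in unique_keys(digits)}


def shift_rows(text=SCRAMBLED, max_shift=3):
    """The pen-and-paper method from the post: one row per shift amount."""
    return {n: apply_key(text, [n] * len(text)) for n in range(max_shift + 1)}


def find_matches(candidates, wordlist):
    """Keep only candidates that appear in the wordlist, as (key, plaintext) pairs."""
    words = {w.upper() for w in wordlist}
    return [(key, plain) for key, plain in sorted(candidates.items()) if plain in words]


# Constructed toy wordlist; NAKSEC is Naked Security's own shorthand.
TOY_WORDLIST = ["naksec", "secret", "sophos", "cipher", "salad"]

if __name__ == "__main__":
    for n, row in shift_rows().items():
        print(f"Shifted {n} = {row}")
    cands = all_candidates()
    print(f"{len(cands)} distinct keys")
    for key, plain in find_matches(cands, TOY_WORDLIST):
        print("".join(map(str, key)), "->", plain)
```

Running it prints the four rows from the post, reports 60 distinct keys, and identifies the key 132323 as the one producing NAKSEC; because every key maps to a different output string, the wordlist filter can never report the same plaintext twice.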

Follow @duckblog


Sunday, December 21, 2014

Microsoft deluged with support in its email privacy battle against US government

Microsoft would prefer if the US Department of Justice (DOJ) refrained from reaching over the ocean and past international law to ransack its Irish servers.

It's been fighting the issue in court since August, when it refused to comply with a warrant for a user's email that was stored in a Dublin data center.

On Monday, much of the tech industry, along with civil rights advocates, backed Microsoft in its legal battle, with more than 75 civil liberties groups, technology companies, trade associations and computer scientists filing legal briefs in support of the software company.

At issue: the DOJ's insistence that it may search Microsoft's overseas servers with a valid US warrant, sidestepping national and international laws that protect such content.

The scope of support for Microsoft's position is unprecedented, its counsel says.

Verizon has said that if the US prevails in this case, it would produce "dramatic conflict with foreign data protection laws."

Apple and Cisco have also come out against the government, saying that the tech sector runs the risk of being sanctioned by foreign governments and that the US should instead seek cooperation with foreign nations via treaties: a position the US has deemed impractical.

The deluge of support that added to these previously filed briefs points to what a precedent-setting case this will be if the company loses - one that would affect the technology world on a global basis, Microsoft Executive Vice President and General Counsel Brad Smith wrote in a blog post about the outpouring of support:

Seldom has a case below the Supreme Court attracted the breadth and depth of legal involvement we're seeing today. ... This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.

Microsoft published the list of backers that filed amicus briefs, including large media outlets such as National Public Radio, The Washington Post, The Guardian, and Forbes; leading technology companies such as Verizon, Apple, Amazon, Cisco, Salesforce, HP, eBay, Infor, AT&T, and Rackspace; professors of computer science; civil rights and free speech advocates such as Digital Rights Ireland, the Electronic Frontier Foundation, and the Center for Democracy and Technology; trade groups such as the National Association of Manufacturers and the Reporters Committee for Freedom of the Press; and even the US Chamber of Commerce.

The groups and companies are all raising issues similar to those already brought up by Apple, AT&T, Cisco and Verizon, Smith said:

These groups raise a range of concerns about the significant impact this case could have both on the willingness of foreign customers to trust American technology and on the privacy rights of their customers, including US customers if other governments adopt the approach to US datacenters that the US Government is advocating here.

Verizon said in its policy blog that the US government is overreaching:

The law does not allow the US government to use a search warrant to obtain customer data stored overseas. The US Supreme Court has reiterated many times that US statutes are presumed not to have extraterritorial application unless Congress "clearly expressed" its "affirmative intention" to the contrary.

There's good reason why Congress hasn't said that domestic US warrants should apply to data stored offshore, Verizon's Randal Milch wrote. For one thing, the content of private email belongs to a customer, not to a provider.

The DOJ has resisted this argument, claiming that email stored in the cloud ceases to belong exclusively to us, becoming instead the business records of a cloud provider.

Because business records have a lower level of legal protection than personal records, the government claims that it can use its broader authority to reach emails stored anywhere in the world.

But if Microsoft were to give in to the government's demands, it would actually be breaking Irish law, Verizon points out:

Ireland's Minister for Data Protection has made clear that "when governments seek to obtain customer information in other countries they need to comply with the local laws in those countries."

In fact, there are treaties in place that would have dictated whether or not the emails could be dug out of Microsoft's offshore servers. Specifically, the DOJ could have followed procedures under the Mutual Legal Assistance Treaty between the US and Ireland to request the information it needed from the government of Ireland "in a manner consistent with Ireland's laws", Verizon points out.

Why didn't the DOJ go that route? Many suggest that the reason is because it knew full well that it wanted something that was inconsistent with Ireland's laws.

In its latest appeal, Microsoft argued that going outside of well-established treaties and partnerships to get at data wherever it's stored sets a precedent for other countries to do the same and thus threaten the privacy of Americans.

There's good reason why Microsoft and other tech companies store customers' data close to them, Smith said:

As we've said since this case began, tech companies such as Microsoft for good reason store private communications such as email, photos, and documents in datacenters that are located close to our customers. This is so consumers and companies can retrieve their personal information more quickly and securely. For example, we store email in our Irish datacenter for customers who live in Europe.

And even if the treaties need an overhaul, that's no reason to ignore them completely, he suggested:

The US has well-established treaties with countries around the world that allow them to seek the information they need while ensuring that citizens of other countries retain the privacy protections offered by their own laws and Courts. And there's ample opportunity for work to modernize these agreements further.

Follow @LisaVaas

Follow @NakedSecurity

Image of data center privacy courtesy of Shutterstock.


Saturday, December 20, 2014

Uber: We accessed reporter's private trip info because she was late

In a letter to Senator Al Franken, Uber says it accessed a reporter's account because "She was 30 minutes late" to a meeting and an executive wanted to know when she'd show up so he could meet her in the lobby.

And flash his iPhone at her. And tell her that he was tracking her, according to a report from The Guardian.

In fact, Uber New York General Manager Josh Mohrer reportedly poked at BuzzFeed reporter Johana Bhuiyan's personal data twice, on both occasions tracking her movements without her permission.

That's just one of a rash of eyebrow-raising reports about Uber's data collection practices and possible misuse of consumers' data that came to light last month and which prompted Sen. Franken to send the company a letter with 10 pointed questions about the company's privacy policies.

(Note: Non-US readers might not be familiar with the American use of the term "rider" as used in these letters. Uber, Senator Franken and American media use the term to indicate "passenger".)

He also asked Uber, which connects passengers with drivers-for-hire using a GPS-based mobile app, to explain how widely it uses its so-called "God View" tool, which allows Uber to track passengers' locations.

In a 3-page response, Uber's Managing Counsel of Privacy, Katherine M. Tassi, reiterated what the company's been saying all along: that it has a "strong culture of protecting rider information" and that the company "prohibits employees from accessing rider information except for legitimate business purposes."

Franken said in a press release on Monday that while he was glad to get a reply, the letter wasn't particularly forthcoming with the details he'd asked for.

To wit:

I am concerned about the surprising lack of detail in their response. Quite frankly, they did not answer many of the questions I posed directly to them. Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining, and sharing customer data.

Franken had originally asked what, exactly, would trigger the company to discipline an employee for violating privacy policies and whether any disciplinary actions had been taken on that basis.

In the case of the twice-tracked BuzzFeed reporter, Uber says that Mohrer "believed he had a legitimate purpose for looking at" Bhuiyan's location as she travelled to his office, but that Uber "regarded his judgment in this instance to be poor" and has "disciplined him accordingly".

Franken had also asked about Uber SVP of Business Emil Michael having suggested spending $1 million to mine personal data for dirt to discredit a journalist who criticized the company.

Franken had noted in his letter that Michael's statements sound like they were intended to have a chilling effect on journalists covering Uber and had asked if he'd been disciplined as a result.

Apparently not.

Uber mentioned in its letter that if the company had in fact used account details to discredit journalists, it would have been a "gross invasion of privacy" and a "violation of our commitment to our users", but in fact the executive's comments were just "ill-considered" given his "frustration with reporters" and "don't reflect company policies or practices."

Uber has publicly apologized for the incident, Tassi notes.

With regards to the "God View" function, which allows Uber to see where all of its cars and all of its passengers are at any given time, the letter says that the company's scaled it back so that only employees in "operations or other areas, like fraud prevention" can use it.

Uber also stated that the company had shown God View to “third parties” in the past because it has a "compelling visual display," but when showing it to those outside the company, it's stripped down to "presentation view, which has been available for about a year now and makes rider personal data inaccessible."
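The letter's two controls, limiting the full tool to operations and fraud-prevention staff and offering outsiders a "presentation view" with rider personal data stripped out, map onto a familiar pattern: role-gated access, a redacted projection for everyone else, and an audit trail that records who looked and why. The following is an added illustration of that pattern and is not Uber's code; the roles, rider records and employee names are constructed for the example, and the rule that full access must carry a stated business purpose is an assumption made here to show how "legitimate business purposes" could be made reviewable.

```python
"""Role-gated trip view with a redacted presentation mode and a purpose-logged
audit trail. Added example; not Uber's code. All data is constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Roles that may still use the full view (mirrors the letter's "operations
# or other areas, like fraud prevention"; the exact role names are assumed).
FULL_ACCESS_ROLES = {"operations", "fraud_prevention"}


@dataclass(frozen=True)
class RiderTrip:
    rider_name: str
    rider_phone: str
    lat: float
    lon: float
    status: str


@dataclass(frozen=True)
class AuditEntry:
    employee: str
    role: str
    purpose: Optional[str]
    mode: str  # "full", "presentation" or "denied"
    rows: int


# Constructed sample trips standing in for live rider data.
SAMPLE_TRIPS = [
    RiderTrip("A. Rider", "+1-555-0100", 40.7411, -73.9897, "en_route"),
    RiderTrip("B. Rider", "+1-555-0101", 40.7580, -73.9855, "completed"),
]


def redact(trip: RiderTrip) -> RiderTrip:
    """Presentation view: drop identity fields and coarsen the position so the
    map still shows activity but no individual rider is identifiable."""
    return RiderTrip("[redacted]", "[redacted]",
                     round(trip.lat, 2), round(trip.lon, 2), trip.status)


class TripViewer:
    def __init__(self, trips: List[RiderTrip]):
        self._trips = list(trips)
        self.audit_log: List[AuditEntry] = []

    def _record(self, employee, role, purpose, mode, rows) -> None:
        self.audit_log.append(AuditEntry(employee, role, purpose, mode, rows))

    def view(self, employee: str, role: str, purpose: Optional[str] = None) -> List[RiderTrip]:
        """Return trip rows for the caller.

        Callers in an allowed role get full rows only when they state a purpose,
        which is written to the audit log for later review. Everyone else gets
        the redacted presentation view. Refusals are logged too, so repeated
        attempts without a purpose are visible to reviewers."""
        if role in FULL_ACCESS_ROLES:
            if not purpose or not purpose.strip():
                self._record(employee, role, None, "denied", 0)
                raise PermissionError("full view requires a stated business purpose")
            self._record(employee, role, purpose, "full", len(self._trips))
            return list(self._trips)
        rows = [redact(t) for t in self._trips]
        self._record(employee, role, purpose, "presentation", len(rows))
        return rows

    def full_accesses_by(self, employee: str) -> List[AuditEntry]:
        """Audit helper: every full-data access a given employee has made."""
        return [e for e in self.audit_log if e.employee == employee and e.mode == "full"]


if __name__ == "__main__":
    viewer = TripViewer(SAMPLE_TRIPS)
    for row in viewer.view("ops_user", "operations", purpose="ticket-0001: delayed pickup"):
        print("full:", row)
    for row in viewer.view("partner_demo", "sales"):
        print("presentation:", row)
    for entry in viewer.audit_log:
        print("audit:", entry)
```

The design point is that the purpose string is not a permission check in itself; a reviewer still has to decide whether "meeting a reporter in the lobby" was legitimate. What the log gives the company is the ability to ask that question after the fact, which is exactly the detail Franken's letter says Uber's reply left open.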

Franken said that he's “concerned” by the response and will continue “pressing for answers.”

Earlier this month, the senator also sent a letter to Uber competitor Lyft to clarify its own privacy policies.

Image of taxi courtesy of Shutterstock.

Friday, December 19, 2014

Did computer security get better or worse in 2014? Have your say...


It's the end of the year and time to reflect on the events of 2014. There were some high profile wins, like the apparent defeat of the GameOver botnet, and some dreadful losses such as the Heartbleed bug - but what was the final score?

Did the forces for good win, lose or draw in 2014?

It's a big subject and there are many, many points of view. So we'd really like to read about your perspective on the year just gone - what did you think of computer security in 2014? You can vote in our poll and leave your thoughts on the year in our comments.

To whet your appetite I asked our regular contributors to give you some food for thought, starting with me.

It seems to me that popular, mature software is getting harder to crack with encryption, bug bounties, responsible disclosure and frequent, predictable - often automatic - updates increasingly accepted as best practice. We know how we should be writing software, even if we're not all doing it yet.

Users remain our Achilles' heel though - year after year, we continue to choose terrible passwords and to click on links and attachments we shouldn't, and 2014 was no better.

So long as security is reliant on good behaviour from users who adapt at a slower rate than software, we're standing still at best.

Mark is founder of independent web consultancy Compound Eye.

I'd say things have got better, although not necessarily more secure just yet.

It may feel bad that there have been so many horrible vulnerabilities in vital software, epic leaks of all sorts of personal data, awful privacy decisions by sites and services people trust, mass doxing of celebrities, huge scams and frauds and lots and lots of general misery, which in themselves are of course not a good thing.

But the scale and frequency of incidents this year feels like it has really pushed us over a tipping point and made security a topic everyone is thinking about, rather than just a few specialists.

People everywhere, from technophobic moms and pops to tight-fisted business leaders, are starting to realise the dangers they can stumble into, and are making efforts to make themselves more secure. In the long run that means fewer easy targets and more demand for better protections, so eventually everyone will end up safer.

John Hawes is Chief of Operations at Virus Bulletin and sits on the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO).

This year has been a mixed bag. We won some battles on the privacy front with an increasing number of websites using HTTPS as a default.

It also appears we fatally wounded the GameOver/CryptoLocker infrastructures.

Like high-waisted "mom" jeans, macro viruses are back making us wary of opening Word documents again. Hipster beards and fixies seem to be going strong and so does ransomware. Now we have viral ransomware with hybrid action mechanisms. A little dose of the old sprinkled with some new flavour.

It appears as though we are also staring down the barrel of 64-bit malware which is giving us something new to worry about. Let's not forget that (really) old code though! Something written 20 years ago by someone with a different kind of beard is now front page news with a catchy name, a website and a PR agent.

It certainly was a bad year for retail but a great teaching opportunity on how not to do security. So it seems awareness is increasing but we still have a long way to go before we can claim any kind of decisive victory, so let's call 2014 a draw.

John Shier is a Senior Security Expert at Sophos, a popular presenter at security events and a hands-on technical guru for Sophos partners and customers.

The Snowden rash keeps itching, and the industry's immune system is kicking in to make this a year where security took some performance-enhancing drugs.

Big tech is hosing itself down trying to rid itself of any whiff of government collusion, as in, perish the thought that we knew about backdoors allowing law enforcement to prance into our products. Or, as Google and Apple would put it, Encryption-R-Us. Good stuff for consumers, unless of course the US government succeeds in stabbing warrantless search to death once and for all.

Cyberbullying got a tiny bit better in some corners, such as Facebook apologising to the LGBT community over its real-name policy and promising to fix its cluelessness over the importance of pseudonyms in protecting people from harassment and violence.

But it was still damn hard to be a teacher. Or a kid. Or a female game developer. Or a victim of cyberbullying, bomb threats, stalking, Sony or Sony-like data doxing, or nude photo theft and publishing.

Let's not pat ourselves on the back for a job well done just yet. There's still an enormous amount of work to be done to make the internet a more safe place for all.

Lisa Vaas is a freelance technology writer and former executive editor of eWeek whose credits include CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and HP's Input/Output.

The 2014 computer security glass is half-empty because...

We spent a lot of time in 2014 energetically repeating the worst blunders of 2013. Case in point: malware breaches on point of sale networks via the same holes we had last year, including contractors or vendors with pathetically insecure remote access to our own networks. "Those who cannot remember the past are condemned to repeat it," so it's time to stop living in the past!

The 2014 computer security glass is half-full because...

We're ready to try out security procedures that we rejected last year. Case in point: two-factor authentication. Two or three years ago, lots of people were telling us that they weren't willing to put up with inconvenience to help someone else do security better. Today, we're hearing the same people saying, "Where is it? Bring it on!" It's great that we're no longer living in the past!

Paul Ducklin is Naked Security's security-proselytiser-in-chief and winner of the inaugural 'AusCERT Director's Award for Individual Excellence in Computer Security' in 2009.

2014 was the year that the data breach went mainstream. From JP Morgan to Home Depot, Victoria's Secret to Sony, the news was filled with ever-increasing stories of doom, payment card theft and personal information exfiltration.

But you know what? There is a silver lining.

Security awareness is still in its infancy and mainstream news coverage may just prompt users and organisations to choose stronger passwords, review security policies and adopt a non-checkbox approach to security standards and regulations.

So while 2014 hasn’t been a great year for computer security, I do have some optimism for the new year ahead.

Lee Munson is a writer, social media manager and founder of the popular computer security website Security FAQs.

That's enough fence-sitting from our writers, now tell us what you think!

Image of signpost courtesy of Shutterstock.