- – Security researcher discovered data leak on Bangladeshi government website
- – Apple releases emergency hotfix to address spyware issue on its devices
- – Taiwan’s government swiftly intervenes after ridesharing service data leak
- – U.S. court records systems found to have multiple security vulnerabilities
- – Google announces it will no longer store location data centrally, preventing geofence warrant searches
A funny — but true — joke at TechCrunch is that the security desk might as well be called the Department of Bad News, since, well, there is a never-ending supply of devastating breaches, pervasive surveillance and dodgy startups flogging the downright dangerous. Sometimes though — albeit rarely — there are glimmers of hope that we want to share. Not least because doing the right thing, even (and especially) in the face of adversity, helps make the cyber-realm that little bit safer.
Bangladesh thanked a security researcher for citizen data leak discovery
When a security researcher found that a Bangladeshi government website was leaking the personal information of its citizens, clearly something was amiss. Viktor Markopoulos found the exposed data thanks to an inadvertently cached Google search result, which exposed citizen names, addresses, phone numbers and national identity numbers from the affected website. TechCrunch verified that the Bangladeshi government website was leaking data, but efforts to alert the government department were futile. The data was so sensitive, TechCrunch could not say which government department was leaking the data, as this might expose the data further. That’s when the country’s computer emergency incident response team, also known as CIRT, got in touch and informed the researcher that the data was spilling from none other than the country’s birth, death and marriage registrar office. The government assured that it left “no stone unturned” to understand how the leak happened. Governments seldom handle their scandals well, but an email from the government to the researcher thanking them for their finding and reporting the bug shows the government’s willingness to engage over cybersecurity where many other countries will not.
Apple throwing the kitchen sink at its spyware problem
It’s been more than a decade since Apple ran an ad campaign that Macs don’t get PC viruses (which while technically true, those words have plagued the company for years). These days the most pressing threat to Apple devices is commercial spyware, developed by private companies and sold to governments, which can punch a hole in our phones’ security defenses and steal our data. It takes courage to admit a problem, but Apple did exactly that by rolling out its first emergency “hotfix” earlier this year to iPhones, iPads and Macs. The idea was to roll out critical patches that could be installed without always having to reboot the device (arguably the pain point for the security-minded). Apple also has a setting called Lockdown Mode, which limits certain device features on an Apple device that are typically targeted by spyware. Apple says it ensures the app’s developer and users have no privacy-invasive means in an app. In fact, Apple’s chief security engineer has proposed an industry-wide effort to further hamper commercial spyware companies by providing its security researchers with better means of inspecting third-party app stores.
Taiwan’s government didn’t blink before intervening after corporate data leak
When a security researcher told TechCrunch that a ridesharing service called iRent — run by Taiwanese automotive giant Hotai Motors — was spilling real-time updating customer data to the internet, it seemed like a simple fix. But after a week of emailing the company to resolve the ongoing data spill — which included customer names, cell phone numbers and email addresses, and scans of customer licenses — TechCrunch never heard back. It wasn’t until this story published that we got a response immediately. Within an hour of contacting the government, Taiwan’s minister for digital affairs Audrey Tang told TechCrunch by email that the exposed database had been flagged with Taiwan’s computer emergency incident response team, TWCERT, and was pulled offline. The speed at which the Taiwanese government responded was breathtakingly fast, but that wasn’t the end of it. Taiwan fined Hotai Motors $6,600, and was ordered to improve its cybersecurity. In its aftermath, Taiwan’s vice premier Cheng Wen-tsan said the fine was “too light” and proposed a change to the law that would increase data breach fines by tenfold.
Leaky U.S. court record systems sparked the right kind of alarm
At the heart of any judicial system is its court records system, the tech stack used for submitting and storing sensitive legal documents for court cases. These systems are often online and searchable, while restricting access to files that could otherwise jeopardize an ongoing proceeding. But when security researcher Jason Parker found eight security vulnerabilities in court records systems used in five U.S. states, Parker knew they had to see that these bugs were fixed. Some of the flaws were fixed and some remain outstanding, and the responses from states were mixed. Florida’s Lee County took the heavy-handed (and self-owning) position of threatening the security researcher with Florida’s anti-hacking laws. But the disclosures also sent the right kind of alarm. Several state CISOs and officials responsible for court records systems across the U.S. saw the disclosure as an opportunity to inspect their own court record systems for vulnerabilities. Govtech is broken (and is desperately underserved), but having researchers like Parker makes the internet safer — and the judicial system fairer — for everyone.
Google killed geofence warrants, even if it was better late than never
It was Google’s greed driven by ads and perpetual growth that set the stage for geofence warrants. These so-called “reverse” search warrants allow police and government agencies to dumpster dive into Google’s vast stores of users’ location data to see if anyone was in the vicinity at the time a crime was committed. But the ACLU, Google’s own employees, and critics have called on Google to put an end to the surveillance practice it largely created to begin with. And then, just before the holiday season, the gift of privacy: Google said it would begin storing location data on users’ devices and not centrally, effectively cutting off geofence warrant searches from its servers. Google’s move is not a panacea, and doesn’t undo the years of damage (or stop police from raiding historical data stored by Google). But it might nudge other companies also subject to these kinds of reverse-search warrants — hello Microsoft, Snap, Uber and Yahoo — to follow suit and stop storing users’ sensitive data in a way that makes it accessible to government demands.