Connect with us

Privacy

Public Knowledge Blasts Latest Privacy Meltdown, This One at Instagram Affiliate Hyp3r

Published

on

Photo from Hyp3r's Twitter stream.

WASHINGTON, August 8, 2019 – News of another data breach at Facebook marketing partner Hyp3r on Thursday prompted more demands for federal privacy legislation.

According to the non-profit group Public Knowledge, Hyp3r collected public records of Instagram users’ geolocation, personal bios, followers, metadata and photos – all without users’ consent.

“It’s well past time for Congress to enact strong, comprehensive federal privacy legislation,” said Dylan Gilbert, policy fellow at Public Knowledge.

As long as companies operate free of strong consumer privacy and security laws, he said, companies will continue to turn a blind eye to user privacy and security violations.

Instagram, which is owned by Facebook, said it has terminated its partnership with Hyp3r. Hyp3r had been using data harvesting tools to download users’ Instagram stories that are supposed to auto-delete after 24 hours.

Hyp3r also reportedly took advantage of a security lapse in the Instagram app to harvest posts tagged with geofenced locations. In both cases, only public accounts were compromised.

In the wake of Facebook’s Cambridge Analytica scandal, Instagram had begun disabling parts of its API, including location tools. However, Instagram’s faulty implementation of API rollbacks prompted Hyp3r to create tools that take advantage of these discrepancies, according to a report in  Gizmodo.

Hyp3r saved the content and then used the information to build and sell extensive profiles of users’ daily lives, said Gilbert. While this was done in violation of Instagram’s rules, Hyp3r appears to have been free of any meaningful oversight from Instagram or Facebook.

Rules should be put in place that will empower consumers to better control their data, said Gilbert. The situation is also unsurprising, given that Facebook likely indirectly profited from Hyp3r’s data collection via the Facebook ad manager tool.

(Photo from Hyp3r’s Twitter stream.)

Cybersecurity

Private Sector Falling Behind on Information Sharing During Cyberattacks, Says Comcast Rep

Comcast’s Noopur Davis says cyber attackers share information better than the private sector.

Published

on

Noopur Davis, Chief Product and Information Officer at Comcast Cable.

ASPEN, Colorado, August 23 — In the wake of an influx of ransomware attacks on critical infrastructure and cyberattacks on private carriers, entities across the technology industry are revaluating their strategies and how they share information to prevent such acts.

T-Mobile announced on August 15 that as many as 50 million consumers had their private data compromised during a data breach. Days later, on August 17, as part of Technology Policy Institute’s 2021 Aspen Forum, Noopur Davis, Chief Product and Information Officer at Comcast Cable, sat down for a fireside chat to discuss what the industry was doing to address this event and events like it.

Join in Broadband Breakfast Live Online’s Discussion on “Cybersecurity: Reviewing the Biden Administration’s Executive Order,” on Wednesday, August 25, 2021, at 12 Noon ET.

When Davis was asked how she felt about the current state of cybersecurity, she said it was okay, but that the telecom community at large would have to do more.

She referenced the mean time of comfort—that is, the average duration between the time that a service becomes connected to the internet and when it is targeted by bad actors. While in the early days of the internet cybersecurity experts could expect to have significant mean times of comfort, she stated that this is no longer the case.

“The second you connect [to the internet] you are attacked,” she said.

As soon as a successful breach is recognized, Davis explained that the target companies begin to revaluate their “TTP,” or tactics, techniques, and procedures.

Information sharing is crucial

Though one company may find a remedy to their breach, other companies may remain vulnerable. To combat this, Davis said that it is critical for companies to share information quickly with their counterparts, but she indicated that this is a race that the private sector is currently losing.

“[Attackers] share information better than [the private industry does].”

She went further, revealing that there is now a sophisticated market for malware as a service, where various platforms publish reviews for their products and services and even offer tech support to those struggling to get the most out of their purchases.

Growing market for hacking tools

She pointed to the Colonial Pipeline attack as an example where hackers did not even create the malware themselves—they just purchased it from a provider online. She explained that this marketplace has significantly lowered the barriers of entry and deskilled the activity for would be attackers, and that theoretically anyone could engage in such nefarious acts today.

Though Davis was in favor of collaboration between companies to address these attacks, she made it clear that this would not mean that responses and capabilities would become standardized, and that every company would maintain their own unique strategies to ensure that their services and data remain uncompromised.

Continue Reading

Robocall

Associations Press FCC to Keep Robocall Extension for Facilities-Based Carriers

Organizations say preponderance of illegal calls don’t come from facilities-based providers.

Published

on

Acting FCC Chairwoman Jessica Rosenworcel

August 11, 2021 – In submissions to the Federal Communications Commission on Monday, associations representing smaller telecom are asking the agency to keep an extension specifically for facilities-based carriers to comply with new robocall rules.

In May, the FCC voted to push up by a year, from 2023 to 2022, the deadline for small carriers to comply with the STIR/SHAKEN regime, which requires telephone service providers to put in place measures – including analytics services to vet calls – to drastically reduce the frequency of scam, illegal robocalls, and ID spoofing that misleads Americans to believe the call is legitimate. Large carriers, however, had a deadline of June 30 this year.

But in submissions to the FCC this week, the Competitive Carriers Association, NTCA, and USTelecom said the preponderance of illegal robocalls come from smaller providers – those with fewer than 100,000 lines – that don’t have networks and, because of that, facilities-based carriers should have the additional year to comply with the rules, which is reportedly a highly technical and complex endeavor.

To appreciate the effort, providers must tag or label all calls on their network, using analytics tools, to ensure that the calls are legitimate. All illegitimate calls must be tagged as potential spam or blocked completely. Even still, the possibility of “false positives” can occur. Failure to comply with the rules could result in hefty penalties.

‘Good faith’ actors shouldn’t be penalized

“Commenters recognize as well that care must be taken to correctly identify this group of small providers in a surgical and precise manner that does not sweep in innocent actors and compel them to adopt this standard on a timeframe they had neither anticipated nor budgeted for,” the NTCA said in its submission to the FCC on Monday.

“A more targeted and effective way of capturing the parties that prompted these proposals can be found in the record – specifically, the Commission should require operators that are not ‘facilities-based’ voice providers…to adopt STIR/SHAKEN on a more accelerated timeframe,” the NTCA continued.

Burden of proof on non-facilities providers to show need for extension

USTelecom, however, added that the non-facilities-based providers – which generally originate calls over the public internet – should be able to request the full two-year extension, but they must show why they need it.

“It’s also critical that they are required to explain in detail and specificity why their robocall mitigation plans are sufficient to protect consumers and other voice service providers from illegal and unwanted robocalls,” USTelecom said in its Monday submission.

“Such a requirement would offer the right balance between affording non-facilities-based small providers the opportunity for the full extension if truly needed, but without creating an opportunity for the small VoIP providers responsible for illegal robocalls to abuse the process in order to continue to send unsigned illegal traffic downstream to the detriment of other providers and consumers,” USTelecom added.

Continue Reading

Robocall

FCC Proposes Measures to Limit Unwanted Access to Numbers, Protect Against Foreign Entities

The agency proposed rules for public comment on that would further restrict illegal use of numbering resources.

Published

on

Acting FCC Chairwoman Jessica Rosenworcel

August 9, 2021 – The Federal Communications Commission is seeking comment on proposed rules that it expects will reduce access to phone numbers by those running illegal robocalls and to further enhance public safety by adding transparency measures on foreign providers.

At the August Open Meeting on Thursday, the FCC said it is proposing to require voice-over-internet protocol providers to abide by the new robocalling regime, which requires voice service providers to put in place measures to limit spam calls and ID masking or face severe penalties.

To block calls, voice providers must first gather analytics on the origins of the call and essentially tag its authenticity before its routed.

As of the June 30 deadline, all major U.S. phone companies use caller ID authentication system to label calls as part of the regime, known as STIR/SHAKEN. This allows for end-to-end phone calls to be verified with a now common digital tool. AT&T said in June that is it now labelling over one billion calls a month.

Last week’s meeting also yielded other proposals to safeguard limited numbering resources, “protect against national security risks…and further promote public safety” by adding a layer of oversight at the executive branch level to vet those outside the United States trying to access numbering resources. That includes requiring applicants disclose foreign ownership information.

This would add to the federal government’s approach to protecting national security from foreign entities perceived as threats to the country, including legislation introduced recently that would prevent the FCC from approving those companies with ties to the Chinese communist party.

Continue Reading

Recent

Signup for Broadband Breakfast

Get twice-weekly Breakfast Media news alerts.
* = required field

Trending