Search Results for “Alfred Ng”


October 15, 2019
Alfred Ng / CNET

Facebook Expands Its Bug Bounty Programs Giving Researchers More Ways to Find Flaws in Third-Party Apps, Ups Payments for Rare Vulnerabilities

Facebook announced it is expanding several of its bug bounty programs, including bonus payouts for rare vulnerabilities. The social media giant will give researchers more ways to find flaws in third-party apps and websites that integrate with Facebook. Researchers will no longer be limited to “passively observing the vulnerability” and are now able to actively test these third-party apps for security issues as long as the third party authorizes the researchers. The rewards are based on the severity of the bug, with a minimum payout of $500. For the rare vulnerabilities, Facebook is upping the bounty for native code bugs, with a full bounty and a $15,000 bonus for zero-click flaws in Facebook Messenger on iOS. Finally, Facebook said it is bringing its hardware to Pwn2Own Tokyo in November where it will offer a $60,000 reward for successful hacks of its Portal device, and $40,000 for security flaws in the Oculus Quest.

September 24, 2019
Alfred Ng / CNET

Amazon-Owned Ring Considered Building Tool to Activate Nearby Smart Doorbell Video Cameras Triggered by 911 Emergency Calls

Amazon-owned home surveillance company Ring considered building a tool that would automatically activate the video cameras on nearby smart doorbells in the event of a 911 emergency call, according to emails obtained by CNET. Although not currently working on it, Amazon told a California police department in August 2018 that the function could arrive in the “not-so-distant future.” The goal of the automatic triggering would be to have nearby Ring cameras record and stream video that police could then use to investigate an incident. Ring currently faces a number of controversies over its partnerships with nearly 470 police departments across the country.

September 20, 2019
Alfred Ng / CNET

Workspace Provider WeWork Exposes Customers’ Sensitive Records via Insecure Wi-Fi Unless They Pay $95 Per Month More, Multiple WeWork Locations Use Identical Passwords

Digital media company employee Teemu Airamo discovered four years ago that workspace provider WeWork was exposing financial records, business transactions, client databases and emails from companies surrounding his office in Manhattan through its insecure Wi-Fi network, a situation that remains unchanged today despite the fact that Fast Company first exposed WeWork’s insecure Wi-Fi in August. CNET reviewed the Wi-Fi scans Airamo has been running on the WeWork network, in which 658 devices, including computers, servers, and coffee machines, were exposing an “astronomical amount” of data. Moreover, multiple locations across WeWork’s massive landscape use the exact same password for their Wi-Fi network. WeWork does, however, offer “enhanced” security features for its customers, a VLAN costing an additional $95 a month with a $250 setup fee, although experts suggest that most Wi-Fi should have a baseline security requirement that doesn’t allow this kind of data exposure. Separately, on Tuesday WeWork postponed its planned initial public offering amid investor questions about its value.

September 10, 2019
Alfred Ng / CNET

More Than 50 CEOs Send Letter to Congress in Bid to Establish Federal Privacy Law That Shuts Down Tougher State-Level Legislation

Hoping to preempt and forestall tougher privacy laws at the state level, such as the recent California privacy legislation, more than fifty CEOs, including Amazon’s Jeff Bezos and AT&T’s Randall Stephenson, sent a letter to Congress calling for federal privacy legislation that would “strengthen consumer trust and establish a stable policy environment.” Under the auspices of the CEO group Business Roundtable, the letter from the CEOs went to Senate Majority Leader Mitch McConnell, Senate Minority Leader Chuck Schumer, House Speaker Nancy Pelosi, and House Minority Leader Kevin McCarthy. Google and Facebook aren’t part of the Business Roundtable, but they have made the same points in congressional hearings on data privacy in the same kind of effort to establish weaker privacy rules at the federal level.

August 9, 2019
Alfred Ng / CNET

Majority of Robocall-Blocking Apps Collect and Share Personal Data Collected From Devices Without User Consent

A majority of robocall-blocking apps are collecting personal data on people’s devices without their explicit consent and sharing it with analytics firms, Dan Hastings, a security researcher at NCC Group, found. These “free” apps aimed at reducing pesky and unwanted robocalls are sharing people’s phone numbers with data analytics firms, looking at their text messages and phone calls, and can learn what apps users have on their devices. Hastings discovered that the top robocall-blocking app, TrapCall, is sending people’s phone numbers to three data analytics companies even though this sharing wasn’t explicitly mentioned in the app’s privacy policy. TrapCall contends it only shares phone numbers with service providers who power its internal analytics and app messaging platforms. Another top robocalling app, Hiya, also sends people’s phone data to three data analytics firms even before they agree to the privacy policy. Hiya said it would resubmit its apps to the iOS and Play stores to make sure that basic device information is not sent without people’s consent.

July 3, 2019
Alfred Ng / CNET

Amazon Says It Keeps Alexa Transcripts and Voice Recordings for All Accounts Indefinitely, Can Only Be Manually Deleted by Users

In a letter to Senator Chris Coons (D-DE), Amazon’s vice president of public policy Brian Huseman says the company keeps Alexa transcripts and voice recordings associated with every Alexa account indefinitely, only removing them if manually deleted by users. Huseman’s letter was a response to an earlier letter from Coons demanding answers from the company following a report that Amazon kept transcripts of interactions with Alexa, even after people deleted the voice recordings. Huseman noted that Alexa requests that involve a transaction, like ordering a pizza or hailing a rideshare, as well as ordinary interactions such as setting reminders and alarms, would remain saved indefinitely.

July 18, 2019
Alfred Ng / CNET

Google Pulls Seven Icon-Less Stalkerware Apps From Play Store That Had Been Downloaded 130,000 Times

Seven stalkerware apps that had been downloaded more than 130,000 times were pulled from Google’s Play Store after being discovered by Avast. One called Spy Tracker was promoted as a way to keep kids safe but was described on the Play Store by users as a way to keep track of spouses. All seven apps prompted the attacker to install other software and then delete the initial download, which allowed the stalkerware apps to spy on victims without an icon appearing on the device.

Related: SlashGear, Engadget, BleepingComputer.com, BleepingComputer.com, Economic Times, Techradar, The Register – Security, Trusted Reviews, TechSpot, Digital Trends, GBHackers On Security, Android Central, 9to5Google, Memeburn, IB Times, Android Central, Avast

Tweets: @alfredwkng


July 9, 2019
Alfred Ng / CNET

Over a Thousand Android Apps Skirt User Permission Denials to Access Geolocation, Phone Identifier Data, Researchers

Up to 1,325 Android apps skirt user permission denials to access geolocation data and phone identifiers and collect the data anyway, according to a study by the International Computer Science Institute (ICSI). The study examined 88,000 apps from the Google Play store, tracking how data transferred from the apps when they were denied permissions to access the data. The offending apps used workarounds hidden in their code that would take personal data from sources like Wi-Fi connections and metadata stored in photos. Around 13 of the offending apps, which had been installed 17 million times, were relying on other apps that were granted permission to look at personal data, piggybacking off their access to gather phone identifiers such as users’ IMEI numbers. The researchers notified Google about these issues last September, as well as the FTC. Google said it would be addressing the issues in Android Q, which is expected to release this year. The researchers will be releasing details of the 1,325 apps at the Usenix conference in August.

Related: RT News, MacDailyNews, BGR, Dark Reading, xda-developers, The Verge, Techradar, PhoneArena, Slashdot, CNET, FTC (PDF), The Independent