It’s true: there’s a joke here at TechCrunch that the security desk might as well be called the “Bad News Department,” because, well, did you see what we reported recently? Devastating breaches, ubiquitous surveillance, and crafty new startups that are downright dangerous.
But sometimes, albeit rarely, we want to share a glimmer of hope, especially because doing the right thing helps make cyberspace safer, even (and especially) in the face of adversity.
Bangladesh thanks a security researcher for discovering citizen data breach
When a security researcher discovered that a Bangladeshi government website was leaking the personal information of its citizens, it was clear something was wrong. Viktor Markopoulos found the exposed data through inadvertently cached Google search results, which surfaced citizens’ names, addresses, phone numbers, and ID numbers from the affected websites. TechCrunch confirmed that Bangladeshi government websites were leaking data, but efforts to alert government agencies were initially met with silence. The data is so sensitive that TechCrunch was unable to name which government agency leaked it, as doing so could further expose the data.
It was then that the country’s Computer Emergency Response Team, also known as CIRT, got in touch and confirmed that the leaking database had been secured. The data was leaked from the country’s birth, death and marriage registries. CIRT confirmed in an announcement that it had addressed the data breach and was “leaving no stone unturned” to understand how it occurred. Governments rarely handle their own scandals well, but an email the government sent to the researcher thanking him for discovering and reporting the flaw shows a willingness to engage on cybersecurity that many other governments lack.
Apple confronts its spyware problem
It’s been more than a decade since Apple dropped its now-infamous claim that Macs couldn’t be infected with PC viruses (words that, while technically true, have dogged the company for years). Today, the most pressing threat to Apple devices is commercial spyware developed by private companies and sold to governments, which can punch holes in our phones’ security defenses and steal our data. It takes courage to admit a problem, but Apple has done just that by rolling out rapid security response fixes for vulnerabilities that spyware makers are actively exploiting.
Apple rolled out its first emergency “patches” for iPhone, iPad and Mac earlier this year. The idea is to deliver critical patches that can be installed without always having to reboot the device (arguably a pain point that discourages people from patching). Apple also has a setting called “Lockdown Mode” that limits certain device features on Apple devices that spyware often targets. Apple said it is not aware of anyone who was hacked while using Lockdown Mode. In fact, security researchers say Lockdown Mode has actively blocked ongoing targeted hacking attacks.
The Taiwan government doesn’t blink before intervening in a company’s data leak
When a security researcher told TechCrunch that a car-sharing service called iRent, run by Taiwanese auto giant Hotai Motors, was leaking real-time customer data to the internet, it seemed like an easy fix. But a week after emailing the company about the ongoing data breach, which included customer names, mobile numbers and email addresses, as well as scans of customers’ licenses, TechCrunch had still not received a response. We did not get one until we contacted the Taiwan government for help in resolving the incident. It responded instantly.
Within an hour of contacting the government, Taiwan’s Digital Affairs Minister Audrey Tang told TechCrunch via email that the exposed database had been flagged by Taiwan’s Computer Emergency Response Team, TWCERT, and taken offline. The Taiwanese government’s response was astonishingly fast, but it’s not over yet. Taiwan later fined Hotai Auto for failing to protect the data of more than 400,000 customers and ordered it to improve cybersecurity. After the incident, Taiwanese Deputy Prime Minister Cheng Wen-zan said the fine of about $6,600 was “too light” and proposed changing the law to increase the fine for data breaches tenfold.
US court records system leaks raise the right alarms
At the heart of any justice system is the court records system, a stack of technologies used to file and store sensitive legal documents for court cases. These systems are often online and searchable, while limiting access to files that might otherwise jeopardize ongoing litigation. But when security researcher Jason Parker discovered extremely simple bugs in several court records systems that could be exploited using just a web browser, Parker knew they had to make sure they were fixed.
Parker discovered and disclosed eight security vulnerabilities in court records systems used by five U.S. states, and this was only the first of their disclosures. Some of the bugs have been fixed, others are still pending, and states have had mixed reactions. Lee County, Florida, took a harsh (and self-righteous) stance by threatening the security researcher with Florida’s anti-hacking laws. But these disclosures also raise the right alarms. Chief information security officers and officials responsible for court records systems in several U.S. states saw the disclosure as an opportunity to examine their own court records systems for vulnerabilities. Government technology is broken (and woefully underserved), but having researchers like Parker find and expose flaws that must be fixed can make the web safer for everyone and the justice system fairer.
Google ends geofence warrants, better late than never
It was Google’s appetite for advertising and continued growth that laid the foundation for geofence warrants. These so-called “reverse” search warrants allow police and government agencies to dig into the vast troves of user location data stored by Google to see who was nearby when a crime was committed. But the constitutionality (and accuracy) of these reverse warrants has been questioned, with critics calling on Google to end the surveillance practice it created in the first place. Then, just before the holidays, came the gift of privacy: Google said it would start storing location data on users’ devices instead of centrally, effectively ending the ability of police to obtain real-time locations from its servers.
Google’s move is not a panacea, nor will it undo years of damage (or prevent police from searching Google’s stored historical data). But it could prompt other companies also subject to such reverse search orders, including Microsoft, Snap, Uber and Yahoo (the parent company of TechCrunch), to follow suit and stop storing users’ sensitive data in a way that the government can access.