New Google Pixel 4 has One Big Privacy Issue with Face Unlock Feature

Google has created its own face recognition unlock system for the Pixel 4 and 4 XL. The system is similar to Apple’s Face ID, and the Pixel 4 drops fingerprint authentication to rely solely on this method of unlocking the phone. However, there’s a huge privacy issue with the system: the phone can be unlocked even if your eyes are fully closed.

The phone can be unlocked by someone else if the device is held up to your face – eyes closed or not. The unlock system will also work if you’re asleep and someone wanted to unlock your phone without you knowing. Contrary to Google’s unlock system, Apple’s requires your eyes to be fully open to unlock, thus making it more secure for its device users. 

Whether or not Pixel has intentions to add more security to the face unlock system remains unknown. A Google representative commented on the issue in a statement to The Verge, explaining: “We don’t have anything specific to announce regarding future features or timing, but like most of our products, this feature is designed to get better over time with future software updates”. With nothing yet officially announced, the privacy issue still stands, allowing a nosy friend or significant other to access a user’s device with ease.

As of now, the only way to combat this issue is the lockdown function available on Android phones. Lockdown can be accessed through the power menu, and once pressed, the device disables the face unlock feature until the user’s PIN code is entered. If you choose to use lockdown, notifications will not be displayed on your phone screen. Bluetooth devices also lose the ability to unlock the phone.

Google’s New Application Tools for Maps, YouTube, and Assistant Put Privacy in the Hands of Its Users

Just in time for National Cybersecurity Awareness Month, Google announced new user privacy and security tools for Google Maps, YouTube, and Google Assistant. The updates to these applications give users more control over what data Google can retrieve, and even give users the option to delete already collected data, such as within Google Voice Assistant.

Google Maps now includes an incognito mode that keeps the application from tracking which places you search for and where you travel to, giving its users more control over privacy. Incognito mode also helps to keep users’ personalized recommendations from including any locations that would otherwise be irrelevant. Android and iOS users are expected to have this feature available in their Maps application this month.

YouTube is receiving an update as well, with users now able to choose when the app will automatically delete accumulated history. You can choose to keep your watch history for three or 18 months, or just choose to keep the data until you delete it manually.

Google Assistant is also getting an update that allows users to delete any saved voice data. By saying phrases like “Hey Google, delete the last thing I said to you,” or “Hey Google, delete everything I said to you last week,” to your device, Google Assistant will delete its “Assistant Activity”. Deleting voice data from a while back would require you to go into account settings.

After it was revealed that actual people could listen to voice recordings for the purposes of improving voice assistants, Google, Amazon, and Apple all took action to remedy the privacy situation. Alexa, for instance, was given an option for consumers to choose whether recordings will be reviewed. Two months ago, Apple also announced the suspension of its Siri grading program, which similarly recorded user audio. The company commented that it would let consumers choose whether to participate in the grading program with a future update.

This Google Assistant feature is expected to be released in all languages by next month. The English commands will be available this month. 

Lastly, Google has released Password Checkup within its Password Manager tool. The Checkup feature notifies users if their passwords have been compromised in a data breach, are weak and need to be strengthened, or have been reused. Google will be adding this tool to Chrome soon, but users can still take advantage of the feature at passwords.google.com.

540 Million Facebook User Records Found On Public Amazon Storage Server

Researchers at security firm UpGuard have discovered an unpleasant surprise: millions of Facebook user records were found exposed publicly on an Amazon S3 storage server without a password to protect the data.

Two third-party companies – a Mexico-based media company called Cultura Colectiva and an app developer, At The Pool – had left user records available for public access. User record data such as comments, likes, reactions, and account names were all stored on the servers. At The Pool stored sensitive information from approximately 22,000 users, including data such as photos, check-ins, and friends lists.

UpGuard had not received a reply from Cultura Colectiva after warning them about the public server data back in January. After reaching out to Amazon as well, the security firm was yet again met with indifference as no one had taken action to resolve the issue. After Bloomberg’s reporting on April 3rd, the database was then secured.

A Facebook representative commented on the matter, explaining that “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases.” Spokespeople from the company also commented that Facebook was not aware of the issue until the UpGuard team had brought it to their attention.

Both third-party companies had collected and stored the data in the past when Facebook was more lenient on data gathered by outside applications. However, after the Cambridge Analytica scandal, Facebook set tighter restrictions on what developers may access in regards to user data.

As of now, it is unclear whether the data on the open storage servers was accessed by malicious actors who could potentially use it to their advantage in marketing or fraudulent schemes.

Uber Uses Software to Remotely Log Out to Preserve Customer Privacy Data

A company with 78 or more international offices has to expect some friction with government authorities. In 2015, Uber faced a series of investigations in China and various other countries and was looking to secure its information while being investigated. During these police raids, employees knew the drill: immediately log off and make it nearly impossible for the police to access the information they had a warrant to retrieve, that is, proceed with the “unexpected visitor protocol.”

Lest this sound a little too suspicious, it’s important to know that Uber was trying to protect the privacy and security of its customers, drivers, and employees – especially abroad. After a lot of searching, Uber discovered a piece of software called “Ripley,” which was said to be named after Sigourney Weaver’s character in the 1979 sci-fi movie, Alien. This special software is able to remotely disable, lock, or change the password on employees’ computers and smartphones in the event of a breach or police raid. As quoted in a Bloomberg.com article, “The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. ‘Nuke the entire site from orbit. It’s the only way to be sure.’”

According to Bloomberg, the software was used during a raid in Montreal in May 2015. The idea behind it was for Uber’s team at the San Francisco headquarters to be able to shut down a device if necessary. On that occasion, the Quebec tax authority arrived at the office unannounced with a warrant. Uber’s on-site managers followed the protocol and alerted company headquarters about what was happening. With the use of Ripley, they were able to avoid revealing anything to the investigators by immediately logging off all the devices in the Montreal office.

Employees are trained to raise an alert and follow some simple procedures when someone arrives unannounced at a foreign office, in order to protect the company’s data. If the investigators begin to examine Uber’s machines, there is a list of Do’s and Don’ts that the employees should follow. Do’s include cooperating with the authorities and disclosing requested documents. Don’ts include not volunteering any information, and not to “delete, destroy, and hide any document or data.” It’s unclear, though, whether this list was followed when the Ripley software was used. It is clear, however, that Uber has allowed authorities to leave the building with company laptops plenty of times before. It all depends on the legal privilege of the situation.

“Like every company with offices around the world, we have security procedures in place to protect corporate and customer data,” an Uber spokeswoman said. “When it comes to government investigations, it’s our policy to cooperate with all valid searches and requests for data.”

Later, Uber started using off-the-shelf software called Prey and another program named uLocker. Uber said that these programs are able to protect the privacy of drivers, Uber employees, and passengers. Last March, the New York Times revealed that the company used secretive software called Greyball in some cities where Uber wasn’t yet allowed to operate. The software let the company target certain people, like the police, and showed them a mock-up version of the app with no cars available, to hide the fact that Uber was indeed in operation.

According to the article, Uber is now under investigation by the US Department of Justice for its use of Greyball and is facing at least four other inquiries by the US government. As for Ripley, uLocker, and Prey, Uber has said that there is nothing secretive about them. It’s basically the same software someone would use to track down a lost or stolen smartphone. An Uber spokeswoman has also mentioned that these programs are useful internally. For instance, if an employee loses their laptop, the company can log them out of Uber’s systems to prevent information from leaking and someone else from accessing private user data.

Cybersecurity Trends for 2016

Today we can do just about everything with the help of the internet: view and control bank accounts, peruse and shop from stores around the world, connect with new people or video chat with distant friends and family, even control smart objects like kitchen appliances from afar. The same effect can be observed in business, with more and more day-to-day operations becoming automated or conducted online.

It’s no surprise that privacy and online security are going to be a major topic of concern in 2016 and beyond. With all kinds of sensitive information being transferred between different parties, hackers have more opportunity than ever to try to steal information to either sell on the dark web or use for their own financial gain.

There are many precautions consumers and businesses should take to stay in control of their confidential information and protect business assets. For users, get started with our comprehensive Guide to Cyber Security and our Guide to Email Security.

For a general idea of cybersecurity trends, check out our infographic:

 

[Infographic: Cybersecurity 2016]

In the coming weeks, we will continue our Cybersecurity series to help inform users of how to protect their information. Stay tuned for more on common social engineering tactics, how to protect your inbox through safe email practices, bolstering information security on mobile devices, and how to control what is shared on social media.

Interested in protection for your business? Visit our website to learn more about our cybersecurity services and contact Inverselogic to speak with an expert.

Silent Circle’s Blackphone 2 Arriving in September

The average consumer is largely unaware of how much information they share through the use of their smartphones. This has become a major concern for organizations whose employees access sensitive company information via personal devices. If this is true for you, the Blackphone 2 might be a viable alternative. Silent Circle, a Switzerland-based global encryption communications firm, is now accepting pre-orders for the Blackphone 2, the latest version of its security-focused smartphone.

The phone runs on SilentOS, a version of Android, and comes preloaded with Silent One’s secure messaging apps and other third-party pro-privacy applications. Some notable features on SilentOS include its secure wireless VPN connection to Disconnect.me servers (a Blackphone partner) and Disconnect, an anonymizing service which keeps your search activity private. The phone also encrypts all emails, texts, and contact information.

Previously targeting consumers, Silent Circle is now marketing the phone to enterprises, hoping its secure software suite is private enough to steal market share from BlackBerry. The Blackphone 2 is set to release in September, at a price somewhere above $630. Silent Circle also announced a private tablet back in March, but has not provided any updates on its release.

The Police are Keeping an Eye on Your Car

Today’s law enforcement agencies use License Plate Readers (LPRs) to detect stolen vehicles. These LPRs automatically scan up to 60 license plates per second. The scanners use OCR technology to match what they find with “hot plates,” plates for cars that have been reported stolen or linked to subjects wanted or under investigation. The technology is so efficient that, aside from being affixed to physical structures, the readers are often mounted onto squad cars.

While this isn’t all that surprising, what you might find interesting is the fact that these records are kept between 48 hours and “indefinitely,” regardless of whether the logged information is linked to any cases under investigation. Below is a chart made by the ACLU, depicting the difference in retention periods between a variety of cities in the U.S.

[Chart: ALPR data retention periods by city. Source: ACLU]

So what happens if you want to get hold of records linked to your license plate? Some departments will deny you access to that information, while others may only require proof of registration. Cyrus Farivar posted a piece on Ars Technica, “The Cops are Tracking My Car – and Yours,” explaining how he acquired his info and what he found.

CISPA Bill to be Revived

CISPA, short for the Cyber Intelligence Sharing and Protection Act, will likely be brought back for voting in Washington after recent reports of cyber espionage attempts against U.S. targets. Chairman of the House Intelligence Committee, Mike Rogers, claims that “American businesses are under siege,” making the controversial bill a necessity. Today hackers are considered the new terrorists and the head of Homeland Security, Janet Napolitano, believes a “cyber 9-11” is probable if no cyber security legislation is enacted.

While we doubt that the threat of a nationwide crippling infrastructure cyber attack is near, businesses large and small should be taking the necessary precautions to prevent security breaches from hackers more interested in gaining valuable information. Recent targets have included several U.S. banks, the Federal Reserve’s website, the Wall Street Journal, New York Times and The Washington Post. Most of these attacks have been traced overseas to China.

If passed, CISPA would grant immunity from privacy laws to companies and federal parties which share customer information that relates to “cyber security”. The issue, of course, is how easy it is for companies to cross the fine line between “sharing” this information for security purposes and misusing this immunity for spying. CISPA was passed by the House of Representatives last spring, but never made it to the floor after a veto threat was issued by the White House. President Obama is reportedly preparing to issue an executive order on cyber security after the Union Address scheduled for February 12.

So how could this affect us? Overall, if the bill passes with restrictions on the use of “sharing” information and companies act within those boundaries, the bill would work for its intended purpose of preventing cyber attacks from overseas. This seems unlikely though, and it would also increase the government’s surveillance abilities, making most people uncomfortable. However, it is unlikely that the bill will pass through the House its second time around without major changes, and we hope the President’s plans to address cyber security will create more options for better security without compromising privacy.