CBS Sports Digital fixed a vulnerability in the Android and iOS versions of its app that transferred users' names, email addresses, account passwords, birth dates and ZIP codes over an insecure connection, after a mobile security firm discovered the problem, a company spokeswoman said Tuesday. She said a vulnerability on the CBS Sports mobile website that transmitted users' email/user ID and passwords in clear text rather than encrypted also was fixed. "There was no data breach on either the CBS Sports app or mobile site," the company emailed. "Our internal teams are rigorous about monitoring our platforms for any potential security issues. We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection." Mobile security company Wandera said in a threat advisory that it had discovered the vulnerabilities, which potentially exposed personally identifiable information when users signed up for an account. It said the CBS Sports app is one of the most popular sources for sports news. "Our researchers have identified that a significant amount of personal data is collected during the account registration process, and all these details are sent in clear text over an unencrypted connection to the app's backend services," the advisory said. Neither company said when the vulnerabilities were discovered or fixed.
Thirty-seven percent of U.S. businesses lack confidence that their third-party vendors would inform them if a data breach involving sensitive information occurred, said a Ponemon Institute Web-based survey commissioned by law firm BuckleySandler and Treliant Risk Advisors. Ponemon surveyed 598 people in various industries, at companies that had a vendor data risk management program. "The study reveals the difficulty companies have in mitigating, detecting and minimizing risks associated with third parties that have access to their sensitive or confidential information," the survey said. It found that 73 percent of respondents didn't believe indirect service providers or subcontractors hired by a third-party vendor would notify companies of a data breach. "The risk to strategic data assets extends beyond any single third-party but rather to the web of relationships that comprise the data ecosystem," BuckleySandler Managing Director Rena Mears said in a Monday news release. Companies worry about data safeguards, security policies and procedures implemented by third parties, but the survey said that companies "rarely" perform reviews of vendor management policies and programs involving data risk. "Companies should compile a comprehensive inventory of and conduct data and privacy risk assessments for all third-party vendors; however, we found that few companies represented in this research, in particular those outside the regulated banking sector, have done so," Treliant Chief Business Officer Susanna Tisa said.
The DOJ’s decision Monday to abandon its lawsuit to compel Apple to create security-defeating software for the iPhone (see 1603280054) was “a preferable outcome to a wide-reaching court decision,” CTA President Gary Shapiro said Tuesday in a statement. Americans “want every tool in the fight against terrorism, but we also want our privacy and many in the technology and national security industry world believe that secure devices are an important weapon against terrorism,” Shapiro said. Tech companies “will help fight the battle against terrorism through innovation,” he said. “They will develop predictive analytics combined with sensing devices that smell explosives, measure biometrics including voice, facial and other indicators of emotion or intent. They will create new tools, applications and measures which keep us all safe." But what tech firms "are reluctant to do" is allow government "to have unfettered tools" that are easily "obtainable by bad actors" to crack "the most private of interactions" conducted on consumers' devices, Shapiro said. Shapiro buys into the argument (see 1603290059) that DOJ’s withdrawal of the suit against Apple doesn’t resolve the larger questions on privacy vs. security. “The national discussion on the balance between privacy and security can and must continue,” Shapiro said. “We look forward to working with law enforcement, Congress and our members to discuss the appropriate tradeoffs in this critical balance."
The FTC approved a final order Tuesday, resolving a complaint against Oracle that it deceived customers about security updates to the Java platform, standard edition (Java SE) software (see 1512210028), the commission said in a news release. The commission approved the order 4-0 after a public comment period. FTC announced the settlement in December when the commission said Oracle was aware of "significant security issues" with older Java SE versions -- installed in more than 850 million personal computers -- that support browser-based features such as calculators, online gaming, chat rooms and 3D images. FTC's complaint said Oracle didn't tell customers that software updates may have left older versions intact. The complaint said hackers could exploit the flaws in the older versions, potentially giving them access to consumers' usernames and passwords to financial accounts and enabling them to launch phishing attacks. The order requires Oracle to notify customers of any older versions on their computers during an update process, inform them of the risks and give them the choice to uninstall them. "In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software," the FTC release said.
The Electronic Frontier Foundation is urging President Barack Obama to listen to academics, mathematicians, security engineers and his own advisers who say a back door to unlock encrypted data can't be used only by the "good guys." "You can’t put a key under a doormat that only the FBI will ever find," wrote EFF Activism Director Rainey Reitman in a blog post Friday, referring to the legal fight between Apple and the U.S. government over unlocking the iPhone used by one of the San Bernardino, California, mass shooters (see 1603010013). She wrote that it's "not possible" to secure encryption back doors that can be accessed by "the smallest number of people possible," which Obama recommended in a talk at the South by Southwest festival in Austin (see 1603110082). She said "crypto-critics like FBI Director James Comey, the attorney general, and others" don't appreciate the technical consequences of what they're proposing, which could be exploited by hackers, identity thieves, authoritarian governments and corporations, compromising everyone's security. "The public debate we’re having over the security of our devices boils down to a question of math versus politics," she added.
The FTC issued warning letters Thursday to 12 app developers whose apps appear to the FTC to include the code for Silverpush software that can detect audio signals via a device's microphone as a way of monitoring consumers' TV use. Silverpush software can monitor TV use by detecting “audio beacons” that TVs emit, the FTC said in a news release. App developers can use Silverpush software to produce a detailed log of TV usage habits as a way of targeting specific ads at a consumer, the FTC said. Silverpush has said its software isn't currently in use in the U.S., but app developers should still notify consumers if their apps contain the software, the FTC said. Apps that include Silverpush typically ask consumers for permission to access their microphone without providing a reason and don't warn consumers that the software can be used to monitor TV use, the FTC said. App developers falsely claiming that their apps don't collect information on TV use via the Silverpush software may be in violation of FTC Act Section 5, the FTC said in a sample version of the letters.
Kaspersky Labs announced Internet security software designed to safeguard children when they use the Internet on computers and mobile devices. Called Kaspersky Safe Kids, the software allows parents to monitor children’s online activity and physical location, prevent them from going to inappropriate websites and regulate the amount of time they can use their computers or mobile devices, the company said. A Kaspersky survey indicated 45 percent of parents were concerned that children are encountering inappropriate or explicit content online, 41 percent worry about children communicating with dangerous strangers, and 40 percent worry children share too much personal information online about themselves. The Safe Location feature allows parents to monitor their child’s location in real time, set up safe areas and receive automatic alerts if their child moves outside an agreed perimeter, it said. The basic version is free, while the $14.99 version adds features such as Safe Location, it said.