A data breach on the AdultFriendFinder dating website exposed the personally identifiable information of more than 3.5 million users, parent company FriendFinder Networks said Friday. The website asks customers to specifically list their sexual preferences and other information in order to match them with other users. AdultFriendFinder, which has 64 million total members, says it has helped customers “find traditional partners, swinger groups, threesomes, and a variety of other alternative partners.” The U.K.’s Channel 4 News originally named AdultFriendFinder last week as the victim of the data breach. FriendFinder Networks said Friday it launched an internal investigation to “review and expand” its security processes and is “taking steps to protect our members such as temporarily disabling the username search function and masking usernames of any users we believe were affected by the security issue.” FriendFinder Networks said it’s currently getting in touch with affected customers. The company said it’s working with cybersecurity firm Mandiant to investigate the data breach, review FriendFinder’s security practices and remediate the company’s systems. FriendFinder said it also notified federal law enforcement about the breach.
Google released Chrome version 43.0.2357.65 for Linux, Mac and Windows Tuesday to address multiple vulnerabilities, including some that could allow a remote attacker to take control of an affected system, said the U.S. Computer Emergency Readiness Team. The update includes 37 security fixes, Google’s Chrome blog said. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” it said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The FTC launched IdentityTheft.gov Thursday, in hopes of making it easier for identity theft victims to report and recover from identity theft, a news release said. The new website has an interactive checklist for those who learn their identity is stolen and has advice for those notified their personal information was exposed in a data breach. A Spanish version of the site is available at RobodeIdentidad.gov.
One mechanism that operating systems use to mediate developer access to resources is permission-based access control, which asks the user to decide which resources an application can access, wrote FTC Privacy and Identity Protection Division attorney Nithan Sannappa in a blog post Thursday. The usability of permissions has been widely debated in the security community, he said, because researchers have noted users may become habituated to run-time warnings, making them ineffective. Developers have observed that run-time dialogs in mobile operating systems can be similarly problematic since an application “usually barrages users with a stack of dialogs on its first launch,” which can lead to the user “carelessly dismissing all of them without reading them,” Sannappa said. The risk of habituation prompted Google and Microsoft to implement install-time permissions in Android and Windows Phone so users wouldn’t say “OK” to or ignore every dialog shown, he said. “Despite a history of usability concerns, permissions appear to be a useful tool in increasing transparency and encouraging developers to adhere to the principle of least privilege,” Sannappa said. “The Commission has long supported the idea of layered disclosures presented in a context that is useful for consumers,” he said. “From this perspective, permissions in mobile operating systems are clearly an improvement over the opacity of traditional operating systems, which often led to disclosures buried in lengthy legal documents.” Increasing the usability and efficacy of permissions remains an important challenge to address, he said. “To minimize habituation and increase user comprehension, mobile operating systems should only ask users to make security decisions when information flows defy user expectations,” Sannappa said.
“By providing incentives and opportunities for developers to adhere to the principle of least privilege, mobile operating systems can help minimize the situations in which users must confront such information flows,” he said. “And by providing greater context for access requests, mobile operating systems can help users make informed decisions about such information flows.”
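The three prompting strategies discussed above can be compared on a concrete access trace. The following is an added illustration, not code from Sannappa's post or from any operating system: it models a deny-by-default permission manager and counts how many dialogs each strategy shows the user. The app's declared permissions, the access trace, and the choice to treat background access as an "unexpected" information flow are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed sample: the permissions an app declares when it is installed.
DECLARED = {"camera", "contacts", "location"}


@dataclass
class Access:
    """One attempt by the app to use a protected resource."""
    permission: str
    foreground: bool = True  # False models background use; assumed here to be the
                             # kind of flow that "defies user expectations"


# Constructed access trace: includes a resource the app never declared.
TRACE = [
    Access("camera"),
    Access("camera"),
    Access("contacts"),
    Access("location", foreground=False),
    Access("microphone"),                 # undeclared: denied without any dialog
    Access("location"),
    Access("contacts", foreground=False),
]


def simulate(strategy: str, declared: set, trace: list) -> dict:
    """Run the trace under one prompting strategy.

    strategy:
      "install_time"  - one dialog listing every declared permission at install
      "first_launch"  - one dialog per declared permission on first launch (the barrage)
      "contextual"    - dialog on first use of each permission, and again whenever
                        a granted permission is used from the background
    Returns the dialogs shown, the accesses denied, and the final grant set.
    Least privilege holds in every strategy: undeclared resources are never
    prompted for and never granted.
    """
    prompts: list = []
    denied: list = []
    granted: set = set()

    if strategy == "install_time":
        prompts.append("install: " + ", ".join(sorted(declared)))
        granted = set(declared)
    elif strategy == "first_launch":
        for perm in sorted(declared):
            prompts.append("launch: " + perm)
        granted = set(declared)
    elif strategy != "contextual":
        raise ValueError(f"unknown strategy {strategy!r}")

    for access in trace:
        if access.permission not in declared:
            denied.append(access.permission)
            continue
        if strategy != "contextual":
            continue  # already granted up front; no further dialogs
        if access.permission not in granted:
            prompts.append("first use: " + access.permission)
            granted.add(access.permission)
        elif not access.foreground:
            prompts.append("background use: " + access.permission)

    return {"prompts": prompts, "denied": denied, "granted": sorted(granted)}


def prompt_counts(declared: set = DECLARED, trace: list = TRACE) -> dict:
    """Number of dialogs the user sees under each strategy for the same trace."""
    return {s: len(simulate(s, declared, trace)["prompts"])
            for s in ("install_time", "first_launch", "contextual")}


if __name__ == "__main__":
    for strategy in ("install_time", "first_launch", "contextual"):
        result = simulate(strategy, DECLARED, TRACE)
        print(f"{strategy:13s} dialogs={len(result['prompts'])} "
              f"denied={result['denied']} granted={result['granted']}")
```

On this trace the install-time model shows one dialog, the first-launch model three, and the contextual model four, but the contextual dialogs each arrive at the moment the resource is used, which is the trade-off between habituation and context the post describes. The undeclared microphone access is refused silently in every model, so the user is never asked about a flow the app had no right to begin with.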
The Mozilla Foundation released security updates Tuesday to address vulnerabilities in Firefox, Firefox ESR and Thunderbird, said a notice from the U.S. Computer Emergency Readiness Team. U.S.-CERT said the vulnerabilities in Firefox may have let a remote hacker “cause a denial-of-service condition or steal sensitive information.” Adobe also released security updates Tuesday for Acrobat, Flash Player and Reader, a U.S.-CERT notice said. It said exploitation of Adobe vulnerabilities may let an attacker take control of an affected system.
The Department of Commerce Internet Policy Task Force extended the comment deadline on identifying substantive cybersecurity issues from May 18 to May 27, said a notice in Wednesday's Federal Register. Comments may be submitted via email or mail.
The rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, said a Juniper Research news release Tuesday. The industry researcher said most data breaches will come from existing IT and network infrastructure, and threats targeting mobile devices and the IoT are being reported “at an increasing rate.” The report said cybercrime is becoming increasingly professionalized with the emergence of cybercrime products like malware creation software, and while the number of attacks overall may decrease, there will be more successful hacks. “We aren’t seeing much dangerous mobile or IoT malware because it’s not profitable,” said report author James Moar. “The kind of threats we will see on these devices will be either ransomware, with consumers’ devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack,” Moar said. “With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools.” Juniper said 60 percent of anticipated data breaches in 2015 will occur in North America, “but this proportion will decrease over time as other countries become both richer and more digitized.”
Microsoft released 13 updates to address vulnerabilities in Microsoft Windows, the U.S. Computer Emergency Readiness Team (U.S.-CERT) said in a security bulletin Tuesday. “Some of these vulnerabilities could allow elevation of privilege, denial of service, remote code execution, information disclosure, or security feature bypass,” it said. U.S.-CERT recommended users review the Microsoft Security Bulletins (MS15-043 - MS15-055) and apply any necessary updates.
The Trustworthy Accountability Group, the advertising industry's initiative to improve the digital ecosystem, said it plans to create, maintain and share its database of domains that have been identified as known sources of fraudulent bot traffic for digital ads. The TAG fraud threat list program was unveiled Monday at an Interactive Advertising Bureau conference in New York by Mike Zaneis, interim CEO of TAG, and Jim Norton, global head of media sales at AOL, which Verizon agreed Tuesday to buy. The technical proposal for the fraud threat list program will be posted at tagtoday.net, and comments from ad industry stakeholders will be accepted for 30 days before the program is finalized. The pilot phase of the program battling the $6.3 billion issue of fraudulent ad traffic has been implemented, and broader deployment of the final program is expected in Q3, said TAG. The program lets ad companies “take power back from the criminals who are undermining our industry,” Zaneis said. “By gathering and sharing known sources of fraudulent impressions across the digital advertising ecosystem, TAG will give companies the information they need to find and remove non-human traffic from their inventory.” The list will be compiled using information from participating companies with “specific insight on domains that are driving significant fraudulent ad traffic to the ad industry,” such as AOL and Yahoo, and will be available to advertising networks, publishers and technology providers, said TAG.
Don't overlook privacy and security issues associated with application programming interfaces of mobile devices, as APIs have been abused by some apps, wrote Nithan Sannappa, an attorney in the FTC Division of Privacy and Identity Protection, in a blog post Thursday. Unlike on early desktops, “With the rapid evolution of the internet and the spread of malware, it soon became clear that not all applications could be trusted,” he wrote. In computing, “privilege” is the right to perform an action like accessing a device resource, while “sandboxing” is limiting an application to only the privileges necessary to “complete the job,” Sannappa said. Though “nearly all modern mobile operating systems feature sandboxing,” there are various approaches to how and when an app should be permitted to access things like a device camera or mic, or a user’s contacts or calendar, Sannappa said. The APIs an operating system exposes determine which resources a developer can reach and how users are informed of that access. Mozilla’s Firefox OS prevents third-party applications from accessing the device’s telephony API, Sannappa said. “According to its documentation, Mozilla restricted access to this API in order to prevent the creation of malicious applications that surreptitiously dial premium phone numbers, a practice known as ‘toll fraud,’” Sannappa said. “Google’s Android operating system provides developers with a telephony API, as well as many other APIs that are not accessible on other operating systems,” he said. “Providing developers with too much flexibility can create privacy and security risks.” The FTC previously filed a complaint against HTC America alleging a vulnerable application pre-installed on the company’s Android devices copied sensitive personal information, such as location data and text messages, to the system log, potentially exposing this information to third-party applications, Sannappa said.
He also cited 2013 comments from Facebook that developers were copying Facebook user IDs to their system logs, and that after Apple began in 2010 a policy prohibiting developers from collecting users' personal information like contacts and calendars, apps continued to abuse these APIs.
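The HTC America complaint and the Facebook user-ID example both describe the same defect: an application writes data it was entitled to read into a log that other applications can read. The following is an added example, not code from the FTC, HTC or Facebook, showing the unsafe logging pattern beside a hardened version and a small scanner of the kind a reviewer can run over log output to catch the leak before release. The event record, the sensitive-field list and the regular expressions are constructed assumptions for this example.

```python
import re

# Constructed sample: an event as a pre-installed component might log it.
RECORD = {
    "event": "sms_received",
    "device_id": "ABC123",
    "from": "+15555550123",              # sender phone number (sensitive)
    "body": "Running late, see you at 6", # message text (sensitive)
    "lat": 37.7749,                       # location (sensitive)
    "lon": -122.4194,
}

# Assumed policy: fields that must never reach a log readable by other apps.
SENSITIVE_FIELDS = {"from", "body", "lat", "lon"}


def log_line_unsafe(record: dict) -> str:
    """The defect: every field, sensitive or not, goes to the shared log verbatim."""
    return " ".join(f"{k}={v}" for k, v in record.items())


def log_line_safe(record: dict, sensitive: set = SENSITIVE_FIELDS) -> str:
    """Hardened form: sensitive fields are replaced before the line is written,
    so the log still records that the event happened without its contents."""
    return " ".join(
        f"{k}=[redacted]" if k in sensitive else f"{k}={v}"
        for k, v in record.items()
    )


# Constructed detectors for data that should not appear in a shared log.
PATTERNS = {
    "phone": re.compile(r"\+?\d{10,15}\b"),          # E.164-style numbers
    "coordinates": re.compile(r"-?\d{1,3}\.\d{3,}"),  # decimal lat/lon values
}


def find_sensitive(line: str) -> set:
    """Return the names of every pattern that matches the log line."""
    return {name for name, pattern in PATTERNS.items() if pattern.search(line)}


def audit(lines: list) -> list:
    """Scan log lines and report (line number, findings) for each leak found."""
    return [(i, sorted(hits)) for i, line in enumerate(lines, 1)
            if (hits := find_sensitive(line))]


if __name__ == "__main__":
    for label, line in (("unsafe", log_line_unsafe(RECORD)),
                        ("safe", log_line_safe(RECORD))):
        print(f"{label:6s} {line}")
        print(f"       findings: {sorted(find_sensitive(line)) or 'none'}")
```

The scanner is deliberately narrow: it catches structured values such as phone numbers and coordinates but cannot recognise free-form message text, which is why the hardened writer redacts by field name rather than relying on pattern matching at write time. Running the audit over a device's log output is a cheap release check for the class of exposure the complaint describes.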