Cyber Security News Update 5/18/2018

GDPR is a week away from becoming law, and companies are still rushing to achieve compliance. GDPR has a wide reach and any company with an online presence would wise to update their terms of service and landing pages. GDPR requires data users to clearly explain how a user’s personal data will be used, what it’s being used for and how the user can opt-out at a future date. All of this must be done through a positive action system, which means that users must actively give their consent to have their data used. If you use a checkbox to get this consent, the checkbox must default to a state that DOESN’T provide you with access to the user’s data, and they must make the effort to provide it. Not only that, but if the data will (or could) be used for multiple purposes then each of those purposes must have their own opt-in feature. If a user accepts to having their data be used then the onus is on your company to prove that the user has actually provided their permission. How companies will build this record keeping system is up to the company, but screen-captures of the acceptance form have been the most popular suggestion so far.

A security flaw for LocationSmart has allowed anyone who knows of the bug to track the location of any cell-phone with the service. Verizon, AT&T, T-Mobile, and Sprint phones all use the service to provide location data. KrebsOnSecurity reported that the LocationSmart website allowed users to track anyone they wanted without the person being notified or the tracker requiring special authorization. To track someone required that persons phone number, name, and email address; all of these things are easily attainable through social media networks or a few minutes digging around the internet. While the demo was supposed to require security credentials before it could be used, there were flaws in the website that allowed anyone to bypass the security measures. The location data could be rapidly pinged to provide near real-time tracking of an individual; testing showed that it wasn’t always accurate, but on average it was able to locate someone’s phone with an accuracy of under 1/3 of a mile. The demo has since been taken off of LocationSmart’s website after KrebsOnSecurity reported it to them. This comes on the heels of the Securus revelation, which showed how law enforcement had a tool that allowed them to find the real-time position of a person through aggregate services. These aggregate services are what prompt you with reminders about local locations of interest while traveling, and if you’ve ever been prompted to leave a review for a restaurant of other business then you’ve seen an aggregate service in action. Securus would search these aggregate services for specific users using data provided by the police, such as the person’s phone number, and then Securus would look if any aggregate service’s had recently pinged them. Using this ping information it was possible for law enforcement agencies to track someone as they traveled.
Source: Website leaked real-time location of most US cell phones to almost anyone