Cyber Security News Update 6/29/2018

California Governor Jerry Brown (D) signed the California Consumer Privacy Act (CCPA) into law yesterday. The CCPA borrows its overall tone and structure from the General Data Protection Regulation (GDPR) that was signed into law by the European Union, and both of these pieces of legislation seek to tightly control how companies interact with the personal data of their users. Like GDPR, the CCPA has a grace period of two years, and it can still be modified or repealed before it takes effect. This gives corporations like Google and AT&T time to try to modify the bill, but whether or not they’ll be successful remains to be seen. The signing of the CCPA has started a conversation about a national bill that would be enforced at the Federal level, which may have been the point of passing the CCPA. California’s standards tend to influence the rest of the nation; think of anything with the warning “X contains Y, a chemical known to the State of California to cause [cancer, and] birth defects or other reproductive harm.” Tech laws are especially powerful because California is home to Silicon Valley. It’d be like Kentucky passing a bourbon law: whatever happens is going to carry a lot of weight behind it.
Source: The Cybersecurity 202: Why California could be the bellwether for the privacy movement
The CCPA Text: Assembly Bill No. 375

A group of researchers at three universities has discovered a hardware vulnerability that affects every Android device, and some Apple devices, produced since 2012. This vulnerability is exploited by RAMpage, which is a subset of the Rowhammer malware family. RAMpage functions in a similar manner to SPECTRE in that it works on a known hardware vulnerability to gain access to otherwise secure files; once accessed, those files can be used to locate and take all of a device’s personal information as well as control of the device itself. RAMpage manipulates ION, Android’s memory management system, to give itself access that would normally be impossible. The researchers communicated with Google about the solution they had created, but Google told them that their fix would require more system overhead than they predicted, and Google seems to have turned the researchers down.
Source: RAMpage vulnerability impacts every Android device since 2012

Facebook’s quizzes have been shown to expose user data, this time through the developer. Exposure of user data through quizzes was the foundation of the Cambridge Analytica scandal that saw Mr. Zuckerberg testifying before the federal government. This developer creates quizzes to tell people all sorts of things, like what princess or Harry Potter house they belong to. Creating quizzes isn’t malicious in and of itself, but making the personal data available online is: a JavaScript bypass gets around the normal process that would stop this data from being visible.
Source: Facebook quizzes may have exposed 120 million users personal information