Security

Flaws In John Deere's Website Provide a Map To Customers, Equipment (securityledger.com)

chicksdaddy shares a report from The Security Ledger: Websites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company's customers, including their names, physical addresses and information on the Deere equipment they own and operate, The Security Ledger reported. The researcher known as "Sick Codes" published two advisories on Thursday warning about the flaws in the myjohndeere.com website and the John Deere Operations Center website and mobile applications. In a conversation with Security Ledger, the researcher said that he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government's Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California's CCPA or the Personal Information Protection Act in Deere's home state of Illinois. However, the national security consequences of the company's leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet-connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain, researchers warn. The agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report (PDF) released by the Department of Homeland Security concluded that the "adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities" (and that) "potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers."

Facebook

A New Facebook Bug Exposes Millions of Email Addresses (wired.com)

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. Wired reports: A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher -- who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed -- fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

The researcher [...] said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

Social Networks

TikTok Sued For Billions Over Use of Children's Data (bbc.com)

TikTok is facing a legal challenge from former children's commissioner for England Anne Longfield over how it collects and uses children's data. The BBC reports: The claim is being filed on behalf of millions of children in the UK and EU who have used the hugely popular video-sharing app. If successful, the children affected could each be owed thousands of pounds. TikTok said the case was without merit and it would fight it.

Lawyers will allege that TikTok takes children's personal information, including phone numbers, videos, exact location and biometric data, without sufficient warning, transparency or the necessary consent required by law, and without children or parents knowing what is being done with that information. The claim is being launched on behalf of all children who have used TikTok since 25 May 2018, regardless of whether they have an account or their privacy settings. Children not wishing to be represented can opt out.

"TikTok is a hugely popular social media platform that has helped children keep in touch with their friends during an incredibly difficult year," says Ms. Longfield. "However, behind the fun songs, dance challenges and lip-sync trends lies something far more sinister."

She alleges the firm is "a data collection service that is thinly veiled as a social network" which has "deliberately and successfully deceived parents." She added that those parents have a "right to know" what private information is being collected via TikTok's "shadowy data collection practices."

In response, TikTok said: "Privacy and safety are top priorities for TikTok and we have robust policies, processes and technologies in place to help protect all users, and our teenage users in particular. We believe the claims lack merit and intend to vigorously defend the action."

Privacy

The Postal Service is Running a 'Covert Operations Program' That Monitors Americans' Social Media Posts (yahoo.com)

The law enforcement arm of the U.S. Postal Service has been quietly running a program that tracks and collects Americans' social media posts, including those about planned protests, according to a document obtained by Yahoo News. From the report: The details of the surveillance effort, known as iCOP, or Internet Covert Operations Program, have not previously been made public. The work involves having analysts trawl through social media sites to look for what the document describes as "inflammatory" postings and then sharing that information across government agencies. "Analysts with the United States Postal Inspection Service (USPIS) Internet Covert Operations Program (iCOP) monitored significant activity regarding planned protests occurring internationally and domestically on March 20, 2021," says the March 16 government bulletin, marked as "law enforcement sensitive" and distributed through the Department of Homeland Security's fusion centers. "Locations and times have been identified for these protests, which are being distributed online across multiple social media platforms, to include right-wing leaning Parler and Telegram accounts."

Privacy

'Fourth Amendment Is Not For Sale Act' Would Ban Clearview and Warrantless Location Data Purchases (vice.com)

A sweeping proposed piece of legislation with support from both Democrats and Republicans will ban law enforcement agencies from buying data from controversial firm Clearview AI, as well as force agencies to obtain a warrant before sourcing location data from brokers. From a report: The news presents significant action against two of the main avenues of law enforcement surveillance uncovered in recent years: the widespread proliferation of facial recognition technology using images scraped from social media, and the warrantless supply chain of location data from ordinary smartphone apps, through middlemen, and eventually to agencies. "The Fourth Amendment Is Not For Sale Act is, in my view, a critically important bill that will prevent agencies from circumventing core constitutional protections by purchasing access to data they would otherwise need a warrant to obtain," Kate Ruane, senior legislative counsel at the American Civil Liberties Union (ACLU), told Motherboard in a phone call. The ACLU and a host of civil, digital, and race activism groups have endorsed the bill, according to the office of Senator Ron Wyden, which has spearheaded the legislation. "I think it is a clear and good step for Congress to take, and I hope that the bill moves forward quickly," Ruane added.

Youtube

YouTube CEO Susan Wojcicki Gets 'Freedom Expression' Award Sponsored By YouTube (newsweek.com)

An anonymous reader quotes a report from Newsweek: YouTube CEO Susan Wojcicki received a "Free Expression" award from the Freedom Forum Institute in a virtual ceremony sponsored by YouTube, an online video platform owned by Google. On Thursday, YouTube creator Molly Burke presented Wojcicki with the accolade in a video shared to the platform. "I'm so excited to be here tonight to present Susan Wojcicki with the Free Expression award. As the CEO of YouTube, Susan is facing some of the most critical issues around free expression today," Burke said.

Following the ceremony, some Twitter users mocked Wojcicki for receiving an award that was sponsored by her own platform. "YouTube CEO won a Free Speech award...sponsored by YouTube. Hahahahhhaahhhahhahahahaaaaaaa," one user wrote. Another wrote, "Lol, youtube receiving an award for free expression/pro first amendment is Orwellian s***. What's next, Facebook getting an award for respecting privacy?"

Privacy

Geico Admits Fraudsters Stole Customers' Driver's License Numbers For Months (techcrunch.com)

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.

The Internet

WordPress To Automatically Disable Google FLoC On Websites (bleepingcomputer.com)

AmiMoJo writes: WordPress announced over the weekend that they plan on treating Google's new FLoC tracking technology as a security concern and hence block it by default on WordPress sites. For some time, browsers have begun to increasingly block third-party browser cookies used by advertisers for interest-based advertising. In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses a web browser to anonymously place users into interest or behavioral buckets based on how they browse the web. After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.

"WordPress powers approximately 41% of the web -- and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code," says WordPress. WordPress states that this code is planned for WordPress 5.8, scheduled for release in July 2021. As FLoC is expected to roll out sooner, WordPress is considering back-porting this code to earlier versions to "amplify the impact" on current versions of the blogging platform.

Further reading: Nobody is Flying To Join Google's FLoC.
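The header mechanism the WordPress proposal refers to, as an added example that is not WordPress's own patch: hooking the real `wp_headers` filter to send a `Permissions-Policy: interest-cohort=()` response header, which tells Chrome not to use visits to this site when computing a visitor's FLoC cohort. The function name is my own, and the snippet merges into any Permissions-Policy header another plugin already set rather than overwriting it.

```php
<?php
/**
 * Added example: opt a WordPress site out of FLoC cohort calculation.
 * Chrome honours the Permissions-Policy "interest-cohort" directive; an
 * empty allowlist "()" means no origin may use the feature on this page.
 * example_add_floc_optout is an assumed name; wp_headers is a real hook.
 */

/**
 * Merge the FLoC opt-out directive into the outgoing response headers.
 * If a Permissions-Policy header is already present (set by another plugin
 * or theme), append to it instead of clobbering its existing directives,
 * and do not add the directive twice if the filter runs more than once.
 */
function example_add_floc_optout( array $headers ) {
    $directive = 'interest-cohort=()';
    $existing  = isset( $headers['Permissions-Policy'] ) ? trim( $headers['Permissions-Policy'] ) : '';

    if ( '' === $existing ) {
        $headers['Permissions-Policy'] = $directive;
    } elseif ( false === strpos( $existing, 'interest-cohort' ) ) {
        $headers['Permissions-Policy'] = $existing . ', ' . $directive;
    }
    return $headers;
}

// Register with WordPress only when running inside it, so the function can
// also be exercised stand-alone from the command line.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_headers', 'example_add_floc_optout' );
} elseif ( PHP_SAPI === 'cli' ) {
    // Stand-alone demonstration of both merge paths.
    print_r( example_add_floc_optout( array() ) );
    print_r( example_add_floc_optout( array( 'Permissions-Policy' => 'geolocation=()' ) ) );
}
```

A reverse proxy or CDN in front of the site may rewrite response headers, so confirm the directive on a live page (for example with `curl -sI` against the site) rather than trusting the filter alone.
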

Facebook

Facebook Urged To Reconsider Its Plans for an Instagram for Children (theguardian.com)

Instagram for kids is a terrible idea, argues a columnist for the Observer. And yet: In March, Buzzfeed reported on Facebook's plans to develop a product for those too young to sign up to Instagram officially, as the platform requires users to be at least 13... Facebook says it will allow the company to focus on privacy and safety for children.

Last week, an international coalition of children's health advocates, brought together by the Boston-based, non-profit Campaign for a Commercial-Free Childhood, disagreed and wrote an open letter to Zuckerberg urging the company to drop its plans. "While collecting valuable family data and cultivating a new generation of Instagram users may be good for Facebook's bottom line, it will likely increase the use of Instagram by young children who are particularly vulnerable to the platform's manipulative and exploitative features," it said...

Maybe it is naive of me to expect that children will have any period of freedom from wondering "but how will it/I look?", but surely we should at least try to maintain that for as long as possible.

The Almighty Buck

Apple's App Store Hosted Kiddie Games With Secret Gambling Dens Inside (theverge.com)

According to app developer Kosta Eleftheriou, Apple's App Store hosted a kid's game that's actually a front for gambling websites. "The secret password isn't one you'd be likely to guess: you have to be in the right country -- or pretend to be in the right country using a VPN," writes Sean Hollister via The Verge. "But then, instead of launching an ugly monkey-flipping endless runner game filled with typos and bugs, the very same app launches a casino experience." From the report: The app, "Jungle Runner 2k21," has already disappeared from the App Store, presumably thanks to publicity from Gizmodo and Daring Fireball, who each wrote about Eleftheriou's finding earlier today. It's not the only one, though: the same developer, "Colin Malachi," had another incredibly basic game on the App Store called "Magical Forest - Puzzle" that was also a front for gambling. [...] I accessed them from a VPN server in Turkey. While Daring Fireball notes that users in other non-US countries like Italy also seem to have been able to access the gambling sites, I tried them with a number of other locations including Italy without success.

Unlike the multi-million dollar App Store scams that Eleftheriou uncovered earlier this year, it's not hard to see why Apple's App Store review program might have missed these -- they largely look like your typical shovelware if you don't know the trick, with only a handful of tells... like the fact that Jungle Runner uses a Pastebin for its privacy policies. It's not necessarily clear to me that they'd be violating very many of Apple's App Store policies, either. Gambling apps are permitted by Apple, as long as they're geo-restricted to regions where that gambling is permitted by law, and you could maybe argue that's exactly what this developer did by checking your IP address.

Google

Nobody is Flying To Join Google's FLoC (theverge.com)

Google is all alone with its proposed advertising technology -- FLoC -- to replace third-party cookies. Every major browser that uses the open source Chromium project has declined to use it, and it's unclear what that will mean for the future of advertising on the web. Firefox, Safari, Microsoft Edge, Vivaldi, and Brave have said they are not implementing Google's FLoC into their browsers.

Security

Google Backs New Security Standard for Smartphone VPN Apps (zdnet.com)

The Internet of Secure Things Alliance, an IoT security certification body (a.k.a. ioXt), has launched a new security certification for mobile apps and VPNs. From a report: The new ioXt compliance program includes a 'mobile application profile' -- a set of security-related criteria against which apps can be certified. The profile or mobile app assessment includes additional requirements for virtual private network (VPN) applications. Google and Amazon had a hand in shaping the criteria, along with a number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google's VPN within the Google One service is one of the first to be certified against the criteria. Mobile app makers can get their apps certified against a set of security and privacy requirements. The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance. About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.

Google

Australia Finds Google Misled Users Over Data Collection (cnbc.com)

Australia's federal court found that Google misled users about personal location data collected through Android mobile devices between 2017 and 2018, the country's competition regulator said Friday. From a report: The Australian Competition and Consumer Commission (ACCC) -- which launched legal proceedings against Google in 2019 -- said the ruling was an "important victory for consumers" with regard to the protection of online privacy. Google misled Android users into thinking the search giant could collect personal data only if the "location history" setting was on, the ACCC said. The court found that Google could still collect, store and use personally identifiable location data if the setting for "web and application activity" was on -- even if "location history" was turned off. "This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court's decision sends a strong message to Google and others that big businesses must not mislead their customers," ACCC Chair Rod Sims said in a statement.

Privacy

Amazon Tried To Coerce Ecobee Into Collecting Private User Data, the WSJ Reports (theverge.com)

Amazon tried to use its power to coerce Ecobee into using its smart home products to collect user data by threatening Ecobee's ability to sell its products on Amazon, according to a report from The Wall Street Journal. The Verge reports: As of now, Ecobee's products can still be purchased on Amazon, but the WSJ claims that negotiations between Ecobee and Amazon are ongoing. According to the WSJ, the online retail giant asked Ecobee to share data from its Alexa-enabled smart thermostats, even when the customer wasn't actively using the voice assistant. Ecobee reportedly refused to have its devices constantly report back to Amazon about the state of the user's home, including data on which doors were locked or unlocked and the set temperature. The reasoning was that enabling its devices to report this data to Amazon would be a violation of its customers' trust.

Ecobee may have also been concerned that Amazon wanted the data to build competing products. The retail giant has a reputation for taking non-public sales data and using it to develop products -- something that's come up in antitrust investigations in the US and EU. Amazon has also been accused of using this sales data to directly copy and compete with other companies using its Amazon Basics brand.

Communications

Striking Charter Workers Build ISP Where 'Profits Are Returned To Users' (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Charter Communications employees who have been on strike since 2017 are building an Internet service provider in New York City called "People's Choice." "People's Choice Communications is an employee-owned social enterprise launched by members of IBEW Local #3 to bridge the digital divide and help our neighbors get connected to the Internet during the COVID-19 pandemic," the ISP's website says. "We are the workers who built a large part of New York City's Internet infrastructure in the first place. We built out [Charter] Spectrum's cable system, until in 2017, the company pushed us out on strike by taking away our healthcare, retirement, and other benefits. It's now the longest strike in US history."

So far, People's Choice says it has completed rooftop antenna installations at two schools in the Bronx and installed "hardline connections to wireless access points connecting 121 units" at housing for survivors of domestic violence who have disabilities. A Gizmodo article said the system is equipped to offer minimum speeds of 25Mbps downstream and 3Mbps upstream, meeting a broadband standard that has been used by the Federal Communications Commission since 2015. "We have a big portion of most of the Bronx covered with our antenna," IBEW Local #3 steward Troy Walcott told Gizmodo. "Now we have to go building by building to let people know we're out there and start turning them on." "A few dozen Spectrum strikers have been actively involved in the installations, but Walcott expects that at least one hundred workers are waiting in the wings for the project to scale up," the Gizmodo article said.

"We work in affordable housing, supportive housing, co-op housing, NYCHA [NYC Housing Authority], homeless shelters, and regular old apartment complexes," the webpage notes. You can fill out this form if you're interested in bringing broadband to your building.

"After we build out a network in your building, it transfers to cooperative ownership, so profits are returned to users," the People's Choice website says. "We are able to provide high-speed service in most cases for $10-$20/month. No more cable company ripping you off, and as an owner, you have a vote in policies like data privacy."

Facebook

Ireland Opens GDPR Investigation Into Facebook Leak (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Facebook's lead data supervisor in the European Union has opened an investigation into whether the tech giant violated data protection rules vis-a-vis the leak of data reported earlier this month. Here's the Irish Data Protection Commission's statement:

"The Data Protection Commission (DPC) today launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet. This dataset was reported to contain personal data relating to approximately 533 million Facebook users worldwide. The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses.

The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users' personal data. Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect."

"We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services," Facebook said in a statement. "These features are common to many apps and we look forward to explaining them and the protections we have put in place."

Privacy

EFF Partners With DuckDuckGo (eff.org)

The Electronic Frontier Foundation (EFF) today announced it has enhanced its groundbreaking HTTPS Everywhere browser extension by incorporating rulesets from DuckDuckGo Smarter Encryption. According to the digital rights group's press release, HTTPS Everywhere is "a collaboration with The Tor Project and a key component of EFF's effort to encrypt the web and make the Internet ecosystem safe for users and website owners." From the press release: "DuckDuckGo Smarter Encryption has a list of millions of HTTPS-encrypted websites, generated by continually crawling the web instead of through crowdsourcing, which will give HTTPS Everywhere users more coverage for secure browsing," said Alexis Hancock, EFF Director of Engineering and manager of HTTPS Everywhere and Certbot web encrypting projects. "We're thrilled to be partnering with DuckDuckGo as we see HTTPS become the default protocol on the net and contemplate HTTPS Everywhere's future."

EFF began building and maintaining a crowd-sourced list of encrypted HTTPS versions of websites for a free browser extension -- HTTPS Everywhere -- which automatically takes users to them. That keeps users' web searching, pages visited, and other private information encrypted and safe from trackers and data thieves that try to intercept and steal personal information in transit from their browser. [...] DuckDuckGo, a privacy-focused search engine, also joined the effort with Smarter Encryption to help users browse securely by detecting unencrypted, non-secure HTTP connections to websites and automatically upgrading them to encrypted connections. With more domain coverage in Smarter Encryption, HTTPS Everywhere users are provided even more protection. HTTPS Everywhere rulesets will continue to be hosted through this year, giving our partners who use them time to adjust. We will stop taking new requests for domains to be added at the end of May.

Iphone

How the FBI Managed To Get Into the San Bernardino Shooter's iPhone (theverge.com)

A new report from The Washington Post reveals how the FBI gained access to an iPhone linked to the 2015 San Bernardino shooting. Apple refused to build a backdoor into the phone, citing the potential to undermine the security of hundreds of millions of Apple users, which kicked off a legal battle that only ended after the FBI successfully hacked the phone. Thanks to the Washington Post's report, we now know the methods the FBI used to get into the iPhone. Mitchell Clark summarizes the key findings via The Verge: The phone at the center of the fight was seized after its owner, Syed Rizwan Farook, perpetrated an attack that killed 14 people. The FBI attempted to get into the phone but was unable to due to the iOS 9 feature that would erase the phone after a certain number of failed password attempts. Apple attempted to help the FBI in other ways but refused to build a passcode bypass system for the bureau, saying that such a backdoor would permanently decrease the security of its phones. After the FBI announced that it had gained access to the phone, there were concerns that Apple's security could have been deeply compromised. But according to The Washington Post, the exploit was simple: [An Australian security firm called Azimuth Security] basically found a way to guess the passcode as many times as it wanted without erasing the phone, allowing the bureau to get into the phone in a matter of hours.

The technical details of how the auto-erase feature was bypassed are fascinating. The actual hacking was reportedly done by two Azimuth employees who gained access to the phone by exploiting a vulnerability in an upstream software module written by Mozilla. That code was reportedly used by Apple in iPhones to enable the use of accessories with the Lightning port. Once the hackers gained initial access, they were able to chain together two more exploits, which gave them full control over the main processor, allowing them to run their own code. After they had this power, they were able to write and test software that guessed every passcode combination, ignoring any other systems that would lock out or erase the phone. The exploit chain, from Lightning port to processor control, was named Condor. As with many exploits, though, it didn't last long. Mozilla reportedly fixed the Lightning port exploit a month or two later as part of a standard update, which was then adopted by the companies using the code, including Apple.

AI

Detroit Man Sues Police For Wrongfully Arresting Him Based On Facial Recognition

A man who was falsely accused of shoplifting has sued the Detroit Police Department for arresting him based on an incorrect facial recognition match. The American Civil Liberties Union filed suit on behalf of Robert Williams, whom it calls the first US person wrongfully arrested based on facial recognition. The Verge reports: The Detroit Police Department arrested Williams in 2019 after examining security footage from a shoplifting incident. A detective used facial recognition technology on a grainy image from the video, and the system flagged Williams as a potential match based on a driver's license photo. But as the lawsuit notes, facial recognition is frequently inaccurate, particularly with Black subjects and a low-quality picture. The department then produced a photo lineup that included Williams' picture, showed it to a security guard who hadn't actually witnessed the shoplifting incident, and obtained a warrant when that guard picked him from the lineup.

Williams -- who had been driving home from work during the incident -- spent 30 hours in a detention center. The ACLU later filed a formal complaint on his behalf, and the prosecutor's office apologized, saying he could have the case expunged from his records. The ACLU claims Detroit police used facial recognition under circumstances that they should have known would produce unreliable results, then dishonestly failed to mention the system's shortcomings -- including a "woefully substandard" image and the known racial bias of recognition systems.

Privacy

School Custodian Refuses To Download Phone App That Monitors Location, Says It Got Her Fired (www.cbc.ca)

Michelle Dionne, a former employee at a cleaning company in Darwell, Alberta, says she was fired for refusing to download an app that would check her location and ensure she was working her scheduled hours. CBC.ca reports: Dionne says she was thrilled to get the job last fall -- responsible for things like disinfecting door handles, light switches and bathrooms to prevent possible spread of the coronavirus. When her boss told her to download the app, Dionne says she was concerned about her privacy. The app would go on her personal phone and, she says, her boss didn't clearly explain how it worked or what would happen to any data it collected. [...] The app, called Blip, generates a geofence -- a virtual boundary, created by the employer using GPS -- that detects when an employee enters or leaves. The app registers a signal from the worker's cell phone, when their "locations" setting is turned on, so the boss can tell whether an employee is on site and how many hours that person works. It only registers an employee's location when they enter and exit the geofence and doesn't track their specific movements. It's not clear where that data is stored, or whether any other employee information might be included.

Go Public reached out to the maker of the app, U.K.-based BrightHR. Spokesperson Natalie Shallow said, although the app collects data, that data "belongs to the customer organization" -- meaning, the company using the app -- and therefore is subject to the company's own policies. The data's protection "complies with all applicable laws, including Alberta's Personal Information Protection Act," Shallow said. Dionne worried about where the information might end up. She knew apps like Instagram, Facebook and others had been breached. She says no one told her how securely the information would be protected.

Dionne's former boss admits she didn't know where the data generated by Blip would be stored when she introduced the app to her workforce last fall. "I never asked that question and it never came up in my mind to ask," said Hanan Yehia, founder and owner of H.Y. Cleaning Services, which operates cleaning services for eight locations in northern Alberta. She says after Dionne raised concerns, she went back to BrightHR for more information and was told employees' movements within the geofence are not specifically monitored. Yehia says she shared that information with Dionne. The app was a solution to a problem, says Yehia -- she was looking for a way to simplify payroll by easily tracking hours and making sure employees who claimed they were working were actually on the job. "We had some issues in some locations where they would say they were on site, that they were working, but they weren't," she said, clarifying that attendance was not an issue with Dionne. She also says Dionne's refusal to download the app wasn't the sole reason she was fired.
