The Security and Exchange Commission (SEC) has warned investors away from dealing with iBSmartify Nigeria cryptocurrency offerings in an effort to clamp down on crypto-related scams and unregulated products.  For many — especially early investors in Bitcoin (BTC) and Ethereum (ETH) — the cryptocurrency sector is an innovative, interesting marketplace that can provide lucrative returns […] More

The story that an iPhone owner’s personal data was leaked online while it was in the hands of an authorized Apple repair center should bring chills to any owner of Apple hardware out there.And Apple’s response to the matter is even more worrying.This incident happened in 2016 at a Pegatron facility in California.It’s quite shocking. Our devices contain a vast array of private and personal data, ranging from health and financial data, our communications, movements, and personal photos and videos.The idea that someone could be going through this when a device is in for repair and go as far as to share that information is appalling.Must read: I just found my lost AirTag… you’ll never guess where it went

Apple is a company that claims to put privacy at the core of everything it does. And yet, everything about how it handled this, to its inaction since, suggests Apple is more concerned about its image rather than user privacy.

The fact that Apple’s involvement in this was kept confidential, becoming public only as a result of a legal dispute between Pegatron and its insurer over the cost, doesn’t look good.Now, there are always going to be people who end up in positions of trust that shouldn’t be trusted. It’s a fact of life. But Apple is supposedly leading the way when it comes to user privacy, and that should include the privacy of users wanting their devices repaired.It’s unclear here whether the repair center asked for access to the iPhone in question, or whether the device was unprotected, but either way, the best way to prevent this from happening is to make it so that it can’t happen.Just as some cars, such as Tesla, have a valet mode that secures certain features of the vehicle from access, Apple needs to implement a similar feature for its devices. This “repair mode” feature would allow repairers access to the device but no access to any of the data on the device. This would be a great addition to newer devices, closing a privacy loophole.I would also expect authorized repair centers to offer an environment where snooping on data, and being able to copy or share it, would be hard to do. I’ve seen secured repair facilities where CCTV is in use, the test networks don’t have access to the internet and are managed, and employees are not allowed to bring their own tech into the repair areas. This is somewhat extreme, but as users are asked to trust Apple with more and more of their data, there needs to be a barrier between repair agents and the user’s personal data. An alternative is a secure backup followed by a wipe before a device is handed over for repair, with the data reloaded following the repair. I know that companies try to cut costs when to comes to repair, especially when it comes to warranty work, but for a company rolling in cash, that’s a poor excuse.Also, while taking control of the privacy and security of user data during repair sounds costly, privacy breaches are costly, both in monetary terms and bad publicity.Apple does offer users tips on getting their device ready for service, which shifts the responsibility to the user. Problem is, depending on what’s wrong with a device or how it is damaged, this is not always possible. For example, on an iPhone with a dead screen, suffering from water intrusion, or stuck in a boot loop, this isn’t going to be possible. Owners should be confident they can send in their hardware for service without having that data snooped on even if they can’t securely erase it. You might also think that this is a lot for Apple in response to a single case from 2016, but given that Apple wanted to keep this quiet, we must bear in mind that this could be the one case we know of out of many that we don’t.Suppressing its involvement in these things isn’t helping secure end users. It just allows Apple to pretend that it’s not an issue.And it clearly is a problem. More

The Office of the Australian Information Commissioner (OAIC) has made available the outcomes of its latest privacy complaint investigations, including a determination made against Services Australia.
In the complaint against the CEO of Services Australia, Australian Information and Privacy Commissioner Angelene Falk found that the federal government department interfered with the complainant’s privacy as defined in the Privacy Act 1988 by breaching one of the guiding privacy principles.
Specifically, the department disclosed the complainant’s personal information in breach of privacy principle 11.
Australian Privacy Principles (APP) 11 requires an APP entity to take active measures to ensure the security of personal information it holds, and to actively consider whether it is permitted to retain personal information.
The entity must also take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification, or disclosure; and they must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.

However, this requirement does not apply where the personal information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information.
In her declaration, Falk said she found that Services Australia engaged in conduct constituting an interference with the privacy of the complainant; and must pay the complainant AU$3,000 for non-economic loss caused by the interference with the complainant’s privacy within 60 days of the date of determination. The determination was made on 30 June 2020.
See also: Robo-debt: Minister claims the government is not built for refunds
The complainant’s grievance relates to the collection of her personal information by the former Child Support Agency (CSA) and former department administering child support, and subsequent disclosure to the complainant’s ex-partner in 2012. Services Australia now administers child support.
As explained by the OAIC, the complainant applied to CSA for a change of assessment to the amount of child support paid by her ex-partner. On receipt of the ex-partner’s objection review application, CSA collected the complainant’s personal information from her bank, but did not notify her of that action.
The complainant applied to the Social Security Appeals Tribunal for a review of the objection decision, at which time CSA disclosed the complainant’s personal information to the Tribunal and to the ex-partner as part of the Tribunal review process.
The complainant claimed that the bank statement revealed her personal information in the form of places she frequented. The complainant added that she feared harm from the ex-partner and that she had attempted to keep her location unknown to him.
She had previously obtained a Family Violence Order against the ex-partner.
The complainant was originally seeking compensation of AU$30,000.
Other recent determinations made by Falk include the compensation of AU$3,000 to the complainant for non-economic loss and AU$2,000 for aggravated damages regarding a breach of privacy principle 12 by a psychologist; and compensation of AU$10,000 for non-economic loss and AU$3,400 for economic loss to the first complainant and AU$3000 to the second complainant for non-economic loss in a breach of a few privacy principles by a medical clinic.
RELATED COVERAGE
Services Australia’s proud achievements include answering the phone
Minister Stuart Robert talks about respect and transparency, but they require more than just answering the phone. They even require more than a personalised dashboard. They require wholesale culture change.
Australians made over 3,000 privacy complaints last year
3,306 privacy complaints were made to the Office of the Australian Information Commissioner in 2018-19 and the commissioner has finally admitted her office needs more assistance.
Australian Privacy Commissioner offers advice on staff privacy amid COVID-19
Employers given a little reminder that their Privacy Act obligations still apply, even in a global pandemic.
Accidental personal info disclosure hit Australians 260,000 times last quarter
85 cases of human error resulted in 269,621 instances of Australians having their personal information disclosed accidentally. More

Image: ZDNet
GitHub has denied rumors today of getting hacked after a mysterious entity shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals.
The “supposed” source code was leaked via a commit to GitHub’s DMCA section.
The commit was also faked to look like it originated from GitHub CEO Nat Friedman.
But in a message posted on YCombinator’s Hacker News portal, Friedman denied that it was him and that GitHub got hacked in any way.
Friedman said the “leaked source code” didn’t cover all of GitHub’s code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers in case they need to store source code locally for security reasons but still want to benefit from GitHub Enterprise features.
Friedman said this source code had already leaked months before due to its own error when GitHub engineers accidentally “shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers.”

Image: ZDNet
Friedman promised that GitHub was going to fix the two bugs exploited by the leaker and prevent unauthorized parties from attaching their code to other people’s projects via faked identities.

“In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all’s right with the world,” Friedman said.
Not the first time
But this is not the first time that this happened on GitHub.
One of the two bugs was used just days earlier when a security researcher attached the source code of the youtube-dl library to GitHub’s DMCA section.
The security researcher’s gesture came as a form of protest after GitHub decided to honor a suspicious DMCA takedown request against the youtube-dl library from music recording industry group RIAA.

Image: ZDNet
While the mystery leaker never explained their actions, it is believed that the person who leak the GitHub Enterprise Server code was also protesting against GitHub’s decision to honor RIAA’s DMCA request and take down youtube-dl, a project that lets users download raw audio and video files from YouTube and other services — which RIAA argued was heavily used to pirate its songs catalog.
For the past week, hundreds of other users have been re-uploading the youtube-dl code on their own accounts and daring RIAA to send them a DMCA request too. GitHub has warned users not to do so, as they risk getting banned by its automated systems. More

Image:Azlan Baharudin Special feature Cyberwar and the Future of Cybersecurity Today’s security threats have expanded in scope and seriousness. There can now be millions — or even billions — of dollars at risk when information security isn’t handled properly. Read More A Chinese state-sponsored hacking group has been targeting Malaysian government officials, computer experts with […] More