More stories

  • Ed tech wrongfully tracked school children during pandemic: Human Rights Watch

    Globally, students who were required to use government-endorsed education technology (ed tech) during the COVID-19 pandemic had their contact, keystroke, and location data collected and sold to ad tech companies, according to the Human Rights Watch (HRW).

    A total of 146 of 164 government-endorsed ed tech products endangered the privacy of children, with 199 third-party companies receiving personal data, the HRW said.

    Further, only 35 endorsed vendors disclosed that user data would be collected for behavioural advertising, whilst a total of 23 products were developed with children as primary users in mind.

    “In the absence of alternatives, children faced a singular choice whether they were aware of it or not: Attend school and use an ed tech product that infringes upon their privacy, or forgo the product altogether, be marked as absent, and be forced to drop out of school during the pandemic,” the HRW wrote in its report How dare they peep into my private life.

    The HRW investigation, which began in March 2021, examined the uptake of students using ed tech products as a result of a surge in home learning during pandemic lockdowns — a rise that saw education apps used for an estimated 100 million cumulative hours per week, up 90% from the same period in 2019.

    Of the products investigated, 39 were mobile apps, 91 were websites, and 34 were available in both formats. Apps running on Google’s Android system were the focus of the report, with the HRW citing it as the “dominant mobile operating system worldwide”. Meta was also caught up in the investigation, with the HRW finding that 31 ed tech websites sent data to Facebook through Facebook Pixel — a technology that collects data, and later facilitates targeted ads on Facebook and Instagram.

    In Australian schools, the HRW investigation concluded the following products had the capability to track students: Minecraft Education Edition, Cisco’s Webex, Education Perfect, Microsoft Teams, Zoom, Webex, and Adobe Connect. Outside of Australia, nine governments including Ghana, India, Indonesia, Iran, Iraq, Russia, Saudi Arabia, Sri Lanka, and Turkey, built and offered 11 education apps that had the capability to collect Android advertising ID from children. An estimated 41 million students and teachers had their privacy put at risk by these apps, according to the HRW.

    The HRW made the following recommendations for governments to remedy the privacy breach: Adopt child-specific data protection laws; enact and enforce laws to prevent companies from exploiting the rights of children; ban the profiling of children; and ban behavioural advertising to children among others.

    The report also recommended changes for technology companies including to stop collecting and processing children’s data for user profiling, and provide child-friendly privacy policies among others.

  • Meta updates privacy policy with more detail about what data it collects

    Meta said after being “inspired” by user feedback and privacy experts, the company has rewritten its privacy policy “to make it easier to understand”. The updated policy, formerly referred to as its data policy, now provides examples of what information is collected, and how it is used, shared, retained, and transferred, including with […]

  • How to encrypt your email and why you should

    Data privacy has become absolutely crucial for businesses. And some businesses go to great lengths to protect their data, files, and communications. But consumers and smaller businesses seem to think that adding extra security isn’t worth the extra work required. The problem with this take is anyone who refuses to take the extra steps might find themselves on the wrong end of a data breach.

    You might have sent some sensitive information in an innocent email, only to find some bad actor intercepted the message and was able to easily read the content of that email and extract the information. You don’t want that. Even if it does require an extra bit of work on your part, being safe is much better than being sorry. So what do you do? You encrypt your email (or the email containing sensitive information).

    What is email encryption?

  • Google is adding these IT security integrations to Chrome

    Google on Thursday announced it’s adding a collection of plug-and-play integrations into Chrome with popular IT security tools. This will make it easier for IT teams to keep workers safer — on the Chrome browser and using Chrome OS devices — with the security products they already use.  The new Chrome Enterprise Connectors Framework […]

  • Some QCT servers vulnerable to 'Pantsdown' flaw say security researchers

    Researchers have disclosed the existence of the critical “Pantsdown” vulnerability in some Quanta Cloud Technology (QCT) server models. On Thursday, cybersecurity firm Eclypsium said that several servers belonging to the data center solutions provider were still vulnerable to the bug, which has been publicly known for years now.

    The vulnerability, tracked as CVE-2019-6260, was first discovered in January 2019. At the time one security researcher described it as “the nature of feeling that we feel that we’ve caught chunks of the industry with their….”

    CVE-2019-6260, issued a CVSS severity score of 9.8, or critical, is a vulnerability in ASPEED Baseboard Management Controller (BMC) hardware & firmware. AHB bridges, in particular, can be exploited for arbitrary read/write access, leading to information leaks, code execution, data tampering or theft, or denial-of-service (DoS) attacks.

    At the time of disclosure, Pantsdown impacted multiple firmware BMC stacks including AMI, SuperMicro, and OpenBMC (up to v.2.6). Exploits exist in the wild that harness the Pantsdown bug, potentially placing enterprise servers at risk.

    According to Eclypsium, some QCT server models are still vulnerable to CVE-2019-6260. The team tested a QuantaGrid D52B rackmount server containing update package version 1.12 — with a release date of 2019.04.23 — and BIOS version 3B13, as well as BMC version 4.55.00.

    “This same firmware package names support for D52BQ-2U, D52BQ-2U 3UPI, and D52BV-2U models of the server,” the team noted. “On inspection, we found that the server contained an Aspeed 2500 BMC (AST2500(A2)) and was running a version of AMI-based BMC software vulnerable to Pantsdown.”

    During tests, the researchers were able to patch the web server code while it was running in memory on the BMC by exploiting CVE-2019-6260, granting themselves read/write access to memory. Furthermore, they could replace it with their own crafted code to trigger a reverse shell whenever a user attempted to connect to the server or refresh its linked webpage.

    Eclypsium created proof-of-concept (PoC) code that they say “demonstrates how even an unsophisticated attacker with remote access to the operating system could leverage this vulnerability to gain code execution within the BMC of QCT servers.”

    The presence of the vulnerability in Quanta servers was disclosed on October 7, 2021. According to Eclypsium, QCT has now patched the vulnerability and new firmware was made available privately to customers.

    Eclypsium VP of Technology, John Loucaides, told ZDNet:

    “Unfortunately, we cannot be sure just how many server models are vulnerable. Some of our partners have run our tests on other models and found the same issue. Given that even some major manufacturers did not run comprehensive tests for this, no one is likely to have a complete list.”

    ZDNet has reached out to Quanta and we will update when we hear back.

  • Time to update: Google Chrome 102 arrives with 32 security fixes, one critical

    Google has released stable Chrome version 102 with 32 security fixes for the browser on Windows, Mac and Linux.  Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There’s one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also […]

  • Microsoft: Here's how to defend Windows against these new privilege escalation attacks

    Microsoft has detailed how Windows customers can defend themselves from automated ‘Kerberos Relay’ attacks that can give an attacker System privileges on a Windows machine.  Microsoft has responded to the April release of KrbRelayUp, a tool that streamlines several earlier public tools to escalate privileges from a low-privileged Windows domain user to […]