Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News
Tue, 07 Jun 2022 20:49:37 +0000

Telegram is providing Police with user information in several cases, contradicting the company’s privacy policy. Use it with a burner phone and VPN
https://www.securitynewspaper.com/2022/06/07/telegram-is-providing-police-with-user-information-in-several-cases-contradicting-the-companys-privacy-policy-use-it-with-a-burner-phone-and-vpn/
Tue, 07 Jun 2022 20:49:30 +0000

According to an investigation by German platform Spiegel, instant messaging platform Telegram has handed over information from its users to Germany’s Federal Criminal Police Office (BKA) in multiple cases involving terrorist activities and child abuse.

The report notes that, while it is still difficult to obtain access orders for this information, at least since 2018 Telegram has been adopting measures to comply with the legal provisions of some governments in the West, willing to share IP addresses and telephone numbers when required by a court.

These changes can even be seen in the application’s usage policies. In the section “WHO YOUR PERSONAL DATA MAY BE SHARED WITH”, Telegram shares some details about this possible scenario: “If Telegram receives a court order confirming that you are suspected of terrorism, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened. When it happens, we will include it in a semi-annual transparency report published in https://t.me/transparency.”

Free interpretation

While this is a valid cause for the deployment of intelligence tasks, it is known that governments around the world have always used counterterrorism policies to validate the implementation of invasive measures.

The German government itself already carries out some surveillance tasks on opposition groups and civil interest groups. Recently, a German court had to order the state intelligence agency BfV to halt its investigations into the Alternative for Germany (AfD) party, a right-wing political group that opposes immigration, among other ultra-nationalist measures.

In addition, the governments of the United States and Canada have been deploying mass surveillance tasks for years under the pretext of combating terrorist activities.

Privacy structure

In this regard, Telegram published a message endorsing its commitment to protecting the confidential information and conversations of its users: “Secret chats on the platform use end-to-end encryption, so we do not have any data to reveal.” Still, it’s important to mention that Telegram doesn’t use end-to-end encryption by default.

To safeguard data that is not protected by end-to-end encryption, Telegram uses a distributed infrastructure: cloud chat data is stored in various data centers around the world that are controlled by different legal entities across multiple jurisdictions. The relevant decryption keys are divided into parts and never stored in the same place as the data, so interested parties would require several court orders to force Telegram to share this information.

Telegram considers that this structure simply makes it impossible for government agencies to access the confidential records of their users, although it has always been specified that the platform may be forced to hand over data only in sufficiently serious and relevant cases at the multinational level. Still, there are no known examples of what Telegram considers important enough to pass the scrutiny of the legal systems that safeguard its privacy structure.

Is Telegram even a good choice?

Although the general public tends to see Telegram as a safer option than platforms such as WhatsApp or Facebook Messenger, many experts do not share this view. Moxie Marlinspike, the developer of the encrypted messaging service Signal, has become one of Telegram’s harshest critics: “I’m surprised that the media refers to Telegram as an encrypted messaging service; Telegram has a lot of attractive features, but there’s no worse option in terms of privacy and data collection.”

According to Marlinspike, Telegram stores on its servers all contacts, groups, media, and plain text messages that users have sent: “Almost everything we can see in the app, Telegram can see it too,” adds the developer.

For the expert, this false perception of privacy comes from a misinterpretation of the “secret chat” function: conversations that are protected with end-to-end encryption, albeit with technology that is at least questionable. Other platforms like Facebook Messenger or Instagram chat also have secret chat features or expired messages, and they don’t store users’ files on their servers.

In conclusion, Telegram is a good choice in the world of instant messaging, although users should not assume that no one can access their conversations, photos, videos, and documents sent through this platform.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Indian companies listed in stock exchange to provide infosec audits and information system inventory to government. New SEBI guidelines
https://www.securitynewspaper.com/2022/05/25/indian-companies-listed-in-stock-exchange-to-provide-infosec-audits-and-information-system-inventory-to-government-new-sebi-guidelines/
Wed, 25 May 2022 23:26:53 +0000

The Securities and Exchange Board of India (SEBI) has released another update for its “Cyber Security and Cyber Resilience Framework,” establishing a considerably short deadline to file an exhaustive information security status report. The statement applies to financial institutions and companies listed on stock exchanges.

The update considers any system storing personally identifiable information (PII) as critical equipment, making them subject to regular reviews and testing processes. Technology implementations interacting with critical operating and maintenance systems are also considered critical.

Entities providing investment services shall also maintain an updated inventory of their systems, including hardware, software, storage units, network resources and data flows. System administrators should arrange frequent security audits, carried out only by entities previously approved by CERT-In.

If that were not enough, all organizations that provide these services must submit their security reports within ten days after receiving this notification.

As many readers may guess, ten days is a ridiculously short deadline to achieve such goals, so it is anticipated that many organizations will try to challenge this decision of the Indian government.

Online platforms think this is mission impossible, especially considering that the deadline granted by the authorities includes two weekends.

It’s now legal to scrap LinkedIn users’ data for marketing purposes without their permission
https://www.securitynewspaper.com/2022/04/19/its-now-legal-to-scrap-linkedin-users-data-for-marketing-purposes-without-their-permission/
Tue, 19 Apr 2022 21:21:10 +0000

The practice of data scraping has always been the subject of controversy, because although data on websites are considered public, thousands of users and specialists believe that there should be better restrictions against this information collection method. Nonetheless, authorities seem to have a clear view about it; this week, the U.S. Court of Appeals for the Ninth Circuit ruled that LinkedIn has no argument to stop its competitor, hiQ Labs, from extracting public data from LinkedIn users.

In 2017, LinkedIn demanded that hiQ stop collecting LinkedIn data and began blocking hiQ’s access and its ability to extract data from public profiles. At the time, LinkedIn argued that hiQ’s actions violated several laws, primarily the Computer Fraud and Abuse Act (CFAA), as well as LinkedIn’s own terms of use.

In this regard, the courts in the U.S. determined that LinkedIn could not block hiQ’s access to the public data of its users; in her ruling, Circuit Judge Marsha Berzon said, “There is little evidence that LinkedIn users who choose to make their profiles public maintain an expectation of privacy with respect to the information they post.”

For LinkedIn, this decision was not enough to desist from their plans, so they took the case to the U.S. Supreme Court. However, in a previous case the Court had already decided not to penalize the extraction of publicly available information on Internet platforms, so the LinkedIn case was returned to the circuit court.

Upon receiving the case back, the Ninth Circuit ruled that the concept of access authorization will not apply to public websites. Not only can this prove useful for companies like hiQ, but it will also ensure access to relevant sources of information for journalists, researchers and companies for legitimate purposes.

Despite all the setbacks, LinkedIn doesn’t seem to have given up. In a statement, spokesman Greg Snapper said: “We are disappointed with the court’s decision. This is a preliminary decision and the case is far from over.” Snapper says LinkedIn will continue to fight to protect its users’ information.

Cyber security companies will have to apply for a yearly license to operate in Singapore
https://www.securitynewspaper.com/2022/04/11/cyber-security-companies-will-have-to-apply-for-a-yearly-license-to-operate-in-singapore/
Mon, 11 Apr 2022 22:40:45 +0000

The Singapore Cyber Security Authority (CSA) confirmed that any tech company offering cybersecurity services or products should be licensed in order to perform their operations with no legal issues. According to this report, the Authority is granting a six-month grace period to comply with this legislation.

Companies that fail to meet the legal requirements could be fined or even shut down.

The provision includes companies that will be engaged in monitoring and pentesting services, in addition to covering external providers and resellers of cybersecurity services that are licensed to operate in the country.

The government agency announced that this new provision will come into force from this Monday, April 11, as part of the Singapore Cybersecurity Act.

With this new law, authorities seek to prioritize consumer protection, ensuring that service providers meet their commitments to users and establishing mechanisms for the protection of personal information.

As for the legal consequences for entities that do not comply with this legislation, the maximum penalties could reach two years in prison, in addition to the payment of fines of between SG$36,000 and $50,000. In addition, the license payment will range from SG$500 to $360 for small and medium-sized businesses, and between SG$700 and $1,000 for large corporations.

The license will be valid for only two years. For individuals or companies submitting their applications before April 11, the authority will offer a 50% discount.

Vulnerability in next-generation homomorphic encryption allows data to be stolen even while encrypted
https://www.securitynewspaper.com/2022/03/03/vulnerability-in-next-generation-homomorphic-encryption-allows-data-to-be-stolen-even-while-encrypted/
Thu, 03 Mar 2022 17:16:13 +0000

Cybersecurity specialists report the detection of a critical vulnerability in homomorphic encryption, one of the most advanced security technologies today. According to the report, the flaw would allow threat actors to steal data even during the encryption process.

This variant of encryption allows data to be encrypted so that third parties cannot read it, although it does allow third parties and third-party technologies to perform operations using the protected data. For example, a user could use homomorphic encryption to upload sensitive data to a cloud deployment to perform data analysis; cloud solutions could perform the analyses and send the resulting information to the user without reading the sensitive data.

Aydin Aysu, an expert at North Carolina State University in charge of the research, says, “Homomorphic encryption is attractive because it preserves data privacy, but allows users to make use of that information, even though it requires a lot of computing resources.” Given the large amount of hardware and software resources required, this is not a practical implementation.

Microsoft has excelled in the development of homomorphic encryption, creating the SEAL Homomorphic Encryption Library to facilitate research among the specialized community. Aysu’s report notes that there is a way to crack homomorphic encryption using the SEAL library through a side-channel attack.

According to the report, the researchers detected this vulnerability at least in SEAL versions prior to 3.6: “This library receives constant updates, so it is likely that the flaw will be corrected in later iterations, although it is also not ruled out that later versions remain exposed to this vulnerability.”

Finally, experts point out that side-channel attacks are a widely documented hacking variant, so organizations with adequate security protocols should have no problem containing this threat: “With the advancement of homomorphic encryption, the computer industry must ensure that it incorporates the necessary security tools for protection against side-channel attacks and other security threats,” concludes Aysu.

Google Analytics banned in EU, due to privacy concerns of leaking people data to spy agencies
https://www.securitynewspaper.com/2022/01/20/google-analytics-banned-in-eu-due-to-privacy-concerns-of-leaking-people-data-to-spy-agencies/
Thu, 20 Jan 2022 17:17:02 +0000

The world’s leading tech companies continue to run into compliance problems with the European Union’s strict General Data Protection Regulation (GDPR), even 4 years after its entry into force. This week, privacy advocates in Austria advanced legal proceedings against websites that use Google Analytics, the most widely used set of computer tools for tracking the activities of millions of website users.

In a case brought before the Austrian Data Protection Authority, it is mentioned that the operators of a health-focused website violated various provisions set out in the GDPR, transferring the personal data of their users to Google using the Analytics tool. European law states that it is illegal for a company to send personal information to companies in the U.S. if they cannot guarantee that this data will not be available to American intelligence agencies.

This case was brought as part of an initiative by activist Max Schrems and None of your Business (NOYB), his privacy advocacy group. This was a multinational initiative, so it is anticipated that more countries will make similar decisions in the near future; if so, websites operating in the European Union may stop using Google Analytics and other U.S.-based cloud services.

This week, the activist stated: “We have filed 101 complaints in basically every member state of the European Union. We formed a working group, so we expect the other data protection authorities to now come up with similar decisions, creating a domino effect.”

It is worth mentioning that the resolution was not entirely favorable to privacy advocates. While the Austrian authority ruled against the website that sent the data to the U.S., the complaint against Google was dismissed, as the GDPR breach was committed by the company exporting the data.

In addition to stopping using Google’s cloud services, European companies also expect authorities in the U.S. to pass laws to prevent foreigners’ data from being analyzed by local intelligence agencies, though there is no chance of this happening anytime soon.

How to protect your Facebook account from hackers with new security feature “Facebook Protect”
https://www.securitynewspaper.com/2021/10/14/how-to-protect-your-facebook-account-from-hackers-with-new-security-feature-facebook-protect/
Thu, 14 Oct 2021 21:52:06 +0000


Facebook tries to respond to every single public relations crisis it goes through with improvements to its service, especially in terms of user privacy and information security. The most recent of these improvements was dubbed Facebook Protect, a new feature that the social media giant has begun suggesting to its users.

Some users report receiving notifications from Facebook to activate this security mechanism, which has more complex protections, no later than October 28th; otherwise their accounts will be deactivated.

The company describes Facebook Protect as a protection mechanism that emerged from the 2019 U.S. election process, enabled for candidates, election officials, political party activists and others involved in the process to adequately protect their accounts on the platform. Its main goal was to protect accounts of interest from hacking attacks aimed at spreading fake news and disinformation during election campaigns.

Registration in this program allows users to activate advanced security measures, including multi-factor authentication and the implementation of controls to detect potential attempts at illegitimate access to their accounts. As mentioned above, enrollment in this program was voluntary and only available to users with verified pages.

The information collected by Facebook Protect allows the platform to quickly detect any hint of unusual activity, in addition to determining whether it is a hacking attempt, based on indicators such as the location of login attempts and the use of unrecognized devices.

“We are in permanent search of the best strategies to stay one step ahead of threat actors. While we know that it is virtually impossible to contain all threats in real time, we will try to get as close as possible to this scenario,” the Facebook Protect advisory states.

At the time of its launch, Facebook Protect was only available to users in the United States and Canada, although the platform could be preparing for the massive application of this program.

How to Protect Data When Transferring Files Online
https://www.securitynewspaper.com/2021/09/02/how-to-protect-data-when-transferring-files-online/
Thu, 02 Sep 2021 14:59:00 +0000


Technology has made life better for all. The advent of the internet opened up limitless possibilities. For instance, today you can easily share data with people in various geographic locations without leaving the comfort of your home.

However, the rising wave of cybercrime has raised the concern for data protection on the internet. Hackers often intercept, access, and exploit sensitive information you put on the internet. But, fortunately, there are several ways to secure online file transfers.

Would you like to send large files securely over the internet? In this article, we’ll show you how.

What Is Data Protection?

Data protection, also called information privacy or data security, refers to a set of processes and strategies that ensure the availability, privacy, and integrity of your data. 

An effective data protection strategy is crucial for any organization that handles, stores, or collects sensitive data. It can help prevent data loss, corruption, or theft. And should a breach occur, it can help minimize damages.

How to Secure Your Data Transfer

  1. Data Encryption

Data encryption is a security measure that encodes data, granting access to it only to the user with the appropriate decryption key. Encrypted data, also called ciphertext, looks scrambled or unreadable to a third party without appropriate access.

Data encryption is an essential defense line in a cybersecurity architecture because it renders intercepted data useless or as difficult as possible to use by a third party.

What’s more, using zero-knowledge encryption to protect data is even better. It’s a cutting-edge method in data protection and file transfer security. This is because with zero-knowledge encryption, only the user has access to the password key. 

The password key is not stored on the servers or any data storage unit, denying even the service providers access to the data. So, if the servers get compromised, your password key is secure with you. You can entrust your files to any reliable data sharing service provider that uses zero-knowledge encryption, such as FileWhopper.

FileWhopper utilizes the zero-knowledge encryption method in its design to ensure top-tier protection of every data transfer. You can use it to send large files and folders securely to any geographical location.

Here’s how it works:

  • Whenever a user initiates an upload to share data, they will receive a unique ID for the transfer instead of a file name. And with zero-knowledge encryption, even the FileWhopper team does not have any idea of the name of your file or folder.
  • There is a tiny dedicated app to securely upload and transfer data. The sender gets a download link to their file or folder, and the transfer is assigned a strong password, which is either generated automatically or designed by the user. The password is locally stored with the user and never on any of FileWhopper’s servers.
  • The app encrypts the user’s folder or file, breaking it into tiny data fragments, and then uploads the ciphertext to FileWhopper’s server.
  • Once the transfer is over, the FileWhopper app auto-deletes, sparing you the need to remove it manually.
  • The user can share the encryption key and download link with their recipient using appropriate means at the beginning of the transfer process. The recipient can use the download link and start downloading the data while the upload is still in progress, meaning FileWhopper supports simultaneous uploads and downloads.

You can rest assured that only you and your desired recipient can access your data. Besides, FileWhopper has no file size limits, and your transfer can auto-resume if your internet connection fails during the data upload. Zero-knowledge encryption is no doubt one of the best ways to protect data from malicious users.

  2. File Transfer Protocol (FTP)

FTP is a standard communication protocol used for transferring data from a server to a client on another computer network. FTP employs a client-server architecture that uses separate control and data connections between the client and the server.

FTP often requests user authentication through a clear-text sign-in procedure, usually a username and password that are sent over the network unencrypted. However, users can also connect anonymously if the server’s configuration allows it.

FTP allows the back and forth transfer of files between computers or via the cloud. It is an essential tool for those who build and maintain websites. As long as you keep your username and password private, you can rest assured that your files are secure.

  3. Virtual Private Network (VPN)

A VPN is another trusted method you can use to secure your data. Regardless of your work setting, as long as it requires using the internet, VPN remains one of the most secure ways to prevent data breaches on the internet. This is particularly essential for public Wi-Fi network users.

A VPN creates a private, secure, and encrypted communication channel: if your packets (chunks of data) are intercepted, they cannot be deciphered. Let’s see how it works.

Each internet request results in a sequence of communication events between multiple points. A VPN encrypts those packets at the originating point, hiding the data and your IP address information.

The VPN software on your device then sends those packets to a VPN server at a destination point, which decrypts that information and sends it on to your destination application, such as your bank app.

A VPN works both at the corporate and consumer levels. The corporate or enterprise VPN connects the local area networks of business branches over the public internet. This works by setting up VPNs between offices, which encrypts your data as it is transferred over the public internet.

Similarly, the consumer VPN is a software-as-a-service (SaaS) offering that provides a secure communication channel between your computing device, such as your phone, laptop, or tablet, and the provider’s data center.

If you’re away from your home or office and want to use another person’s Wi-Fi network, use a VPN. Since you can’t tell whether or not it is compromised, it’s best to play safe.

Conclusion

There are several other ways to secure your files online, but with the methods mentioned above, you can rest assured of the security of your data.

Six Flags collected fingerprints of theme park visitors without their consent but will now pay $36 million USD fine
https://www.securitynewspaper.com/2021/06/22/six-flags-collected-fingerprints-of-theme-park-visitors-without-their-consent-but-will-now-pay-36-million-usd-fine/
Tue, 22 Jun 2021 18:44:26 +0000

Amusement park operating company Six Flags reached a settlement to pay $36 million USD as part of a class action lawsuit accusing the company of collecting fingerprint records from its visitors. The Illinois Supreme Court ruled that this practice violates the Biometric Information Privacy Act (BIPA), in effect in this state.

This legislation was passed in 2008 and regulates the way companies collect and use biometric information from users, including retinal records, fingerprints, voice records and facial recognition. One of the most important rules in this regard is that companies require the express consent of individuals to collect this kind of information.

This case began with Stacy Rosenbach, a mother who filed a lawsuit against Six Flags in 2016 accusing park staff in Gurnee, Illinois, of scanning her 14-year-old son’s fingerprints without first seeking his consent and without mentioning details of how the company uses these records.

After a lengthy legal process, the case reached the state Supreme Court, where Six Flags argued that the plaintiff had failed to demonstrate actual harm as set forth in BIPA. The Court dismissed Six Flags’ arguments, ruling that a person does not need to show actual harm arising from the collection of this data to be considered a victim under BIPA.

At the conclusion of an arduous mediation process, it was agreed that Six Flags would pay up to $200 USD to people whose biometric data was recorded in its U.S. parks between October 1, 2013 and April 30, 2016. On the other hand, people whose biometric records were scanned between May 1, 2016 and December 31, 2018 could receive up to $60 USD.

This isn’t the first time a company has faced multiple lawsuits for non-compliance with BIPA. A couple of years ago, the American Civil Liberties Union (ACLU) sued startup Clearview AI, arguing that the company maintained a biometric database of billions of people, sharing the data with third-party companies. Vimeo, the popular ad-free video platform, was also the subject of a lawsuit for non-compliance with BIPA.

British government fines American Express for sending spam to its customers https://www.securitynewspaper.com/2021/05/25/british-government-fins-american-express-for-sending-spam-to-its-customers/ Tue, 25 May 2021 22:25:46 +0000

Cybersecurity specialists report that the UK government fined American Express Services Europe $127,000 USD after the company illegally sent around 4 million emails for marketing purposes to customers not subscribed to its newsletter service. For its part, American Express states that these messages were not for advertising purposes, but were intended to communicate the company’s regular activities, which is permitted under UK privacy law.

However, the UK Information Commissioner’s Office (ICO) ordered an investigation, which revealed that of the 50 million “service” emails sent by the company, at least 4.9 million contained advertising targeted to some users.

The ICO says this was a completely deliberate action from which the company planned to profit, adding that American Express continued this practice even after receiving multiple customer complaints.

As many will know, the Privacy and Electronic Communications Regulations (PECR) are a series of guidelines that give UK service users complete control over the type of messages they wish to receive at their email addresses, and give the ICO the ability to fine infringing companies.

In a later update, ICO Research Director Andy Curry mentioned, “We began to look into the incident after receiving multiple complaints from some users who were constantly receiving advertising via email despite having denied permission for this action.” Curry asked American Express and other companies to refrain from sending advertising to users who do not wish to receive such messages.

While this seems like a hefty fine, many experts believe that companies will not abandon this kind of practice. Cybersecurity researcher John Bambenek thinks that the fines in such cases are too low and won’t stop companies seeking greater income: “Current legislation is really ineffective, so a more proactive approach is needed and companies are really considering leaving this unethical practice behind.”

Credit information from millions of people exposed by Experian API https://www.securitynewspaper.com/2021/04/29/credit-information-from-millions-of-people-exposed-by-experian-api/ Thu, 29 Apr 2021 22:15:30 +0000

Security teams at popular consumer credit agency Experian announced the correction of a weakness on an associated website that would have allowed any unauthorized user to conduct credit searches related to millions of U.S. citizens. Although the flaw has already been resolved, the researcher who made the first report mentions that this same scenario could be replicated on many other websites working with Experian.

Bill Demirkapi, an independent security researcher and student at Rochester Institute of Technology, said he discovered this leak while looking for loan services for college students.

The student mentions that he found a website offering to verify his eligibility for a loan by simply entering his name, address, and date of birth: “By verifying the code on this website, I could see that an Experian API was invoked,” Demirkapi said. For obvious reasons, this is not a process that should be available to any lending website: “Experian must require non-public information for such queries, as attackers could use this condition as a vulnerability,” the expert adds.

Demirkapi discovered that the Experian API could be accessed directly without any authentication, and that entering only zeros in the “date of birth” field allowed obtaining the credit score of almost any user. He even created a command-line tool to perform an automated search.

A group of researchers tested this tool and was able to demonstrate that it is functional, returning credit scores and risk factors for the analyzed users.

Demirkapi refused to share with Experian the name of the lender or the website where the API was exposed, arguing that there could be many more sites exposing this information: “If we let them know the name of this website, Experian could simply block specific requests, which doesn’t really solve anything.” 

Still, shortly after receiving Demirkapi’s report, Experian’s security teams discovered the source of the leak: “We have confirmed that only one instance is impacted by this incident, and that it has already been corrected.”

How to create your professional deep fake video easily and free of cost https://www.securitynewspaper.com/2021/04/28/how-to-create-your-professional-deep-fake-video-easily-and-free-of-cost/ Wed, 28 Apr 2021 22:31:07 +0000

While it would be difficult for the vast majority of people to develop a concrete definition of the concept of “deepfake”, it is a fact that many of us have heard on more than one occasion about this technology and even know some of its possible malicious implications. As mentioned on previous occasions, its main use is the creation of fake pornographic material, featuring the faces of celebrities or even the former romantic partners of a user seeking revenge, which does not mean that it does not have other real applications.

In addition to pornography, this technology is also used in politics, creating false or intentionally misleading news, such as a popular video clip in which Barack Obama refers to the former President Donald Trump as “a complete idiot.” Shortly thereafter it was shown that the video was created from multiple Obama images and a speech by actor and director Jordan Peele, proving that its use could have serious implications for users’ data protection.

Deepfake has even been used by the artistic community. An example of this was the exhibition in honor of the 115th anniversary of Salvador Dalí’s birth date, in which the curators projected a prototype of the artist driven by artificial intelligence that was even able to interact with the attendees.

This technology may seem very complex, although there are already some attempts to make it available to any user. This time, data protection specialists from the International Institute of Cyber Security (IICS) will show you how to create a deepfake image from a simple photo or video of the face you want to emulate.

This process requires image animation, which is possible through neural networks that cause the image to move over a video stream previously selected by the user. It should be mentioned that the content of this article was developed for specifically academic purposes, so the principle of data protection must prevail in the use of this knowledge. IICS is not responsible for any misuse that may be given to this information.

How does this process work?

Data protection experts mention that deepfake is based on generative adversarial networks (GANs), machine learning algorithms responsible for creating new content from a particular and limited set of information, for example by analyzing thousands of photographs of a person to create new images that preserve all the physical traits of the selected person.

This article details the model presented in “First Order Motion Model for Image Animation”, an approach that replaces earlier methods, which depended on replacing objects in a video with other images.

Using this model, the neural network helps reconstruct a video in which the original subject is replaced by the object in the source image. During testing, the program tries to predict how the object in the source image will move based on the added video, so in practice it tracks even the smallest movement presented in the video, from turns of the head to the movement of the corners of the lips.

Creating a deepfake video

It all starts with a large number of video samples, data protection experts mention. To start rebuilding a video, the model extracts multiple frames to analyze the motion patterns they contain and then learns how to encode the motion as a mixture of multiple variables.

During testing, the model reconstructs the video stream by adding an object from the original image to each frame of the video, and therefore an animation is created.

The framework is implemented by using a motion estimation module and an image generation module.

The purpose of the motion estimation module is to understand exactly how the different frames in the video move, data protection experts mention. In other words, it tries to track each movement and encode it as the movement of key points. The result is a dense motion field, which works in conjunction with an occlusion mask that determines which parts of the object should be replaced by the original image.

In the GIF file used as an example below, the woman’s back is not animated.

Finally, the data obtained by the motion estimation module is sent to the image generation module along with the original image and the selected video file. The image generator creates moving video frames in which the object is replaced by the one from the original image. The frames are then combined to create a new video.

How to create a deepfake

You can easily find the source code of a deepfake tool on GitHub, clone it on your own machine and run everything there; however, there is an easier way that allows you to get the finished video in just 5 minutes.

  • Follow the next link:

https://colab.research.google.com/github/AwaleSajil/DeepFake_1/blob/master/first_order_model_demo(Youtube)_new_audioV5_a.ipynb

  • Then create a copy of the ipynb file on your Google Drive
  • Run the first process to download all the necessary resources and configure the model parameters
  • You can now test the algorithm using a default set of photos and videos. Just select a source image and the video in which you want to project the image. According to data protection experts, after a couple of minutes the deepfake material will be ready
  • To create your own video, specify the path to the original image and moving video in the third cell. You can download them directly to the folder with the model, which can be opened by clicking the folder icon in the menu on the left. It is important that your video is in mp4 format

As a result, by combining the video with Ivangai and Elon Musk’s photo, we managed to get the following deepfake:
