Railroad giant BNSF has been found guilty of violating the privacy of 45,000 drivers. In U.S. District Court in Chicago Wednesday, a jury awarded a $228 million verdict to the truck drivers who filed a class-action suit. BNSF was found guilty of violating Illinois the Biometric Privacy Act (BIPA). The state law basically says you can collect iris scans, fingerprints, voiceprints, facial geometry scans, but you have to get written consent to do so. The Rogers v. BNSF Railway Company lawsuit accused BNSF of using a fingerprint system that allowed drivers to access railyards for pickups and drop-offs, but did not obtain written consent from drivers that complied with BIPA requirements, according to a news release from the law firm Honigman LLP.
An ongoing security audit of our app identified that Android leaks certain traffic, which VPN services cannot prevent. The audit report will go public soon. This post aims to dive into the finding, called MUL22-03. We researched the reported leak, and concluded that Android sends connectivity checks outside the VPN tunnel. It does this every time the device connects to a WiFi network, even when the Block connections without VPN setting is enabled. We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal on the network, the connection will be unusable until the user has logged in to it. So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models. As there seems to be no way* to stop Android from leaking this traffic, we have reported it on the Android issue tracker.
Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts. Fortinet privately informed some customers last week about the availability of patches and workarounds for a critical authentication bypass vulnerability exposing some devices to remote attacks. The security hole allows an unauthenticated attacker to remotely perform unauthorized operations on an appliance’s admin interface using specially crafted requests. Exploitation is not difficult and it can lead to a full device takeover.
India’s minister of state for electronics and information technology, Rajeev Chandrasekhar, has hinted strongly that he will again extend the deadline to comply with sweeping new information security reporting rules that were imposed as an essential national defence mechanism. The unheralded rules were introduced in April 2022 and gave local organizations a 60-day deadline to put systems in place. After the deadline they were required to report many types of infosec incidents – even trivial ones like port scanning and phishing attempts – to India’s Computer Emergency Response Team (CERT-In) within six hours of detection.
IN NOVEMBER 2021, Facebook announced it would delete face recognition data extracted from images of more than 1 billion people and stop offering to automatically tag people in photos and videos. Luke Stark, an assistant professor at Western University, in Canada, told WIRED at the time that he considered the policy change a PR tactic because the company’s VR push would likely lead to the expanded collection of physiological data and raise new privacy concerns. This week, Stark’s prediction proved right. Meta, as the company that built Facebook is now called, introduced its latest VR headset, the Quest Pro. The new model adds a set of five inward-facing cameras that watch a person’s face to track eye movements and facial expressions, allowing an avatar to reflect their expressions, smiling, winking, or raising an eyebrow in real time. The headset also has five exterior cameras that will in the future help give avatars legs that copy a person’s movements in the real world.