India has relaxed its planned restrictions on cross-border data flows, with a revision to its planned data protection laws. The new Digital Personal Data Protection Bill 2022 will allow the transfer of personal data to certain other nations and proposes GDPR-style restrictions on the ways in which companies use that data. There are penalties of up to around $31 million for failing to prevent a data breach, with another $24.5 million where organizations fail to notify the authorities and users. The bill has been a long time in the making, with a first version proposed in 2018. Years of revisions led to a new version last year, which was withdrawn by the government this summer after concerns from big tech firms and others over cross-border data flows.
Corellium, a cybersecurity startup that sells phone-virtualization software for catching security bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government, according to a leaked document reviewed by WIRED that contains internal company communications. The 507-page document, apparently prepared by Apple with the goal of using it in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis using virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.
Google Cloud’s intelligence research and applications team has created and released a collection of 165 YARA rules to help defenders flag Cobalt Strike components deployed by attackers. “Our intention is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to abuse,” says Greg Sinclair, a security engineer with Google Cloud Threat Intelligence. Cobalt Strike, a legitimate adversary simulation tool used by pentesters and cyber red teams, has also become threat actors’ preferred post-exploitation tool. While some attackers have switched to using Brute Ratel, DeimosC2, and similar tools, Cobalt Strike is still a very popular option.
The controversial facial recognition firm hired by the US government during the height of the pandemic is being slammed by members of Congress, who say the company misrepresented how its technology works and downplayed the excessive wait times that stopped Americans from collecting unemployment benefits. New evidence shows that ID.me “inaccurately overstated its capacity to conduct identity verification services to the Internal Revenue Service (IRS) and made baseless claims about the amount of federal funds lost to pandemic fraud in an apparent attempt to increase demand for its identity verification services,” according to a new report from the two U.S. House of Representatives committees overseeing the government’s COVID-19 response.
A human rights campaigner is suing Meta in the UK’s high court in a case that could have serious implications for other social media sites and search engines. Since 2018, when GDPR was adopted in the UK, internet users have had the right to demand that their personal data be deleted. However, Tanya O’Carroll, a senior fellow at campaigning law firm Foxglove, claims in her lawsuit that Meta has breached UK data laws by refusing to stop collecting and processing her personal data for ad targeting purposes when asked. “We shouldn’t have to give up every detail of our personal lives just to connect with friends and family online,” she says.