Monday, 11 March 2019

Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can be easily discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.

Not even Box’s own staff were immune from leaking data.

Adversis said that while much of the data is legitimately public and Box advises users on how to minimize risks, many employees may not realize that the sensitive data they share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making the data even easier to find.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.
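The recommendation above is an admin-side default, but existing links keep whatever access level they were created with, so an administrator also needs to inventory what is already shared. The script below is an added example written for this page; it is not Adversis's scanner and not Box's own tooling. It assumes the shape of the Box Content API's `shared_link` object (an `access` value of "open", "company" or "collaborators" plus a `password_enabled` flag), and it runs over a constructed inline listing rather than a live account, flagging every item whose link is wider than a chosen policy ceiling.

```python
"""Audit a Box folder listing for shared links that exceed a policy ceiling.

Added example (not code from the original article, Adversis or Box). It
assumes the Box Content API's shared_link object carries an `access` field
with one of the values "open", "company" or "collaborators" and a boolean
`password_enabled`; the listing below is constructed, not captured.
"""
import json

# Shared-link access levels ordered from least to most exposed
# (assumption based on the documented Box Content API values).
ACCESS_RISK = {"collaborators": 0, "company": 1, "open": 2}

# Constructed sample resembling `GET /folders/:id/items?fields=name,shared_link`.
# Ids, names and URLs are made up for the example.
SAMPLE_LISTING = json.loads("""
{"entries": [
  {"type": "folder", "id": "1001", "name": "Q4 invoices",
   "shared_link": {"url": "https://example.app.box.com/s/aaaa",
                   "access": "open", "password_enabled": false}},
  {"type": "file", "id": "1002", "name": "offsite-plan.pdf",
   "shared_link": {"url": "https://example.app.box.com/s/bbbb",
                   "access": "company", "password_enabled": false}},
  {"type": "file", "id": "1003", "name": "customer-export.csv",
   "shared_link": {"url": "https://example.app.box.com/s/cccc",
                   "access": "open", "password_enabled": true}},
  {"type": "file", "id": "1004", "name": "notes.txt", "shared_link": null}
]}
""")


def classify_items(listing, policy_max="company"):
    """Return the items whose shared link is wider than `policy_max`.

    `policy_max` is the widest access level the organisation allows
    ("company" matches the 'people in your company' default the article
    recommends). Items without a shared link are skipped. An unknown
    access value is treated as "open", the conservative choice.
    """
    ceiling = ACCESS_RISK[policy_max]
    findings = []
    for item in listing.get("entries", []):
        link = item.get("shared_link")
        if not link:
            continue
        access = link.get("access", "open")
        if ACCESS_RISK.get(access, ACCESS_RISK["open"]) > ceiling:
            findings.append({
                "id": item["id"],
                "type": item["type"],
                "name": item["name"],
                "access": access,
                # A password-protected public link is still public in the
                # sense that the URL can be enumerated; flag it separately.
                "password_enabled": bool(link.get("password_enabled", False)),
            })
    return findings


def summarize(findings):
    """Count flagged links, split by whether a password gates them."""
    unprotected = sum(1 for f in findings if not f["password_enabled"])
    return {"total": len(findings),
            "unprotected": unprotected,
            "password_protected": len(findings) - unprotected}


if __name__ == "__main__":
    hits = classify_items(SAMPLE_LISTING)
    for hit in hits:
        print(f'{hit["type"]:6} {hit["id"]:>5}  {hit["access"]:<6}  '
              f'pw={hit["password_enabled"]}  {hit["name"]}')
    print(summarize(hits))
```

Against a real tenant the listing would come from the Box API with an admin token and the walk would recurse into sub-folders; the classification logic stays the same. Raising `policy_max` to "open" turns the audit off, which is exactly the posture the article describes as the source of the leaks.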

Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts, and customer data were among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.

“There is simply too much out there and not enough time to resolve each individually,” he said.

Adversis provided TechCrunch with a list of known exposed Box accounts. We contacted several of the big companies named, as well as those known to have highly sensitive data, including:

  • Amadeus, the flight reservation system maker, which left a folder full of documents and application files associated with Singapore Airlines. Earlier this year, a researcher found flaws that made it easy to change reservations booked with Amadeus.
  • Apple had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
  • Television network Discovery had more than a dozen folders listed, including database dumps of millions of customers’ names and email addresses. The folders also contained some demographic information and developer project files, including casting contracts and notes and tax documents.
  • Edelman, the global public relations firm, had an entire project proposal for working with the New York City mass transit division, including detailed proposal plans and more than a dozen resumes of potential staff for the project — including their names, email addresses, and phone numbers.
  • Nutrition giant Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including their names, email addresses and phone numbers.
  • Opportunity International, a non-profit aimed at ending global poverty, exposed a massive spreadsheet listing donor names, addresses and amounts given.
  • Schneider Electric left dozens of customer orders accessible to anyone, including sludge works and pump stations for several towns and cities. Each folder had an installation “sequence of operation” document, which included both default passwords and in some cases “backdoor” access passwords in case of forgotten passwords.
  • Pointcare, a medical insurance coverage management software company, had thousands of patient names and insurance information exposed. Some of the data included the last four-digits of Social Security numbers.
  • United Tissue Network, a whole-body donation non-profit, exposed body donor information and personal information of donors in a vast spreadsheet, including the prices of body parts.

Box, which initially had no comment when we reached out, had several folders exposed. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

Box spokesperson Denis Roy said in a statement: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

The cloud giant said it plans to reduce the unintended discovery of public files and folders.

Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.

Amadeus spokesperson Alba Redondo said the company decommissioned Box in October and blamed the exposure on an account that was “misconfigured in public mode” which has now been corrected and external access to it is now closed. “We continue to investigate this issue and confirm there has been no unauthorized access of our system,” said the spokesperson, without explanation. “There is no evidence that confidential information or any information containing personal data was impacted by this issue,” the spokesperson added. We’ve asked Amadeus how it concluded there was no improper access, and will update when we hear back.

Pointcare chief executive Everett Lebherz confirmed its leaking files had been “removed and Box settings adjusted.” Edelman’s global marketing chief Michael Bush said the company was “looking into this matter.”

Herbalife spokesperson Jennifer Butler said the company was “looking into it,” but we did not hear back after several follow-ups. (Butler declared her email “off the record,” which requires both parties to agree to the terms in advance, but we are printing the reply as we were given no opportunity to reject the terms.)

When reached, an Apple spokesperson did not comment by the time of publication.

Discovery, Opportunity International, Schneider Electric, and United Tissue Network did not return a request for comment.

Data “dumpster diving” is not a new hobby for the skilled, but it’s a necessary sub-industry to fix an emerging category of data breaches: leaking, public, and exposed data that shouldn’t be. It’s a growing space that we predicted would grow as more security researchers look to find and report data leaks.

This year alone, we’ve reported data leaks at Dow Jones, Rubrik, NASA, AIESEC, Uber, the State Bank of India, two massive batches of Indian Aadhaar numbers, a huge leak of mortgage and loan data, and several Chinese government surveillance systems.

Adversis has open-sourced and published its scanning tool.



from Apple – TechCrunch https://ift.tt/2UtsqDy

Saturday, 9 March 2019

Elizabeth Warren reportedly also wants to break up Apple

Massachusetts Senator and 2020 presidential candidate Elizabeth Warren made waves yesterday when she outlined her plan for breaking up big tech companies like Amazon, Google and Facebook. Now, The Verge reports Warren also wants to break up Apple.

Specifically, Warren believes Apple should not be able to both run the Apple App Store and distribute apps in it.

“It’s got to be one or the other,” Warren told The Verge. “Either they run the platform or they play in the store. They don’t get to do both at the same time.”

Warren’s proposal includes passing legislation to designate companies that offer marketplaces, exchanges or platforms for connecting third-parties with annual global revenues of more than $25 billion as “platform utilities.”

“These companies would be prohibited from owning both the platform utility and any participants on that platform,” Warren wrote on Medium yesterday. “Platform utilities would be required to meet a standard of fair, reasonable, and nondiscriminatory dealing with users. Platform utilities would not be allowed to transfer or share data with third parties.”

That would mean Amazon, for example, would not be able to sell its Amazon Basics line of products on its marketplace. Same goes for Apple, under Warren’s proposal.

“If you run a platform where others come to sell, then you don’t get to sell your own items on the platform because you have two comparative advantages,” Warren said. “One, you’ve sucked up information about every buyer and every seller before you’ve made a decision about what you’re going to sell. And second, you have the capacity — because you run the platform — to prefer your product over anyone else’s product. It gives an enormous comparative advantage to the platform.”

I’ve reached out to Warren’s media team and will update this story if I hear back.



from Apple – TechCrunch https://ift.tt/2EQxRWw

Friday, 8 March 2019

Apple could launch augmented reality headset in 2020

According to a new report from Ming-Chi Kuo (via 9to5mac), a reliable analyst on all things Apple, the company has been working on an augmented reality headset and is about to launch the device. This pair of glasses could go into mass production as early as Q4 2019 and should be available at some point during the first half of 2020.

It’s still unclear what you’ll be able to do with this mysterious headset. Kuo says that it’ll work more or less like an Apple Watch. You won’t be able to use the AR headset without an iPhone as it’ll rely heavily on your iPhone.

The glasses will act as a remote display to give you information right in front of your eyes. Your iPhone will do the heavy lifting when it comes to internet connectivity, location services and computing. I wouldn’t be surprised if the AR headset relies on Bluetooth to communicate with your iPhone.

Kuo’s report doesn’t say what you’ll find in the headset. Apple could embed displays and sensors so that the AR headset is aware of your surroundings. An AR device only makes sense if Apple puts sensors to detect things around you.

Apple has already experimented with augmented reality with its ARKit framework on iOS. Developers have been able to build apps that integrate digital elements in the real world, as viewed through your phone cameras.

While many apps have added AR features, most of them feel gimmicky and don’t add any real value. There haven’t been a ton of AR-native apps either.

One interesting use case for augmented reality is mapping. Google recently unveiled an augmented reality mode for Google Maps. You can hold your phone in front of your face to see arrows indicating where you’re supposed to go.

Apple has also been rebuilding Apple Maps with its own data. The company isn’t just drawing maps. It is collecting a ton of real world data using LiDAR sensors and eight cameras attached on a car roof. Let’s see if Apple Maps will play an important part in Apple’s rumored AR headset.



from Apple – TechCrunch https://ift.tt/2IZk4lV

Wednesday, 6 March 2019

Trump called Apple’s CEO ‘Tim Apple’ by mistake

The president has to remember a lot of names! Some he remembers, some he forgets. But we will never forget today in the Year of Our Lord 2019 when President Trump called Apple CEO Tim Cook “Tim Apple.”

Maybe we’re just losing our minds waiting for a good meme, but there’s something relentlessly good and pure about calling the executive formerly known as Tim Cook “Tim Apple.” Tim Cook: Great guy, great phones. Tim Apple though? Man, where do we start!

In the video from Cook’s appearance with the American Workforce Policy Advisory Board, Trump invents Tim Apple at 1:03 before launching into a tirade on unspecified murders in Mexico.

“You’ve really put a great investment in our country. We really appreciate it very much, Tim Apple,” Trump said.

As the Verge pointed out, Trump once called Lockheed Martin’s CEO “Marillyn Lockheed” which is fine but not good and pure like Tim Apple.

For evidence that Trump in fact knows the “true” identity of Tim Apple, you can rewind to 40:43 when he calls the Apple chief executive “Tim Cook” (his old name). Usually it’s cheap to give someone a hard time for forgetting a name or making a minor mistake in extemporaneous speech. But Tim Apple is so much more than a mistake.

If you’d prefer, watch the clip over and over again. We can’t recommend it enough.



from Apple – TechCrunch https://ift.tt/2EQNJK2

Google gives Android developers new tools to make money from users who won’t pay

Google today is introducing a new way for Android developers to generate revenue from their mobile applications. And no, it’s not subscription-related. Instead, the company is launching a new monetization option for apps called “Rewarded Products.” This will allow non-paying app users to contribute to an app’s revenue stream by sacrificing their time, but not their money. The first product will be rewarded video, where users can opt to watch a video ad in exchange for in-game currency, virtual goods, or other benefits.

The feature may make developers happy, but it remains to be seen how users react. Reception will depend on how the videos are introduced in the app.

Even in Google’s example of the rewarded product in action – meant to showcase a best design practice, one would think – the video interrupts gameplay in between levels with a full screen takeover. This is not a scenario users would respond well to unless this was presented as the only way to play a popular, previously paid-only game for free, perhaps.

Rewarded video has worked for some apps where users have come to expect a free product. That could include free-to-play games or other services where subscribing is an option, not a requirement.

For example, Pandora’s music streaming service was free and ad-supported for years, as it was radio-only. After it introduced tiers offering on-demand streaming to compete with Spotify, it rolled out a rewarded video product – so to speak – of its own. Today, Pandora listeners can choose to watch a video ad to access on-demand music for a session, as an alternative to paying a monthly subscription.

Android app developers, of course, are already using advertisements to supplement or as a means of monetization, but this launch creates an official Google Play “product.” This makes implementation easier on developers and gives Google a way to compete with third parties offering something similar.

Rewarded products can be added to any app using the Google Play Billing Library or AIDL interface with only a few additional API calls, the company says. It won’t require an SDK.

The launch comes at a time when Apple has been seeing success with subscriptions, which it has fully embraced, pushed and sometimes even let run amok. Subscriptions are now one of the biggest factors, outside of games, in app store revenue growth.

But Android users, historically, have been more averse to paying for apps than those on iOS. Apple’s store has seen nearly double the revenue of Google Play, despite having far fewer downloads. That means Android developers will not be able to tap into the subscription craze at the same scale as their iOS counterparts. And it means cross-platform developers may further prioritize building for iOS, as a result.

Rewarded products offer those developers an alternative path to monetization on a platform where that’s often been more difficult, outside of running ads.

Google says the rewarded video product is launching into open beta, and is available in the Play Console for developers.

from Android – TechCrunch https://ift.tt/2C7FQ0W
via IFTTT

Google introduces educational app Bolo to improve children’s literacy in India

Google is expanding its suite of apps designed for the Indian market with today’s launch of a new language-learning app aimed at children, called Bolo. The app, which is aimed at elementary school-aged students, leverages technology like Google’s speech recognition and text-to-speech to help kids learn to read in both Hindi and English.

To do so, Bolo offers a catalog of 50 stories in Hindi and 40 in English, sourced from Storyweaver.org.in. The company says it plans to partner with other organizations in the future to expand the story selection further.

Included in the app is a reading buddy, “Diya,” who encourages and corrects the child when they read aloud. As kids read, Diya can listen and respond with feedback. (Google notes all personal information remains on device to protect kids’ privacy.) Diya can also read the text to the child and explain the meaning of English words. As children progress in the app, they’ll be presented with word games in the app which win them in-app rewards and badges to motivate them.

The app works offline – a necessity in large parts of India – where internet access is not always available. Bolo can be used by multiple children, as well, and will adjust itself to their own reading levels.

Google says it had been trialing Bolo across 200 villages in Uttar Pradesh, India with the help of nonprofit ASER Centre. During testing, it found that 64 percent of children who used the app showed an improvement in reading proficiency in three months’ time.

To run the pilot, 920 children were given the app and 600 were in a control group without the app, Google says.

In addition to improving their proficiency, more students in the group with the app (39%) reached the highest level of ASER’s reading assessment than those without it (28%), and parents also reported improvements in their children’s reading abilities.

Illiteracy remains a problem in India. The country has one of the largest illiterate populations in the world, where only 74 percent are able to read, according to a study by ASER Centre a few years back. It found then that more than half of students in fifth grade in rural state schools could not read second grade textbooks in 2014. By 2018, that figure hadn’t changed much – still, only about half can read at a second grade level, ASER now reports.

While Google today highlights its philanthropic efforts in education, it’s worth noting that Google’s interest in helping improve India’s literacy metrics benefits its bottom line, too. As the country continues to come online to become one of the largest internet markets in the world, literate users capable of using Google’s products like Search, Ads, Gmail, and others – are of increased importance to Google’s business.

Already, Google has shipped a number of applications designed specifically for Indian internet users, like data-friendly versions of YouTube, Search, and other popular services, payments app Tez (now rebranded Google Pay), a food delivery service, a neighborhood and communities networking app, blogging app, and more.

Today, Bolo is launching across India as an open beta, while Google will continue to work with its nonprofit partners – including Pratham Education Foundation, Room to Read, Saajha and Kaivalya Education Foundation – a Piramal Initiative – to bring the app to more children.

Bolo is available now on the Google Play Store in India, and works on Android smartphones running Android 4.4 (Kit Kat) and higher. The app is currently optimized for native Hindi speakers.



from Android – TechCrunch https://ift.tt/2H12Pil
via IFTTT

Monday, 4 March 2019

Qualcomm v. Apple patent suit trial kicks off in San Diego ahead of next month’s big one

Apple sues Qualcomm, Qualcomm sues Apple, Qualcomm sues Apple, Qualcomm sues Apple.

For the past two years, the legal battle between Apple and Qualcomm has played out much like this. While the patent cases have greatly inconvenienced Apple at times in certain markets, the royalties suit that Apple filed in January of 2017 has threatened a big part of Qualcomm’s core business and ultimately led Apple to start eschewing Qualcomm IP in its devices.

The entire saga is about to reach a fever pitch: we are just weeks away from proceedings kicking off for Apple’s $1 billion royalties suit. Today, a more low-key eight-day trial kicked off in San Diego federal court regarding Apple’s alleged usage of patent-infringing modem tech.

The case, overseen by U.S. District Judge Dana Sabraw, is related to the power consumption and speed of boot-up times for iPhones sold in the period between mid-2017 and late-2018. A positive outcome for Qualcomm could result in up to $1.41 in damages per infringing iPhone sold during this period, an amount that could swell to tens of millions in damages, Reuters reports.

Qualcomm has scored some small victories in its efforts to chip away at Apple. The company has won iPhone sales bans in Germany and China for certain models, though the ban in China has yet to be enforced and Apple has modified some of its phones in Germany to comply with the ruling.



from Apple – TechCrunch https://ift.tt/2XEwoev