
FTC Proposes Ban on Meta Profiting Off Children’s Data

The Federal Trade Commission (FTC) has accused Meta, Facebook's parent company, of violating its 2019 privacy settlement by allowing advertisers to target children with ads based on their activity on other apps and websites. The FTC has proposed barring Meta from profiting off children's data, including a blanket prohibition on monetizing the data of children under 13.

According to the FTC, Facebook’s Messenger Kids app, which is aimed at children under 13, was also used to gather data on children's activity that was used for advertising purposes. The Messenger Kids app is designed to allow children to communicate with friends and family in a safe and controlled environment, but the FTC alleges that Facebook failed to adequately protect children's data and privacy.

The proposed ban would prevent Meta from using children's data to target ads or sharing such data with third-party advertisers. The FTC also suggested that the company should provide parents with greater control over the data that is collected about their children.

Facebook has responded to the FTC's allegations, stating that it has taken significant steps to protect children's privacy, including requiring parental consent before children can use the Messenger Kids app. The company has also stated that it will continue to work with the FTC to resolve any concerns and will take any necessary steps to comply with the law.

The proposed ban on profiting off children's data is part of a wider crackdown by regulators on big tech companies and their data practices. The FTC has also proposed new rules that would require companies to obtain explicit consent from consumers before collecting or sharing their personal information.

In addition to the FTC's proposed ban, lawmakers in the US have also proposed new legislation that would strengthen privacy protections for children online. The bill, known as the Children's Online Privacy Protection Modernization Act, would update the Children's Online Privacy Protection Act (COPPA) to reflect changes in technology and the way children use the internet.

The proposed legislation would require companies to obtain parental consent before collecting any personal information from children under 16, and would also establish a new agency to oversee online privacy protections for children.

The proposed ban on profiting off children's data, along with the proposed legislation, highlights the growing concern among lawmakers and regulators over the use of personal data, particularly when it comes to vulnerable groups such as children. While companies may argue that they are taking steps to protect privacy, regulators are increasingly taking a tougher stance and pushing for more stringent rules to ensure that individuals' data is properly safeguarded.

Third-Party Attacks: Hackers Exploit Software Supply Chains

Third-party intrusions are yet another reminder of how fast and how widely supply-chain attacks can spread, as seen most recently at Twilio and Mailchimp.

Both cases have one thing in common: they were service supply-chain attacks, intrusions in which the attackers used the access granted to a third-party service as a backdoor into the target companies' core systems.

When an attack on one organization opens the door to many more, attackers take notice and come back for more. Phishing and social engineering are the usual means of obtaining that initial unauthorized access.

This amplification effect has driven the rise in attacks that go through third-party vendors: the level of access and data exposed across the supply chain gives attackers a way to reach more targets, more reliably.

Companies are rapidly weaving third-party apps into the fabric of their enterprise IT as digitalization and the growth of cloud-based, remote and hybrid work push them to boost productivity and streamline business processes. These connected apps raise productivity across the board, which is why they have gained so much attention recently.

Twilio suffered a phishing attack that affected 125 customers; one of them, Signal, disclosed that around 1,900 of its users' phone numbers and SMS verification codes were exposed as a result. DigitalOcean was among the 214 Mailchimp accounts affected after attackers used social engineering to gain access to Mailchimp's internal tooling.

Firms want to adopt new technologies to increase automation and productivity, but security and IT teams are increasingly underfunded and overworked. The rapid growth of integrations between third-party cloud apps and core systems is straining traditional third-party review procedures and security governance models, overwhelming IT and security teams and creating a new, expansive and largely unmonitored attack surface.

Similar supply-chain attacks will keep happening if these integrations spread without an adequate understanding and mitigation of the specific risks they bring. In fact, 93% of businesses in 2021 suffered a cybersecurity compromise of some kind as a result of weak third parties or supply chains.
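To make that "unmonitored attack surface" concrete, here is an added example (not code from the original post) of the kind of audit a security team can run over its inventory of third-party app grants: it flags grants with over-broad scopes, grants that a user consented to without admin review, vendors that were never security-assessed, and dormant grants that keep a refresh token alive. The inventory, the field names and the scope strings are constructed assumptions and do not correspond to any particular platform's export format or API.

```python
"""Audit third-party app grants for supply-chain exposure.

Added example, not code from the original post. The inventory below is a
constructed stand-in for what a SaaS admin console or identity provider
exports; the field names (app, scopes, consent, last_used, vendor_reviewed)
and the scope strings are assumptions, not any particular platform's API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Scopes that let a third party read or change core data on the tenant's
# behalf. Illustrative assumption; real scope names differ per platform.
HIGH_RISK_SCOPES: Set[str] = {
    "mail.readwrite",
    "files.readwrite.all",
    "directory.readwrite.all",
    "admin",
}

STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    app: str
    scopes: Set[str]
    consent: str               # "user" (self-service) or "admin"
    last_used: Optional[date]  # None = never seen in use
    vendor_reviewed: bool      # has security assessed the vendor?


def risk_findings(grant: Grant, today: date) -> List[str]:
    """Reasons this grant widens the third-party attack surface.

    Each finding maps to a failure mode the post describes: over-broad
    access, integrations added without review, and grants nobody watches.
    """
    findings: List[str] = []
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if grant.consent != "admin":
        findings.append("user-consented without admin review")
    if not grant.vendor_reviewed:
        findings.append("vendor never security-reviewed")
    dormant = grant.last_used is None or today - grant.last_used > STALE_AFTER
    if dormant:
        findings.append(f"dormant: unused for more than {STALE_AFTER.days} days")
        # offline_access keeps a refresh token alive, so the vendor (or whoever
        # compromises it) can keep using the grant without anyone logging in.
        if "offline_access" in grant.scopes:
            findings.append("offline_access keeps the dormant grant usable")
    return findings


def audit(grants: List[Grant], today: date) -> Dict[str, List[str]]:
    """Map every app with at least one finding to its list of findings."""
    report: Dict[str, List[str]] = {}
    for grant in grants:
        findings = risk_findings(grant, today)
        if findings:
            report[grant.app] = findings
    return report


def revocation_candidates(report: Dict[str, List[str]]) -> List[str]:
    """Apps that are both dormant and unreviewed: revoke first, then ask."""
    return sorted(
        app for app, findings in report.items()
        if any(f.startswith("dormant") for f in findings)
        and "vendor never security-reviewed" in findings
    )


# Constructed inventory; the date is fixed so the example is deterministic.
TODAY = date(2022, 9, 1)
INVENTORY = [
    Grant("ticketing-sync", {"files.readwrite.all", "offline_access"}, "user",
          TODAY - timedelta(days=120), False),
    Grant("calendar-helper", {"calendars.read"}, "admin",
          TODAY - timedelta(days=3), True),
    Grant("email-marketing", {"mail.readwrite"}, "admin",
          TODAY - timedelta(days=1), True),
]

if __name__ == "__main__":
    report = audit(INVENTORY, TODAY)
    for app, findings in report.items():
        print(app)
        for finding in findings:
            print("  -", finding)
    print("revoke first:", revocation_candidates(report))
```

Run against a real export, the same loop becomes the periodic re-evaluation Reed calls for later on this page: the policy is static, so the only input that changes between runs is the inventory.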

Zero Trust & Basic Cyber Hygiene: Best Defense Against Third-Party Attacks


Since the beginning of the year, there has been a slew of third-party cybersecurity attacks, with the repercussions affecting a number of companies in Singapore and across Asia. 

Personal information of 30,000 Singaporeans could have been unlawfully accessed last month as a result of a breach at a third-party vendor of the Employment and Employability Institute (e2i), a job-matching organization. The personal information of 580,000 Singapore Airlines frequent flyers and 129,000 Singtel customers was also compromised earlier this year through third-party security breaches.

A zero trust architecture, according to Acronis CEO Serguei Beloussov, might have averted third-party attacks like those involving Accellion and SIA. Security policies on how supply chains are secured should be enforced and followed, he said, and he emphasized the importance of monitoring and control, as well as of carrying out vulnerability assessments and penetration testing.

Kevin Reed, Acronis' chief information security officer (CISO), said that companies must be aware of who and what is accessing their data. This meant they'd have to evaluate their partners' trustworthiness on a regular basis, rather than only when a new contract was signed, he explained. 

To limit the risks of engaging with these suppliers, Finkelstein recommends asking what security measures they have put in place and whether connections with them are secured. According to Reed, prevention is crucial: since the majority of security threats today are opportunistic, he believes organizations can thwart most of them by taking preventive steps that reduce their chances of being hacked.

The way to mitigate the risk to businesses is to adopt better data management and replace old technology. Beloussov put it concisely: "Nothing that is more than a few years old is healthy. It is possible to penetrate a structure constructed 20 years ago. You have to constantly check and update the system."

CyberGRX CISO Dave Stapleton pointed to the attack on SITA, whose effect on some airlines could be comparatively small because of the types of data exchanged. This points to good data management practices such as data segmentation and categorization, in which not all pieces of information are stored in the same database and data access is limited to particular functions.
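As an added example of the segmentation practice described above (not code from the original post or from any of the people quoted in it), the following splits records into per-category stores, enforces a per-function read policy, and compares the blast radius of a stolen integration credential against a single shared database. The categories, callers, policy and records are constructed for illustration and describe no real airline's systems.

```python
"""Segmented data stores with function-scoped access.

Added example, not code from the original post or from any vendor quoted in
it. The data categories, callers, policy and records are constructed to
illustrate the point; nothing here describes a real airline's systems.
"""
from typing import Dict, Set

# Each category is its own store (in practice: a separate database or
# schema with its own credentials). Records are constructed dummies.
STORES: Dict[str, Dict[str, dict]] = {
    "loyalty":  {"pax-1": {"tier": "gold", "miles": 120000}},
    "contact":  {"pax-1": {"email": "pax1@example.com"}},
    "identity": {"pax-1": {"passport": "X0000000"}},
    "payment":  {"pax-1": {"card_last4": "0000"}},
}

# Least-privilege policy: which categories each function (internal service
# or third-party integration) may read. Anything not listed is denied.
POLICY: Dict[str, Set[str]] = {
    "loyalty-partner-sync": {"loyalty"},
    "marketing-mailer":     {"loyalty", "contact"},
    "checkin-kiosk":        {"identity", "contact"},
}


class AccessDenied(Exception):
    pass


def read(caller: str, category: str, record_id: str) -> dict:
    """Return a record only if the caller's function is allowed that category."""
    if category not in POLICY.get(caller, set()):
        raise AccessDenied(f"{caller} may not read {category}")
    return STORES[category][record_id]


def blast_radius(caller: str) -> Set[str]:
    """Categories an attacker reaches by stealing this caller's credential."""
    return set(POLICY.get(caller, set()))


def blast_radius_unsegmented() -> Set[str]:
    """The same stolen credential against one shared database: every category."""
    return set(STORES)


def exposed_records(caller: str) -> Dict[str, Dict[str, dict]]:
    """Concrete records an attacker could pull with the caller's access."""
    return {cat: dict(STORES[cat]) for cat in blast_radius(caller)}


if __name__ == "__main__":
    print(read("loyalty-partner-sync", "loyalty", "pax-1"))
    try:
        read("loyalty-partner-sync", "identity", "pax-1")
    except AccessDenied as exc:
        print("denied:", exc)
    print("segmented blast radius:", sorted(blast_radius("loyalty-partner-sync")))
    print("unsegmented blast radius:", sorted(blast_radius_unsegmented()))
```

The point of `blast_radius` versus `blast_radius_unsegmented` is the one Stapleton makes: a compromised partner integration that only ever needed loyalty data exposes loyalty data, not passports or payment details, provided the stores really are separate and the policy is enforced at the store rather than in the integration's own code.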

According to Reed, the security industry has also evolved over time; with today's compilers and frameworks, he added, software is more stable, with security built in by design.