A funny — but true — joke at TechCrunch is that the security desk might as well be called the Department of Bad News, since, well, have you seen what we’ve covered of late? There is a never-ending supply of devastating breaches, pervasive surveillance and dodgy startups flogging the downright dangerous.
Sometimes though — albeit rarely — there are glimmers of hope that we want to share. Not least because doing the right thing, even (and especially) in the face of adversity, helps make the cyber-realm that little bit safer.
Bangladesh thanked a security researcher for citizen data leak discovery
When a security researcher found that a Bangladeshi government website was leaking the personal information of its citizens, clearly something was amiss. Viktor Markopoulos found the exposed data thanks to an inadvertently cached Google search result, which exposed citizen names, addresses, phone numbers and national identity numbers from the affected website. TechCrunch verified that the Bangladeshi government website was leaking data, but efforts to alert the government department were initially met with silence. The data was so sensitive, TechCrunch could not say which government department was leaking the data, as this might expose the data further.
That’s when the country’s computer emergency incident response team, also known as CIRT, got in touch and confirmed the leaking database had been fixed. The data was spilling from none other than the country’s birth, death and marriage registrar office. CIRT confirmed in a public notice that it had resolved the data spill and that it left “no stone unturned” to understand how the leak happened. Governments seldom handle their scandals well, but an email from the government to the researcher thanking them for their finding and reporting the bug shows the government’s willingness to engage over cybersecurity where many other countries will not.
Apple throwing the kitchen sink at its spyware problem
It’s been more than a decade since Apple dropped its now-infamous claim that Macs don’t get PC viruses (which while technically true, those words have plagued the company for years). These days the most pressing threat to Apple devices is commercial spyware, developed by private companies and sold to governments, which can punch a hole in our phones’ security defenses and steal our data. It takes courage to admit a problem, but Apple did exactly that by rolling out Rapid Security Response fixes to fix security bugs actively exploited by spyware makers.
Apple rolled out its first emergency “hotfix” earlier this year to iPhones, iPads and Macs. The idea was to roll out critical patches that could be installed without always having to reboot the device (arguably the pain point for the security-minded). Apple also has a setting called Lockdown Mode, which limits certain device features on an Apple device that are typically targeted by spyware. Apple says it’s not aware of anyone using Lockdown Mode who was subsequently hacked. In fact, security researchers say that Lockdown Mode has actively blocked ongoing targeted hacks.
Taiwan’s government didn’t blink before intervening after corporate data leak
When a security researcher told TechCrunch that a ridesharing service called iRent — run by Taiwanese automotive giant Hotai Motors — was spilling real-time updating customer data to the internet, it seemed like a simple fix. But after a week of emailing the company to resolve the ongoing data spill — which included customer names, cell phone numbers and email addresses, and scans of customer licenses — TechCrunch never heard back. It wasn’t until we contacted the Taiwanese government for help disclosing the incident that we got a response immediately.
Within an hour of contacting the government, Taiwan’s minister for digital affairs Audrey Tang told TechCrunch by email that the exposed database had been flagged with Taiwan’s computer emergency incident response team, TWCERT, and was pulled offline. The speed at which the Taiwanese government responded was breathtakingly fast, but that wasn’t the end of it. Taiwan subsequently fined Hotai Motors for failing to protect the data of more than 400,000 customers, and was ordered to improve its cybersecurity. In its aftermath, Taiwan’s vice premier Cheng Wen-tsan said the fine of about $6,600 was “too light” and proposed a change to the law that would increase data breach fines by tenfold.
Leaky U.S. court record systems sparked the right kind of alarm
At the heart of any judicial system is its court records system, the tech stack used for submitting and storing sensitive legal documents for court cases. These systems are often online and searchable, while restricting access to files that could otherwise jeopardize an ongoing proceeding. But when security researcher Jason Parker found several court record systems with incredibly simple bugs that were exploitable using only a web browser, Parker knew they had to see that these bugs were fixed.
Parker found and disclosed eight security vulnerabilities in court records systems used in five U.S. states — and that was just in their first batch disclosure. Some of the flaws were fixed and some remain outstanding, and the responses from states were mixed. Florida’s Lee County took the heavy-handed (and self-owning) position of threatening the security researcher with Florida’s anti-hacking laws. But the disclosures also sent the right kind of alarm. Several state CISOs and officials responsible for court records systems across the U.S. saw the disclosure as an opportunity to inspect their own court record systems for vulnerabilities. Govtech is broken (and is desperately underserved), but having researchers like Parker finding and disclosing must-patch flaws makes the internet safer — and the judicial system fairer — for everyone.
Google killed geofence warrants, even if it was better late than never
It was Google’s greed driven by ads and perpetual growth that set the stage for geofence warrants. These so-called “reverse” search warrants allow police and government agencies to dumpster dive into Google’s vast stores of users’ location data to see if anyone was in the vicinity at the time a crime was committed. But the constitutionality (and accuracy) of these reverse-warrants have been called into question and critics have called on Google to put an end to the surveillance practice it largely created to begin with. And then, just before the holiday season, the gift of privacy: Google said it would begin storing location data on users’ devices and not centrally, effectively ending the ability for police to obtain real-time location from its servers.
Google’s move is not a panacea, and doesn’t undo the years of damage (or stop police from raiding historical data stored by Google). But it might nudge other companies also subject to these kinds of reverse-search warrants — hello Microsoft, Snap, Uber and Yahoo (TechCrunch’s parent company) — to follow suit and stop storing users’ sensitive data in a way that makes it accessible to government demands.
Comment