news.buyenne.com

Who's that behind you? Oculus's prying eyes, that's who! (credit: Oculus)

Critical backlash against Oculus's privacy policy reached Capitol Hill on Thursday, when Sen. Al Franken (D-Minn.) demanded that Oculus and its parent company Facebook answer for the data its new headset collects from virtual reality users.

"Oculus’ creation of an immersive virtual reality experience is an exciting development," Franken wrote in an open letter to Oculus CEO Brendan Iribe, "but it remains important to understand the extent to which Oculus may be collecting Americans’ personal information, including sensitive location data, and sharing that information with third parties."

The question is, what exactly is Oculus asking to collect—and how much worse is it compared to other online services' EULAs?

(credit: European Commission)

Leaked extracts from an imminent assessment of the EU-US Privacy Shield replacement for Safe Harbour suggests that a key group of EU data protection authorities will not support it in its present form.

It is expected that the Article 29 Working Party will say that it is "not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection [in the US] that is essentially equivalent to that in the EU." Any transatlantic data transfer scheme that does not provide an "essentially equivalent" level of protection is unlikely to withstand a legal challenge in the EU courts.

The leaked extracts, which have been seen by Ars, were found in an online PDF of the mandate for the German members of the Article 29 Working Party, which is expected to publish its official position of the Privacy Shield scheme soon. The extracts were first pointed out on the blog of the lawyer and privacy expert Dr. Carlo Piltz, who wrote: "These excerpts show that the European Data Protection Authorities are not able to okay the draft adequacy decision by the European Commission." At the time of publishing, it appears the mandate file has been deleted or removed from the Web.

Adobe has rushed out a Flash update to plug a security hole spotted by infosec researchers, who warned that Windows 10 users of the software may have been exposed to the flaw for more than a week.

Ne'er-do-wells could exploit the flaw by sending ransomware to Windows 10 machines. Adobe said its updates addressed critical vulnerabilities in Flash, and advised users to install the latest version of the software. It said in a security bulletin:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier.

Researchers at Proofpoint—which has a good explainer of the flaw here—worked with other infosec folk to track down the latest security hole in Flash that could be exploited by attackers with a type of ransomware dubbed "Cerber." The ransomware is understood to have been in the wild since at least March 31.

On Thursday, Wall Street’s bookkeeper announced that it had successfully tested blockchain technology to manage single-name credit default swaps (CDS) among four big banks: Bank of America Merrill Lynch, Citi, Credit Suisse, and JP Morgan.

In a credit default swap, one bank buys the debt owed to another bank with the understanding that if the debt holder defaults on their loan, the buyer bank will be compensated by the selling bank. In the years leading up to the 2008 recession, the buying and selling of credit default swaps was not watched by regulators at all, and as an NPR explainer described it in October 2008, "If bad mortgages got the financial system sick, credit default swaps helped spread the illness worldwide."

The need for more transparency is where blockchain comes in. The concept of the blockchain ledger was developed and popularized by virtual currency Bitcoin, and on a blockchain ledger peer-to-peer transactions can be monitored by every entity that’s party to the ledger, theoretically resulting in more transparency. And recently Silicon Valley has pushed the finance world to appropriate the blockchain concept to make more traditional transactions more efficient, as well: if transactions are seamlessly recorded on a shared ledger, using a middleman to clear the transactions is no longer necessary.

(credit: Aurich Lawson)

There's something inherently world-changing about the latest round of crypto-ransomware that has been hitting a wide range of organizations over the past few months. While most of the reported incidents of data being held hostage have purportedly involved a careless click by an individual on an e-mail attachment, an emerging class of criminals with slightly greater skill has turned ransomware into a sure way to cash in on just about any network intrusion.

And that means that there's now a financial incentive for going after just about anything. While the payoff of going after businesses' networks used to depend on the long play—working deep into the network, finding and packaging data, smuggling it back out—ransomware attacks don’t require that level of sophistication today. It's now much easier to convert hacks into cash.

Harlan Carve, a senior security researcher at Dell SecureWorks, put it this way. "It used to be, back in the days of Sub7 and 'joy riding on the Information Highway,' that your system would be compromised because you're on the Internet. And then it was because you've got something—you've got PCI data, PHI, PII, whatever the case may be. Then it was intellectual property. And now it's to the point where if you've got files, you're targeted."