Weather Channel app accused of selling user data to third parties

7 Jan 2019


This week in infosec, Los Angeles authorities accuse the Weather Channel app of secretly mining user data.

In the world of cybersecurity last week, global firm Proofpoint shone a spotlight on a new technique criminals are using to help disguise phishing websites.

The Luas website juddered to a screeching halt thanks to a cyberattack, and the website is still undergoing repairs today (7 January).

Meanwhile, German politicians fell victim to a major data breach, with email addresses and private communications published to an anonymous Twitter account over the month of December.

Stormy outlook for the Weather Channel app

Many of us regularly use third-party apps to check the weather before outdoor concerts or to potentially avoid getting soaked on our commute, but one popular offering, the Weather Channel app, is being sued by the city of Los Angeles, according to The New York Times.

The city government there says the operators unfairly coerced app users to turn on location tracking by saying it would only use the data to create localised weather reports.

Apparently, the firm also used the data for commercial purposes, such as targeted marketing. The Next Web pointed out that other weather apps have been subject to similar scandals, including Accuweather and WeatherBug.

Marriott reveals details on massive data breach

Last year, a massive data breach of Marriott International’s Starwood reservations system saw around 383m records accessed, as opposed to the 500m initially stated.

Marriott also revealed that 5.35m passport records were obtained and another 20.3m encrypted passport numbers were accessed. The hotel says a method for checking whether passport numbers were accessed will soon go live on its website.

NSA to release reverse-engineering tool for free

According to ZDNet, the US National Security Agency (NSA) is releasing a reverse-engineering tool free of charge at the RSA security conference slated to take place this March in San Francisco.

The software, developed in the 2000s, is called GHIDRA. In simple terms, it can break down executable files into assembly code, which can then be read by humans. When WikiLeaks published the Vault7 documents in 2017, it showed that the CIA had access to the tool.

European Commission launches bug bounty programme for open source tools

Infosecurity Magazine reports that the European Commission is launching a bug bounty scheme as part of the Free and Open Source Software Audit (FOSSA). Established by MEPs Julia Reda and Max Andersson in 2015, the scheme has had two iterations.

This third edition of FOSSA encompasses 15 software programs, including 7-zip, Apache Kafka, KeePass and VLC Media Player. A list of bounty amounts can be found on Julia Reda’s website.

Updated, 5.26pm, 7 January 2019: This article has been updated to reflect the correct number of encrypted passport numbers reportedly accessed in the Marriott breach as 20.3m.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
