By Usama Jawad96
Teams is getting Customer Lockbox so Microsoft cannot access your data without your approval
by Usama Jawad
Microsoft Teams is the online communication and collaboration tool of choice for millions of entities around the globe, including organizations and consumers. In fact, its popularity has soared so much during the pandemic that Microsoft is also integrating it at an OS-level with Windows 11. The company keeps updating Teams with a steady stream of features each month, and now, it has revealed that it is working on Customer Lockbox for the software.
For those unaware, Customer Lockbox is a capability that Microsoft offers across various services in Exchange Online, SharePoint Online, OneDrive for Business, and Azure. It ensures that while performing service operations and troubleshooting, Microsoft cannot get access to your information without your explicit approval.
While Microsoft engineers generally rely on telemetry and debugging techniques to troubleshoot problems, in some edge cases they do require direct access to customer data. Customer Lockbox essentially adds the customer into the approval workflow at the final step so that they can decide whether they want to give Microsoft access to their information to do root cause analysis (RCA). Customer Lockbox can be toggled, and all requests and outcomes are audited. Typically, when engineers request access to data via Customer Lockbox, they also give a timeboxed window within which they will perform their RCA and troubleshooting activities.
Microsoft has recently started tracking Feature ID 86190 on its Microsoft 365 Roadmap, which states that the company is bringing Customer Lockbox capabilities to Teams as well. The feature is currently in development with an expected release date of March 2022. The capability will roll out to Teams GCC, Worldwide (Standard Multi-Tenant), General Availability, and Web. Microsoft has not yet clarified what data on Teams will be protected by Customer Lockbox.
By Usama Jawad96
38 million records exposed because companies used default configs in Microsoft Power Apps portals
by Usama Jawad
Power Apps is Microsoft's low-code platform for organizations to quickly develop full-fledged applications, mostly for internal use, complete with a frontend and a backend. It is a powerful utility that allows you to build apps even if you're not skilled in programming. Microsoft regularly updates Power Apps with new features and capabilities. However, a new report might be cause for concern for organizations, as it appears that over 38 million records have leaked online because of people using default configurations in Microsoft Power Apps portals.
As reported by Wired, security firm UpGuard has highlighted that thousands of web apps made by multiple companies have been exposing sensitive information through public-facing Power Apps portals. According to the report, 38 million records were available to the public and contained COVID-19 contact-tracing information, employee databases, job information, phone numbers, social security numbers, and home addresses. Apparently, some of Microsoft's own apps also displayed the same behavior.
UpGuard says that when enabling APIs for Power Apps, the default configuration used to be such that any data hosted on portals was publicly accessible. Anyone who had access to a portal's URL could use it to scrape data belonging to another entity.
The security firm reported its findings to Microsoft as well, and as a result, the Redmond tech giant released an update in August to make APIs private by default. It also rolled out a tool so organizations can check the security settings of their Power Apps portals.
This is certainly an interesting case in terms of defining where the blame lies. While the onus should be on organizations to properly configure their Power Apps portals, having the APIs public by default is a bit of an odd design decision by Microsoft as well. Many companies use Power Apps to build applications for internal use and publish them immediately, so security is probably not the top priority in a lot of use cases. It is currently unknown if the 38 million records in question were scraped by someone, but it has been revealed that multiple companies including Ford, J.B. Hunt, and American Airlines were impacted by the misconfiguration.
Source: UpGuard via Wired
Editor's Note: The title and body of this news item were updated post-publication to reflect that the issue impacts Power Apps portals, not Power Apps as a whole.
China passes law tightening up data collection, processing, and protection
by Paul Hill
China has passed its new Personal Information Protection Law (PIPL) which seeks to tighten up the rules around data collection, processing, and protection, according to a CNBC report. Companies operating in China will now be subject to tougher rules on how people’s information can be stored and used; it’s expected to have an especial impact on tech giants which process lots of data.
The final draft of the law has not been published yet but a previous draft said that data collectors must obtain consent to collect data and users can withdraw their consent at any time. Companies will also not be allowed to deny services to users if they refuse to consent to the data collection rules unless that data collection is necessary for the functioning of the product or service.
The law also makes it more difficult for companies to transfer Chinese citizens’ data outside the country as companies have to abide by more ambitious requirements. Any company that is found to be breaking the rules risks being hit with a fine.
The importance of giving users more control over their data has come to the fore in recent years. The most notable data protection law to come into force in recent years is the European Union’s General Data Protection Regulation (GDPR). Similar laws were introduced in other areas including California.
In terms of the action we could see the Chinese taking against companies flouting the rules, we only need look to Didi Chuxing, which went public in the U.S. in July. The Chinese government swiftly banned the platform from signing up new members and it was removed from Chinese app stores after it was alleged it had illegally collected user data.
LG successfully trials 6G THz in an outdoor setting
by Paul Hill
LG marked a milestone today after it successfully trialed the transmission and reception of wireless 6G terahertz (THz) over a 100-metre distance in an outdoor setting. While the company is just announcing the results, it actually carried out the trial on August 13 in collaboration with Europe’s biggest applied research lab, Fraunhofer-Gesellschaft.
According to LG, one of the problems currently faced with 6G technology is the loss of power during the transmission and reception of data between antennas. To help address this, LG has worked with Fraunhofer HHI and the Fraunhofer Institute for Applied Solid State Physics (IAF) to build a power amplifier that was crucial to the latest trial.
The new power amplifier is able to generate a stable signal output of up to 15 dBm in the frequency range between 155 and 175 GHz. LG was also able to successfully demonstrate adaptive beamforming technology, which alters the signal’s direction based on the receiver’s position, and high-gain antenna switching, which combines output signals from several power amplifiers and sends them to specific antennas.
Commenting on the successful trial, Dr I.P. Park, President and CTO of LG Electronics, said:
The global standardisation of 6G is currently due for 2025 and then commercialisation will begin four years later in 2029. LG hopes that its technological innovations will feature as part of the standardisation and to help achieve this it has been working on 6G technology for two years to secure early-mover initiatives. We should expect to hear more from LG and other firms in the coming years as they refine 6G technology further.
By Usama Jawad96
U.S. Senators want to know more about Amazon One's collection of biometric data
by Usama Jawad
Amazon One is a program that launched a few months back. It offers Amazon customers a new way of contactless payments in which their palm prints, credit card details, and phone numbers are collected by the company, and they just need to hover their hand over a scanner to make payments and check out of Amazon stores. The service is currently available in 59 Amazon stores with plans of expanding to more soon. However, it appears that the collection of biometric data is making some U.S. lawmakers uncomfortable, as three of them have penned a letter to Amazon, asking for more details about its program.
The letter - which can be seen here - is addressed to Amazon CEO Andy Jassy, and is signed by U.S. Senators Amy Klobuchar, Bill Cassidy, and Jon Ossoff. The lawmakers have highlighted a number of concerns related to user privacy and data security. They have also cited past incidents of Amazon offering customer data to third parties and of the company's devices being hacked and leaking data. The Senators have noted that while some biometric systems, such as Apple's Face ID and Touch ID as well as Samsung Pass, store biometric data on the device, Amazon is uploading palm prints to the cloud, which raises further questions about data security. The letter goes on to say that:
As such, the lawmakers have asked Amazon a number of questions regarding its system. These deal with expansion plans for Amazon One, availability of customer data to third parties, privacy protections, whether the company will use this data to personalize advertisements, storage and security of data, and more. The letter also inquires into the number of people who have signed up for Amazon One. The Senators have asked that Amazon respond to all of their concerns by August 26, but the company has declined to comment at this time.
Via: The Seattle Times