US FTC Seeks Information on Cloud Computing Companies’ Business Practices

The Federal Trade Commission said on Wednesday it is seeking information from the public on cloud computing companies’ business practices including details on their market power, competition and potential security issues.

The US cloud computing business is dominated by four providers: Amazon.com, Microsoft, Alphabet's Google and Oracle. None of the companies immediately responded to a request for comment.

“Swathes of the economy now seem reliant on a small number of cloud computing providers,” said FTC Chair Lina Khan on Twitter. She added that the FTC “is seeking public input on how the current market structure and business practices of cloud providers affect competition and data security.”

The FTC and Justice Department under President Joe Biden have taken a strong stance against the perceived abuse of market power by challenging numerous mergers, cracking down on what they call “junk fees”, and taking other actions aimed at giving consumers more say in the services they use.

Recently, regulators have started to focus on the cloud. Europe’s antitrust authority began probing Microsoft’s licensing agreements that discouraged rival cloud usage, prompting changes by the company in October that critics still called insufficient. Fees to take data out of various providers’ clouds have also drawn scrutiny from smaller players.

FTC staff are interested in the impact of cloud computing on industries including “healthcare, finance, transportation, e-commerce, and defense,” according to its press release.

The public will have until May 22 to submit a comment on the FTC “Request for information”.

The agency is asking for comments on which segments of the economy rely on a handful of cloud service providers, detail on contract negotiations, incentives to buy more services from a single provider, detail on services provided and information on notifications related to security.

The consumer protection agency noted it has targeted companies that failed to put in place security safeguards to protect data stored on third-party cloud computing services including one involving the alcohol delivery platform Drizly and another focused on education technology provider Chegg.

© Thomson Reuters 2023


Democrats Widen Scrutiny of US Tech Companies Over Abortion Data Privacy

Democratic representatives are widening their scrutiny into the role of tech companies in collecting the personal data of people who may be seeking an abortion, as lawmakers, regulators and the Biden administration grapple with the aftermath of the Supreme Court ruling last month ending the constitutional protections for abortion.

In a new volley of congressional letters, six House Democrats have asked the top executives of Amazon's cloud-service network and major cloud provider Oracle about the companies’ handling of consumers’ location data from mobile phones, and what steps they have taken or planned to protect the privacy rights of individuals seeking information on abortion.

The decision by the court’s conservative majority to overturn Roe vs Wade has resulted in strict limits or total bans on abortion in more than a dozen states. About a dozen more states are set to impose additional restrictions. Privacy experts say that could make women vulnerable because their personal data could be used to surveil pregnancies and shared with police or sold to vigilantes. Online searches, location data, text messages and emails, and even apps that track periods could be used to prosecute people who seek an abortion — or medical care for a miscarriage — as well as those who assist them, experts say.

Privacy advocates are watching for possible new moves by law enforcement agencies in affected states — serving subpoenas, for example, on tech companies such as Google, Apple, Bing, Facebook's Messenger and WhatsApp, services like Uber and Lyft, and internet service providers including AT&T, Verizon, T-Mobile and Comcast.

“Data collected and sold by your company could be used by law enforcement and prosecutors in states with aggressive abortion restrictions,” the House Democrats, led by Representative Lori Trahan of Massachusetts, said in the letters. “Additionally, in states that empower vigilantes and private actors to sue abortion providers, this information can be used as part of judicial proceedings.”

“When consumers use apps on their phone and quickly tap ‘yes’ on ‘use geolocation data’ pop-ups, they should not be worried about the endless sale of their data to advertisers, individuals or law enforcement. And it most certainly should not be used to hunt down, prosecute and jail an individual seeking reproductive care. Companies can take action today to protect individual rights.”

The letters also went to executives of Near Intelligence Holdings and Mobilewalla. Along with Oracle and Amazon Web Services’ Data Exchange, the companies were described as leading data brokers — businesses that gather, sell or trade location data from mobile phones, which could be used to track people who have visited abortion clinics or have gone out of state seeking abortion services.

Five other Democrats active in tech issues signed the letters with Trahan: Representatives David Cicilline of Rhode Island, Yvette Clarke of New York, Debbie Dingell of Michigan, Adam Schiff of California and Sean Casten of Illinois.

Spokespeople for Amazon and Oracle didn’t respond to requests for comment from The Associated Press.

Also this week, Massachusetts’ two US senators, Democrats Elizabeth Warren and Edward Markey, sent letters to four companies raising concerns that the software they use to monitor students’ online communications could be used to punish students who seek information about abortion services and reproductive health care. They asked the companies — Bark Technologies, Gaggle.net, GoGuardian and Securly — whether their software flags students’ online searches for abortion and other related terms.

“It would be deeply disturbing if your software flags words or activity that suggest students are searching for contraception, abortion or other related services, and if school administrators, parents and even law enforcement were potentially informed of this activity,” Warren and Markey wrote.

Generally, the so-called “ed tech” companies say the monitoring is intended to stop the next school shooter or student suicide, and that the scans are mostly limited to school e-mails or activity on school computers or internet networks, not private accounts.

Earlier this month, President Joe Biden, under mounting pressure from fellow Democrats to be more forceful in response to the Supreme Court ruling, signed an executive order to try to protect access to abortion. The actions Biden outlined are intended to head off some potential penalties that women seeking abortion may face after the ruling, but his order cannot restore access to abortion in the more than a dozen states where strict limits or total bans have gone into effect.

Biden also asked the Federal Trade Commission to take steps to protect the privacy of those seeking information about reproductive care online. On June 24, the day the high court announced its decision, four Democratic lawmakers asked the FTC to investigate Apple and Google for allegedly deceiving millions of mobile phone users by enabling the collection and sale of their personal data of all kinds to third parties.

In May, several Senate Democrats urged the CEOs of Google and Apple to prohibit apps on the Google Play Store and the Apple App Store from using data-mining practices that could facilitate the targeting of individuals seeking abortion services.


TikTok Said to Reassure Lawmakers on US Data Security, Writes Letter to Ensure Information Transfer to Oracle

Chinese-owned social media site TikTok told US senators it was working on a final agreement with the Biden Administration that would “fully safeguard user data and US national security interests,” according to a letter seen Friday by Reuters.

TikTok Chief Executive Shou Zi Chew told senators in a letter dated Thursday that the short video app was working with Oracle on “new advanced data security controls that we hope to finalise in the near future.”

Last month, TikTok said it had completed migrating information on its US users to servers at Oracle but it was still using US and Singapore data centres for backup.

TikTok’s letter acknowledged that China-based employees “can have access to TikTok US user data subject to a series of robust cybersecurity controls and authorisation approval protocols overseen by our US-based security team.”

TikTok said as it continues to work on data issues it expects “to delete US users protected data from our own systems and fully pivot to Oracle cloud servers located in the US.”

A TikTok spokesperson confirmed the company sent a response to the senators’ letter. “We look forward to connecting with Members of congress to discuss the substance of our letter,” the spokesperson said in a statement to Reuters.

Republican Senator Marsha Blackburn said TikTok “should have come clean from the start but instead tried to shroud their work in secrecy. Americans need to know that if they are on TikTok, Communist China has their information. TikTok needs to come back and testify before Congress.”

The letter comes nearly two years after a US national security panel ordered parent company ByteDance to divest TikTok because of fears that US user data could be passed on to China’s communist government.

“We know we are among the most scrutinised platforms from a security standpoint and we aim to remove any doubt about the security of US user data,” the letter said.

TikTok is one of the world’s most popular social media apps, with more than 1 billion active users globally, and counts the United States as its largest market.

© Thomson Reuters 2022


US Senators Seek Report on Security Review of TikTok a Week After Data Transferred to Oracle

A group of six Republican senators on Friday asked the US Treasury Secretary Janet Yellen about an ongoing Biden administration national security review of social media platform TikTok.

The US government’s Committee on Foreign Investment in the United States (CFIUS), which reviews deals by foreign acquirers for potential national security risks, in 2020 ordered Chinese parent company ByteDance to divest TikTok because of fears that the US user data could be passed on to China’s communist government.

Last week, TikTok said it has completed migrating information on its US users to servers at Oracle, as it seeks to address US concerns over data integrity.

Senators Tom Cotton, Ben Sasse, Mike Braun, Marco Rubio, Todd Young and Roger Wicker asked Yellen numerous questions, saying the administration “has seemingly done nothing to enforce” the August 2020 divestiture order. They noted “the results of the security reviews, likewise, have not been publicly released after one year.”

The senators want to know “will TikTok be locally managed in the United States?” and “Will the US government have the ability to routinely access and inspect the algorithm’s source code?” They also ask, “what assurances does the US government have that TikTok will store US data and adopt privacy policies with adequate protections?”

TikTok did not immediately respond to a request for comment.

Former President Donald Trump attempted to block new users from downloading WeChat and TikTok and ban other transactions that would have effectively blocked the apps’ use in the United States but lost a series of court battles.

President Joe Biden in June 2021 withdrew a series of Trump’s executive orders that sought to ban new downloads of the apps and ordered the Commerce Department to conduct a review of security concerns posed by the apps.

The senators said the proposal for TikTok to store its US users’ information without ByteDance access “would do little to address the core security concerns.”

CFIUS has been in extensive discussions with TikTok on security issues, sources have said. A spokesman for Yellen declined to comment Friday.

TikTok is one of the world’s most popular social media apps, with more than 1 billion active users globally, and counts the US as its largest market.

© Thomson Reuters 2022


TikTok Migrates US Users’ Data to Oracle Servers, Ensures Safety of Information

TikTok said it has completed migrating information on its US users to servers at Oracle, in a move that could address US regulatory concerns over data integrity on the popular short video app.

The move, which was first reported by Reuters, comes nearly two years after a US national security panel ordered parent company ByteDance to divest TikTok because of fears that US user data could be passed on to China’s communist government.

TikTok is one of the world’s most popular social media apps, with more than 1 billion active users globally, and counts the US as its largest market.

The United States has been increasingly scrutinising app developers over the personal data they handle, especially if some of it involves US military or intelligence personnel.

The order to sell off TikTok was not enforced after Joe Biden succeeded Donald Trump as US president last year.

The panel, known as the Committee on Foreign Investment in the United States (CFIUS), however, has continued to harbor concerns over data security at TikTok that ByteDance is now hoping to address, Reuters previously reported.

The White House had no immediate comment while the US Treasury declined to comment.

In March, Reuters reported that TikTok was nearing a deal for Oracle to store its US users’ information.

Oracle had discussed acquiring a minority stake in TikTok in 2020, when ByteDance was under US pressure to sell the app. The cloud computing giant now stores all of TikTok’s US user data on Oracle data servers in the United States under the new partnership, TikTok said.

Oracle declined to comment.

Data security team

TikTok had previously been storing its US user data at its own data centres in Virginia, with a backup in Singapore. It will now delete private data on US users from its own data centres and rely fully on Oracle’s US servers, it said.

The Virginia and Singapore centres are still being used to back up the data, the company said.

TikTok has also set up a dedicated US data security team, known as “USDS”, to act as gatekeeper for US user information and ring-fence it from ByteDance, a company spokesperson told Reuters.

Led by Andrew Bonillo, who was an executive at TikTok’s global security department, the USDS currently reports to TikTok CEO Shou Zi Chew, the spokesperson said.

The company is discussing a structure under which the team would operate autonomously and not be under TikTok’s control or supervision, a source told Reuters.

Another senior executive at USDS is Will Farrell, who was previously working under TikTok’s Chief Security Officer Roland Cloutier. The USDS team includes content moderation personnel, engineers, and members from user and product operations.

ByteDance is one of China’s fastest growing startups. It owns the country’s leading news aggregator, Jinri Toutiao, as well as TikTok’s Chinese counterpart Douyin.

In June 2021, Biden withdrew Trump-era executive orders that sought to ban new downloads of WeChat and TikTok. The Commerce Department is writing new rules on app data security that could potentially lead to restrictions on how apps based abroad use US user data or even ban apps deemed serious security risks.

Commerce Secretary Gina Raimondo said last year the administration is “very serious about protecting Americans’ data,” but criticised Trump’s approach.

“Doing some executive order that’s meaningless on TikTok is not the way to do it,” she said.

© Thomson Reuters 2022


Java Suffers from Crypto Bug That Could Allow Attackers to Bypass Digital Signatures, Oracle Releases Fix

Java versions 15 and above carry a flaw in their implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could be exploited by cybercriminals to forge digital signatures on some types of Secure Sockets Layer (SSL) certificates, signed JSON Web Tokens (JWTs), and even two-factor authentication messages. The issue was first discovered last year and reported to Oracle, which patched it last week. However, since organisations take time to roll out new releases, any device that uses the affected Java versions to consume digitally signed data could remain at risk.

Oracle patched the issue, which some in the security community have called a blunder, as part of a release of more than 500 fixes. The vulnerability is tracked as CVE-2022-21449.

Neil Madden, a researcher at security consultancy ForgeRock, found the loophole and reported it to Oracle privately in November. Although Oracle assigned the issue a severity rating of 7.5 out of 10, experts including ForgeRock consider it a 10, “due to the wide range of impacts on different functionality”.

“If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper,” Madden wrote in a blog post.

Cybercriminals and hackers could use the flaw to digitally sign a malicious app or file, with a range of implications for end users. It could ultimately allow attackers to gain backdoor access to systems or compromise a network using files and data that look authentic and trustworthy.

Java’s ECDSA implementation is based on elliptic curve cryptography, one of the best-known and most widely adopted approaches to key agreement and digital signatures. The researcher found that the bug was introduced when the elliptic curve code was rewritten from native C++ to Java with the release of Java 15.

A digital signature based on elliptic curve cryptography lets a signer prove to the recipient that they hold the private key corresponding to a public key. That proof is what the recipient relies on to authenticate the signer and grant access to the data; a party who does not hold the private key should be unable to present a valid signature during a handshake.

Because of the flaw, however, an attacker could present a blank signature that the system would accept as valid against any public key.

Madden likens these signatures to “psychic paper”, the plot device from the long-running sci-fi series Doctor Who: a completely blank sheet that functions as a security pass, warrant or other credential by showing whatever the protagonist wants others to see.

“An ECDSA signature consists of two values, called r and s,” the researcher said while explaining the flaw. “To verify an ECDSA signature, the verifier checks an equation involving r, s, the signer’s public key, and a hash of the message. If the two sides of the equation are equal then the signature is valid, otherwise it is rejected.”

The verification procedure requires that r and s both be non-zero. Java’s implementation of the verification did not enforce this.

“Java’s implementation of ECDSA signature verification didn’t check if R or S were zero, so you could produce a signature value in which they are both 0 (appropriately encoded) and Java would accept it as a valid signature for any message and for any public key,” Madden said.
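To show the check Madden describes in working code, here is an added example that is not code from the article, Oracle or ForgeRock: a toy ECDSA over the public secp256k1 curve with two verifiers. `verify_vulnerable` is modelled on the flaw as described above, skipping the range check on r and s; its arithmetic is assumed to invert s by Fermat’s little theorem (so s = 0 inverts to 0) and to read the identity point’s x-coordinate as 0, which is what makes the all-zero signature pass. `verify_hardened` adds the check the fix requires. The private key, nonce derivation and messages are constructed for the demonstration; the nonce is a deterministic stand-in rather than RFC 6979, and the hand-rolled arithmetic is not constant-time, so it is for illustration only.

```python
"""Toy ECDSA over secp256k1 illustrating the missing r/s range check.

Added example, not code from the article, Oracle or ForgeRock. Curve
parameters are the public secp256k1 constants; key, nonce derivation and
messages are constructed for the demonstration.
"""
import hashlib

# secp256k1 domain parameters (public constants): y^2 = x^3 + 7 over GF(P).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

BLANK_SIGNATURE = (0, 0)  # the "psychic" signature: r = 0 and s = 0


def point_add(p1, p2):
    """Affine point addition on secp256k1 (a = 0); INF is the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p1 == -p2
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; a scalar of 0 (mod N) yields INF."""
    k %= N
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    # N is 256 bits wide, so the whole SHA-256 digest is used as e.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    """Standard ECDSA signing; the nonce is a constructed deterministic
    stand-in (not RFC 6979), chosen in [1, N-1]."""
    e = hash_to_int(msg)
    k = hash_to_int(b"constructed-nonce" + priv.to_bytes(32, "big") + msg) % (N - 1) + 1
    while True:
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s:  # the signer side also requires non-zero r and s
            return (r, s)
        k = k % (N - 1) + 1  # retry; probability ~2^-256, never hit in practice


def verify_vulnerable(pub, msg, sig):
    """Modelled on the flawed verifier: no range check on r and s; inversion by
    Fermat's little theorem (s**(N-2) mod N gives 0 for s == 0); identity
    point's x read as 0. The last two details are assumptions about the buggy
    arithmetic, made so the all-zero signature is accepted as the article states."""
    r, s = sig
    e = hash_to_int(msg)
    w = pow(s, N - 2, N)
    u1, u2 = e * w % N, r * w % N
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    x = 0 if R is INF else R[0]
    return x % N == r


def verify_hardened(pub, msg, sig):
    """ECDSA verification with the range check the flawed code omitted."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False  # rejects BLANK_SIGNATURE before any arithmetic runs
    e = hash_to_int(msg)
    w = pow(s, -1, N)
    u1, u2 = e * w % N, r * w % N
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    if R is INF:
        return False
    return R[0] % N == r


# Constructed private key for the demonstration (not a real key).
PRIV = hash_to_int(b"constructed test key") % (N - 1) + 1


def demo():
    """Run both verifiers on a genuine, a blank and a tampered signature."""
    pub = scalar_mult(PRIV, G)
    msg = b"constructed message: transfer approved"
    good = sign(PRIV, msg)
    return {
        "genuine_vuln": verify_vulnerable(pub, msg, good),
        "genuine_hard": verify_hardened(pub, msg, good),
        "blank_vuln": verify_vulnerable(pub, msg, BLANK_SIGNATURE),
        "blank_hard": verify_hardened(pub, msg, BLANK_SIGNATURE),
        "tampered_vuln": verify_vulnerable(pub, msg + b"!", good),
        "tampered_hard": verify_hardened(pub, msg + b"!", good),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The genuine signature passes both verifiers and the tampered message fails both, so the range check costs nothing for legitimate traffic; the difference is only that `verify_vulnerable` accepts the all-zero signature for any message and any public key, exactly the blank-paper behaviour described above, while `verify_hardened` rejects it before any curve arithmetic runs.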

Echoing the severity highlighted by Madden, security expert Thomas Ptacek said that the issue is the “crypto bug of the year.”

Security firm Sophos also pointed out in a blog post that the bug does not affect only Java servers that interact with client software.

“Any device that consumes digitally-signed data inside your network could be at risk,” it said.

The affected versions, Java 15 to 18, are thankfully not as widely used as earlier releases. According to a survey conducted between February and March 2021 by cybersecurity firm Snyk, Java 11 accounted for over 61 percent of deployments, while Java 15 had a share of 12 percent.

Nevertheless, IT administrators and organisations are advised to update their Java versions promptly to avoid attacks.
