Tag Archives: privacy

Privacy Exploit – Easy Lobby Visitor Kiosk Access Systems and Others

Read full article on ThreatPost

Student researchers working with IBM X-Force Red team find security holes in five leading visitor management systems.

Excerpt:

Visitor-management systems protect business against physical threats such as unwanted and unidentified guests. But many of these lobby-based perimeter checkpoints are opening up companies to a bevy of cyber-threats.

On Monday, IBM’s penetration testing team, X-Force Red, released a report that outlines 19 bugs found across five leading visitor-management systems. Vulnerabilities range from data leakage to complete program takeover and the ability for a visitor to press Windows hotkeys to break out of the kiosk environment. Affected are systems made by HID Global (EasyLobby Solo), Threshold (eVisitorPass), Envoy (Envoy Passport) and The Receptionist (The Receptionist).

Interestingly, the research was conducted by IBM summer interns (Hannah Robbins and Scott Brink) under the guidance of the X-Force Red research team.

“These are really interesting targets. By their very nature, they are exposed to the public that has no credentials,” said Daniel Crowley, IBM X-Force Red’s research director.

Crowley said researchers had three goals in testing the visitor-management systems. “One was how easy it is to get checked in as a visitor without any sort of real identifying information. Secondly, we set out to see how easy it is to get other people’s information out of the system. And third, is there a way that an adversary can break out of the application, cause it to crash or get arbitrary code execution to run on the targeted device and gain a foothold to attack the corporate network,” he said.

Researchers said they were able to accomplish all three.

ADA Litigation – New Spin on Song-Beverly Act Litigation Against Retailers

A New Spin on Song-Beverly Act ADA Litigation Against Retailers

How much data are you handing over at the point of sale? How much data are you taking or handling? New litigation in California also points at the physical locations of the devices that capture that data.

Excerpt:

Retailers operating brick-and-mortar stores in California are likely well aware of the state’s requirements for the collection of consumers’ personally identifiable information (PII). The Song-Beverly Credit Card Act of 1971 (the “Act”) imposes civil penalties for certain practices with respect to capturing and recording PII in cardholder transactions. See Cal. Civ. Code § 1747.08. Traditional litigation under the Act challenged retailers’ requests for telephone numbers, driver license numbers, and email addresses in connection with credit card payments at the point of sale. Beginning in 2011, when the California Supreme Court held that ZIP codes constitute PII, retailers most notably faced a wave of litigation regarding requests for customers’ ZIP codes at the point of sale before purchases were consummated. See Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011). As we reported in June 2017, filings in this area have garnered less attention in recent years as prudent retailers have modified certain aspects of their checkout policies and procedures.

https://www.natlawreview.com/article/new-spin-song-beverly-act-litigation-against-retailers

Key Changes with the General Data Protection Regulation

EU GDPR or General Data Protection Regulation 2018

Key changes coming with the European General Data Protection Regulation (EU GDPR) and how it will impact businesses.

Source: www.eugdpr.org

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018, at which time those organizations in non-compliance may face heavy fines.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.