Encrypted mail service Proton confirmed handing PII to cops again


in brief Encrypted email service Proton Mail is in hot water again, and for the same thing that earned it flak before: handing user data over to law enforcement.

Proton, which offers several software products it touts as being secure and safe, includes an end-to-end encrypted email product. Ostensibly designed for the privacy-conscious, Proton claims to be unable to read the content of email and attachments, to be free of trackers and ads, and to have the "highest standards of privacy."

Those lofty privacy ambitions haven't always been easy for Proton to achieve. In 2021, the Switzerland-based vendor provided Swiss police with the IP address and device details of a user they were trying to identify. That individual – a French climate activist – was later arrested after Proton shared the same data with French police. 

Shortly after the incident, Proton removed the claim that it didn't track user IP addresses from its website. Proton has also previously been accused of offering real-time surveillance of users to authorities. 

In this latest instance, Proton has admitted to handing recovery email address information to Spanish police concerning a suspect believed to be supporting Catalonian separatists. Spanish police handed the recovery address to Apple, which was reportedly able to identify the individual associated with the account. 

Proton told privacy advocacy outlet Restore Privacy it was aware of the case, but its hands were tied under Swiss laws against terrorism. 

"Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect," a Proton spokesperson protested. "Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method." 

When we reached out to Proton it directed us to a Twitter thread from its CEO Andy Yen, in which he says much the same.

To paraphrase Yen: sure, your email is secure, but whatever we know about you that isn't encrypted is fair game when the government hands us a subpoena.

Critical vulnerabilities: Time to polish that Chrome

We start this week of vulnerabilities with a Chrome stable channel update released last Thursday. This patch fixes CVE-2024-4671, a use-after-free vulnerability in Visuals. What makes this one important to deal with is the fact that Google is aware of it being exploited in the wild, so check Chrome for updates and get them installed ASAP.

Elsewhere:

CVSS 9.3 – CVE-2023-46604: Delta Electronics InfraSuite Device Master hardware monitoring software is running an older version of Apache ActiveMQ that makes it vulnerable to deserialization of untrusted data.

CVSS 9.2 – CVE-2024-3493: Several models of Rockwell Automation ControlLogix and GuardLogix PLCs are improperly validating input, opening them to an MNRF (major nonrecoverable fault).

CVSS 8.6 – CVE-2024-26024: Subnet Solutions Substation Server versions 2.23.10 and prior contain untrustworthy third-party components that could lead to RCE, DoS or other bad conditions.

CVSS 8.3 – CVE-2024-4622: Alpitronic Hypercharger EV charging units are using known default credentials in their web portals, opening them up to takeover.

Patent office springs another leak

The US Patent and Trademark Office (USPTO) has admitted for the second time in as many years to publicly disclosing the private information of patent applicants online.

Last year the blame fell on a misconfigured API exposing domicile data. This time it's reportedly domicile data being exposed again – but the Patent Office claims the issue stems from an IT systems migration mistake.  

Approximately 14,000 patent applicants have had their private addresses exposed in bulk datasets published by the USPTO, the Office revealed. The data wasn't discoverable in regular searches during the period in which it was exposed (August 2023 to April 2024). 

"[USPTO] blocked access to the impacted bulk data set, removed files, implemented a patch to fix the exposure, tested our solution, and re-enabled access," the agency explained of its recovery measures. 

It's just too bad for everyone caught up in the leak that it took around a year to spot the issue for the second time in a row. 

LockBit still strong enough to knock Wichita offline

Its operations may have been significantly curtailed and its leader may have been exposed, but that doesn't mean notorious ransomware group LockBit is giving up the game. New targets – like the government of the city of Wichita, Kansas – are still being attacked.

Wichita officials disclosed a ransomware attack that took several systems offline last week, forcing the city to take payment systems offline for its water utility, court and public transportation. Arrival and departure screens at Wichita's airport, and its public Wi-Fi, were offline as well.

The day after Wichita disclosed the attack on its own, LockBit posted the city to the ransom website it established after its original site was seized by law enforcement earlier this year.

Systems were still reported offline as of Friday, May 10, and Wichita officials still haven't provided a timetable for system restoration. ®
