Welcome to Codebook, the cybersecurity newsletter telling you to subscribe to Axios' new Cities newsletter.
Situational Awareness: President Trump is currently hosting his social media summit.
Today's Smart Brevity: 1,425 words, ~4 minute read.
Photo: ValeryBrozhinsky/Getty Images
A researcher has demonstrated how to exploit Europe's privacy protection laws to violate other people's privacy — and new privacy rules on the way in the U.S. could be vulnerable in the same way.
The big picture: Privacy laws, including Europe's mammoth General Data Protection Regulation and California's recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.
Yes, but: These laws have generally not spelled out how a company should verify that the person filing a request is actually the data subject before handing the data over.
Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancee he could use GDPR access requests, filed in her name, to steal her personal information from the companies that hold it.
"Companies are afraid under GDPR of telling you no."— James Pavur
"The very big companies did an excellent job fighting fraud and told me to access that information through my profile or email from the account I used to sign up," Pavur, who will present his research in August at the Black Hat conference, told Codebook. "The small companies — like a podcast company in the U.S. — knew the law didn't apply to them."
Between the lines: "These laws focus upon the user, not the company," said Matthew McCabe, senior vice president and assistant general counsel for cyber policy at Marsh.
What's next: "The same problem in GDPR is in the California Consumer Privacy Act," which goes into effect at the start of 2020, said Shannon Yavorsky, data security and privacy partner at Venable.
Why it matters: Without a concerted effort to mandate fighting fraud while protecting privacy, these experts agree, new U.S. privacy laws are likely to create similar new vulnerabilities.
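The gap the experts describe is an identity-verification gap: a request that merely claims to be from a given person should never release data on its own. Below is an added example (not code from Pavur's research or from any company named here) of an access-request intake that answers a claim of identity with a single-use, short-lived challenge delivered only to the address already on file, so a requester who supplies a different reply address gets nothing. The user records and the "outbound mail" are constructed stand-ins.

```python
"""Gating a data-subject access request on proof of control of the on-file address.
Constructed sample data; illustrative code, not any company's DSAR handler."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60

# Constructed user database: address on file -> personal data held about them.
USERS = {
    "alice@example.com": {"name": "Alice", "orders": 12},
}


@dataclass
class DsarService:
    now: Callable[[], float] = time.time          # injectable clock for tests
    pending: dict = field(default_factory=dict)   # sha256(token) -> (email, expiry)

    @staticmethod
    def _h(token: str) -> str:
        # Store only a hash so a leaked pending table cannot be redeemed.
        return hashlib.sha256(token.encode()).hexdigest()

    def receive_request(self, claimed_email: str, reply_to: str) -> dict:
        """Intake step. Releases nothing. If the claimed address is a customer,
        a challenge token goes to THAT address, never to reply_to. The reply
        shape is identical for unknown addresses so the endpoint does not
        confirm who is and is not a customer."""
        token = secrets.token_urlsafe(32)
        outbound = None
        if claimed_email in USERS:
            self.pending[self._h(token)] = (claimed_email, self.now() + TOKEN_TTL_SECONDS)
            # Simulated mail delivery: in production this is an email send.
            outbound = {"to": claimed_email, "token": token}
        return {"status": "challenge_sent_if_known", "outbound": outbound}

    def fulfil(self, token: str) -> Optional[dict]:
        """Release step. Only a valid, unexpired, never-used token works."""
        entry = self.pending.pop(self._h(token), None)   # pop => single use
        if entry is None:
            return None
        email, expiry = entry
        if self.now() > expiry:
            return None
        return {"email": email, "data": USERS[email]}


def demo() -> tuple:
    """Walk through the attack the article describes and show where it stops."""
    svc = DsarService()
    # Attacker knows Alice's address and asks for her data at his own inbox.
    r = svc.receive_request("alice@example.com", reply_to="attacker@evil.example")
    challenge_to = r["outbound"]["to"]              # goes to Alice, not the attacker
    forged = svc.fulfil("not-the-real-token")       # guessing does not work
    real = svc.fulfil(r["outbound"]["token"])       # Alice herself can redeem it
    replay = svc.fulfil(r["outbound"]["token"])     # ...but only once
    unknown = svc.receive_request("nobody@example.com", "nobody@example.com")
    return challenge_to, forged, real, replay, unknown["outbound"]


if __name__ == "__main__":
    print(demo())
```

The design point is that the reply-to address supplied by the requester is never used for anything; the only channel that can complete the request is one the company already trusts. A company that instead answers "tell me who you are and where to send it" is the pattern Pavur exploited.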
Amazon's cloud-shaped tent at the 2016 CeBIT international computer expo in Hanover, Germany. Photo: Peter Steffen/picture alliance via Getty Images
A hacker group known as Magecart appears to have inserted credit-card-stealing code into more than 17,000 websites by abusing Amazon S3 storage buckets that the site owners had left writable by anyone.
Why it matters: Companies use cloud storage to serve the scripts and other files their websites need, but a bucket that allows public write access lets an attacker overwrite those files, so every visitor then loads the attacker's JavaScript along with the site's own.
It's not just small companies: RiskIQ researcher Yonathan Klijnsma, who reported the campaign, noted that the victims include sites in the top 2,000 of web rankings service Alexa.
What happens next: RiskIQ is working with Amazon to notify affected sites.
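The misconfiguration behind this campaign is a bucket policy or ACL that grants write access to an anonymous principal. As an added example (not RiskIQ's or Amazon's tooling), the checker below walks a bucket policy and an ACL grant list and reports any statement or grant that lets the public write objects, including the wildcard forms such as `s3:Put*` that a quick eyeball review tends to miss. The policies and grants are constructed samples in the shape the S3 API returns.

```python
"""Flag S3 bucket policies and ACLs that let anyone write objects.
Sample policy/ACL documents are constructed; illustrative checker only."""
import fnmatch
import json

# Actions that let a third party plant or replace content the site serves.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")
PUBLIC_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_public(principal) -> bool:
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_findings(policy_json: str) -> list:
    """Return (Sid, 'conditional'|'unconditional', [write actions]) per risky statement."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action", []))
        granted = [a for a in WRITE_ACTIONS if any(_action_matches(p, a) for p in patterns)]
        if not granted:
            continue
        # A Condition block may narrow the grant; still report it for manual review.
        note = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append((stmt.get("Sid", "<no Sid>"), note, granted))
    return findings


def acl_findings(grants: list) -> list:
    """Return (group, permission) for public-group grants that permit writing."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g["Permission"] in ("WRITE", "FULL_CONTROL")
    ]


# Constructed samples: a read-only public bucket (fine for static assets) and
# one where a second statement quietly adds write access for everyone.
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-assets/*"}]})

BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-assets/*"},
    {"Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Get*", "s3:Put*"], "Resource": "arn:aws:s3:::static-assets/*"}]})

BAD_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "WRITE"},
]

if __name__ == "__main__":
    print(policy_findings(SAFE_POLICY))   # []
    print(policy_findings(BAD_POLICY))    # [('Oops', 'unconditional', ['s3:PutObject', 's3:PutObjectAcl'])]
    print(acl_findings(BAD_ACL))          # [('AllUsers', 'WRITE')]
```

Note that `AuthenticatedUsers` is treated as public here on purpose: it means any AWS account holder, not any of your users. In practice the account-level and bucket-level Block Public Access settings remove this whole class of mistake, and a checker like this is the audit to run on buckets that predate them.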
The National Institute of Standards and Technology held its third public meeting Tuesday on the Privacy Framework it is currently developing.
The big picture: NIST is the Commerce Department agency that wrote the immensely popular Cybersecurity Framework, a set of general guidelines for conceptualizing cybersecurity that has been translated into multiple languages and become popular the world over.
Why it matters: In a perfect world, the Privacy Framework would have a similar impact, said Kent Landfield, the head of standards and technology policy at McAfee and an active participant in the meetings.
Details: Whether the document should be a guide to standards or a guide to strategy was a point of contention at the NIST meetings, said Landfield, as some participants had hoped for a guide to navigating GDPR. This meeting marked the first time all participants were on board with what NIST intended to do.
Mozilla ends alleged spy's web bid (Axios): Mozilla, the creator of the Firefox web browser, denied a United Arab Emirates firm's request to be trusted directly as a root certificate authority in Firefox, which would have let it issue certificates for any website without operating under the supervision of an already-trusted authority. The UAE firm is accused of assisting that nation's global cyber espionage operations.
Cyber Command warns of attacks with potential Iran tie (Axios): United States Cyber Command issued a warning Tuesday about hackers exploiting a security flaw in Microsoft's Outlook email program. The command uploaded samples of the new malware to an archive used by cybersecurity researchers; one expert believes the samples are connected to an infamous Iranian attack.
New commercial government spyware emerges (Kaspersky Lab): Kaspersky Lab detailed the latest versions of FinSpy, off-the-shelf spyware sold to governments to surveil mobile devices.
Mozilla named, then unnamed, internet villain (ISPAUK): A U.K. trade organization of internet service providers nominated Mozilla to its list of "internet villains" last week, in response to Mozilla's Firefox web browser supporting DNS over HTTPS (DoH), which sends the browser's DNS lookups over an encrypted HTTPS connection so that network operators, including ISPs, can no longer see or filter which domain names users are resolving. The group has since withdrawn the nomination.
PGP poisoners gonna poison: Two researchers found that their public PGP (Pretty Good Privacy) keys, as published on keyservers, had fallen victim to a "poisoning" attack, in which attackers attach enough bogus signatures to a key that importing it can break the software of anyone who fetches it.
Codebook will return next week.