Howdy DAML’ers!
On “giving Tuesday” we are “giving” you the best privacy and security stories yet.
AI and privacy feature high on the list, from AI aimed at truck drivers to Office 365 workers, and, sticking with the theme, our AI-generated title for this week’s Privacy and Security update comes from the Free Title Generator: Powered by AI | Semrush.
Here are the two most coherent results for your delectation:
- “The Best It Privacy & Security tricks For Your First Date”
- “8 It Privacy & Security Things that Are Hiding under Your Bed”
(It really had to be the second option for this week’s update…)
… from there we move into GDPR fines, DNA hacking, and Magecart attacks. We swap voice commands for lasers to instruct your Alexa device and highlight some other privacy concerns from Amazon.
We finish with a delightful interview where privacy and GDPR appear not to be foremost thoughts in the mind of psychic Uri Geller.
This is the best collection yet, so let’s get the road train rolling! Read on or listen to the podcast.
FR: Carrefour Handed $3.7m GDPR Fine
Following investigations (triggered by complaints), the French data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), has sanctioned two French organizations for a number of data protection compliance failures: Carrefour France was fined €2.25 million, and Carrefour Banque was fined €800,000.
Issues? Information about data protection was too complicated, customer data was kept for too long, data was moved out of the EU, and the use of cookies was unlawful.
IL: Next threat? DNA hacking
Increased cyber-biosecurity for DNA synthesis | Nature Biotechnology
A team at Ben-Gurion University of the Negev (BGU) describes how criminals no longer need physical contact with a dangerous substance to produce and deliver it. Think man-in-the-middle DNA attack.
They found two key issues: screening protocols could be circumvented using a generic obfuscation procedure, and cybersecurity controls on lab computers were insufficient.
Through these, attackers can alter an order of sequences placed with a DNA synthesis company so that it yields a completely different outcome. DNA obfuscation techniques would then be used to camouflage the alteration to the order, which is processed without raising any alarms.
Recommendation? Electronic signatures on any DNA synthesis order, and intrusion detection systems to identify malicious code on PCs and in labs. Pretty basic security, we think.
Magecart Attack Hijacks PayPal Transactions
Definition: Magecart is an umbrella term encompassing several different threat groups who all use the same attack method: They compromise e-commerce websites to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment card details and other information entered into the fields on the page. The info is then sent back to a server under the attackers’ control.
In September, Magecart mounted one of its largest campaigns to date, with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit. The attacks impacted tens of thousands of customers who had their credit-card and other information stolen. That month the group was also seen using the encrypted messaging service Telegram as a channel for sending stolen credit-card information back to its command-and-control (C2) servers.
Then in October, a Magecart spinoff group called Fullz House targeted an unlikely victim, Boom! Mobile, hitting the wireless service reseller’s website with an e-commerce attack.
Now a new attack strategy hides malicious code inside an image hosted on the server of the compromised online store, using a steganography method. While at first the code seems similar to many other skimmers, since it grabs data the shopper has entered in the form and exfiltrates it, it then does something very different from other skimmers, the researcher said: it uses the exfiltrated data to improve its fake payment form.
Magecart Attack Convincingly Hijacks PayPal Transactions at Checkout
The attack does this by pre-filling fake PayPal forms that are displayed during a victim’s checkout process instead of the legitimate one, which boosts the likelihood that the shopper will fall victim to the malicious action.
“When the victim sees this page, it is now partially filled out, which definitely increases the odds that it will capture their full payment data. It will then pass along the items in the cart and the accurate transaction total, taxes and shipping costs, which lend even more plausibility to the attack.”
Once the victim enters and submits payment info, the skimmer exfiltrates the data to apptegmaker[dot]com. The skimmer then clicks the order button behind the malicious iframe and sends the victim back to the legitimate checkout page to complete the transaction.
So the word is: watch your credit card statements carefully this holiday season. If your credit card issuer offers text updates to your phone every time a transaction is made, you will be able to limit the damage if your card details are stolen.
IN/US: Indian National to Spend 20 Years in Prison for Call Center Scheme
On November 30, U.S. District Judge David Hittner handed down a 20-year prison sentence to Hitesh Madhubhai Patel, aka Hitesh Hinglaj, 44, of Ahmedabad, India.
The sentence stemmed from charges of wire fraud conspiracy along with conspiracy to commit identification fraud, access device fraud, money laundering and impersonation of a federal officer.
Some of these scams involved the conspirators impersonating officials from the IRS and U.S. Citizenship and Immigration Services (USCIS). They subsequently leveraged those disguises to threaten victims with arrest, imprisonment, fines and even deportation unless they paid an amount of money that they allegedly owed to the U.S. federal government.
Authorities in Singapore arrested Patel after he flew there from India in September 2018. Singapore subsequently extradited Patel to the United States.
In addition to mandating a prison sentence, Judge Hittner ordered that Patel complete three years of supervised release and pay US$8,970,396 in restitution to his victims.
Alexa, Disarm the Victim’s Home Security System
Imagine someone hacking into an Amazon Alexa device using a laser beam and then doing some online shopping using that person’s account.
Researchers said that they were able to launch inaudible commands by shining lasers – from as far as 360 feet – at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant.
“User authentication on these devices is often lacking, allowing the attacker to use light-injected voice commands to unlock the target’s smartlock-protected front doors, open garage doors, shop on e-commerce websites at the target’s expense, or even unlock and start various vehicles connected to the target’s Google account (e.g., Tesla and Ford),” researchers wrote in their paper.
The research team (Sara Rampazzi, an assistant professor at the University of Florida, and Benjamin Cyr and Daniel Genkin, a PhD student and an assistant professor, respectively, at the University of Michigan) acknowledge that they are still not completely clear why this works… only that it does.
The team plans to present the evolution of their research at Black Hat Europe on Dec. 10.
For now, we say, “Keep your smart device away from windows.”
Cayman Islands investment fund left entire filestore viewable by world+dog in unsecured Azure blob
In a Register exclusive: A Cayman Islands-based investment fund has exposed its entire unencrypted backup collection to the internet after failing to properly configure a secure Microsoft Azure blob.
Details of the fund’s register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an Amazon Web Services S3 storage bucket.
Documents viewed by The Register in the unsecured blob stretch back years and include: scans of directors’ passports; letters to and from investors including commented files sent during commercial negotiations; term sheets; share certificates (including blank copies); documents signed by its directors and more.
The unnamed firm claims US$500M under management, with investors including sovereign wealth funds, prominent financial institutions, corporations and family offices. One of its investors is Rothschild & Co, the well-known investment bank.
The Register has notified the fund of the misconfiguration.
Australia’s spy agencies caught collecting COVID-19 app data
Australia’s intelligence agencies have been caught “incidentally” collecting data from the country’s COVIDSafe contact-tracing app during the first six months of its launch, a government watchdog has found.
The report did not say when the incidental collection stopped, but noted that the agencies were “taking active steps to ensure compliance” with the law, and that the data would be “deleted as soon as practicable,” without setting a firm date.
Secret Amazon Reports Expose the Company’s Surveillance of Labor and Environmental Groups
A trove of more than two dozen internal Amazon reports reveal in stark detail the company’s obsessive monitoring of organized labor and social and environmental movements in Europe, particularly during Amazon’s “peak season” between Black Friday and Christmas. The reports, obtained by Motherboard, were written in 2019 by Amazon intelligence analysts who work for the Global Security Operations Center, the company’s security division tasked with protecting Amazon employees, vendors, and assets at Amazon facilities around the world.
The documents show Amazon analysts closely monitor the labor and union-organizing activity of their workers throughout Europe, as well as environmentalist and social justice groups on Facebook and Instagram. They also indicate, and an Amazon spokesperson confirmed, that Amazon has hired Pinkerton operatives—from the notorious spy agency known for its union-busting activities—to gather intelligence on warehouse workers.
The new intelligence reports obtained by Motherboard reveal in detail how Amazon uses social media to track environmental activism and social movements in Europe—including Greenpeace and Fridays For Future, environmental activist Greta Thunberg’s global climate strike movement—and perceives such groups as a threat to its operations.
“Amazon’s systemic use of military surveillance methods against unionists and activists is deeply alarming,” said Manon Aubry, a senior member of France’s France Insoumise, France’s main radical left party. “Amazon and Jeff Bezos act as if they were above the law because they have accumulated unprecedented levels of wealth and power. This has to stop.”
Powered by AI and Computer Vision
You can probably imagine the value of a dash cam pointing forward in a car or truck, but now AI dash cams are monitoring the driver too. Look down and an alert is sent for review by your fleet manager.
The camera, which is connected to the truck’s internal computer, constantly records footage of the driver in the cabin when the truck is on. This footage is only saved and transmitted to a manager when the camera detects some kind of risky driving.
The Teamsters, America’s largest trucking union, say that the technology leads to micromanaging and is an invasion of members’ privacy.
Companies like Lytx, which claims to have 650,000 cameras deployed in commercial trucks across the world and 60% market share, say that people are alive today because their technology stopped crashes.
“We can now give alerts to the driver to help them self-correct. We can tell them the percentage of their trips that they have picked up a cellphone. We can tell them the percentage of time that they’re driving where they’re distracted or fatigued.”
One thing is for certain: with the size of the insurance reductions promised to the trucking companies, privacy for long-haul truckers may soon be a thing of the past.
Microsoft patents tech to score meetings using body language, facial expressions, other data
Microsoft is facing criticism for its new “Productivity Score” technology, which can measure how much individual workers use email, chat and other digital tools. But it turns out the company has even bigger ideas for using technology to monitor workers in the interest of maximizing organizational productivity.
Newly surfaced Microsoft patent filings describe a system for deriving and predicting “overall quality scores” for meetings using data such as body language, facial expressions, room temperature, time of day, and number of people in the meeting. The system uses cameras, sensors, and software tools to determine, for example, “how much a participant contributes to a meeting vs performing other tasks (e.g., texting, checking email, browsing the Internet).”
US: The Supreme Court will hear its first big Computer Fraud and Abuse Act (CFAA) case
The Supreme Court heard arguments this week in a case that could lead to sweeping changes to America’s controversial computer hacking laws — and affect how millions use their computers and access online services.
The Computer Fraud and Abuse Act was signed into federal law in 1986 and predates the modern internet as we know it, but it governs to this day what constitutes hacking — or “unauthorized” access to a computer or network. The controversial law was designed to prosecute hackers, but it has been dubbed the “worst law” in the technology law books by critics who say its outdated and vague language fails to protect good-faith hackers who find and disclose security vulnerabilities.
A broad reading of the CFAA could criminalize anything from lying on a dating profile, sharing the password to a streaming service, or using a work computer for personal use in violation of an employer’s policies.
And our last act of giving this week is a YouTube short…
Uri Geller Loses His Temper in Spoon Council Interview
Uri Geller is not big on privacy. But you can imagine this stance might develop for any psychic who spends years reading people’s minds … and bending spoons.
This interview does not address reading minds, privacy concerns, or data retention, but instead tackles the thorny issue of spoon disfigurement.
From the interview: “Is it true to say that without the spoon you would be a nobody?”
Probably the best interview we have seen in the last 3 hours.
And that’s a wrap for this week… Join us next week when we explore more fascinating stories from the world of Privacy and Security!
See you in se7en days!