Breathe deeply with the IT Privacy and Security Update for the week ending May 16th, 2023


Up North here, it’s Springtime so we start with a deep breath of DNA and finish out of ink, we think!

- click on the picture for the podcast -

Between here and there we sneeze as we bump into a couple of projects, one that sniffs out unencrypted LTE communication and another that sniffed out the contents of the phone you lost or had taken as evidence by the police.

We dab the tears of a former Bytedance executive as he makes allegations about the Chinese Communist Party “maintaining supreme access” to data, and Toyota who cleverly created an online portal that exposed driver’s data to anyone who looked for it, for a full 10 years!!

There is spluttering from New Zealand as we learn about the dangers of holding onto sensitive data for a little too long and a gasp as we find Google in the UK doing the same.

In the US, you might make an effort to make yourself presentable for the TSA as they will be taking your photograph at even more airports this summer (we name them all).

Whether it’s the cat or the high pollen count turning on that runny nose, just grab a tissue and join in for the latest update adventure!

US: Your DNA Can Now Be Pulled From Thin Air

Environmental DNA research has aided conservation, but scientists say its ability to glean information about human populations and individuals poses dangers.

David Duffy, a wildlife geneticist at the University of Florida, just wanted a better way to track disease in sea turtles.

Then he started finding human DNA everywhere he looked.

Over the last decade, wildlife researchers have refined techniques for recovering environmental DNA, or eDNA – trace amounts of genetic material that all living things leave behind.

A powerful and inexpensive tool for ecologists, eDNA is all over – floating in the air, or lingering in water, snow, honey, and even your cup of tea.

Researchers have used the method to detect invasive species before they take over, to track vulnerable or secretive wildlife populations, and even to rediscover species thought to be extinct.

The eDNA technology is also used in wastewater surveillance systems to monitor Covid and other pathogens.

But all along, scientists using eDNA were quietly recovering gobs and gobs of human DNA.

To them, it’s pollution, a sort of human genomic bycatch muddying their data.

But what if someone set out to collect human eDNA on purpose?

New DNA collecting techniques are “like catnip” for law enforcement officials, says Erin Murphy, a law professor at the New York University School of Law who specializes in the use of new technologies in the criminal legal system.

The police have been quick to embrace unproven tools, like using DNA to create probability-based sketches of a suspect.

That could pose dilemmas for the preservation of privacy and civil liberties, especially as technological advancement allows more information to be gathered from ever smaller eDNA samples.

Dr. Duffy and his colleagues used readily available and affordable technology to see how much information they could glean from human DNA gathered from the environment in a variety of circumstances, such as from outdoor waterways and the air inside a building.

The results of their research, published Monday in the journal Nature Ecology & Evolution, demonstrate that scientists can recover medical and ancestry information from minute fragments of human DNA lingering in the environment.

Forensic ethicists and legal scholars say the Florida team’s findings increase the urgency for comprehensive genetic privacy regulations.

So what’s the upshot for you? We’re thinking that someday really soon privacy will be just a memory. Sniff.

US: Ex-Ubiquiti developer jailed for 6 years.

Nickolas Sharp has been sentenced to six years in prison and ordered to pay almost $1.6 million to his now-former employer Ubiquiti – after stealing gigabytes of corporate data from the business and then trying to extort almost $2 million from his bosses while posing as an anonymous hacker.

In February, Sharp, 37, pleaded guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the FBI.

He was sent down on Wednesday by US District Judge Katherine Polk Failla.

“Nickolas Sharp was paid close to a quarter million dollars a year to help keep his employer safe,” US Attorney Damian Williams said in a statement.

"He abused that trust by stealing a massive amount of sensitive data, attempting to implicate innocent employees in his attack, extorting his employer for ransom, obstructing law enforcement, and spreading false news stories that harmed the company and anyone who invested in the company.

So what’s the upshot for you? After his prison time is up, Sharp will get three more years of supervised release.

The judge also ordered him to pay restitution of $1,590,487 to cover Ubiquiti’s costs, and to forfeit personal property used or intended to be used in connection with these offenses.

Global: LTESniffer - An Open-source LTE Downlink/Uplink Eavesdropper

If you are in the Northern Hemisphere and are looking for a Summer project you might want to consider this 3-week-old Github project. LTE Sniffer

LTESniffer is a tool that can capture the LTE wireless messages that are sent between a cell tower and smartphones connected to it.

LTESniffer supports capturing the messages in both directions, from the tower to the smartphones, and from the smartphones back to the cell tower.

It does run on Ubuntu but needs at least 8 cores, 16 gigs of Ram, two synched daughterboards, a Universal Software Radio Peripheral (USRP), and a couple of antennae.

LTESniffer cannot decrypt encrypted messages between the cell tower and smartphones, but it can be used for analyzing unencrypted parts of the communication between the cell tower and smartphones.

For example, encrypted messages can allow the user to analyze unencrypted parts, such as headers in MAC and physical layers.

However, those messages sent in plaintext can be completely analyzable.

For example, the broadcast messages sent by the cell tower, or the messages at the beginning of the connection are completely visible.

So what’s the upshot for you? As with all good summer projects, we advise checking legality with local authorities before starting out.

US: Privacy Leaks and Re-Victimization from Police-Auctioned Mobile Phones

Last year researchers at the University of Maryland purchased 228 smartphones sold “as-is” from, which bills itself as the largest auction house for police departments in the United States.

Of phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they were able to guess an additional 11 of the PINs by using the top 40 most popular PIN or swipe patterns.

Phones may end up in police custody for any number of reasons — such as its owner being involved in identity theft — and in these cases, the phone itself was used as a tool to commit the crime.

“We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner,” the researchers explained in a paper released this month. “Unfortunately, that expectation has proven false in practice.”

The researchers said while they could have employed more aggressive technological measures to work out more of the PINs for the remaining phones they bought, they concluded based on the sample that a great many of the devices they won at auction had probably not been data-wiped and were protected only by a PIN.

Beyond what you would expect from unwiped secondhand phones — every text message, picture, email, browser history, location history, etc. — the 61 phones they were able to access also contained significant amounts of data pertaining to crime — including victims’ data — the researchers found.

Some readers may be wondering at this point, “Why should we care about what happens to a criminal’s phone?” First off, it’s not entirely clear how these phones ended up for sale on PropertyRoom.

“Some folks are like, ‘Yeah, whatever, these are criminal phones,’ but are they?” said Dave Levin, an assistant professor of computer science at the University of Maryland.

“We started looking at state laws around what they’re supposed to do with lost or stolen property, and we found that most of it ends up going the same route as civil asset forfeiture,” Levin continued. “Meaning, if they can’t find out who owns something, it eventually becomes the property of the state and gets shipped out to these resellers.”

So what’s the upshot for you? PropertyRoom was advised of this study’s findings in October 2022 and apparently started wiping the phones thereafter, but this is only one vendor for lost and seized articles.

Before you lose your phone… ensure there is a long pin and (for older phones) that it is encrypted. If you then lose your phone and you have been doing periodic backups, perform a remote wipe. Something that a Google search can help you with for either Android or iPhone.

JP/KP: North Korean hackers stole $721 million in cryptocurrency from Japan

Hacker groups affiliated with North Korea have stolen $721 million worth of cryptocurrency assets from Japan since 2017, the Nikkei business daily reported on Monday, citing a study by U.K. blockchain analysis provider Elliptic.

The amount is equal to 30% of the total of such losses globally, the Nikkei reported.

The report comes after Group of Seven finance ministers and central bank governors said in a statement on Saturday that they support measures to counter growing threats from illicit activities by state actors, such as the theft of crypto-assets.

According to Elliptic, which conducted the analysis on behalf of the Japanese newspaper, North Korea has stolen a total of $2.3 billion in cryptocurrency from businesses between 2017 and 2022.

So what’s the upshot for you? Good little money generator for this nation-state. It appears the Japanese have been critical to the funding of much of the North Korean Nuclear arsenal.

US: Former ByteDance Exec Claims CCP ‘Maintained’ Access to US Data

The Chinese Communist Party “maintained supreme access” to data belonging to TikTok parent company ByteDance, including data stored in the U.S., a former top executive claimed in a lawsuit Friday…

In a wrongful dismissal suit filed in San Francisco Superior Court, Yintao Yu said ByteDance “has served as a useful propaganda tool for the Chinese Communist Party.”

Yu, whose claim says he served as head of engineering for ByteDance’s U.S. offices from August 2017 to November 2018, alleged that inside the Beijing-based company, the CCP “had a special office or unit, which was sometimes referred to as the ‘Committee’.”

The “Committee” didn’t work for ByteDance but “played a significant role,” in part by “gui[ding] how the company advanced core Communist values,” the lawsuit claims…

The CCP could also access U.S. user data via a “backdoor channel in the code,” the suit states…

In an interview with the New York Times, which first reported the lawsuit, Yu said promoting anti-Japanese sentiment was done without hesitation.

“The allegations come as federal officials weigh the fate of the social media giant in the U.S. amid growing concerns over national security and data privacy,” the article adds.

Yu also accused ByteDance of a years-long, worldwide “scheme” of scraping data from Instagram and Snapchat to post on its own services.

So what’s the upshot for you? Ouch! For all those who loudly proclaimed that the Chinese Gov’t did not have access to US users’ data.

Global: Microsoft Is Scanning the Inside of Password-Protected Zip Files For Malware

Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday.

Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads.

Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form.

Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt.

The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint.

On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password “infected.”

“While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues’ malware samples,” Brandt wrote.

“The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”

Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services.

One way is to extract any possible passwords from the bodies of email or the name of the file itself.

Another is by testing the file to see if it’s protected with one of the passwords contained in a list.

“If you mail yourself something and type something like ‘ZIP password is Soph0s’, ZIP up EICAR and ZIP password it with Soph0s, it’ll find (the) password, extract and find (and feed MS detection),” he wrote.
A Google representative said the company doesn’t scan password-protected zip files, though Gmail does flag them when users receive such a file," notes Ars.

"One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can’t be read.

As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override.

A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files."

So what’s the upshot for you? You heard it here. For true protection, Zip files do not cut it anymore.

JP: Toyota Japan Exposed Data on Millions of Vehicles For a Decade

Toyota Japan has apologized after admitting to leaving millions of customers’ vehicle details on the public internet for a decade.

The carmaker said in a notice that it will notify about 2.15 million customers whose personal and vehicle information were left exposed to the internet after a “cloud misconfiguration” was discovered recently in April.

Toyota said that the exposed data includes: registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle’s “drive recorder” which records footage from the car.

Toyota said the data spilling from its Connected Cloud (TC) was initially exposed in November 2013, but pertains only to vehicles in Japan, according to the company.

The company’s connected service provides Toyota customers with information about their vehicles, provides in-car entertainment services, and helps to notify authorities in the event of an accident or breakdown.

So what’s the upshot for you? This is a lesson on why having a bit of security engagement before you let rip in the cloud might be a good idea.

US: TSA Tests Facial Recognition Technology To Boost Airport Security

A passenger walks up to an airport security checkpoint, slips an ID card into a slot, and looks into a camera atop a small screen.

The screen flashes “Photo Complete” and the person walks through – all without having to hand over their identification to the TSA officer sitting behind the screen.

It’s all part of a pilot project by the Transportation Security Administration to assess the use of facial recognition technology at a number of airports across the country.

“What we are trying to do with this is aid the officers to actually determine that you are who you say who you are,” said Jason Lim, identity management capabilities manager, during a demonstration of the technology to reporters at Baltimore-Washington International Thurgood Marshall Airport.

The effort comes at a time when the use of various forms of technology to enhance security and streamline procedures is only increasing.

TSA says the pilot is voluntary and accurate. Still, critics have raised concerns about questions of bias in facial recognition technology and possible repercussions for passengers who want to opt-out.

The technology is currently in 16 airports.

In addition to Baltimore, it’s being used at Reagan National near Washington, D.C., airports in Atlanta, Boston, Dallas, Denver, Detroit, Las Vegas, Los Angeles, Miami, Orlando, Phoenix, Salt Lake City, San Jose, and Gulfport-Biloxi and Jackson in Mississippi.

However, it’s not at every TSA checkpoint so not every traveler going through those airports would necessarily experience it.

So what’s the upshot for you? You’re only going to notice more and more of these checkpoints as time passes.

NZ: New Zealand’s biggest data breach shows retention is the sleeping giant of data security

Over one million past and present New Zealand driver’s licenses have been exposed as part of the attack on Latitude Financial, as well as people’s passports.

Some of the 14 million New Zealand and Australia records taken are up to 18 years old, which isn’t okay.

Liz MacPherson, New Zealand’s Deputy Privacy Commissioner says that data retention is emerging as a key issue in several recent domestic and global cyber-attacks including the Latitude Financial breach.

“Data retention is the sleeping giant of data security. There are consequences for holding onto data you no longer need.

All businesses and organizations can learn from this: don’t collect or hold onto information you don’t need. The risk is simply too high for your customers and your organization.

You risk being a hostage to people who make it their day job to illegally extract data.”

There is no place for a “she’ll be right” attitude to privacy and cyber security. Cyber attackers are active. People are employed to be cyber attackers.

“People make their fortunes from hacking the security of agencies. Having sea borders does not protect your very internet-connected agency from being hacked.

So what’s the upshot for you? Good practical advice shared by those recently burned.

UK: Google Accused of Breaking European Privacy Law By Hoarding Personal Data of Potential Job Candidates

When Mohamed Maslouh, a London-based contractor, was assigned to enter data into Google’s internal gHire recruitment system last September, he noticed something surprising.

The database contained the profiles of thousands of people in the EU and U.K. whose names, phone numbers, personal email addresses, and resumes dated back as far as 2011.

Maslouh knew something was amiss, as he had received data-protection training from Randstad, the European human resources giant that employed him, and was aware of the EU’s five-year-old General Data Protection Regulation (GDPR), which remained part of British law after Brexit.

Under the law, companies in the European Union and the U.K. may not hang onto anyone’s personal data – that is, information relating to any identifiable living person – for longer than is strictly necessary, which generally means a maximum retention time measured in weeks or months.

Google may now face investigations over potential violations of the GDPR after Maslouh filed protected whistleblower complaints with the U.K. Information Commissioner’s Office in November and with the Irish Data Protection Commission (DPC) – which has jurisdiction over Google’s activities in the EU – in February.

So what’s the upshot for you? Hold it like a hot potato

Global: HP Updates Firmware, Blocks Its Printers From Using Cheaper Ink Cartridges from Rivals

Hewlett-Packard printers recently got a firmware update that “blocks customers from using cheaper, non-HP ink cartridges,”

Customers’ devices were remotely updated in line with new terms which means their printers will only work if they are fitted with approved ink cartridges.

It prevents customers from using any cartridges other than those fitted with an HP chip, which is often more expensive. If the customer tries to use a non-HP ink cartridge, the printer will refuse to print.

HP printers used to display a warning when a “third-party” ink cartridge was inserted, but now printers will simply refuse to print altogether.

The printer company said it issued the update to reduce the risk of malware attacks, saying “third-party cartridges that use non-HP chips or circuitry can pose risks to the hardware performance, print quality, and security.”

It also said it used regular updates to improve its services, such as introducing alerts for some customers telling them when their ink is running low.

However, according to HP’s website, the company also blocks the use of rival cartridges in order to “maintain the integrity of our printing systems, and protect our intellectual property”.

Outraged customers have flooded social media with complaints, saying they felt “cheated” by the update.

HP ink cartridges can cost more than double the price of third-party offerings… Some customers can choose to disable HP’s cartridge-blocking feature in the printer’s settings, HP said, but it depends on the printer model.

Others will be stuck with a printer that only works if they commit to spending more on ink cartridges approved by HP.

So what’s the upshot for you? It’s bad enough running out of ink, but when an update prevents the printer from using the ink it had been happy with a couple of days before there could be dark clouds on the horizon.

HP Printer
- click on the picture for the podcast -

And our quote of the week - “The best way to destroy an enemy is to make them a friend.”

That’s it for this week. Stay safe, stay secure, breathe deeply, and see you in se7en.

This reminds me suspiciously of the efforts by HP and their geocoding of Printer cartridges waaaay back in the early 2000s:

John Deere tried it with unserviceable (by owners) tractors. This won’t stay in place, but it sure will cause ill-will in the meantime. Buying a printer anytime soon? Not HP!

1 Like