Camouflaged as the IT Privacy and Security Weekly Update for the Week ending August 2nd, 2022



Get out the passport because you’ll need it for a range of stories that circle the globe.

We start with an icon and end with an algorithm, and in between, we’ve got one of the best updates yet.

From data sharing between governments to Meta/Facebook’s latest debacle, you might find that our story on camo is the only thing left to hide behind.

There’s a shocking story for new parents in the US state of New Jersey, and yes, one more revelation about the NSO Group’s software that cuts very close to home for our European audience.

We even have a superb story that calls out one of the hidden benefits of liberally buying your teenager pizza… from a mother who might be contemplating just that for a very long time.

So take your glasses off, pull your hair back behind your left ear, look straight at the camera and relax your shoulders because this week’s update is pretty as a picture!



Outer Space: A great character leaves our solar system.

Nichelle Nichols, who portrayed communications officer Uhura on the original “Star Trek” series, died Saturday night in Silver City, N.M.

Nichols shared one of the first interracial kisses in television history on “Star Trek,” a landmark moment.

Uhura, whose name comes from a Swahili word meaning “freedom,” was essential beyond the interracial kiss: A capable officer who could man other stations on the bridge when the need arose, she was one of the first African American women to be featured in a non-menial role on television.

Nichols played Lt. Uhura in the original series, voiced her on “Star Trek: The Animated Series” and played Uhura in the first six “Star Trek” films. Uhura was promoted to lieutenant commander in “Star Trek: The Motion Picture” and to full commander in “Star Trek II: The Wrath of Khan.”

Nichols mulled leaving “Star Trek” after the first season to pursue a career on Broadway, but the Rev. Martin Luther King Jr., who was a fan of the series and understood the importance of her character in opening doors for other African Americans on television, personally persuaded her to stay on the show, she told astrophysicist Neil deGrasse Tyson in an interview for the Archive of American Television.

So what’s the upshot for you? Uhura: “Hailing frequencies open, sir.” and always a secure connection.


Global: “Anonymous” Hacktivists Breach Russian Databases, Leak ‘Massive’ Amounts of Data

Ongoing efforts by the underground hacktivists known as Anonymous are “embarrassing” Russia and its cybersecurity technology.

Though missile strikes are making more headlines these days, Anonymous and its affiliate groups aren’t losing steam.

Anonymous claims to have hacked over 2,500 Russian and Belarusian sites.

In some instances, the stolen data was leaked online in amounts so large it will take years to review.

Training recruits allowed Anonymous to expand its reach, brand name, and capabilities:

  • Training people to launch DDoS attacks and mask their identities
  • Providing cybersecurity assistance to Ukraine

So what’s the upshot for you? "Anonymous pulled the veil off Russia’s cybersecurity practices, which is both embarrassing and demoralizing for the Kremlin.”


CA/US: Better Camo yields Better Privacy

https://www.hyperstealth.com/camo-improvement/index.html

We know you didn’t ask for this one, but we stumbled across an article from a subject matter expert who clearly knows a thing or two about camouflage.

OK, first the acronyms:

  • CADPAT: Canadian Disruptive Pattern (Canadian Department of National Defence camouflage uniform)
  • MARPAT: Marine Pattern (the U.S. Marine Corps equivalent)

CADPAT was the first pixelated camouflage to be issued.

Canada wore Olive Drab fatigues up until the late 1990s, when its military research showed a 45 percent lower chance of being detected from 50 to 300 meters away with the new CADPAT. It also found that an enemy had to be 35% closer to detect a soldier wearing CADPAT than one wearing a monotone (Olive Drab) uniform.

Further NATO trials among the camouflage uniforms used by the countries that make up NATO showed that CADPAT outperformed all other camouflages, including U.S. Woodland, British DPM, and German Flecktarn.

Recent NATO studies in 2012 in Australia confirmed that CADPAT TW is one of the most effective patterns in Tropical and Subtropical regions.

The U.S. Army had experimented with pixelated camouflage uniforms in the 1980s. The biggest issue was that people outside the test program could not understand how something so artificial looking could be more effective than the standard blobby camouflage.

The Canadian and NATO studies changed that perception.

How did we get here? A trend was starting to develop in the research: all-in-one color schemes were not proving as effective as environment-specific camouflage. “The data clearly show that environment-specific patterns provide the best camouflage, i.e., the lowest probability of detection, in their respective environments.”

Pixelated patterns dominated the top-place finishers in all environments. Pixels within camouflage are not a fad but are becoming a proven and effective form of camouflage.

The US Army is now going through a selection process in which three environmental patterns will be selected, urban, desert, and woodland, and issued according to where troops are deployed.

So what’s the upshot for you? While the US Army’s decision on which patterns to adopt is still pending, pixellated urban camo does appear effective for maintaining one’s privacy when out and about. Just be mindful to select for the correct environment, and remember not to mix and match!


CN: TikTok Owner ByteDance Used A News App On Millions Of Phones To Push Pro-China Messages, Ex-Employees Say

According to new claims by four former employees of the company, ByteDance already has used one of its apps to push pro-China messages to Americans: its now-defunct English-language news app, TopBuzz.

The four former ByteDance employees, each of whom worked on TopBuzz, claimed that ByteDance instructed members of its staff to place specific pieces of pro-China messaging in the app.

According to three of the former employees, TopBuzz staff sometimes promoted content by “pinning” it to the top of the app.

One former employee remembered staff posting panda videos in the app, along with videos promoting travel to China.

Another remembered a staff member pinning a video in which a white man talked about the benefits of moving his startup to China.

According to all four former employees, staff was required to provide evidence to ByteDance that the content had in fact been placed in the app as directed.

Three of the former employees said the staff was required to take screenshots of the live content in TopBuzz and send them back to the company.

Many of the details provided by these sources were independently corroborated by other sources and by screenshots viewed by BuzzFeed News.

So what’s the upshot for you? Launched in 2015, TopBuzz amassed 40 million monthly active users by 2018 and was hailed as a major driver of traffic to US news publishers. But it was shuttered in June 2020, eight months after Reuters reported that the Committee on Foreign Investment in the United States was investigating ByteDance’s purchase of Musical.ly, the app that would later become TikTok, as a potential national security risk.


US/UK: Law enforcement to implement data sharing law, troubling privacy advocates

The Department of Justice announced last week that it will begin using a controversial 2018 law meant to give law enforcement agencies in the U.S. and U.K. easier access to data from technology and telecom companies as part of criminal investigations.

The little-noticed announcement that Justice will use the “data access agreement” beginning in October with U.K. officials comes more than four years after Congress passed what is known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018.

Justice has said the legislation will “speed access to electronic information held by U.S.-based global providers that are critical to our foreign partners’ investigations of serious crime.” In an announcement posted on its website, Justice hailed the inaugural partnership with the U.K. as the “start of a new era of cooperation.”

So what’s the upshot for you? Do we call this the end of privacy as we once knew it?


US: Amazon admits giving cops Ring doorbell data without user consent

Should police have access to Ring video doorbell recordings without first gaining user consent?

Ring recently revealed how often the answer to that question has been yes.

The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirming that there have been 11 cases in 2022 where Ring complied with police “emergency” requests.

In each case, Ring handed over private recordings, including video and audio, without letting users know that police had access to—and potentially downloaded—their data.

This raises many concerns about increased police reliance on private surveillance, a practice that has long gone unregulated.

So what’s the upshot for you? Although most Ring users may be unaware of them, there are stricter settings that Ring users can enable on their devices to stop recording audio and to turn on end-to-end encryption for stored recordings.

By changing these settings, users can ensure that no third party (including Ring itself or the police) can access their recordings, and that the doorbell is not capturing protected speech that happens within 30 feet of their front door.


Global: You’ll need a university degree to understand Meta’s terms of service

https://allaboutcookies.org/social-media-terms-of-service

Roughly 4.6 billion people use at least one social media platform. Do they understand what they are signing up for?

To better understand social media terms of service, privacy firm All About Cookies looked into the terms of service of 10 social media sites: Facebook, Twitter, TikTok, YouTube, Snapchat, Reddit, Discord, Twitch, WhatsApp, and Instagram.

“Meta/Facebook has the most difficult terms of service to understand, requiring the reading comprehension level of a college graduate,” the company’s study reads.

Recently, Meta/Facebook’s updated terms of service came into effect, and the document is longer and more complicated than before. It’s 900 words longer (5,007 words in total,) and you need a 16th-grade reading comprehension level to get through the document.

“It’s important to keep in mind that the average American reads at a level between seventh and eighth grade, according to the Center for Plain Language. That means the average US social media user would have a very difficult time making sense of the terms of use for any of these sites.”

Using the Hemingway Editor App to evaluate the documents for readability and length, All About Cookies concluded that they are 6,141 words long on average – enough to fill 13.5 single-spaced pages.

Meta/Facebook: “Our Products, however, are provided “as is,” and we make no guarantees that they always will be safe, secure, or error-free, or that they will function without disruptions, delays, or imperfections. To the extent permitted by law, we also DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.”

So what’s the upshot for you? We are considering adopting that disclaimer here. Let us know what you think.


US: Meta sued for violating patient privacy with data tracking tool

Facebook’s parent company Meta and major US hospitals violated medical privacy laws with a tracking tool that sends health information to Facebook, two proposed class-action lawsuits allege.

The lawsuits, filed in the Northern District of California in June and July, focus on the Meta Pixel tracking tool.

The tool can be installed on websites to provide analytics on Facebook and Instagram ads.

It also collects information about what people click on and what they type into those websites, including into forms.

An investigation by The Markup in early June found that 33 of the top 100 hospitals in the United States use the Meta Pixel on their websites.

At seven hospitals, it was installed on password-protected patient portals.

The investigation found that the tool was sending information about patient health conditions, doctor appointments, and medication allergies to Facebook. In one of the lawsuits, a patient says that her medical information was sent to Facebook by the Meta Pixel tool on the University of California San Francisco and Dignity Health patient portals (those hospitals are also defendants in the suit).

The patient then was served advertisements targeted to her heart and knee conditions.
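The Pixel is a client-side JavaScript snippet, so its presence on a patient portal is something a security or privacy team can check for in page source before a lawsuit does it for them. The following is an added example written for this update, not code from The Markup’s investigation or from Meta: it parses a page’s HTML, looks for the three artefacts the standard Pixel snippet leaves (the fbevents.js loader, the fbq('init', '<id>') call, and the noscript fallback image pointing at facebook.com/tr), and raises the risk label when the same page also carries a password field, which is the “installed on password-protected patient portals” case from the story. Both HTML documents, the pixel id, and the HIGH/MEDIUM/NONE labels are constructed for the example.

```python
"""Detect the Meta Pixel in a page's HTML, as a quick audit check.

Added example for this newsletter; not code from The Markup's study or from
Meta. The two HTML documents below are constructed samples, and the risk
labels are this example's own convention.
"""
import re
from html.parser import HTMLParser

# The standard Pixel snippet loads fbevents.js, calls fbq('init', '<pixel id>'),
# and adds a <noscript> fallback image pointing at facebook.com/tr?id=<pixel id>.
FBEVENTS_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js", re.I)
FBQ_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
TR_IMG_RE = re.compile(r"facebook\.com/tr\?[^\"']*\bid=(\d+)", re.I)


class _PixelScanner(HTMLParser):
    """Collects external script URLs, inline script bodies, image URLs, and
    whether the page has a password field (a sign it is a login/portal page)."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.img_srcs = [], [], []
        self.has_password_field = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def scan_page(html: str) -> dict:
    """Report which Pixel artefacts were found plus a coarse risk label:
    HIGH = Pixel on a page with a password field (a portal/login page),
    MEDIUM = Pixel on an ordinary page, NONE = no Pixel artefacts at all."""
    s = _PixelScanner()
    s.feed(html)
    inline_code = "\n".join(s.inline_scripts)  # join in case the parser chunked it
    loader_seen = any(FBEVENTS_RE.search(u) for u in s.script_srcs) or bool(FBEVENTS_RE.search(inline_code))
    pixel_ids = set(FBQ_INIT_RE.findall(inline_code))
    for u in s.img_srcs:
        m = TR_IMG_RE.search(u)  # HTMLParser already unescaped &amp; in the URL
        if m:
            pixel_ids.add(m.group(1))
    present = loader_seen or bool(pixel_ids)
    risk = "HIGH" if present and s.has_password_field else "MEDIUM" if present else "NONE"
    return {"pixel_present": present, "loader_seen": loader_seen,
            "pixel_ids": sorted(pixel_ids), "login_page": s.has_password_field, "risk": risk}


# Constructed sample: a patient-portal login page carrying the standard snippet.
PORTAL_HTML = """<html><head><title>Patient Portal</title>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided in this sample */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=1234567890&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body>
<form method="post" action="/login">
 <input type="text" name="username"><input type="password" name="password">
</form></body></html>"""

# Constructed sample: a plain informational page with no tracker.
CLEAN_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Visiting hours</h1><p>8am to 8pm daily.</p></body></html>"""

if __name__ == "__main__":
    for name, doc in (("portal", PORTAL_HTML), ("clean", CLEAN_HTML)):
        print(name, scan_page(doc))
```

Run it against saved page source (for a real portal, fetch the post-login pages with your own session, since that is where the story’s problem lived) and treat any HIGH as a finding to raise with whoever owns the site. The regexes are deliberately narrow so the check can be added to a crawler without many false positives; a tag manager that injects the Pixel at runtime will only show up if you scan the rendered DOM rather than the raw HTML.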

So what’s the upshot for you? Under the medical privacy law HIPAA, healthcare organizations need patient consent to share personally identifiable health information with outside groups.

The lawsuits allege that Meta knowingly fails to enforce its own policies against collecting health data through the Pixel, and that the Pixel ended up on healthcare organizations’ websites even though Meta knew it would collect personal health information.


US: Crypto Firm Nomad Hit By $190 Million Theft

U.S. crypto firm Nomad has been hit by a $190 million theft, blockchain researchers said on Tuesday, the latest such heist to hit the digital asset sector this year.

Nomad said in a tweet that it was “aware of the incident” and was currently investigating, without giving further details or the value of the theft.

Crypto analytics firm PeckShield told Reuters that $190 million worth of users’ cryptocurrencies were stolen, including ether and the stablecoin USDC.

Other blockchain researchers put the figure at over $150 million.

So what’s the upshot for you? Again… ouch!


Global: What is an SBOM?

If you’ve worked in engineering or manufacturing, you’re already familiar with a bill of materials, or BOM, which is a list of all the parts needed to manufacture a specific product – from raw materials to subcomponents and everything in between, along with quantities of each one needed for a finished product.

An SBOM, then, is a BOM for software. CISA defines an SBOM as a “nested inventory, a list of ingredients” that make up software components.

According to the U.S. Department of Commerce, SBOMs should offer a complete, formally structured, machine-readable list of these components, as well as libraries and modules required to build the software, the supply chain relationships between them, and their given vulnerabilities. Notably, SBOMs provide insight into the makeup of software created by open-source software and third-party commercial software.

“SBOMs represent a critical first step in discovering vulnerabilities and weaknesses within your products and the devices you procure from your software supply chain. SBOMs allow organizations to ‘de-risk’ the vast amounts of code they create, consume and operate.”

SBOMs “improve the visibility, transparency, security, and integrity of proprietary and open-source code in software supply chains.”

So what’s the upshot for you? Once the software that you, we, and others create is described in a standard SBOM format, software composition analysis (SCA) tooling can match each listed component against known vulnerabilities and weaknesses, giving a much clearer picture of a product’s strengths and exposures.

In other words, once you know the ingredients you are working with you can (generally) cook up a better meal.
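To make the “nested inventory” and the SCA step concrete, here is an added example written for this update (not CISA, NTIA, or CycloneDX project code). It takes a small SBOM in CycloneDX JSON, one of the standard machine-readable SBOM formats, walks the dependency graph from the application down, and matches each component’s package URL (purl) against an advisory list, reporting not just that a vulnerable library is present but the dependency path that pulled it in, which is what you need to know to fix it. The SBOM itself, the com.example components, the EXAMPLE-2022-0001 advisory, and the version-range logic are constructed for the example; the log4j-core advisory uses the real CVE-2021-44228 identifier with a simplified affected range.

```python
"""Parse a CycloneDX JSON SBOM and run a minimal SCA-style vulnerability match.

Added example for this newsletter; not CISA/NTIA/CycloneDX code. The SBOM,
the com.example packages and the EXAMPLE-2022-0001 advisory are constructed.
The log4j-core entry uses the real CVE-2021-44228 id with a simplified range.
"""
import json

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "name": "billing-api",
                               "version": "2.3.0", "bom-ref": "app:billing-api"}},
    "components": [
        {"type": "library", "group": "com.example", "name": "acme-web", "version": "3.1.0",
         "purl": "pkg:maven/com.example/acme-web@3.1.0",
         "bom-ref": "pkg:maven/com.example/acme-web@3.1.0"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.example", "name": "acme-utils", "version": "1.4.2",
         "purl": "pkg:maven/com.example/acme-utils@1.4.2",
         "bom-ref": "pkg:maven/com.example/acme-utils@1.4.2"},
    ],
    # The "nested inventory": who depends on whom. log4j-core is transitive via acme-web.
    "dependencies": [
        {"ref": "app:billing-api", "dependsOn": ["pkg:maven/com.example/acme-web@3.1.0",
                                                  "pkg:maven/com.example/acme-utils@1.4.2"]},
        {"ref": "pkg:maven/com.example/acme-web@3.1.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "dependsOn": []},
        {"ref": "pkg:maven/com.example/acme-utils@1.4.2", "dependsOn": []},
    ],
})

# Constructed advisory feed keyed by purl prefix (everything before the '@version').
# Affected range is [introduced, fixed). Real feeds (OSV, NVD) carry richer ranges.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
     "introduced": "2.0", "fixed": "2.15.0"},   # simplified: real range starts at 2.0-beta9
    {"id": "EXAMPLE-2022-0001", "purl_prefix": "pkg:maven/com.example/acme-utils@",
     "introduced": "1.0", "fixed": "1.4.0"},    # fixed before our 1.4.2, so no hit
]


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (an assumption of this example); padded to 3 parts."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def split_purl(purl: str) -> tuple:
    """'pkg:maven/g/n@1.2.3' -> ('pkg:maven/g/n@', '1.2.3')."""
    base, _, version = purl.rpartition("@")
    return base + "@", version


def load_sbom(text: str) -> tuple:
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    components = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return bom["metadata"]["component"]["bom-ref"], components, graph


def dependency_paths(graph: dict, root: str) -> dict:
    """Every path from the root to each node, so a finding can say *why* a lib is present."""
    paths = {}

    def walk(node, path, seen):
        path = path + [node]
        paths.setdefault(node, []).append(path)
        for child in graph.get(node, []):
            if child not in seen:          # guard against cyclic dependency data
                walk(child, path, seen | {child})

    walk(root, [], {root})
    return paths


def find_vulnerable(sbom_text: str, advisories=ADVISORIES) -> list:
    """Return one finding per (component, advisory) whose version falls in the affected range."""
    root, components, graph = load_sbom(sbom_text)
    paths = dependency_paths(graph, root)
    findings = []
    for ref, comp in components.items():
        base, version = split_purl(comp["purl"])
        v = parse_version(version)
        for adv in advisories:
            if adv["purl_prefix"] != base:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"advisory": adv["id"], "purl": comp["purl"], "fixed_in": adv["fixed"],
                                 "direct": ref in graph.get(root, []),
                                 "paths": [" -> ".join(p) for p in paths.get(ref, [])]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM):
        print(f["advisory"], f["purl"], "direct" if f["direct"] else "transitive via", f["paths"])
```

The useful output is the path: the finding tells you that log4j-core is not something billing-api declared but something acme-web dragged in, so the fix is to bump acme-web (or override the transitive version), not to grep your own build file and conclude you are unaffected. Real SCA tools do the same matching against OSV or NVD data with proper version-range semantics; the structure, purl plus dependency graph plus advisory range, is what the SBOM standards exist to make machine-readable.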


US: NJ police used baby DNA to investigate crimes, lawsuit claims

https://www.documentcloud.org/documents/22084922-nj-office-of-the-public-defender-et-al-vs-department-of-health-et-al

According to a lawsuit filed by the New Jersey Office of the Public Defender (OPD), the practice came to light after a case in which New Jersey State Police successfully subpoenaed a testing lab for a blood sample drawn from a child. Police then performed DNA analysis on the blood sample that reportedly linked the child’s father to a crime committed more than 25 years ago.

The suspect then became a client of the OPD, which alerted the office to the techniques used to identify the man. The lawsuit, filed jointly by the OPD and the New Jersey Monitor, now seeks to compel the state of New Jersey to disclose information on the full extent of the practice.

All babies born in the state of New Jersey are required to have a blood sample drawn within 48 hours as part of a mandatory testing program that screens them for 60 different disorders. These samples are processed in a state-run lab, which shares data with the state health authority and communicates results to parents.

The blood samples are not directly shared with law enforcement agencies. But if police can reliably obtain the samples through subpoena, then effectively, the disease screening process is entering all babies born in the state into a DNA database with no ability to opt-out.

According to the lawsuit, parents and the public at large are unaware that blood samples taken from their children could be used in this way.

So what’s the upshot for you? This one was a shocker and is on a par with, or worse than, anything happening in China, where DNA sampling is becoming routine.


EU: The European Union Found Evidence Employee Phones Compromised With Spyware

In a July 25 letter sent to European lawmaker Sophie in 't Veld, EU Justice Commissioner Didier Reynders said iPhone maker Apple had told him in 2021 that his iPhone had possibly been hacked using Pegasus, a tool developed and sold to government clients by Israeli surveillance firm NSO Group.

The warning from Apple triggered the inspection of Reynders’ personal and professional devices as well as other phones used by European Commission employees, the letter said.

Though the investigation found no conclusive proof that Reynders’ or EU staff phones had been hacked, investigators did find “indicators of compromise,” the term security researchers use for artefacts (such as known-malicious domains or process names) that are consistent with an intrusion having taken place.

So what’s the upshot for you? Soon we are going to start reporting on the phones that don’t have the NSO group’s Pegasus spyware loaded on them. It’ll be less work.


Global: Google plans to keep serving you cookies until 2024

Google was originally planning to get rid of third-party cookies in its browser by 2022, but that was later pushed back to 2023.

That cookies deadline for Chrome is now being delayed to 2024.

The Privacy Sandbox is Google’s initiative to replace third-party cookies – as well as cross-site tracking identifiers, fingerprinting, and other covert techniques – once privacy-conscious alternatives are in place.

Google has been working on these replacement technologies for several years and more recently opened trials in Chrome so that developers can test them.

Citing “consistent feedback” from partners, Google is “expanding the testing windows for the Privacy Sandbox APIs before we disable third-party cookies in Chrome,” with that phase out now set to begin in the second half of 2024.

So what’s the upshot for you? Keep the milk near to hand. You’ll need it if they keep serving up those cookies.


UK: ‘Orwellian’ Facial Recognition Cameras at Your Local Co-Op Challenged By Rights Group

Shoppers at a supermarket chain in southern England are being tracked by facial recognition cameras, prompting a legal complaint by a privacy rights group. Big Brother Watch said Southern Co-operative’s use of biometric scans in 35 stores across Portsmouth, Bournemouth, Bristol, Brighton and Hove, Chichester, Southampton, and London was “Orwellian in the extreme” and urged Britain’s Information Commissioner’s Office (ICO) to investigate whether it breaches data protection legislation.

The complaint claims the use of the biometric cameras “is infringing the data rights of a significant number of UK data subjects.”

It outlines how the facial recognition system, sold by surveillance company Facewatch, creates a biometric profile of every visitor to stores where the cameras are installed, enabling Southern Co-operative to create a “blacklist” of customers.

If a customer on the list enters the store, staff are alerted.

Southern Co-operative said it uses the facial recognition cameras only in stores with high levels of crime, to protect staff from known offenders, and that it does not store images of an individual unless they have been identified as an offender.

So what’s the upshot for you? The Co-op supermarket? Really? Time to try Sainsbury’s


AU: Brisbane teenager built spyware used by domestic violence perpetrators across the world

Police allege that a teenager living in the suburbs of Brisbane created and sold a sophisticated hacking tool used by domestic violence perpetrators and child sex offenders to spy on tens of thousands of people across the globe – and then used the proceeds to buy takeaway food.

Jacob Wayne John Keen, now 24, was 15 years old and living in his mother’s rental when he allegedly created a sophisticated spyware tool known as a remote access trojan (RAT) that allowed users to remotely take control of their victims’ computers.

Called Imminent Monitor, once installed it could be used to steal victims’ personal information, spy on them via webcams and microphones, and track what they typed into emails or documents.

A global investigation involving more than a dozen law enforcement agencies across Europe led to 85 search warrants being executed around the world, with 434 devices seized and 13 people arrested for using the malware for “alleged criminality”.

So what’s the upshot for you? Both mother and son have been charged: he with six offences, and she, by our reckoning, with driving her son into crime by not buying him the occasional takeaway pizza. He is due to appear in Brisbane magistrates court next month.


BE/US: Post-Quantum Encryption Contender is Taken Out by a Single-Core PC in 1 Hour

In the US government’s ongoing campaign to protect data in the age of quantum computers, a new and powerful attack that used a single traditional computer to completely break a fourth-round candidate highlights the risks involved in standardizing the next generation of encryption algorithms.

Last month, the US Department of Commerce’s National Institute of Standards and Technology, or NIST, selected four post-quantum cryptographic algorithms to replace public-key algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, all of which a sufficiently large quantum computer could break.

In the same move, NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world.

The new attack breaks SIKE, which is one of the latter four additional algorithms.

The attack has no impact on the four post-quantum cryptographic (PQC) algorithms selected by NIST as approved standards, all of which rely on completely different mathematical techniques than SIKE.

SIKE—short for Supersingular Isogeny Key Encapsulation—is now likely out of the running thanks to research that was published over the weekend by researchers from the Computer Security and Industrial Cryptography group at KU Leuven.

The paper, titled An Efficient Key Recovery Attack on SIDH (Preliminary Version), describes a technique that uses deep mathematics and a single conventional PC to recover the private key of a SIDH/SIKE key exchange, and with it everything that key was protecting.

The entire process requires only about an hour.

“The newly uncovered weakness is clearly a major blow to SIKE,” David Jao, a professor at the University of Waterloo and co-inventor of SIKE, wrote in an email. “The attack is really unexpected.”

NIST’s PQC replacement campaign has been running for five years. Here’s a brief history:

1st round (2017)—69 candidates

2nd round (2019)—26 surviving candidates

3rd round (2020)—7 finalists, 8 alternates

4th round (2022)—3 finalists and 1 alternate selected as standards. SIKE and three other candidates (BIKE, Classic McEliece, and HQC) advanced to a fourth round for further evaluation.

…and now there are 3.

So what’s the upshot for you? A simple explanation from David Jao:

"It’s true that the attack uses mathematics which was published in the 1990s and 2000s. In a sense, the attack doesn’t require new mathematics; it could have been noticed at any time.

One unexpected facet of the attack is that it uses genus 2 curves to attack elliptic curves (which are genus 1 curves). A connection between the two types of curves is quite unexpected.

To give an example, for decades people have been trying to attack regular elliptic curve cryptography, including some who have tried using approaches based on genus 2 curves. None of these attempts has succeeded.

So for this attempt to succeed in the realm of isogenies is an unexpected development. In general, there is a lot of deep mathematics which has been published in the mathematical literature but which is not well understood by cryptographers.

I lump myself into the category of those many researchers who work in cryptography but do not understand as much mathematics as we really should.

Sometimes all it takes is someone who recognizes the applicability of existing theoretical math to these new cryptosystems. That is what happened here."




And our quote of the week: “Our only security is our ability to change.” John Lilly



That’s it for this week. Stay safe, stay secure, we’ll go study some maths now and see you in se7en.



#1: Always thought that Naval Forces wearing any sort of Camouflage whilst being on a large, Grey lump of noisy, angled metal was quite amusing.

#2: Having a capable Anonymous might seem like a good idea, until they switch their focus from ‘the Bad Guys’ and back to ordinary, boring and unstable Society.

Anonymous is an outlier. I don’t think anyone is pleased about their cyber participation, in that it could be perceived as state-sponsored and then we really have trouble.

As to the Camo. I am thinking about getting a camo mask that matches my eye colour.
