"Drifting" through the IT Privacy and Security Weekly Update for February 22nd, 2022


This week we discover 15 boxes, a number one app, and end up at the back end of the car.

With high compression pistons and rack and pinion steering stabilizing our high adhesion slicks, we roll through a billion faces, pound on Taiwanese bank doors, steal some NFTs, experience Man City in 3D, and come to understand why you should never use pixelation to hide behind when you track a Magpie.

Join us through the hairpin turns as we go flag to flag on a racing line through this week’s superspeedway of stories.

Let’s don that Nomex, check our earpiece accelerometers, flip down our visors, and hit the tarmac!

US: National Archives Says It Found ‘Classified National Security Information’ In Boxes At Mar-A-Lago

The National Archives and Records Administration found “classified national security information” among the 15 boxes of White House records that had been stored at former President Donald Trump’s Mar-a-Lago club, the agency confirmed Friday, leading the National Archives to contact the Department of Justice and intensifying concerns that Trump mishandled official documents after leaving office.

Some of the records transferred to the National Archives after Trump left office included paper documents that Trump had torn up, some of which had been taped back together, confirming a January report by the Washington Post detailing Trump’s habit of ripping up papers.

So what’s the upshot for you? Trump’s new platform “The Truth” app had 170,000 downloads in its first day in the Apple app store placing it first across the finish at number 1. He’s already busy rewriting history.

US: Documents shed light on ID.me’s marketing to states about powerful facial recognition tech

Identity verification technology company ID.me quietly deployed a powerful form of facial recognition on unemployment benefits applicants while encouraging state partners to dispel the idea that the company used the technology, according to Oregon state records the American Civil Liberties Union shared with CyberScoop.

The documents show that in the months following the introduction of facial recognition software that matched a photo across a wider database — known as “1:many” — into its fraud detection service, ID.me disseminated talking points to the Oregon Employment Department (OED) and other state partners to combat media reports that it used the more powerful form of facial recognition.

“The problem here is that nowhere in their Duplicate Face Detection description do they describe what they’re doing as facial recognition,” Olga Akselrod, a senior staff attorney at the ACLU, said of the documents.

Federal research has shown that facial recognition algorithms are more likely to misidentify people of color and the accuracy of performance can vary widely depending on the product and even factors such as quality of lighting.

In light of pushback from both privacy advocates and lawmakers, the IRS announced earlier this month it would transition away from using ID.me. The Department of Veterans Affairs is also reevaluating its contract.

Groups — including the ACLU — are pushing states to follow. More than 40 civil liberties organizations on Monday called for states to end their contracts with the company. They say the company’s misleading public statements and lack of transparency in the accuracy of its technology pose a privacy risk Americans shouldn’t be required to take to access basic government services.

So what’s the upshot for you? “We would prefer that it was a national system that all states could use, but there isn’t one right now that provides the same level of identity verification security,” OED Acting Director David Gerstenfeld said recently at a press conference.

Global: Clearview AI aims to put almost every human in facial recognition database

“Clearview AI is telling investors it is on track to have 100 billion facial photos in its database within a year, enough to ensure ‘almost everyone in the world will be identifiable,’ according to a financial presentation from December obtained by The Washington Post,” the Post reported today. There are an estimated 7.9 billion people on the planet.

The December presentation was part of an effort to obtain new funding from investors, so 100 billion facial images is more of a goal than a firm plan. However, the presentation said that Clearview has already racked up 10 billion images and is adding 1.5 billion images a month, the Post wrote. Clearview told investors it needs another $50 million to hit its goal of 100 billion photos, the Post reported:

The company said that its “index of faces” has grown from 3 billion images to more than 10 billion since early 2020 and that its data collection system now ingests 1.5 billion images a month.

With $50 million from investors, the company said, it could bulk up its data collection powers to 100 billion photos, build new products, expand its international sales team and pay more toward lobbying government policymakers to “develop favorable regulation.”

“Clearview has built its database by taking images from social networks and other online sources without the consent of the websites or the people who were photographed. Facebook, Google, Twitter, and YouTube have demanded the company stop taking photos from their sites and delete any that were previously taken. Clearview has argued its data collection is protected by the First Amendment.”

The increase in photos could be paired with an expanded business model. Clearview “wants to expand beyond scanning faces for the police, saying in the presentation that it could monitor ‘gig economy’ workers and is researching a number of new technologies that could identify someone based on how they walk, detect their location from a photo or scan their fingerprints from afar.”

Clearview’s website includes a statement of principles. “Clearview AI currently offers its solutions to only one category of customer—government agencies and their agents,” the statement says. “It limits the uses of its system to agencies engaged in lawful investigative processes directed at criminal conduct, or at preventing specific, substantial, and imminent threats to people’s lives or physical safety.”

In his statement to the Post, Ton-That argued that “every photo in the data set is a potential clue that could save a life, provide justice to an innocent victim, prevent a wrongful identification, or exonerate an innocent person.”

However, the company’s approach could change along with its business model. “Our principles reflect the current uses of our technology. If those uses change, the principles will be updated, as needed,” Ton-That said.

So what’s the upshot for you? Last week, in a case over whether Clearview AI violated the Illinois Biometric Information Privacy Act by collecting and using facial images without people’s consent, a federal judge “rejected Clearview’s First Amendment defense, denied the company’s motion to dismiss, and allowed the lawsuits to move forward.”

Stay tuned for more.

CA: Canada’s major banks go offline in mysterious hours-long outage

Major Canadian banks went offline for hours blocking access to online and mobile banking as well as e-transfers for customers.

The banks reportedly hit by the outage include Royal Bank of Canada (RBC), BMO (Bank of Montreal), Scotiabank, and the Canadian Imperial Bank of Commerce (CIBC).

Canada’s major banks went offline yesterday impeding access to e-Transfers, online and mobile banking services for many.

RBC customer Andrew Currie reported having “no access to my money at the grocery store” and being stuck in the checkout line for half an hour due to the outage.

BMO customers also saw the bank’s “Global Money Transfer service” being down “all day” with transfers getting auto-rejected for no obvious reason. A BMO representative directed such customers to reach out to the customer service.

The cause of the outage is yet to be known but its timing is rather interesting, just days after the Canadian Prime Minister Trudeau invoked the Emergencies Act amid ongoing ‘Freedom Convoy’ protests. The Emergencies Act authorizes banks to freeze accounts of individuals and businesses that they suspect to be affiliated with the illegal blockades, without requiring a court order and without incurring any civil liability.

So what’s the upshot for you? “It remains unclear how new legislation would trigger a planned or sudden, unexpected downtime,” but one reader speculated it could have been a test.

CN: Chinese hackers linked to the months-long attack on the Taiwanese financial sector

A hacking group affiliated with the Chinese government is believed to have carried out a months-long attack against Taiwan’s financial sector by leveraging a vulnerability in a security software solution used by roughly 80% of all local financial organizations.

The attacks are believed to have started at the end of November 2021 and were still taking place this month.

CyCraft researchers said that the credential stuffing attacks were only used as a cover. In reality, APT10 exploited a vulnerability in the web interface of a security tool, planted a version of the ASPXCSharp web shell, and then used a tool called Impacket to scan a target company’s internal network.

The attackers then used a technique called reflective code loading to run malicious code on local systems and install a version of the Quasar RAT that allowed the attackers persistent remote access to the infected system using reverse RDP tunnels.

CyCraft said it was able to uncover the truth behind the November 2021 attacks after one of its customers was hit in February 2022.

“Further investigation showed that what was initially presumed to be two separate waves of cyberattacks was actually one prolonged attack campaign in which the attackers leveraged advanced obfuscation techniques not previously observed.”

So what’s the upshot for you? “The objective of the attacks does not appear to have been financial gain but rather the exfiltration of brokerage information, PII data, and the disruption of investment during a period of economic growth for Taiwan.”

The attacks are nothing new. Chinese cyberespionage groups have had Taiwan in their sights for years, repeatedly and relentlessly attacking almost all sectors of its local government and economy.

Global: More on the stolen NFTs from OpenSea

$1.7 million in NFTs stolen in an apparent phishing attack on 17 OpenSea users

The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea.

One explanation described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank.

With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment.

In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.
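The "blank check" idea above is easier to see in code. The following is an added example, not the Wyvern Protocol's or OpenSea's real order encoding: it is a deliberately simplified model in which an order is a dict of fields, a signature commits only to the fields that were bound when the user signed, and anything left blank can be filled in afterwards without invalidating the signature. All field names, the HMAC-based stand-in for a wallet signature, and the sample values are constructed. The point of the block is the wallet-side policy (`sign_order`): refuse to sign until every field that controls what the order does is bound, and commit to all of them.

```python
"""Simplified model of 'blank-check' order signing (added example, not the
Wyvern Protocol's or OpenSea's real encoding).

An order is a dict of fields. The unsafe primitive `raw_sign` commits only to
the fields listed in `signed_fields`; anything else can be filled in later
without invalidating the signature, which is the blank-check problem the story
describes. `sign_order` is the wallet-side policy a signer should apply:
refuse to sign until every field that controls what the order does is bound,
and commit to all of them. HMAC-SHA256 with a constructed secret stands in for
the wallet's real signature scheme.
"""
import hashlib
import hmac
import json

# Fields that must be bound before an order is safe to sign (constructed list).
REQUIRED_FIELDS = ("maker", "asset_id", "price", "taker", "target", "calldata")

# Constructed secret standing in for the user's private key.
USER_KEY = b"constructed-user-key-not-real"


def _canonical(order, fields):
    """Deterministic serialisation of exactly the named fields."""
    subset = {k: order.get(k) for k in sorted(fields)}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def raw_sign(key, order, signed_fields):
    """Signature covering only `signed_fields` (the unsafe primitive)."""
    return hmac.new(key, _canonical(order, signed_fields), hashlib.sha256).hexdigest()


def verify(key, order, signed_fields, sig):
    """A verifier that honours the signer's field list accepts later edits to
    any field outside that list."""
    return hmac.compare_digest(raw_sign(key, order, signed_fields), sig)


def unbound_fields(order, signed_fields=REQUIRED_FIELDS):
    """Required fields that are empty, or that the signature would not cover."""
    return [f for f in REQUIRED_FIELDS
            if order.get(f) is None or f not in signed_fields]


def sign_order(key, order):
    """Wallet-side policy: sign only fully specified orders, binding all fields."""
    missing = unbound_fields(order)
    if missing:
        raise ValueError(f"refusing to sign a blank check; unbound fields: {missing}")
    return raw_sign(key, order, REQUIRED_FIELDS)


def blank_check_demo():
    """Show why the policy matters: a signature over a partial order still
    verifies after someone else fills in the blanks. Returns
    (still_verifies, fields_unbound_at_signing). All values are constructed."""
    partial = {"maker": "alice", "asset_id": "nft-1234", "price": 0,
               "taker": None, "target": None, "calldata": None}
    covered = [f for f in REQUIRED_FIELDS if partial[f] is not None]
    sig = raw_sign(USER_KEY, partial, covered)          # what the victim signed
    completed = dict(partial, taker="someone-else",
                     target="some-other-contract", calldata="<filled in later>")
    return verify(USER_KEY, completed, covered, sig), unbound_fields(partial, covered)


def safe_order_demo():
    """A fully bound order: signing succeeds, and any later edit breaks it.
    Returns (intact_verifies, tampered_verifies)."""
    full = {"maker": "alice", "asset_id": "nft-1234", "price": 10,
            "taker": "bob", "target": "exchange", "calldata": "sell"}
    sig = sign_order(USER_KEY, full)
    tampered = dict(full, taker="someone-else")
    return (verify(USER_KEY, full, REQUIRED_FIELDS, sig),
            verify(USER_KEY, tampered, REQUIRED_FIELDS, sig))


if __name__ == "__main__":
    print("blank check still verifies after completion:", blank_check_demo())
    print("full order (intact, tampered):", safe_order_demo())
    try:
        sign_order(USER_KEY, {"maker": "alice", "asset_id": "nft-1234", "price": 0})
    except ValueError as exc:
        print(exc)
```

The design point is that the wallet, not the marketplace, is the last line of defence: whatever the signing prompt looks like, a signer that commits to every field (or refuses) cannot be turned into a blank check.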

“I checked every transaction,” said a user, who goes by the name Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”

So what’s the upshot for you? Many details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3 AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.

UK: Man City begin building the world’s first football (Soccer in the US) stadium inside the metaverse

Manchester City have begun building the world’s first football stadium inside the metaverse with the help of virtual reality experts at Sony.

Using image analysis and skeletal-tracking technologies created by Hawk-Eye, a subsidiary of the tech and entertainment giant, the club’s stadium will become the central hub of City in a virtual reality world.

Club officials working on the project envisage a time when City can fill a virtual Etihad Stadium several times over, allowing supporters who may never go to Manchester to watch live games from the comfort of their own homes anywhere in the world.

No other club in the world is exploring the technology and its potential as intensely as Manchester City, who recently signed a three-year partnership with technology giant Sony. Work is advancing rapidly on creating the Etihad Stadium in the metaverse and on examining how the space can be used to engage fans from all over the world.

And that’s what this is: exploring new frontiers, stepping into unknown worlds, building them, digital block by digital block, shaping the very fabric of our future. It is football inexorably moving beyond the traditions of domestic fandom.

As Tarre points out, “at best one percent of our fans will ever travel to Manchester to experience a game”.

Perhaps the most tantalizing prospect is that in the future fans could watch games live in a virtual stadium, almost as if they were there in person, from the comfort of their homes. It remains a vision rather than a certainty and would require a major overhaul of the way football television rights are distributed. Currently, the Premier League sells the rights collectively to broadcasters, but clubs are increasingly exploring the potential to own their own, to package and sell them how they wish.

The idea of wishing to buy something that would only exist online in a virtual space is alien to some people. But younger age groups are already comfortable with it. The offer of in-game purchases has transformed the video game industry. Fortnite was given away free by makers Epic Games but generated billions of pounds in income from in-game purchases – purely cosmetic special characters or accessories – that have no real-life application, existing solely within the game.

And if you are skeptical about live performances working in digital, it is already happening. Fortnite has hosted in-game performances from stars such as Ariana Grande. Sony has hosted multiple music events within Roblox, a platform in which games can be created and played. When Lil Nas X performed the first-ever Roblox concert in 2020 more than 36 million people watched.

So what’s the upshot for you? Tarre predicts that within 5 to 10 years, watching a live match on television in the living room will not be the most common way to experience football.

UK: UK ready to launch retaliatory cyber-attacks on Russia, defense secretary tells MPs

The UK is ready to launch cyberattacks on Russia if Moscow targets Britain’s computer networks after a Ukraine invasion, the defense secretary has threatened.

In a Commons statement, Ben Wallace pointed to the “offensive cyber capability” the UK is already developing from a base in the northwest of England.

“I’m a soldier – I was always taught the best part of defense is offence,” he told an MP who urged him to “give as good as we get back to Russia” if necessary.

So what’s the upshot for you? “We didn’t put 165,000 combat troops on the edge of a sovereign country and hold a gun to the head of a democratically elected government,” Ben Wallace said. “We didn’t do that. Russia did that. We have nothing to deescalate from – Russia does.”

Global: Never, Ever, Ever Use Pixelation for Redacting Text

The only way to redact securely is to use black bars. Sometimes, people like to be clever and try some other redaction techniques like blurring, swirling, or pixelation. But this is a mistake.

Dan Petro, Lead Researcher at Bishop Fox gives a pixel by pixel account of reconstructing text that had been obfuscated using pixelation and it actually turns out to be pretty interesting.

He started with two things, the font and the font size. By breaking the written lines into quadrants and trimming the rightmost edge of each quadrant to remove inconsistencies (characters of different widths, for example), he was able to reconstruct a challenge set by security firm JumpSec.
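Why pixelation fails and a solid bar does not comes down to one property: pixelation is still a function of the hidden text. The block below is an added example (not Dan Petro's tooling) that makes that measurable on a constructed 6x6 bitmap font: `pixelate` averages each tile the way an image editor does, `black_bar` overwrites the region, and `identifiable` counts how many glyphs of a known font still map to a unique output after redaction. Any count above zero means someone holding the same font and size could re-render the candidates and match them, which is the reconstruction the story describes. The glyphs, block sizes and grey-level scale are all made up for the demonstration.

```python
"""Measuring redaction leakage on a constructed bitmap font (added example).

A redaction is only safe if its output does not depend on the input. Pixelation
keeps a per-tile average, so glyphs with different ink distributions usually
produce different outputs; a black bar maps every input to the same output.
`identifiable` counts the glyphs that remain uniquely recognisable.
"""

# Constructed 6x6 font: '#' is ink, '.' is background. Not a real typeface.
FONT = {
    "I": ["######", "..##..", "..##..", "..##..", "..##..", "######"],
    "L": ["##....", "##....", "##....", "##....", "##....", "######"],
    "T": ["######", "..##..", "..##..", "..##..", "..##..", "..##.."],
    "O": [".####.", "##..##", "##..##", "##..##", "##..##", ".####."],
    "H": ["##..##", "##..##", "######", "######", "##..##", "##..##"],
    "E": ["######", "##....", "######", "######", "##....", "######"],
}


def pixelate(glyph, block):
    """Replace each block x block tile with its mean ink level on a 0-255 scale,
    as a mosaic/pixelate filter does. Returns a tuple of tuples."""
    size = len(glyph)
    if size % block:
        raise ValueError("block size must divide the glyph size")
    tiles = []
    for by in range(0, size, block):
        row = []
        for bx in range(0, size, block):
            ink = sum(glyph[y][x] == "#"
                      for y in range(by, by + block)
                      for x in range(bx, bx + block))
            row.append(round(255 * ink / (block * block)))
        tiles.append(tuple(row))
    return tuple(tiles)


def black_bar(glyph):
    """Solid bar: every output cell is full ink regardless of the input."""
    size = len(glyph)
    return tuple(tuple(255 for _ in range(size)) for _ in range(size))


def identifiable(font, redact, *args):
    """Number of glyphs whose redacted form is unique within the font, i.e. the
    glyphs an adversary with the same font could still pin down exactly."""
    outputs = {name: redact(glyph, *args) for name, glyph in font.items()}
    seen = {}
    for out in outputs.values():
        seen[out] = seen.get(out, 0) + 1
    return sum(1 for out in outputs.values() if seen[out] == 1)


def leakage_report(font=FONT):
    """Compare redaction methods on the same font. Smaller tiles leak more;
    only the black bar brings the count to zero."""
    return {
        "pixelate_block3": identifiable(font, pixelate, 3),
        "pixelate_block6": identifiable(font, pixelate, 6),
        "black_bar": identifiable(font, black_bar),
    }


if __name__ == "__main__":
    for method, count in leakage_report().items():
        print(f"{method:>16}: {count} of {len(FONT)} glyphs still identifiable")
```

Real documents make this worse, not better: a line of text gives many tiles per character, and the font, size and alignment are usually known from the unredacted parts of the same page.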

So what’s the upshot for you? Perhaps the ages-old redaction method of printing out the document, crossing out the redacted words with a thick black marker pen and rescanning holds some merit after all.

Global: Google Search Is Dying

If you’ve tried to search for a recipe or product review recently, I don’t need to tell you that Google search results have gone to “shift”. You would have already noticed that the first few non-ad results are SEO-optimized sites filled with affiliate links and ads.

Google still gives decent results for many other categories, especially when it comes to factual information. You might think that Google results are pretty good for you, and you have no idea what I’m talking about.

What you don’t realize is that you’ve been self-censoring yourself from searching most of the things you would have wanted to search. You already know subconsciously that Google isn’t going to return a good result.

In 2000, Google got popular because hackers realized it was better than Lycos or Excite. This effect is happening again. Early adopters aren’t using Google anymore.

1998 statement from Sergey Brin and Lawrence Page: “Currently, the predominant business model for commercial search engines is advertising. The goals of the advertising business model do not always correspond to providing quality search to users…we expect that advertising-funded search engines will be inherently biased towards the advertisers and away from the needs of the consumers…Furthermore, advertising income often provides an incentive to provide poor quality search results.”

Unfortunately, these thoughts on the failings of ad-based search engines read like an instruction manual for what Google did next.

They’ve dialed it up to the max recently to squeeze out every last cent before their inevitable collapse.

So what’s the upshot for you? What do you think? We’d be interested to see your response to this on discuss.daml.com

AU: Magpies have outwitted scientists by helping each other remove tracking devices

When we attached tiny, backpack-like tracking devices to five Australian magpies for a pilot study, we didn’t expect to discover an entirely new social behavior rarely seen in birds.

Our goal was to learn more about the movement and social dynamics of these highly intelligent birds and to test these new, durable, and reusable devices. Instead, the birds outsmarted us.

The harness was tough, with only one weak point where the magnet could function. To remove the harness, one needed that magnet or some really good scissors.

Animals living in larger groups tend to have an increased capacity for problem-solving, such as hyenas, spotted wrasse, and house sparrows.

Australian magpies generally live in social groups of between two and 12 individuals, cooperatively occupying and defending their territory through song choruses and aggressive behaviors (such as swooping).

Within 10 minutes of fitting the final tracker, we witnessed an adult female without a tracker working with her bill to try to remove the harness from a younger bird.

Within hours, most of the other trackers had been removed. By day three, even the dominant male of the group had its tracker successfully dismantled.

The birds needed to problem solve, possibly by pulling and snipping at different sections of the harness with their bill. They also needed to willingly help other individuals, and to accept help.

This is a very rare behavior termed “rescuing”.

Tracking magpies is crucial for conservation efforts, as these birds are vulnerable to the increasing frequency and intensity of heatwaves under climate change. In a study published this week, Perth researchers showed the survival rate of magpie chicks in heatwaves can be as low as 10 percent.

So what’s the upshot for you? We wondered why subscriptions to the podcast tend to rise in flocks of 12 but are happy that the magpies take their privacy so seriously.

US: Loud back end? Get your photo taken in NYC

If you live in New York and drive a loud car, you could receive a notice from the city’s Department of Environmental Protection (DEP) telling you your car is too loud. Not because a police officer caught your noisy car, but because a computer did.

“I am writing to you because your vehicle has been identified as having a muffler that is not in compliance with Section 386 of the Vehicle and Traffic Law, which prohibits excessive noise from motor vehicles. Your vehicle was recorded by a camera that takes pictures of the vehicle and the license plate. In addition, a sound meter records the decibel level as the vehicle approaches and passes the camera.”

The order goes on to tell the owner to bring their car to a location specified by the DEP—a sewage treatment plant, to be precise—for inspection.

Show up, and you’ll have the opportunity to get the car fixed to avoid a fine—much like California’s “fix-it” ticket system.

The document also informs the owner that if they fail to show up, they could face a maximum fine of US$875, plus additional fines for continuing to ignore the summons.

The DEP tells us this new program is unrelated to Governor Kathy Hochul’s recent initiative to curb noise pollution in New York. In September 2021 she signed the SLEEP bill into law, raising fines for an exhaust noise violation in the state from $150 to $1000—currently the highest in the nation.

So what’s the upshot for you? The program will be reevaluated on June 30, according to the DEP. From there it’ll likely either be expanded or taken out of commission.


One parting quote you can try on the inspectors: “What’s behind you doesn’t matter.” – Enzo Ferrari

That’s it for this week.

Stay safe, stay secure, let us know if that worked… and we’ll see you in se7en.

Reminds me of a report from many years ago, of the GSG-9 at Flughafen Berlin-Tegel being called to respond to a suspicious package. After destroying it in place, they discovered it was a bundle of pamphlets on ‘How to deal with suspicious packages’.

Moral of the story: Banal, inane and weird stuff really happens.

and it happens a lot!
