Dumping the IT Privacy and Security Weekly Update for the week ending July 26th, 2022



Daml’ers,

This week we share a pungent selection from the most excellent landfill of stories yet.
[Image: guy holding cat upside down]

We start our noisome journey literally in the dump and end up staring at a set of salad tongs.

We have a familiar cast of characters representing slightly different fragrance lines: Zuck, Elon, Blake, and even the devil himself may be found to guff in this one.

There’s the effluvium at KMart, new detritus for Ohio, and why even Google is starting to sniff at the bitter waft of the TikTok algorithm.

We tell you what trumpery to expect when you next get phished and if you are one of the tens of thousands laid off in the latest round of tech cuts, what you might want to consider for your next less malodorous gig.

Yes, it may be less than aromatic, but this week’s update will leave you with a smile like a Welsh crypto-Millionaire!

Come on! Pull up the waders, put the clothes peg on your nose, grab a pair of rubber gloves and let’s get mucky.



UK: Still down in the Dumps. The ongoing quest to find $181 million in Bitcoin.

“It’s a story that goes from the incredibly mundane to the colossal”

James Howells’ life changed when he threw out a hard drive about the size of an iPhone 6.

Howells, from the city of Newport in southern Wales, had two identical laptop hard drives squirreled away in a drawer in 2013. One was blank; he says the other contained 8,000 bitcoins — now worth about $181 million, even after the recent crypto crash.

He’d meant to throw out the blank one, but instead the drive containing the cryptocurrency ended up going to the local dump in a rubbish bag.

Nine years later, he’s determined to get back his stash, which he mined in 2009.

Howells, 36, is hoping local authorities will let him stage a high-tech treasure hunt for the buried bitcoins. His problem is that he can’t get into the dump.

His plan has two versions, based on how much of the landfill the council would allow him to search.

By his estimates, the most extensive option would take three years and involve scouring 100,000 metric tons — or about 110,000 tons — of garbage at a cost of $11 million. A scaled-down version would cost $6 million and take 18 months.

…and what if the hard drive is damaged? … Don’t even go there…

So what’s the upshot for you? The outcome of this story depends entirely on the local council. In years of trying he has only managed a 20-minute Zoom call with them… and that was back in May… and that kind of stinks.


Global: Meta Is Suing Meta For Naming Itself Meta

An installation-art company specializing in augmented reality called META (or Meta.is) announced late last Tuesday that it will be suing Meta (or Facebook) for trademark violation, alleging that Zuckerberg’s name change violated the smaller company’s established brand.

“On October 28, 2021, Facebook seized our META mark and name, which we put our blood, sweat, and tears into building for over twelve years,” reads a post on the smaller company’s site. “Today, after eight months of trying to negotiate with Facebook in good faith to no avail, we were left with no choice but to file a lawsuit against them.”

Much of the case hinges on Facebook’s many privacy scandals, which Meta.is argues has made it impossible to share the name.

“Meta can no longer provide goods and services under the META mark,” the complaint argues, “because consumers are likely to mistakenly believe that Meta’s goods and services emanate from Facebook and that Meta is associated with the toxicity that is inextricably linked with Facebook.”

So what’s the upshot for you? It does seem a tough fight as Facebook has now made applications to use the name Meta for messaging, social networking, and financial services.

The name Meta has also already been trademarked by non-techie companies selling anything from hard seltzer to… well, prosthetic limbs.

We’re not gamblers, but, if we had to put our money on someone, we’d bet on Meta.


Global: Spree of multimillion-dollar hacks creates booming business for blockchain security experts

Even as cryptocurrency markets face economic turbulence, there’s one segment of blockchain-based industries where business is booming: blockchain security.

A boutique industry of auditing firms formed over the past few years to deal with the emerging technology now boasts up to a year-long wait time to even begin working with customers and a growing list of job openings they can’t fill quickly enough.

So what’s the upshot for you? “With innovation comes the question ‘How do you do so safely?’ …the more we progress the more complexity we’ll be facing, and the more risk we have to deal with.”


Global: LinkedIn tops the most impersonated brand list in phishing attacks

What company will be named on the next phishing attempt someone aims at you? Compared to the first quarter of the year, LinkedIn impersonation dropped from 52% to 45%.

However, it maintains a considerable distance from the second most imitated brand by fraudsters, Microsoft, currently at 13%.

The central theme in spoofed Microsoft email requests is to verify Outlook accounts to steal usernames and passwords.

DHL currently holds the third spot in the list with 12%, down from 14%.

Amazon rose to fourth position, jumping from 2% in Q1 2022 to 9% this quarter, while Apple follows in fifth place with 3%, also a notable increase compared to last quarter’s 0.8%.

In the case of Amazon, the phishing emails attempt to steal the target’s billing information, including full credit card data, the researchers say.

So what’s the upshot for you? LinkedIn accounts can be used to set up fake job offer campaigns. As a recent example, North Korean hackers were able to trick an employee of a token-based online video game into downloading a malicious PDF that allowed the threat actor to steal $620 million worth of cryptocurrency.


Global: Nearly 40% of Gen Z is using TikTok and Instagram instead of Google for search.

TikTok ended 2021 with 655.9 million total users and, according to its parent company ByteDance, now has 1 billion monthly active users.

But that’s not the platform’s only achievement.

According to Google, nearly 40% of Gen Z prefer to search on TikTok and Instagram over Google Search and Maps.

It is already changing the way we consume content and search, especially among younger people.

But it’s important to highlight something: in the history of social media platforms, young people have been the precursors, and older people have followed them.

Facebook, which started in universities and schools and turned into a giant, is the most famous case. And TikTok is growing in the same way.

Google may not be worried just about Gen Z.

So what’s the upshot for you? “…where go the early adopters… the late adopters will follow.”


Global: Hacker lists database of 5.4 million Twitter users for sale

A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database acquired from this exploit is now being sold on a popular hacking forum, posted last week.

Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.

The bug was specific to Twitter’s Android client and occurred with Twitter’s authorization process.

“We noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.

The post was still live at last check-in, with the Twitter database, allegedly consisting of 5.4 million users, for sale.”

The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”

How did this happen?

The vulnerability discovered earlier in the year allowed any party, without any authentication, to obtain the Twitter ID (which is almost equivalent to getting the username of an account) of any user by submitting a phone number or email address, even if the user had prohibited this in the privacy settings.

The bug existed in the authorization process used by Twitter’s Android client, specifically in the step that checks whether a Twitter account already exists for that phone number or email.
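The pattern described above is an account-existence oracle that also hands back the account’s identity. As an added example (not Twitter’s code, and not a reconstruction of its actual endpoint), the block below shows a signup-time duplicate check written the leaky way next to a hardened version: the hardened check only says whether the identifier can be used, never which account holds it, and identity is returned only by an explicit contact-discovery call that requires an authenticated caller and the owner’s opt-in. The account table, screen names and discoverability flags are constructed for the illustration.

```python
"""Added example, not Twitter's code: an identity-leaking duplicate check
beside a hardened one. All accounts and settings below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    user_id: int
    screen_name: str
    email: str
    phone: Optional[str]
    # Privacy settings: whether others may find this account by email/phone.
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False


# Constructed sample data: alice has discovery switched off, bob opted in
# for email lookups only.
ACCOUNTS = [
    Account(1001, "alice", "alice@example.com", "+15550100"),
    Account(1002, "bob", "bob@example.com", None, discoverable_by_email=True),
]
_BY_EMAIL = {a.email: a for a in ACCOUNTS}
_BY_PHONE = {a.phone: a for a in ACCOUNTS if a.phone}


def _lookup(identifier: str) -> Optional[Account]:
    """Resolve an email (case-insensitive) or phone number to an account."""
    return _BY_EMAIL.get(identifier.lower()) or _BY_PHONE.get(identifier)


def vulnerable_duplicate_check(identifier: str) -> Dict:
    """Signup duplicate check that returns the matching account's identity.

    This is the bug class in the story: any unauthenticated caller learns the
    user ID (and so the screen name) behind an email or phone number, and the
    owner's discoverability settings are never consulted.
    """
    acct = _lookup(identifier)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id, "screen_name": acct.screen_name}


def hardened_duplicate_check(identifier: str) -> Dict:
    """Same check with the identity leak closed.

    The caller learns only whether a new account can use this identifier.
    Which account holds it is never returned; a real person who already owns
    it is pointed at login or password reset, which needs no identity.
    """
    return {"taken": _lookup(identifier) is not None}


def hardened_contact_discovery(identifier: str, *, caller_authenticated: bool) -> Dict:
    """The one path that may return an identity: explicit contact sync.

    It requires a logged-in caller, and it respects the per-channel opt-in
    the owner set in their privacy settings.
    """
    if not caller_authenticated:
        return {"match": None}
    acct = _lookup(identifier)
    if acct is None:
        return {"match": None}
    opted_in = (acct.discoverable_by_email if identifier.lower() == acct.email
                else acct.discoverable_by_phone)
    return {"match": acct.screen_name if opted_in else None}


if __name__ == "__main__":
    print(vulnerable_duplicate_check("+15550100"))   # leaks alice's user_id
    print(hardened_duplicate_check("+15550100"))     # {'taken': True} only
    print(hardened_contact_discovery("alice@example.com", caller_authenticated=True))
```

Even the hardened duplicate check still confirms that an address is registered somewhere, so in practice it also needs per-caller rate limiting and should not be reachable without the signup flow’s own anti-automation controls; the point of the example is that a signup endpoint never has a reason to return a user ID.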

So what’s the upshot for you? Twitter has not commented on this report, only saying that Elon still has to buy the company.


US: Google Fires Blake Lemoine, Engineer Who Called Its AI Sentient

Google has fired one of its engineers who said the company’s artificial intelligence system has feelings.

Last month, Blake Lemoine went public with his theory that Google’s language technology is sentient and should therefore have its “wants” respected.

Google, plus several AI experts, denied the claims and on Friday the company confirmed he had been sacked.

So what’s the upshot for you? In its statement, Google said it takes the responsible development of AI “very seriously” and published a report detailing this.

It added that any employee concerns about the company’s technology are reviewed “extensively”, and that LaMDA has been through 11 reviews.

“We wish Blake well”, the statement ended in a round of loud coughing.


US: Uber Avoids Federal Prosecution Over 2016 Breach of Data on 57M Users

In entering a non-prosecution agreement, Uber admitted that its personnel failed to report the November 2016 hacking to the U.S. Federal Trade Commission [for nearly one year], even though the agency had been investigating the ride-sharing company’s data security…

U.S. Attorney Stephanie Hinds in San Francisco said the decision not to criminally charge Uber reflected new management’s prompt investigation and disclosures, and Uber’s 2018 agreement with the FTC to maintain a comprehensive privacy program for 20 years.

The San Francisco-based company is also cooperating with the prosecution of the former security chief, Joseph Sullivan, over his alleged role in concealing the hacking.

Here’s what the Department of Justice is now alleging against that former security chief: “he arranged to pay money to two hackers in exchange for their silence while trying to conceal the hacking from passengers, drivers, and the U.S. Federal Trade Commission.”

That led to three separate wire fraud charges against the former security chief, as well as two charges for obstruction of justice.

The defendant was originally indicted in September 2020 and is believed to be the first corporate information security officer criminally charged with concealing a hacking.

Prosecutors said Sullivan arranged to pay the hackers $100,000 in Bitcoin and have them sign nondisclosure agreements that falsely stated they had not stolen data.

Uber had a bounty program designed to reward security researchers who report flaws, not to cover up data thefts…

In September 2018, the San Francisco-based company paid $148 million to settle claims by all 50 U.S. states and Washington, D.C. that it was too slow to reveal the hacking.

So what’s the upshot for you? Ouch! Wouldn’t want to be Joseph Sullivan!


Global: The future of cars is a subscription nightmare

Further to last week’s story: As cars get more expensive to make and profit margins dwindle, automakers are coming up with new and loathsome ways to squeeze more money out of their customers.

Subscription-based access to vehicle features, like heated seats or remote-start key fobs, are the latest attempt to charge people for things their car already came with.

The question is whether customers are going to lie down and take it.

A couple of weeks ago, some media outlets noticed that BMW was selling $18-a-month subscriptions to heated seats in a number of countries, including the UK and South Korea.

The German automaker had previously tried and failed to get customers to pay $80 a month for access to Apple CarPlay and Android Auto — features that are otherwise free in other companies’ vehicles.

But even after BMW reversed its decision to force people to pay for something that used to be free, it was clear that it wouldn’t stop there.

BMW isn’t alone — Volkswagen, Toyota, Audi, Cadillac, Porsche, and Tesla have all dabbled in subscription models for certain options, such as driver-assist features or voice recognition.

It’s a troubling trend, considering how much people freaking hate it.

Earlier this year, Cox Automotive conducted a survey of 217 people who intend to buy a new car over the next two years.

Only 25 percent said they’d be willing to pay a monthly or annual fee to unlock a feature in their vehicle.

The remaining 75 percent said “sod off” (or equivalent).

Last year, General Motors said it earned over $2 billion in in-car subscription service revenue, a number the company expects to grow to $25 billion by the end of the decade.

That would essentially put GM in the same league as Netflix, Spotify, and Peloton.

For a while, it seemed like the car itself would become a subscription.

A number of automakers thought they could charge people a monthly fee to access a variety of different models as an alternative to ownership or vehicle leases.

Turns out that people weren’t into it: Ford, BMW, Cadillac, and Mercedes-Benz have all pulled the plug on their vehicle subscription services.

So what’s the upshot for you? Cars are more expensive than ever, with the average car price cresting US$48,000 for the first time ever this month.

With the industry shifting to producing more electric vehicles, that average cost is expected to rise even more.

People are already feeling squeezed by dealers, so it’s not likely they will embrace the idea of paying more money on a recurring basis for access to things that were already there but just got turned off.

Unless automakers lower the purchase price of new vehicles to offset the subscriptions, customers aren’t likely to embrace the add-ons.

Perhaps automakers will have to back down on either pricing or how many things they want to turn into subscriptions or start selling more driver data.


US: Oh joy! Even Ohio is amping up on automated license plate readers.

They may say “awards totaling $3.5 million to help law enforcement agencies throughout the state address violent crime and human trafficking. Fourteen police departments are set to receive funding to expand programs like proactive policing, hiring more personnel to head anti-human-trafficking efforts, and expanding crime gun intelligence centers.”…

But the state is quietly expanding its use of license plate readers and tracking, with over 10% of the funding going to the readers.

Beyond the readers, the Toledo Police Department, as an example, also uses cameras from Flock Safety to surveil high-traffic areas with the aim of gathering evidence and generating leads.

“Any bit can help,” said a spokesperson for the Toledo PD.

So what’s the upshot for you? All the “bits” add up, and soon the average citizen has no reasonable expectation of privacy outside their own home at all… even in Ohio!


AU: Kmart halts use of in-store facial recognition amid Australian privacy investigation

Kmart and Bunnings have temporarily halted the use of facial recognition in their local stores while the Office of the Australian Information Commissioner (OAIC) investigates the privacy implications of their systems.

The two chains were trialing the technology to spot banned customers, prevent refund fraud and reduce theft.

The investigation started in mid-July, a month after the consumer advocacy group Choice learned that Kmart and Bunnings were testing facial recognition.

Bunnings had already paused use as it migrated to a new system.

Other Australian retailers, such as Aldi, Coles, and Woolworths, have said they don’t have plans to adopt the technology.

Both retailers defended their implementations. A Kmart spokesperson stressed that its facial recognition tech was used for “preventing criminal activity” and had strict privacy controls.

Bunnings managing director Mike Schneider, meanwhile, claimed people were “mischaracterizing” face detection.

The company’s trial is only meant to catch banned customers and doesn’t store images for regular shoppers, he said.

So what’s the upshot for you? Once you have the facial recognition technology in place wouldn’t it be great to leverage it for other use cases like special promotions, or targeted sales?

Or, if you knew a customer was from a wealthier demographic, you could do what some websites already do and raise prices for that special customer. Why waste a great opportunity?


AU: Hard-Coded password in Confluence app has been leaked on Twitter

https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html

What’s worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.

Atlassian last Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138, stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the password was “trivial to obtain.”

The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence.

“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to,” the company said. “It is important to remediate this vulnerability on affected systems immediately.”

So what’s the upshot for you? To figure out if a system is vulnerable, Atlassian advised Confluence users to search for an account with the following details:

User: disabledsystemuser
Username: disabledsystemuser
Email: dontdeletethisuser@email.com

If the account is present and active, disable or remove it; merely uninstalling the Questions for Confluence app does not remove the account, so a server that once had the app installed can still be exposed. Check the account’s last authentication time as well, since a login after the password became public is a sign someone else has already used it.

Note that cloud instances of the app are not vulnerable.
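As an added example (not Atlassian’s code), the block below turns the check above into a small triage script. It classifies user records as absent, vulnerable or remediated using the published account details, and scans login records for sessions by that account after the July 20th, 2022 disclosure. The user-record shape, the audit-line format and the sample data are constructed for the example; the optional REST fetch assumes Confluence Server/Data Center’s user lookup endpoint and is not needed to run the offline part.

```python
"""Added example, not Atlassian's code: triage helpers for CVE-2022-26138.

Constructed assumptions: user records as dicts with username/email/active,
and a constructed audit-line format. Nothing here logs in with the leaked
password; the check is purely about the account's presence and history."""
import base64
import json
import urllib.request
from datetime import datetime
from typing import Dict, Iterable, List

# Account details Atlassian published for the hardcoded user.
HARDCODED_USERNAME = "disabledsystemuser"
HARDCODED_EMAIL = "dontdeletethisuser@email.com"
# Advisory date; logins by the account from here on deserve a closer look.
DISCLOSURE = datetime(2022, 7, 20)


def classify_account(user: Dict) -> str:
    """Return "absent", "vulnerable" or "remediated" for one user record.

    Atlassian's remediation is to disable or delete the account, so an
    active match is vulnerable and a disabled one counts as remediated.
    Uninstalling the app alone leaves the account in place, which is why
    the check looks at the account and not at the installed apps.
    """
    name = (user.get("username") or "").lower()
    email = (user.get("email") or "").lower()
    if name != HARDCODED_USERNAME and email != HARDCODED_EMAIL:
        return "absent"
    return "vulnerable" if user.get("active", True) else "remediated"


def suspicious_logins(audit_lines: Iterable[str]) -> List[str]:
    """Pick out successful logins by the hardcoded account on or after disclosure.

    Constructed line format (not Confluence's real audit format):
    '<ISO timestamp> LOGIN_SUCCESS user=<name> ip=<addr>'
    """
    hits = []
    for line in audit_lines:
        parts = line.split()
        if len(parts) < 4 or parts[1] != "LOGIN_SUCCESS":
            continue
        user = parts[2][len("user="):].lower()
        when = datetime.fromisoformat(parts[0])
        if user == HARDCODED_USERNAME and when >= DISCLOSURE:
            hits.append(line)
    return hits


def triage(users: Iterable[Dict], audit_lines: Iterable[str]) -> Dict:
    """Combine both checks into one report keyed by username."""
    return {
        "accounts": {u["username"]: classify_account(u) for u in users},
        "suspicious_logins": suspicious_logins(audit_lines),
    }


def fetch_user_record(base_url: str, admin_user: str, admin_password: str) -> Dict:
    """Assumed endpoint: GET <base>/rest/api/user?username=... on Confluence
    Server/Data Center. Returns {} on a 404 (account absent). Not run offline."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/rest/api/user?username={HARDCODED_USERNAME}")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return {}
        raise


# Constructed sample data for an offline run.
SAMPLE_USERS = [
    {"username": "admin", "email": "admin@corp.example", "active": True},
    {"username": "disabledsystemuser", "email": "dontdeletethisuser@email.com", "active": True},
]
SAMPLE_AUDIT = [
    "2022-06-01T09:15:00 LOGIN_SUCCESS user=admin ip=10.0.0.5",
    "2022-07-22T03:41:12 LOGIN_SUCCESS user=disabledsystemuser ip=203.0.113.7",
    "2022-07-23T11:02:44 LOGIN_FAILURE user=disabledsystemuser ip=203.0.113.7",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_USERS, SAMPLE_AUDIT), indent=2))
```

Feed it the user list from User Management (or your LDAP/Crowd directory) and whatever login records you keep; a “vulnerable” account with a post-disclosure login means remediation is the start of an incident response, not the end of one.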


Global: Not the Cat’s Meow? The Impact of Posing with Cats on Female Perceptions of Male Dateability

People use dating sites to look for both long-term and short-term potential partners.

Previous research suggests that the presence of a pet may add to women’s perceptions of male attractiveness and date-ability.

This study sought to understand what effect, if any, the presence of a cat has on women’s perceptions of men.

Women responded to an online survey and rated photos of men alone and men holding cats as measures of masculinity and personality.

Men holding cats were viewed as less masculine; more neurotic, agreeable, open; and less dateable.

These results varied slightly depending on whether the women self-identified as a “dog person” or a “cat person.”

So what’s the upshot for you?

  • For men: ditch the cat and borrow the neighbor’s dog for your next photo shoot.
  • For women: you can be holding a dog, a cat, or salad tongs. Guys don’t care.



Quote of the week: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” - Benjamin Franklin.



That’s it for this week. Stay safe, stay secure, please take the clothes peg off your nose now, and see you in se7en.