Flashing Colours in the IT Privacy and Security Update for the week ending May 23rd., 2023



Daml’ers,

This week’s update starts with what some might see as a poke in the eye and could end with really poor enunciation.

We have Google introducing 8 new domains and getting caught in a .zip.

There’s a great story that might have you thinking that HP has moved into home construction when you hear about all the bricks it created over the past couple of weeks.

We have evidence that the FBI emerged from the locker room dirty and the low down on the kingpin of scammer calls in the UK.

While that’s going on Meta’s been setting new records and the White House, one of the slowest moving objects in Washington D.C. just got in front of you.

And then we end with a couple of Silicon Valley’s highest flyers, locked firmly in place.

TeleTubbies Rock!
- for the podcast to this week’s update click on something bright -

This update is more colorful than a meadow full of Teletubbies, so come on, grab your Ray Bans, and let’s go check out the action!


US/CA: Luxottica confirms 2021 data breach after info of 70M leaks online

Luxottica has confirmed one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums.

Luxottica is the world’s largest eyewear company, glasses, and prescription frames maker, and the owner of popular brands like Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many other. The company also operates Eyemed, a vision insurance company in the US.

In November 2022, a member of the now-defunct “Breached” hacker forum attempted to sell what he claimed to be a 2021 database containing 300 million records of personal information related to Luxottica customers in the United States and Canada.

According to the seller, the database contained customers’ personal information, such as email addresses, first and last names, addresses, and date of birth.

So what’s the upshot for you? If you had a Luxottica account in 2021, make sure that it and any other website you used the password on has been updated with fresh new passwords.


US/CA: Luxottica subdivision EyeMed fined $2.5M after security ‘deficiencies’ spurred 2020 breach

Talk about doing it blindingly wrong. EyeMed is owned by eyecare giant Luxottica, which provides vision benefits for health insurance companies.

In total, the states’ audit found six security program flaws, including failure to ensure data protection, lack of an accurate and thorough risk assessment, inadequate password policies, ineffective email security measures, and failure to implement effective user verification measures.

The impacted account contained data tied to current and former vision benefits members, including contact details, dates of birth, vision insurance account and identification numbers, driver’s licenses and other government identification numbers, health insurance account and identification numbers, Medicaid or Medicare numbers, and birth or marriage certificates.

Some patients also had partial or full Social Security Numbers and/or financial data compromised during the hack, in addition to medical diagnoses, health conditions, treatments, and/or passport numbers. Approximately six years of personal and medical data were exposed

EyeMed’s inadequate security program contributed to the incident and violated state consumer and personal information protection laws, as well as the Health Insurance Portability and Accountability Act.

Specifically, “several EyeMed employees were sharing a single password to an email account used by EyeMed employees to communicate sensitive consumer information,” such as details on plan members’ vision benefits enrollment and coverage, according to the findings.

So what’s the upshot for you? This isn’t even stupid security. This is no security. Seeing red? You should be.


Global: Google Pushes New Domains Onto the Internet, and the Internet Pushes Back

A recent move by Google to populate the Internet with eight new top-level domains is prompting concerns that two of the additions could be a boon to online scammers who trick people into clicking on malicious links.

Two weeks ago, Google added eight new top-level domains (TLDs) to the Internet, bringing the total number of TLDs to 1,480, according to the Internet Assigned Numbers Authority, the governing body that oversees the DNS Root, IP addressing, and other Internet protocol resources.

Two of Google’s new TLDs – .zip and .mov – have sparked scorn in some security circles. While Google marketers say the aim is to designate “tying things together or moving really fast” and “moving pictures and whatever moves you,” respectively, these suffixes are already widely used to represent something altogether different.

Specifically, .zip is an extension used in archive files that use a compression format known as zip.

The format .mov, meanwhile, appears at the end of video files, usually when they were created in Apple’s QuickTime format.

Many security practitioners are warning that these two TLDs will cause confusion when they’re displayed in emails, on social media, and elsewhere.

The reason is that many sites and software automatically convert strings like “arstechnica.com” or “mastodon.social” into a URL that, when clicked, leads a user to the corresponding domain.

So what’s the upshot for you? The concern is that emails and social media posts that refer to a file such as setup.zip or vacation.mov will automatically turn them into clickable links – and that scammers will seize on the ambiguity.


US: Google pays $39.9M to end Washington’s location tracking, privacy lawsuit

In an agreement to resolve allegations over Google’s misleading location tracking practices, the tech giant has agreed to pay the state of Washington $39.9 million and to implement court-ordered reforms to increase transparency about its location tracking settings.

Washington State Attorney General Bob Ferguson first filed a lawsuit against Google that claimed it “deceptively led consumers to believe that they have control” over how the platform collects and uses their location data.

The lawsuit claimed consumers were unable to effectively prevent Google from not only collecting and storing their data but profiting from it as well.

So what’s the upshot for you? “For years, Google’s help page stated, ‘With Location History off, the places you go are no longer stored.’

That statement was false,” according to the lawsuit.

“For example, the company collects location data under a separate setting — ‘Web & App Activity’— that is defaulted ‘on’ for all Google Accounts.”


EU: Meta Fined Record $1.3 Billion in EU Over US Data Transfers

https://www.bloomberg.com/news/articles/2023-05-22/meta-fined-record-1-3-billion-in-eu-over-us-data-transfers

Facebook owner Meta was hit by a record $1.3 billion European Union privacy fine and given a deadline to stop shipping users’ data to the US after regulators said it failed to protect personal information from the prying eyes of American security services.

The social network giant’s continued data transfers to the US didn’t address “the risks to the fundamental rights and freedoms” of people whose data was being transferred across the Atlantic, according to a decision by the Irish Data Protection Commission announced on Monday.

On top of the fine, which eclipses a $806 million EU privacy penalty previously doled out to Amazon, Meta was given five months to “suspend any future transfer of personal data to the US” and six months to stop “the unlawful processing, including storage, in the US” of transferred personal EU data.

A data-transfers ban for Meta was widely expected and once prompted the US firm to threaten a total withdrawal from the EU.

But its impact has now been muted by the transition phase given in the decision and the prospect of a new EU-US data flows agreement that could already be operational by the middle of this year.

So what’s the upshot for you? EU regulators in December unveiled proposals to replace the previous “Privacy Shield” pact torpedoed by the EU’s Court of Justice.

This followed months of negotiations with the US, which yielded an executive order by President Joe Biden and US pledges to ensure that EU citizens’ data is safe once it’s shipped across the Atlantic.

Facebook will appeal, hopefully have the underpinnings of this new arrangement in place, and could skip the fine altogether.


US: FBI Abused Spy Law 280,000 Times In a Year

The FBI misused surveillance powers granted by Section 702 of the Foreign Intelligence Surveillance Act (FISA) over 278,000 times between 2020 and early 2021 to conduct warrantless searches on George Floyd protesters, January 6 Capitol rioters, and donors to a congressional campaign, according to a newly unclassified court opinion.

On Friday, the US Foreign Intelligence Surveillance Court made public a heavily redacted April 2022 opinion https://regmedia.co.uk/2023/05/22/2021_fisc_opinion.pdf that details hundreds of thousands of violations of Section 702 of the Foreign Intelligence Surveillance Act (FISA) – the legislative instrument that allows warrantless snooping.

The Feds were found to have abused the spy law in a “persistent and widespread” manner, according to the court, repeatedly failing to adequately justify the need to go through US citizens’ communications using a law aimed at foreigners.

The court opinion details FBI queries run on thousands of individuals between 2020 and early 2021.

This includes 133 people arrested during the George Floyd protests and more than 19,000 donors to a congressional campaign.

In the latter, “the analyst who ran the query advised that the campaign was a target of foreign influence, but NSD determined that only eight identifiers used in the query had sufficient ties to foreign influence activities to comply with the querying standard,” the opinion says, referring to the Justice Department’s National Security Division (NSD).

In other words, there wasn’t a strong enough foreign link to fully justify the communications search.

For the Black Lives Matter protests, the division determined that the FBI queries “were not reasonably likely to retrieve foreign intelligence information or evidence of a crime.”

Again, an overreach of foreign surveillance powers.

Additional “significant violations of the querying standard” occurred in searched related to the January 6, 2021 breach of the US Capitol, domestic drug and gang investigations, and domestic terrorism probes, according to the court.

It’s said that more than 23,000 queries were run on people suspected of storming the Capitol.

So what’s the upshot for you? and there we were thinking the FBI were squeaky clean…


Global: HP Rushes to Fix Bricked Printers After Faulty Firmware Update

Following on from last week’s story where the Telegraph reported that a recent firmware update to HP printers "prevents customers from using any cartridges other than those fitted with an HP chip, which are often more expensive.

If the customer tries to use a non-HP ink cartridge, the printer will refuse to print."

Some HP “Officejet” printers can disable this “dynamic security” through a firmware update, PC World reported earlier this week.

HP still defends the feature, arguing it’s “to protect HP’s innovations and intellectual property, maintain the integrity of our printing systems, ensure the best customer printing experience, and protect customers from counterfeit and third-party ink cartridges that do not contain an original HP security chip and infringe HP’s intellectual property.”

Meanwhile, Engadget now reports that “a software update Hewlett-Packard released earlier this month for its OfficeJet printers is causing some of those devices to become unusable.”

After downloading the faulty software, the built-in touchscreen on an affected printer will display a blue screen with the error code 83C0000B.

Unfortunately, there appears to be no way for someone to fix a printer broken in this way on their own, partly because factory resetting an HP OfficeJet requires interacting with the printer’s touchscreen display.

For the moment, HP customers report the only solution to the problem is to send a broken printer back to the company for service.

BleepingComputer says the firmware update “has been bricking HP Office Jet printers worldwide since it was released earlier this month…”

“Our teams are working diligently to address the blue screen error affecting a limited number of HP OfficeJet Pro 9020e printers,” HP told BleepingComputer…

Since the issues surfaced, multiple threads have been started by people from the U.S., the U.K., Germany, the Netherlands, Australia, Poland, New Zealand, and France who had their printers bricked, some with more than a dozen pages of reports.

So what’s the upshot for you? "HP has no solution at this time.

Hidden service menu is not showing, and the printer is not booting anymore.

Only a blue screen," one customer said. “I talked to HP Customer Service and they told me they don’t have a solution to fix this firmware issue.”


UK: How the 35-year-old Weed Smoker Behind 10 Million Scam Calls Made His Fortune

Millions of people get phone calls from scammers and wonder who is at the other end.

Now we know: rather than someone in a call center far away, a “bright young man” living in a lush flat in London has been unmasked as the mastermind behind so many of these calls.

Tejay Fletcher’s trial exposed how criminals with a simple website bypassed police, phone operators, and banks to facilitate “fraud on an industrial scale”, scamming victims out of £100m ($124 million) of their hard-earned cash.

Fletcher, 35, who ran the website iSpoof.cc, was jailed for 13 years and four months earlier this week following his arrest in 2019 in what is the biggest anti-fraud operation mounted in the UK.

The website allowed criminals to disguise their phone numbers in a process known as “spoofing” and trick unsuspecting people into believing they were being called by their bank or other institutions…

The number of people using iSpoof swelled to 69,000 at its peak, with as many as 20 people per minute targeted by callers using the site.

More than 10 million fraudulent calls were made using iSpoof in the year to August 2022 — 3.5 million of them in the UK, the prosecution said.

More than 200,000 victims in the UK — many of them elderly — lost £43m, while global losses exceeded £100m…

The website allowed [its users] to intercept one-time passwords, which were “ironically” introduced by banks to increase their security measures, noted John Ojakovoh, prosecuting…

Fletcher was not particularly tech-savvy, but he used a website called freelancer.com to hire programmers to make the “building blocks” of the site.

iSpooft’s users “could only pay via Bitcoin,” the Telegraph writes. They describe Bitcoin as “a currency favored by many criminals because it is more difficult to trace payments.”

Here’s what happened next:

Posing as iSpoof customers, police paid for a trial subscription in Bitcoin and tested the website.

They traced the money they paid to iSpoof and eventually discovered that the “lion’s share” of the profits were going to Fletcher.

They obtained a copy of the website’s server, which revealed call logs that further incriminated Fletcher and the scammers using his website.

It turned out that Fletcher had deceived the scammers, too, when he claimed he was not storing any of their information, prosecutors said…

Although Fletcher will remain behind bars, others are also being investigated.

Additionally, some 120 suspected phone scammers have been arrested, 103 of them in London.

So what’s the upshot for you? Apparently police in the UK spend just 2pc of funding on fraud despite fraud representing 40pc of all crime.


US: Court Orders Theranos Founder Elizabeth Holmes To Go To Prison

Theranos founder Elizabeth Holmes has been ordered to report to prison while she appeals her fraud conviction and a jail sentence of over 11 years for defrauding investors.

Backstory: Theranos was a healthcare technology company that claimed to have developed a breakthrough blood-testing technology.

However, investigations revealed that the technology was flawed, in some cases non-existent, and that the company engaged in fraudulent practices.

The company’s founder, Elizabeth Holmes, faced legal repercussions, and Theranos eventually shut down.

The case highlighted the importance of ethical practices and regulatory oversight in the healthcare technology industry.

Latest update: She has also been ordered to pay $452 million to victims, which will be split with her former partner, Ramesh “Sunny” Balwani, who has already been convicted and sentenced to 13 years in prison.

Now Elizabeth Holmes, the disgraced CEO of Theranos, must also report to prison on May 30, according to a ruling issued Wednesday by U.S. District Judge Edward Davila.

Holmes must report to jail no later than 2:00 p.m. local time on that day, and is expected to begin her sentence at a minimum-security facility in Bryan, Texas.

On Tuesday, an appeals court rejected Holmes’ bid to stay out of prison while she appeals her conviction.

So what’s the upshot for you? Elizabeth can polish her amazing skill of looking people right in the eye and lying… every day for the next 11 years.


US: OpenAI CEO In ‘Historic’ Move Calls For Regulation Before Congress

Last week OpenAI CEO Sam Altman appeared before a Senate Judiciary subcommittee, along with IBM chief privacy officer Christian Montgomery and NYU professor Gary Marcus, to testify about the dangers posed by generative artificial intelligence.

Altman said he’d welcome legislation in the space and urged Congress to work with OpenAI and other companies in the field to figure out rules and guardrails.

Altman argued that generative AI is different and requires a separate policy response.

He called it a “tool” for users that cannot do full jobs on its own, merely tasks.

Altman called for a government agency that would promulgate rules around licensing for certain tiers of AI systems “above a crucial threshold of capabilities.” He said: “My worst fear is we cause significant harm to the world.”

Sen. Dick Durbin called it “historic” that a company was coming to Congress pleading for regulation.

IBM’s Montgomery said it was important to regulate risks, not the tech itself. “This cannot be the era of move fast and break things,” she said.

So what’s the upshot for you? Members of Congress will continue to have hearings on AI, with one in July that will look specifically at copyright and patents.


US: White House Takes New Steps To Study AI Risks, Determine Impact on Workers

The White House said on Tuesday it would ask workers how their employers use artificial intelligence (AI) to monitor them, as it allocates federal investments in the technology, which is expected to change the nature of work.

The White House will hold a listening session with workers to understand their experience with employers’ use of automated technologies for surveillance, monitoring, and evaluation.

The call will include gig work experts, researchers, and policymakers.

Millions of users have tried AI apps and tools, which supporters say can make medical diagnoses, write screenplays, create legal briefs and debug software, leading to growing concern about how the technology could lead to privacy violations, skew employment decisions, and power scams and misinformation campaigns.

As part of its evaluation of the technology, the administration will also announce new steps, including an updated roadmap for federal investments in AI research, a request for public input on AI risks, and a new report from the Department of Education on how AI affects teaching, learning, and research.

So what’s the upshot for you? These concerns are concerns for all of us. If you haven’t yet considered how AI will impact you, just remember how far behind the White House typically is in addressing issues of privacy and security.


CN/US: UC Berkeley Neglected To Disclose $220 Million Deal With China To the US Government

The University of California-Berkeley (or U.C. Berkeley) has failed to disclose to the U.S. government massive Chinese state funding for a highly sensitive $240 million joint tech venture in China that has been running for the last eight years.

The Californian university has not registered with the U.S. government that it received huge financial support from the city of Shenzhen for a tech project inside China, which also included partnerships with Chinese companies that have since been sanctioned by the U.S. or accused of complicity in human rights abuses.

The university has failed to declare a $220 million investment from the municipal government of Shenzhen to build a research campus in China.

A Berkeley spokesperson said that the university had yet to declare the investment – announced in 2018 – because the campus is still under construction.

However, a former Department of Education official who used to help manage the department’s foreign gifts and contracts disclosure program said that investment agreements must be disclosed within six months of signing, not when they are fully executed.

Berkeley admitted that it had also failed to disclose to the U.S. government a $19 million contract in 2016 with Tsinghua University, which is controlled by the Chinese government’s Ministry of Education.

The project’s Chinese backers promised lavish funding, state-of-the-art equipment, and smart Ph.D. students for Berkeley academics researching national security-sensitive technologies, according to contract documents.

After the project got underway, Berkeley researchers granted Chinese officials private tours of their cutting-edge U.S. semiconductor facilities and gave “priority commercialization rights” for intellectual properties (IP) they produced to Chinese government-backed funds.

A Berkeley spokesman said that Berkeley only pursued fundamental research through TBSI, meaning that all research projects were eventually publicly published and accessible to all; it did not conduct any proprietary research that exclusively benefited a Chinese entity.

Still, Berkeley’s ties to the Chinese government and sanctioned Chinese companies are sure to raise eyebrows in Washington, where U.S. policymakers are increasingly concerned about the outflow of U.S. technology to China, especially those with military applications.

So what’s the upshot for you? What do you do to University professors who decide they are too smart to follow the rules?

Sit them in front of a television set and force them to watch Teletubbies until they can’t form words correctly anymore.

Teletubbies in a meadow
- for the podcast to this week’s update click on something bright -



And our quote of the week - “Privacy is not just a privilege; it’s the encrypted fortress that safeguards the sanctuary of our individuality, where our secrets dance freely in the symphony of anonymity."


That’s it for this week. Stay safe, stay secure, dance brightly, and see you in se7en.