Flying high with the IT Privacy and Security Weekly Update for October 18th, 2022


Daml’ers,

This week we start in the air and end in the air, with not a care while we are there.

We get an update on “Baby Al Capone” who got done for hacking a phone, how your drone might give up your home, a new Turkish law that gets basted, and a card shark who’s wasted.

We have Shein getting the boot, hackers for hire facing a suit, a duck update for your next reboot and new AI that identifies a woodland hoot.

So put away that squirrel suit, don’t head for the roof, you’re safe with this update, and here is the proof!


FR/US: World’s Second Richest Man Sells Jet So People On Twitter Won’t Track Him Anymore, but the Richest Man?

Bernard Arnault, the CEO of luxury brand LVMH – known for expensive labels like Louis Vuitton – is the world’s second-richest man according to Bloomberg’s Billionaires Index.

He currently clocks in at a net worth of $133 billion, beating out Amazon founder Jeff Bezos’ paltry $130 billion.

He’s also been harangued on Twitter for his consistent use of private jets.

French accounts that use planes’ transponder signals and publicly accessible information have tracked Arnault’s and other rich folks’ use of private jets to reveal just how much wasteful flying time is used by the world’s wealthiest.

In September, the Twitter account laviondebernard (Bernard’s Plane) wrote that Arnault’s plane had been de-registered in France.

The account wrote "The LVMH private jet has not been registered in France since September 1, 2022.

Still no word from Bernard Arnault or LVMH on the subject of private jets. So Bernard, are we hiding?"

Apparently, that’s just what Arnault has been doing.

On the LVMH-owned podcast released recently, Arnault admitted that the LVMH group “had a plane, and we sold it.”

He added: “The result now is that no one can see where I go because I rent planes when I use private planes.”

So what’s the upshot for you? The world’s richest man, Elon Musk, also has a penchant for using his private plane quite an obscene amount.

Earlier this year, the Tesla and SpaceX CEO came under fire when transponder signals showed his $70 million private Gulfstream jet flew just nine minutes from San Jose to San Francisco.

That flight likely took place in May.

The billionaire reportedly proposed to buy one of the accounts tracking his jet, called @ElonJet. Musk asked Jack Sweeney, the young man who runs the jet-tracking bot account, to take it down, calling it a “security risk.”

He even offered to buy the account for a measly $5,000, according to Twitter DMs seen by Protocol.

Sweeney asked Musk to add “an extra ‘0’” to that number, but to this day, the tracking account remains.


US/CN: DJI drone tracking data exposed in the US

https://cybernews.com/privacy/dji-drone-tracking-data-exposed-in-us/

AeroScope, a drone-monitoring device by DJI, can “identify the vast majority of popular drones on the market today.”

The Cybernews Research Team discovered an open database with over 90 million entries of drone-monitoring logs created by 66 different DJI AeroScope devices, with the majority of them (53) being located in the US. Some were located in Qatar (six) and a few in Germany, France, and Turkey.

Logs included the drone’s position, model and serial number, the position of the drone’s pilot, and home location (usually the point of take-off). No personally identifiable information (PII) was present in the dataset. In total, Cybernews found over 80,000 unique drone IDs in the instance.

DJI told Cybernews that the 54.5GB dataset, discovered by Cybernews researchers on July 11 and hosted by AWS in the US, is not their property, meaning that the data was most likely exposed by a DJI client using AeroScope devices to monitor the airspace for drones.

Since the server was hosted on AWS and didn’t have any domains assigned to it, it was impossible for the Cybernews researchers to track down the owner even with the help of VirusTotal, Centralops Domain Dossier, nmap, and dig, among other useful open-source-intelligence (OSINT) tools.

Cybernews informed both DJI and AWS about the leaky database so they could fix the issue as soon as possible to reduce the risk of threat actors accessing the dataset. AWS said it had passed the “security concern on to the specific customer for their awareness and potential mitigation.”

Needless to say, the surveillance of drones is upsetting enough for people who simply take theirs out for a spin or to capture aerial footage. Given the security concerns, tracking of drones is inevitable: however, it’s reasonable to expect that surveillance data is kept in protected databases.

Aras Nazarovas, a Cybernews researcher, said this information is upsetting to hobbyists since it can essentially show the routes they take with their drone.

So what’s the upshot for you? “For people who launch drones in their backyards, there is an added danger of revealing their address, and the fact that they are rich enough to have a DJI drone – prices range from $300 to $13,700, and you can see which drone they have,” Nazarovas said.


Global: TikTok profits from live streams of families begging

A BBC investigation found that ByteDance-owned TikTok is profiting from donations on charitable live streams, which have gained popularity.

The BBC went on the ground in war-torn Syria, where displaced families living in camps are begging for donations to cover everything from food to medical care — all through TikTok live streams.

TikTok is said to pocket up to 70% of donations collected via live streams.

For five months the BBC scraped info from 30 accounts broadcasting live from Syrian camps.

Some streams earned up to $1K/hour, but families said they received a tiny fraction of that.

TikTok’s response: Gen Z’s favorite app said this type of content isn’t allowed on its platform and added it would take action against “exploitative begging.”

But TikTok failed to explain why it’s reported to have taken a cut of the live streams if they’re not allowed.

Doesn’t add up: TikTok said the commission that it takes from digital gifts is significantly less than 70%.

But a BBC reporter in Syria tested it out and said TikTok had kept about 70% of the proceeds from his live stream.

Lions and roses… TikTok live-stream viewers can send digital gifts — ranging from roses (which cost a few cents) to lions (which cost $500) — to tip creators or donate to people in need.

The BBC found that the Syrian live-stream trend was facilitated by “TikTok middlemen,” who said they worked with agencies affiliated with TikTok in Asia and provided needy families with phones and accounts to go live.

So what’s the upshot for you? It could be TikTok’s lowest blow…

The world’s most popular app is no stranger to accusations of sketchy practices — from boosting harmful content to censoring content at China’s behest.

But if the BBC’s findings are accurate, it could be its worst scandal.

Over 1 billion people use TikTok to stay up to date with news, engage with trends, and donate to their favorite causes.

This report might add additional bruising to TikTok’s stellar reputation.


CN: Shein Owner Fined $1.9 Million For Failing To Notify 39 Million Users of Data Breach

Zoetop, the firm that owns Shein and its sister brand Romwe, has been fined $1.9 million by New York for failing to properly disclose a data breach from 2018.

A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account credentials, including those of more than 375,000 New York residents, according to the Attorney General’s announcement.

An investigation by the Attorney General’s office found that Zoetop only contacted “a fraction” of the 39 million compromised accounts, and for the vast majority of the users impacted, the firm failed to even alert them that their login credentials had been stolen.

The Attorney General’s office also concluded that Zoetop’s public statements about the data breach were misleading.

In one instance, the firm falsely stated that only 6.42 million consumers had been impacted and that it was in the process of informing all the impacted users.

So what’s the upshot for you? We’ve heard a lot lately about how fast (or even ultra-fast) fashion might be good for your image (if not the environment), but this is the first time we’ve encountered its adverse effects on your identity.


Global: Apple updates

The next versions of macOS and iPadOS will be released to the general public on October 24, Apple announced today.

Apple has just announced the new sixth-generation iPad Pro. The company’s latest flagship tablet has WiFi 6E and is powered by the M2 chip that first debuted in the MacBook Air and 13-inch MacBook Pro earlier this year.

iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. iOS 16’s approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.

So what’s the upshot for you? This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode on their phones are just as exposed to data leaking outside their active VPN tunnel, and that this will continue on iOS 16.


Global: DuckDuckGo’s Privacy-Focused Mac Browser is Now Available for Public Beta Testing

DuckDuckGo is rolling out its web browsing app for Mac users as an open beta test. Designed for privacy, the app was announced back in April as a closed beta but is now available for all Mac users to try before its official public launch.

The desktop browser includes the same built-in protections we’ve seen already featured in DuckDuckGo’s mobile apps, combining DuckDuckGo’s search engine, defenses against third-party tracking, cookie pop-up protection, and its popular one-click data clearing ‘Fire Button.’

Some additional features have been added to the browser (version 0.30) since its original announcement.

Now users can try Duck Player, a feature that protects users from targeted ads and cookies while watching YouTube content.

Ads viewed within the Duck Player will not be personalized, and DuckDuckGo says that in testing this actually removed most YouTube ads as a result.

YouTube will still register your views, but content watched through Duck Player won’t contribute to your YouTube advertising profile.

Pinned tabs and a new bookmarks bar have been included to address feedback from early beta testing, as well as a way to view your locally stored browsing history.

The app also lets you activate DuckDuckGo Email Protection on the desktop to better protect your inbox with email tracker blocking.

So what’s the upshot for you? The big win is DuckDuckGo’s Cookie Consent Pop-Up Manager which works on about 50 percent of sites (with more to come) to automatically choose the most private option and spare users from the annoying pop-up messages. This will be a boon on UK sites that have their own cookie selection (sometimes on every page)!


UK: UK Holds Talks on How To Avoid Blackouts at Major Data Centers

https://www.bloomberg.com/news/articles/2022-10-17/uk-discusses-blackout-planning-with-data-center-operators

UK government officials held detailed discussions with some of the biggest data center operators about ways to keep those businesses running through any potential power shortages in coming months, Bloomberg News reported Monday, citing people familiar with the matter.

The talks focused on allocating diesel for backup generators if Britain’s energy infrastructure operator, National Grid, needed to cut power, the people said, asking not to be named because the discussions are private.

The sides also discussed whether data centers should be considered critical national infrastructure.

There are between 400 and 600 commercial data centers in Britain, and they account for about 2.5% of the country’s electricity demand, according to the National Grid.

Operators often have their own backup generators that can run for as many as 72 hours, but businesses and officials have discussed the security of supplies in scenarios where disruptions worsen.

Slough, a beauty spot west of London, is one of Europe’s biggest hubs for server farms and would need more fuel for backup than other areas.

So what’s the upshot for you? This conversation about the energy crisis prep in the UK is starting to become sobering.


US: SIM Card Swindler ‘Baby Al Capone’ Agrees To Pay Back $22 Million To Hacked Crypto Investor

A young man who was not even old enough to drive back in 2018 managed to steal nearly $24 million from a major crypto investor’s account.

Now, over four years and likely thousands of dollars in investigation and lawyers’ fees later, Michael Terpin can claim he has reclaimed $22 million from the original hack, according to a recently filed agreement.

The original complaint, filed in New York Southern District Court back in 2020, accused the then-18-year-old Ellis Pinsky of leading a 20-person group, which met on the OGUsers forum, that attacked people’s crypto wallets using stolen SIM card data.

Pinsky allegedly performed this hack when he was only 15 years old while living with his mother in upstate New York.

The only other hacker named in the original complaint was 20-year-old Nick Truglia, who had been previously jailed on federal charges for a separate crypto theft.

So what’s the upshot for you? Terpin was a major name in the tech and crypto world, especially back in the late 20-teens as the co-founder of crypto investment firm BitAngels along with early work launching Motley Fool and Match.com.

At the time, Terpin’s phone hack was one of the largest crypto hacks of its kind.

Nowadays, however, $24 million is nothing compared to some of the funds modern crypto hackers seem to be rolling in by attacking crypto exchanges, protocols, and cross-chain bridges.


US: Man Alleging Poker Cheating Demands Better Security in Livestreamed Games

Last week the Los Angeles Times published a sympathetic portrait of Robbi Jade Lew, the woman facing unproven allegations of cheating in a high-stakes poker match.

This week the newspaper profiled the man making those accusations — Garrett Adelstein, known “as an affable guy who is known for taking even big losses in stride.”

“Adelstein would have reacted normally if his opponent made a good, even heroic, call that cost him $100,000,” said Jennifer Shahade, a pro poker player and chess champion. “I think the initial hand, the call, and the situation would be suspicious under any circumstances, any gender.”

In the profile we learn that Adelstein has 14 years of experience as a professional poker player, and is "one of the game’s best and most profitable high-stakes cash players, known to viewers of popular casino broadcasts for his loose-aggressive style of no-limit hold 'em and his willingness to buy in for enormous sums of money, bringing as much as $1 million to the table."

“On Sept. 29, Adelstein made the biggest bet of his life: risking his well-respected reputation, and possibly his poker career, when he accused rookie player Robbi Jade Lew of cheating in a $269,000 hand against him on Hustler Casino Live…”

Adelstein, 36, hasn’t played poker since.

In a more than four-hour interview from his Manhattan Beach home last Tuesday, Adelstein said he was “extremely confident” that he was the target of a cheating ring involving not just Lew but other players and at least one member of the show’s production crew. Lew, 37, denied the allegation, which she called “defamatory.”

The article notes how major poker sites were busted 15 years ago for “superuser” accounts with cheating privileges — and a 2019 lawsuit in which dozens of pros sued a player and gambling hall accused of leaking info from the RFID-tagged cards used in their live streams.

So what’s the upshot for you? Adelstein said, “I’m not playing poker on a stream again unless I see tangible, noticeable, measurable differences in Livestream security. That’s for my own benefit and it’s for the benefit of the poker community at large.”


TR: Just in time for Thanksgiving: New Turkish Law Mandates Jail Time for Spreading ‘Disinformation’

https://www.bloomberg.com/news/articles/2022-10-13/turkey-criminalizes-spread-of-false-information-on-internet

Turkey criminalized the spread of not cranberry sauce, but what authorities describe as false information on digital platforms, giving the government new powers in the months remaining before elections.

The measure, proposed by the governing AK Party and its nationalist ally MHP, is part of a broader “disinformation” law that was adopted by parliament on Thursday.

It mandates a jail term of one to three years for users who share online content that contains “false information on the country’s security, public order, and overall welfare in an attempt to incite panic or fear.”

Media groups and opposition parties have decried the bill as censorship, seeing it as a move to stifle critics and journalists in the run-up to elections set for next year.

So what’s the upshot for you? “The crime is defined in vague and open-ended terms. It is not clear how prosecutors will take action against those who allegedly spread false information.”


US/IN: Hackers for Hire: Former WSJ Reporter Says Law Firm Used Indian Hackers To Sabotage His Career

A former Wall Street Journal reporter is accusing a major U.S. law firm of having used mercenary hackers to oust him from his job and ruin his reputation.

In a lawsuit filed by Jay Solomon, the Wall Street Journal’s former chief foreign correspondent said Philadelphia-based legal firm Dechert LLP worked with hackers from India to steal emails between him and one of his key sources.

The lawsuit is the latest in a series of legal actions related to hired hackers operating out of India, notes Reuters.

“In June, Reuters reported on the activities of several hack-for-hire shops, including Delhi area companies BellTroX and CyberRoot, that were involved in a decade-long series of espionage campaigns targeting thousands of people, including more than 1,000 lawyers at 108 different law firms.”

Solomon said in a statement Saturday that the hack-and-leak he suffered was an example of "a trend that’s becoming a great threat to journalism and media, as digital surveillance and hacking technologies become more sophisticated and pervasive."

So what’s the upshot for you? The campaign “effectively caused Solomon to be blackballed by the journalistic and publishing community.” Not a good thing for a journalist.


Global: Meta’s New Headset for $1,500 will Track Your Eyes for Targeted Ads

Earlier this week, Meta revealed the Meta Quest Pro, the company’s most premium virtual reality headset to date with a new processor and screen, dramatically redesigned body and controllers, and inward-facing cameras for eye and face tracking.

"To celebrate the $1,500 headset, Meta made some fun new additions to its privacy policy, including one titled ‘Eye Tracking Privacy Notice.’ The company says it will use eye-tracking data to ‘help Meta personalize your experiences and improve Meta Quest.’

The policy doesn’t literally say the company will use the data for marketing, but ‘personalizing your experience’ is typical privacy-policy speak for targeted ads."

Eye tracking data could be used “in order to understand whether people engage with an advertisement or not,” said Meta’s head of global affairs Nick Clegg in an interview with the Financial Times.

Whether you’re resigned to targeted ads or not, this technology takes data collection to a place we’ve never seen.

The Quest Pro isn’t just going to inform Meta about what you say you’re interested in; tracking your eyes and face will give the company unprecedented insight into your emotions.

"We know that this kind of information can be used to determine what people are feeling, especially emotions like happiness or anxiety," said Ray Walsh, a digital privacy researcher at ProPrivacy.

“When you can literally see a person look at an ad for a watch, glance for ten seconds, smile, and ponder whether they can afford it, that’s providing more information than ever before.”

Meta has already filed a patent for a system that “adapts media content” based on facial expressions back in January, and it has experimented with harnessing and manipulating people’s emotions for more than a decade.

In January, it patented a mechanical eyeball. Despite the public’s privacy concerns about Meta, it may be hard for people who use the company’s products to resist activating the eye-tracking features because of what they will allow your avatar to do.

“If Meta is successful, there’s going to be a stigma attached with denying that data,” ProPrivacy’s Walsh said. “You don’t want to be the only one looking like an expressionless zombie in a virtual room full of people smiling and frowning.”

Of course, eye-tracking data could be used to determine what you’re thinking about buying.

Maybe you spend a few extra seconds glancing at an expensive digital fedora, and the company sends you a coupon code an hour later.

But measuring your emotions opens up a whole new arena for targeted ads.

Digital marketing is all about showing you the right ad at the right moment.

Walsh says advertisers could build campaigns with content specifically designed for people who seem frustrated, or more cheerful ads for people who are in a good mood.

So what’s the upshot for you? Meta seems to have pulled the policy (website above) after this cat got out of the bag.


US/CA: Looking for a new pursuit for the holidays? Help the kids become contributing Eco-scientists.

The global Living Planet Index continues to decline. It shows an average 68% decrease in population sizes of mammals, birds, amphibians, reptiles, and fish between 1970 and 2016.

A 94% decline in the Living Planet Index for the tropical subregions of the Americas is the largest fall observed in any part of the world.

…And from that context comes the Haikubox: a first-of-its-kind AI-enabled device that continuously detects and identifies backyard birds with help from a neural net and thousands of bird recordings at Cornell. Download an app, plug in a Haikubox outside your home, and wait.

The app quickly starts queuing the birds nearby, recording each call for playback. Haikubox can send an alert when certain birds or new species are recorded and lets you see which other locations have recorded those species.

It also connects users to more information about those birds.

So what’s the upshot for you? The data being recorded in your yard can help tell a much bigger story — about migration patterns, when species are active, and environmental changes.

Every Haikubox owner is like a citizen-scientist, contributing information to the largest dataset of bird behavior ever assembled.


And our quote of the week: “Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” - Marlon Brando


That’s it for this week. Stay safe, stay secure, always fly safely, and see you in se7en.