From Air to Sea with the IT Privacy and Security Weekly update for November 9th, 2021


This is the best IT Privacy and Security weekly update yet!

We start up in the warm breezes over Texas and Georgia and finish in the cool Pacific waters off the coast of California.

In between, we hit the power grid, poke at a new political privacy protection law, slap Facebook, then Samsung, and then somewhat in disbelief … watch as Samsung slaps back (yes, just read that privacy policy that came with your new TV…). We get heavy with hackers, learn why we think we could catch a “Putney Pusher” if it happened today, throw a spy in jail, and all to end happily … with the cutest solution to carbon neutrality ever. Awwww.

It’s just one more 'round the world rave-up (with a couple of crustaceans thrown in for good measure) that will leave you yearning for more. So limber up 'cause this IT Privacy and Security weekly update is going global!!

US: 1.8 TB of Police Helicopter Surveillance Footage Leaks Online

Newly leaked aerial surveillance footage from the Dallas Police Department in Texas and what appears to be Georgia’s State Patrol underscores the breadth and sophistication of footage captured by another type of aerial police vehicle: helicopters.

The transparency activist group Distributed Denial of Secrets posted a 1.8-terabyte trove of police helicopter footage to its website on Friday. Its co-founder says they don’t know the identity of the source who shared the data and that no affiliation or motivation for leaking the files was given. The source simply said that the two police departments were storing the data in unsecured cloud infrastructure.

“It’s a crystal-clear example of why mass surveillance makes our society less safe, not more safe. Corporations and governments are terrible at safeguarding the sensitive data that they collect.”

Police drones have gotten a lot of attention lately, because they represent a new generation of aerial vehicles capable of particularly stealthy surveillance and new types of behavior, including flying indoors. In contrast, law enforcement agencies have used helicopters in aerial surveys and monitoring for decades. But the footage released illustrates how effective helicopter-mounted cameras can be at capturing extremely sharp and detailed video close to the ground. Helicopters can also carry heavier surveillance equipment than what can be affixed to basic quad-copters or other types of low-cost drones.

“People think of police helicopters as traffic copters, but they’re so much more than that. They carry technology that lets police watch people who have no idea they’re being watched. It’s important for people to understand what police technology is already capable of and what it could be capable of soon. ”

Such broad use of helicopter surveillance augments privacy advocates’ concerns about drones. UAVs are much cheaper and easier to purchase and operate than helicopters and can still be outfitted with an extensive array of sensors.

“Camera and zoom tech is getting cheaper and lighter all the time. We need to always think of aerial vehicles like drones as a platform for other surveillance tools including cameras, stingrays, thermal imaging, and facial recognition software.”

So what’s the upshot for you? Could this be the new tagline: “If it gets collected, expect it to get spilled”?

US: A Drone Tried to Disrupt the Power Grid. It Won’t Be the Last

In July of last year, a DJI Mavic 2 drone approached a Pennsylvania power substation. Two 4-foot nylon ropes dangled from its rotors, a thick copper wire connected to the ends with electrical tape. The device had been stripped of any identifiable markings, as well as its onboard camera and memory card, in an apparent effort by its owner to avoid detection. Its likely goal, according to a joint security bulletin released by DHS, the FBI, and the National Counterterrorism Center, was to “disrupt operations by creating a short circuit.”

The drone crashed on the roof of an adjacent building before it reached its ostensible target, damaging a rotor in the process. Its operator still hasn’t been found. According to the bulletin, the incident, which was first reported by ABC, constitutes the first known instance of a modified, unmanned aircraft system being used to “specifically target” US energy infrastructure… and… it seems unlikely to be the last.

When it comes to the potential for consumer drones to wreak havoc, experts have sounded the alarm for at least six years, saying that their broad availability and capabilities provide opportunity for bad actors. In 2018, an explosives-laden drone carried out an apparent assassination attempt on Venezuelan President Nicolas Maduro.

ISIS and other terrorist groups have used consumer-grade quadcopters for both surveillance and offensive operations.

So what’s the upshot for you? Just thinking this topic through in a local context, a water reservoir or other facility … could cause more stress than anyone sharing this was willing to take on. The days of zero trust are truly upon us.

Global: Apple’s ever-expanding privacy feature-set

From iOS 15 Apple has included privacy reporting, but from iOS 15.2, it will come with an easy-to-use interface where you will see the App Privacy Report clearly displayed. The report will list the permissions your apps are accessing, how often they are doing so, and give you the chance to revoke them if they’re not needed. You’ll also be able to see if apps have contacted other domains and when.

The launch of iOS 15.2 comes as part of another major boost for iPhone privacy. Among the headline iOS 15 features are Mail Privacy Protection, which stops email marketers from tracking you, and Private Relay, which hides your IP address so it’s harder for advertisers to identify you.

Apple’s App Tracking Transparency features—which cut down the ability to track you on your iPhone by asking for explicit permission—will cost social media firms $10 billion in lost revenue during the second half of this year.

Note: This is leading advertisers to move away from Facebook while TikTok gains in popularity “because it’s a lot cheaper from a cost per 1,000 impressions basis.”

So what’s the upshot for you? Apple’s iPhone privacy features are a good thing. People are starting to care about their privacy, and they are becoming more aware of data tracking. More control over phone privacy is generally a win-win, as long as you remember that you also have to throttle Apple’s data collection way back too!

CN: Samsung Galaxy S21 Smartphone Hacked During $1 Million, 61 Zero-Days, Hacking Romp

Just weeks after hackers managed to breach iOS 15 security measures and hack an Apple iPhone 13 Pro, it’s the turn of Samsung’s current flagship smartphone, the Galaxy S21, to feel the hacking heat.

Unfortunately, like the iPhone 13 Pro before it, the Galaxy S21 has been hacked not once but twice. Indeed, within just a few days, hackers were able to demonstrate a total of 61 unique zero-day security flaws across a range of products and make themselves a whopping $1,081,250 in the process. Here’s how it all went down.

Over the weekend of 16-17 October, Chinese hackers taking part in the annual Tianfu Cup hacking challenge were able to bypass Safari security protections and achieve remote code execution on an iPhone 13 Pro running the fully patched iOS 15.0.2 at the time. What’s more, a different team of hackers went on to jailbreak the same flagship device by way of a ‘one-click’ attack.

The Tianfu Cup came about after China’s elite ethical hackers were banned by the Chinese government from taking part in international competitive hacking events where zero-day exploits are demonstrated. Zero-day exploits target a vulnerability that is unknown to the vendor and, therefore, cannot be stopped immediately.

On Wednesday, 3 November, the STARLabs team used an exploit chain to successfully attack the Samsung Galaxy S21. Officially, this was categorized as a ‘collision’ rather than an outright success because that attack chain included a vulnerability that was already known to Samsung rather than being a full zero-day chain.

On Thursday, 4 November, Sam Thomas, director of research at Pentest Limited, was able to get code execution on the Samsung Galaxy S21 using a three-bug chain that earned a full success label. It also earned the Pentest Limited team a $50,000 cash prize. The STARLabs team was awarded $25,000 for their hacking efforts.

So what’s the upshot for you? While it seems exactly the opposite, exposing the weaknesses on our phones actually helps their creators make them more secure.

CN: Ignore China’s New Data-Privacy Law at Your Peril

On November 1, China’s first comprehensive data privacy law came into effect and boosted the protections given to hundreds of millions of consumers. The law will reshape how companies in China do business, but will also send huge ripples around the world.

The new rules come in the form of the Personal Information Protection Law (PIPL), which places greater restrictions on what companies and individuals handling people’s personal information can do with that data. The law is the latest salvo in China’s efforts to rein in the previously unchecked growth of its tech giants, including WeChat operator Tencent and ByteDance, the company behind TikTok and Douyin.

While the law may help stop unauthorized data trading and theft in China, it is also closely linked to the government’s national security interests and builds upon recent cybersecurity and data security laws. Overseas companies that don’t fall into line with the law or harm the national security of China may be placed on a blacklist, which could effectively ban them from processing Chinese personal data—opening the door to international tit-for-tat retaliation against businesses. On the day the law was introduced, Yahoo shut down the few remaining services it was operating in China, citing an “increasingly challenging business and legal environment.” LinkedIn pointed to the same concerns when it withdrew from China in October.

China’s personal privacy law mirrors certain aspects of Europe’s all-encompassing General Data Protection Regulation (GDPR). For individuals, it copies much of the same language as GDPR. Both laws let people access information that’s held about them, ask for it to be corrected and deleted, and withdraw their consent for their information to be handled by a company. In some cases, the laws are so similar the language is almost the same.

For companies, there’s the requirement to protect people’s personal information. Companies operating in China now must employ a data protection officer, a move that has sent demand for such roles through the roof. Also cribbed from GDPR is the potential for huge fines: If a company breaches the new Chinese law it can be hit with fines up to 50 million yuan ($7.8 million) or 5 percent of its annual revenue—roughly equivalent to GDPR’s $23 million and 4 percent thresholds.

The unavoidable flaw in China’s personal data law is that it doesn’t stop the state itself from being able to access its citizens’ personal information. People living in China will still be some of the most surveilled and censored on the planet. “The Chinese government is the greatest threat to individual privacy.”

The Personal Information Protection Law does differ from other data regulations in how it mirrors the broader political aims of the country enforcing it. “If European data protection laws are grounded in fundamental rights and US privacy laws are grounded in consumer protection, Chinese privacy law is closely aligned with, and grounded in national security.”

In fact, the new law expands on a requirement in China’s existing cybersecurity law that companies store personal data within China. Telecoms, transport, finance firms and other entities deemed to be critical information infrastructure already had to do so. But that requirement now applies to any company that collects a certain, still undefined amount of people’s data. Following the departure of Yahoo and LinkedIn, Apple is now one of a small number of high-profile international tech companies with a presence in China. To keep its place in the hugely lucrative market, Apple has previously made serious concessions to the Chinese government. At this stage, it’s unclear how much of an impact the Personal Information Protection Law will have on Apple’s business in China or how it will manage compliance with the requirements.

So what’s the upshot for you? It’s easy to understand why so many companies have packed their bags and left. Privacy for the individual is one concern, but when elected, or even non-elected, officials are also privy to personal choices and details from all sources across the country, it can’t possibly result in a happy ending.

UK: Reg reader returns Samsung TV after finding giant ads splattered everywhere

Even your telly is now a moneymaking gadget for someone else. A Register reader triggered a kerfuffle for Samsung after asking the electronics biz if he could disable large and intrusive adverts splattered across his new smart TV’s program guide.

Ross McKillop bought the telly from UK retailer John Lewis but felt distinctly undersold when he turned it on to find the internet-connected device displaying advertising on its electronic program guide menu.

“If you press the menu button to change between like TV or Netflix or, or whatever, even different sources, there’s an advert panel,” lamented McKillop to The Reg. “It seems that people accept this.”

Irritated by the giant advert for Samsung’s own wares, McKillop took to Twitter to ask the obvious question. The answer was surprisingly blunt.

Hey, Ross. Congratulations on your new TV. You wouldn’t be able to disable the ads we’re afraid. ^HA — Samsung UK (@SamsungUK) October 27, 2021

Samsung has been relatively open about what its smart TVs do. A quick look at the “Samsung privacy policy – smart TV supplement” on its UK website reveals that the company hoovers up information about “your TV viewing history” including “information about the networks, channels, websites visited, and programs viewed on your Samsung Smart TV and the amount of time spent viewing them”.

And remember that the devices can pose a security risk unless they’re treated like any other internet-connectable device. They collect data, so they need to be updated and patched so the data you probably don’t even want to be giving them doesn’t get leaked.

All in all, if you’re buying a Samsung TV, just remember that you’re not only paying for a big panel so you can watch reruns of Friends; you’re also paying to be part of Samsung’s global TV advertising network.

So what’s the upshot for you? Samsung Electronics’ privacy policy states the manufacturer will collect “the networks, channels, websites visited, programs viewed and the time spent viewing them, and probably quite a bit of other data.”

Global: This AI Predicts How Old Children Are. Can It Keep Them Safe?

Predicting how old someone is based only on how they look is incredibly hard to get right, especially in those awkward early teen years. And yet bouncers, liquor store owners, and other age-restricted goods gatekeepers make that quick estimation all the time.

Yoti says its age estimation technology, which it has developed over the past three years, has a margin of error of 2.79 years across its total 45-year age range. For under-25s the margin of error drops below 1.5 years. In the next few weeks, it will get brick-and-mortar tests at five major supermarket chains in the UK. The company hasn’t named the supermarket brands but says a number of unnamed gaming websites are also trialing the tech to stop underage visitors. It adds that its age estimation technology is already being used by children’s streaming social network Yubo and healthy living app Smash.

Point a camera running Yoti’s software at your face—it can work through the web on your phone, laptop, or tablet, or at a self-checkout terminal—and the system estimates your age range. On multiple tests using a browser-based staging environment on the author’s phone, the system put them in the correct age ranges.

The company says neither it nor its clients store the image, and you don’t need to register to use it. “It’s not identifying. It’s also not authenticating anyone,” says one director at Yoti.

The company claims it’s not facial recognition, as it can’t identify individuals. “When it sees a new face, it just spits out the estimated age of that individual.”

The company itself is unsure what facial features its AI uses to determine people’s age. “We have to be honest, we don’t really know whether it’s to do with wrinkles or saggy eyes or quite what. It has just done so many that it is now very good at it.”

So what’s the upshot for you? When we asked the system to guess our age it blue-screened and had to be rebooted. Should we take that as a bad sign?

US: The US Puts a $10M Bounty on DarkSide Ransomware Hackers

The DarkSide ransomware gang spent a year or so as one of the most prolific groups in a very crowded field of criminal hackers, culminating in an attack on Colonial Pipeline that caused a temporary gas shortage along the East Coast.

They went dark not long after that, presumably because of all the attention, but likely reemerged soon afterwards as a group calling itself BlackMatter.

Now, the US State Department has offered up to a $10 million reward for anyone who has information that will help them identify or locate DarkSide leadership, as well as up to $5 million for tips that lead to the arrest or conviction of DarkSide affiliates.

There’s no easy answer for ransomware, but putting pressure on its most high-profile perpetrators is at least a start.

So what’s the upshot for you? US$10M is a lot of money. Would you consider turning in the kid that lives two apartments down for hacking into a capitalist gas company in a faraway place? Da!

UA: Ukraine Publicly IDs Russian Hackers Behind Over 5,000 Attacks

There’s another innovative way to deal with hackers. Dox them!

That’s the approach Ukraine took this week, outing several members of Russia’s Gamaredon hacking group and linking them to the country’s FSB intelligence service. In addition to sharing the hackers’ names, Ukrainian authorities released audio of telephone calls in which they discuss their attacks … and complain about their salaries.

The Ukrainian Security Service says that Gamaredon has carried out more than 5,000 cyberattacks against 1,500 government targets since 2013.

So what’s the upshot for you? Ooh, that’s got to hurt. We’re not sure any malware miscreant would want to be “outed” with as many people mad at them as there are these days.

EU: Europol Announces Arrests of 7 People Linked to REvil, GandCrab Ransomware

Law enforcement officials have seized an estimated $6 million in ransom payments, and the US Justice Department is expected to announce Monday that it has charged a suspect from Ukraine over a damaging July ransomware attack on an American company in a breakthrough for the Biden administration’s pursuit of cybercriminals.

Yaroslav Vasinskyi, a Ukrainian national who was arrested in Poland last month, is to face US charges for deploying ransomware known as REvil, which has been used in hacks that have cost US firms millions of dollars. Vasinskyi conducted a ransomware attack over the Fourth of July weekend on Florida-based software firm Kaseya that infected up to 1,500 businesses around the world, according to the charges the Justice Department is expected to announce.

Vasinskyi and another alleged REvil operative, Russian national Yevgeniy Polyanin, are expected to be charged with conspiracy to commit fraud and conspiracy to commit money laundering.

So what’s the upshot for you? Nope, not such a cool time to be a malware miscreant after all.

UK: The Unsolved Mystery of the Putney Pusher

In May 2017 a runner on Putney Bridge in West London pushed a woman in front of a bus. Fifteen minutes later, that same runner ran back across the same side of that same bridge and was recognized by the woman he pushed. However, despite the city’s vast CCTV network—and the close attentions of internet sleuths—the case remains unsolved.

That, despite London being the capital of one of the most surveilled nations on Earth.

According to figures released in 2020, there are around 5.2 million CCTV cameras in operation around the UK, in both public and private ownership. Around 691,000 of these are in London, making it the only city outside of China in the global top ten.

It’s thought that the average Londoner is captured on camera around 300 times a day. Even buses are loaded with cameras: there are around 17 on a typical double-decker, and most of them face inwards.

“Unfortunately the image [in this case] showed a person of fairly generic appearance in running gear with no distinguishing features. This meant that anyone who police suspected of being the offender could simply point out that the image could show any jogger of a similar height and build”.

Facial recognition has come a long way in the intervening four years. In late September this year, the Metropolitan Police received approval to expand its facial recognition systems to look at CCTV footage.

“It’s an incredibly unregulated space.”

“The databases that law enforcement have are vast and the introduction of retrospective facial recognition by UK police forces is concerning. But this technology is inherently flawed and rights-abusive.”

So what’s the upshot for you? This is now a cold case, as it is still unsolved. Perhaps something will be discovered from the archives; certainly, if a similar incident were to happen today, we expect the outcome would be vastly different.

US: The Cutest Way to Fight Climate Change

Off the coast of California lies an underwater forest of giant kelp, a kind of seaweed that grows to 100 feet tall at the rate of a foot a day. And just as a terrestrial forest sucks carbon dioxide out of the air, all that rapidly growing seaweed soaks up carbon from the water, playing an incredibly important role in reducing CO2 above the water.

“With kelp goes a huge amount of carbon,” says Chris Wilmers, an ecologist at the University of California, Santa Cruz. “As a general rule, kelp forests are much more productive than most terrestrial forests, in that they’re churning through carbon much more quickly.”

But since the 18th century, California’s kelp forest has been steadily mowed down by purple urchins, thanks to the massacre of their natural predator—the sea otter—hunted for its luxurious fur.

Over the last few centuries, otter numbers in California crashed from 20,000 to just 50.

Without otters patrolling the kelp forests, the native urchin population skyrockets. The spiky invertebrates actually switch up their foraging strategy, from hiding in rock crevices and waiting for detritus to come to them to boldly venturing out and eating all the kelp in sight.

Parts of the West Coast have seen a 10,000 percent increase in urchins in recent years, and California has lost 95 percent of its kelp forests.

A sea otter is a ravenous ecosystem engineer of the highest order. Because of its low body fat, an otter must eat a quarter of its body weight every day to stay warm and healthy, repeatedly diving to the seafloor to gather urchins, crabs, and bivalves like clams. “By having to eat as much as they do in order to survive in their environment, they have really drastic impacts on those habitats, which are overwhelmingly positive.”

Keeping the urchin population in check preserves the kelp, which is vital for the ecosystem in two main ways:

First, the forest is a habitat for fish, which are the food source for birds and other marine mammals, like sea lions.

Second, the seaweed is part of what scientists call a “blue carbon” ecosystem, meaning a coastal or marine area that sequesters carbon.

So what’s the upshot for you? There is a third benefit in the volumes of tourists who enrich local economies for a chance to come and just see the cute sea otters. As with IT privacy and security, getting the balance right, so that people like not only the results but the overall experience, is an important part. We think this solution is a win/win/win, and that’s why this week’s podcast will be presented from behind whiskers (just like a sea otter!). Aww!

That’s it for this week! We’ll be busy for the next few days pulling the crustaceans out of our ears, but once we’ve done that we’ll be back with another fresh mix!

Until then, be kind, stay safe, stay secure and see you in se7en!
