Lies, Spies and the IT Privacy and Security Weekly Update for October 11th. 2022


James Bond, Mata Hari,
mata hari
and Papa John?

This week we look into what today’s liars and spies are up to; from fishing to card sharks, wiretaps to deauthers, stolen keys to firewall upgrades.

And in the face of that, we are presented with an Operating System that is bundling higher security and application updates and … supporting it all for 10 years. Publicity stunt? Maybe, but it got our attention!

Finally if clutching your wallet and your phone as you hit that last 76-meter drop on Tarragona Spain’s “Shambhala” roller coaster, you notice the emergency medical services waiting at the bottom, it may have less to do with the person next to you who blacked out and more to do with your latest toy.

Mata Hari’s got nothing on you. Quick, jump into the Aston Martin, and let’s roll!

US: Papa John’s Sued For ‘Wiretap’ Spying on Website Mouse Clicks, Keystrokes

Papa John’s is being sued by a customer – not for its pizza but for allegedly breaking the US Wiretap Act by snooping on the way he browsed the pie-slinger’s website.

The pizza chain is accused of falling foul of wiretapping rules by using so-called session replay software on its website.

This software records and phones home everything a user does on the site, beyond what fetching pages and placing an order would submit.

For instance, it tells Papa John’s where the mouse is moved and clicked, and what’s typed into the page.

This info can be used to figure out where users get stuck, bail out of a sale, get lost, and so on.

Session replay tools have been a privacy concern due to their indiscriminate capturing of data, sometimes poor security, and failures to get user consent to track and store this data, not to mention having analysts going over your every move to see how they can optimize their webpages and boost sales.

So what’s the upshot for you? On the other hand, you may not see it as that much of a concern given all the other material data a website might have on you – such as name, email and home address, date of birth, orders placed, payment details, etc etc.

NL: Subjecting workers to webcam monitoring violates privacy, Dutch court rules

Chetu, a Florida-headquartered company has been ordered to pay about €75,000 (around $73,000) in compensation and other fees after firing a Netherlands-based remote worker who refused to keep their webcam on all day.

The employee worked for the American firm for over a year and a half, but on 23 August 2021 he was ordered to take part in a virtual training period called a “Corrective Action Program.”

He was told that during the period he would have to remain logged in for the entire workday with screen-sharing turned on and his webcam activated.

The telemarketing worker replied, “I don’t feel comfortable being monitored for 9 hours a day by a camera.

This is an invasion of my privacy and makes me feel really uncomfortable.

That’s the reason why my camera isn’t on.

You can already monitor all activities on my laptop and I am sharing my screen.”

He was summarily fired on 26 August, for “refusal to work” and “insubordination.”

In a decision published last week, the court ruled that these were not sufficient reasons to dismiss the employee.

“There has been no evidence of a refusal to work,” the court’s decision reads (via Google Translate).

It added that “instruction to leave the camera on is contrary to the employee’s right to respect for his private life” and that the dismissal was not legally valid.

Specifically, the court cites Article 8 of the European Convention on Human Rights (ECHR), which grants citizens the “right to respect for private and family life.”

So what’s the upshot for you? Micro-management anyone? And despite the fine, this may have cost Chetu many times that in negative publicity.

Software developers the world over will be flocking to work for a company like this. -coughing sound-

CN: China Upgrades Great Firewall To Defeat Censor-Beating TLS Tools

Great Firewall Report (GFW), an organization that monitors and reports on China’s censorship efforts, has this week posted a pair of assessments indicating a crackdown on TLS encryption-based tools used to evade the Firewall.

The group’s latest post opens with the observation that starting on October 3, “more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC.”

Trojan is a tool that promises it can leap over the Great Firewall using TLS encryption.

Xray, V2ray and VLESS are VPN-like internet tunneling and privacy tools.

It’s unclear what the reference to gRPC describes – but it is probably a reference to using the gRPC Remote Procedure Call (RPC) framework to authenticate client connections to VPN servers.

GFW’s analysis of this incident is that "blocking is done by blocking the specific port that the circumvention services listen on.

When the user changes the blocked port to a non-blocked port and keep using the circumvention tools, the entire IP addresses may get blocked."

Interestingly, domain names used with these tools are not added to the Great Firewall’s DNS or SNI blacklists, and blocking seems to be automatic and dynamic.

“Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the TLS fingerprints of those circumvention tools,” the organization asserts.

An alternative circumvention tool, naiveproxy, appears not to be impacted by these changes.

So what’s the upshot for you? "It’s not hard to guess why China might have chosen this moment to upgrade the Great Firewall: the 20th National Congress of the Chinese Communist Party kicks off next week.

The event is a five-yearly set piece at which Xi Jinping is set to be granted an unprecedented third five-year term as president of China."

RU/US: Russian-Speaking Hackers Knock Multiple US Airport Websites Offline

More than a dozen public-facing U.S. airport websites, including those for some of the nation’s largest airports, appeared inaccessible Monday morning, and Russian-speaking hackers claimed responsibility.

No immediate signs of impact to actual air travel were reported, suggesting the issue may be an inconvenience for people seeking travel information.

“Obviously, we’re tracking that, and there’s no concern about operations being disrupted,” Kiersten Todt, Chief of Staff of the US Cybersecurity and Infrastructure Security Agency (CISA), said Monday at a security conference in Sea Island, Georgia.

The 14 websites include the one for Atlanta’s Hartsfield-Jackson International Airport.

An employee there told CNN there were no operational impacts.

The Los Angeles International Airport website was offline earlier but appeared to be restored shortly before 9 a.m. Eastern.

So what’s the upshot for you? This is just the news delay weary US travelers were waiting for: More delays…thanks RU.

US: Intel Confirms Alder Lake BIOS Source Code Leaked

From Tom’s Hardware: We recently broke the news that Intel’s Alder Lake BIOS source code had been leaked to 4chan and Github, with the 6GB file containing tools and code for building and optimizing BIOS/UEFI images.

We reported the leak within hours of the initial occurrence, so we didn’t yet have confirmation from Intel that the leak was genuine.

Intel has now issued a statement to Tom’s Hardware confirming the incident:

"Our proprietary UEFI code appears to have been leaked by a third party.

We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure.

This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program…"

The BIOS/UEFI of a computer initializes the hardware before the operating system has loaded, so among its many responsibilities, is establishing connections to certain security mechanisms, like the TPM (Trusted Platform Module).

Now that the BIOS/UEFI code is in the wild and Intel has confirmed it as legitimate, both nefarious actors and security researchers alike will undoubtedly probe it to search for potential backdoors and security vulnerabilities…

So what’s the upshot for you? Intel hasn’t confirmed who leaked the code or where and how it was exfiltrated.

However, we do know that the GitHub repository, now taken down but already replicated widely, was created by an apparent LC Future Center employee, a China-based ODM that manufactures laptops for several OEMs, including Lenovo.

Global: Canonical Launches New Free Tier for Its Security-Focused ‘Ubuntu Pro’

“Starting with the Ubuntu 16.04 edition and including the later LTS versions, Canonical will offer expanded security coverage for critical, high, and medium Common Vulnerabilities and Exposures (CVEs) to all of Ubuntu’s open-source applications and toolchains for ten years,” reports ZDNet.

“Yes, you read that right, you get security patches not just for the operating system, but for all of Ubuntu’s open-source applications for a decade.”

Most of these are server programs, such as Ansible, Apache Tomcat, Drupal, Nagios, Redis, and WordPress.

But, it also includes such developer essentials as Docker, Node.js, phpMyAdmin, Python 2, and Rust. Altogether, Canonical is supporting more than 23,000 packages.

Indeed, it’s now offering security for, as Mark Shuttleworth, Canonical’s CEO, said, “Security coverage to every single package in the Ubuntu distribution.”

Canonical isn’t doing this on its own.

It’s offering free, improved security in partnership with the security management company Tenable.

Robert Huber, Tenable Chief Security Officer, said, "Ubuntu Pro offers security patch assurance for a broad spectrum of open-source software.

Together, we give customers a foundation for trustworthy open source."

Beyond ordinary security, Canonical is backporting security fixes from newer application versions.

This enables Ubuntu Pro users to use the Ubuntu release of their choice for long-term security without forced upgrades.

Happy to keep using Ubuntu 20.04? No problem. You can run it until April 2030. Knock yourself out…

Users can obtain a free personal Ubuntu Pro subscription at Ubuntu Pro | Ubuntu for up to five machines.

This free tier is for personal and small-scale commercial use.

So what’s the upshot for you? Mark Shuttleworth, CEO of Ubuntu’s parent company Canonical, explains that Ubuntu “is now the world’s most widely used Linux…”

“What makes us most proud, though, is that we have found a way to make this available free of charge to anybody for their personal and for small-scale commercial use… full commercial
use for you, and any business you own, on up to five machines.”

Global: Chess, Fishing and Poker Cheat, Cheat Cheat.

First it was chess – now top-level US poker and match fishing have been dogged by their own claims of cheating.

A casino is investigating after one player stunned poker fans by making an audacious bet to win a huge pot.

Meanwhile, two fishermen have been accused of stuffing their catches with lead weights in order to win a tournament held on Lake Erie, Ohio.

And world chess officials are probing whether a teen talent cheated in face-to-face matches – something he denies.

A row erupted following a high-stakes game held at the Hustler Casino in Los Angeles on Thursday night.

Robbi Jade Lew stunned the table by appearing to successfully call a semi-bluff by her opponent Garrett Adelstein.

Lew called an all-in bet by her opponent, risking her chips with an underwhelming hand, apparently convinced her opponent was bluffing and scooping a pot that had grown to $269,000.

Pundits commentating during the live-streamed match expressed their incredulity at the gambit, while Adelstein gave his competitor an icy stare.

So what’s the upshot for you? If you haven’t seen the fishing cheat video, start with that. “How did they get all that stuff in the fish, you ask?” Watch the reaction of the guy who’s just been caught. Nothing

Then move on to the card game video. She gives away nothing. You win US$269K and no reaction?

JP: Toyota exposing way more of the driver than anyone expected…

Toyota Motor Corporation is warning that customers’ personal information may have been exposed after an access key was publicly available on GitHub for almost five years.

Toyota T-Connect is the automaker’s official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle’s infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more.

Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.

This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

On September 17, 2022, the database’s keys were changed, purging all potential access from unauthorized third parties.

The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren’t stored in the exposed database.

So what’s the upshot for you? Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused.

Global: How criminals are using jammers, deauthers to disrupt WiFi security cameras

A new warning is being issued for anyone who uses wireless security cameras like “Ring” to protect their home.

A Detroit woman said her Ring camera didn’t capture the moment her car was stolen from the front of her house, and one local expert said it’s because crooks are becoming more tech-savvy.

Earlier this month, the woman said her car was stolen from her driveway, and when she went to review her Ring camera footage, she realized hours were missing.

Chris Burns, the owner of Techie Gurus, said security cameras that use WiFi to record are more about convenience than security.

That’s because WiFi can easily be disrupted, with something called a “deauther” which can be as small as a wrist watch, jamming the Wifi connectivity, preventing the camera from capturing who is around your home, and criminals are catching on.

So what’s the upshot for you? For cameras especially, Wifi has its weaknesses and in this case we’d expect this trend is just starting.

Global: The iPhone 14 keeps calling 911 on rollercoasters

The iPhone 14’s new Crash Detection feature, which is supposed to alert authorities when it detects you’ve been in a car accident, has an unexpected side effect: it dials 911 on rollercoasters.

According to a report from The Wall Street Journal, the feature has had law enforcement sent to amusement parks on numerous occasions after mistaking a thrill ride’s twists, turns, and hard braking for a real emergency.

So what’s the upshot for you? Crash Detection is on by default.

You can turn off alerts and automatic emergency calls from Apple after a severe car crash in Settings > Emergency SOS, then turn off Call After Severe Crash.

If you have third-party apps registered to detect crashes on your device, they will still be notified, so maybe shut the whole phone off when you do the big rides!

And our quote of the week: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” - Edward Snowden


That’s it for this update. Stay safe, stay secure, turn the phone off for the Leviathan, and see you in se7en.