One Year On and the IT Privacy and Security Weekly Update for September 21 2021 Goes to the Dogs


This week we start our podcast's one-year anniversary edition with the sweet sound of violins lilting across the Tuscan hillsides and end in New Jersey to the sounds of barking dogs.

Ah, but between those two audible notes, we travel to Spain, France, Ireland, and the UK before moving on to Thailand and circling across to Russia and the US.

Get your vaccine certificates out, your passports in hand, your RayBans ready, and put your dog on a leash because this is one anniversary bash that you are not going to want to miss.

OK, on your marks, get set! Got the dog? Let’s Par-tay!

IT: Study confirms superior sound of a Stradivari is due to the varnish

Along with Andrea Amati and Andrea Guarneri, Antonio Stradivari dominated the so-called Golden Age of Violins (roughly 1660 to 1750), and the instruments they crafted remain the gold standard today in terms of acoustic quality.

A recent paper published in the journal Angewandte Chemie confirms a theory dating back to 2006: the secret lies in the chemicals used to soak the wood, most notably borax, zinc, copper, alum, and lime water.

The varnish theory dates back to 2006, when Joseph Nagyvary, a professor emeritus of biochemistry at Texas A&M University, made headlines with a paper in Nature claiming that it was the chemicals used to treat the wood—not necessarily the wood itself—that was responsible for the unique sound of a Stradivarius violin.

Specifically, it was salts of copper, iron, and chromium, all of which are excellent wood preservers but may also have altered the instruments’ acoustical properties. He based his findings on studies using infrared and nuclear magnetic resonance spectroscopy to study the chemical properties of the backboards of several violins (the backboard is the instrument’s largest resonant component).

“This new study reveals that Stradivari and Guarneri had their own individual proprietary method of wood processing, to which they could have attributed a considerable significance. They could have come to realize that the special salts they used for impregnation of the wood also imparted to it some beneficial mechanical strength and acoustical advantages. These methods were kept secret. There were no patents in those times. How the wood was manipulated with chemicals was impossible to guess by the visual inspection of the finished product.”

So what’s the upshot for you? Although this detail was kept private for centuries, uncovering it helps preserve the culture and creativity of the past. In this rare case, we condone the exposure of someone else’s secrets.

ES/IT: 106 arrests as police dismantle Mafia-linked online crime gang

Police claim that they have dismantled an organized crime group with links to the Italian Mafia, involved in online fraud, money laundering, drug trafficking, and property crime. Police forces in Spain and Italy, assisted by Europol, arrested most of the alleged criminals last week on the Spanish island of Tenerife, as part of an operation dubbed “Fontana Almabahia”.

16 houses were searched in a series of raids in the Spanish Canary Islands, especially Santa Cruz de Tenerife, as well as Turin and Isernia in Italy. Some 118 bank accounts were frozen by the authorities, as computers and other electronic devices, hundreds of credit cards, SIM cards, and point-of-sale terminals were seized by investigators. A press release from Europol estimates that the gang’s activities illegally netted more than €10 million in profit last year alone.

Hundreds of victims are alleged to have been defrauded through phishing, SIM-swapping, and business email compromise (BEC) attacks orchestrated by the gang, with the illegally obtained proceeds of the crime laundered through “a wide network of money mules and shell companies.” From their base in Tenerife, the suspects are alleged to have tricked their victims into sending large amounts of money into bank accounts controlled by the gang. Victims are Italian, English, German and Irish.
The group allegedly used phishing attacks to defraud hundreds of victims.

So what’s the upshot for you? With $4 billion in Internet-based crime last year, you have to imagine that the Mafia is involved in there somewhere. Well, here are a few of them…

FR: Children born in 2010 have become targets for cyberbullying

The online cyberbullying of French children born in 2010 has prompted anger from the country’s education minister. Jean-Michel Blanquer has asked the heads of schools to “reinforce vigilance” against harassment, threats, and insults.

A number of online posts using the bizarre hashtag #anti2010 were targeted at French sixth-grade students this week. Some students born in 2010 will have started secondary school for the first time this autumn. The hashtag #anti2010 had more than 40 million views on TikTok before it was removed.

“The warm welcome of sixth-grade students – and their successful integration thanks to the goodwill of their peers and adults – is an essential issue in school life at the college,” Blanquer said in a letter on Thursday evening.

So what’s the upshot for you? And, as is typical… “None of the 70 heads of schools who met at a national conference last week had heard anything about any of this…”

IE: Oooh Already blurred Vision for those Facebook RayBans

Ireland’s Data Protection Commission (DPC), which regulates Facebook in Europe, has expressed concerns about Facebook’s recently-launched Facebook View smart glasses.

Produced in conjunction with Ray-Ban, the glasses allow users to take a picture or a video clip of up to 30 seconds by either pressing a button or using a voice command. A small light on the glasses is turned on when a recording is being made.

However, the Data Protection Commission is concerned that this indicator light is insufficient to alert others that recording is taking place. “While it is accepted that many devices including smartphones can record third party individuals, it is generally the case that the camera or the phone is visible as the device by which recording is happening, thereby putting those captured in the recordings on notice. With the glasses, there is a very small indicator light that comes on when recording is occurring.”

So what’s the upshot for you? The Data Protection Commission has asked Facebook to run an information campaign to alert the public as to how this new consumer product may give rise to less obvious recording of their images. We say the picture quality is so poor no one would recognize you anyway…

UK: An example of how using CC instead of BCC can get people killed

The email was sent to Afghan interpreters by the team in charge of the UK’s Afghan Relocations and Assistance Policy (Arap), which has been in contact with them since the Taliban took control of the country last month.

The team told the interpreters it was doing everything it could to help relocate them.

It also said they should not put themselves or their families at risk if it was not safe for them to leave their current location.

But one interpreter who received the email realized that more than 250 Afghans who worked with British forces had been copied into the email. “This mistake could cost the life of interpreters, especially for those who are still in Afghanistan. Some of the interpreters didn’t notice the mistake and they replied to all the emails already and they explained their situation which is very dangerous. The email contains their profile pictures and contact details.”

Labour shadow defense secretary John Healey said the data breach had “needlessly put lives at risk” and called on the government to urgently step up efforts to get the interpreters to the UK.

So what’s the upshot for you? This is a particularly sad case demonstrating the improper use of carbon copy (CC) where blind carbon copy (BCC) was required: every recipient could see, and reply to, every other recipient.
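Added here as an illustration, not code from the original post: a small Python helper for one-to-many notices that carries the recipient list only in the SMTP envelope (the mechanism behind BCC), together with a pre-send guard that flags a message whose To/Cc headers would expose the whole list. The addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder recipients (the .invalid TLD never resolves).
RECIPIENTS = ["alpha@example.invalid", "bravo@example.invalid", "charlie@example.invalid"]


def build_notice(sender, recipients, subject, body):
    """Build a one-to-many notice whose recipients never appear in a header.

    The recipients are returned separately as the SMTP envelope list
    (RCPT TO), which is exactly what a mail client's BCC field becomes.
    The only visible address in the message is the sender's own.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # "undisclosed recipients" style: show only ourselves
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no Bcc header: a Bcc header that is not stripped before
    # sending leaks the list just as CC does.
    return msg, list(recipients)


def build_leaky_notice(sender, recipients, subject, body):
    """The Arap-style mistake: everyone copied in a visible Cc header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses every recipient will see: To, Cc and any stray Bcc header."""
    headers = [v for name in ("To", "Cc", "Bcc") for v in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(headers)]


def safe_to_send(msg, max_visible=1):
    """Guard to run before handing the message to smtplib: refuse a mass
    mailing whose recipient list is visible to everyone on it."""
    return len(visible_recipients(msg)) <= max_visible
```

Delivery would then be `smtplib.SMTP(...).send_message(msg, to_addrs=recipients)` only after `safe_to_send(msg)` returns True.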

TH: Thai data goes Bye-Bye

More than 106 million travelers to Thailand had their personal details exposed online in August in an unsecured database. The database contained information dating back to 2011.

The Southeast Asian nation is a popular tourist destination, drawing nearly 40 million visitors in 2019 before the pandemic shuttered borders and seized up global travel.

“Any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident including their name, passport number, and residency status,” said Bob Diachenko of British firm Comparitech.

Thai authorities were informed on August 22 and secured the data the following day. “However we do not know how long the data was exposed prior to being indexed,” said the report.

While Thais are largely internet-savvy, their government may be less so. In June a government website for foreigners to sign up for a coronavirus vaccine exposed the names and passport numbers of prospective recipients.

So what’s the upshot for you? As vacationers were stripping down to their bathing suits, things that should have stayed private were being exposed.

US: Slapped hard by a major player, Alaska gives up the goods

Last week, Alaska’s Department of Health and Social Services disclosed a security breach apparently made by a sophisticated nation state-level attacker.

September 16, 2021, ANCHORAGE – The Alaska Department of Health and Social Services is notifying the public today of a security breach of the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA). This breach was caused by a highly sophisticated cyberattack on the Department of Health and Social Services that was first detected in May 2021.

Notification of this security breach was delayed until now to avoid interference with a criminal investigation. The information that may have been exposed includes:
• Full names
• Dates of birth
• Social Security numbers
• Addresses
• Telephone numbers
• Driver’s license numbers
• Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
• Health information
• Financial information
• Historical information concerning a person’s interaction with the Department of Health and Social Services

The Department of Health and Social Services disclosed that infosec firm Mandiant completed its initial investigation and concluded that the intrusion was a direct, sophisticated attack rather than a simple drive-by ransomware infestation. “The type of group behind this disruptive attack is a very serious operation with advanced capabilities.”

So what’s the upshot for you? We have to start assuming that if we give up sensitive data it will be lost or stolen, but it is unusual to see a nation-state attacking a place like Alaska.

RU/US: Down on the Farm

A ransomware group believed to be the latest incarnation of the infamous DarkSide cybergang is being blamed for taking out a farmers’ cooperative online network, with extortionists demanding $5.9 million in ransom.

The group BlackMatter is credited for the attack on an Iowa collective of farmers called NEW Cooperative. The incident occurred over the weekend, locking up computer systems. Threat actors behind the attack are demanding a $5.9 million ransom to provide a decryptor, which will increase to $11.9 million if not paid in five days, according to reports.

The Iowa-based organization is a feed and grain cooperative, with 50 locations. It provides a variety of digital and software services to its network of farmers. As a result of the attack, it had to shut down its operations.

“Your website says you do not attack critical infrastructure. We are critical infrastructure… intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain.”

So what’s the upshot for you? One thing you learn in life: Don’t mess with farmers, don’t ever mess with farmers.

Global: Gates predicts the Death of the Password (Note the date)

“Traditional password-based security is headed for extinction, says Microsoft’s chairman, because it cannot “meet the challenge” of keeping critical information secure.”

Feb. 25, 2004 1:27 p.m. PT. Bill Gates, speaking at the RSA Security conference here on Tuesday, said: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

Yesterday: A new feature from Microsoft, which will be rolled out to consumers over the next few weeks, will enable users to choose to simply remove the password from their Microsoft account. Instead, they will be authenticated using the Microsoft Authenticator app, or Windows Hello biometric authentication, or a security key, or with a verification code sent to their phone or email address.

So what’s the upshot for you? After years of longer, more complex passwords: with upper and lower case letters, numbers, special characters, all typed in while standing on one leg, the explosion of apps and services requiring creating, changing, and resetting passwords have made us all weary. Maybe this is a step in the right direction.

Global: The Apple rumors were wrong

For many who follow tech news closely, Apple’s event last Tuesday had a few big surprises — not because there were completely unexpected announcements, but because we didn’t see things we really thought we’d be getting. Rumors that had enough smoke to be almost a sure-fire thing in previous years ended up falling flat.

For example:

The Apple Watch was rumored to get a complete redesign, featuring flat edges and a flat-screen. We saw this design in renders, reportedly leaked CAD files (which act as a 3D blueprint for products), and even heard that it’d be happening from noted Apple reporter Mark Gurman two days before the event. While the Apple Watch that showed up on stage does have some design tweaks, it looks nothing like what we were expecting.
Another notable analyst, Ming-Chi Kuo, also reported days before the event that Apple would debut a new set of AirPods, redesigned to include shorter stems. The wireless earbud redesign has also been rumored for months by Gurman, we’ve even seen alleged pictures of them, and some noted publications wrote that Apple was set to start production on the buds in August. With this rumor, though, it’s possible that just the timing was off, and that Apple will release them at an (of course!) already-rumored future event.

Gurman also suggested that the iPhone 13 could feature an always-on display, thanks to the (accurately rumored) LTPO display that could theoretically allow for the low refresh rate needed to make always-on not destroy the phone’s battery. The always-on rumor was also backed up by well-known leaker Max Weinbach earlier this year. Alas, Apple didn’t announce this display feature that has been a staple on Android phones for years.

So what’s the upshot for you? We were disappointed. We are not surprised others felt the same way.

US: Court Ruling Gives Dog Owners Less Privacy Than Their Dogs

From Michael Zukrow and Court Ruling Gives Dog Owners Less Privacy Than Their Dogs

A lawsuit filed against a New Jersey city for refusing to turn over dog license data to a business owner for marketing has resulted in a strange state Supreme Court ruling that seemingly provides greater privacy rights to dogs than their human counterparts, privacy groups say.

In 2001 the state of New Jersey passed the Open Public Records Act, allowing anyone to fill out a form and receive certain government documents within seven business days. The goal of the law was to give state residents more transparent insight into the working of government, with an eye on limiting potential corruption.

Instead, there has been a growing rise in complaints that companies are exploiting the law to harvest citizen data for marketing purposes.

This week the New Jersey Supreme Court ruled in favor of handing over the names and addresses of dog owners in the city, but declared that turning over the names and breeds of the dogs would be taking things too far.

The court ruled that disclosing breed information would be a problem, “given the high value of certain purebred dogs.” It also declared that dog names should not be disclosed “given that many people use the names of their beloved pets as passwords or answers to important security questions.”

So what’s the upshot for you? Privacy group EPIC argued that New Jersey should follow federal guidelines on privacy, and not be disclosing citizen data “when the only justification for disclosure was commercial interest in selling dog paraphernalia.” We agree and ask has New Jersey gone barking mad?

That’s it for this week!

Thanks for being a brilliant audience to our first year of 52 podcast episodes and we look forward to serving up many more to come.

Be kind, stay safe, stay secure and see you in se7en!
