Overheating in the Hot Tub with the IT Privacy and Security Weekly Update for June 28th. 2022


For this update, we start with a bit of binge drinking and end up in hot water.

We jet from the NSA’s advice for Windows admins to T-Mobile’s new scheme to sell your data to advertisers.

We hit the impeller fizzling and bubbling once we discover the extent of different kinds of data China is collecting on its own population.

We get a soaking from a new piece of spyware turning up on phones that for once did not come from our friends at the NSO group.

And we ready the leak-sealant after learning about those “innocuous” little applications that too many parents “must’ put on their phones to get updates on their pre-schoolers.

This week’s whirlpool of an update is all good clean fun, so leave your water shoes by the door, and let’s jump in. This one is hot!

JP: Day drinker loses a city’s worth of data

A municipal worker who went on a day-long drinks bender managed to lose a USB stick containing personal information about the entire population of their city.

The lost storage device contained data including names, addresses, welfare details, and dates of birth pertaining to the city’s 460,000 residents.

The employee – who worked for a company tasked with rolling out a COVID relief program in Amagasaki in western Japan – lost a bag containing the USB stick during a day of copious drinking and eating.

And the happy ending to what could have been a very bad hangover? “The drive was both encrypted and password protected.”

Let’s just hope that the worker was as smart about his password and that his dog “GeeI’llHave4HelpingsOfSush!!” does not have to be renamed again.

So what’s the upshot for you? Three things to remember: Encrypt it, password protect it, and don’t drive if you have been drinking.

US: Daycare Apps Are Dangerously Insecure

Last year, several parents from the Electronic Frontier Foundation (EFF) (a nonprofit organization defending civil liberties in the digital world) enrolled kids into daycare and were instantly told to download an application for managing their children’s care.

Daycare and preschool applications frequently include notifications of feedings, diaper changes, pictures, activities, and which guardian picked up/dropped off the child—potentially useful features for overcoming separation anxiety of newly enrolled children and their anxious parents.

Working at a privacy-oriented organization as we do, we asked questions: Do we have to use these? Are they secure?

The answer to the former, unfortunately, was “yes,” partly so that the schools could abide by health guidelines to avoid unnecessary in-person contact.

But troublingly, the answer to the second was a resounding “no.”

As an ethical hacker, the thing I planned to do was disclose what I found and wait 90 days for a response (a common security industry practice). Even there, I hit roadblocks.

Beyond not finding a way to contact them on their websites, I discovered that researchers based in Germany released a paper in March 2022 identifying security and privacy problems with 42 early education and daycare management applications.

In addition to outlining the vulnerabilities, the paper also explained that the researchers did their due diligence by ethically reporting the issues and had almost no response from the companies.

That’s unacceptable.

So what’s the upshot for you? It should not take a technologist who happens to work at a digital privacy organization and a coworker who happens to be a lawyer on these same issues cold-emailing and working contacts to get a meeting.

IT: Italy’s data watchdog latest to warn over use of Google Analytics

Another strike against the use of Google Analytics in Europe: The Italian data protection authority has found a local web publisher’s use of the popular analytics tool to be non-compliant with EU data protection rules owing to user data being transferred to the U.S.

[T]he Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through GA [Google Analytics], also in consideration of the numerous reports and questions that are being received by the Office, and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data.

All these strikes against Google Analytics link back to a series of strategic complaints filed in August 2020 by the European privacy campaign group noyb — which targeted 101 websites with regional operators it had identified as sending data to the U.S. via Google Analytics and/or Facebook Connect integrations.

The complaints followed a landmark ruling by the bloc’s top court in July 2020 — which invalidated a data transfer agreement between the EU and the U.S., called Privacy Shield, and made it clear that DPAs have a duty to step in and suspend data flows to third countries where they suspect EU citizens’ information of being at risk.

So what’s the upshot for you? Protections applied by Google were not sufficient to address the risk, Italy’s DPA added, echoing the conclusion of several other EU DPAs who have also found the use of Google Analytics violates the bloc’s data protection rules over the data export issue. It has given the publisher in question (a company called Caffeina Media Srl) 90 days to fix the compliance violation.

But the decision has wider significance as it has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing in a press release: “The Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through Google Analytics, also in consideration of the numerous reports and questions that are being received by the Office, and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data.”

IT/KZ: Spyware vendor targets users in Italy and Kazakhstan

Google is warning of a sophisticated new spyware campaign that has seen malicious actors steal sensitive data from Android and iOS users in Italy and Kazakhstan.

Engadget reports: On Thursday, the company’s Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor based out of Italy.

On June 16th, security researchers at Lookout linked the firm to Hermit, a spyware program believed to have been first deployed in 2019 by Italian authorities as part of an anti-corruption operation.

Lookout describes RCS Labs as an NSO Group-like entity. The firm markets itself as a “lawful intercept” business and claims it only works with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, largely thanks to governments using the Pegasus spyware to target activists and journalists.

According to Google, Hermit can infect both Android and iOS devices. In some instances, the company’s researchers observed malicious actors work with their target’s internet service provider to disable their data connection. They would then send the target an SMS message with a prompt to download the linked software to restore their internet connection.

If that wasn’t an option, the bad actors attempted to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.

What makes Hermit particularly dangerous is that it can gain additional capabilities by downloading modules from a command and control server.

Some of the addons Lookout observed allowed the program to steal data from the target’s calendar and address book apps, as well as take pictures with their phone’s camera. One module even gave the spyware the capability to root an Android device. Google believes Hermit never made its way to the Play or App stores.

However, the company found evidence that bad actors were able to distribute the spyware on iOS by enrolling in Apple’s Developer Enterprise Program. Apple told The Verge that it has since blocked any accounts or certificates associated with the threat. Meanwhile, Google has notified affected users and rolled out an update to Google Play Protect.

So what’s the upshot for you? Like USB devices, you never can tell what will happen to spyware if it gets away from you.

RU/Global: Early Lessons about Russia from the Cyber War


Russia’s invasion of Ukraine is “the first full-scale battle in which traditional and cyberweapons have been used side by side,” reports the New York Times. But the biggest surprise is that “many of the attacks were thwarted, or there was enough redundancy built into the Ukrainian networks that the efforts did little damage… more than two-thirds of them failed, echoing its poor performance on the physical battlefield.”

Microsoft president Brad Smith says the ultimate result is Russia’s attempted cyberattacks get underreported. A study published by Microsoft last week indicated that Ukraine was well prepared to fend off cyberattacks, after having endured them for many years. That was at least in part because of a well-established system of warnings from private-sector companies, including Microsoft and Google, and preparations that included moving much of Ukraine’s most important systems to the cloud, onto servers outside Ukraine…

In many instances, Russia coordinated its use of cyberweapons with conventional attacks, including taking down the computer network of a nuclear power plant before moving in its troops to take it over. Microsoft officials declined to identify which plant was being referred to.

While much of Russia’s cyber activity has focused on Ukraine, Microsoft has detected 128 network intrusions in 42 countries. Of the 29 percent of Russian attacks that have successfully penetrated a network, Microsoft concluded, only a quarter of those resulted in data being stolen.

Outside Ukraine, Russia has concentrated its attacks on the United States, Poland, and two aspiring members of NATO, Sweden, and Finland…

But Microsoft, other technology companies, and government officials have said that Russia has paired those infiltration attempts with a broad effort to deliver propaganda around the world.

Microsoft tracked the growth in consumption of Russian propaganda in the United States in the first weeks of the year. It peaked at 82 percent right before the Feb. 24 invasion of Ukraine, with 60 million to 80 million monthly page views. That figure, Microsoft said, rivaled page views on the biggest traditional media sites in the United States.

So what’s the upshot for you? Examples cited were that of Russian propaganda inside Russia pushing its citizens to get vaccinated, while its English-language messaging spread anti-vaccine content.

Microsoft also tracked the rise in Russian propaganda in Canada in the weeks before a trucker convoy protesting vaccine mandates tried to shut down Ottawa, and that in New Zealand before protests there against public health measures meant to fight the pandemic.

CN: China’s expanding surveillance allows the state to tighten its grip

“China’s ambition to collect a staggering amount of personal data from everyday citizens is more expansive than previously known,” reports the New York Times, after their Visual Investigations team with reporters in Asia “spent more than a year analyzing more than 100,000 government bidding documents.”

The Chinese government’s goal is clear: designing a system to maximize what the state can find out about a person’s identity, activities, and social connections… The Times analysis found that the police strategically chose locations to maximize the amount of data their facial recognition cameras could collect… The police also wanted to install facial recognition cameras inside private spaces, like residential buildings, markets, karaoke lounges, and hotels.

In the police’s own words, the strategy to upgrade their video surveillance system was to achieve the ultimate goal of “controlling and managing people.”

Authorities are using phone trackers to link people’s digital lives to their physical movements.

Devices known as Wi-Fi sniffers and IMSI catchers can glean information from phones in their vicinity, which allows the police to track a target’s movements…

In a 2017 bidding document from Beijing, the police wrote that they wanted the trackers to collect phone owners’ usernames on popular Chinese social media apps… As of today, all 31 of mainland China’s provinces and regions use phone trackers.

DNA, iris scan samples, and voice prints are being collected indiscriminately from people with no connection to the crime. The police in China are starting to collect voice prints using sound recorders attached to their facial recognition cameras.

In the southeast city of Zhongshan, the police wrote in a bidding document that they wanted devices that could record audio from at least a 300-foot radius around cameras. The software would then analyze the voice prints and add them to a database. Police boasted that when combined with facial analysis, they could help pinpoint suspects faster.

The article suggests that more than half the world’s 1 billion surveillance cameras are already in China — but there’s more information to be gathered.

One of China’s largest surveillance contractors also pitched software that to the government displays a person’s “movements, clothing, vehicles, mobile device information, and social connections. The Times investigation found that this product was already being used by Chinese police.”

So what’s the upshot for you? The Times has created a separate video summarizing the results of their investigation. Find the link in the show transcript.

CN:As China shuts out the world, internet access from abroad gets harder too

One of the most sweeping surveillance states in the world, China has all but closed its borders since the start of the pandemic, accelerating a political turn inward as nationalism is on the rise and foreign ties are treated with suspicion.

A harsh zero-COVID policy has contributed to the attrition of foreign residents, particularly after a long and bitter lockdown this spring in Shanghai, China’s largest and most international city.

At the same time, academics and researchers have complained that the digital window into China seems to be constricting too. That compounds a growing concern for China experts locked out of the country amid deteriorating relations with the West.

A tightening of internet access means observers will struggle to decipher what internal pressures China’s leader Xi Jinping may be facing and how to keep track of Beijing’s diplomatic, technological and military ambitions.

“Describing to a newspaper the workarounds to access blocked Chinese sites ensures that the workarounds will be blocked, too,” one U.S. academic researcher wrote via email. “The only thing I can add, without cutting short my own career, is another common-sense measure, namely, scrape and cache whatever one discovers the first time around.”

“Sometimes you see the perfect piece of information that you need and then suddenly it’s gone. You almost have to start from scratch every single time.”

So what’s the upshot for you? “Sometimes it feels like a bad sci-fi movie. The type of research that we used to do is not going to be possible moving forward in the next few years.”

CN: Chinese influence operation aimed to protect Beijing’s stake in rare earth mining, research finds

Since June 2019, Mandiant has reported to customers on an influence campaign known as DRAGONBRIDGE, comprising a network of thousands of inauthentic accounts across numerous social media platforms, websites, and forums that have promoted various narratives in support of the political interests of the People’s Republic of China (PRC).

We have since observed multiple shifts in DRAGONBRIDGE tactics, and in September 2021, we reported on an expansion of this campaign’s activity.

Recently, we identified and investigated a subset of information operations activity we attribute to the DRAGONBRIDGE campaign across social media that targeted the Australian rare earths mining company, Lynas Rare Earths Ltd, with content criticizing its alleged environmental record and calling for protests of its planned construction of a rare earths processing facility in Texas.

Subsequently, in June, we observed additional DRAGONBRIDGE activity begin to target the Canadian rare earths mining company Appia Rare Earths & Uranium Corp and the American rare earths manufacturing company USA Rare Earth with negative messaging in response to potential or planned rare earths production activities involving those companies.

So what’s the upshot for you? Make sure your decisions are your own and that you understand the politics behind every argument posed.

US: The NSA takes a stand on Powershell for Windows. You should use it.

Let’s start with the Conclusion:

PowerShell is essential to secure the Windows operating system, especially since newer versions have resolved previous limitations and concerns through updates and enhancements.

Removing or improperly restricting PowerShell would prevent administrators and defenders from utilizing PowerShell to assist with system maintenance, forensics, automation, and security.

PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.

So what’s the upshot for you? CISA and the NSA give solid advice for configuration, securitization, and monitoring … the most important parts to get right after your upgrade to version 7.2.

***Global: Linux Kernel Signature Verification Code Adds FIPS Compliance ***


Phoronix reports a new change was merged into the soon-to-be-released Linux 5.19 on Tuesday, making the kernel’s signature verification code compliant with the Federal Information Processing Standards known as FIPS:

FIPS are public standards via the National Institute of Standards and Technology used by U.S. government agencies and contractors in the areas of computer security and interoperability…

Known-answer self-tests are required for FIPS compliance at startup/reboot, but the Linux kernel’s signature verification code has been lacking such tests.

The signature checking code is used for module signing, Kexec, and other functionality.

With Linux 5.19 there will now be some basic self-tests at start.

So what’s the upshot for you? The tests will make their debut in Linux 5.19-rc4.

Global: T-Mobile has started selling your app data to advertisers

T-Mobile has just officially launched its new ad platform, known as T-Mobile Advertising Solutions.

That innocuous name hides a rather sketchy business model – it aggregates your mobile application usage and sells it to advertisers.

The specifics of the program will sound familiar to anyone who has followed the ebb and flow of browser tracking.

T-Mobile uses network-level tools to track the apps that people use on their phones, and it then anonymizes and aggregates that data to lump you into various “personas,” or “cohorts” as other platforms would call it.

For example, if you regularly use Expensify and airline apps on your phone, T-Mobile could identify you as a business traveler for advertising purposes.

This program has been in testing for the past year as “T-Mobile Marketing Solutions,” but it is now live with its new name.

There is some good news (but less of it for Android fans).

T-Mobile does not currently collect app data on iOS users, fearing it could run afoul of Apple’s privacy rules.

But we Android users are fair game, apparently.

You can opt-out of T-Mobile’s program using its official “Magenta Marketing Platform Choices” app.

Alternatively, the Digital Advertising Alliance offers an app that lets you opt-out of numerous trackers, including T-Mobile Advertising Solutions, which is listed under its old name of T-Mobile Marketing Solutions.

So what’s the upshot for you? One comment on the AppChoices app use: "Way more work than expected. It’s like a 2nd job almost to keep your opt-out options locked in and up to date.

…Not to mention what it does to your battery, so you’re just adding another app, using more memory, running in the background that you have to constantly check like it’s your email If you want your personal information kept private…”

US: Mark Zuckerberg may be more Interested in the Metaverse Than Election Integrity

Zuckerberg has been public with his desire to transform Meta – formerly known as Facebook – into a metaverse company, plowing billions of dollars into developing metaverse technology.

The New York Times reports Meta’s core election team has shrunk significantly since 2020. With the US midterms approaching, a reduced election team at Meta could mean less enforcement against misinformation.

Whereas it used to comprise over 300 people, now 60 people spend their time focused on election security and some additional employees divide their time between elections and other projects, sources told The Times.

So what’s the upshot for you? “Nick Clegg, former Deputy Prime Minister of the United Kingdom, has led this work for the company for many years, which is why Mark promoted him earlier this year to President, Global Affairs so he can continue leading on the most complex issues we face, including protecting elections,” a spokesperson said.

Facebook placed heavy emphasis on election integrity on its platforms in the run-up to the 2020 election, with two top executives getting 110% bonuses in 2021 in part due to their “election integrity efforts in connection with the U.S. 2020 elections.”

The company is still haunted by the 2016 presidential election after it was found that Russian state operatives had used the platform to attempt to manipulate the election.

Global: Oh No! Honey, they Hacked the Hot Tub!

Security researcher Eaton Zveare found vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to the personal data of every hot tub owner. Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app.

Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights. But this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names, email addresses, and the temperature of their hot tub!

It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

“The main concern is their name and email being leaked,” Eaton told TechCrunch, adding that attackers could also potentially heat up someone else’s hot tub and change the filtration cycles. “That would make things unpleasant the next time the person checked their tub.”

Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0 and found that the login page returned an “unauthorized” error.

But for the briefest moment, Eaton saw the full admin panel populated with user data flash on his screen.

green towel

So what’s the upshot for you? For some, this hot tub hack will hit like an overheated tsunami.

And our quote of the week this week comes from William M. Kelly: "people are slow, sloppy and brilliant thinkers; machines are fast, accurate and stupid.”

That’s it for this week. Stay safe, stay, secure, try to chill, and see you in se7en.