Privacy and Security related news for the week ending 2020 07 14


In this issue we have 5 tips for tax day (yes, tomorrow in the US), an update on TikTok, insight into the super secretive US non-profit Mitre and the announcement of a new database from the Electronic Frontier Foundation that will let readers in the US drill down to see what surveillance mechanisms are being used by the police in their own town.

We finish out the news with a great article from Forbes about why you might want to be a little less trusting of those glowing product reviews on Amazon.


IL: Researchers Unmask Video Conferencing Users from Images

P. Muncaster: A team from Ben-Gurion University (BGU) of the Negev used image processing and face recognition tools together with social network analysis to process 15,700 collage images and more than 142,000 face images of meeting participants, taken from Zoom, Microsoft Teams and Google Meet.

AI-based image processing algorithms allowed them to identify the same individuals’ participation at different meetings, either via facial recognition or analyzing features in the background.

According to BGU, they were able to detect faces 80% of the time, as well as gender and approximate ages.

Web-based text recognition libraries available free-of-charge allowed the researchers to work out almost two-thirds of usernames from screenshots. Images can be cross-referenced with social media data to raise further potential security and privacy risks, BGU claimed.

The researchers were able to unmask individuals as well as networks of colleagues, highlighting the risk to corporate users as well as consumers.

“The findings in our paper indicate that it is relatively easy to collect thousands of publicly available images of video conference meetings and extract personal information about the participants, including their face images, age, gender and full names,” said Michael Fire of the BGU Department of Software and Information Systems Engineering (SISE).

“This type of extracted data can vastly and easily jeopardize people’s security and privacy, affecting adults as well as young children and the elderly.”

BGU urged individuals and companies not to post video conference images or videos online and to use generic pseudonyms rather than unique usernames or real names on such platforms. A virtual background is also a better choice as real backgrounds can help “fingerprint” user accounts across multiple meetings, it added.


A hacker is selling details of 142 million MGM hotel guests on the dark web

The MGM Resorts data breach of summer 2019 turned out to be far larger than initially reported: more than 142 million hotel guests were affected, not the 10.6 million disclosed last February.

The new figure comes from an advertisement on a dark web cybercrime marketplace in which the hacker offers the details of 142,479,937 MGM hotel guests for $2,939.76.

Customer names, postal addresses, email addresses, dates of birth and phone numbers are all included. Unconfirmed reports put the number of compromised guests as high as 200 million. MGM says it has notified all affected guests.


US: The Electronic Frontier Foundation (EFF)’s new database reveals what tech local police are using to spy on you

By Charlie Osborne: Launched on Monday in partnership with the University of Nevada’s Reynolds School of Journalism, the “Atlas of Surveillance” is described as the “largest-ever collection of searchable data on police use of surveillance technologies.”

The civil rights and privacy organization says the database was developed to help the general public learn about the accelerating adoption and use of surveillance technologies by law enforcement agencies.

The map pulls together thousands of data points from over 3,000 police departments across the United States. Users can zoom in to different locations and find summaries of what technologies are in use, by what department, and track how adoption is spreading geographically.

Atlas of Surveillance also highlights specific technologies including body-worn cameras, drones, automated license plate readers, facial recognition, Ring partnerships, and predictive policing, in which data is used to ‘predict’ where and how crimes are likely to take place.

It is also possible to directly search the data to investigate local police departments, including what has been adopted in your area and any surveillance-related grants or awards they have received in the past.

“Atlas of Surveillance documents the alarming increase in the use of unchecked high-tech tools that collect biometric records, photos, and videos of people in their communities, locate and track them via their cell phones, and purport to predict where crimes will be committed,” the EFF says.

“The prevalence of surveillance technologies in our society provides many challenges related to privacy and freedom of expression, but it’s one thing to know that in theory, and another to see hard data laid out on a map,” Reynolds School Professor and Director of the Center for Advanced Media Studies Gi Yun commented.


Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans

Ionut Arghire: Currently, SSL/TLS certificates have a maximum lifespan of 825 days, but, in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

Apple was the first to make a move in this direction, by announcing earlier this year that, starting September 1, 2020, TLS server certificates should have a validity period of up to 398 days.

“This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change,” Apple said.

Last month, it was revealed that Google too will impose the limit in Chrome, also starting September 1, 2020. The company will reject certificates that violate the policy.

Now Mozilla says it too will join, explaining that the shorter lifetime brings concrete security and privacy benefits: certificates that use outdated or weak algorithms are phased out faster, the window in which a compromised or mis-issued certificate can be abused shrinks, and domain control and organisation details have to be revalidated more often, which mitigates certain impersonation attacks.
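The rule the three browsers now share is simple enough to check yourself. The following is an added example (not from the article or from any browser's source): it takes a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, computes the validity period from `notBefore`/`notAfter`, and decides whether the 398-day limit applies (issued on or after 1 September 2020) and is met. The three sample certificates are constructed, with only the date fields filled in; `peer_cert()` is there for use against a live host and is not run offline.

```python
# Added example: check a TLS server certificate's validity period against the
# 398-day limit that Apple, Google and Mozilla apply to certificates issued on
# or after 1 September 2020. Standard library only.
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)


def lifetime_days(not_before, not_after):
    """Validity period in days, from the 'Mon DD HH:MM:SS YYYY GMT' strings that
    getpeercert() returns in its notBefore / notAfter fields."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) / 86400


def check_lifetime(cert):
    """cert: dict in the shape returned by getpeercert() (binary_form=False).
    Returns whether the rule applies to this certificate and whether it passes."""
    days = lifetime_days(cert["notBefore"], cert["notAfter"])
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                    tz=timezone.utc)
    in_scope = issued >= POLICY_START      # earlier certificates are grandfathered
    compliant = days <= MAX_LIFETIME_DAYS
    return {
        "days": days,
        "in_scope": in_scope,
        # A browser following the policy rejects only in-scope, over-long certificates.
        "accepted": compliant or not in_scope,
    }


def peer_cert(host, port=443, timeout=5):
    """Fetch a live host's leaf certificate (real TLS handshake; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates; only the date fields matter for this check.
SAMPLE_OK = {"notBefore": "Sep  1 00:00:00 2020 GMT",
             "notAfter": "Oct  4 00:00:00 2021 GMT"}        # exactly 398 days
SAMPLE_TOO_LONG = {"notBefore": "Sep  1 00:00:00 2020 GMT",
                   "notAfter": "Nov 30 00:00:00 2022 GMT"}  # 820 days, in scope
SAMPLE_LEGACY = {"notBefore": "Mar  1 00:00:00 2020 GMT",
                 "notAfter": "Jun  3 00:00:00 2022 GMT"}    # 824 days, issued pre-policy

if __name__ == "__main__":
    for name, cert in [("ok", SAMPLE_OK), ("too_long", SAMPLE_TOO_LONG),
                       ("legacy", SAMPLE_LEGACY)]:
        print(name, check_lifetime(cert))
```

Two practical notes: Apple counts the period from `notBefore` to `notAfter` and recommends issuing at 397 days to stay clear of rounding at the boundary, and a certificate that fails this check is rejected by the browser regardless of what the CA/Browser Forum baseline requirements say, so the browser rule is the one to test against.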


Google Moves to Secure the Cloud From Itself

Confidential VMs let Google Cloud customers keep data encrypted even while it is being actively processed.

Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat and others last year announced the launch of the Confidential Computing Consortium, an organization of the Linux Foundation whose goal is to improve the security of data in use.

Google today unveiled the first product in its Google Cloud Confidential Computing portfolio: Confidential VMs. Currently in beta for Google Compute Engine, Confidential VMs are designed to help organizations, particularly ones in regulated industries, protect sensitive data by providing memory encryption capabilities that can be leveraged to isolate cloud workloads.

The tech giant says it has been focusing on making confidential computing easy and accessible since the launch of its Asylo open source framework in 2018, and with the launch of Confidential VMs it believes it has achieved this goal.

Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature in 2nd Gen AMD EPYC processors to ensure that sensitive data remains encrypted at all times, including while it’s used, queried or indexed.

Google Cloud Confidential Computing builds on the protections provided by Shielded VM, a hardened virtual machine instance that ensures a verified boot-loader and kernel run on startup, providing protection against malicious guest OS firmware, boot and kernel vulnerabilities, and malicious insiders.

“Confidential Computing can unlock computing scenarios that have previously not been possible. Organizations will now be able to share confidential data sets and collaborate on research in the cloud, all while preserving confidentiality,” Google explained.

The company noted that Google Cloud Platform users can easily move their current workloads to a Confidential VM, simply by ticking a checkbox and ponying up the add-on charge.

With Confidential VMs turned on, guest memory is decrypted only inside the processor; to everyone else, including Google, it remains ciphertext, because the per-VM encryption keys are generated and held by the AMD Secure Processor on the chip and are never exposed to the hypervisor. One caveat a practitioner should keep in mind: first-generation SEV encrypts guest memory but does not protect its integrity, which is what AMD’s later SEV-ES (encrypted register state) and SEV-SNP (memory integrity) extensions are designed to add.


US: Continued rumblings of ‘strong actions’ on TikTok anger China

AFP: The research firm eMarketer estimates TikTok has more than 52 million US users, having gained about 12 million since the outbreak of the coronavirus pandemic. TikTok is especially popular with young smartphone users.

In an interview Sunday, White House trade advisor Peter Navarro argued that “what the American people have to understand is all of the data that goes into those mobile apps that kids have so much fun with… goes right to servers in China, right to the Chinese military, the Chinese Communist Party.”

Navarro also accused TikTok’s new boss Kevin Mayer, former head of Disney’s streaming platforms, of being a puppet.

Democratic campaign teams for the US presidential election have already been asked to avoid using TikTok on personal devices and, if they do, to keep it on a non-work phone.


Amazon Says Email to Employees Banning TikTok Was a Mistake

AP: Roughly five hours after an internal email went out Friday to Amazon employees telling them to delete the popular video app TikTok from their phones, the online retailing giant appeared to backtrack, calling the ban a mistake.

“This morning’s email to some of our employees was sent in error,” Amazon emailed reporters just before 5 p.m. Eastern time. “There is no change to our policies right now with regard to TikTok.”

Company spokeswoman Jaci Anderson declined to answer questions about what caused the confounding turnaround or error.

The initial internal email, which was disseminated widely online, told employees to delete TikTok, a video app increasingly popular with young people but also the focus of intensifying national-security and geopolitical concerns because of its Chinese ownership. The email cited the app’s “security risks.”


US: 5 Ways to Stay Safe on Tax Day

Tom Kellermann: July 15, tomorrow, is tax day in the US.

  1. Always use a secure browser. Any time you enter sensitive information such as a Social Security number, and especially when filing, use a secure, up-to-date browser. Whatever you choose, make sure it is updated to the latest version.

  2. Never use public Wi-Fi. You should always follow this tip, but especially when filing taxes. Attackers set up fake networks or snoop on the traffic of legitimate ones to steal sensitive data, so don’t file your taxes while working at the local coffee shop.

  3. Set up two router networks. Many people don’t realize that most Wi-Fi routers can host two networks at once (typically a main network and a guest network). Keep sensitive activity on one network and everyday personal activity on the other, so that a compromise of one network does not let an attacker hop to the other. File your taxes from the sensitive network.

  4. Demand cyber-security precautions from your accountant or tax firm. The next time you visit your accountant or tax firm, ask about their cybersecurity practices. Ask about encryption, but don’t settle for that alone. You are paying a fee to have your taxes filed by a third party, so it is important that they are investing in cybersecurity; ask whether they practice micro-segmentation. With many tax professionals now working remotely and consulting by phone or video, make sure they have proper security controls on the device used to process your return.

  5. Be vigilant. Cybercriminals often gather the data used to file a false return before tax day. Be careful about which sites you visit, which links you click, and where you enter sensitive data. If something looks suspicious, stay away.

99% of Websites at Risk of Attack Via JavaScript Plug-ins

Steve Zurier: Third-party scripts such as Google Analytics and other plug-ins expose websites to Magecart, form-jacking, cross-site scripting, credit-card skimming and other attacks, new research shows.

A report released today by Tala Security found that these kinds of attacks exploit vulnerable JavaScript integrations that run on some 99% of the world’s websites. And while 30% of the websites analyzed implemented new security policies – a 10% increase over 2019 – only 1.1% of websites were found to have effective security in place, an 11% decline from 2019.

“This indicates that while deployment volume went up, effectiveness declined steeply,” says Aanand Krishnan, founder and CEO of Tala Security. “The attackers have the upper hand largely because we are not playing effective defense.”

Krishnan adds that without effective policy controls, every piece of code running on most websites can modify, steal, or leak information through client-side attacks executed in JavaScript. These attacks are attractive to criminals because compromising one third-party script exposes every website that loads it.

“In many cases, this data leakage takes place via whitelisted, legitimate applications, without the website owner’s knowledge,” Krishnan says. “Our report found that data risk is everywhere and effective controls are rarely applied. But just like the security business fixed network security issues with SSL and TLS, we’ll do the same with these third-party integrations by deploying better security controls and working with the industry to develop standards-based solutions.”

The report, which tracked the security posture of the Alexa top 1,000 websites, found that the average website includes content from 32 different third-party JavaScript programs, up slightly from 2019.

Of great concern: despite increasing numbers of high-profile breaches, the forms used to complete orders on 92% of websites expose data to an average of 17 domains.

“So this means that data doesn’t just get exposed on the main website, the shipper’s site, or at the payment clearing house, an average of 15 other domains are exposed, which dramatically exposes risk,” says Mark Bermingham, vice president of marketing at Tala. “We’ve seen cases where the hackers have changed code and even taken down entire websites.”
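The controls the report is talking about are the ones a site can enforce in the browser: know which third-party origins you load script from, pin static scripts with Subresource Integrity, and use Content-Security-Policy to restrict where a page may send form posts and fetches. The following is an added example (not Tala’s tooling or report code): it inventories the `<script>` tags of a page, flags third-party scripts that carry no `integrity` attribute, and emits an allowlist-style CSP whose `form-action` and `connect-src` directives limit the kind of “data to 17 domains” exposure the report describes. The HTML and the `example.com`/`example.net`/`example.org` hosts are constructed samples.

```python
# Added example: audit third-party scripts on a page and build a restrictive
# Content-Security-Policy from the result. Standard library only.
import re
from urllib.parse import urljoin, urlsplit

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
ATTRIBUTE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attrs(raw):
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTRIBUTE.finditer(raw)}


def _origin(url):
    p = urlsplit(url)
    return "{}://{}".format(p.scheme, p.netloc)


def audit_scripts(html, page_url):
    """Third-party script origins, third-party scripts lacking SRI, inline scripts."""
    site = _origin(page_url)
    third_party, missing_sri, inline = set(), [], 0
    for m in SCRIPT_TAG.finditer(html):
        a = _attrs(m.group(1))
        src = a.get("src")
        if not src:
            inline += 1          # inline script: needs a CSP nonce or hash to keep running
            continue
        origin = _origin(urljoin(page_url, src))
        if origin != site:
            third_party.add(origin)
            if "integrity" not in a:
                missing_sri.append(src)
    return {"third_party": sorted(third_party), "missing_sri": missing_sri, "inline": inline}


def build_csp(audit, form_targets=(), connect_targets=()):
    """Allowlist policy. default-src 'self' also governs img-src, so an allowed
    script cannot leak data to an arbitrary host through a tracking-pixel request."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(audit["third_party"]),
        "connect-src 'self' " + " ".join(connect_targets),  # fetch/XHR/WebSocket/sendBeacon
        "form-action 'self' " + " ".join(form_targets),     # where <form> may submit
        "base-uri 'self'",
        "object-src 'none'",
    ]
    return "; ".join(d.strip() for d in directives)


# Constructed sample page, not a real site.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://analytics.example.net/tag.js?id=ABC-1"></script>
<script src="https://cdn.example.org/lib.min.js" integrity="sha384-EXAMPLEHASH" crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form action="/checkout" method="post"></form></body></html>"""

if __name__ == "__main__":
    report = audit_scripts(SAMPLE_HTML, "https://shop.example.com/cart")
    print(report)
    print(build_csp(report, form_targets=["https://pay.example.com"]))
```

Two caveats go with this. CSP limits where data can be sent, not what an allowlisted script can read, so a compromised analytics tag can still harvest form fields; it just has fewer places to deliver them. And SRI only works for scripts whose bytes never change, which rules out most tag-manager and analytics loaders, so those stay on the audit list as an accepted, monitored risk rather than a pinned dependency.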


DE: German authorities seize ‘BlueLeaks’ server that hosted data on US cops

Catalin Cimpanu: The server seizure was announced today by investigative journalist Emma Best, one of the DDoSecrets public figureheads.

“We have received official confirmation that #DDoSecrets’ primary public download server was seized by German authorities (Department of Public Prosecution Zwickau file number AZ 210 AR 396/20),” Best wrote on Twitter last week.

The website has been active since June 19, when DDoSecrets published more than 269 GB of data containing more than one million files.

DDoSecrets said it received the files from the Anonymous hacker collective. The files included scanned documents, videos, emails, audio files, training materials, private law enforcement alerts, and more, and are believed to contain data from more than 200 US police departments and law enforcement fusion centers.

The BlueLeaks data is believed to have been stolen from a Houston company that provided web hosting services to US law enforcement agencies.

Four days after the BlueLeaks data was published, Twitter intervened and imposed a permanent ban on the official DDoSecrets Twitter account, which the organization was using to promote the BlueLeaks portal.

Twitter said the account violated its platform policies regarding the sharing of links to private data and hacked materials. Along with the ban, Twitter also started blocking users from posting links to the BlueLeaks website.

In an interview with Wired, Best admitted that the DDoSecrets team might have missed sanitizing or removing files containing sensitive information.


DE: Home Routers Are All Broken, Finds Security Study

Danny Bradbury: According to a study by Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), vendors have failed to fix hundreds of vulnerabilities in their consumer-grade routers, leaving people exposed to a wide range of attacks.

The FKIE examined 127 routers from seven large vendors and found security flaws in all of them, it said in a report released in late June. It called its results “alarming”.

“Many routers are affected by hundreds of known vulnerabilities,” it warned. “Even if the routers got recent updates, many of these known vulnerabilities were not fixed.”

The routers usually failed to use exploit mitigation techniques, it said, adding that some had passwords that users could not change, and which were either well-known or easy to crack. “Most firmware images provide private cryptographic key material,” it continued. “This means, whatever they try to secure with a public-private crypto mechanism is not secure at all.”

The institute used its own Firmware Analysis and Comparison Tool (FACT) to extract and analyze the routers’ most recent firmware. It found that 46 of them had received no security updates within the last year. At least 90% of the routers ran Linux, but more than a third of them used version 2.6.36 of the Linux kernel or older. At the time of writing, the current Linux kernel is 5.7.7; the last security update for the 2.6.36 series was in February 2011.

Even the best devices had at least 21 critical vulnerabilities and at least 348 rated with high severity, the study found. On average, routers had 53 critical vulnerabilities, it said.
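Three of the study’s findings can be checked on any unpacked firmware image without a full analysis platform: private key material shipped in the image, the age of the kernel, and account entries whose password hash is baked into the root filesystem (the same credential on every unit) or empty. The following is an added example, not FKIE’s FACT tool: `scan_firmware()` walks an extracted root and reports those three things, and `demo()` builds a constructed sample tree in a temporary directory so the scan can run offline. File layout, key contents and the kernel banner are made up for illustration.

```python
# Added example: scan an unpacked firmware root for bundled private keys, the
# kernel version, and fixed or empty account passwords. Standard library only.
import re
import tempfile
from pathlib import Path

PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
KERNEL_BANNER = re.compile(rb"Linux version (\d+\.\d+(?:\.\d+)?)")
# crypt(3)-style second field in passwd/shadow: $1$ md5, $5$ sha256, $6$ sha512,
# $y$ yescrypt, or a 13-character traditional DES hash.
HASHED_FIELD = re.compile(r"^([^:\n]+):(\$(?:1|5|6|y)\$[^:\n]+|[./0-9A-Za-z]{13}):", re.M)
EMPTY_FIELD = re.compile(r"^([^:\n]+)::", re.M)


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def older_than(version, minimum):
    """True if a kernel version string is below the given baseline."""
    return version_tuple(version) < version_tuple(minimum)


def _scheme(hash_field):
    return hash_field.split("$")[1] if hash_field.startswith("$") else "des"


def scan_firmware(root):
    root = Path(root)
    out = {"private_keys": [], "kernel": None, "hashed_accounts": [], "empty_passwords": []}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if PRIVATE_KEY.search(data):
            out["private_keys"].append(rel)          # anyone with the image has this key
        m = KERNEL_BANNER.search(data)               # banner lives in the kernel image
        if m and out["kernel"] is None:
            out["kernel"] = m.group(1).decode()
        if path.name in ("passwd", "shadow"):
            text = data.decode("utf-8", "replace")
            # A hash in the image means every device ships with the same password
            # unless the file is overlaid by writable storage at runtime.
            out["hashed_accounts"] += [(u, _scheme(h)) for u, h in HASHED_FIELD.findall(text)]
            out["empty_passwords"] += EMPTY_FIELD.findall(text)
    return out


def build_sample_tree(root):
    """Constructed sample tree, not a real vendor image."""
    root = Path(root)
    (root / "etc" / "ssl").mkdir(parents=True)
    (root / "boot").mkdir()
    (root / "etc" / "ssl" / "server.key").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIEexampleNOTAREALKEY\n-----END RSA PRIVATE KEY-----\n")
    (root / "etc" / "shadow").write_text(
        "root:$1$saltsalt$0123456789abcdefghijkl:18000:0:99999:7:::\n"
        "admin::18000:0:99999:7:::\n")
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\nadmin:x:0:0::/:/bin/sh\n")
    (root / "boot" / "zImage").write_bytes(
        b"\x00" * 16 + b"Linux version 2.6.36 (build@example) (gcc 4.4.3) #1\x00")


def demo():
    tmp = tempfile.mkdtemp(prefix="fw-")
    build_sample_tree(tmp)
    return scan_firmware(tmp)


if __name__ == "__main__":
    findings = demo()
    print(findings)
    print("kernel older than 4.4:", older_than(findings["kernel"], "4.4"))
```

A hit on `private_keys` is the case the report calls out: whatever the device protects with that key (its HTTPS admin interface, an SSH host identity, a firmware-update signature check) is protected by a secret every other owner of the same image also holds.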


Nvidia eclipses Intel as most valuable U.S. chipmaker

(Reuters) - Nvidia (NVDA.O) has overtaken Intel (INTC.O) for the first time as the most valuable U.S. chipmaker.

In a semiconductor industry milestone, Nvidia’s shares rose 2.3% in afternoon trading on Wednesday to a record $404, putting the graphics chip maker’s market capitalization at $248 billion, just above the $246 billion value of Intel, once the world’s leading chipmaker.

Nvidia’s stock has been among Wall Street’s strongest performers in recent years as it expanded from its core personal computer chip business into data centers, automobiles and artificial intelligence.


Trump Confirms U.S. Launched Cyberattack on Russian Troll Farm in 2018

By Eduard Kovacs: The Washington Post reported in February 2019 that the U.S. Cyber Command, supported by the NSA, had launched an attack on the Internet Research Agency (IRA), a Saint Petersburg-based firm that is said to conduct online influence operations for the Russian government.

Officials who spoke on condition of anonymity said at the time that the attack took the IRA offline. The goal was to prevent Russia from interfering in the 2018 midterm elections, similar to how it meddled in the 2016 presidential elections. The operation against the IRA was considered a success by at least some officials.

In an interview with the Washington Post last week, President Trump confirmed authorizing the attack on the Russian troll farm, and claimed that his predecessor, President Barack Obama, did nothing to stop similar influence campaigns before the 2016 presidential election, despite allegedly knowing about them.

While it’s known that the United States does conduct offensive cyber operations, it’s highly uncommon for the government to confirm a specific attack.


Google moves on stalkerware ads: update to the Google Ads “Enabling Dishonest Behavior” policy

In August 2020, the Google Ads Enabling Dishonest Behavior policy will be updated to clarify restrictions on advertising for spyware and surveillance technology. The updated policy will prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization. This policy will apply globally and we will begin enforcing this policy update on August 11, 2020.

Examples of products and services that will be prohibited (non-exhaustive)
Spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent; promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.

This does not include
(a) private investigation services or
(b) products or services designed for parents to track or monitor their underage children.

Violations of this policy will not lead to immediate account suspension without prior warning. A warning will be issued, at least 7 days, prior to any suspension of your account.

Please review this policy update to determine whether or not any of your ads fall in scope of the policy, and if so, remove those ads before August 11, 2020.


Inside America’s Secretive $2 Billion Research Hub Collecting Fingerprints From Facebook, Hacking Smartwatches And Fighting Covid-19

Thomas Brewster for Forbes: Whenever James Bond needs a high-tech edge, he goes to Q and his secretive MI6 lab. In the real world, American agents often rely on a less clandestine, but far better funded group. Armed with 8,000 employees and an annual budget of between $1 and $2 billion of taxpayers’ money, Mitre Corp, a government-linked skunkworks, has been making bleeding-edge breakthroughs for U.S. agencies for more than six decades. With its HQ housed in four towers atop a hill in McLean, Virginia, Mitre’s research centers employ some of the nation’s leading computer scientists and engineers to build digital tools for America’s top military, security and intelligence organizations.

Among the government’s wilder Mitre orders: a prototype tool that can hack into smartwatches, fitness trackers and home thermometers for the purposes of homeland security; software to collect human fingerprints from social media websites like Facebook, Instagram and Twitter for the FBI; support in building what the FBI calls the biggest database of human anatomy and criminal history in the world; and a study to determine whether someone’s body odor can show they’re lying.

These varied, multimillion dollar projects, revealed in hundreds of pages of contract details obtained via FOIA requests as well as interviews with former Mitre executives and government officials, provide just a glimpse into this sprawling contractor’s secretive world. Mitre’s influence goes far beyond its vast tech development; it’s also a major consultant for myriad government agencies on how best to deploy tech and policy strategies. Its latest gig: helping the Centers for Disease Control and Prevention (CDC) and Homeland Security’s ominously-named Countering Weapons of Mass Destruction office craft sweeping plans for curtailing the Covid-19 pandemic.

Mitre’s history is full of such unlauded public service. As its promo material says: “You may not know it, but Mitre touches your life most every day.” Wanting to know the extent of Mitre’s touch, Forbes launched an investigation to pull Mitre’s staggering range of work from the shadows. What we found is an elite institute that has proved a major boon to the U.S. government, providing tools for surveillance of criminals, diseases and immigrants illegally trying to enter the country. But some of the same projects are setting off alarm bells among human rights organizations and privacy advocates like the ACLU, who are concerned about surveillance overreach from Mitre’s sophisticated technology. Despite multiple requests to meet with Mitre executives in person and visit its headquarters, Mitre declined to provide comment for this article. The FBI and DHS acknowledged requests for comment but had not provided any.

“The characteristic of Mitre that I’ve always explained to people is that when we say we do information sciences, we go way beyond what people would typically call IT,” Martin Faga, the Mitre CEO from 2000 to 2006, tells Forbes. It would, for example, design a specialized antenna to go on a military aircraft to send and receive data from a communication satellite, says Faga, a white-haired, inconspicuous longtime employee of U.S. intelligence agencies and contractors. Mitre would then design the satellite communications system too, as well as the radar, “every kind of information system,” he adds.

Mitre doesn’t commercialize the technology it creates. Once a prototype is built, it’s licensed to either the government, private business or academic institutions. Since 2014, it’s transferred more than 670 licenses to industry and university partners.

Unshackled from commercial pressures, Mitre is given latitude to develop some of the more radical answers to the government’s most pressing questions. Take a project to collect fingerprints from people’s Facebook, Twitter and other social media posts. Emails and details of a Mitre contract obtained by Forbes outline a $500,000 “social media image fingerprinting project” for the FBI, which started in 2015. It was run by an FBI hacking unit in Quantico, the Operational Technology Division, and funded by a previously-unreported research funding body called TRIAD. Chris Piehota, the recently-retired chief of operations for the FBI Science and Technology Program, tells Forbes TRIAD was designed to fund innovative research from objective outside bodies and that “image fingerprinting” is as literal as it sounds: trying to capture biometric information from social media images. Think of gang members who put up photos of themselves online, showing gang signs with their hands, explains Piehota. “They’re also giving us access to their fingerprint patterns,” he adds. “[The FBI] can take your fingerprint characteristics from those images and they can build fingerprint files or fingerprint characteristics for individuals [for whom] we don’t have biographic information.” This could be useful for individuals violating immigration laws where the U.S. doesn’t have a record of their fingerprint in another database, adds Piehota. It could also be used to identify someone in a child exploitation video or, as in an investigation in the Welsh city of Swansea, catch drug dealers using tools like WhatsApp.

The technology, if it works as described, is potentially useful for the law enforcement and intel agencies Mitre works with, and potentially dangerous for personal privacy. Nate Wessler, staff attorney at the ACLU Speech, Privacy and Technology Project, says the surveillance project raises “serious privacy concerns,” especially during a time of pan-American civil unrest over the Covid-19 pandemic and racial inequality. “Nobody expects that by posting a digital photo online, they are exposing their unique biometric identifiers including their fingerprints, to collection in a law enforcement database,” he says. “Not only are we seeing historic protests against anti-Black racism and police brutality, but we’re seeing historic levels of digital recordings of those photos of those protesters by the media and by law enforcement… The prospect of law enforcement agencies being able to cheaply, easily and quickly obtain people’s fingerprints off of those photos is extraordinarily chilling.” Piehota notes that as a privacy precaution the FBI would only take fingerprints from social media images where the target was a valid suspect and it wouldn’t simply trawl the likes of Facebook for all available prints.

Mitre has a history in assisting the U.S. government’s expansion of biometric surveillance. Another 2014 contract details Mitre’s work assisting the FBI on facial recognition tools, right down to “creating local watchlists by flagging subjects of interest.” It’s also helping the FBI build the Next Generation Identification (NGI) system, which is one of the biggest databases of criminal suspects’ faces, fingerprints and other identifying body parts on the planet. According to the FBI, the NGI is “the world’s largest and most efficient electronic repository of biometric and criminal history information.” It’s cost the FBI at least $500 million since its incipience in 2007, much of it going to early developer Lockheed Martin, according to a review of contract records. Piehota says that all manner of law enforcement agencies, from local to federal, can access it to check the identity and background of a criminal. And Mitre, since at least 2013, has received millions in contracts to provide technology and guidance to build it as part of a previously-unreported project called Sugar Bowl II, an unexplained codename, FOIA records show.

Mitre’s high-tech snooping also extends to the fast growing world of connected devices: think smart watches, speakers, TVs and security cameras. In a $500,000 September 2017 contract, the DHS asked Mitre to create a system that could locate and hack into smartwatches, fitness trackers, home automation devices, or anything that could be classed as an Internet of Things (IoT) system. The contract says the tech could be used either by law enforcement or border officials to help them “rapidly detect and exploit for evidentiary purposes IoT devices in a security or crime scene environment,” or for use at “physical security boundaries” to hack into devices “passing through or approaching the boundary.” Think of people crossing the U.S.-Mexico border and a surveillance tool that scans every device coming through, checking which ones are smartwatches and other IoT systems. When one is worn by a criminal suspect, it could quickly be drained of data and evidence on their activities gathered, from their text messages to their previous locations.

One source, a former police officer and surveillance industry expert who claimed knowledge of the contract, says the tech was only ever used by Customs and Border Protection (CBP). Another source, a former Mitre and government employee, says Mitre has long provided digital forensics expertise to CBP staff carrying out searches of electronic devices at the border. And FOIA-obtained contracts worth more than $13 million show Mitre has provided expansive CBP technical support since at least 2016, including a study of the efficacy of Rapid DNA technology - another controversial tool that’s led to an outcry amongst civil rights organizations, who say the tools infringe on immigrants’ privacy. Designed to help uncover immigrants lying about being families at the border, it can quickly determine whether people entering the U.S. are related.

The power to hack into smart IoT devices could be hugely advantageous for federal agents, though the government wouldn’t tell Forbes where and how it’s been deployed. As explained in the September 2017 project outline, police have been lacking in the skills and resources to acquire evidence from these kinds of technologies. “IoT devices capture a lot of telemetry and I can imagine lots of places where this is useful,” says Jake Williams, a former NSA analyst turned cybersecurity practitioner, who adds that he was shocked such a tool would be used at border checkpoints. It’s got civil rights lawyers spooked too. “It would appear to only require the person using the tools to be in range of the device signals and would not require physical possession or access,” says Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society. “Law enforcement use would be troubling and it would be difficult to hold them accountable for how they use it.”


Mozilla turns off “Firefox Send” following malware abuse reports

Firefox Send was a free service from Mozilla that aimed to let you share large files easily, without having to worry about what gets left behind and forgotten about.

When you upload a file to send DOT firefox DOT com, it gets encrypted in your browser before any data is sent to the cloud; the decryption key is encoded into the download URL (in the fragment after the #, which browsers never send to the server); and the link thus generated is (by default, at least) valid for one download or 24 hours, whichever comes first.

If the recipient downloads the file using the link you send them, the data gets decrypted in their browser only after it has been downloaded, and then it vanishes from Mozilla’s servers forever.

If both you and the recipient forget about the uploaded file altogether, then it vanishes anyway and you don’t have to wonder if it’s still sitting around somewhere for someone else to download.

While the file is still on Mozilla’s servers, the pre-upload encryption means that even Mozilla can’t decrypt the file anyway, because only the encrypted data was uploaded and not the key.

Crooks love Firefox Send just as much as we do, because it lets them generate short-lived links on a trusted domain for sharing arbitrary files without leaving any leftover data in the cloud.

The problem is that in the case of the crooks, they’re typically using Firefox Send for what you might call “data infiltration” – a way of importing malware files or attack tools onto a network they’ve already broken into without drawing undue attention to themselves.

That sort of operational tactic goes by the name of living off the land – a slightly misplaced metaphor, to be sure, but one that is now widely used in the cybersecurity industry to mean “fitting right in with everyday behavior on the network”.

By using Firefox Send, the crooks don’t need to set up a file sharing server of their own at a legitimate-looking URL, and they don’t have to worry about making sure their URLs expire automatically after use.

Links that work only once are a thorn in the side of security researchers, because even if you manage to acquire a full URL as an indicator of compromise, you can’t go back to the URL to investigate what malevolent baggage it might have served up when it was used.

The crooks also make themselves harder to track because their malicious content is effectively hiding in plain sight at an IP address operated by Mozilla.

Mozilla has issued a statement to say: “Before relaunching, we will be adding an abuse reporting mechanism to augment the existing Feedback form, and we will require all users wishing to share content using Firefox Send to sign in with a Firefox Account.”


My Bizarre Stint As an Amazon Reviewer for Hire - A Peek into the Fake Review Marketplace

Eli Reiter: In exchange for positive Amazon reviews, the mysterious Facebook accounts who recruited me promised me free stuff. They delivered.

A personal account of someone who was paid to buy products on Amazon and leave fake reviews. Fake reviews are one of those problems that everyone knows about and no one knows what to do about, so we all try to pretend they don't exist.

For the last nine months, I’d been writing positive Amazon reviews in exchange for free merchandise. Like most criminals, I started out legit, through a site called RebateKey, which offers rebates between 5% and 100% in exchange for leaving a review. Sellers used this third-party service of small refunds to bolster the search results when consumers are looking for, say, LifeStone Rose Quartz Crystal Soap with French Pink Clay and Rose Geranium Essential Oil, a meat thermometer, or a newsboy cap. The rebate check arrived after 30 days, so I couldn’t return the product after payment. It only made sense to participate if I were truly interested in owning the product in question.

But after I contacted RebateKey customer service using Facebook Messenger, the social media data vacuum otherwise known as Facebook apparently pegged me as someone interested in writing Amazon product reviews. It served me an ad with a picture of a desk chair that read: “Click here for 100% rebate offer.” I clicked it. A draconian private message popped up: “Welcome to Smugdesk company’s Reviewer Reward Program and participate in an awesome Free product trial. Everyone only has one chance to join this program. There are lots of people who want to enjoy our benefits, so before we officially confirm the cooperation, we need to make sure you can accept the following.” In halting English, I was given a set of directions. And despite the disembodied creepiness, I clicked “I agree.” Worst-case scenario, I figured I could return the chair and get a refund. Following the directions, I plugged in specific search keywords into Amazon, found the chair and separate wheels for it, and purchased them for $196.72. The items came three days later in a heavy box that barely fit through my door.

My PayPal refund, according to the Facebook Messenger directions, would only come if I left a five-star review. I didn’t want to lie too much, so I wrote bland copy under the title, “They work, I guess!” Two business days later, $196.72 arrived in my PayPal account. It is still the most money I was ever paid as a writer, per word.

Soon, other ads for Amazon review schemes started popping up on my feed. Four kinds of identical beard oil with differing labels. A selfie lamp that attached to my table. Three-ounce bottles used for carrying liquid through airport security. Even a large lamp used for professional photographers. I didn’t need any of this stuff; I was addicted.

Fake Facebook accounts with bland profile pictures of flowers started messaging me. “Are you a US Reviewer?” I would say yes and send them my Amazon profile link so they could see my many reviews. The person on the other end would message me a gallery of various product images, and I would choose the one I wanted. They’d offer keywords and tell me the exact amount the product sold for and the number of reviews it had, so I would have to search first and then select the product on my own, a process that might raise the item’s search ranking. It was a nudge-nudge kind of thing, sending me covertly toward the products without sharing the exact link.

The more I reviewed, the more the Facebook accounts asked me to review. It became a daily ritual.

At 1 a.m. or so, after scarfing down a book or cramming in a paper for the next day’s class, the Facebook accounts that offered me reviewing opportunities came alive. It was obvious from their incessant badgering that they were hustling. They were not the products’ sellers. They did not send me money. They were recruiters, gig workers, and would follow up with me so that I did my job. Many different accounts would offer the same two dozen items. The PayPal refund, coming from different email accounts with Mandarin characters, did not tell me which refund the item was for. I would have to match the refund amount with the dozens of products I purchased.

The black market for Amazon reviews makes some sense if you consider how valuable positive reviews can be to sellers on the platform. With more than 2.5 million sellers on the platform, getting seen by customers who might make a purchase is no easy feat. As one friend who has been selling on Amazon Marketplace since 2016 explained to me, on Amazon, “the more reviews you have on an item, the more likely for the item to come up in an algorithmic search. The more customers like the item, with reviews, the more Amazon likes it.”

Exactly how Amazon uses reviews in its search algorithms is a mystery. Not all reviews are worth the same. Older reviews may lose value over time, and reviews from consumers who purchased their products on other sites — unverified purchases — may be worth less. Amazon might also weigh reviews differently based on the customer’s number of reviews and average review score. Amazon keeps its exact methods secret. So sellers are always trying new methods to recruit good reviews.

But why didn’t sellers just refund me on Amazon, and skip intermediary commissions and PayPal? They “bought” my reviews twice, once on the refund and once on the recruiters’ commissions. Why go through all this trouble to recruit me on Facebook and send me free stuff?

When I asked another long-time Amazon seller this question, he said that it’s because Amazon has been cracking down on fake and incentivized reviews. Up until 2016, the company actually allowed sellers to offer discounts and free merchandise in exchange for reviews, as long as the reviewer disclosed the deal in their review. Even before changing this policy, the company had sued the operators of websites offering the service as well as individuals who offered to leave five-star reviews in exchange for a fee using the freelancing website Fiverr. The Federal Trade Commission (FTC) issued its first charges against a company that hired fake reviewers last year.

Amazon is on the lookout for suspicious reviewers. Recruiting people like me creates real purchases on Amazon from accounts with real addresses, and the refund is hidden off of Amazon’s platform. All of which make the reviews more convincing.

Still, the strategy didn’t seem to work perfectly. Some of my reviews were never posted. Some items mysteriously got taken down. Sometimes I would purchase an item, receive it, and go back to review it, only to find that it was taken down.

Eventually I decided to quit. The guilt crept in slowly as my bedroom piled up with boxes. The ubiquitous Amazon symbol, shaped like a smile, taunted me, reminding me that I was adding to the noise on the internet in an unethical manner. It became a frown. My parents raised me to be an honest person, above all else. This was lying, and my words were influencing others’ decisions.



@rps I love reading your weekly security news! Have had a lot of friends discussing the TikTok/Amazon news. What are your thoughts?


TikTok is going to become a political soccer ball. I am betting someone will try a bicycle kick, but shoot wide of the goal.

I love the icon BTW!


We’ll make you one now that you’ve reached the DAML’r User Level. Check out this thread for all the info (which you should now be able to see): Get your custom pixel art avatar for reaching the DAML’r user level