Privacy and Security related news for the week ending 2020 10 27

DAML’ers, this privacy and security related news is the best EVER. As we span the globe for stories we start off in Sweden and end up in Kazakhstan.

In between those two countries you can learn how not to redact depositions, send high speed uploads to an aircraft over Bavaria, view some extraordinarily bad passwords à la the current US president, read a truly inspirational story about one of the team leads at Project Zero, get our recommendation for a replacement for the “Zucked” WhatsApp, and protect your phone against malice on public Wi-Fi networks.

This week’s news is laughable and sobering at the same time, and you will find every piece a jewel.

Have a great read or listen, a wonderful week and stay informed, safe and secure!

SE: Swedish Authorities, Banks Hit by Security Data Leak

Details of bank vault floor plans, alarm systems and the security arrangements for Swedish authorities have been leaked online after a security company was hacked, local media reported Tuesday.

A total of 19 gigabytes of information and around 38,000 files were stolen from security group Gunnebo by one or more hackers in August, according to newspaper Dagens Nyheter.

Among the leaked documents are details of the security arrangements for the Swedish parliament, confidential plans of the Swedish Tax Agency’s new office on the outskirts of Stockholm, plans for bank vaults in at least two German banks, and alarm systems with surveillance camera placement at a branch of the SEB bank in Sweden

“We cannot rule out… industrial espionage,” said Gunnebo CEO Stefan Syren.

Private Psychotherapy Notes Leaked in Major Finnish Hack. Patients already being blackmailed.

Finnish police are working with other agencies to investigate the data breach that targeted Vastaamo, the country’s largest private psychotherapy center, which treats roughly 40,000 patients across the country.

Some of the victims have received emails demanding payments in bitcoin to prevent the public disclosure of their personal information.

“This data breach is shocking in many ways,” Finland’s Prime Minister, Sanna Marin, said

Vastaamo said it has started an internal inquiry into the matter and admitted on its website Monday that its patient database was first accessed by hackers back in November 2018. The company said security flaws continued to persist until March 2019. The company also announced Monday it had fired its CEO, Ville Tapio, after it was discovered he concealed the breach from the company’s board and parent company.

US: We Cracked the Redactions in the Ghislaine Maxwell Deposition

On Thursday morning, a federal court released a 2016 deposition given by Ghislaine Maxwell, the 58-year-old British woman charged by the federal government with enticing underage girls to have sex with Jeffrey Epstein.

In the deposition, Maxwell was pressed to answer questions about the many famous men in Epstein’s orbit, among them Bill Clinton, Alan Dershowitz, and Prince Andrew. In the document that was released on Thursday, those names and others appear under black bars.

It turns out, though, that those redactions are possible to crack.

Although Maxwell doesn’t admit to anything, it is interesting to see who investigators asked about in the examination.

The Slate article steps you through unmasking the redacted names, a list that reads like an international who’s who, and reinforces the point that redacted or anonymized data is seldom truly so.

See the whole deposition here.

Read about unredacting .pdf documents with tools like Podofyllin by Eclectic Light, here.
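The most common way a redaction fails is the one the page hints at: a black rectangle is painted on top of the text, but the text itself is still in the page’s content stream, so any tool that extracts text, or a plain search of the file, recovers it. The following is an added example, not code from Slate or from Eclectic Light, that builds two tiny PDFs in memory (a constructed placeholder name, not one from the deposition) and checks whether the “redacted” string survives. It inflates compressed content streams and looks at literal strings shown with `Tj`; `TJ` arrays, hex strings and escaped parentheses are deliberately left out, which is enough to show the point but not enough to audit a real production document.

```python
import re
import zlib
from typing import List

SECRET = "Jane Roe"  # constructed placeholder; not a name from the deposition


def build_pdf(content: bytes, compress: bool = False) -> bytes:
    """Wrap a page content stream in a minimal PDF.

    Constructed for this example only: there is no xref table, which text
    extractors tolerate but a strict viewer may complain about.
    """
    filt = b""
    if compress:
        content = zlib.compress(content)
        filt = b"/Filter /FlateDecode "
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> >> >> "
        b"/Contents 4 0 R >>",
        b"<< /Length %d %s>>\nstream\n" % (len(content), filt) + content + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


STREAM_HDR = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct /Length only
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj")                     # literal strings shown with Tj


def extract_strings(pdf: bytes) -> List[str]:
    """Return every literal string drawn with Tj in any content stream."""
    found: List[str] = []
    for m in STREAM_HDR.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            body = pdf[start:start + int(length.group(1))]
        else:  # indirect /Length: fall back to scanning for the keyword
            body = pdf[start:pdf.index(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            body = zlib.decompress(body)
        found.extend(s.group(1).decode("latin-1") for s in TEXT_RE.finditer(body))
    return found


def fake_redaction(secret: str = SECRET) -> bytes:
    # The question is drawn in full and a black rectangle is painted over the
    # name afterwards: a viewer shows a bar, the file still carries the text.
    stream = (
        f"BT /F1 12 Tf 72 700 Td (Q. Have you ever met {secret}?) Tj ET\n"
        "0 g 185 696 55 14 re f\n"
    ).encode("latin-1")
    return build_pdf(stream, compress=True)


def real_redaction() -> bytes:
    # The name is removed from the content before the page is written out, so
    # the bar is cosmetic rather than the only thing hiding the text.
    stream = (
        "BT /F1 12 Tf 72 700 Td (Q. Have you ever met [REDACTED]?) Tj ET\n"
        "0 g 185 696 55 14 re f\n"
    ).encode("latin-1")
    return build_pdf(stream)


def leaks(pdf: bytes, needle: str) -> bool:
    """True if the supposedly redacted text is still present in the file."""
    return any(needle in s for s in extract_strings(pdf))


if __name__ == "__main__":
    print("black box over text leaks the name:", leaks(fake_redaction(), SECRET))
    print("text removed before rendering leaks:", leaks(real_redaction(), SECRET))
```

The same check applied to a real document needs a full PDF parser (object streams, `TJ` arrays, encodings), but the rule it demonstrates holds for any format: a redaction is only real if the data is gone from the file, not merely covered in the rendering.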

Amazon sacks insiders over data leak, alerts customers

Amazon has recently terminated employees responsible for leaking customer data, including email addresses, to an unaffiliated third party in violation of company policies.

“The individuals responsible for this incident have been fired. We have referred the bad actors to law enforcement and are supporting their criminal prosecution,” said an Amazon spokesperson.

The company did not say how many customers were impacted, but tweets related to the matter over the weekend indicate it may have been global in scope: “Why is the Canadian branch notifying a UK account holder?”

DE: Stratospheric Platforms Limited announces successful demonstration of high-speed connectivity from the stratosphere into a live telecommunications network

Stratospheric Platforms Ltd working with Deutsche Telekom AG (“DT”), its largest shareholder, technology partner and launch customer, is pleased to announce the world’s first successful demonstration of high speed LTE/4G data and voice connectivity via a remotely piloted aircraft operating in the stratosphere and integrated into DT’s live terrestrial network.

Stratospheric Platforms is developing a hydrogen fuel-cell powered, long-endurance platform, communications payload and related infrastructure that will operate as a telecoms mast in the stratosphere. The platform will deliver high-quality 4G and 5G ubiquitous coverage, more cost-effectively to users than is possible with current terrestrial mast solutions.

The demonstration carried out by DT was performed in Bavaria using a H3Grob 520 aircraft – a remotely piloted aircraft system (RPAS) operating in the low stratosphere at an altitude of 45,000ft (c. 14km) – and an LTE antenna, with architecture compatible with 5G standalone delivered signals, to user equipment in the 2.1 GHz frequency band. A Voice over LTE (VoLTE) call, video call, data call, and video streaming were demonstrated on a standard smartphone and linked into the DT terrestrial live network. The stratospheric test demonstrated download speeds of 70Mbps and upload speeds of 23Mbps over a 10 MHz bandwidth.

NL: How Trump’s Twitter account was hacked – again

On October 16, 2020 a mysterious message is posted on Donald Trump’s Twitter timeline.

Twitter Shuts Down Entire Network To Slow Spread Of Negative Biden News via @TheBabylonBee

Wow, this has never been done in history. This includes his really bad interview last night. Why is Twitter doing this. Bringing more attention to Sleepy Joe & Big T

Did Trump make a mistake?
Is it a joke?
Or neither of the above?

The security world was split last week, when ethical hacker Victor Gevers claimed in Dutch newspaper Vrij Nederland that he had guessed the password to Donald Trump’s Twitter account and gained access—again.

First things first, Gevers is not an anonymous hacker hiding behind a social media pseudonym. Within the international hacker community, Gevers (44) is considered an authority. He’s well known in cybersecurity and highly credible—and that means he has a reputation to preserve. Gevers and his GDI.Foundation made headlines last year, exposing Chinese surveillance databases that were unsecured and which contained alarming data on the public, including one that appeared to include the “BreedReady” status of 1.8 million women.

Four years ago Gevers discovered Trump’s password was yourefired. (No, we couldn’t make this up!) It didn’t work this time.

Gevers suspects Trump’s account has its own special security. This would also explain why Trump’s account was left untouched during the Twitter hack in July 2020. During this hack, posts appeared on the accounts of Barack Obama, Elon Musk and Joe Biden, requesting Bitcoin transfers. Not on Trump’s account.

Gevers tries a few other passwords:


Plong! At the last try, he gets kicked off the site. Or at least, that is what it seems like – for a split second. Because he then realizes, he’s back in Donald Trump’s Twitter account, just like he was 4 years ago. He also discovered that 2FA had been turned off.

Gevers pursued an official ‘responsible disclosure’ path and received only this message: ‘Thank you, we forwarded your message.’

Fast forward to last week: the password seems to have changed and Two-Factor-Authentication has been reinstated. Other than this, nothing is happening – just like in 2016. Zero. Nothing. Nada. Not a single bleep. From anyone.

Gevers gives up on trying to reach Trump to warn him. He gives Gerard Janssen of the Dutch newspaper Vrij Nederland permission to run this story as a plea to everyone to use Two-Factor-Authentication.

Huawei Launches Stunning New Strike At Google To Beat Android

The Mate 40 has finally launched. Set against the backdrop of U.S. restrictions on the chipsets required to power Huawei devices, and with Google still missing, China’s leading smartphone manufacturer has released another stellar device whose sales will stall outside China based on factors outside its control. But it’s the replacement of Google Maps that’s stealing the headlines.

Huawei’s initial Petal Search, part of a new app family that includes the company’s long-awaited Google Maps replacement, was designed to find directions, but other info as well including social media and entertainment offerings. Petal Search has become a fully-fledged search engine in its own right, akin to “Huawei Search,” which was road-tested in March but was never fully released.

There are a whole raft of implications from this latest update. A threat to Google’s core business model as a mainstream smartphone maker goes its own way, a threat to U.S. dominance on mobile internet standards and staples for the same reason, but also a serious question about a Chinese company providing a search engine to the west.

Huawei is looking at morphing from phone maker to software ecosystem provider. Under that model, its search engine and other apps would be provided to a range of other OEMs through the company’s open-source HarmonyOS alternative to Android.

For now, with sales plummeting and chipset stocks depleting, the company is fighting for its life.

The Unsinkable Maddie Stone, Google’s Bug-Hunting Badass

Maddie Stone is formidable. As she sets up to do modified circuits at her San Francisco Olympic weightlifting gym, she is working around a bum knee that has been keeping her from her preferred workouts; everything from wall stands to the rowing machine is now off limits, so she settles for modified lifts and grinds away on upper-body machines.

Stone is a prominent researcher on Google’s Project Zero bug-hunting team, which finds critical software flaws and vulnerabilities—mostly in other companies’ products. But her journey through the ranks of the security research community hasn’t always been easy, and has galvanized her to speak openly, often on Twitter, about the need to make the tech and engineering industries more inclusive.

“When you see that you’re physically strong, that translates to so many other mental aspects,” she says. “I think it helped me in situations like my first job [at the Johns Hopkins University Applied Physics Laboratory] where I was in lots of rooms with many men from the military. I was like, OK, I can do push-ups. I can deadlift 305 pounds.”

At Google’s Mountain View campus, 40 minutes south of her gym, Stone’s job could easily be all-consuming. She joined Project Zero in 2019 after two years working on the Android security team, where she was hired for her skills in hardware and software reverse engineering. It’s a discipline where you take unknown code—in this case, some of the most sophisticated malware in the world—and deconstruct it to see what makes it tick. Once you’ve done that, you can figure out how to defuse it.

Stone eventually rose to lead a team that studies and neuters the Android malware actively used by criminals and nation state hackers. “There was such a clear, direct impact,” Stone says of her Android-focused work. “I find these potentially harmful apps, I flag the malware, and the defense we develop propagates to 2.8 billion devices. It was just such a massive, tangible impact that most people don’t get in their jobs.”

Some of the work involved countering one-off hacking tools, but other times got more personal. Stone and her colleagues once spent 18 months battling a botnet maker intent on infecting Android devices and skilled at circumventing deterrents. While the fight was still raging in the summer of 2018, Stone gave a talk at the Black Hat security conference in Las Vegas about features that helped the botnet malware avoid being analyzed. Within 72 hours, Stone says, the attacker group started altering each of the features she had touched on—despite the talk not being made public.

In her first year at Project Zero, Stone has investigated dozens of actively exploited software flaws to determine how each one works, whether the techniques it uses are novel or widespread, what tools attackers may have used to find the initial bug, and whether structural improvements in software could make whole classes of exploits more difficult to craft.

“A lot of the findings so far have been things that we weren’t quite expecting.” For example, Project Zero’s tracking spreadsheet for actively exploited zero-days currently shows 15 examples that have come to light this year. Three of those were found in security scanning tools like antivirus software. Stone points out that this number of AV-related entries is surprising given how modest their user base is relative to massive platforms like Chrome, Windows, or iOS.

How did she end up here? Maddie heard about “computer forensics,” thanks to Tim McGee, the resident hacker in the police TV show NCIS. Stone started watching the show in early high school with her mom after it had already been on the air for a few years.

As an undergraduate at Johns Hopkins University, Stone applied to dozens of computer science-related internships. While other students in her program racked up work experience during summers and school breaks, she landed only a single interview. Stone clinched a technical internship at the defense contractor Booz Allen Hamilton for the summer before her senior year.

“I really just needed one person in one company to say, ‘yes, we’ll give you a shot,’” Stone says. “It’s such a different experience once you have that one job on your resume.”
Stone graduated from Hopkins with an offer for a research-focused job at the Johns Hopkins University Applied Physics Laboratory (APL).

Stone’s first reverse engineering project was to see if she could ferret out an attack method for an embedded device through its data port. Reverse engineering is all about pattern analysis and instinct. She spent hours and then days attempting to reverse engineer a suspicious feature. On the fourth day she managed to draw back the digital curtain: she had uncovered the measly print function.

While it seemed like a letdown, Stone eventually realized that her gut had been correct. As mundane as the print function sounded, she realized that she could in fact exploit it as part of an attack chain against the device.

“She does stick out in our field,” says former APL colleague Mary Ann Saunders. “She wears floral dresses, she’s not the stereotypical engineer or hacker you have in your mind.”

In June 2017 Stone gave a reverse engineering talk at a conference called Recon that took place in Montreal that year. Within weeks a recruiter from Google reached out to her about joining the Android security team.

“My mom passed away in January 2018 three months after I uprooted my life and moved to California for Google,” Stone says. “And yet 2018 was one of my best work years. When other things seem very hectic in our lives, doing good work, solving challenging problems that don’t have easy answers, and trying to make the world a little bit of a better place has always been an outlet for me.”

In her first week at Project Zero she was tasked with flushing out a vulnerability so serious that Project Zero decided to give only seven days’ notice – to Google itself – before going public, instead of the usual 90. And, because this was her first assignment, Stone had never even filed a bug in Project Zero’s issue tracker.

Stone’s approach to work and life? You don’t have to be the best at anything right away, you don’t have to fit in. You just have to enjoy what you’re doing—and have the raw determination to see it through.

Has Facebook Finally Broken WhatsApp? Radical New Update Now Confirmed

And so it begins. WhatsApp, the world’s leading secure messenger, has suddenly and without warning confirmed its plans to become a commercial shopping site, a marketing tool for businesses to pitch their wares. This has been the risk from the moment Facebook acquired the platform all those years ago. Well, now all those fears that Facebook will break WhatsApp have become much more real.

The $19 billion that Facebook paid for WhatsApp back in 2014 was always going to come home and bite at some point. That time might well be now.

WhatsApp’s mission has always been to provide simple, secure messaging, ad-free, clutter-free. Facebook’s mission, meanwhile, is monetization. “We want to make shopping easier for people and empower anyone,” it says, “to use our apps to connect with customers and grow their business. That’s why we’re creating new ways for people to shop on our apps and providing tools to help businesses sell online.”

We say there’s never been a better time to switch to Signal for private messaging and take your friends with you.

Palo Alto Networks Threatens Legal Action Over Product Comparison

The issue was made public last week in a blog post written by Avi Shua, co-founder and CEO of Orca Security. The video made by Orca in August, which is still available on YouTube, is described as a “detailed competitive comparison” between Orca Security’s platform and Palo Alto Networks’ Prisma Cloud product.

“In its letter (threatening legal action against Orca), Palo Alto Networks does not point to any factual inaccuracies in the reviews of its products’ performance. It’s outrageous that the world’s largest cybersecurity vendor believes that its users aren’t entitled to share any benchmark or performance comparison of its products,” said Shua.

Palo Alto claims it breaks the EULA. Whatever… it’s great PR for Orca.

US/CA: Infamous ‘Stingrays’ Become 'Obsolete’

L3Harris Technologies, formerly known as the Harris Corporation, notified police agencies last year that it would discontinue sales of its surveillance boxes in June 2020. One reason cited was that the old technology did not work on 5G. Now US police forces are scrambling to find alternate sources.

Originally designed solely for military and national security use, the devices are colloquially known as “Stingrays” after the popular model once manufactured by the Harris Corporation. Over the course of a decade, Harris has kept pace with evolving cellular standards by rolling out newer models such as the Hailstorm and the Crossbow, two devices that target 4G networks.

Law enforcement agencies are turning to a North Carolina company named Tactical Support Equipment as the sole US supplier for new cell-site simulators known as the Nyxcell V800/F800 TAU, surveillance technology manufactured by the Canadian firm Octasic.

“It is important that the public is informed about these powerful and expensive surveillance devices, especially when local police departments rarely understand how the technology works,” Mike Katz-Lacabe, founder of the Center for Human Rights and Privacy said. “When Harris Corporation was selling these to state and local law enforcement agencies, the software only allowed tracking of cell phones.” But the “federal version,” he noted, “enabled them to be used to intercept phone calls and text messages.”

UK: Nando’s Customers Hit by Credential Stuffing Attacks

Single mum-of-three Sandy Warden said her daughter, Mia, lost £114.50 after her account was accessed by criminals.

The 18-year-old from Hertfordshire said she used her bank details a week before to place an order online via a QR code in her local branch.

Mia was at home on September 21 when she received an email from Nando’s claiming she’d placed an order.

“It said she’d placed a huge order at the Kensington High Street branch in West London.”

“We take immediate action to refund anyone who has been impacted and secure those affected Nando’s accounts.

“We have made and are continuing to make investments to improve our detection and prevention of suspicious and malicious activity. We apologise to our customers who have been impacted by this.”
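Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts in a short time, most attempts fail because the leaked passwords are stale, and the handful that succeed are the takeovers. The following is an added example of that detection logic, not code from Nando’s or from the article, run over a few constructed log lines (placeholder addresses and RFC 5737 documentation IPs; the line format is an assumption of this example). It reports, per flagged source, the accounts that actually succeeded, which are the ones to force a password reset on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not real data): "<ISO-8601 UTC> <source IP> <account> <FAIL|OK>".
# 203.0.113.7 sprays eight accounts in 14 seconds and gets into two of them;
# 198.51.100.4 is one person mistyping their own password twice;
# 192.0.2.9 is a shared address with two successful, distinct users.
SAMPLE_LOG = """\
2020-09-21T18:01:00Z 203.0.113.7 alice@example.com FAIL
2020-09-21T18:01:02Z 203.0.113.7 bob@example.com FAIL
2020-09-21T18:01:04Z 203.0.113.7 mia@example.com OK
2020-09-21T18:01:06Z 203.0.113.7 carol@example.com FAIL
2020-09-21T18:01:08Z 203.0.113.7 dave@example.com FAIL
2020-09-21T18:01:10Z 203.0.113.7 erin@example.com FAIL
2020-09-21T18:01:12Z 203.0.113.7 frank@example.com OK
2020-09-21T18:01:14Z 203.0.113.7 grace@example.com FAIL
2020-09-21T18:05:00Z 198.51.100.4 sandy@example.com FAIL
2020-09-21T18:05:20Z 198.51.100.4 sandy@example.com FAIL
2020-09-21T18:05:45Z 198.51.100.4 sandy@example.com OK
2020-09-21T18:06:00Z 192.0.2.9 heidi@example.com OK
2020-09-21T18:07:00Z 192.0.2.9 ivan@example.com OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    account: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one line of the assumed space-separated format."""
    ts, ip, account, outcome = line.split()
    return Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK")


def detect_stuffing(lines: List[str],
                    window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5,
                    max_success_rate: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that, inside any sliding `window`, try at least
    `min_accounts` distinct accounts with a success rate of at most
    `max_success_rate`.

    A user retrying one account is never flagged (one account), and a busy
    office NAT is not flagged either (its success rate is close to 1). The
    combination of many accounts and mostly failures is the stuffing signal.
    """
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for line in lines:
        if line.strip():
            a = parse_line(line)
            by_ip[a.ip].append(a)

    findings: Dict[str, dict] = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span is at most `window` long.
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            current = attempts[start:end + 1]
            accounts = {a.account for a in current}
            successes = [a.account for a in current if a.ok]
            rate = len(successes) / len(current)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                prev = findings.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    findings[ip] = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(current),
                        "successes": len(successes),
                        # Accounts actually taken over: force a reset on these.
                        "compromised": sorted(set(successes)),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

Thresholds are the tuning knob: a large NAT or a mobile carrier gateway can legitimately show dozens of accounts per hour, so on real traffic the window and `min_accounts` should be set from a baseline of normal distinct-accounts-per-source, and the success-rate condition is what keeps those sources out of the alert.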

UK ‘test and trace’ service did not complete mandatory privacy checks

“Public Health England, supported by the NHS Business Services Authority, is preparing a data protection impact assessment for the NHS Test and Trace system,” Julia Thompson, a spokeswoman, said in a statement. It “expects to publish this shortly.”

Under U.K. law, such an assessment, detailing the potential privacy concerns of collecting reams of people’s sensitive data, is obligatory and must be completed before data collection begins. It has to be submitted to the country’s privacy watchdog for review.

Under U.K. rules, companies and government agencies can face fines of up to 4 percent of annual revenues if they mishandle people’s data. Earlier this year, for instance, the country’s Financial Conduct Authority referred itself to the U.K.'s privacy authority after it accidentally published people’s confidential details on its website.

Apps downloaded 8 million times finally get the boot from Google Play.

The 21 apps were packed with adware from the HiddenAds family. HiddenAds malware disguises itself as a fun or useful application, in this instance games that promise to virtually “let your car fly across the road, trees, hills,” to shoot criminals from a helicopter, or to iron virtual clothes, but actually exists to serve up intrusive ads outside the app. The apps also frequently hide their launcher icons, so they are hard to find and uninstall, and hide behind relevant-looking advertisements, making them hard to identify.

Read the reviews. If an app is a scam, then other users have likely already noticed and left bad reviews. If the app developers have created other apps with terrible reviews, but the one you are looking at has glowing reviews, it’s probably a scam.

Check permissions. A classic way that bad actors gain access to our devices is by asking for permissions they don’t need. Does a weather app need to access your microphone? Nope. Does a wallpaper app need to access your storage? Nope. That’s a sign the app is likely a scam.

Why You Should Stop Using This ‘Dangerous’ Wi-Fi Setting On Your iPhone

When you connect to public Wi-Fi, you rely on the network’s service set identifier, its SSID, to pick a connection. This is often the name of the hotel, coffee shop or bar; it is intended to keep things simple. Your iPhone will then automatically connect to that Wi-Fi again and again, each time you return to the location, as a convenience. But that simple convenience is a significant security risk that you should address, because the SSID is only a name and anyone can broadcast it.

“Most devices are configured to automatically connect to known hotspots,” security researcher Sean Wright warns. “Victims don’t need to do anything to connect. They just need to be in range.”

This security risk is so stark that it can be pushed to satirical levels. “Public Wi-fi will always have risk,” Cyjax CISO Ian Thornton-Trump says. “I once saw a Starbucks and a Subway Wi-Fi access point, flying from Newark to Vegas at 35,000 feet.”

Worse, your iPhone is constantly searching for familiar Wi-Fi networks, “sending out probes for hotspots it is looking to connect to,” Wright says, “so [an attacker] can stand-up hotspots with those SSIDs—a capability built into Wi-Fi Pineapples,” rogue access points built for intercepting traffic. But, in reality, no special equipment is needed. It takes nothing more than a cell phone. “I was in a hotel lobby,” Wright says, “I setup my ‘free’ hotspot and had five devices connect in a matter of minutes.”

How to turn this off? In your iPhone’s settings, go to “Wi-Fi,” and ensure “Ask to Join Networks” is set to “Ask,” and that “Auto-Join Hotspot” is set to “Ask to Join.” This stops your iPhone joining networks it has not seen before, or personal hotspots, without asking you, giving you the opportunity to exercise caution before tapping “Join.” It does not affect networks you have already joined; those are covered by the next step.

Much more importantly, you should click on the blue-circled “i” next to any public network you connect to, and disable the “Auto-Join” option.

If you do these two things—deselect auto-join for any public network you connect to and use a reputable VPN when you must use public Wi-Fi, then you will have taken sensible measures to keep your device protected. That said, prudent security advice is to avoid public Wi-Fi altogether.

IN: Data breach prompts Dr Reddy’s to shut key plants

COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories has shut down its plants in Brazil, India, Russia, the U.K. and the U.S. following a cyberattack, according to reports.

The Indian company is the contractor for Russia’s “Sputnik V” COVID-19 vaccine, which is about to enter Phase 2 human trials. The Drugs Controller General of India (DCGI) gave the company the go-ahead on Oct. 19.

Chief information officer Mukesh Rathi said: “In the wake of a detected cyber-attack, we have isolated all data centre services to take required preventive actions.” The company refused to comment on whether or not its manufacturing facilities had been affected.

US: T-Mobile screwups caused nationwide outage, but FCC isn’t punishing carrier

The Federal Communications Commission (FCC) has finished investigating T-Mobile for a network outage that Chairman Ajit Pai called “unacceptable.” Pai has a history of talking tough with carriers and not following up.

What happened? T-Mobile was installing new routers in the Southeast US. When a fiber transport link in the region failed, T-Mobile’s network should have transferred traffic across a different link. But the carrier “had misconfigured the weight of the links.” T-Mobile hadn’t implemented any fail-safe process to prevent the misconfiguration or to alert network engineers.

The Atlanta market “became isolated” from the rest of the network, causing all LTE users in the area to lose connectivity. A software error made things worse by preventing mobile devices in the Atlanta area from re-registering with the IP Multimedia Subsystem over Wi-Fi. Instead of routing device-registration attempts to a different node, “the registration system repeatedly routed re-registration attempts for each mobile device to the last node retained in its records, which was unavailable due to the market isolation.”

T-Mobile engineers “ended up exacerbating [the outage’s] impact because they misdiagnosed the problem.” T-Mobile had not tested and so didn’t know about the software flaw or the routing misconfiguration.

The outage spread from the Atlanta market and went nationwide. Shortly after, “IP Multimedia Subsystem, VoLTE, and Voice over Wi-Fi registrations began to fail nationwide.” Emergency 911 calls failed, because the same network nodes that choose gateways for calls destined for 2G and 3G networks also choose gateways for 911 calls. T-Mobile told the FCC that 23,621 calls to 911 didn’t get through.

In a press release Friday, Pai again criticized T-Mobile. “T-Mobile’s outage was a failure,” Pai said. “Our staff investigation found that the company did not follow several established network reliability best practices that could have either prevented the outage or at least mitigated its impact.”

And that was that. Pai did nothing more.

Researchers Discover A Large content management system Botnet So Brazen It Sells Its Own T-Shirt Merchandise

As criminals go, the people behind the vast and prolific KashmirBlack botnet must be an enterprising lot.

Not content with showering vulnerable content management systems (CMS) with plugin exploits, these guys have time for a little entrepreneurial action on the side selling campaign t-shirts at $7 a time (plus postage). With their own Facebook page, it’s almost as if they don’t think they’ll be found, or that nobody will bother to look.

In research released late last week, security company Imperva exposes the innards of the KashmirBlack botnet, a factory of evil which over the last year has spewed 20 different plugin and CMS exploits and payloads at an estimated 70,000 servers per day in more than 30 different countries around the world.

Estimating its size is guesswork, but Imperva believes it has reached 230,000 compromised servers, or about 700 new victims per day. On the receiving end are mostly US-based WordPress, Joomla, Drupal, and vBulletin CMS systems vulnerable to any one of a long list of software flaws.

The scary part is it is built on a massive infrastructure that is here to stay.

US: “Vote for Trump or else!”

Voters in several U.S. states have received threatening emails telling them to vote for incumbent presidential candidate Donald Trump, and vowing to “come after” them if they do not comply. U.S. officials now say that Iran was behind the emails, and that their goal was to create chaos and to undermine the legitimacy of the upcoming elections.

Analysis of the emails revealed that they had been “spoofed”: made to appear as if they were coming from the Proud Boys organization in order to conceal their true origin. The emails’ metadata indicated that they had been routed through servers in Estonia and possibly the Middle East.

FBI Director Christopher Wray and Director of National Intelligence John Ratcliffe gave a press conference to address the issue, during which they singled out Iran as the culprit behind the voter intimidation email campaign.

3 steps that US voters can take after receiving such an e-mail:

1). Keep your cool. Remember that since voter registration data is publicly available, there is not necessarily anything remarkable about a bad actor having access to your party affiliation or even your address.

2). Raise Awareness. Other people in your life may not be as security-savvy as you, and if they were to receive one of these voter intimidation emails, it could leave them deeply frightened — perhaps to the point of influencing their actions. If you know someone like this, take a moment today to reach out to them and let them know what’s going on.

3). Report voter intimidation. The FBI has a whole list of local field offices here:

And for our last article from the BBC there’s almost nothing in it about privacy or security, but we think it’s still very nice news…

Kazakhstan adopts Borat phrase for tourism campaign

When the first Borat film was released in 2006, Kazakhstan’s authorities banned the film and its release on DVD, and people were blocked from visiting its website. The film caused outrage in the country, and authorities threatened to sue creator Sacha Baron Cohen.

But with tourism up tenfold, and Sacha Baron Cohen now actually being hailed for exposing racial, ethnic and sexual stereotypes, the country’s tourism board has embraced Borat as a perfect marketing tool - just as a second Borat film is being released.

It has released a number of short advertisements that highlight the country’s scenery and culture. The people in the video then use Borat’s catchphrase “very nice”.

“Kazakhstan’s nature is very nice. Its food is very nice. And its people, despite Borat’s jokes to the contrary, are some of the nicest in the world,” the deputy chairman of Kazakh Tourism, said in a statement.

And that, dear DAML’ers is the conclusion of this “very nice” Privacy and Security Update!


Thanks @rps for this update!