School’s out for Summer with the IT Privacy and Security Update for the week ending June 13th, 2023


Daml’ers,

From the cool waters of the backyard pool to the chilling depths of cylindrical holes in the ground, this week’s stories will elevate your temperature to get you in that summertime mood.

We commute to work past a copycat chip shop and then get an update on why the unemployment rate for lobbyists is still at all-time lows in Washington DC.

[image: school books]
- For the podcast of this update just right click the pic -

We catch Microsoft being naughty, while Google and Apple go to the head of the class.

We find the US government flunking out with their latest budget spend, while one state that’s round on the ends and Hi in the middle makes the honors list.

Finally, we have a round-up of last year’s breach news from Verizon’s annual survey that should get us out of study hall early.

Up North, school’s almost out for Summer so grab your books and let’s go!


FR: Undeclared pools in France uncovered by AI technology

Following an experiment using artificial intelligence (AI), more than 20,000 hidden pools were discovered.

The discovery has brought in some €10m (£8.5m) in additional tax revenue, French media report.

Pools can lead to higher property taxes because they boost property value, and must be declared under French law.

There were more than 3.2 million private swimming pools in France in 2020, according to data website Statista, with sales already booming before the Covid pandemic.

But as more employees worked from home, there was a further surge in pool installations.

According to Le Parisien newspaper, an average pool of 30 sq m (322 sq ft) is taxed at €200 (£170) a year.

So what’s the upshot for you? The tax authorities are super-excited and say the software could eventually be used to find undeclared home extensions, patios, or gazebos, which also play a big part in property taxes.


Global: Will Productivity Gains from AI-Generated Code Be Offset by the Need to Maintain and Review It?

ZDNet asks the million-dollar security question: "Despite the potential for vast productivity gains from generative AI tools such as ChatGPT or GitHub Copilot, will technology professionals’ jobs actually grow more complicated?"

People can now pump out code on demand in an abundance of languages, from Java to Python, along with helpful recommendations.

Already, 95% of developers in a recent survey from Sourcegraph report using Copilot, ChatGPT, and other gen AI tools this way.

But auto-generating new code only addresses part of the problem in enterprises that already maintain unwieldy codebases, and require high levels of cohesion, accountability, and security.

For starters, security and quality assurance tasks associated with software jobs aren’t going to go away anytime soon.

“For programmers and software engineers, ChatGPT and other large language models help create code in almost any language,” says Andy Thurai, an analyst with Constellation Research, before talking about security concerns.

"However, most of the code that is generated is security-vulnerable and might not pass enterprise-grade code.

So, while AI can help accelerate coding, care should be taken to analyze the code, find vulnerabilities, and fix it, which would take away some of the productivity increase that AI vendors tout about."

Then there’s code sprawl.

An analogy to the rollout of generative AI in coding is the introduction of cloud computing, which seemed to simplify application acquisition when first rolled out, and now means a tangle of services to be managed.

The relative ease of generating code via AI will contribute to an ever-expanding codebase — what the Sourcegraph survey authors refer to as “Big Code”. A majority of the 500 developers in the survey are concerned about managing all this new code, along with code sprawl, and its contribution to technical debt.

Even before generative AI, close to eight in 10 say their codebase grew five times over the last three years, and a similar number struggle with understanding existing code generated by others.

So what’s the upshot for you? The productivity prospects for generative AI in programming appear to be a mixed bag.


HK/US: ByteDance Accused of Helping China Track Hong Kong Activists

https://www.bloomberg.com/news/articles/2023-06-06/chinese-used-bytedance-god-credential-to-track-data-suit-says#xj4y7vzkg

A former exec at TikTok’s parent company raised (more) alarm bells last week: Yintao “Roger” Yu, who was ByteDance’s US head of engineering, said that Chinese Communist Party members were able to use a “superuser credential” (aka a “god credential”) to monitor users’ personal data — including that of US users — through a special Chinese gov’t committee installed at ByteDance’s Beijing office.

Stalker mode: In a court filing Yu said that CCP officials used the superuser power to identify and track civil-rights activists and protesters in Hong Kong.

Superuser access was “commonly discussed” among employees, Yu said. He also accused TikTok of storing users’ DMs, search histories, and viewing habits.

So what’s the upshot for you? The US gov’t has been talking about a nationwide ban for years, and Americans favor a ban 2-to-1, a recent Pew survey found.

But TikTok’s still going strong with 150M+ US users.

ByteDance has spent millions lobbying Congress and recruited armies of influencers to promote TikTok.

Democratic Sen. Mark Warner said, “I don’t think there is a lobbyist that I know that is not on TikTok’s payroll at this point.”


CN: Ex-Samsung Executive Accused of Stealing Secrets for China Chip Factory

A former executive at South Korea’s Samsung Electronics was indicted on Monday on suspicion of stealing company technology for a copycat chip factory in China and jeopardizing national economic security, prosecutors said.

South Korea is a chipmaking powerhouse, increasingly pressed by the geopolitical and economic rivalry between the United States and China.

Last week, President Yoon Suk Yeol described chip industry competition as an “all-out war”.

The defendant, who also formerly worked at SK Hynix as a vice president, is accused of illegally acquiring Samsung data to build a rival factory only 1.5 km (1 mile) away from a Samsung chip manufacturing facility in Xian, China, the Suwon District Prosecutors’ Office said in a statement.

Prosecutors said they estimated the theft of data to have caused at least 300 billion won ($233 million) worth of losses for Samsung Electronics.

So what’s the upshot for you? What might have made it worse was having to commute past the copycat factory that was built on the stolen intellectual property.

Pretty brazen, we’d say!


CN: China Is Planning To Restrict and Scrutinize the Use of Wireless File-sharing Services

China is planning to restrict and scrutinize the use of wireless file-sharing services between mobile devices, such as AirDrop and Bluetooth, after they were used by protesters to evade censorship and spread protest messages.

The Cyberspace Administration of China, the country’s top internet regulator, has released draft regulations on “close-range mesh network services” and launched a month-long public consultation on Tuesday.

Under the proposed rules, service providers would have to prevent the dissemination of harmful and illegal information, save relevant records and report their discovery to regulators.

Service providers would also have to provide data and technical assistance to the relevant authorities, including internet regulators and the police, when they conduct inspections.

Users must also register with their real names.

In addition, features and technologies that have the capability to mobilize public opinion must undergo a security assessment before they can be introduced.

Apple, in particular, came under the spotlight after some Chinese protesters used AirDrop in 2022 to bypass surveillance and circulate messages critical of the regime by sending them to strangers on public transport.

The tool was a relatively untraceable method for sharing files in China, where most social media and messaging platforms are tightly monitored.

Shortly afterwards, Apple limited the use of AirDrop on iPhones in China, allowing Chinese users to receive files from non-contacts for only ten minutes at a time.

The proposed rules will take control of similar functions up a notch, requiring file receiving and thumbnail previews to be disabled by default.

So what’s the upshot for you? To all our Chinese counterparts, “Goodbye wireless file sharing!”


Global: Edge Sends Images You View Online To Microsoft

Not so long ago, Microsoft Edge ended up in hot water after users discovered a bug leaking your browser history to Bing.

Now you may want to toggle off another feature to ensure Edge is not sending every picture you view online to Microsoft.

Edge has a built-in image enhancement tool that, according to Microsoft, can use “super-resolution to improve clarity, sharpness, lighting, and contrast in images on the web.”

Although the feature sounds exciting, recent Microsoft Edge Canary updates have provided more information on how image enhancement works.

The browser now warns that it sends image links to Microsoft instead of performing on-device enhancements.

So what’s the upshot for you? How to turn it off?

  1. Launch Microsoft Edge and open its main menu.
  2. Go to Settings > Privacy, Search, and Services.
  3. Scroll down and toggle off Enhance images in Microsoft Edge.

Global: Google’s Password Manager Gains Biometric Authentication on Desktop

Google’s aim is to make it easier to use and secure passwords – at least, for users of the Password Manager tool built into its Chrome browser.

Last Thursday, the tech giant announced that Password Manager, which generates unique passwords and auto-fills them across platforms, will soon gain biometric authentication on PC. (Android and iOS have had biometric authentication for some time.)

When enabled, it’ll require an additional layer of security, like fingerprint recognition or facial recognition, before Chrome auto-fills passwords.

Exactly which types of biometrics are available in Password Manager on the desktop will depend on the hardware attached to the PC, of course (e.g. a fingerprint reader), as well as whether the PC’s operating system supports it.

So what’s the upshot for you? Beyond “soon,” Google didn’t say when to expect the feature to arrive.


Global: iOS 17 Automatically Removes Tracking Parameters From Links You Click On

iOS 17 and macOS Sonoma include even more privacy-preserving features while browsing the web.

Link Tracking Protection is a new feature automatically activated in Mail, Messages, and Safari in Private Browsing mode.

It detects user-identifiable tracking parameters in link URLs and automatically removes them.

Adding tracking parameters to links is one way advertisers and analytics firms try to track user activity across websites.

Rather than storing third-party cookies, a tracking identifier is simply added to the end of the page URL.

This circumvents Safari’s standard Intelligent Tracking Prevention features, which block cross-site cookies and other methods of session storage.

Navigating to that URL allows an analytics or advertising service at the destination to read the URL, extract those same unique parameters, and associate them with a user profile in its backend to serve personalized ads.
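The mechanism above is easy to see in code. The following is an added example, not Apple’s implementation and not code from the original post: it strips per-user tracking parameters from the query string of a link and reports which ones were removed, which is the same kind of scrubbing Link Tracking Protection does before the link is opened. The list of parameter names (`fbclid`, `gclid`, the `utm_` family and so on) is an assumption for the example; Apple has not published the exact set it detects, and the sample URL is constructed.

```python
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of query parameters that advertisers and analytics services
# use as click or user identifiers. This is a constructed example list, not
# the set that Safari's Link Tracking Protection actually uses.
TRACKING_PARAMS = frozenset({
    "fbclid", "gclid", "dclid", "msclkid", "mc_eid", "igshid", "twclid", "yclid",
})
# Parameter-name prefixes treated as tracking (the whole utm_* family).
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    """True if a query parameter name looks like a tracking identifier."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def scrub_url(url: str) -> Tuple[str, List[str]]:
    """Return (cleaned_url, removed_parameter_names).

    Only the query string is inspected; the path and fragment are left intact,
    so the destination page still loads but the per-user identifiers are gone.
    """
    parts = urlsplit(url)
    # keep_blank_values=True so that a bare "?flag" style parameter survives.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if not is_tracking_param(k)]
    removed = [k for k, _ in pairs if is_tracking_param(k)]
    clean_query = urlencode(kept)
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, clean_query, parts.fragment))
    return clean, removed


def strip_tracking_params(url: str) -> str:
    """Convenience wrapper that returns only the cleaned URL."""
    return scrub_url(url)[0]


if __name__ == "__main__":
    # Constructed sample link of the kind found in marketing e-mails.
    sample = ("https://example.com/article?id=42&utm_source=newsletter"
              "&fbclid=AbC123&page=2#section")
    clean, removed = scrub_url(sample)
    print("original:", sample)
    print("cleaned: ", clean)
    print("removed: ", removed)
```

Because `parse_qsl` decodes and `urlencode` re-encodes the remaining parameters, the cleaned URL is normalized rather than byte-for-byte identical to the original, which is fine for opening the link but worth knowing if you compare URLs as strings. A link whose only parameters were trackers comes back with no query string at all.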

So what’s the upshot for you? Very clever Apple.


US: US Intelligence Confirms It Buys Americans’ Personal Data

A newly declassified government report confirms for the first time that U.S. intelligence and spy agencies purchase vast amounts of commercially available information on Americans, including data from connected vehicles, web browsing data, and smartphones.

By the U.S. government’s own admission, the data it purchases “clearly provides intelligence value,” but also “raises significant issues related to privacy and civil liberties.”

The Office of the Director of National Intelligence (ODNI) declassified and released the January 2022-dated report on Friday, following a request by Sen. Ron Wyden (D-OR) to disclose how the intelligence community uses commercially available data.

This kind of data is generated by internet-connected devices, such as phone apps and vehicles that collect granular location data, and by web browsing data that tracks users as they move around the internet, and is then made available for purchase by data brokers.

The declassified report is the U.S. government’s first public disclosure revealing the risks associated with commercially available data of Americans that can be readily purchased by anyone, including adversaries and hostile nations.

The United States does not have a privacy or data protection law governing the sharing or selling of Americans’ private information.

“In a way that far fewer Americans seem to understand, and even fewer of them can avoid, [commercially available information] includes information on nearly everyone that is of a type and level of sensitivity that historically could have been obtained” by other intelligence gathering capabilities, such as search warrants, wiretaps, and surveillance, the report says.

So what’s the upshot for you? Would we really be surprised if the next report found the US Government buying data from China on US citizens?


US: Ohio Senate Moves to Criminalize Secretly Tracking People with Apple’s AirTags and Similar Devices

Tracking someone through apps and devices like the popular Apple AirTag without their consent could soon be deemed a criminal offense in Ohio after the state’s Republican-led Senate advanced the measure Wednesday with a unanimous bipartisan vote…

[V]iolators could be charged with a new first-degree misdemeanor offense of the “illegal use of a device or application,” resulting in up to 180 days in jail.

If the individual holds a prior conviction of menacing by stalking, the charge could escalate to a fourth-degree felony, resulting in six to 18 months in jail…

There is no known opposition to the measure.

Exceptions to the proposal include some law enforcement activity; parents or guardians tracking their children; caregivers tracking an elderly or disabled person they are entrusted with; a non-private investigator acting on behalf of a “legitimate business purpose;” and private investigators on certain cases.

The bill now heads to Ohio’s House of Representatives for further consideration.

So what’s the upshot for you? There are 49 more states in the US that should probably consider passing something similar.


US: The Verizon Annual 2023 Data Breach Investigations Report

Every year the US telephone service provider Verizon prepares an annual report of data breaches that happened during the previous year.

It’s good insight for businesses but also gives us a hint as to what to be prepared for at a more personal level.

  • Social engineering attacks are up, with Business Email Compromise and ransomware leading the charge.
  • Most breaches involve human error and external actors, and the primary motives are still financial.
  • Business Email Compromise (BEC) attacks have almost doubled and represent more than 50% of incidents in the Social Engineering pattern.
  • 74% of all breaches involve human error; 83% involve external actors.
  • Banks and exchanges have become prime targets for cybercriminals, with a fourfold increase in cryptocurrency-based attacks compared to previous years.
  • Organizations of all sizes and industries remain vulnerable to ransomware. Ransomware is present in 62% of incidents involving organized crime actors and 59% of financially motivated incidents.
  • Financial motives underlie 95% of breaches.
  • Ransomware is present in 24% of reported breaches and remains a significant threat.
  • Stolen credentials, phishing, and exploitation of vulnerabilities are the top attack methods for gaining access to organizational systems.
  • More than 32% of all Log4j scanning activities occurred within 30 days of its release.
  • Despite the heightened focus on Log4j, exploitation of vulnerabilities remained relatively stable in incidents and saw a decrease in their presence in breaches.

So what’s the upshot for you? Now you have the stats. One day we may treat our cybersecurity precautions as commonly as looking both ways before we cross the street.


KP: Lazarus hackers linked to the $35 million Atomic Wallet heist

The notorious North Korean hacking group known as Lazarus has been linked to the recent Atomic Wallet hack, resulting in the theft of over $35 million in crypto.

This attribution is from the blockchain experts at Elliptic, who have been tracking the stolen funds and their movements across wallets, mixers, and other laundering pathways.

The attack on Atomic Wallet occurred a couple of weekends back when numerous users reported that their wallets were compromised and their funds had been stolen.

The first evidence pointing to the Lazarus group is the observed laundering strategy, which matches patterns seen in previous attacks by the particular threat actor.

The second attribution element is using the Sinbad mixer for laundering the stolen funds, which the threat group also used in the Harmony Horizon Bridge hack.

Elliptic has previously said that North Korean hackers have passed tens of millions of USD through Sinbad, demonstrating confidence and trust in the new mixer.

The third and most significant proof of Lazarus’ involvement in the Atomic Wallet hack is that substantial portions of the stolen cryptocurrency ended up in wallets that hold the proceeds of previous Lazarus hacks and are assumed to belong to group members.

So what’s the upshot for you? The rise of blockchain monitoring firms, coupled with the enhanced capabilities of law enforcement agencies, has significantly complicated the laundering process and the subsequent cashing-out of the stolen assets.

And did you see that new North Korean rocket launcher? Who do you think paid for that?


And the quote of the week - “The creative adult is the child who survived.” - Ursula K. Le Guin

[image: pile of books]
- For the podcast of this update just right click the pic -

That’s it for this week. Stay safe, stay secure, school books, what school books? See you in se7en.



Low cost, high-quality GEOSAT imagery + LLM-based tools + enhanced Computer Vision software will give entities far-reaching capabilities for remote analysis of terrestrial objects.

Spying-as-a-Service?

Very well could be. I’m just going to pop out back for a swim. See you all later! :man_swimming: