Shake it with the IT Privacy and Security Weekly Update for the week ending April 4th., 2023


For this update we start off with our feet solidly on the ground, buried under U.S. tax returns, before shaking it and finishing in outer space.

We learn when people discover that you are using NSO’s Pegasus spyware, you’ve got to go shopping for something even more secret.

Elon Musk gives us an opportunity to work for him for free while Mandiant divines how North Korea is paying for its latest set of rockets.

DarkTrace provides some sobering news about phishing that you should probably check out before you open any more emails, and then Western Digital backs up some malware and finds itself in the same trouble many of its users have already discovered.

It’s time to shake things up.
shake the tree
for a link to a podcast of this week’s content, use your mouse to click on the pic.

This week’s update branches off in more directions than a tree so why resist? Let’s shake it.

US: Tax Preparation Industry Alarmed Over Plan For IRS Free Tax-Filing System

The Biden administration’s $80 billion overhaul of the Internal Revenue Service is facing a new line of attack, this time from lobbyists representing tax preparers who fear that the agency’s growing power will cripple their businesses and infringe upon taxpayer privacy.

The fight is over a potential plan for the I.R.S. to create its own tax-filing system that would allow taxpayers to submit their returns directly to the federal government at no cost.

That type of free service could diminish the need for those provided by tax preparation companies like H&R Block and TurboTax.

The idea, which is still being studied, is stoking backlash from Republicans and business groups who argue that President Biden’s plans to bolster the I.R.S. will give it even more power over ordinary taxpayers.

The I.R.S. received a giant infusion of money as a result of the Inflation Reduction Act, a sweeping climate and energy bill that Congress passed last year.

That legislation set aside $15 million for the I.R.S. to conduct a study to determine how it could develop a program that would let Americans file their tax returns directly with the agency.

The I.R.S. is expected in the coming days to release its plan for how it intends to spend the $80 billion that it was allocated as part of that legislation.

Republican lawmakers have maintained firm opposition to the funding, which will help the agency hire 87,000 employees and have been taking steps to claw it back.

Democrats have long pushed to make filing free for everyone, seeing that as a way to make the process easier and less costly.

But that ambition could upend the business models of the multibillion-dollar tax preparation industry, which earns hefty fees every year for helping people navigate the tax code.

Several companies already provide free tax-filing services through the I.R.S. website to those who earn less than $73,000, and the agency provides forms that taxpayers who do not need any guidance can use to file their returns for free.

Some other software platforms offer limited free services for simple tax returns that also do not offer guidance through the process.

Initially, a tax-filing system developed by the I.R.S. would be similar to the existing free options.

But proponents of the idea believe that over time it could evolve to become a more comprehensive system that would provide taxpayers with returns that are already filled out based on wage data that the I.R.S. tracks.

At that point, taxpayers could just sign off on their returns as easily as responding “yes” to a text message.

So what’s the upshot for you? If you live in the US and just prepared your taxes and filed them yourself, the suggestion that you could just click on a single button and be done sounds like nirvana.

Paying to file your tax payments just seems inherently wrong. Growing an industry off the back of that also seems wrong.

Get the security and privacy right and dump all the cling-ons that make tax time for US citizens such an onerous annual experience and we might just vote for that even if we do lose a little more privacy in the deal.

Global: Twitter Opens Much of Its Source Code To the Global Community

"At Twitter 2.0, we believe that we have a responsibility, as the town square of the internet, to make our platform transparent. So today we are taking the first step in a new era of transparency and opening much of our source code to the global community.

On GitHub, you’ll find two new repositories (main repo, ml repo) containing the source code for many parts of Twitter, including our recommendations algorithm, which controls the Tweets you see on the For You timeline.

We’re also sharing more information on our recommendation algorithm in this post on our Engineering Blog.

For this release, we aimed for the highest possible degree of transparency, while excluding any code that would compromise user safety and privacy or the ability to protect our platform from bad actors, including undermining our efforts at combating child sexual exploitation and manipulation.

Today’s release also does not include the code that powers our ad recommendations.

We also took additional steps to ensure that user safety and privacy would be protected, including our decision not to release training data or model weights associated with the Twitter algorithm at this point.

Ultimately, this is our first step to be more transparent in this way, and we plan to continue sharing more code that does not present a significant risk to Twitter or people on our platform."

So what’s the upshot for you? Now you can do the work for free that Twitter workers were doing for pay before being fired by Elon.

Who could resist that?

EU: Meta Wants EU Users To Apply For Permission To Opt Out of Data Collection

Meta announced that starting next Wednesday, some Facebook and Instagram users in the European Union will for the first time be able to opt out of sharing first-party data used to serve highly personalized ads.

The move marks a big change from Meta’s current business model, where every video and piece of content clicked on its platforms provides a data point for its online advertisers.

People “familiar with the matter,” said that Facebook and Instagram users will soon be able to access a form that can be submitted to Meta to object to sweeping data collection.

If those requests are approved, those users will only allow Meta to target ads based on broader categories of data collection, like age range or general location.

This is different from efforts by other major tech companies like Apple and Google, which prompt users to opt-in or out of highly personalized ads with the click of a button.

Instead, Meta will review objection forms to evaluate reasons provided by individual users to end such data collection before it will approve any opt-outs.

It’s unclear what cause Meta may have to deny requests.

A spokesperson said that Meta is not sharing the objection form publicly at this time but that it will be available to EU users in its Help Center starting on April 5.

That’s the deadline Meta was given to comply with an Irish regulator’s rulings that it was illegal in the EU for Meta to force Facebook and Instagram users to give consent to data collection when they signed contracts to use the platforms.

Meta still plans to appeal those Irish Data Protection Commission (DPC) rulings, believing that its prior contract’s legal basis complies with the EU’s General Data Protection Regulation (GDPR).

In the meantime, though, the company must change the legal basis for data collection.

Meta announced in a blog post today that it will now argue that it does not need to directly obtain user consent because it has a “legitimate interest” to collect data to operate its social platforms.

“We believe that our previous approach was compliant under GDPR, and our appeal on both the substance of the rulings and the fines continues,” Meta’s blog said.

“However, this change ensures that we comply with the DPC’s decision.”

So what’s the upshot for you? Dragged kicking and screaming into GDPR alignment.

Meta does not want to accommodate the GDPR and their stance confirms it.

UK: What if Social Media were not for profit?

“What would it look like if we called time on Big Tech’s failed experiment?” asks the co-editor of the Oxford-based magazine New Internationalist.

A better social media would need to be decentralized… As well as avoiding a single point of failure (or censorship), this would help with other goals: community ownership, and democratic control, which would be facilitated by having many smaller, perhaps more local, sites.

Existing social media giants must be brought into public (and transnational) ownership — in a way that hands power to citizens, not governments.

They should also be broken up, using existing anti-monopoly rules.

It is hard to know what sort of algorithms would best promote real community until we try…

The algorithms that determine what enters peoples’ social feeds must be transparent:
open source, open for scrutiny, and for change.

We could also adapt from sites like Wikipedia (collectively edited) and Reddit (where posts and comments’ visibility is determined by user votes).

Moderation policies — what content is and isn’t allowed — could be decided collectively, according to groups’ needs…

An important step towards a decentralized social network would be interoperability and data portability.

Different sites need to be able to talk to each other (or ‘federate’), just as email providers or mobile operators are required to.

There’s no point being on a site if your friends aren’t, but if your server can relay messages to theirs there is less of a barrier.

Meanwhile, encryption will be vital for privacy.

So what’s the upshot for you? One particularly intriguing idea is that of software developer Darius Kazemi, who suggests every public library — there are 2.7 million worldwide — could host its own federated social media server.

As well as providing local accountability and access, and boosting increasingly defunded neighborhood assets, these servers would benefit from librarians’ expertise in curating information.

IN: India Hunts For Spyware That Rivals Controversial Pegasus System

India is hunting for new spyware with a lower profile than the controversial Pegasus system blacklisted by the US government, with rival surveillance software makers preparing bids on lucrative deals being offered by Narendra Modi’s government.

Defense and intelligence officials from the South Asian country have decided to acquire spyware from less exposed competitors to the NSO Group, the Israeli makers of Pegasus, according to people familiar with the move, seeking to spend up to $120mn through new spyware contracts.

About a dozen competitors are expected to join the bidding process, according to two people with knowledge of the talks, stepping into the void created by the pressure on NSO from human rights groups and the administration of US President Joe Biden.

India’s move shows how demand for this sophisticated – and largely unregulated – technology remains strong despite growing evidence that governments worldwide have abused spyware by targeting dissidents and critics. India has never publicly acknowledged being a customer of NSO.

However, the company’s malware has been found on the phones of journalists, left-leaning academics, and opposition leaders around India, sparking a political crisis.

Pegasus can turn phones into surveillance devices and can hoover up encrypted WhatsApp and Signal messages surreptitiously.

Modi government officials have grown concerned about the “PR problem” caused by the ability of human rights groups to forensically trace Pegasus, as well as warnings from Apple and WhatsApp to those who have been targeted, according to two people familiar with the discussions.

So what’s the upshot for you? The Modi agenda is often filled with shaky little unexpected surprises.

RU: Vulkan Files’ Leak Reveals Putin’s Global and Domestic Cyberwarfare Tactics

Inside the six-story building, a new generation is helping Russian military operations.

Its weapons are more advanced than those of Peter the Great’s era: not pikes and halberds, but hacking and disinformation tools.

The software engineers behind these systems are employees of NTC Vulkan. On the surface, it looks like a run-of-the-mill cybersecurity consultancy.

However, a leak of secret files from the company has exposed its work bolstering Vladimir Putin’s cyberwarfare capabilities.

Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation, and control sections of the internet.

The company’s work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence organization.

One document links a Vulkan cyber-attack tool with the notorious hacking group Sandworm, which the US government said twice caused blackouts in Ukraine, disrupted the Olympics in South Korea, and launched NotPetya, the most economically destructive malware in history.

Codenamed Scan-V, it scours the internet for vulnerabilities, which are then stored for use in future cyber-attacks.

Another system, known as Amezit, amounts to a blueprint for surveilling and controlling the internet in regions under Russia’s command and also enables disinformation via fake social media profiles.

A third Vulkan-built system – Crystal-2V – is a training program for cyber-operatives in the methods required to bring down rail, air, and sea infrastructure.

A file explaining the software states: “The level of secrecy of processed and stored information in the product is ‘Top Secret’.”

So what’s the upshot for you? Is a top-secret operation still top-secret if everyone knows about it?

KP: Mandiant Catches Another North Korean Gov Hacker Group

Threat hunters at Mandiant have caught another North Korean hacker group funding itself through cybercrime operations to support espionage campaigns against South Korean and U.S.-based government organizations.

The Google-owned incident response forensics firm flagged the group as APT43 and warned it’s a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime.

A new report from Mandiant said the threat actor’s cyberespionage campaigns include strategic intelligence collection aligned with North Korea’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cyber crime to fund operations.

Mandiant has been tracking the group since 2018 and observed a combination of spear-phishing campaigns, spoofed domains, and email addresses as part of aggressive social engineering tactics.

“APT43 maintains a high tempo of activity, is prolific in its phishing and credential collection campaigns, and has demonstrated coordination with other elements of the North Korean cyber ecosystem,” the company said, warning that targeting is focused on organizations in South Korea, the United States, Japan, and Europe.

So what’s the upshot for you? Mandiant said the ultimate aim of APT43’s campaigns is most likely centered around enabling North Korea’s weapons program.

UK: Capita, Company Providing UK’s Nuclear Submarine Training, Says It’s Successfully Contained ‘Cyber Incident’

Capita, the United Kingdom’s largest outsourcing company, confirmed Monday that an IT outage that left staff locked out of their accounts on Friday was caused by “a cyber incident.”

Staff attempting to login were erroneously told their usual passwords were “incorrect” according to reports, fueling speculation that a cyberattack was to blame, although not all of Capita’s 61,000 employees were affected.

At the time, a Capita spokesperson said the company was investigating “a technical issue.”

In an update on Monday about the incident sent to the Regulatory News Service, the company confirmed it “experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications.”

So what’s the upshot for you? In its statement, Capita said: “Immediate steps were taken to successfully isolate and contain the issue,” which was “limited to parts of the Capita network.”

The company acknowledged that some services provided to clients were disrupted, although it did not specify which.

Global: Western Digital Says Hackers Stole Data in Network Security Breach

Data storage giant Western Digital has confirmed that hackers exfiltrated data from its systems during a “network security incident” last week.

The California-based company said in a statement on Monday that an unauthorized third party gained access to “a number” of its internal systems on March 26.

Western Digital hasn’t confirmed the nature of the incident or revealed how it was compromised, but its statement suggests the incident may be linked to ransomware.

Western Digital notes that the incident “has caused and may continue to cause disruption” to the company’s business operations.

So what’s the upshot for you? Interesting to see Western Digital get hit like this. Perhaps it will encourage a different approach to data storage that might make malware less of an issue for everyone.

Global: Novel Social Engineering Attacks Soar 135% Amid Uptake of Generative AI

Researchers from Darktrace have seen a 135% increase in novel social engineering attack emails in the first two months of 2023.

The cyber security firm said the email attacks targeted thousands of its customers in January and February 2023, an increase which it said matches the adoption rate of ChatGPT.

The novel social engineering attacks make use of “sophisticated linguistic techniques,” which Darktrace said include increasing text volume, sentence length, and punctuation in emails.

Darktrace also found there’s been a decrease in the number of malicious emails that are sent with an attachment or link.

The firm said that this behavior could mean that generative AI, including ChatGPT, is being used by malicious actors to construct targeted attacks rapidly.

Survey results indicated that 82% of employees are worried about hackers using generative AI to create scam emails that are indistinguishable from genuine communication.

It also found that 30% of employees have fallen for a scam email or text in the past. Darktrace asked survey respondents what the top-three characteristics are that suggest an email is a phish and found:

  • 68% said it was being invited to click a link or open an attachment
  • 61% said it was due to an unknown sender or unexpected content
  • Poor use of spelling and grammar was chosen by 61% too

In the last six months, 70% of employees reported an increase in the frequency of scam emails.

Additionally, 79% said that their organization’s spam filters prevent legitimate emails from entering their inbox.

So what’s the upshot for you? You used to be able to count on subtle errors made on behalf of those creating Phish e-mails. Now the power of AI is delivering something that requires an extra level of vigilance. The best strategy now is to review and examine all unexpected emails as if they were phishing attempts.

US/CN: ByteDance pushes an Instagram-like app while Washington battles over banning TikTok

When Congress gives you lemons… make Lemon8.

ByteDance has been busy, and not just defending its social superstar, TikTok, from US lawmakers, who are considering a ban.

The Chinese tech titan has another social app, dubbed Lemon8, which hit US App Store top charts this week.

Described as a cross between Meta’s Instagram and Pinterest (picture: style pics, shopping recs), Lemon8 is said to use the same recommendation algo. powering TikTok’s addictive feed.

After introducing the app in 2020, in Japan, ByteDance grew Lemon8 to 5M monthly users last year by rolling it out in countries including the UK and Indonesia.

ByteDance paid US creators to juice up Lemon8 with #sponsored content, and some social stars are posting about Lemon8 on TikTok.

ByteDance is reportedly gearing up to (officially) promote Lemon8 globally next month.

ByteDance also owns CapCut, a Tok-friendly video-editing app with 400M+ global downloads last year.

Lemon8’s low-key launch contrasts with ByteDance’s high-key TikTok tangle.

A bipartisan group of lawmakers is pushing legislation that would give President Biden the power to ban (or force a sale of) TikTok — plus other apps are seen as posing national security concerns.

Think of platforms that might share data with China or other sanctioned countries. POTUS urged Congress to pass the bill, but not everyone’s on the bandwagon: Sen. Rand Paul and Rep. Alexandria Ocasio-Cortez recently opposed a ban on free-speech grounds. TikTok users have also been posting fan content supporting the app’s CEO, who was grilled by Congress last month.

So what’s the upshot for you? Even if the US gov’t squashes TikTok, lawmakers might sour on TikTok-adjacent apps, leaving them forever chasing viral hits.

Meanwhile, federal privacy legislation — which could address the root of many app-privacy concerns — has been stalled in Congress for years.

As officials keep whacking moles, incredibly popular new apps from China keep appearing.

US: US Military Prepares for Space Warfare As Potential Threats Grow From China

America’s Department of Defense “is gearing up for a future conflict in space,” reports the Wall Street Journal, “as China and Russia deploy missiles and lasers that can take out satellites and disrupt military and civilian communications.”

The White House this month proposed a $30 billion annual budget for the U.S. Space Force, almost $4 billion more than last year and a bigger jump than for other services including the Air Force and the Navy…

A key aim of a stand-alone force was to plan, equip and defend U.S. interests in space for all of the services and focus attention on the emerging threats.

For the first time, the spending request also includes plans for simulators and other equipment to train Guardians, as Space Force members are known, for potential battle…

Just as it is on Earth, China is the Pentagon’s big worry in space.

In unveiling a defense strategy late last year, the Biden administration cast China as the greatest danger to U.S. security.

In space, the threats from China range from ground-launched missiles or lasers that could destroy or disable U.S. satellites, to jamming and other cyber interference and attacks in space, said Pentagon officials.

China has invested heavily in its space program, with a crewed orbiting station, developing ground-based missiles and lasers as well as more surveillance capabilities.

This is part of its broader military aims of denying adversaries access to space-based assets.

China is “testing on-orbit satellite systems which could be weaponized as they have already shown the capability to physically control and move other satellites,” Gen. Chance Saltzman, chief of space operations for the U.S. Space Force, told a congressional hearing this month.

“There’s nothing we can do in space that’s of any value if the networks that process the information and data are vulnerable to attack,” Gen. Saltzman said.

A central part of the Space Force’s next tranche of military contracts for rocket launches is protecting them from attacks by China and other adversaries.

The hope is to make satellites tougher to approach by adversaries’ equipment as well as less susceptible to lasers and jamming from space or the ground, said Space Force leaders.

So what’s the upshot for you? To infinity and beyond……
bent tree
for a link to a podcast of this week’s content, use your mouse to click on the tree.

And our quote of the week: "The key to overcoming procrastination is to do something more unpleasant than the thing you are procrastinating about.” - Andrew D. Huberman, Ph.D.

That’s it for this week. Stay safe, stay secure, shake a leg, and see you in se7en.