The High Winds of the IT Privacy and Security Weekly Update for February 1st, 2022

Daml’ers,

In the week that Neil Young took both Spotify and Joe Rogan to task for spreading Covid misinformation, we start with the hurricane of an army wife scorned and end in the aftermath of Elon Musk moving something from the morning shower to the middle of the multi-lane highway.

Gosh.

In between that weather front and the next, we find facial recognition, fingerprints, fries, fines, and fight club. We even discover the new secret successor to the NSO Group.

Hold onto your hats, grab your phone, your raincoat, and let’s join the rest of the storm chasers as we track down this week’s highly unusual atmospheric activity.


US: Army Wife finds a new use for Apple AirTags

Military family Austin and Valerie McNulty were recently moving across the United States as part of their fourth permanent change of station, from Fort Carson, Colorado, to Fort Drum, New York.

Prior to making the cross-country trek, Valerie felt inclined to track her family’s possessions in case something happened during the moving process. She had an Apple AirTag that she inserted into a box of her son’s toys.

The family’s household goods were all packed up in mid-December in Colorado, with the intention of receiving all their possessions on January 5 in New York. While they received most of their items on January 8, Valerie said they “were still lacking a few of our high-value items left in Colorado.”

On January 7 the couple saw that their AirTag was moving, and were later told that their items would be delivered on January 8. However, a moving guy reportedly told Austin that he “just picked up the stuff” and would need another day or two. Thanks to the AirTag, the couple knew the moving guy was not in Colorado but less than five hours away in Harrisburg, Pennsylvania.

As for the family’s possessions, which were supposed to be inventoried and in a safe location, GPS tracking showed that neither action allegedly occurred. According to Austin, that same driver who allegedly lied about his whereabouts told Austin in a phone call that he went to see “his lady” and that was part of the delay. He what?

“I think we would have been waiting a lot longer for our home goods to arrive [if we didn’t have the AirTag],” Valerie said. “It gives that opportunity for things to conveniently go missing. I’m thankful it didn’t happen but it would be all too easy. I would say that AirTags are an easy way to hold the third parties accountable.”

So what’s the upshot for you? Never lie to an Army wife, it’s like being caught by a funnel cloud.


Global: Apple Finally Removing Python 2 in macOS 12.3

Apple will no longer bundle Python 2.7 with macOS 12.3, according to developer release notes for the upcoming software update. Python 2 has not been supported since January 1, 2020, and no longer receives any bug fixes, security patches, or other changes.

Apple says that developers should use an alternative scripting language going forward, such as Python 3, but it’s worth noting that Python 3 also does not come preinstalled on macOS. Developers can run the stub /usr/bin/python3 in Terminal, but it prompts users to install the Xcode developer tools, which include Python 3.

So what’s the upshot for you? “If your software depends on scripting languages, it’s recommended that you bundle the runtime within the app,” says Apple.


US: ID.me CEO backtracks on claims company doesn’t use powerful facial recognition tech

Identity verification company ID.me uses a type of powerful facial recognition that searches for individuals within mass databases of photos, CEO Blake Hall explained in a LinkedIn post last week.

The post follows a news release from the company last week stating directly that: “Our 1:1 face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use 1:many facial recognition, which is more complex and problematic.” Hall’s post on Wednesday confirms that ID.me does indeed use 1:many technology.

So what’s the upshot for you? Privacy advocates say that both versions of facial recognition pose a threat to consumers. In addition to numerous studies demonstrating the technology is less accurate on non-White skin tones, amassing biometric data can prove a huge security risk.


US: Domestic extremists have plotted to disrupt U.S. power grid, DHS bulletin warns

Domestic violent extremists have been planning to try to disrupt the U.S. power grid and will probably keep doing so, according to a Department of Homeland Security intelligence bulletin shared with law enforcement agencies and utility operators.

The U.S. electric grid contains approximately 7,700 power plants, 3,300 utilities, and over 2.7 million miles of power lines, according to the Council on Foreign Relations. Yet it functions as three separate U.S. grids, or “self-contained interconnections of power production and transmission”: the Eastern, Western, and Texas interconnections.

The bulletin notes that “Absent significant technical knowledge or insider assistance, small scale attacks are unlikely to cause widespread, multi-state power loss but may result in physical damage that poses risks to operations or personnel.”

So what’s the upshot for you? Sounds like security through obscurity, which… is… never very reassuring.


Global: What Do Hurricanes and Cybersecurity Have in Common?

Over 100 years ago the international community decided that it was beneficial for all, whether countries, regions, or hemispheres, to share weather-related information and technology to prepare for and tackle potential risks.

Even during the most frigid years of the Cold War, the U.S.S.R. and the United States reported weather patterns to each other and the rest of the world.

This is a remarkable example of sustained international cooperation for the greater good, in the interest of making the right decisions about public safety, agriculture, civilian safety, transport, and insurance.

What does this have to do with cybersecurity? Everything.

Cyberattacks can sometimes appear to come almost out of nowhere, devastating businesses and crippling all levels of government. But, like extreme weather events, there are warning signs, if one knows where to look for them and whom to inform.

Information sharing is everyone’s responsibility. Engineers need to report and follow warnings. Above all, boards need to accept and foster a cybersecurity culture. Customers need to demand security. Governments need to be more open. Every single one of us needs to care. If we continue as is, holding information close to our chests, more deaths from cyber incidents will follow. The international community has come together to make the world safer in the past. We can do it again.

So what’s the upshot for you? Weather doesn’t recognize borders; neither do cyberattacks.


US: Internal Revenue Service plan to scan your face prompts anger in Congress, confusion among taxpayers

Millions of Americans could soon have to scan their faces to access their Internal Revenue Service tax accounts, one of the government’s biggest expansions yet of facial recognition software into people’s everyday lives.

For now, U.S. taxpayers can still file their returns the old-fashioned way; the IRS began accepting returns for 2021 earnings last week, encouraging electronic filing.

But by this summer, anyone wanting to access their records — including details about child tax credits, payment plans, or tax transcripts — on the IRS website could be required to record a video of their face with their computer or smartphone, and send it to the private contractor ID.me to confirm their identity.

Many taxpayers already have encountered the system as they prepare to file their tax returns, attempt to make estimated tax payments, or try to peruse other records that can be accessed online. The company says that last month more than 60,000 face photos were submitted in a single day, though it was unclear how many of those came from taxpayers. But complaints of confusing instructions and long wait times to complete the sign-up have caused an unknown number to abandon the process in frustration.

The US$86 million ID.me contract with the IRS also has alarmed researchers and privacy advocates who say they worry about how Americans’ facial images and personal data will be safeguarded in the years to come.

There is no federal law regulating how the data can be used or shared. While the IRS couldn’t say what percentage of taxpayers use the agency’s website, internal data show it is one of the federal government’s most-viewed websites, with more than 1.9 billion visits last year.

So what’s the upshot for you? A senior counsel at the Electronic Privacy Information Center said “We haven’t even gone the step of putting regulations in place and deciding if facial recognition should even be used like this. We’re just skipping right to the use of a technology that has clearly been shown to be dangerous and has issues with accuracy, disproportionate impact, privacy, and civil liberties.”

A spokesperson for the U.S. Treasury Department told Bloomberg News “that any taxpayer who does not want to use ID.me can opt against filing his or her taxes online. We believe in the importance of protecting the privacy of taxpayers, while also ensuring criminals are not able to gain access to taxpayer accounts,” a representative added, arguing that it’s been “impossible” for the IRS to develop its own cutting-edge identification program because of “the lack of funding for IRS modernization.”


AU/FR/IL: Your Graphics Card Fingerprint Can Be Used to Track Your Activities Across the Web

Dubbed DrawnApart, the method “identifies a device from the unique properties of its GPU stack,” researchers from Australia, France, and Israel said in a new paper, adding that “variations in speed among the multiple execution units that comprise a GPU can serve as a reliable and robust device signature, which can be collected using unprivileged JavaScript.”

A device fingerprint or machine fingerprint is information that is collected about the hardware, installed software, as well as the web browser and its associated add-ons from a remote computing device for the purpose of unique identification.

Browser fingerprints suffer from one major drawback in that they can evolve over time, making it harder to track users for extended periods. That’s where DrawnApart comes in.

It is not only the first mechanism of its kind to explore and weaponize the manufacturing differences between identical GPUs, but also the first to use that approach reliably to distinguish between machines with identical hardware and software configurations, effectively undermining users’ privacy.

So what’s the upshot for you? In an evaluation setup of 88 devices, including Windows 10 desktops, Apple Mac mini devices, and multiple generations of Samsung Galaxy smartphones, the researchers found that when used in conjunction with state-of-the-art fingerprint linking algorithms like FP-STALKER, DrawnApart extended the median tracking period of a particular user from 17.5 days to 28 days.


RU/UA: More Russian Attacks Against Ukraine Come to Light

The WhisperGate attack is not the only operation believed to have been conducted by Russia-linked threat actors against Ukraine in recent months. Symantec on Monday disclosed the details of an espionage operation that it has tied to a known group.

For years, Russian advanced persistent threat (APT) actors have been observed launching various cyberattacks against Ukrainian targets, with some of these groups believed to be part of or under the direct supervision of Moscow’s secret service.

So what’s the upshot for you? It’s likely that the purpose of the attempted data leaks was to lower public trust in Ukrainian government institutions amid increasing tensions with Russia. Such offensive operations against Ukraine are expected to continue and to involve destructive malware, likely masquerading as ransomware.


CN: A Digi-Yuan Olympics

China will promote its state-run digital currency at the Winter Olympics, which kick off on Friday in Beijing. The digital yuan (#digi-yuan) is Earth’s first major central bank-backed digital currency.

China started rolling it out in 2019, and even tested expiration dates to fuel spending. This month, China opened it up to all citizens and launched a Digi-wallet app (it already has 261M users).

China is pushing US companies like Nike and Visa to accept Digi-yuans, and McDonald’s and Subway locations in Shanghai already do.

Digi-yuan could threaten the US dollar’s global trade dominance and soften the effect of US sanctions, especially on China. The USD’s reliable rep has made it the world’s “reserve currency” for international purchases (think: Canada buys oil from Mexico… in USD), making US sanctions a nightmare for impacted countries.

Also: USD is used in 88% of foreign exchange trades. But the dollar’s share of global payments is falling as euros, yuans, and cryptos gain. And now, China is positioning the Digi-yuan for international use.

So what’s the upshot for you? 87 countries are developing digital currencies, which settle instantly, are less expensive to create, and are more accessible for people without bank accounts. Of the five biggest banking systems, the US is furthest from going digital – though it’s exploring a digital dollar.

There are concerns with digi-currencies: surveillance states like China could use them to automatically fine citizens for things like jaywalking (it’s already using facial recognition cameras to send fine notifications via text).


CN: Chinese censors give ‘Fight Club’ new ending to make police win, angering fans and inspiring memes

More than two decades after its initial release, Fight Club, David Fincher’s beloved cult classic, has recently gotten an online release on Tencent Video, one of the biggest streaming sites in China.

But in a move that has upset and confused many, Chinese censors have given the movie a makeover, altering its iconic ending to something less anarchist and destructive than the original.

So what’s the upshot for you? We can only guess that viewers will be tripping over themselves to get to Tencent Video to see this particular 22-year-old politically correct remake. Remember to pay in Digi-yuan.


DE: Website Fined By German Court For Leaking Visitor’s IP Address Via Google Fonts

Earlier this month, a German court fined an unidentified website €100 ($110, £84) for violating EU privacy law by importing a Google-hosted web font.

The decision, by Landgericht München’s third civil chamber in Munich, found that the website, by including a Google Fonts-hosted font on its pages, passed the unidentified plaintiff’s IP address to Google without authorization and without a legitimate reason for doing so. That violates Europe’s General Data Protection Regulation (GDPR).

“The unauthorized disclosure of the plaintiff’s dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to § 823 Para. 1 BGB,” the ruling stated, as algorithmically translated. “The right to informational self-determination includes the right of the individual to disclose and determine the use of their personal data.”

The German court ruling echoes two other recent decisions, one earlier in January by Austria’s data protection authority that found the use of Google Analytics violated the law, and one in December last year when a different German court found that a Danish consent manager’s CookieBot program shared European IP addresses with US-based Akamai in violation of EU data laws.

So what’s the upshot for you? The decision says IP addresses represent personal data because it’s theoretically possible to identify the person associated with an IP address and that it’s irrelevant whether the website or Google has actually done so. Expect more cases of this nature as we move forward.
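The mechanism behind the ruling is simple: any <link> or @import that points at Google’s font hosts makes every visitor’s browser contact Google, which then sees the visitor’s IP address. As an added illustration (not code from the original post or the court), this Python script collects the URLs a page would load via <link> tags and inline CSS and reports the ones that hit a third-party font host; the two sample pages are constructed, one with the objected-to pattern and one with the same font self-hosted.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that learn the visitor's IP address the moment the browser fetches from them.
THIRD_PARTY_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# @import "..." / @import url(...) and plain url(...) inside <style> blocks.
CSS_IMPORT_RE = re.compile(r"""@import\s+(?:url\()?\s*['"]?([^'")\s]+)""", re.I)
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.I)

class FontRefCollector(HTMLParser):
    """Collects every URL the browser would request via <link> tags or inline CSS."""
    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):  # stylesheet, preconnect, preload, ...
            self.urls.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):  # HTMLParser hands <style> content to handle_data
        if self._in_style:
            self.urls += CSS_IMPORT_RE.findall(data) + CSS_URL_RE.findall(data)

def third_party_font_urls(html):
    """URLs (document order, deduplicated) that make the visitor contact a font host."""
    p = FontRefCollector()
    p.feed(html)
    p.close()
    hits = []
    for u in p.urls:
        host = urlparse(u).hostname  # None for relative, same-origin paths
        if host and host.lower() in THIRD_PARTY_FONT_HOSTS and u not in hits:
            hits.append(u)
    return hits

# Constructed sample of the pattern the Munich court objected to.
LEAKING_PAGE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url(//fonts.googleapis.com/css?family=Lato);</style>
</head><body>Hello</body></html>"""

# Constructed sample of the remedy: the same font served from the site's own origin.
SELF_HOSTED_PAGE = """<html><head><style>
@font-face { font-family: Roboto; src: url(/fonts/roboto.woff2) format("woff2"); }
</style></head><body>Hello</body></html>"""

if __name__ == "__main__":
    print("leaking page:", third_party_font_urls(LEAKING_PAGE))  # 3 third-party URLs
    print("self-hosted page:", third_party_font_urls(SELF_HOSTED_PAGE))  # []
```

Run it against the saved HTML of your own pages; an empty list means no font request leaves the site’s origin, which is the remedy the ruling points to.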


US: Spirion Releases Definitive Guide to 2021 Sensitive Data Breaches

83 percent of last year’s record number of data breaches involved sensitive data, compromising 889 million records and 150 million individuals.

The most common data targeted during sensitive data breaches last year included:

Social Security Number: 65% of all sensitive data incidents involved SSN
Personal Health Information: 41% of all sensitive data incidents
Bank account information: 23% of all sensitive data incidents
Driver’s license: 23% of all sensitive data incidents
Credit/debit card details: 12% of all sensitive data incidents
Email/password credentials: 10% of all sensitive data incidents

So what’s the upshot for you? When it comes to your data, we think it’s important to know exactly what is being targeted.


Global: NortonLifeLock Introduces Social Media Monitoring

NortonLifeLock today introduced a new feature to help keep customers’ social media accounts “safer” by monitoring them for account takeovers, risky activity, and inappropriate content.

Social Media Monitoring keeps a pulse on customers’ social media accounts, notifying them of suspected account compromise or potentially risky links in their account feed.

But wait…

Didn’t we get an update on this company a few weeks ago because it was buying up anti-virus companies and then adding in something very different?

So what’s the upshot for you? Consider the effect of your social media status as it is monitored by a company that is in the habit of loading crypto mining software on your machine along with its antivirus software.


US: Billionaire Facebook Investor Peter Thiel Secretly Funded A ‘Cyber Warfare’ Startup That Hacked WhatsApp

Since its founding in 2017 in San Diego, startup Boldend has kept a low profile. That’s because, according to two company insiders, it has to, with a mission to create tools that assist in cyber warfare missions with a focus on automation. It only has one customer, one that demands secrecy: the U.S. government.

Though it’s received little press, it did make it into the New York Times last weekend, right at the end of a feature on beleaguered Israeli spyware business NSO Group.

Boldend was reported to have developed a capability to hack WhatsApp, though it was closed off in a security update in January 2021.

So what’s the upshot for you? We found this story interesting not only due to the company’s similarity to the NSO Group but because Peter Thiel (you know, the guy who got NZ citizenship and then built the luxury home with the fallout bunker on the South Island) was such a large investor in a company focused on hacking WhatsApp, a Facebook product, after being such a large initial investor in Facebook.


CN: For when your singing moves out of the privacy of your shower

Tesla has launched a new product: a microphone called ‘TeslaMic’ designed for its in-car karaoke system. It’s only available in China for now.

Friday, Tesla started pushing its ‘Chinese New Year’ software update in China. Like in the rest of the world, Tesla often bundles up features for a bigger end-of-the-year software update that most often includes some fun features. For the Chinese New Year update, Tesla went a step further and actually also launched a physical product.

The company released the ‘TeslaMic,’ a microphone designed to work with Leishi KTV, a karaoke system that is being included as part of the update. The device has launched on Tesla’s Chinese merch store for 1,199 Chinese Yuan (~$188 USD).

So what’s the upshot for you? It sold out on the first day.

Your drive to work may never be the same again.




That’s it for this week. And just in case you do find yourself facing off against a hurricane, stay away from the windows, get as low as possible, move to an interior room, closet, or downstairs bathroom, and remember that we will be back in 7 to give you more instruction.

Until then stay safe, stay secure… and try to remain calm…




Amen.

They do not call them the GOHC (General Officer for Home Command) for nothing.