The IT Privacy and Security Slice for April 13th. 2021



The best IT Privacy and Security Update … served with perhaps the most questionable intro and outro music ever!

And he’s right. We follow the food theme again this week and go from Apple to Cheese.

We start with an outright rejection of the UK government’s second expensive attempt at a Covid-19 tracker, then we move over to the app that really should not be on your phone anymore.

Next: a crazy story about an exchange that gets breached and then reminds you that YOU should use more complex passwords, a completely politically correct request for UK women to get more involved in hacking, and 7 new and evolving methods that fisher-people are going to try to catch you out with.

Finally, we share a story on how Google intends to help you stop bumping into lamp posts.

Oh and then there is the missing cheese.

You’ll find it all here this week (except for the cheese) in probably the healthiest slice of IT Privacy and Security ever!


UK: Apple and Google reject UK COVID-19 app

Apple and Google have been forced to reject the UK’s latest COVID-19 Test and Trace app update because it failed to follow privacy rules the nation had already agreed to follow in order to use the frameworks the tech firms provide.
The updated version included a tool that required users to check in to venues they visited using a QR code and the app. If they subsequently tested positive for the virus, the app would upload logs of those check-ins and warn others.
While this almost sounds reasonable, it actually isn’t, because it effectively means authorities collect personally identifiable location data, in direct contravention of the conditions of use Apple and Google have always required for their contact tracing framework.

So what’s the upshot for you? The tech firms cannot make an exception for one government, or they would be required to make an exception for all. Apple CEO Tim Cook recently observed, “Once you have a back door, you have a back door for everybody.”


Global: Encryption Has Never Been More Essential—or Threatened

Will Cathcart (@wcathcart) is the head of WhatsApp at Facebook.

"Elected officials in Europe have recently called for companies to build ways to break into their own encryption. In India, regulators have published new rules for messaging services that would undermine people’s ability to have a private conversation. Brazil’s Supreme Court may soon decide whether the government can shut off encrypted messaging services, in a case that started after a Facebook executive was arrested for not providing police with messages we could not access. Any of these steps could alter the course of the internet at a time when people need strong security more than ever.

Technical as encryption can be, it is really about something at the very core of how we live our lives today: Should people be able to have a private conversation when they are not together in person?

I believe the answer must be yes. People speak to each other privately in person all the time. As human beings, we’re wired to assume that when we’re talking to someone face to face, our conversation is private. We shouldn’t give that up. The lessons of the past five years make it absolutely clear that technology companies and governments must prioritize private and secure communication."

We have seen three separate events, any one of which should give you every reason you need to quit Messenger. First, Cathcart’s rallying cry for users to use platforms with end-to-end encryption in place. Second, Facebook admitting that such security will not come to Messenger until some time in 2022, at the earliest. And, finally, another story on Facebook’s data mishandling.

So what’s the upshot for you? Will wrote this editorial before the news of the big WhatsApp/Facebook data scraping fire-sale event broke last week. It’s somewhat ironic that the publication of his article coincided with Facebook’s latest data disaster—the online release of 533 million user records. Leaking user phone numbers isn’t really the best ad for “privacy and security.”


Global: Your WhatsApp account can be suspended by anyone who has your phone number

Here is how it works: The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.

With your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.

So what’s the upshot for you? You won’t have any problem with this if you have already moved off WhatsApp to Signal. Perhaps for all the friends who still feel the need to share their full contacts list with Facebook, you could use this technique as an added persuasion to get them off WhatsApp… by breaking it.


IN: Upstox breached

"We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems.
As a matter of abundant caution, we have also initiated a secure password reset via OTP.

  • Immediately restricted access to the impacted database
  • Added multiple security enhancements at all third party data-warehouses
  • Set up real-time 24x7 monitoring
  • Additionally ring-fenced the network"

So what’s the upshot for you? We find it a little bit offensive when an exchange gets hacked after baddies gained access to the company’s Amazon AWS key and they offer YOU advice like:

  • Always use unique strong passwords (multi-case, alphanumeric, no name fragments) and different from older versions
  • Never share OTPs with anyone
  • Watch out for OTPs you may not have requested and alert the service provider in such events.

…And what is an OTP? That’s never defined. Is it a One Time Password? Is it a One Time Purchase? Or is it a One Trick Pony? Only Ravi Kumar, notice writer, Co-founder & CEO of Upstox might have a clue.

US: ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users

ParkMobile confirmed the exposed data included basic account information – license plate numbers and, if provided, email addresses and/or phone numbers, and vehicle nickname.
“In a small percentage of cases, there may be mailing addresses,” spokesman Jeff Perkins added.
So what’s the upshot for you? Someone has my license plate details? That’s as bad as writing them on a big piece of metal, bolting it to the front and rear of a car, and driving around in public. OK, again the issue here is associating the license plate data to phone number and e-mail address… and then tying those details to other personal data. Read on…


US: What’s a Data Broker? What we should understand about the collection of our data.

Large data brokers—like Acxiom, CoreLogic, and Epsilon—tout the detail of their data on millions or even billions of people. CoreLogic, for instance, advertises its real estate and property information on 99.9 percent of the US population. Acxiom promotes 11,000-plus “data attributes,” from auto loan information to travel preferences, on 2.5 billion people (all to help brands connect with people “ethically,” it adds). This level of data collection and aggregation enables remarkably specific profiling.
All of these unchecked practices undermine civil rights. Companies that boast holding thousands of data points on millions or billions of people—all for selling them to whoever is buying—themselves represent the aggregation of unrestrained surveillance power. This is particularly dangerous to the less powerful. As centuries of surveillance in the United States have made undeniably clear, the impact of stockpiling individuals’ personal information will fall hardest on the already oppressed or marginalized.
Law enforcement already buys up data from brokers. The Department of Homeland Security, including subagencies responsible for putting children in cages, have purchased cell phone location data on millions of Americans, home address information to support deportations, and home utility data for investigations, among others. The Federal Bureau of Investigation has also been purchasing cell phone location data from data broker Venntel. These practices circumvent democratic accountability: Agencies buy the information without warrants, and in doing so may bypass prohibitions on companies handing data directly to law enforcement. Plus, the data may not even be accurate. An investigation by The Markup identified dozens of US cases over the last decade where individuals were denied housing because screening companies used bad information, often purchased from data brokers or pulled from “people search” broker websites. Citizens also get rejected from jobs because of background checks relying on incorrect data.
Data brokers are lobbying more aggressively in Washington. Twenty-five such companies spent US$29 million on lobbying in 2020, rivaling the efforts of Facebook or Google. That’s why it’s more urgent than ever that legislators and regulators address this industry as a key part of protecting Americans’ privacy and curbing the harms the industry causes abroad.

So what’s the upshot for you? The amount of money spent on “swaying” the opinion of our elected officials by lobbyists once they land in or near Washington DC is crazy. However, this is a fight that we all should be engaged in, covering us in ways we should all be familiar with. Why complain about TikTok profiling US users when any foreign nation-state can simply “buy” the information from any number of vendors?


US: Creative new Methods to Steal your Identity or your Data

  • QR codes. We see them so often in commercial settings that we begin to trust them. Often, however, the QR codes sent are run by third-party vendors, and scanning one is just like clicking on a malicious URL. “Scan this QR code to have a chance of winning an Xbox, and often the code will lead to a dodgy site which downloads malware to the phone doing the scanning.”
  • Browser notifications. What was once a useful way to engage with readers and keep them up to date is now, of course, also a social engineering tool. “These are called push notifications, and they can be weaponized. The problem is that many users blindly click ‘yes’ to allow notifications and the messages are usually phishing schemes or scam notifications that contain malware.”
  • Offers to collaborate. Recent pandemic lockdowns and expanded work-from-home increased people’s comfort with remote collaboration, so this tactic fit the times well. “The threat actors send over a Visual Studio Project containing malicious code. The user self-runs the program, and their device is infected pretty quickly. This attack essentially exploits the desire or need to assist or help others with passion projects.”
  • Supply chain partner impersonation. There has been a plethora of targeted emails coming in that look like they are from your trusted partners but are in fact bad actors posing as employees you may know within your network. “Masked as incentives or thank-yous from the company’s real business partners, they offer creative opportunities to compromise your own account.”
  • Deep-fake recordings. A couple of years back a fake recording of a CEO’s voice was used to instruct an employee to immediately transfer money to an international account. “The recording was left as a voicemail to the subordinate, who obeyed the fraudulent instructions and sent $243,000 to the attackers.”
  • Text Fraud. Texts that promise information about COVID stimulus checks, vaccines, or other… link victims back to a website that looks like a valid site and asks for sensitive personal information, such as birth date and social security number.
  • Typo-squatting or lookalike domains. Fraudsters impersonate legitimate domains in order to fool victims into thinking they are in a safe location. They do this with many tricks, including misspelling the domain (think G00gle instead of Google) or adding a different top-level domain (.uk instead of .co.uk). Unlike the often sloppy versions from earlier days, today these sites may feature sophisticated designs, carefully detailed mimicry of legitimate sites, and sophisticated functionality.
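The lookalike-domain tricks in the last bullet (digit-for-letter swaps such as G00gle, and a different public suffix such as .uk in place of .co.uk) can be caught mechanically before a user ever clicks. The script below is an added example written for this post, not code from the original article or any vendor: it takes a link, extracts the hostname, and compares its registrable label against a small trusted allowlist after mapping confusable characters back to the letters they imitate, after a one-edit (including transposition) distance check, and after separating the public suffix. The `TRUSTED` list, the `CONFUSABLES` table, the stand-in `PUBLIC_SUFFIXES` tuple and the sample links are all constructed for the illustration; a production check would use the real Public Suffix List and a fuller confusables table.

```python
"""Lookalike-domain check for links in mail or chat (added illustration).

Flags a hostname as a lookalike when, against a trusted domain, it either
matches after confusable-character normalisation, sits one edit away, or
keeps the same registrable label under a different public suffix.
"""
from urllib.parse import urlsplit

# Constructed allowlist for the example (assumption, not a real policy).
TRUSTED = ["google.com", "example.co.uk"]

# Glyphs and digraphs commonly substituted for Latin letters in lookalike
# registrations.  Assumed, abbreviated table; the Unicode confusables
# data is the proper source for a real deployment.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "ı": "i", "о": "o", "а": "a", "е": "e",   # dotless i and Cyrillic o, a, e
}

# Tiny stand-in for the Public Suffix List (assumption for the example).
PUBLIC_SUFFIXES = ("co.uk", "org.uk", "ac.uk", "com.au")


def skeleton(label: str) -> str:
    """Map digits and confusable glyphs to the letters they imitate."""
    out = label.lower()
    # Longest substitutions first so 'rn' is handled before single chars.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(src, dst)
    return out


def split_host(host: str):
    """Return (registrable_label, public_suffix) for a hostname."""
    host = host.lower().rstrip(".")
    for sfx in PUBLIC_SUFFIXES:
        if host == sfx or host.endswith("." + sfx):
            rest = "" if host == sfx else host[: -len(sfx) - 1]
            labels = rest.split(".") if rest else [""]
            return labels[-1], sfx
    labels = host.split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[-1][-1]


def classify(host: str, trusted) -> tuple:
    """Return (verdict, reason) where verdict is trusted, lookalike or unknown."""
    label, sfx = split_host(host)
    for t in trusted:
        tl, ts = split_host(t)
        if label == tl and sfx == ts:
            return "trusted", t
        if skeleton(label) == skeleton(tl):
            if sfx == ts:
                return "lookalike", f"confusable characters vs {t}"
            return "lookalike", f"suffix swap vs {t}"
        # One-edit matches are only meaningful for labels long enough to
        # make accidental collisions unlikely (threshold is an assumption).
        if len(tl) >= 5 and edit_distance(skeleton(label), skeleton(tl)) == 1:
            return "lookalike", f"one edit from {t}"
    return "unknown", ""


def check_link(url: str, trusted=TRUSTED) -> tuple:
    """Classify the hostname of a URL against the trusted allowlist."""
    host = urlsplit(url).hostname or ""
    return classify(host, trusted)


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in ("https://www.google.com/login", "http://g00gle.com/win",
                 "http://example.uk/", "http://googel.com/", "http://microsoft.com/"):
        print(link, "->", check_link(link))
```

The check is deliberately conservative: the confusable table and the edit-distance threshold only produce a verdict against the allowlist, so an unfamiliar but legitimate domain comes back as "unknown" rather than being blocked, which is the right default for a mail gateway or browser extension that then hands the decision to policy.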

So what’s the upshot for you? Many of these are common sense, and… sometimes it’s good to have a little refresher.


UK: Calling all women! The Average British computer criminal is young, male, and not highly skilled.

An academic researcher has analyzed more than 100 Computer Misuse Act cases to paint a picture of the sort of computer-enabled criminals who plague Great Britain’s digital doings in the 21st Century.

The average Computer Misuse Act convict is likely to be a semi- or low-skilled individual, mostly working alone and more likely than not to have no knowledge of his or her victim, James Crawford of Royal Holloway, University of London, found.
Males made up a whopping 97 percent of perps in the data Crawford analyzed, with just three criminals out of the 100 cases being women. “The average age of those deemed to be hackers in this project is just over 29 years old at the point of conviction. The youngest hacker in the survey was 16 on conviction (14 at the time he committed the crimes). The oldest was 69.”

Nonetheless, the median criminal computer abuser is “young and male, with mental health and development disorders over-represented in their number,” the researcher concluded.

So what’s the upshot for you? We know so many men who fit into these categories… but why only 3% women? Come on! Let’s get some parity and some real skill in here.


US: Bruce Schneier endorses Biden’s Cybersecurity Nominations

https://www.schneier.com/blog/archives/2021/04/more-biden-cybersecurity-nominations.html

President Biden announced key cybersecurity leadership nominations Monday, proposing Jen Easterly as the next head of the Cybersecurity and Infrastructure Security Agency and John “Chris” Inglis as the first-ever national cyber director (NCD).

Jennifer Easterly is a West Point graduate and Army veteran who rose to become Deputy for Counterterrorism, with a side order of cybersecurity. She was involved at a senior level in the design of what eventually became U.S. Cyber Command. As part of the transition team for President Biden, she took the lead role in the development of the current administration’s cyber policy.
After something like three decades of Army and GS service, four years ago she joined Morgan Stanley. Jennifer is currently Managing Director of Morgan Stanley’s React and Global Head of the Cybersecurity Fusion Center.
If approved, she will fill the vacant Director role formerly held by Chris Krebs, which has been empty since President Trump fired him very publicly in a tweet… CISA was originally seen as a fairly minor agency when created back in 2018, but due to many incidents it has become a fairly heavyweight role, especially with the recent ill winds of SolarWinds and other highly embarrassing, if not vexatious, events.
Let’s hope she has not outgrown her jogging shoes, because not only is she going to have to hit the ground running, this is going to be a grueling marathon. Especially as one Senator has called the job “a single neck to squeeze”.

John “Chris” Inglis is a former Deputy Director of the National Security Agency, a post he retired from back in early 2014, and one it has been said he was forced out of by the Ed Snowden fallout that also claimed General Alexander[1]. He will, if approved, be the first National Cyber Director. What that will involve is anybody’s guess at the moment.
Since 2015 he has been Professor in Cyber Security Studies at the United States Naval Academy. In the mid-90s he spent a year as Deputy Chief of the NSA Office of Encryption Policy, with a year at the end of the decade as Deputy Chief in the Operations Directorate for the Office of China and Korea. Something that might prove invaluable with the way things are “cooking up” in the South China Sea, which may well boil over into fairly serious cyber activity.
Interestingly, he is well qualified in engineering and computer science, which kind of makes a difference from your usual political appointee. I would as a consequence expect him to have a way better grasp of the technological side of things, which is very likely to become of significant relevance in very short order.
Once tipped to be the first civilian Director of the NSA, “Chris” got unceremoniously “brushed” out the door in the massive shakeup Ed Snowden caused.

So what’s the upshot for you? They are both NSA insiders from the Obama era. We aren’t sure we are as comfortable as Bruce is with these nominations. Time will tell.


Global: Google starts rolling out “Heads Up” in Digital Wellbeing to stop distracted walking

“Watch your step with Heads Up…If you’re walking while using your phone, get a reminder to focus on what’s around you. Use with caution. Heads Up doesn’t replace paying attention.” Tapping on the ‘Next’ button at the bottom of this screen begins the setup process, after which the feature pushes a reminder every time you use your phone while walking.

So what’s the upshot for you? At the moment, the new Heads Up feature seems to be rolling out only on Google’s Pixel devices with the latest Digital Wellbeing beta update. Downloading it now, we hope it prevents those awkward lamp post collisions.


Holland: Where’s the cheese Please?

With over 1000 locations around Holland, Albert Heijn is an industry giant. Yet the supermarket firm suffered major food shortages after a cyber-attack on key supplier Bakker Logistiek.
The attack itself occurred over the Easter weekend and forced Bakker Logistiek to return to pen and paper as IT pulled the plug on digital systems.
That meant orders were not coming in or being fulfilled in warehouses, as the whole process is usually highly automated for maximum efficiency.
Cheese deliveries were reportedly held up for three days, creating a backlog of orders and supermarket shortages.
It appears to be a ransomware attack involving the Microsoft Exchange server compromise of a few weeks back. Right now Bakker Logistiek isn’t commenting on a ransom being paid, only saying that the case is with the police.

So what’s the upshot for you? Who would have thought that cybercriminals could have such an impact on our waistlines.


And that’s the meat and potatoes for this week. Stay safe, stay secure, and see you in Se7en!



Duplicate content, awesome content, but duplicate nonetheless :sunglasses:

I guess there is supposed to be something different about the first Google?

Getting a D-i-v-o-r-c-e (Anyone remember that song?) from Google Inc. + Friends is going to become more prevalent and important in the future. While I love the Google Suite of products, Google has inadvertently become the Mothership for Data Harvesting, Mining and Repurposing.

If it was just Google hoovering up and using my data, I’d be OK with that, but it is not.

We can harden our personal information profiles, but what about Business? Many of them have their Business processes & reporting stacks tied to vendors, that are exceptionally difficult to move away from.

… and yes, that was cheesy intro/outro music :+1:t2: :joy:

We rewrite this material three to four times and pick up corrections in some versions, ultimately hoping to remember what was updated… to return and make corrections. Usually, I get them, but you are right, this week, I had a number of misses. Thanks for the proofing! I need to work harder, or at least figure out a better system than the spreadsheet-based one in use now! (I have updated your finds. Thank you!!)

Loved your comments! The music this week was especially fun simply because it was so bad. There is a video on Youtube of the guy singing with two back up singers bobbing their heads in unison that convinced even my cat to flee the room, and that cat could sleep through anything!

Thanks again quidagis!


A little levity is a good thing, so more music please :musical_keyboard:

If you would like another pair of eyes to proof the beta posts, ping me :raised_hand:t2: