Daml’ers,
Welcome to year 4 of the IT Privacy and Security Weekly Update.
This week we go from cookies and keys to bees.
We have stories that fly from hardware to… hard-to-secure and even one for the… hard of hearing.
Then there’s the latest hive of activity directed at a particular group of foreign exchange students, along with who’s been stung by more privacy fines.
2023 makes a beeline right out of the gate, and we don’t mean to wax lyrical but the stories flow like nectar.
So grab your Tyvek suit, your veil, and let’s join the swarm!
US: Google Will Pay $9.5 Million To Settle Washington DC Attorney General’s Location-Tracking Lawsuit
Google has agreed to pay $9.5 million to settle a lawsuit brought by Washington DC Attorney General Karl Racine, who accused the company earlier this year of “deceiving users and invading their privacy.”
Google has also agreed to change some of its practices, primarily concerning how it informs users about collecting, storing, and using their location data.
“Google leads consumers to believe that consumers are in control of whether Google collects and retains information about their location and how that information is used,” the complaint, which Racine filed in January, read.
“In reality, consumers who use Google products cannot prevent Google from collecting, storing and profiting from their location.”
Racine’s office also accused Google of employing “dark patterns,” which are design choices intended to deceive users into carrying out actions that don’t benefit them.
Specifically, the AG’s office claimed that Google repeatedly prompted users to switch on location tracking in certain apps and informed them that certain features wouldn’t work properly if location tracking wasn’t on.
Racine and his team found that location data wasn’t even needed for the app in question.
They asserted that Google made it “impossible for users to opt out of having their location tracked.”
So what’s the upshot for you? This is not news, but it is good to see Google being made to clarify that it is always tracking your location.
FR: Microsoft Fined $64 Million By France Over Cookies Used in Bing Searches
France’s privacy watchdog fined Microsoft $64 million for not offering clear enough instructions for users to reject cookies used for online ads, as part of the move to enforce Europe’s tightening data protection law.
CNIL, France’s digital privacy regulator, said Thursday that it carried out several investigations on the Microsoft search engine Bing in September 2020 and May 2021 and found that the site dropped advertising cookies in users’ terminals without their explicit consent.
The website also lacked a button for users to reject cookies as simply as accepting them, CNIL said, where two clicks were required to refuse all cookies while only one was needed to accept them.
Cookies are small files that track and monitor the sites users have visited and are often used to help personalize online ads.
According to CNIL, the $64 million fine against Microsoft is justified partly because of the scope of revenue the company made from advertising indirectly generated from the data collected via cookies.
So what’s the upshot for you? That’s a batch of expensive cookies.
CN/UK: RedZei Chinese Scammers Targeting Chinese Students in the U.K.
Chinese international students in the U.K. have been targeted by persistent Chinese-speaking scammers for over a year as part of an activity dubbed RedZei (aka RedThief).
“The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation,” cybersecurity researcher Will Thomas said in a write-up published last week.
The most notable aspect of the operation is the effort the threat actors put into defeating the measures users take to block scam calls: they use a new pay-as-you-go U.K. phone number for each wave, which renders phone-number-based blocking ineffective.
Thomas, pointing out the meticulous tradecraft employed by the scammers, said the threat actor alternates between SIMs from several mobile carriers such as Three, O2, EE, Tesco Mobile, and Telia.
Indications are that the lucrative RedZei campaign may have started as far back as August 2019, with a report from The Guardian detailing a visa scam that tricked Chinese students into shelling out huge sums of money to avoid getting deported.
So what’s the upshot for you? Just what every student needs. More trouble.
Global: The LastPass disclosure of leaked password vaults is being torn apart by security experts
Last week, LastPass announced that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.
“While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.”
LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things.
Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray the August incident where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.
He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.
Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager.
“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”
LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults.
While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no – with LastPass, your vault is a plaintext file and only a few select fields are encrypted.”
Encryption only does you any good if the hackers can’t crack your master password, which is LastPass’ main defense in its post: “if you use its defaults for password length and strengthening and haven’t reused it on another site, it would take millions of years to guess your master password using generally-available password-cracking technology,” wrote Karim Toubba, the company’s CEO.
“This prepares the ground for blaming the customers. LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn’t follow their best practices.”
Also, remember that LastPass hasn’t necessarily enforced those standards.
Despite the fact that it made 12-character passwords the default in 2018, you can log in with an eight-character password without any warnings or prompts to change it.
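The “millions of years” claim and the eight-versus-twelve-character point above rest on simple arithmetic: the number of candidate passwords multiplied by the cost of deriving the vault key from each one. The following script is an added illustration, not code from the article, from LastPass or from any of the researchers quoted; the cracking throughput and the 100,000 PBKDF2 iteration count are placeholder assumptions chosen for illustration, not LastPass’s actual parameters.

```python
"""Worst-case brute-force cost of a password-manager master password.

Model: the vault key is derived with PBKDF2, so every candidate password costs
`iterations` hash computations.  Total attacker work is therefore
    keyspace(charset_size, length) * iterations
hash operations, and wall-clock time is that divided by the attacker's hash rate.
"""
from typing import Dict

# Placeholder throughput for illustration only (assumed, not a measured figure):
# PBKDF2-SHA256 inner hashes per second on one cracking rig.
ASSUMED_HASHES_PER_SECOND = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def hash_operations(charset_size: int, length: int, iterations: int) -> int:
    """Hash computations needed to try every password of the given shape.

    Raising the KDF iteration count multiplies this figure linearly; adding one
    character multiplies it by the charset size.
    """
    return keyspace(charset_size, length) * iterations


def worst_case_years(charset_size: int, length: int, iterations: int,
                     hashes_per_second: int = ASSUMED_HASHES_PER_SECOND) -> float:
    """Years to exhaust the keyspace at the given throughput (worst case)."""
    seconds = hash_operations(charset_size, length, iterations) / hashes_per_second
    return seconds / SECONDS_PER_YEAR


def compare_defaults(charset_size: int = 95, short: int = 8, long: int = 12,
                     iterations: int = 100_000) -> Dict[str, float]:
    """Contrast an 8-character and a 12-character master password.

    95 is the printable-ASCII charset; 100_000 iterations is an assumed value.
    `length_factor` is the exact integer ratio of the two keyspaces.
    """
    return {
        "short_years": worst_case_years(charset_size, short, iterations),
        "long_years": worst_case_years(charset_size, long, iterations),
        "length_factor": keyspace(charset_size, long) // keyspace(charset_size, short),
    }


if __name__ == "__main__":
    result = compare_defaults()
    print(f"8 chars : {result['short_years']:.3g} years worst case")
    print(f"12 chars: {result['long_years']:.3g} years worst case")
    print(f"four extra characters multiply attacker work by {result['length_factor']:,}")
```

The model is deliberately pessimistic for the defender: real attacks try dictionary words and leaked passwords first rather than the whole keyspace, which is exactly why a password reused elsewhere is cracked regardless of length, and why the iteration count only helps users whose password is not already guessable.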
So what’s the upshot for you? The nicest thing we can say at this point is that you can export your LastPass database and import it into another password manager.
And again we suggest putting Bitwarden on your shortlist of password managers.
Global: The Password Isn’t Dead Yet. You Need a Hardware Key
In August, the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies.
While some Cloudflare employees were tricked by the phishing messages, the attackers couldn’t burrow deeper into the company’s systems.
That’s because, as part of Cloudflare’s security controls, every employee must use a physical security key to prove their identity while logging into all applications.
Weeks later, the company announced a collaboration with the hardware authentication token maker Yubikey to offer discounted keys to Cloudflare customers.
Cloudflare wasn’t the only company high on the security protection of hardware tokens, though.
Last month, Apple announced hardware key support for Apple IDs, seven years after first rolling out two-factor authentication on user accounts.
And two weeks ago, the Vivaldi browser announced hardware key support for Android.
So what’s the upshot for you? Yubikeys are said to be the best. Google has a similar offering produced in China that has already run into some issues.
US: Google Voice will now warn you about potential spam calls
Google has announced that it’s adding a red “suspected spam caller” warning to Google Voice calls if it doesn’t think they’re legitimate.
In a post last Thursday, the company says it’s identifying spam “using the same advanced artificial intelligence” system as it does with its traditional phone app for Android.
If the spam label appears, you’ll also have the option of confirming that a call was spam – in which case any future calls will be sent straight to your voicemail – or clarifying that it wasn’t, which will get rid of the label for future calls.
Google Voice has had the ability to automatically filter calls identified as spam to voicemail for years, and has also allowed you to screen calls before actually picking them up, but those options may not have been great if you’re the type of person who gets a lot of important calls from unknown numbers.
So what’s the upshot for you? Google does say that you’ll have to turn off the Filter Spam feature by going to Settings > Security > Filter spam if you want the automatic spam labeling.
Global: Google develops free terrorism-moderation tool for smaller websites
Google is developing a free moderation tool that smaller websites can use to identify and remove terrorist material, as new legislation in the UK and the EU compels Internet companies to do more to tackle illegal content.
The software is being developed in partnership with the search giant’s research and development unit Jigsaw and Tech Against Terrorism, a UN-backed initiative that helps tech companies police online terrorism.
“There are a lot of websites that just don’t have any people to provide enforcement.
It is a really labor-intensive thing to even build the algorithms [and] then you need all those human reviewers,” said Yasmin Green, chief executive of Jigsaw.
The move comes as Internet companies will be forced to remove extremist content from their platforms or face fines and other penalties under laws such as the Digital Services Act in the EU, which came into force in November, and the UK’s Online Safety bill, which is expected to become law this year.
Jigsaw’s tool aims to tackle the next step of the process and help human moderators make decisions on content flagged as dangerous and illegal.
Jigsaw has about 70 staff, primarily based in Google’s offices in New York. Green, who became chief executive in July, said the loss-making division was not expected to become profitable.
So what’s the upshot for you? We end this story with these altruistic comments: “There’s an understanding that there’s a long-term business return… Google needs a healthier Internet,” said Green.
“We are helping Google and helping the Internet in a way that delivers value even though it isn’t monetary.”
Global: Netgear warns users to patch recently fixed WiFi router bug
Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible.
The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models.
Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability.
The impact of a successful buffer overflow exploit can range from a crash (denial of service) to arbitrary code execution on the device.
Attackers can exploit this flaw in low-complexity attacks without requiring permissions or user interaction.
So what’s the upshot for you? In a security advisory published last Wednesday, Netgear said it “strongly recommends that you download the latest firmware as soon as possible.”
US: New York breaks the right to repair bill as it’s signed into law
New York governor Kathy Hochul signed the Digital Fair Repair Act on December 28th, 2022, and the law will go into effect on July 1st, 2023 – a full year after it was originally passed by the NY State legislature.
The bill establishes that consumers and independent repair providers have a right to obtain manuals, diagrams, diagnostics, and parts from original equipment manufacturers (OEMs) in order to repair their own devices.
However, the bill was meaningfully compromised at the last minute by amendments that give OEMs some convenient exceptions and loopholes to get out of obligations that many right-to-repair advocates had been hoping for.
One of the most controversial adjustments in the signed law is that it allows OEMs to sell assemblies of parts instead of individual components if they choose to.
The bill also won’t require OEMs to provide “passwords, security codes or materials” to bypass security features, which is sometimes necessary to save a locked but otherwise functional device.
This makes the bill “functionally useless,” according to Louis Rossmann, a repair technician who has been a fierce advocate of toothy right to repair legislation.
Rossmann responded recently to the amended bill with a video full of detailed analysis and criticism.
Hochul claims in her signed memorandum that the bill was amended to lessen the risk of physical harm or security issues while making repairs, an amendment that Rossmann calls “bullshirt” and expects manufacturers to exploit in circumvention of the spirit of the bill.
So what’s the upshot for you? Stay tuned for more, and in the meantime, don’t think you will be fixing it yourself.
US: U.S. Department of Homeland Security Can’t Even Secure Its Buildings Against People It Fired
For the fourth time since 2007, an internal audit shows the Department of Homeland Security isn’t deactivating access cards in the hands of ex-employees, leaving its secure facilities vulnerable to intruders.
A new report by Homeland Security’s Office of Inspector General shows that the department is systemically failing to revoke tens of thousands of “personal identity verification” cards that allow staff to enter sensitive, secure facilities and access internal data networks, despite being warned about the problem for 15 years.
The issue is made worse, the report continues, by the fact that Homeland Security’s internal record-keeping is so shoddy that it was impossible to determine how many ex-staffers have working access cards they aren’t supposed to.
Like many modern workplaces, Homeland Security hands out office-unlocking keycards to its employees to make sure strangers can’t wander in off the street.
And, like most workplaces, the department is supposed to follow a standard policy: When an employee is no longer an employee, for whatever reason, their card is to be promptly deactivated.
Unlike most employers, though, Homeland Security is a component of the U.S. Intelligence Community, meaning these credit card-sized badges have a “grave potential for misuse if lost, stolen, or compromised,” according to the inspector general report.
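The control the audit says is failing is a plain reconciliation: every active badge should map to a current employee, and a badge belonging to a separated employee should be deactivated promptly. The script below is an added example of that check, not code from the inspector general’s office or from DHS; the badge and HR records are constructed sample data, and the grace period is an assumed policy parameter.

```python
"""Reconcile an access-card roster against HR separation records.

Two findings are raised:
  * active-after-separation: card still active past the separation date plus grace period
  * no-hr-record: active card whose holder is not in the HR roster at all
    (the record-keeping gap the audit describes makes this second class hard to size)
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Badge:
    card_id: str
    holder_id: str
    active: bool


@dataclass(frozen=True)
class Employee:
    holder_id: str
    separated_on: Optional[date]  # None means still employed


def audit_badges(badges: Iterable[Badge], employees: Iterable[Employee],
                 as_of: date, grace_days: int = 0) -> List[Tuple[str, str]]:
    """Return (card_id, finding) pairs for every active card that should not be.

    `grace_days` is an assumed policy window allowing offboarding to complete;
    a card active beyond separation date + grace_days is a finding.
    """
    roster = {e.holder_id: e for e in employees}
    findings: List[Tuple[str, str]] = []
    for badge in badges:
        if not badge.active:
            continue  # deactivated cards are the desired end state
        emp = roster.get(badge.holder_id)
        if emp is None:
            findings.append((badge.card_id, "no-hr-record"))
        elif emp.separated_on is not None and (as_of - emp.separated_on).days > grace_days:
            findings.append((badge.card_id, "active-after-separation"))
    return findings


# Constructed sample data (hypothetical identifiers, not from the report).
SAMPLE_EMPLOYEES = [
    Employee("E100", None),                 # current employee
    Employee("E101", date(2022, 11, 15)),   # separated weeks ago
    Employee("E102", date(2022, 12, 30)),   # separated two days before the audit date
]

SAMPLE_BADGES = [
    Badge("PIV-0001", "E100", active=True),   # fine
    Badge("PIV-0002", "E101", active=True),   # should have been deactivated
    Badge("PIV-0003", "E102", active=True),   # inside the grace window
    Badge("PIV-0004", "E999", active=True),   # holder unknown to HR
    Badge("PIV-0005", "E101", active=False),  # already revoked, ignored
]


if __name__ == "__main__":
    for card_id, finding in audit_badges(SAMPLE_BADGES, SAMPLE_EMPLOYEES,
                                         as_of=date(2023, 1, 1), grace_days=3):
        print(f"{card_id}: {finding}")
```

Run on a schedule against the physical-access and HR systems of record, the "no-hr-record" count is the useful early warning: if it is large, the organization cannot answer the question the audit asked, namely how many former staff still hold working cards.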
So what’s the upshot for you? Unfortunately for the department – and potentially the homeland – the Office of Inspector General’s latest audit found that’s exactly what’s happening and on a vast scale.
US: Hackers stole data from multiple U.S. electric utilities in a recent ransomware attack
Hackers stole data belonging to multiple electric utilities in an October ransomware attack on a US government contractor that handles critical infrastructure projects across the country, according to a memo describing the hack obtained by CNN.
Federal officials have closely monitored the incident for any potential broader impact on the US power sector while private investigators have combed the dark web for the stolen data, according to the memo sent this month to power company executives by the North American grid regulator’s cyberthreat sharing center.
The previously unreported incident is a window into how ransomware attacks on critical US companies are handled behind the scenes as lawyers and federal investigators quietly spring into action to determine the extent of the damage.
The ransomware attack hit Chicago-based Sargent & Lundy, an engineering firm that has designed more than 900 power stations and thousands of miles of power systems and that holds sensitive data on those projects.
The firm also handles nuclear security issues, working with the departments of Defense, Energy and other agencies “to strengthen nuclear deterrence” and keep weapons of mass destruction out of terrorists’ hands, according to its website.
Two people familiar with the investigation of the Sargent & Lundy hack told CNN that the incident was contained and remediated, and didn’t appear to have a broader impact on other power-sector firms.
There is no sign that data stolen from Sargent & Lundy, which includes “model files” and “transmission data” the firm uses for utility projects, is on the dark web, according to the memo from the Electricity Information Sharing and Analysis Center.
So what’s the upshot for you? That’s comforting news for your post-holiday celebrations.
TW: Sorry, what? Apple’s AirPods Pro might be an inexpensive solution to your grandad’s hearing loss
In an experiment by doctors in Taiwan, Apple’s AirPods Pro were found to be as good as premium hearing aids in most scenarios for those with mild to moderate hearing loss.
However, experts recommend getting a test from an audiologist first.
It may be both presumptuous and too early to say that Apple’s AirPods Pro are both a revolutionary and an inexpensive way to solve humanity’s hearing loss problems, but a recent medical experiment has electrified the global medical community with its implications for those with auditory impairments.
Sometimes, radical inventions, even ones in medicine, do not arise from the concerted and focused efforts of scientists to solve scourges that afflict humanity. Instead, they emerge from happy accidents that become life-saving necessities.
In all scenarios except one, the AirPods Pro gave the hearing aids a run for their money.
In a quiet environment, the pair of AirPods Pro, thanks to their noise-canceling feature, in addition to the Live Listen one, matched the experience of wearing basic hearing aids and were only slightly less effective than the premium ones. (The AirPods were linked to a smartphone).
So what’s the upshot for you? Certainly we have been “hearing” stories that AirPods were helping people with hearing difficulties. These experiments are proving those rumors out.
Now, before some of us go racing off to find a pair of AirPods Pro to address hearing issues, you may need to lend an ear to some experts who have weighed in with what they think are some important issues concerning this development.
The most important one is the emphasis that AirPods do not replace hearing aids.
This is because not all hearing loss cases are the same.
There is significant divergence both in its causes and in ear anatomy.
UK: Do bumble bees play?
“This research provides a strong indication that insect minds are far more sophisticated than we might imagine,” said co-author Lars Chittka of Queen Mary University of London and author of a recent book, The Mind of a Bee.
“There are lots of animals who play just for the purposes of enjoyment, but most examples come from young mammals and birds.”
Play behavior is typically divided into three broad categories:
- Social play involves playful interactions between animals, usually juveniles engaged in play-fighting.
- Locomotor play involves running, jumping, or similar intense and sustained movement that is not associated with a particular purpose.
- And object play involves the manipulation of an object as a toy.
Chittka’s group conducted a previous study in 2017 in which they showed that bees could be trained to roll little wooden balls in order to receive a reward.
But they also noticed instances where the bees opted to roll the balls even when there wasn’t an obvious reward or benefit.
The balls had been placed in a tunnel that connected the hive to the experimental arena where the food was.
Several bees walked over the balls or stopped to roll them on their way back and forth from the food.
So what’s the upshot for you? All in all, the authors argue that the behavior of the bees in their experiments met the basic criteria for play.
“It is certainly mind-blowing, at times amusing, to watch bumble bees show something like play. They approach and manipulate these ‘toys’ again and again. It goes to show, once more, that despite their little size and tiny brains, they are more than small robotic beings. They may actually experience some kind of positive emotional states, even if rudimentary, like other larger fluffy, or not so fluffy, animals do.”
And our quote of the week: “The counterfeit innovator is wildly self-confident. The real one is scared to death.” - Steven Pressfield
That’s it for this week. Stay safe, stay secure, and buzz back in se7en.