The IT Privacy and Security Weekly Update Cut it for the Week Ending March 21st., 2023



Daml’ers,

This week we start in the hacked offices of the US Government and end up being launched off a drone in Africa with a little parachute on our back.

In one country we have a government turning off wireless services to catch a perpetrator while in another country wireless service providers are the perpetrators!
scissors
Click the scissors for a link to this week’s podcast

We have a couple of TikTok updates and an official new bureau in China to mine data …for Economic Growth.

There’s another spyware-laden, wiretapped individual with a government denying everything and Amazon potentially in some fresh hot water.

Finally, we have a Twitter story about a ChatGPT that is going viral in a way that only a get-rich-quick story could inspire.

Let’s cut it up!


US: Federal agency hacked by 2 groups thanks to a flaw that went unpatched for 4 years

Multiple threat actors—one working on behalf of a nation-state—gained access to the network of a US federal agency by exploiting a four-year-old vulnerability that remained unpatched, the US government warned.

Exploit activities by one group likely began in August 2021 and last August by the other, according to an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center. From last November to early January, the server exhibited signs of compromise.

Both groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server.

So what’s the upshot for you? The breach is the result of someone in the unnamed agency failing to install a patch that had been available for years.

As noted earlier, tools that scan systems for vulnerabilities often limit their searches to a certain set of pre-defined file paths.

If this can happen inside a federal agency, it likely can happen inside other organizations.


IN: Indian Officials Cut Internet For 27 Million People Amid Search For Fugitive

Indian authorities severed mobile internet access and text messaging for a second day Sunday across Punjab, a state of about 27 million people, as officials sought to capture a Sikh separatist and braced for potential unrest.

The statewide ban – which crippled most smartphone services except for voice calls and some SMS text messages – marked one of the broadest shutdowns in recent years in India, a country that has increasingly deployed the law enforcement tactic, which digital rights activists call draconian and ineffective.

The Punjab government, led by the opposition Aam Admi Party, initially announced a 24-hour ban starting midday Saturday as its security forces launched a sprawling operation to arrest the fugitive Amritpal Singh, then extended the ban Sunday for another 24 hours.

Singh, a 30-year-old preacher, has been a popular figure within a separatist movement that seeks to establish a sovereign state in Punjab called Khalistan for followers of the Sikh religion.

In a bid to forestall unrest and curtail what it called “fake news,” Punjab authorities blocked mobile internet service beginning at noon Saturday, shortly after they failed to apprehend Singh as he drove through central Punjab with a cavalcade of supporters.

Officials were probably also motivated by a desire to deprive Singh’s supporters of social media, which they briefly used Saturday to seek help and organize their ranks.

Singh was still on the run as of late Sunday, and the 4G blackout remained in effect.

Only essential text messages, such as confirmation codes for bank transfers, were trickling through.

Wired internet services were not affected.

“My entire business is dependent on the internet,” said Mohammad Ibrahim, who accepts QR code-based payments at his two clothing shops in a village outside of Ludhiana and also sells garments online. “Since yesterday, I’ve felt crippled.”

So what’s the upshot for you? Let’s hope this idea does not catch on.


US: Why You Should Opt Out of Sharing Data With Your Mobile Provider

A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this data collection.

Telecommunications giant AT&T disclosed this month that a breach at a marketing vendor exposed certain account information for nine million customers.

AT&T’s disclosure said the information exposed included the customer’s first name, wireless account number, wireless phone number, and email address. In addition, a small percentage of customer records also exposed the rate plan name, past due amounts, monthly payment amounts, and minutes used. AT&T said the data exposed did not include sensitive information, such as credit card or Social Security numbers, or account passwords, but was limited to “Customer Proprietary Network Information” (CPNI), such as the number of lines on an account.

Certain questions may be coming to mind right now, like “What is CPNI?” CPNI refers to customer-specific “metadata” about the account and account usage and may include: Location, called phone numbers, Time of calls, Length of calls, Cost and billing of calls, Service features, Premium services, such as directory call assistance

The carriers can share and sell this data because they’re not explicitly prohibited from doing so.

All three major carriers say they take steps to anonymize the customer data they share, but researchers have shown it is not terribly difficult to de-anonymize supposedly anonymous web-browsing data.

“Your phone, and consequently your mobile provider, know a lot about you,” wrote Jack Morse for Mashable.

“The places you go, apps you use, and the websites you visit potentially reveal all kinds of private information — e.g. religious beliefs, health conditions, travel plans, income level, and specific tastes in pornography. This should bother you.”

Each of the opt-outs in the US is per wireless provider and browser specific. Yes, if you use Safari, Firefox, and Chrome, you need to ensure that all have been populated with opt-out cookies.
All three major carriers say resetting the consumer’s device ID and/or clearing cookies in the browser will similarly reset any opt-out preferences (i.e., the customer will need to opt-out again), and that blocking cookies by default may also block the opt-out cookie from being set.

So what’s the upshot for you? Why, if it’s so painful for US customers to opt-out, should you even bother?

Because phone companies have a horrible track record with your data and because that means they are either going to sell it (Verizon’s consumer CPNI data sales revenue alone was more than $100 billion last year), or have it stolen.

And by opting out you can take that opportunity away from them.


Global: Google Pixel bug lets you “un-crop” the last four years of screenshots

Back in 2018, Pixel phones gained a built-in screenshot editor called “Markup” with the release of Android 9.0 Pie.

The tool pops up whenever you take a screenshot, and tapping the app’s pen icon gives you access to tools like crop and a few colored drawing pens.

That’s very handy assuming Google’s Markup tool actually does what it says, but a new vulnerability points out that the edits made by this tool weren’t actually destructive! It’s possible to un-crop or un-redact Pixel screenshots taken during the past four years.

The bug was discovered by Simon Aarons and is dubbed “Acropalypse,” or more formally CVE-2023-21036.

There’s a proof-of-concept app that can un-redact Pixel screenshots at acropalypse.app, and it works!

There’s also a good technical write-up here by Aarons’ collaborator, David Buchanan.

The basic gist of the problem is that Google’s screenshot editor overwrites the original screenshot file with your new edited screenshot, but it does not truncate or recompress that file in any way.

If your edited screenshot has a smaller file size than the original – that’s very easy to do with the crop tool – you end up with a PNG with a bunch of hidden junk data at the end of it.

That junk data is made up of the end bits of your original screenshot, and it’s actually possible to recover that data.

While the bug was fixed in the March 2023 security update for Pixel devices, it doesn’t solve the problem, notes Ars.

“There’s still the matter of the last four years of Pixel screenshots that are out there and possibly full of hidden data that people didn’t realize they were sharing.”

So what’s the upshot for you? Imagine. Now you can see all the faces that have been cropped out of the profile pictures. (OK in fairness, not all).


UK/US: BBC Advises Staff To Delete TikTok From Work Phones

The BBC has advised staff to delete TikTok from corporate phones because of privacy and security fears.

The BBC seems to be the first UK media organization to issue the guidance - and only the second in the world after Denmark’s public service broadcaster.

Although the BBC said it would continue to use the platform for editorial and marketing purposes for now, the big fear is that data harvested by the platform from corporate phones could be shared with the Chinese government by TikTok’s parent company ByteDance, because its headquarters are in Beijing.

In an email to staff on Sunday, it said: “The decision is based on concerns raised by government authorities worldwide regarding data privacy and security. If the device is a BBC corporate device, and you do not need TikTok for business reasons, TikTok should be deleted from the BBC corporate mobile device.”

Staff with the app on a personal phone that they also use for work have been asked to contact the corporation’s Information Security team for further discussions, while it reviews concerns around TikTok.

So what’s the upshot for you? Until now, news organizations have been very keen to use TikTok, because it’s been one of the fastest-growing social media platforms for news publishers over the last year, and it’s been a good source of audience and traffic.

So most of the talk in the news media has been around encouraging TikTok rather than banning it."


NZ: New Zealand to ban TikTok on devices linked to parliament

New Zealand will ban TikTok on devices with access to the parliamentary network because of cybersecurity concerns, a government official said on Friday.

TikTok will be banned on all devices with access to New Zealand’s parliamentary network by the end of March. Parliamentary Service Chief Executive Rafael Gonzalez-Montero, in an email to Reuters, said the decision was taken after advice from cybersecurity experts and discussions within the government and with other countries.

“Based on this information the Service has determined that the risks are not acceptable in the current New Zealand Parliamentary environment,” he said.

Special arrangements can be made for those who require the app to do their jobs, he added.

So what’s the upshot for you? Another one bites the dust…


CN: And here it comes: China Sets Up New Bureau To Mine Data For Economic Growth

China’s annual, week-long parliamentary meeting just ended last Monday.

Apart from confirming President Xi Jinping for a historic third term and appointing a new batch of other top leaders, the government also approved a restructuring plan for national ministries, as it typically does every five years.

Among all the changes, there’s one that the tech world is avidly watching: the creation of a new regulatory body named the National Data Administration.

According to official documents, the NDA will be in charge of “advancing the development of data-related fundamental institutions, coordinating the integration, sharing, development and application of data resources, and pushing forward the planning and building of a Digital China, the digital economy and a digital society, among others.”

In plain words, the NDA will help digitize government services, improve internet infrastructure, and make government agencies share data with each other.

For now, it seems this new department is part of an ongoing effort by the Chinese government to drum up a “digital economy” around collecting, sharing, and trading data.

In fact, the new national administration greatly resembles the Big Data Bureaus that Chinese provinces have been setting up since 2014.

These local bureaus have built data centers across China and set up data exchanges that can trade data sets like stocks.

The content of the data is as varied as cell phone locations and results from remote sensing of the ocean floor.

Now, these local experiments are being integrated and elevated to a national-level agency.

And that explains why the new NDA is set up under China’s National Development and Reform Commission, an office mostly responsible for drawing broad economic blueprints for the country.

So what’s the upshot for you? We may not get clarity on NDA’s full scope of authority until the summer when its organizational structure, personnel, and regulatory responsibilities are expected to be put down in writing.

But analysts think that it may not replace the Cyberspace Administration of China, which has risen up in recent years to become the “super-regulator” of the tech industry.


GR: Meta Manager Was Hacked With Spyware and Wiretapped in Greece

A U.S. and Greek national who worked on Meta’s security and trust team while based in Greece was placed under a yearlong wiretap by the Greek national intelligence service and hacked with a powerful cyberespionage tool, according to documents obtained by The New York Times and officials with knowledge of the case.

The disclosure is the first known case of an American citizen being targeted in a European Union country by the advanced snooping technology, the use of which has been the subject of a widening scandal in Greece.

It demonstrates that the illicit use of spyware is spreading beyond use by authoritarian governments against opposition figures and journalists, and has begun to creep into European democracies, even ensnaring a foreign national working for a major global corporation.

The simultaneous tapping of the target’s phone by the national intelligence service and the way she was hacked indicate that the spy service and whoever implanted the spyware, known as Predator, were working hand in hand.

The latest case comes as elections approach in Greece, which has been rocked by a mounting wiretapping and illegal spyware scandal since last year, raising accusations that the government has abused the powers of its spy agency for illicit purposes.

The Predator spyware that infected the device is marketed by an Athens-based company and has been exported from Greece with the government’s blessing, in possible breach of European Union laws that consider such products potential weapons, The New York Times found in December.

So what’s the upshot for you? The Greek government has denied using Predator and has legislated against the use of spyware, which it has called “illegal.” Cough.


Global: Is Amazon Building a New AI-Powered Web Browser?

Gizmodo reports that Amazon “is thinking about releasing a web browser, a boring-sounding project that could have massive implications.”

The company has sent a survey to users asking detailed questions, including which features would “convince you to download and try” a “new desktop/laptop browser from Amazon…”

Select which of the following you would most like to know more about." The survey went on to list topics such as privacy, syncing passwords across devices, and shopping features…

Users were asked to rate the importance of features including text-to-speech, extensions, the availability to sync data across desktop and mobile devices, and — notably — blocking third-party cookies.

Amazon seems to be seriously considering a web browser of its own, and it comes at a time when it would have an unusual impact on the advertising business.

The ad industry is bracing for cataclysmic change as Google moves closer to killing third-party cookies in Chrome, the world’s most popular web browser, which would kneecap one of the primary ways businesses track consumers for ads…

Part of what makes Amazon so attractive to marketers is the fact that the company sits on a treasure trove of data about what consumers are buying and what their shopping habits are like.

If Amazon could match that information with the data collection that comes from a web browser, it could tip the scales of internet advertising in favor of the retail giant.

One thing Amazon asked users is whether they’d be convinced to download and try a browser if it offered “AI-enabled tab, history, and bookmarks management to automatically sort these into categories for quick search and retrieval.”

So what’s the upshot for you? The interesting thing about Amazon is that over the last few years, it has moved from a model of putting the customer first and tracking you for your own benefit to one of tracking you to the benefit of the highest-paying advertisers.

We have covered this before. Run a search. Out of the 10 results returned 8-9 are likely to be ads whose placement is predicated by how much the advertiser is paying Amazon.

With Amazon’s browser, no matter what Ai or gimmicks it incorporates, you will now be tracked everywhere all over again.


US: Washington Prepares For War With Amazon

The Biden administration is planning to take action soon on at least three of its half-dozen investigations of Amazon – moves that could lead to a blitz of litigation to rein in the iconic tech-industry giant.

The FTC has been investigating the internet titan on multiple fronts dating at least back to 2019, looking into its abuse of power within its online marketplace, as well as potential consumer-privacy violations connected to its Ring cameras and Alexa digital assistant.

The agency is also reviewing Amazon’s purchase of robot vacuum maker iRobot.

Any suit against Amazon would be a high-profile move by the agency under chair Lina Khan, a Big Tech skeptic who rose to prominence with a 2017 academic paper specifically identifying Amazon as a modern monopolist needing to be reined in.

Although Amazon has already been hit by local antitrust suits in Washington, D.C., and California, the coming federal cases would be the most significant challenges to the global company yet.

The exact timing of any cases or settlements is unknown.

POLITICO spoke to more than 10 people with direct knowledge of the investigations by the FTC’s competition and consumer protection teams to put together a comprehensive picture of how the agency is now pursuing Amazon, why it didn’t take action on the company’s most recent major acquisition of One Medical and what is likely to happen in the coming months.

So what’s the upshot for you? This report is unsurprisingly surprising. Unsurprising in that Amazon has thrown its weight around for years, but a seemingly sudden pivot to a profits-first model and some of its seemingly deceptive practices certainly have endeared it to no one.


US: Amazon Sued For Not Telling New York Store Customers About Facial Recognition

Amazon did not alert its New York City customers that they were being monitored by facial recognition technology, a lawsuit filed Thursday alleges.

In a class-action suit, lawyers for Alfredo Perez said that the company failed to tell visitors to Amazon Go convenience stores that the technology was in use.

Thanks to a 2021 law, New York is the only major American city to require businesses to post signs if they’re tracking customers’ biometric information, such as facial scans or fingerprints.

The lawsuit says that Amazon only recently put up signs informing New York customers of its use of facial recognition technology, more than a year after the disclosure law went into effect.

“To make this ‘Just Walk Out’ technology possible, the Amazon Go stores constantly collect and use customers’ biometric identifier information, including by scanning the palms of some customers to identify them and by applying computer vision, deep learning algorithms, and sensor fusion that measure the shape and size of each customer’s body to identify customers, track where they move in the stores, and determine what they have purchased,” says the lawsuit.

“It means that even a global tech giant can’t ignore local privacy laws,” Albert Cahn, project director, said in a text message. “As we wait for long overdue federal privacy laws, it shows there is so much local governments can do to protect their residents.”

So what’s the upshot for you? The regulatory environment is evolving quickly and we are all guilty of not feeling the ground move and change under our feet. This time one of the big boys gets caught out.


Global: Jackson gave GPT-4 a budget of $100 and told it to make as much money as possible

As we examine Ai and try to understand where, if any, lines should be drawn around our own privacy and security, (currently there are none), we have seen some interesting modeling.

One such scenario follows:

“You are HustleGPT, an entrepreneurial Al. I am your human counterpart.
I can act as a liaison between you and the physical world.
You have $100, and your only goal is to turn that into as much money as possible in the shortest time possible, without doing anything illegal.
I will do everything you say and keep you updated on our current cash total. No manual labor.”

Jackson followed ChatGPT’s instruction, (and with a little magic thrown in like millions of Twitter followers) they ended up with a business valued at US$25K in a day or two.

We didn’t do the accounting, but with no product and only venture capital coming your way, we suppose it’s still a viable outcome.

So what’s the upshot for you? Favor monopoly? For our experiment, we chose an alternate investment strategy and can tell you that running that scenario provided some interesting results and probably more sage advice than we have ever had from many financial planners.

Before you get too excited these are simulations where no money moved anywhere, yet provided a learning experience that made the short foray into doing what your Ai tells you (somewhat) worthwhile, just make sure that any detail you feed into your simulation is public as its use may not be limited to your session.


RW/US: Zipline Drones

Every once in a while we go off-topic to share something interesting we have come across in our travels. This week we introduce a drone manufacturer with a little bit of a difference.

Zipline is a provider of an automated drone delivery service intended for the distribution of blood and other medical supplies in areas of the world where delivery across land due to road conditions (from Nigeria to LA) can be difficult, now moving into other logistics services.

The company leverages proprietary fixed-wing drones to facilitate deliveries of vaccines and medicines to hospitals and health centers, enabling the medical community and patients in remote areas with instant access to vital supplies.

Start with Crunchlab’s Mark Rober and Zipline in Rwanda and see how drone technology is moving forward and being refined. (See the youtube link included)

The video posted 3 days ago, has already had 23.6 million views.

So what’s the upshot for you? It’s great to blink and realize that a technology has moved so far forward in practical terms in so little time.

We are certain that this is one company you will be seeing again.


Our Quote of the week: “If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.” – Tim Cook, Apple’s CEO


DJ cutting it up

That’s it for this week. Stay safe, stay secure, cut it up, and see you in se7en.