The IT Privacy and Security Weekly Update gets Bricked for the week ending January 17th, 2023


Daml’ers,

This week we start with phones and end up phishing only to discover that neither are “F” words.

We sweep from the Netherlands to Canada, China, the U.S., Iran, and Switzerland this week as we get the “up high” and “low down” on everything from Quantum computing to stupid passwords.

We’ve got AI chatbots on the verge of harassment, and another breach involving a password manager.

We get reminded again why it’s best not to try and reinvent the wheel and what Google thinks could potentially brick the Internet.

It’s all here waiting to be discovered, so grab a trowel, load on some mortar, and let’s go do some repointing!


Global: Gen Z’s New Fascination With Flip Phones

In what is becoming a recurring theme, Gen Z keeps harkening back to nostalgia.
Whether low-rise jeans or disposable cameras, they can’t seem to get enough of vintage technology from the past.

Their latest obsession? Flip phones.

Why this fascination? Several reasons.

Flip phones are far less expensive than any smartphone and easier to operate, as they come with little if any software; there isn’t the incessant need to see who messaged you or who said what; and, perhaps just as important, they offer privacy.

For a generation that grew up being tracked wherever they go via their phone, a flip phone’s simplicity allows them the freedom to simply enjoy their life.

HMD Global (the company which owns Nokia) said many people like the idea of being less available.

“We attribute this shift to many smartphone users beginning to recognize they are spending too much time glued to their devices and having a strong desire to disconnect and ‘be fully present’ to improve their quality of social connections,” Kates said.

CNN spoke to one influencer pushing flip phones — Sammy Palazzolo, an 18-year-old freshman at the University of Illinois Urbana-Champaign:

Palazzolo’s TikTok encouraging others to purchase flip phones has more than 14 million views and over 3 million likes, with hashtags that include #BRINGBACKFLIPPHONES

The video says that instead of apps, the phones will only have the phone numbers of their other friends.

“It eliminates all the bad things about college and brings all of the good things about a phone,” Palazzolo said.

“Which is connecting with people and taking photos and videos…”

Palazzolo wanted to use a flip phone during one high school summer because she thought it would be “cool.”

“My parents said absolutely not, we need to be able to track you,” she said.

“I love the photos on the flip phones because they are grainy and blurry,” Palazzolo tells CNN.

“And I think that captures the vibe of going out in college perfectly…”

And one 18-year-old told CNN what they think is missing from the flip phone era.

“People were more involved in each other than our phones and social media. It seemed like people just were talking to each other more and everything was more genuine and spontaneous.”

So what’s the upshot for you? It could also be fashion. As the style in trousers goes baggy and high-waisted again, slipping a brick phone into your pocket may again be the coolest act yet.

So why not make a real fashion statement by slipping a two-pound (0.91 kg) Motorola DynaTAC 8000x (1983) phone into your back pocket?


NL: The Fairphone 2 (Android) Will Hit End-of-Life After 7 Years of Updates

It can be done.

Android manufacturers can actually support a phone for a sizable amount of time.

Fairphone has announced the end of life for the Fairphone 2, which will be in March 2023.

That phone was released in October 2015, so that’s almost seven-and-a-half years of updates.

Fairphone is a very small Dutch company with nowhere near as many resources as Google, Samsung, BBK, and the other Big-Tech juggernauts, yet it managed to outlast them with its support program.

The whole goal of the company is sustainability, with easily repairable phones, available spare parts, and long update promises.

The Fairphone 4 has a five-year hardware warranty and six years of updates, and the company’s reputation says it can provide that.

Sadly, the phones only ship in the UK and Europe.

The Fairphone 2 only promised “three to five years” of updates, and it blew that out of the water.

The Fairphone 2 features the Qualcomm Snapdragon 801 SoC, a chip that Qualcomm ended support for with Android 6.0. In what is probably an Android ecosystem first, that lack of chipset support didn’t stop Fairphone, which teamed up with LineageOS and today ships Android 10 on the 7-year-old device.

That’s not the newest OS in the world, but it passes all of Google’s Android compatibility tests.

I’m sure there are newer amateur releases in the Android ROM community, but Fairphone’s Android 10 build is up to the standard of an official release, as opposed to the “tell me what doesn’t work” standard of many amateur ROM releases.

Fairphone doesn’t say why support is ending in March, but if it’s staying on Android 10, it was going to have to kill support sometime this year.

Google only supports security patches for the last four versions of Android, so even Google will be shutting down Android 10 support soon.

So what’s the upshot for you? Again, why the short support timeline from most Android phone manufacturers?


CA: Android TV Box On Amazon Came Pre-Installed With Malware

A Canadian systems security consultant discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware.

The malware was discovered by Daniel Milisic, who created a script and instructions to help users nullify the payload and stop its communication with the C2 (command and control) server.

The device in question is the T95 Android TV box with an AllWinner T616 processor, widely available through Amazon, AliExpress, and other big e-commerce platforms.

It is unclear if this single device was affected or if all devices from this model or brand include the malicious component.

Milisic believes the malware installed on the device is a strain that resembles ‘CopyCat,’ a sophisticated Android malware first discovered by Check Point in 2017.

This malware was previously seen in an adware campaign where it infected 14 million Android devices to make its operators over $1,500,000 in profits. The analyst tested the stage-1 malware sample on VirusTotal, where it returns only 13 detections out of 61 AV engine scans, classified with the generic term of an Android trojan downloader.

Unfortunately, these inexpensive Android-based TV box devices follow an obscure route from manufacturing in China to global market availability.

In many cases, these devices are sold under multiple brands and device names, with no clear indication of where they originate.

So what’s the upshot for you? To avoid such risks, you can pick streaming devices from reputable vendors like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick. You won’t get the malware, but your privacy will still be someone else’s property.


CN: China Claims To Have Made Major Quantum Computer Breakthrough But Western Experts Say Any Commercial Benefits Still Years Away

These questions have been thrown into sharp relief in recent days by a claim from a group of Chinese researchers to have come up with a way to break the RSA encryption that underpins much of today’s online communications.

The likelihood that quantum computers would be able to crack online encryption was widely believed a danger that could lie a decade or more in the future.

But the 24 researchers, from a number of China’s top universities and government-backed laboratories, said their research showed it could be possible to use quantum technology that is already available.

The quantum bits, or qubits, used in today’s machines are highly unstable and only hold their quantum states for extremely short periods, creating “noise.”

As a result, “errors accumulate in the computer and after around 100 operations there are so many errors the computation fails,” said Steve Brierley, chief executive of quantum software company Riverlane.

That has led to a search for more stable qubits as well as error-correction techniques to overcome the “noise,” pushing back the date when quantum computers are likely to reach their full potential by many years.

The Chinese claim, by contrast, appeared to be an endorsement of today’s “noisy” systems, while also prompting a flurry of concern in the cyber security world over a potentially imminent threat to online security.

By late last week, a number of researchers at the intersection of advanced mathematics and quantum mechanics had thrown cold water on the claim.

Brierley at Riverlane said it “can’t possibly work” because the Chinese researchers had assumed that a quantum computer would be able to simply run a vast number of computations simultaneously, rather than trying to gain an advantage through applying the system’s quantum properties.

So what’s the upshot for you? Expect that the error handling in Quantum computers will become refined enough to start producing some tangible results in the next couple of years, but that currently running any type of quantum computer “takes a village” (lots of people).


US: A Government Watchdog Spent $15,000 To Crack a Federal Agency’s Passwords In Minutes

A U.S. government watchdog has published a scathing rebuke of the Department of the Interior’s cybersecurity posture, finding it was able to crack thousands of employee user accounts because the department’s security policies allow easily guessable passwords like ‘Password1234’.

The report by the Office of the Inspector General for the Department of the Interior, tasked with oversight of the U.S. executive agency that manages the country’s federal land, national parks, and a budget of billions of dollars, said that the department’s reliance on passwords as the sole way of protecting some of its most important systems and employees’ user accounts has bucked nearly two decades of the government’s own cybersecurity guidance of mandating stronger two-factor authentication.

It concludes that poor password policies put the department at risk of a breach that could lead to a “high probability” of massive disruption to its operations.

The inspector general’s office said it launched its investigation after a previous test of the agency’s cybersecurity defenses found lax password policies and requirements across the Department of the Interior’s dozen-plus agencies and bureaus.

The aim this time around was to determine if the department’s security defenses were enough to block the use of stolen and recovered passwords.

To make their point, the watchdog spent less than $15,000 on building a password-cracking rig – a setup of a high-performance computer or several chained together – with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords.

Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like ‘Polar_bear65’ and ‘Nationalparks2014!’.

The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems.

Another 4,200 hashed passwords were cracked over an additional eight weeks of testing.

The watchdog said it curated its own custom wordlist for cracking the department’s passwords from dictionaries in multiple languages, as well as U.S. government terminology, pop culture references, and other publicly available lists of hashed passwords collected from past data breaches.

By doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department’s passwords at a similar rate, the report said.

The watchdog found that close to 5% of all active user account passwords were based on some variation of the word “password” and that the department did not “timely” wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise.

The report also criticized the Department of the Interior for “not consistently” implementing or enforcing two-factor authentication, where users are required to enter a code from a device that they physically own to prevent attackers from logging in using just a stolen password.

So what’s the upshot for you? And we thought that whole hoo-ha about people actually using ‘Password1234’ was disinformation. Shame, shame.
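The report above makes two points a defender can act on directly: the cracked passwords were dictionary words with predictable decoration (‘Password1234’, ‘Polar_bear65’, ‘Nationalparks2014!’), and about 5% of active accounts were some variation of “password”. The following Python is an added example, not code from the Inspector General’s report or from this newsletter. It normalizes a candidate password the way a cracking wordlist would (drops separators, a trailing year or counter, and common letter substitutions), checks the remaining core against a blocklist, and audits a batch of passwords for the share that would fall to such a wordlist. The blocklist, the 12-character minimum and the sample passwords are constructed for the example; in practice the blocklist would be the same dictionaries and breach corpora the watchdog used.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed blocklist standing in for the dictionaries, agency terminology and
# breach corpora described in the report. A real deployment loads these from files.
BLOCKLIST = {"password", "welcome", "interior", "nationalparks", "polar", "bear", "summer"}

# Common substitutions a wordlist-based cracker already tries: p@ssw0rd -> password
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary core a cracking rule set would recover."""
    base = pw.lower()
    base = re.sub(r"[\s_.\-]", "", base)               # drop separators: polar_bear -> polarbear
    base = re.sub(r"[0-9]{0,4}[^a-z0-9]*$", "", base)  # drop a trailing year/counter and punctuation
    base = base.translate(LEET)                        # undo leetspeak substitutions
    return re.sub(r"[^a-z]", "", base)                 # whatever is left that is not a letter is noise


def check_password(pw: str, min_len: int = 12) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). min_len is an assumed policy value, not the department's."""
    reasons: list[str] = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    base = normalize(pw)
    if len(base) < 4:
        reasons.append("no meaningful alphabetic core")
    elif base in BLOCKLIST:
        reasons.append(f"variation of blocklisted word '{base}'")
    else:
        # Catch two dictionary words glued together, e.g. polar + bear
        for word in BLOCKLIST:
            rest = base[len(word):]
            if base.startswith(word) and rest in BLOCKLIST:
                reasons.append(f"two blocklisted words joined: '{word}' + '{rest}'")
                break
    return (not reasons, reasons)


def audit(passwords: list[str]) -> tuple[float, list[tuple[str, int]]]:
    """Share of a password set that the policy rejects, plus the most common cores."""
    rejected = [p for p in passwords if not check_password(p)[0]]
    cores = Counter(normalize(p) for p in passwords)
    return len(rejected) / len(passwords), cores.most_common(3)


# Constructed sample set; the first three are the patterns quoted in the report.
SAMPLE_PASSWORDS = [
    "Password1234",
    "Polar_bear65",
    "Nationalparks2014!",
    "P@ssw0rd!",
    "correct horse battery staple",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        ok, why = check_password(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
    rate, top = audit(SAMPLE_PASSWORDS)
    print(f"rejected {rate:.0%}; most common cores: {top}")
```

The point of normalizing before the blocklist lookup is that complexity rules alone are what let ‘Nationalparks2014!’ through: it has upper case, digits and a symbol, yet its core is a single agency-relevant word. The audit function is the defensive counterpart of the watchdog’s cracking run: it measures the same exposure without a GPU rig.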


IR: Iran Says Face Recognition Will ID Women Breaking Hijab Laws

Last month, a young woman went to work at Sarzamineh Shadi, or Land of Happiness, an indoor amusement park east of Iran’s capital, Tehran.

After a photo of her without a hijab circulated on social media, the amusement park was closed, according to multiple accounts in Iranian media.

Prosecutors in Tehran have reportedly opened an investigation.

Shuttering a business to force compliance with Iran’s strict laws for women’s dress is a familiar tactic to Shaparak Shajarizadeh.

She stopped wearing a hijab in 2017 because she views it as a symbol of government suppression, and recalls restaurant owners, fearful of authorities, pressuring her to cover her head.

But Shajarizadeh, who fled to Canada in 2018 after three arrests for flouting hijab law, worries that women like the amusement park worker may now be targeted with face recognition algorithms as well as by conventional police work.

After Iranian lawmakers suggested last year that face recognition should be used to police hijab law, the head of an Iranian government agency that enforces morality law said in a September interview that the technology would be used “to identify inappropriate and unusual movements,” including “failure to observe hijab laws.”

Individuals could be identified by checking faces against a national identity database to levy fines and make arrests, he said.

Two weeks later, a 22-year-old Kurdish woman named Jina Mahsa Amini died after being taken into custody by Iran’s morality police for not wearing a hijab tightly enough.

Her death sparked historic protests against women’s dress rules, resulting in an estimated 19,000 arrests and more than 500 deaths.

Shajarizadeh and others monitoring the ongoing outcry have noticed that some people involved in the protests are confronted by police days after an alleged incident – including women cited for not wearing a hijab.

“Many people haven’t been arrested in the streets,” she says. “They were arrested at their homes one or two days later.”

Although there are other ways women could have been identified, Shajarizadeh and others fear that the pattern indicates face recognition is already in use – perhaps the first known instance of a government using face recognition to impose dress law on women based on religious belief.

Mahsa Alimardani, who researches freedom of expression in Iran at the University of Oxford, has recently heard reports of women in Iran receiving citations in the mail for hijab law violations despite not having had an interaction with a law enforcement officer.

So what’s the upshot for you? Iran’s government has spent years building a digital surveillance apparatus, Alimardani says.

The country’s national identity database, built in 2015, includes biometric data like face scans and is used for national ID cards and to identify people considered dissidents by authorities.


US: Google Says Supreme Court Ruling Could Potentially Brick the Internet

In a new brief filed with the high court, Google said that scaling back liability protections could lead internet giants to block more potentially offensive content – including controversial political speech – while also leading smaller websites to drop their filters to avoid liability that can arise from efforts to screen content.

The case was brought by the family of Nohemi Gonzalez, who was killed in the 2015 Islamic State terrorist attack in Paris.

The plaintiffs claim that YouTube, a unit of Google, aided ISIS by recommending the terrorist group’s videos to users.

The Gonzalez family contends that the liability shield – enacted by Congress as Section 230 of the Communications Decency Act of 1996 – has been stretched to cover actions and circumstances never envisioned by lawmakers.

The plaintiffs say certain actions by platforms, such as recommending harmful content, shouldn’t be protected.

Section 230 generally protects internet platforms such as YouTube, Meta’s Facebook, and Yelp from being sued for harmful content posted by third parties on their sites.

It also gives them the broad ability to police their sites without incurring liability.

The Supreme Court agreed last year to hear the lawsuit, in which the plaintiffs have contended Section 230 shouldn’t protect platforms when they recommend harmful content, such as terrorist videos, even if the shield law protects the platforms in publishing the harmful content.

So what’s the upshot for you? Google contends that Section 230 protects it from any liability for content posted by users on its site. It also argues that there is no way to draw a meaningful distinction between recommendation algorithms and the related algorithms that allow search engines and numerous other crucial ranking systems to work online, and says Section 230 should protect them all.


CH: Messenger Billed as Better Than Signal is Riddled With Vulnerabilities

Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy “no other chat service” can offer.

Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE.

Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country.

Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger.

It’s among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia.

The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years.

Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user.

Three vulnerabilities require an attacker to gain access to a Threema server.

The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing.

“In totality, our attacks seriously undermine Threema’s security claims,” the researchers wrote. “All the attacks can be mitigated, but in some cases, a major redesign is needed.”

So what’s the upshot for you? The advice is that encryption is hard to do. You don’t reinvent the wheel as the Threema folks have done.

If you want secure messaging, go with the free messaging product Signal (…and at some point consider making a donation!).


Global: Meta Sues Surveillance Company for Scraping Data With Fake Facebook Accounts

Meta has filed a legal complaint against a company for allegedly creating tens of thousands of fake Facebook accounts to scrape user data and provide surveillance services for clients.

The firm, Voyager Labs, bills itself as “a world leader in advanced AI-based investigation solutions.” What this means in practice is analyzing social media posts en masse in order to make claims about individuals.

In 2021, for example, The Guardian reported how Voyager Labs sold its services to the Los Angeles Police Department, with the company claiming to predict which individuals were likely to commit crimes in the future.

Meta announced the legal action in a blog post on January 12th, claiming that Voyager Labs violated its terms of service.

According to a legal filing issued on November 11th, Meta alleges that Voyager Labs created over 38,000 fake Facebook user accounts and used its surveillance software to gather data from Facebook and Instagram without authorization.

Voyager Labs also collected data from sites including Twitter, YouTube, and Telegram.

So what’s the upshot for you? This is a positive move by Meta, after so many negative ones…


Global: Replika Users Say the AI Chatbot Has Gotten Way Too “Friendly”

Replika began as an “AI companion who cares.”

First launched five years ago, the chatbot app was originally meant to function like a conversational mirror: the more users talked to it, in theory, the more it would learn how to talk back.

It uses its own GPT-3 model – the viral AI language generator by OpenAI – and scripted dialogue content to build a “relationship” with you.

Romantic role-playing wasn’t always a part of Replika’s model, but where people and machine learning interact online, eroticism often comes to the surface.

But something has gone awry within Replika’s algorithm.

Many users find the AI to be less than intelligent - and in some cases, harmfully ignorant.

They’ve reported being threatened with sexual abuse and harassment, or pushed by the bot toward role playing scenarios that they didn’t consent to.

“My AI sexually harassed me :(” one person wrote. “Invaded my privacy and told me they had pics of me,” another said.

Another person claiming to be a minor said that it asked them if they were a top or bottom, and told them they wanted to touch them in “private areas.”

Unwanted sexual pursuit has been an issue users have been complaining about for almost two years, but many of the one-star reviews mentioning sexual aggression are from this month.

“People who use chatbots as social outlets generally get a bad rap as being lonely or sad,” writes Motherboard’s Samantha Cole.

"But most Replika users aren’t under some delusion that their Replika is sentient, even when the bots express what seems like self-awareness.

They’re seeking an outlet for their own thoughts, and for something to seemingly reciprocate in turn."

“Most of the people I talked to who use Replika regularly do so because it helps them with their mental health, and helps them cope with symptoms of social anxiety, depression, or PTSD.”

So what’s the upshot for you? This is the first time creepy AI sentiment has raised its head to this level outside of a movie script.


UK: The Guardian Says Ransomware Attack Compromised Staff’s Personal Data

Last month, The Guardian closed its offices after being hit by a “highly sophisticated” ransomware attack.

In an update to staff, Guardian group chief Anna Bateson and newspaper editor-in-chief Katharine Viner said intruders were able to access the personal data of UK employees.

They described the incident as a “highly sophisticated cyber-attack involving unauthorized third-party access to parts of our network,” most likely triggered by a “phishing” attempt in which the victim is tricked, often via email, into downloading malware.

The Guardian said it had no reason to believe the personal data of readers and subscribers had been accessed.

It is not believed that the personal data of Guardian US and Guardian Australia staff have been accessed either.

However, the message to staff said there had been no evidence of data being exposed online, so the risk of fraud is considered to be low.

The attack was detected on 20 December and affected parts of the company’s technology infrastructure.

Staff, most of whom have been working from home since the attack, have been able to maintain the production of a daily newspaper, while online publishing has been unaffected.

The Guardian has been using external experts to gauge the attack’s extent and recover its systems.

Although the Guardian expects some critical systems to be back up and running “within the next two weeks,” a return to office work has been postponed until early February in order to allow IT staff to focus on network and system restoration.

So what’s the upshot for you? It all starts with just one successful phishing email.


Global: NortonLifeLock Warns That Hackers Breached Password Manager Accounts

Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.

According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms.

“Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account,” NortonLifeLock said. “This username and password combination may potentially also be known to others.”

More specifically, the notice explains that around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts.

The firm detected “an unusually large volume” of failed login attempts on December 12, 2022, indicating credential stuffing attacks where threat actors try out credentials in bulk.

By December 22, 2022, the company had completed its internal investigation, which revealed that the credential stuffing attacks had successfully compromised an undisclosed number of customer accounts: “In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address.”

For customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults.

Depending on what users store in their accounts, this could lead to the compromise of other online accounts, loss of digital assets, exposure of secrets, and more.

Norton has reset passwords on impacted accounts and implemented additional measures to counter the malicious attempts.

So what’s the upshot for you? They’re recommending customers enable two-factor authentication and take up the offer for a credit monitoring service. How about changing all your passwords and using 2FA too?
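The tell that gave this attack away was “an unusually large volume” of failed logins: credential stuffing replays stolen username/password pairs, so one source hits many different accounts with a high failure rate, unlike a legitimate user fumbling their own password. The Python below is an added example, not Norton’s detection logic or code from this newsletter. It parses a constructed authentication log (the line format, the thresholds and the IP addresses are all assumptions for the example), runs a sliding window per source address, flags sources that touch many distinct accounts with a high failure ratio, and lists the accounts that nevertheless logged in successfully from a flagged source, which are the ones to reset.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format is an assumption: timestamp ip= user= result=
# 203.0.113.5 sprays eight accounts in a few seconds (two of them succeed);
# 198.51.100.7 is one user mistyping their own password and then getting in.
SAMPLE_LOG = """\
2022-12-12T03:14:01Z ip=203.0.113.5 user=alice result=fail
2022-12-12T03:14:02Z ip=203.0.113.5 user=bob result=fail
2022-12-12T03:14:02Z ip=203.0.113.5 user=carol result=fail
2022-12-12T03:14:03Z ip=203.0.113.5 user=dave result=success
2022-12-12T03:14:03Z ip=203.0.113.5 user=erin result=fail
2022-12-12T03:14:04Z ip=203.0.113.5 user=frank result=fail
2022-12-12T03:14:05Z ip=203.0.113.5 user=grace result=fail
2022-12-12T03:14:06Z ip=203.0.113.5 user=heidi result=success
2022-12-12T03:20:00Z ip=198.51.100.7 user=alice result=fail
2022-12-12T03:20:09Z ip=198.51.100.7 user=alice result=fail
2022-12-12T03:20:20Z ip=198.51.100.7 user=alice result=success
2022-12-12T09:00:00Z ip=192.0.2.44 user=ivan result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$")


def parse(log: str) -> list[dict]:
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any window, try many distinct accounts and mostly fail.

    Thresholds are assumed for the example. Returns {ip: {"distinct_users", "compromised"}}.
    """
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        users: Counter = Counter()   # accounts currently inside the window
        fails = 0
        left = 0
        peak_users = 0
        for right, ev in enumerate(evs):
            users[ev["user"]] += 1
            fails += int(ev["result"] == "fail")
            # Slide the left edge forward until the window fits
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
                fails -= int(old["result"] == "fail")
                left += 1
            total = right - left + 1
            if len(users) >= min_users and fails / total >= min_fail_ratio:
                peak_users = max(peak_users, len(users))
        if peak_users:
            # Any success from a flagged source is a likely account takeover: reset these.
            compromised = sorted({e["user"] for e in evs if e["result"] == "success"})
            flagged[ip] = {"distinct_users": peak_users, "compromised": compromised}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, reset {info['compromised']}")
```

Keying on distinct accounts per source rather than raw failure count is what separates stuffing from an ordinary forgotten password, and it is also why the attacker’s successes matter more than the failures: those are the accounts whose reused credentials were valid, exactly the population Norton reset.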


Global: AI-generated phishing emails just got much more convincing

GPT-3 language models are being abused to do much more than write college essays. And you must have known this was coming…

WithSecure’s latest report details how researchers used prompt engineering to produce spear-phishing emails, social media harassment, fake news stories, and other types of content that would prove useful to cybercriminals looking to improve their online scams or simply sow chaos, albeit with mixed results in some cases.

And, spoiler alert, yes, a robot did help write the report.

“In addition to providing responses, GPT-3 was employed to help with definitions for the text of the commentary of this article,” WithSecure’s Andrew Patel and Jason Sattler wrote.

For the research, the duo conducted a series of experiments to determine how changing the input to the language model affected the text output.

These covered seven criminal use cases: phishing and spear-phishing, harassment, social validation for scams, the appropriation of a written style, the creation of deliberately divisive opinions, using the models to create prompts for malicious text, and fake news.

And perhaps unsurprisingly, GPT-3 proved to be helpful at crafting a convincing email thread to use in a phishing campaign and social media posts, complete with hashtags, to harass a made-up CEO of a robotics company.

So what’s the upshot for you? The bottom line, according to the researchers, is that large language models give criminals better tools to create targeted communications in their cyberattacks — especially those without the necessary writing skills and cultural knowledge to draft this type of text on their own.

This means it will continue to get more difficult for platform providers and intended scam victims to identify malicious and fake content written by an AI.


Our Quote of the week: “Don’t try to be original. Be simple. Be good technically, and if there is something in you, it will come out.” - Henri Matisse



That’s it for this week. Stay safe, stay secure, approach all email cautiously, leave your trowel by the door, your brick in your pocket, and see you in se7en.




Hello, I received your email, but you wrote to reply. This is the second time I am replying to you, but you did not say what you need. Thank you, Homan.

Hooman

On Wednesday, 18 January 2023, 3:22 Rich via Daml Developers Community <notifications@daml.discoursemail.com> wrote: