The IT Privacy and Security Weekly Update "Happy Birthday" Edition for the week ending November 15th, 2022


Presenting a special birthday round-up for you today. From a new law in Italia that will ban facial recognition until the rules surrounding it catch up, to the birth of a new baby who just might grow up to be president!

We have some great spy thriller/forensic analysis stories for you this week that will be either reassuring or … very disconcerting in their discoveries!

We move “down under” to get a better understanding as to why you don’t push around our Australian friends and then hit the northern hemisphere to hear about one of the larger tech firms taking a beat-down from 40 US States.

This week’s update is like a high-speed chase. Better blow out the candles on the cake before something runs into it.

Oh, and don’t forget to make a wish!

IT: Italy outlaws facial recognition tech, except to fight crime

Italy prohibited the use of facial recognition and “smart glasses” on Monday as its Data Protection Agency issued a rebuke to two municipalities experimenting with the technology.

Facial recognition systems using biometric data will not be allowed until a specific law is adopted or at least until the end of next year, the privacy watchdog said.

The exception is when such technologies play a role in judicial investigations or the fight against crime.

“The moratorium arises from the need to regulate eligibility requirements, conditions, and guarantees relating to facial recognition, in compliance with the principle of proportionality,” the agency said in a statement.

Under European Union and Italian law, the processing of personal data by public bodies using video devices is generally allowed on public interest grounds and when linked to the activity of public authorities, it added.

However, municipalities that want to use them have to strike “urban security pacts” with central government representatives, it added.

The agency was reacting to measures taken in the southern Italian city of Lecce, where authorities said they would begin using a technology based on facial recognition.

The privacy watchdog also targeted the Tuscan city of Arezzo, where local police were due to be equipped with infrared superglasses that can recognize car number plates.

So what’s the upshot for you? We are still not comfortable with the “except to fight crime” part of this after seeing what the rest of the world did with facial recognition in the name of fighting crime. Perhaps we need to be more trusting…

US: Apple Privacy is Unsurpassed, right? Er, not so fast.

“Apple is facing a class action lawsuit for allegedly harvesting iPhone user data even when the company’s own privacy settings promise not to.”

The suit, filed Thursday in California federal court, comes days after Gizmodo exclusively reported on research into how multiple iPhone apps send Apple analytics data, regardless of whether the iPhone Analytics privacy setting is turned on or off.

The problem was spotted by two independent researchers at the software company Mysk, who found that the Apple App Store sends the company exhaustive information about nearly everything a user does in the app, despite a privacy setting, iPhone Analytics, which claims to “disable the sharing of Device Analytics altogether” when switched off.

Gizmodo asked the researchers to run additional tests on other iPhone apps, including Apple Music, Apple TV, Books, and Stocks.

The researchers found that the problem persists across most of Apple’s suite of built-in iPhone apps…

[I]n the tests, turning the iPhone Analytics setting off had no evident effect on the data collection, nor did any of the iPhone’s other built-in settings meant to protect your privacy from Apple’s data collection.

Mysk’s tests on the App Store found that Apple receives that data along with details that can identify you and your device, including ID numbers, what kind of phone you’re using, your screen resolution, your keyboard languages, and how you’re connected to the internet — the kind of information commonly used for device fingerprinting.

So what’s the upshot for you? It’s all so reassuring. Apple stopped Zuckerberg from doing this so they could do it themselves (“fingerprinting” our devices).

RU/US: Russian Software Disguised as American Finds Its Way Into US Army, CDC Apps

Thousands of smartphone applications in Apple and Google’s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters reported yesterday.

The Centers for Disease Control and Prevention (CDC), the United States’ main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital.

After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns.

That app was used by soldiers at one of the country’s main combat training bases.

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing.

It employs around 40 people and reported a revenue of 143,270,000 rubles ($2.4 mln) last year.

Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland, and Washington, D.C., Reuters found.

So what’s the upshot for you? The issue here is that any data center located in Russia has to make its data, your data if it is held there, available to the Russian government when asked.

US: A Mysterious Company With Government Ties Plays A Key Internet Role

Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto?

An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.

Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority, a powerful spot in the internet’s infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.

One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics.

Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon.

The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it.

So what’s the upshot for you? This is a great journalistic “reveal” by the Washington Post.

AU: ‘Hunt down the scumbags’

A couple of weeks ago, Australia’s biggest health insurer, Medibank, said that data on all 4 million of its customers was breached.

Now the group behind that breach “have since released more sensitive details of customers’ medical records on the dark web, including data on abortions and alcohol issues,” reports Australia’s public broadcaster.

Their article points out that the release “follows Medibank’s refusal to pay a ransom for the data, with almost 500,000 health claims stolen, along with personal information.” But what was really interesting was that article’s headline:

“‘Hunt down the scumbags’: Australian government to ‘hack the hackers’ behind Medibank breach”

The Australian government is going to “hunt down the scumbags” responsible for the Medibank hack that compromised the private information of nearly 10 million customers, cyber security minister Clare O’Neil said… “Around 100 officers around these two organizations will be a part of this joint standing operation, and many of these officers will be physically co-located from the Australian Signals Directorate,” she said.

Ms. O’Neil said the officers will “show up to work every day” with the “goal of bringing down these gangs and thugs”.

“This is the formalization of a partnership — a standing body within the Australian government which will day in, day out, hunt down the scumbags who are responsible for these malicious crimes against innocent people,” she said.

“The smartest and toughest people in our country are going to hack the hackers…”

Australian Federal Police Commissioner Reece Kershaw on Friday said officers were also working with Interpol to track down the criminals.

“We know who you are,” he said. “The AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

One Australian think tank told the Associated Press that the breach was caused by a stolen username and password, sold on a Russian dark web forum.

“In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the Australian Federal Police knows where the hackers are and are working to bring them to justice,” reports TechCrunch:

The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer, the blog said.

“Unfortunately, we expect the criminal to continue to release stolen customer data each day,” Medibank CEO David Koczkar said on Friday.

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”

So what’s the upshot for you? We say, Booyah! Go get them, Australian Signals Directorate!

RU: A Russian Missile Crew Was Geolocated From Just One Eight-year-old Photo

In the early hours of Monday, 10 October 2022, Russia pummeled Ukraine’s largest cities with missiles killing at least 20 people and wounding more than 100, according to Ukraine’s national emergency service.

Russia has boasted about the surgical precision of its cruise missiles and claimed the attacks on 10 October targeted Ukraine’s military, security command centers and the national energy grid.

However, open-source evidence shows that multiple missiles struck non-military targets, damaging residential buildings and hitting kindergartens and playgrounds.

As the war in Ukraine rages on, an investigative team geolocated a Russian cruise missile program from a single group photo.

The missile program has caused untold misery in Ukraine. A group shot, taken in 2013, was sent to the investigative website Bellingcat, which laboriously geolocated the photo using satellite imagery and various other methods.

The photo, sent anonymously from a burner email account, was said to have been taken at the Russian Ministry of Defense’s Znamenka 19 facility 8 years earlier, but the team had to prove it.

“As with all geolocation, the first step is to identify details in the photograph that could be useful,” writes Aric Toler for Bellingcat.

“There are broadly two types of details that we look for when performing this type of task: big-picture details, and micro-details.”

The forensic work is detailed and methodical, but eventually Bellingcat traced enough detail to tie the two ends of the string together. The result was a six-month-long investigation in which Bellingcat and its investigative partners The Insider and Der Spiegel were able to uncover a hitherto secretive group of dozens of military engineers with an educational and professional background in missile programming.

Phone metadata shows contacts between these individuals and their superiors spiked shortly before many of the high-precision Russian cruise missile strikes that have killed hundreds and deprived millions in Ukraine of access to electricity and heating.

So what’s the upshot for you? This is amazing forensic work and absolutely worth more of a read. And to the missile crew: “The war will end soon enough. Justice may take time, but it will find you.”

US: Why shouldn’t the government tell you what languages to program in?

In a press release published last week, the US National Security Agency (NSA) says it will be making a strategic shift to memory safe programming languages.

The agency is advising organizations to explore such changes themselves by using languages such as C#, Go, Java, Ruby, Swift or Daml (OK, we added that one).

The “Software Memory Safety” Cybersecurity Information Sheet highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts.

“Memory management issues have been exploited for decades and are still entirely too common today,” said Neal Ziring, Cybersecurity Technical Director. “We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors.”

Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities.

NSA recommends that organizations use memory safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations.

So what’s the upshot for you? Poor memory management can also lead to plain technical issues, such as incorrect program results, degradation of the program’s performance over time, and program crashes. It’s all true; it’s just, when was the last time a government agency recommended which programming languages to prefer?
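The defect class the NSA sheet is warning about, as an added C illustration that is not code from the sheet or from this newsletter: a fixed-size name field filled by an unbounded copy, next to a bounded version that refuses input which does not fit. The buffer size, function names and sample inputs are constructed; the compiler flags in the comments are real gcc/clang options and stand in for the “code-hardening defenses” the sheet pairs with the language choice.

```c
/* Added illustration, not code from the NSA sheet or this newsletter.
 * NAME_MAX, the function names and the sample inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field, as a legacy record might use */

/* Count characters but never look past 'limit' bytes of 's'. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* The defect class: strcpy() trusts the caller. Any name of 16 or more
 * characters writes past 'buf' (undefined behaviour: silent corruption,
 * a crash, or the unauthorized code execution the sheet describes).
 * Kept for contrast; nothing here calls it with oversized input.
 * With -O2 -D_FORTIFY_SOURCE=2 the compiler swaps this strcpy for a
 * size-checked variant that aborts instead of overflowing. */
int greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);                 /* no length check at all */
    return (int)strlen(buf);
}

/* Bounded version: the caller supplies the destination and its size, and
 * input that does not fit (terminator included) is refused rather than
 * silently truncated. Returns the length copied, or -1 on rejection. */
int greet_safe(const char *name, char *out, size_t out_len)
{
    size_t n = bounded_len(name, NAME_MAX);
    if (out_len < NAME_MAX)            /* destination too small */
        return -1;
    if (n >= NAME_MAX)                 /* no room left for the '\0' */
        return -1;
    memcpy(out, name, n);
    out[n] = '\0';
    return (int)n;
}

/* Build with the hardening layers alongside the code fix, e.g.:
 *   cc -O2 -Wall -fstack-protector-strong -D_FORTIFY_SOURCE=2 demo.c
 *   cc -g -fsanitize=address demo.c   (flags the overflow during testing) */
int main(void)
{
    char out[NAME_MAX];
    const char *ok  = "alice";                               /* constructed */
    const char *bad = "a-very-long-username-that-overflows"; /* constructed */

    printf("%s -> %d\n", ok,  greet_safe(ok,  out, sizeof out));  /* 5  */
    printf("%s -> %d\n", bad, greet_safe(bad, out, sizeof out));  /* -1 */
    return 0;
}
```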

US: Any great idea for a new basis for public-key cryptography which does not use lattices will be greatly appreciated!

Fearing the possibility of encryption-cracking quantum computers, researchers are “scrambling to produce a new, ‘post-quantum’ encryption scheme.”

Earlier this year, the U.S. National Institute of Standards and Technology (NIST) revealed four finalists in its search for a post-quantum cryptography standard.

Three of them use “lattice cryptography” — a scheme inspired by lattices, regular arrangements of dots in space.

Lattice cryptography and other post-quantum possibilities differ from current standards in crucial ways.

But they all rely on mathematical asymmetry.

The security of many current cryptography systems is based on multiplication and factoring: Any computer can quickly multiply two numbers, but it could take centuries to factor a cryptographically large number into its prime constituents.

That asymmetry makes secrets easy to encode but hard to decode… A quirk of factoring makes it vulnerable to attack by quantum computers… Originally developed in the 1990s, [lattice cryptography] relies on the difficulty of reverse-engineering sums of points…

Of course, it’s always possible that someone will find a fatal flaw in lattice cryptography… Cryptography works until it’s cracked.

Indeed, earlier this summer one promising post-quantum cryptography scheme was cracked using not a quantum computer, but an ordinary laptop.

At a recent panel discussion on post-quantum cryptography, Adi Shamir (the S in RSA) expressed concern that NIST’s proposed solutions are predominantly based on lattice cryptography.

“In some sense, we are putting all eggs in the same basket, but that is the best we have…”

So what’s the upshot for you? “The best advice for young researchers is to stay away from lattice-based post-quantum crypto,” Shamir added. “What we really lack are entirely different ideas which will turn out to be secure.”

US: Google Agrees to $392 Million Privacy Settlement With 40 States

Google agreed to a record $391.5 million privacy settlement with a 40-state coalition of attorneys general on Monday for charges that it misled users into thinking they had turned off location tracking in their account settings even as the company continued collecting that information.

Under the settlement, Google will also make its location tracking disclosures clearer starting in 2023. The attorneys general said that the agreement was the biggest internet privacy settlement by U.S. states.

It capped a four-year investigation into the internet search giant’s practices from 2014-2020, which the attorneys general said violated the states’ consumer protection laws.

Google said it had already corrected some of the practices mentioned in the settlement.

“Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” said Jose Castaneda, a spokesman for Google.

So what’s the upshot for you? States have taken an increasingly central role in reining in the power and business models of Silicon Valley corporations, amid a vacuum of action from federal lawmakers.

AU: Today the 8 billionth person in the world joined us.

The UN’s latest projections, released earlier this year, suggest the world will house about 9.7 billion humans in 2050.

By this point in history, many countries’ populations have plateaued.

Just eight countries are projected to be responsible for more than half the world’s population increase by 2050.

One of them is India, which is set to overtake China as the most populous country in the world next year.

Pakistan and the Philippines are also on the list, and the remaining five are all in Africa: Nigeria, Tanzania, Ethiopia, the Democratic Republic of the Congo and Egypt.

Since 2017, more people have lived in cities than in rural areas, with the share of the population in cities only growing larger from the current 55%.

So what kind of life will 9 billion people on Earth live?

Fewer babies will lead to fewer workers, and will that lead to a smaller economy?

Do we need to rethink how we design cities for more and more people who aren’t commuting to offices?

Will the robots and artificial intelligence of the fourth industrial revolution finally deliver the promise of less work and more leisure?

So what’s the upshot for you? Happy birthday baby 8 billion. Lots of questions for you to answer. And who knows? Maybe you will grow up to become president!

And our quote of the week: “Technology trust is a good thing, but control is a better one.” ― Stéphane Nappo


That’s it for this week. Stay safe, stay secure, don’t wake the baby, and see you in se7en.


Reactive Policing is a no-win policy.

The and the ASD would be far better off launching a national, risk analysis review of key Private/Public entities in terms of Security, Information Management and practical Computing.

The Bad Guys who steal Data are now like Hydra: cut off 1 head, 2 more will grow :octopus:

Good idea, but I think I still enjoy the thought of the Ozzies hitting them with a can of Whoop Ass
