The IT Privacy and Security Weekly Update with Zuck singing “We Will Track You” for the week ending July 19th, 2022


This week we use all our senses as we move from our ears, with Mark Zuckerberg’s lilting voice and constant tracking, to talk of a frozen backside during one of the biggest heatwaves ever to hit the northern hemisphere.

We learn that our eyes may never see the million-page novel censored by an online document service, and smell a rat as a former CIA agent gets the opportunity to feel the solitude of a jail cell.

We get a taste of what the Department of Homeland Security is up to, yet are comforted that a sister agency has kept at least one hospital healthy and well.

We touch on the best IT Privacy and Security stories this week and if they leave you hot and sweaty, it could be global warming, but more likely it’s the content!

Faces forward, deep inhale, let’s go!

Global: Clever Facebook has Started Encrypting Links to counter browser Anti-Tracking.

From our collection of “Never give up, Never give in” stories: “Facebook has started to use a different URL scheme for site links,” writes the technology blog Ghacks, “to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking.”

Some sites, including Facebook, add parameters to the web address for tracking purposes.

These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022.

Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict.

Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration.

Brave Browser strips known tracking parameters from web addresses as well…

But now, it is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address.
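To make the mechanism concrete, here is an added example (not code from Ghacks, Mozilla, Brave or Facebook) of a minimal query-parameter stripper of the kind Firefox 102 and Brave ship, run against two constructed links: one carrying a classic `fbclid` query parameter, and one hypothetical shape in which the identifier sits inside the path, which is the kind of link a parameter stripper cannot clean.

```javascript
// Added example: a minimal tracking-parameter stripper in the style of
// browser URL stripping. The blocklist and sample links are constructed for
// this example; real browsers ship longer, vendor-maintained lists.
const TRACKING_PARAMS = new Set([
  "fbclid", "gclid", "dclid", "msclkid", "mc_eid",
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
]);

// Remove known tracking query parameters from an absolute URL.
// Functional parameters, the host, the path and the fragment are left intact.
// Returns the cleaned href and the list of parameter names that were removed.
function stripTrackingParams(href, blocklist = TRACKING_PARAMS) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { href, removed: [] }; // not an absolute URL: leave it untouched
  }
  // Collect first, then delete: mutating searchParams while iterating skips entries.
  const removed = [];
  for (const key of url.searchParams.keys()) {
    if (blocklist.has(key.toLowerCase())) removed.push(key);
  }
  for (const key of removed) url.searchParams.delete(key);
  return { href: url.href, removed: Array.from(new Set(removed)) };
}

// Constructed sample links (hypothetical, not Facebook's real link format).
// QUERY_TRACKED carries the identifier as a query parameter, which can be stripped.
// PATH_TRACKED carries an opaque identifier as a path segment; a query stripper
// has no safe way to tell it apart from a required part of the address.
const QUERY_TRACKED = "https://www.facebook.com/somepage/posts/123?fbclid=IwAR0abc123&ref=share";
const PATH_TRACKED = "https://www.facebook.com/somepage/posts/123/IwAR0abc123";

// Report whether stripping changed a link at all, so a user or tool can see
// when the tracking part has been folded into the required address.
function stripReport(href) {
  const result = stripTrackingParams(href);
  return { ...result, changed: result.href !== href };
}

console.log(stripReport(QUERY_TRACKED)); // fbclid removed, changed: true
console.log(stripReport(PATH_TRACKED));  // nothing removed, changed: false
```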

So what’s the upshot for you? Sung to the melody of Queen’s “We will Rock you”: We will, We will track you.

CN/US: Chinese hackers targeted U.S. political reporters just ahead of Jan. 6 attack, researchers say

Hackers connected with the Chinese government engaged in numerous phishing campaigns targeting U.S.-based journalists since early 2021, with operations focused on political and national security reporters and White House correspondents in the days leading up to the Jan. 6 attack on the Capitol, researchers said last Thursday.

The previously unreported efforts are just a few examples of the digital risks that reporters and media companies are facing from an array of well-resourced state-backed hackers doing everything from gathering information to spreading malware.

Key Takeaways

  • Those involved in media make for appealing targets given the unique access, information, and insights they can provide on topics of state-designated import.
  • APT actors have been observed since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives.
  • The identified campaigns have leveraged a variety of techniques from using web beacons for reconnaissance to sending malware to establish initial access into the target’s network.
  • The focus on media by APTs is unlikely to ever wane, making it important for journalists to protect themselves, their sources, and the integrity of their information by ensuring they have an accurate threat model and secure themselves appropriately.

So what’s the upshot for you? The varied approaches by APT actors—using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network—means those operating in the media space need to stay vigilant.

Assessing one’s personal level of risk can give an individual a good sense of the odds they will end up as a target.

For example, if you report on China or North Korea or their associated threat actors, you may become part of their collection requirements in the future.

CN: A Million-Word Novel Got Censored Before It Was Even Shared

Imagine you are working on your novel on your home computer.

It’s nearly finished; you have already written approximately one million words.

All of a sudden, the online word processing software tells you that you can no longer open the draft because it contains illegal information.

Within an instant, all your words are lost.

This is what happened in June to a Chinese novelist writing under the alias Mitu.

She had been working with WPS, a domestic version of cloud-based word processing software such as Google Docs or Microsoft Office 365.

In the Chinese literature forum Lkong on June 25, Mitu accused WPS of “spying on and locking my draft,” citing the presence of illegal content.

The news blew up on social media on July 11 after a few prominent influencer accounts belatedly picked it up.

It became the top trending topic on Weibo that day, with users questioning whether WPS is infringing on their privacy.

Since then, The Economic Observer, a Chinese publication, has reported that several other online novelists have had their drafts locked for unclear reasons in the past.

Mitu’s complaint triggered a social media discussion in China about censorship and tech platform responsibility.

So what’s the upshot for you? This highlights the tension between Chinese users’ increasing awareness of privacy and tech companies’ obligation to censor on behalf of the government.

US: TikTok’s Head of Cybersecurity Is Stepping Down Amid Rising Privacy Concerns

TikTok’s chief security officer is leaving the role in September amid renewed calls from members of the government to look into the social media app’s ties to China.

A TikTok spokesperson told the Wall Street Journal that the decision to replace Roland Cloutier as Chief Security Officer is unrelated to any data-privacy concerns.

TikTok, which is currently the fastest growing social media company, has often faced scrutiny for being owned by the Chinese company ByteDance.

Last month, Buzzfeed News reported that US user data had been repeatedly accessed by TikTok employees in China based on leaked audio from internal company meetings.

CEO Shou Zi Chew sent a note to TikTok employees about Cloutier’s exit as chief security officer, writing that "part of our evolving approach has been to minimize concerns about the security of user data in the U.S., including the creation of a new department to manage U.S. user data for TikTok.

This is an important investment in our data protection practices, and it also changes the scope of the Global CSO role."

Cloutier will officially step down from his role as Chief Security Officer in September and transition to an advisory role at TikTok.

So what’s the upshot for you? We can understand this departure, especially if you are looking at a beat-down coming.

US: Former CIA engineer convicted in WikiLeaks espionage case

NEW YORK, July 13 (Reuters) - A former CIA software engineer was convicted on Wednesday of leaking classified information to WikiLeaks from the spy agency, in one of the biggest such thefts in CIA history.

Jurors in Manhattan federal court convicted Joshua Schulte, 33, on eight espionage charges and one obstruction charge over the so-called Vault 7 leak.

Schulte had represented himself at the month-long trial. The jury began deliberating on Friday. An earlier trial ended in a March 2020 mistrial because jurors were deadlocked on the main counts.

“Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history,” in undermining U.S. efforts to battle “terrorist organizations and other malign influences” around the world, U.S. Attorney Damian Williams in Manhattan said in a statement.

The leaked materials concerned software tools the Central Intelligence Agency used to surveil people outside the United States, through such means as compromising smartphones and internet-connected TVs.

So what’s the upshot for you? First thing: Don’t try to represent yourself in a trial that lasts a month over something you did because you were mad at your management. You will probably end up with years and years to review what you woulda, coulda, shoulda done differently.

Global: A New Attack Can Unmask Anonymous Users on Any Major Browser

Researchers from the New Jersey Institute of Technology are warning about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets’ digital lives.

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you.

Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more.

The attacks work against every major browser, including the anonymity-focused Tor Browser.

The attack takes advantage of a number of factors most people likely take for granted: Many major services—from YouTube to Dropbox—allow users to host media and embed it on a third-party website.

Regular users typically have an account with these ubiquitous services and, crucially, they often stay logged into these platforms on their phones or computers.

Finally, these services allow users to restrict access to content uploaded to them.

For example, you can set your Dropbox account to privately share a video with one or a handful of other users. Or you can upload a video to Facebook publicly but block certain accounts from viewing it.

These “block” or “allow” relationships are the crux of how the researchers found that they can reveal identities.

The technique is known as a “side channel attack” because the researchers found that they could accurately and reliably make this determination by training machine learning algorithms to parse seemingly unrelated data about how the victim’s browser and device process the request.

Once the attacker knows that the one user they allowed to view the content has done so (or that the one user they blocked has been blocked) they have de-anonymized the site visitor.

Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site—and it would be virtually impossible for an unsuspecting user to detect the hack.

So what’s the upshot for you? As a note, we tried NJIT’s “Leakuidator+” browser add-on to block this type of tracking on both Firefox and Chrome and, you guessed it, most other web pages stopped working too.

US: Two US Lawmakers Urge Immediate Action Curtailing Deceptive Data Practices in VPN Industry

Two members of the U.S. Congress urged America’s Federal Trade Commission “to address deceptive practices in the Virtual Private Network industry.”

With abortion becoming illegal or restricted in several states, more people are looking to conceal their messages and search history, as police can use this information to prosecute someone seeking the procedure.

In their letter, Anna Eshoo (D-CA) and Senator Ron Wyden asked the FTC to clamp down on VPN providers that engage in deceptive advertising or make false assertions about the range of their service’s privacy.

The lawmakers cite research from Consumer Reports that indicate 75 percent of the most popular VPNs “misrepresented their products” or made misleading claims that could give “abortion-seekers a false sense of security.”

Eshoo and Wyden also call attention to reports accusing various VPN services of misusing user data, as well as “a lack of practical tools or independent research to audit VPN providers’ security claims…”

“We urge the Federal Trade Commission to take immediate action… to curtail abusive and deceptive data practices in companies providing VPN services to protect internet users seeking abortions.”

Eshoo and Wyden also ask that the FTC develop a brochure that informs anyone seeking an abortion about online privacy, as well as outlines the risks and benefits of using a VPN.

So what’s the upshot for you? Wait… what? Wasn’t the reason you were using a VPN? To ensure your privacy?

US: Homeland Security records show ‘shocking’ use of phone data, ACLU says

The Trump administration’s immigration enforcers used mobile location data to track people’s movements on a larger scale than previously known, according to documents that raise new questions about federal agencies’ efforts to get around restrictions on warrantless searches.

The data, harvested from apps on hundreds of millions of phones, allowed the Department of Homeland Security to obtain data on more than 336,000 location data points across North America, the documents show.

Those data points may reference only a small portion of the information that CBP has obtained.

These data points came from all over the continent, including in major cities like Los Angeles, New York, Chicago, Denver, Toronto, and Mexico City.

This location data use has continued into the Biden administration, as Customs and Border Protection renewed a contract for $20,000 into September 2021, and Immigration and Customs Enforcement signed another contract in November 2021 that lasts until June 2023.

The American Civil Liberties Union obtained the records from DHS through a lawsuit it filed in 2020. It released them to the public on Monday.

The documents highlight conversations and contracts between federal agencies and the surveillance companies Babel Street and Venntel.

Venntel alone boasts that its database includes location information from more than 250 million devices.

The documents also show agency staff having internal conversations about privacy concerns regarding using phone location data.

In just three days in 2018, the documents show that the CBP collected data from more than 113,000 locations from phones in the Southwestern United States – equivalent to more than 26 data points per minute – without obtaining a warrant.

The documents highlight the massive scale of location data that government agencies including CBP and ICE received, and how the agencies sought to take advantage of the mobile advertising industry’s treasure trove of data.

“It was definitely a shocking amount,” said Shreya Tewari, the Brennan fellow for the ACLU’s Speech, Privacy and Technology Project.

“It was a really detailed picture of how they can zero in on not only a specific geographic area, but also a time period, and how much they’re collecting and how quickly.”

So what’s the upshot for you? If they collect this much data without a warrant, either they now don’t need to bother with a warrant, or the volumes of data collected with a warrant in hand would be truly obscene.

DK: Denmark Bans Chromebooks, Google Workspace In Schools Over Data Transfer Risks

In a verdict published last week, Denmark’s data protection agency, Datatilsynet, revealed that data processing involving students using Google’s cloud-based Workspace software suite – which includes Gmail, Google Docs, Calendar and Google Drive – “does not meet the requirements” of the European Union’s GDPR data privacy regulations.

Specifically, the authority found that the data processor agreement – or Google’s terms and conditions – seemingly allow for data to be transferred to other countries for the purpose of providing support, even though the data is ordinarily stored in one of Google’s EU data centers.

Google’s Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark.

But Datatilsynet focused specifically on Helsingor for the risk assessment after the municipality reported a “breach of personal data security” back in 2020.

While this latest ruling technically only applies to schools in Helsingor for now, Datatilsynet notes that many of the conclusions it has reached will “probably apply to other municipalities” that use Google Chromebooks and Workspace.

It added that it expects these other municipalities “to take relevant steps” off the back of the decision it reached in Helsingor.

The ban is effective immediately, but Helsingor has until August 3 to delete user data.

A Google spokesperson told TechCrunch in a statement: "We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That’s why for years, Google has invested in privacy best practices and diligent risk assessments and made our documentation widely available so anyone can see how we help organizations comply with the GDPR.

Schools own their own data.

We only process their data in accordance with our contracts with them. In Workspace for Education, students’ data is never used for advertising or other commercial purposes.

Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance."

So what’s the upshot for you? What did we learn from TikTok? If you can administer data from another country that data is effectively in that other country.

We can only imagine what use the US Homeland Security team might have for Danish school children’s data.

US/NZ: US court orders Glassdoor to give reviewer information to NZ toymaker Zuru

Shared with us by Abhi Sangeetha: Company review website Glassdoor has been ordered by a United States court to hand over the information of users who wrote negative reviews about New Zealand toymaker Zuru, a billion-dollar company.

Glassdoor allows current and former employees to rate their experience in a workplace and write anonymous reviews.

Zuru brought the legal challenge following six scathing reviews, alleging the anonymous poster or posters had defamed the company.

Zuru intended to sue the reviewers for defamation in New Zealand, where Zuru was founded, and the reviewers worked, case notes show.

So what’s the upshot for you? Zuru intends to sue the reviewers for defamation in New Zealand.

This makes us:
A.) Want to avoid leaving any further honest, anonymous reviews on Glassdoor, Comparably, or Indeed.
B.) Go buy toys for our children from a fine, friendly Kiwi company… but not Zuru.
C.) Want to think about ever again participating in a survey or set of responses that could leave us open to legal recrimination.

Global: Amazon sues admins from 10,000 Facebook groups over fake reviews

Amazon has been plagued with reviews that artificially boost product ratings for years.

A Washington Post investigation back in 2018 found that obviously fake reviews dominated some product categories, including Bluetooth headphones and health supplements.

At the time the Post found a thriving cottage industry selling fake reviews on Facebook.

Sellers court Amazon shoppers on Facebook across “dozens of networks, including Amazon Review Club and Amazon Reviewers Group, to give glowing feedback in exchange for money or other compensation,” according to the Post.

Amazon acknowledged the scope of the problem in a blog post last year.

“Due to our continued improvements in detection of fake reviews and connections between bad-actor buying and selling accounts, we have seen an increasing trend of bad actors attempting to solicit fake reviews outside Amazon, particularly via social media services,” the company wrote.

So what’s the upshot for you? Amazon says that it will leverage the discovery process to “identify bad actors and remove fake reviews commissioned by these fraudsters that haven’t already been detected by Amazon’s advanced technology, expert investigators, and continuous monitoring.”

…And that should provide you great reassurance that the thing you didn’t really need, but bought, because of all the glowing reviews, might not be such a piece of rubbish after all.

US/KP/CN: The US ‘Disrupted’ North Korean Hackers Who Breached the Health Sector

Federal investigators “disrupted” a North Korean state-sponsored hacking group that targeted US medical facilities and other health organizations, a top Justice Department official said Tuesday.

The attacks included the targeting of a medical center in Kansas last year, Deputy Attorney General Lisa Monaco said, disabling the hospital’s systems that store important data and run key equipment.

Monaco said the government’s investigation led to a public warning, with the Department of Homeland Security, about “Maui” ransomware targeting the health sector.

“The hospital’s leadership faced an impossible choice: Give in to the ransom demand, or cripple the ability of the doctors and nurses to provide critical care,” Monaco said at the International Conference on Cyber Security at Fordham University in New York.

So what’s the upshot for you? Through the investigation into the ransomware attacks on medical centers, the FBI identified China-based money launderers – who “regularly assist the North Koreans in ‘cashing out’ ransom payments” – and seized about $500,000 in payments and cryptocurrency, including all the funds paid by the Kansas medical center.

“Today, we have unsealed the seizure warrant and initiated proceedings to return the stolen funds to the victims."

Aw! Happy ending.

Global: Cryptocurrency Flowing Into ‘Mixers’ Hits an All-Time High

Mixers, also known as tumblers, obfuscate cryptocurrency transactions by creating a disconnect between the funds a user deposits and the funds the user withdraws.

To do this, mixers pool funds deposited by large numbers of users and randomly mix them. Each user can withdraw the entire amount deposited, minus a cut for the mixer, but because the coins come from this jumbled pool, it’s harder for blockchain investigators to track precisely where the money went.

Some mixers provide additional obfuscation by allowing users to withdraw funds in differing amounts sent to different wallet addresses.

Others try to conceal the mixing activity altogether by changing the fee on each transaction or varying the type of deposit address used.

But before you jump to conclusions, mixer use isn’t automatically illegal or unethical.

“Mixers present a difficult question to regulators and members of the cryptocurrency community,” researchers from cryptocurrency analysis firm Chainalysis wrote in a report that linked the surge to increased volumes deposited by sanctioned and criminal groups.

"Virtually everyone would acknowledge that financial privacy is valuable and that in a vacuum, there’s no reason services like mixers shouldn’t be able to provide it.

However, the data shows that mixers currently pose a significant money laundering risk, with 25 percent of funds coming from illicit addresses, and that cybercriminals associated with hostile governments are taking advantage."

Cryptocurrency received by these mixers fluctuates significantly from day to day, so researchers find it more useful to use longer-term measures.

The 30-day moving average of funds received by mixers hit $51.8 million in mid-April, an all-time high, Chainalysis reported.

The high-water mark represented almost double the incoming volumes at the same point last year.

What’s more, illicit wallet addresses accounted for 23 percent of funds sent to mixers this year, up from 12 percent in 2021.

So what’s the upshot for you? Transaction privacy is something you don’t get on a public blockchain except through mixers or with something like the Canton Distributed Ledger, a privacy-enabled distributed ledger that provides secure synchronization between multiple parties across a wide range of technologies and is enhanced when deployed alongside complementary blockchains.

UK: You bought it but now you have to pay to use it. BMW introduces a new heated seat subscription in the UK

BMW has sparked debate after offering an online subscription to turn on heated front seats in its cars in the UK for £15 per month.

A monthly heated steering wheel subscription costs £10.

Subscriptions have been available for features on BMW cars for some time in the UK, but the heated seat offer started this month.

The news has sparked an online debate, with news site The Verge saying: "In the case of heated seats, for example, BMW owners already have all the necessary components, but BMW has simply placed a software block on their functionality that buyers then have to pay to remove."

The Register said that while it could work as a way for owners to add features as they can afford them, “on the other hand, it may feel like buying a mug and having to rent the handle”.

A number of the reports note BMW’s move is part of a wider industry trend with a range of car-makers offering subscriptions.

There were negative comments on social media too, with one Twitter user writing: "Subscriptions for software is one thing, no one is going to subscribe for heated seats or whatever if I own the car I own everything in it."

So what’s the upshot for you? We liked this response from Kurt Opsahl, general counsel of digital civil liberties campaign group the Electronic Frontier Foundation:
“A seat heater blocked by software is broken, and the car owner should have the right to repair their seats.”

Quote of the week: “Toughen up cupcake, the Prince of Nigeria is sad too; no one falls for his emails anymore.” –Anonymous

That’s it for this week. Stay safe, stay secure, remember that the best time to introduce service charges for seat warmers is during a global heat wave, keep cool and we’ll track you down in se7en.