Time for a Checkup with the IT Privacy and Security Weekly Update for June 1st, 2021



G’day Damlers!

We’ve got an update that’s just chock full of news and updates that could very well help you see more clearly or leave you blind and wondering why you just bought those really dear headphones.

We start with tracking, move on to toothpaste, and then get a nosebleed from the hits the ransomware group Conti has inflicted, before we have our use of a certain term validated.

We discover how to tell the difference between “Dumb AI”, “Smart AI” and “Really Smart AI”.

And we leave you with a couple of health checks that have nothing to do with IT Privacy or Security but could have you feeling much better about your own visual and audio acuity.

This is without a doubt just what the doctor ordered, so let’s hang up our jackets, roll up our sleeves and get going!


CN: Alibaba’s Huge Browser Business Is Recording Millions Of Android And iPhone Users’ ‘Private’ Web Habits

If you went to download the Alibaba-owned app UC Browser this month, whether from Google’s Android Play Store or Apple’s iOS App Store, you would have been promised that with its “incognito” mode, no web browsing or search history would be recorded. Such guarantees, alongside promises of fast download times, have made the app, created by Alibaba subsidiary UCWeb, incredibly popular across the world, with 500 million downloads on Android alone.

According to one analysis, it’s the fourth biggest browser by user numbers in the world.

Privacy pledges made by UCWeb are misleading, according to security researcher Gabi Cirlig. His findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they’re in incognito mode or not, is sent to servers owned by UCWeb. Cirlig said IP addresses, which could be used to get a user’s rough location down to the town or neighborhood, were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company.

So what’s the upshot for you? If this kind of story doesn’t shock you into action, the next one will.


Global: A week at my mom’s house and now I’m getting ads for her toothpaste brand

As explained by Robert G. Reeve:

First of all, your social media apps are not listening to you. This is a conspiracy theory. It’s been debunked over and over again.

But frankly, they don’t need to because everything else you give them unthinkingly is way cheaper and way more powerful.

Your apps collect a ton of data from your phone. Your unique device ID. Your location. Your demographics.

Data aggregators pay to pull in data from EVERYWHERE. When I use my discount card at the grocery store? Every purchase? That’s a dataset for sale.

They can match my Harris Teeter (Grocery store) purchases to my Twitter account because I gave both those companies my email address and phone number and I agreed to all that data-sharing when I accepted those terms of service and the privacy policy.

Here’s where it gets truly nuts, though. If my phone is regularly in the same GPS location as another phone, they take note of that. They start reconstructing the web of people I’m in regular contact with. The advertisers can cross-reference my interests and browsing history and purchase history to those around me. It starts showing ME different ads based on the people AROUND me. It will serve me ads for things I DON’T WANT, but it knows someone I’m in regular contact with might want.

So. They know my mom’s toothpaste. They know I was at my mom’s. They know my Twitter. Now I get Twitter ads for mom’s toothpaste.

Your data isn’t just about you. It’s about how it can be used against every person you know, and people you don’t. To shape behavior unconsciously.

So what’s the upshot for you? If this article doesn’t make you want an iPhone, you probably already have one.


IE: More on the HSE attack and the Conti behind it.

The Conti ransomware group was responsible for a debilitating ransomware attack on Ireland’s Health Service Executive (HSE) on May 14. Officials say that a ransom demand of $20 million will not be paid, and while Conti has released an (unverified) decryption tool to the service, the group has still threatened to sell or leak HSE records allegedly stolen during the attack.

Dublin’s High Court has issued an injunction against Conti, under “persons unknown,” in an effort to stop the spread of stolen information. At the time of writing, staff are still unable to access email, and there are delays with issuing birth, death, and marriage certificates. The COVID-19 vaccination program is rolling out as normal, but there may also be delays in receiving test results.

Now the FBI has identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim.

The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors.

Ransom amounts vary widely and, the FBI assesses, are tailored to the victim. Recent ransom demands have been as high as $25 million.

So what’s the upshot for you? Ransomware as a service just should not be happening. When you add up all the numbers you realize that the cloud service providers must be enablers of some of these services, and it really is time to rein things in.


Global: And NOW the definitive guide to whether you have suffered a Cyber Attack

Def.: “A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”

One of the attacks listed was the Conti Attack on HSE, The Irish Health System. Was it classified as a Cyberattack? Now you can find out.

So what’s the upshot for you? Like it or not, we now have a formal definition.


Global: Artificial intelligence Can Write Disinformation Now—and Dupe Human Readers

When OpenAI demonstrated a powerful artificial intelligence algorithm capable of generating coherent text last June, its creators warned that the tool could potentially be wielded as a weapon of online misinformation.

Now a team of disinformation experts at Georgetown University has demonstrated how effectively that algorithm, called GPT-3, could be used to mislead and misinform. The Georgetown researchers say GPT-3, or a similar AI language algorithm, could prove especially effective for automatically generating short messages on social media, what the researchers call “one-to-many” misinformation.

In experiments, the researchers found that GPT-3’s writing could sway readers’ opinions on issues of international diplomacy. The researchers showed volunteers sample tweets written by GPT-3 about the withdrawal of US troops from Afghanistan and US sanctions on China.

In both cases, they found that participants were swayed by the messages. After seeing posts opposing China sanctions, for instance, the percentage of respondents who said they were against such a policy doubled.

Researchers note that the algorithm does not seem capable of reliably generating coherent and persuasive articles much longer than a tweet. “But the machines are only going to get better.”

So what’s the upshot for you? Oh no, that’s all we need. Dumb AI.


US: Perlmutter, said to be the world’s fastest AI supercomputer, comes online

The Perlmutter system, according to Nvidia Corp., whose graphics chips it uses in large numbers, is the “fastest on the planet” when it comes to handling the 16- and 32-bit mixed-precision math that’s used by AI applications. It will be tasked with tackling some of the most difficult science challenges in astrophysics and climate science, such as creating a 3D map of the universe and probing subatomic interactions for green energy sources, Nvidia said.

The system is a Hewlett Packard Enterprise Co.-built Cray supercomputer that boasts some serious processing power. It’s powered by a whopping 6,159 Nvidia A100 Tensor Core graphics processing units, which are the most advanced graphics processing units Nvidia has built.

Perlmutter will be used by researchers to assemble what will be the largest 3D map of the universe ever made by processing data from the Dark Energy Spectroscopic Instrument. DESI, as it’s known, can capture images of up to 5,000 galaxies in a single exposure. The idea is that by building a 3D map of the universe, scientists will be able to learn more about “dark energy,” which is the mysterious physics that’s said to be responsible for the accelerating expansion of the universe.

The supercomputer is fittingly named after astrophysicist Saul Perlmutter, who won the 2011 Nobel Prize for the work that led to the discovery of dark energy.

So what’s the upshot for you? We will need a 3D map of the universe when some of these commercial space-trip ventures really do start to “take off” shortly. This must be SMART AI!


Global: Artificial intelligence system can predict the impact of research

An artificial intelligence system called Delphi, trained on almost 40 years of the scientific literature, correctly identified 19 out of 20 research papers that have had the greatest scientific impact on biotechnology, and has selected 50 recent papers it predicts will be among the ‘top 5%’ of biotechnology papers in the future.

Scientists say the system could be used to find ‘hidden gems’ of research overlooked by other methods, and even to guide decisions on funding allocations so that it will be most likely to target promising research.

As with all machine learning systems, due care needs to be taken to reduce systemic biases.

The system has already attracted some criticism. Andreas Bender, a chemist at the University of Cambridge, wrote on Twitter that Delphi ‘will only serve to perpetuate existing academic biases’, while Daniel Koch, a molecular biophysicist at King’s College London, tweeted: ‘Unfortunately, once again “impactful” is defined mostly by citation-based metrics, so what’s “optimized” is scientific self-reference.’

So what’s the upshot for you? Who cares what Bender and Koch say! AI has indicated that this is the BEST IT Privacy and security weekly update EVER. So this must be REALLY SMART AI!


AU: Pwned Passwords, Open Source in the .NET Foundation, and Working with the FBI

Troy Hunt set up Have I Been Pwned? (HIBP) in 2013, and the dot-com is now said to be getting a billion requests a month.

Hunt previously shared that maintaining the site solo had brought him “very close to burn-out” and he has repeatedly looked for ways to spread the burden.

Open-sourcing the code that powers the site appears to be the most publicly transparent way to do that without selling 10 billion login credentials to a profit-motivated corporation.

Last year, Hunt announced plans to make key portions of the system open source for others to pick up, use, and improve. Now the Pwned Passwords codebase is available from GitHub under a BSD three-clause license.

Hunt also said the FBI has offered to feed known compromised passwords into HIBP.

"Today, it’s finally happened with Pwned Passwords now completely open to all. That’s only been possible with the help of the .NET Foundation because as I’ve said many times now, this is new territory for me. And just to make things really interesting, we’re all going to build some code for the FBI to feed passwords obtained in the process of their various investigations into HIBP.

Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised.

Cool"

So what’s the upshot for you? Troy Hunt has done an amazing job with this, but it’s been such a load to carry on his shoulders. We are glad to see that others are providing a little more help to what must be becoming a relatively costly adventure to maintain.
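As an added illustration of the kind of check Pwned Passwords makes possible (example code written for this update, not Troy Hunt’s or the open-sourced project’s code): the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest, and matches the returned suffixes locally, so the password itself never leaves the machine. The range response below is constructed for the example, and `fake_fetch_range` is a stand-in for the HTTPS request to the range endpoint.

```python
import hashlib
from typing import Callable, Dict

# Constructed range response for the SHA-1 prefix "5BAA6", which is the
# prefix of sha1("password"). The other suffixes and all counts are made
# up for this example; they are not real Pwned Passwords data. The line
# format ("SUFFIX:COUNT", CRLF separated) is an assumption about the API.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "ABCDEF0123456789ABCDEF0123456789ABC:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FEDCBA9876543210FEDCBA9876543210FED:0",   # a zero-count (padding) entry
    ]),
}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the lookup key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Malformed lines are skipped rather than raising, so one bad line in a
    response cannot turn into a false "not breached" result for the caller.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.upper()
        if len(suffix) != 35 or not all(c in "0123456789ABCDEF" for c in suffix):
            continue
        if not count.strip().isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}; serves only the constructed sample."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    Only the 5-character prefix is handed to fetch_range; the remaining 35
    characters are compared locally, which is the k-anonymity property.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range_response(fetch_range(prefix))
    # A zero count (e.g. a padding entry) is treated as not found.
    return counts.get(suffix, 0)


def password_verdict(password: str) -> str:
    """Human-readable result suitable for a signup or password-change form."""
    n = pwned_count(password)
    return "ok" if n == 0 else f"rejected: seen {n} times in known breaches"


if __name__ == "__main__":
    for candidate in ["password", "a-long-passphrase-not-in-the-sample"]:
        print(candidate, "->", password_verdict(candidate))
```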


TR: Drones may have attacked humans fully autonomously for the first time

This story was provided to the Update by DA’s own “DJ KK”.

The March 2020 attack was in Libya and perpetrated by a Kargu-2 quadcopter drone produced by Turkish military tech company STM “during a conflict between Libyan government forces and a breakaway military faction led by Khalifa Haftar, commander of the Libyan National Army,” the Star reports, adding: “The Kargu-2 is fitted with an explosive charge and the drone can be directed at a target in a kamikaze attack, detonating on impact.”

The drones were operating in a “highly effective” autonomous mode that required no human controller and the report notes:

“The lethal autonomous weapons systems were programmed to attack targets without requiring data connectivity between the operator and the munition: in effect, a true ‘fire, forget and find’ capability” – suggesting the drones attacked on their own.

“How brittle is the object recognition system?” Kallenborn asked in the report. “… how often does it misidentify targets?”

Jack Watling at UK defense think tank Royal United Services Institute told New Scientist: “This does not show that autonomous weapons would be impossible to regulate. But it does show that the discussion continues to be urgent and important. The technology isn’t going to wait for us.”

In August of last year, Human Rights Watch warned of the need for legislation against “killer robots” while NYC mayoral candidate Andrew Yang has called for a global ban on them – something the US and Russia are against.

So what’s the upshot for you? Quick, call Arnold. We’d like these “terminated”.


Global: Tesla has activated its in-car camera to monitor drivers using Autopilot

In a software update, Tesla indicated the “cabin camera above the rearview mirror can now detect and alert driver inattentiveness while Autopilot is engaged.” Notably, Tesla has a closed-loop system for the data, meaning imagery captured by the camera does not leave the car. The system cannot save or transmit information unless data sharing is enabled, according to Tesla.

Tesla has faced criticism for not activating a driver monitoring system within the vehicle even as evidence mounted that owners were misusing the system. Owners have posted dozens of videos on YouTube and TikTok abusing the Autopilot system — some of whom have filmed themselves sitting in the backseat as the vehicle drives along the highway. Several fatal crashes involving Tesla vehicles that had Autopilot engaged put pressure on the company to act.

The move comes just a week after Tesla tweeted that its Model Y and Model 3 vehicles bound for North American customers are being built without radar. The decision to pull radar out of the vehicles has caused some blowback for the company. Consumer Reports no longer lists the Model 3 as a Top Pick, and the Insurance Institute for Highway Safety said it plans to remove the Model 3’s Top Safety Pick+ designation. The National Highway Traffic Safety Administration has said that Model 3 and Model Y vehicles built on or after April 27, 2021, will no longer receive the agency’s checkmark for automatic emergency braking, forward collision warning, lane departure warning, and dynamic brake support.

So what’s the upshot for you? Paparazzi was the most downloaded app from Apple this past weekend. You actually cannot take selfies with it. Is Elon trying to buck the trend? “Honey, I’m just going out to the car to do some selfies…”


NO: Tesla is found guilty of throttling charging speed, asked to pay $16,000 to thousands of owners

In court in Norway, Tesla was found guilty of throttling charging speed and battery capacity through a software update. Unless it appeals, Tesla is going to have to pay $16,000 to each of the thousands of owners affected in the country. The fine could be even more significant as other similar legal efforts are on the way in other countries. Only Model S and Model X vehicles with 85 kWh battery packs, which were discontinued in 2016, seem to be affected at this point.

For most owners, the range drop happened after updating to Tesla’s 2019.16.1 and .2 software updates. Tesla said that the goal of the update is to “protect the battery and improve battery longevity,” and that it resulted in a range loss for only “a small percentage of owners.”

There could be over 10,000 Tesla owners affected by the update in Norway alone, which could make the fine quite pricey for the automaker, but more importantly, it could also set the tone for several other similar lawsuits, including one in the US.

So what’s the upshot for you? When a battery preserving software update happens with an iPhone you go from 10 hours to 3. When it happens with a Tesla you go from 200 miles to 20. And then what is the point of the car?


UK: GPs urged to refuse to hand over patient details to NHS Digital

Senior GPs (General practitioners/doctors) have called on colleagues to refuse to hand over patients’ personal data to NHS Digital, in a move they hope will buy time to raise awareness of plans to place all medical records in England on a central database.

NHS Digital says the data, which will include information on patients’ physical, mental and sexual health, will be anonymized. But critics warn anonymization can be easily reversed. And they argue the six weeks between the announcement of the plan and the beginning of collection has not given patients enough time to understand what is happening to their medical records.

Doctors fear that the automatic transfer of medical records will undermine the trust patients have in them.

“What’s being asked for here is people’s entire health record, so everything that we’ve coded in people’s records from the time of their birth to the time of their death, including their physical, mental, and sexual health, including their health-related concerns with family and work and including their drug and alcohol history.

Essentially all the most intimate private details of your life are being asked to be handed over.”

So what’s the upshot for you? We agree with the doctors. Inform people so they understand and then have a plan to encrypt all the data coming into the database. Otherwise, you may be just collecting it for hackers to walk away with.


SE: Swedish Public Health Agency Says Disease Database Targeted in Cyberattacks

https://www.securityweek.com/swedish-public-health-agency-says-disease-database-targeted-cyberattacks

SmiNet was shut down on Thursday after the agency identified several attempts to gain unauthorized access to the database, but it was restored by Friday night.

On Thursday, the Public Health Agency announced that it had shut down the database to prevent hacking attempts, and immediately launched an investigation into the matter. The incident was also reported to the relevant authorities.

“Work is underway to investigate as quickly as possible whether anyone may have accessed sensitive personal data from the database, as well as sort out and rectify any deficiencies.”

So what’s the upshot for you? Might the doctor’s ears in the UK be ringing over this story?


CN: China maintains ‘artificial sun’ at 120 million Celsius for over 100 seconds, setting new world record

China broke the record when the Experimental Advanced Superconducting Tokamak (EAST) achieved a plasma temperature of 120 million Celsius for 101 seconds and 160 million Celsius for 20 seconds, a major step toward the test run of the fusion reactor.

The Tokamak device is located at the Hefei Institutes of Physical Science of the Chinese Academy of Sciences. It is designed to replicate the nuclear fusion process that occurs naturally in the sun and stars to provide almost infinite clean energy through controlled nuclear fusion.

Achieving a plasma temperature above 100 million C is one of the key challenges to harness nuclear fusion. At the end of 2020, South Korea reached 100 million C for 20 seconds. The temperature at the core of the sun is widely believed to be 15 million C, meaning that the plasma at the device’s core will be seven times hotter than that of the sun.

If the technology can be applied commercially, it will have huge economic benefits, but that is many, many years away.

So what’s the upshot for you? We hope the scientists remembered to don their sunglasses before this last test!


Global: How Well Can You Hear Audio Quality?

Apparently many listeners of our podcast cannot hear the difference between uncompressed audio files and MP3s, so when it comes to audio quality, the size of the file isn’t everything.

There are plenty of other ingredients to consider, from the quality of your headphones to the size of the room you’re sitting in to, well, your own ears.

So what’s the upshot for you? Don’t be sad if you tried the test and missed a few. It means next time you can buy cheaper headphones. Whatever the case, our podcasts will always be high fidelity!


That’s it for this week. Thanks for joining us and keeping it private, safe and secure! What? What did you say? Oh, yes. See you in Se7en!




Agree 100%.

They need to take a leaf out of the MPAA, RIAA and IFPI’s playbooks in relation to online service dismantling.

Disable their comms channels, seize their Domain names & get them barred from that Domain Registrar, deny them their Web & Cloud hosting, deny them payment providers, notify the upstream providers of same etc etc etc.

Pretty hard to do online business, without online tools & access.

We are perfectly aligned here. I am not sure what the holdup is, except that no one wants to get involved. They will when they see the price rise on their bill for Cyber-insurance this year. There is going to be sticker shock this year after some of the payouts that have been made.

Thanks, as always, Quidagis for your insight. We all really enjoy your participation!
