Trucking with the IT Privacy and Security Weekly update for the week ending December 6th., 2022


Heavens to Betsey! This week we start with liars and end in a Pepsi Cola loading bay.

We discover stuff under our desks, new ways to get into pictures at the airport, and something unexpected flying over our heads.

We discover the extent of Telegram’s much-touted privacy even as we give up our own for the sake of a sharper picture and a few more channels.

Tim Cook’s team share how an iPhone can save you lugging around a heavy tape measure and then we glean some insight on the balancing act of one country’s Zero tolerance Covid-19 budget … potentially paid for by another county’s Covid -19 funding.

We have a couple more breaches and then Australia’s plan to prevent companies from losing our data … by driving them into bankruptcy.

It’s all here, but the truck’s out back. Race you!

Global: Anker’s Eufy lied to us about the security of its security cameras

Despite claims of only using local storage with its security cameras, Eufy has been caught uploading identifiable footage to the cloud. And it’s even possible to view the camera streams using VLC.

Eufy’s commitment to privacy is remarkable: it promises your data will be stored locally, that it “never leaves the safety of your home,” that its footage only gets transmitted with “end-to-end” military-grade encryption, and that it will only send that footage “straight to your phone.”

So you can imagine our surprise to learn you can stream video from a Eufy camera, from the other side of the country, with no encryption at all.

This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.

Also, it seems like it only works on cameras that are awake.

We had to wait until our camera’s owner pressed a button before the VLC stream came to life.

Your camera’s 16-digit serial number — likely visible on the box — is the biggest part of the key

But it also gets worse: Eufy’s best practices appear to be so shoddy that bad actors might be able to figure out the address of a camera’s feed — because that address largely consists of your camera’s serial number encoded in Base64, something you can easily reverse with a simple online calculator.

The address also includes a Unix timestamp you can easily create, plus a token that Eufy’s servers don’t actually seem to be validating (we changed our token to “arbitrarypotato” and it still worked), and a four-digit random hex whose 65,536 combinations could easily be brute forced.

There are other worrying signs that Anker’s security practices may be much, much poorer than it has let on. This whole saga started when infosec consultant Moore started tweeting accusations that Eufy had violated other security promises, including uploading thumbnail images (including faces) to the cloud without permission and failing to delete stored private data. Anker reportedly admitted to the former but called it a misunderstanding.

You have some serious questions to answer @EufyOfficial

Here is irrefutable proof that my supposedly “private”, “stored locally”, and “transmitted only to you” doorbell is streaming to the cloud - without cloud storage enabled.#privacy
— Paul Moore (@Paul_Reviews) November 23, 2022

Most worrying if true, he also claims that Eufy’s encryption key for its video footage is literally just the plaintext string “ZXSecurity17Cam@”. That phrase also appears in a GitHub repo from 2019, too.

Anker didn’t answer The Verge’s straightforward yes-or-no question about whether “ZXSecurity17Cam@” is the encryption key.

We couldn’t get more details from Moore, either; he told The Verge he can’t comment further now that he’s started legal proceedings against Anker.

Now that Anker has been caught in some big lies, it’s going to be hard to trust whatever the company says next — but for some, it may be important to know which cameras do and do not behave this way, whether anything will be changed, and when.

When Wyze had a vaguely similar vulnerability, it swept it under the rug for three years; hopefully, Anker will do far, far better.

So what’s the upshot for you? Until then if you have a Eufy camera for security, the most secure option might be not having it.

US: It’s Not Science, Just Surveillance (and it’s Under Your Desk)

“Graduate students at Northeastern University were able to organize and beat back an attempt at introducing invasive surveillance devices that were quietly placed under desks at their school.”

Early in October, Senior Vice Provost David Luzzi installed motion sensors under all the desks at the school’s Interdisciplinary Science & Engineering Complex (ISEC), a facility used by graduate students and home to the “Cybersecurity and Privacy Institute” which studies surveillance.

These sensors were installed at night — without student knowledge or consent — and when pressed for an explanation, students were told this was part of a study on “desk usage,” according to a blog post by Max von Hippel, a Privacy Institute Ph.D. candidate who wrote about the situation for the Tech Workers Coalition’s newsletter…

Students began to raise concerns about the sensors, and an email was sent out by Luzzi attempting to address issues raised by students… Luzzi wrote, the university had deployed “a Spaceti occupancy monitoring system” that would use heat sensors at groin level to “aggregate data by subzones to generate when a desk is occupied or not.”

Luzzi added that the data would be anonymized, aggregated to look at “themes” and not individual time at assigned desks, not be used in evaluations, and not shared with any supervisors of the students.

Following that email, an impromptu listening session was held in the ISEC. At this first listening session, Luzzi asked that grad student attendees “trust the university since you trust them to give you a degree…”

After that, the students at the Privacy Institute, which specializes in studying surveillance and reversing its harm, started removing the sensors, hacking into them, and working on an open-source guide so other students could do the same.

Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted…

After hacking the devices, students wrote an open letter to Luzzi and university president Joseph E. Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval even though human subjects were at the center of the so-called study.

von Hippel notes that many members of the computer science department were also in a union, and thus networked together for a quick mass response.

The controversy ultimately culminated with another listening session in which Luzzi “struggles to quell concerns that the study is invasive, poorly planned, costly, and likely unethical.”

"Afterwards, von Hippel took to Twitter and shared what became a semi-viral thread documenting the entire timeline of events from the secret installation of the sensors to the listening session occurring that day. "

So what’s the upshot for you? “Hours later, the sensors were removed…”

US: Just in time for the holidays: America’s TSA Begins Quietly Testing Facial Recognition Tech at 16 Airports

This system is for general passenger security screening.

You step up to the travel document checker kiosk and stick your ID into a machine.

Then you look into a camera for up to five seconds and the machine compares your live photo to the one it sees on your ID.

They call this a “one-to-one” verification system, comparing one face to one ID.

Even though the software is judging if you’re an impostor, there’s still a human agent there to make the final call (at least for now).

So how accurate is it?

The TSA says it’s been better at verifying IDs than the manual process.

“This technology is definitely a security enhancement,” Lim said. “We are so far very satisfied with the performance of the machine’s ability to conduct facial recognition accurately.”

The TSA hasn’t actually released hard data about how often its system falsely identifies people, through incorrect positive or negative matches.

Some of that might come to light next year when the TSA has to make its case to the Department of Homeland Security to convert airports all over the United States into facial recognition systems.

“I am worried that the TSA will give a green light to technology that is more likely to falsely accuse black and brown and nonbinary travelers and other groups that have historically faced more facial recognition errors,” said Albert Fox Cahn, the founder of the Surveillance Technology Oversight Project, or STOP.

Research has shown facial recognition algorithms can be less accurate at identifying people of color. A study published by the federal National Institute of Science and Technology in 2019 found that Asian and African American people were up to 100 times more likely to be misidentified than White men, depending on the particular algorithm and type of search.
Federal study confirms racial bias of many facial-recognition systems, casts doubt on their expanding use

“I don’t trust the TSA to evaluate the efficacy of its own facial recognition systems,” said Cahn.

The TSA already has a plan to expand the scope of how it’s using the tech. It’s running a pilot of a second system at a few airports where you don’t even have to present your physical ID for inspection. Your face is your ID.

In tests with Delta, machines compare passengers’ live faces to a database of photos the government already has, typically from passports.

For now, this system only works for passengers with PreCheck or Global Entry and passengers also have to request it from Delta.

A colleague recently tried it in Atlanta and reported it was like an extra-fast version of PreCheck that probably saved him five minutes on his trip.

So what’s the upshot for you? Just remember: Any time data gets collected somewhere, it could also be stolen — and you only get one face.

IN: Telegram Shares Users’ Data in Copyright Violation Lawsuit

Telegram has disclosed the names of administrators, their phone numbers, and IP addresses of channels accused of copyright infringement in compliance with a court order in India in a remarkable illustration of the data the instant messaging platform stores on its users and can be made to disclose by authorities.

The app operator was forced by a Delhi High Court order to share the data after a teacher sued the firm for not doing enough to prevent unauthorized distribution of her course material on the platform.

Neetu Singh, the plaintiff teacher, said a number of Telegram channels were re-selling her study materials without permission at discounted prices.

An Indian court earlier had ordered Telegram to adhere to Indian law and disclose details about those operating such channels.

Telegram unsuccessfully argued that disclosing user information would violate the privacy policy and the laws of Singapore, where it has located its physical servers for storing users’ data.

In response, the Indian court said the copyright owners couldn’t be left “completely remediless against the actual infringers” because Telegram has chosen to locate its servers outside the country.

In an order last week, Justice Prathiba Singh said Telegram had complied with the earlier order and shared the data.

So what’s the upshot for you? India is one of the largest markets for Telegram, which has amassed nearly 150 million users in the South Asian market.

Telegram has gained popularity among some users in part due to its piracy problem, as previously reported.

The platform remains littered with easily discoverable channels — sometimes with tens of thousands of users — where movies and TV shows are widely shared.

DE: Hive Social turns off servers after researchers warn hackers can access all data

Hive Social, a social media platform that has seen meteoric growth since Elon Musk took over Twitter, abruptly shut down its service on Wednesday after a security advisory warned the site was riddled with vulnerabilities that exposed all data stored in user accounts.

“The issues we reported allow any attacker to access all data, including private posts, private messages, shared media, and even deleted direct messages,” the advisory, published on Wednesday by Berlin-based security collective Zerforschung, claimed.

“This also includes private email addresses and phone numbers entered during login.”

The post went on to say that after the researchers privately reported the vulnerabilities last Saturday, many of the flaws they reported remained unpatched.

They headlined their post “Warning: do not use Hive Social.”

Hive Social responded by pulling down its entire service.

“The Hive team has become aware of security issues that affect the stability of our application and the safety of our users,” company officials wrote.

“Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience.”

Technical details are being withheld to prevent the active exploitation of them by malicious hackers.

According to Business Insider, Hive Social’s user base has doubled in the last few weeks, going from about 1 million to 2 million as of last week.

So what’s the upshot for you? Apparently, the site is staffed by just two people, “neither of whom have much of a background in security.”

US: Florida state tax website bug exposed filers’ data

A security flaw on the Florida Department of Revenue website exposed at least hundreds of taxpayers’ Social Security numbers and bank account numbers, a security researcher found.

Kamran Mohsin, the researcher, said the security flaw – now fixed – allowed him, or anyone else who was logged in to the state’s business tax registration website, to access, modify and delete the personal data of business owners whose information is on file with the state’s tax authority by modifying the part of the web address that contains the taxpayers’ application number.

Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when reached for comment.

So what’s the upshot for you? Mohsin said that application numbers are sequential, allowing anyone to enumerate taxpayers’ information by incrementing the application number by a single digit. Gulp.

AU: It Passed. Australian Parliament approves Government’s new privacy penalty bill.

The Australian parliament has approved a bill to amend the country’s privacy legislation, significantly increasing the maximum penalties to AU$ 50 million for companies and data controllers who suffered large-scale data breaches.

The financial penalty introduced by the new bill is set to whichever is greater: AU$50 million, three times the value of any benefit obtained through the misuse of information, and 30% of a company’s adjusted turnover in the relevant period.

Previously, the penalty for severe data exposures was AU$ 2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms.

The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country.

"The Albanese Labor government has wasted no time in responding to recent major data breaches.

We have announced, introduced, and delivered legislation in just over a month," reads the media announcement.

So what’s the upshot for you? “These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.”

US: Governments seek ways to avert quantum’s encryption apocalypse

As scientists, academics, and international policymakers attended the first-ever Quantum World Congress conference in Washington last week, alarmism around the future of secure data was undercut by foundational questions of what quantum computing will mean for the world.

“We don’t even know what we don’t know about what quantum can do,” said Michael Redding, chief technology officer at Quantropi, during a panel about cryptography at the Quantum World Congress…

Some governments are believed to have already started stealing enemies’ encrypted secrets now, so they can unlock them as soon as quantum computing is available.

“It’s the single-largest economic national-security issue we have ever faced as a Western society,” said Denis Mandich, chief technology officer at Qrypt and a former U.S. intelligence official, at this week’s conference.

“We don’t know what happens if they actually decrypt, operationalize and monetize all the data that they already have.”

So what’s the upshot for you? A lot of post-quantum encryption research is happening in tandem with quantum development projects, so researchers have a more informed understanding of what they could be protecting against.

Eyes are on the Commerce Department’s National Institute of Standards and Technology as it prepares to release a second set of post-quantum encryption tools for security experts to test and analyze, but that number is already down to three.

CN/US: Chinese Hackers Stole Millions Worth of US COVID Relief Money, U.S. Secret Service Says

Chinese hackers have stolen tens of millions of dollars worth of U.S. COVID relief benefits since 2020, the Secret Service said on Monday.

The Secret Service declined to provide any additional details but confirmed a report by NBC News that said the Chinese hacking team that is reportedly responsible is known within the security research community as APT41 or Winnti.

APT41 is a prolific cybercriminal group that had conducted a mix of government-backed cyber intrusions and financially motivated data breaches, according to experts.

Several members of the hacking group were indicted in 2019 and 2020 by the U.S. Justice Department for spying on over 100 companies, including software development companies, telecommunications providers, social media firms, and video game developers.

“Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China,” former Deputy Attorney General Jeffrey Rosen said at the time.

So what’s the upshot for you? Perhaps this is how the Chinese supported their years-long Zero-Covid program… with grant money from the US program.

US: South Dakota first to ban TikTok on state-owned devices

South Dakota is the first US state (and so far as we know, the first region anywhere) to officially ban the top-rated and fast-rising social media app TikTok on state-owned or state-leased smartphones, laptops, and other internet-enabled devices.

This will affect people working for the state government and contractors.

The South Dakota TikTok ban was announced on multiple platforms, from Twitter to the South Dakota State News.

"Effective immediately, we are banning TikTok for state government in South Dakota. States across America should follow suit.

We will play no part in allowing China to continue to gain intel and influence in our state.
— Kristi Noem (@KristiNoem) November 30, 2022"

So what’s the upshot for you? S.D. pulls ahead in signaling they would like to protect against potential data exfiltration. Now they just have to have everyone remove the externally controlled apps from their phones for health trackers, IP cameras, and online merchants (Wish, Baidu …)

O.K. at least it signals good intent.

US: DTV’s Successor: NextGen TV

North and South America have two entirely different broadcast TV standards — both of which are different from the DVB-T standard used in Europe/Africa/Australia and 2022 ends with us already talking about DTV’s successor in North America: the new broadcast standard NextGen TV.

This time the new standard isn’t mandatory for TV stations, CNET points out — and it won’t affect cable, satellite, or streaming TV. But now even if you’re not paying for a streaming TV service, another article points out, in most major American cities “an inexpensive antenna is all you’ll need to get ABC, CBS, Fox, NBC and PBS stations” — and often with a better picture quality:

NextGen TV, formerly known as ATSC 3.0, is continuing to roll out across the U.S. It’s already widely available, with stations throughout the country broadcasting in the new standard.

There are many new TVs with compatible tuners plus several stand-alone tuners to add NextGen to just about any TV.

As the name suggests, NextGen TV is the next generation of over-the-air broadcasts, replacing or supplementing the free HD broadcasts we’ve had for over two decades.

NextGen not only improves on HDTV, but adds the potential for new features like free over-the-air 4K and HDR, though those aren’t yet widely available.

Even so, the image quality with NextGen is likely better than what you’re used to from streaming or even cable/satellite. If you already have an antenna and watch HD broadcasts, the reception you get with NextGen might be better, too… Because of how it works, you’ll likely get better reception if you’re far from the TV tower.

The short version is: NextGen is free over-the-air television with potentially more channels and better image quality than older over-the-air broadcasts.

So what is the downside? ATSC 3.0 will also let broadcasters track your viewing habits, for information that can be used for targeted advertising, just like companies such as Facebook and Google use today…

"Ads specific to your viewing habits, income level, and even ethnicity (presumed by your neighborhood, for example) could get slotted in by your local station…

But here’s the thing: If your TV is connected to the internet, it’s already tracking you. Pretty much every app, streaming service, smart TV, and cable or satellite box all track your usage to a greater or lesser extent."

So what’s the upshot for you? It’s reassuring to know that eventually, you will have no option in the US except to let something into your home that tracks you. That’s privacy.

Perhaps it’s time to go back to reading printed books by candlelight.

Global: Rackspace loses hosted Microsoft Exchange services

“On Friday, Dec 2, 2022, we became aware of an issue impacting our Hosted Exchange environment. We proactively powered down and disconnected the Hosted Exchange environment while we triaged to understand the extent and the severity of the impact. After further analysis, we have determined that this is a security incident.”

The incident is further described as “isolated to a portion of our Hosted Exchange platform”

Rackspace has no idea when it will be able to restore its service to those impacted by the security incident.

“We are actively working with our support teams and anticipate our work may take several days,” its status page advises.

The incident manifested as what Rackspace described as “connectivity and login issues".

An update time-stamped 8:19 PM Eastern Time on December 2nd went a little further, describing it as “a significant failure in our Hosted Exchange environment.”

But no information about the cause of the incident is available at this time, however, the combination of an outage and a lengthy restoration process suggests ransomware could well be a factor.

So what’s the upshot for you? And when the crush comes, companies are often judged by their customer support. Er, but in this case, that is not looking good for Rackspace either…

“The way they have handled this has been HORRIBLE. NO SUPPORT. NO EMAIL. NO NOTHING. Who knows when we will have answers,” one customer wrote.

“I called the support line, held and listened to lousy music for three hours and 14 minutes and 19 seconds and finally had to terminate the call,” wrote another.

OuterSpace: SpaceX Unveils ‘Starshield,’ a Military Variation of Starlink Satellites

Elon Musk’s SpaceX is expanding its Starlink satellite technology into military applications with a new business line called Starshield.

“While Starlink is designed for consumer and commercial use, Starshield is designed for government use,” the company wrote on its website.

Few details are available about the intended scope and capabilities of Starshield.

The company hasn’t previously announced tests or work on Starshield technology.

On its website, SpaceX said the system will have “an initial focus” on three areas: Imagery, communications, and “hosted payloads” – the third of which effectively offers government customers the company’s satellite bus (the body of the spacecraft) as a flexible platform.

The company also markets Starshield as the center of an “end-to-end” offering for national security: SpaceX would build everything from the ground antennas to the satellites, launch the latter with its rockets, and operate the network in space.

SpaceX notes that Starshield uses “additional high-assurance cryptographic capability to host classified payloads and process data securely,” building upon the data encryption it uses with its Starlink system.

Another key feature: the “inter-satellite laser communications” links, which the company currently has connecting its Starlink spacecraft.

It notes that the terminals can be added to “partner satellites,” so as to connect other companies’ government systems “into the Starshield network.”

So what’s the upshot for you? We’re not surprised to see military use announced but glad at the very least that they are encrypting the communication flying between the things over our heads.

Global: Teslas used to come with Lidar, but did you know that newer iPhones do too?

iPhone 12 Pro and Pro Max, iPhone 13 Pro, and Pro Max, and iPhone 14 Pro and Pro Max models feature a LiDAR Scanner next to the rear camera that can be used to measure a person’s height instantly in Apple’s pre installed Measure app.

To measure a person’s height, simply open the Measure app, point your iPhone at the person you want to measure, and make sure they are visible on the screen from head to toe. After a brief moment, a line should appear at the top of the person’s head with their height measurement. You can choose to have the measurement displayed in feet-and-inches or in centimeters in the Settings app under Measure / Measure Units.

The app measures a person’s height from the floor to the top of their head, hair, or hat. You can even measure the seated height of a person in a chair.

The circular shutter button in the bottom-right corner allows you to take a photo of the person with their height measurement and share it with them.

The feature is not available on iPhones without a LiDAR Scanner.

So what’s the upshot for you? Apparently the measure app is actually pretty accurate, and way more convenient than a tape measure… and you can actually use it to measure lots of other things too.

US: Tesla finally delivers its first production Semi

Five years after CEO Elon Musk officially unveiled his Semi, Tesla’s electrified tractor-trailer, the company delivered its first official production vehicle to Pepsi last Thursday during its “Semi Delivery Event” held at Tesla’s Nevada Gigafactory.

The beverage maker has ordered 100 of the vehicles in total.

First shown off in 2017, the Tesla Semi originally was set to retail for $150,000 and $180,000 for the 300- and 500-mile versions, respectively.

Those prices are significantly higher than the $60k a standard diesel cab runs but Tesla estimates that its vehicles can operate 20 percent more efficiently (2kWh per mile, Musk revealed Thursday), and save up to $250,000 over the million-mile life of the Semi.

Each rig is “designed like a bullet,” Musk said at the vehicle’s unveiling, and would come equipped with a massive 1Megawatt-hour battery pack.

This reportedly offers a 20-second 0-60, which is impressive given that these vehicles are towing up to 80,000 pounds at a time, and a spent-to-80 percent charge time of just 30 minutes.

The Semis are also outfitted with Enhanced Autopilot capabilities, as well as jackknife-mitigation systems, blind-spot sensors, and data-logging for fleet management.

So what’s the upshot for you? The fact that this is arriving to Pepsi in time for the 2022 holidays is attributed to production delays and supply chain issues brought on by the COVID-19 pandemic, but it’s nice to see the first of these roll in (even if it is 3 years late).

And what does this have to do with Security and Privacy? Nothing, but what better way to end than with a good truck story.

Quote of the week - “for security to be effective, the secure solution must be easier to use than the non-secure solution”. - Ashutosh Kapse

That’s it for this week. Stay safe, stay secure, leave the truck keys with Betsey, and see you in se7en.

Indeed, while reading SMS from a Nokia 6310.

Pretty similar, no? :face_with_raised_eyebrow:

1 Like