Viva la IT Privacy and Security Weekly Update for June 7th., 2022!


This week is all about food, travel, and adventure, where we start abandoned at the altar and end with bizarrely overweight baggage.
Elvis and the Fax machines e

In between those carefully seasoned toasted sesame seed buns of IT Privacy and Security are a flame-broiled update that shared too much, got shut down, and hacked, a tangy slice of database encryption, a leafy new mobile phone OS, and a large dollop of savory lawsuit.

It’s a meal made in heaven, worthy of a Michelin 3-star rating served hot and fresh off the grill.

So grab your bags, tuck that serviette under your chin and mind your manners as we experience the best Update yet!

US: Vegas chapels all shook up by Elvis likeness crackdown

The company that lords over the King’s image and likeness is cracking down on Las Vegas chapels that book Elvis-themed weddings and otherwise embrace his persona.

Authentic Brands Group (ABG), which licenses Elvis Presley-related merchandise, issued a cease-and-desist letter dated May 19 to several Las Vegas chapels.

“This couldn’t hit at a worse time. It’s not a good thing,” Clark County Clerk Lynn Goya, who has presided over Las Vegas’ wedding marketing campaign, said. “It might destroy a portion of our wedding industry. A number of “Elvises” might lose their livelihood.”

ABG is a licensing company that manages the estates of Marilyn Monroe and Muhammad Ali, and its holdings include about 50 consumer brands (Shaquille O’Neal is among its leading investors).

In this instance, ABG intends to stop the unauthorized use of (quoting from the company’s document) “Elvis Presley’s name, likeness, voice image, and other elements of Elvis Presley’s persona in advertisements, merchandise, and otherwise.”

So what’s the upshot for you? What is a wedding without Elvis? How can they be this unreasonable?

RU: Leaks Show Conti Ransomware Group Working on Firmware Exploits

In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker started leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code.

The leaked information showed that the cybercrime gang operated just like a regular company, with contractors, employees, and HR problems.

An analysis of the leaked chats conducted by firmware and hardware security company Eclypsium showed that the Conti group has been looking into firmware-based attacks, specifically ones targeting Intel ME.

Intel ME provides various features for computers powered by Intel processors, including out-of-band management and anti-theft protection.

According to Eclypsium, Conti developers have been fuzzing the ME interface in an attempt to find undocumented commands and flaws, and they were trying to generically bypass protections. The hackers were also looking into creating a System Management Mode (SMM) implant that would allow them to stealthily modify the kernel.

The cybercriminals’ conversations revealed that they were also analyzing research made public by major Russian cybersecurity companies.

No new or unmitigated vulnerabilities appear to have been discovered in Intel chipsets but warned that the main problem is related to organizations failing to regularly update chipset firmware.

So what’s the upshot for you? You have a 6-month look ahead before these exploits go mainstream. It was reported recently that the Conti brand had become toxic due to its affiliation with the Russian government — it was difficult for victims to pay ransoms due to sanctions against Russia.

As a result, the threat actor seems to have switched to a more decentralized operation that includes several autonomous groups. While some of these groups do not use file-encrypting malware and rely solely on data theft to make a profit, others still leverage locker malware.

UA/RU: Ukraine-Russia war teaching US military a lesson about secure communications?

The ongoing war in Ukraine is teaching the U.S. Army a lesson about the need for secure battlefield communication and the potential for soldiers to undermine it.

Russian troops there have reportedly been using unencrypted devices, including their cell phones, to talk to other units and people back home. That has made them vulnerable to Ukrainian forces who can eavesdrop on what they’re saying and pinpoint their locations.

That includes “the importance of secure communications and the consequences of when soldiers use their cell phones, whether it’s because that’s just everyone is used to using cell phones, or because secure communication systems and radios are not working."

“When soldiers use unencrypted comms that makes them targetable.

So what’s the upshot for you? A military’s fighting ability isn’t solely determined by technology — it also depends on leadership, training, and discipline, but tech is starting to play a larger part.

US: California sheriff to stop sharing license-plate data after settlement

The sheriff’s office in Marin County, California, agreed to stop sharing license-plate and location data it collects with agencies from other states and federal authorities, like Immigration and Customs Enforcement, according to a legal settlement made public Wednesday.

According to the settlement, entered in a state superior court, Marin County Sheriff Robert Doyle — and his successors — will limit access to information collected by the county’s automated license plate readers to agencies within California, in compliance with a law restricting how immigration-related data can be shared with federal agencies.

According to the original suit, the Marin County Sheriff’s Office collected 821,244 scans of license plates in 2020, with only 216 — or 0.02% — matching plates that were of interest to investigations. The activists also argued that an annual report on the sheriff’s office published last year listed information sharing with 18 federal agencies, including ICE, CBP, the FBI, and the Drug Enforcement Administration, as well as more than 400 out-of-state law-enforcement organizations.

So what’s the upshot for you? Even with the reforms announced in the Marin County settlement, federal immigration authorities’ data-sharing appetite continues to grow. A report last month by Georgetown Law’s Center for Privacy and Technology found that ICE’s data collection now has images of roughly 75% of all Americans.

DE: Telegram Surrendered User Data To Authorities

Messaging apps that offer end-to-end encryption can claim that they’re protecting their users by saying that they’ve thrown away the key – metaphorical and literal – and can’t undo what’s been scrambled in transmission.

Telegram, however, claims it protects every user whether they use E2EE or not, saying that government data requests have to pass an especially high muster before they would comply and that they have never acceded to such requests.

Not so, a report claims.

Der Spiegel reports from sources that Telegram has fulfilled a number of data requests from Germany’s Federal Criminal Police Office involving terror and child abuse suspects.

In a similar vein, Russia purged the company’s app in 2018 from the country for refusing to surrender its encryption keys under federal anti-terrorism laws.

Telegram reached an agreement with the Kremlin in 2020 that would see the app return to Russia with increased enforcement across the platform.

It’s a good sign that Telegram continues to provide Russian users with an uncensored window into the military’s invasion of Ukraine despite a greater domestic crackdown on anti-patriotic sentiment.

So what’s the upshot for you? All of this leaves questions unanswered about how much user data the company has given to governments.

IN: Rejecting Data Demands, ExpressVPN Removes VPN Servers In India

ExpressVPN has removed its servers from India, becoming the first major virtual private network (VPN) provider to do so in the aftermath of the recent cybersecurity rules introduced by the country’s cybersecurity agency.

The rules require VPN providers to store user data for five years. ExpressVPN said it “refuses to participate in the Indian government’s attempts to limit internet freedom.”

In a blog post, the British Virgin Island-based company said that with the introduction of the new cybersecurity rules by the Indian Computer Emergency Response Team (CERT-In), it has made a “very straightforward decision to remove our Indian-based VPN servers.” While ExpressVPN is the first to pull its services from India, other VPN providers like NordVPN have also taken a similar stance.

The guidelines, released by CERT-In on April 26, asked VPN service providers along with data centers and cloud service providers, to store information such as names, e-mail IDs, contact numbers, and IP addresses (among other things) of their customers for five years. The government said it wants these details to fight cybercrime, but the industry argues that privacy is the main selling point of VPN services, and such a move would be in breach of the privacy cover provided by VPN platforms.

ExpressVPN described the cybersecurity rules as “broad” and “overreaching.” “The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” ExpressVPN said. It added that while CERT-In’s rules are intended to fight cybercrime, they are “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.”

Indian users of ExpressVPN will still be able to use its service via “virtual” India servers located in Singapore and the UK. "We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries.

We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session duration," the company said.

So what’s the upshot for you? This horse has already left the barn, and like last week’s Aadhaar story, comes about 13 years too late from the Indian government.

Global: Investor sues the Winklevoss twins’ troubled crypto business over security failures

IRA Financial Trust, a platform that lets users save for retirement in alternative assets like cryptocurrency, is suing the Gemini cryptocurrency exchange over an alleged failure to protect its customers from a heist that resulted in the theft of $36 million in crypto. The financial platform partners with Gemini, owned by the Winklevoss twins, Cameron and Tyler, to allow customers to trade and store cryptocurrency.

In February, IRA was the victim of a major attack that drained the millions in funds customers had stored with Gemini. The company was reportedly swatted, the act of calling the police to report a fake crime at someone’s location, when the cyberattack occurred. Police showed up at IRA’s South Dakota headquarters after false reports of a robbery, while bad actors made off with millions in crypto.

According to IRA’s complaint, problems started when Gemini “strongly pressured” the company to use the Gemini API (Application Programming Interface) over the web-based platform so its systems could better handle customer onboarding.

This, IRA claims, had a “fatal flaw” in the form of the master key that allegedly let holders “bypass” Gemini’s security protections, giving them the ability to “transfer and withdraw crypto assets without getting a client’s second-factor authorization.”

Gemini provided IRA with this master key, but IRA claims it was never told about its “power,” alleging Gemini nonchalantly included it in unsecured and unencrypted emails.

IRA’s complaint states that hackers got ahold of its master key and were allegedly able “to exploit the vulnerabilities in Gemini’s API.”

The result was bad actors “transferring tens of millions of dollars worth of Bitcoin and Ether belonging to hundreds of customers into a single customer retirement account, and then withdrawing all such assets.”

So what’s the upshot for you? Apparently Gemini had not even provided a phone number for IRA to contact them on, so 2 hours’ worth of account siphoning went on before Gemini got to the e-mail that said, “Freeze the accounts!”

CA: Tim Horton’s did What??!

The Canadian federal privacy commissioner’s investigation into the Tim Hortons mobile app found that the app unnecessarily collected extensive amounts of data without obtaining adequate consent from users.

The commissioner’s report, which was published Wednesday morning, states that Tim Hortons collected granular location data for targeted advertising and the promotion of its products but that the company never used the data for those purposes.

“The consequences associated with the App’s collection of that data, the vast majority of which was collected when the App was not in use, represented a loss of Users’ privacy that was not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted promotion of its coffee and associated products,” the report read.

The joint investigation was launched about two years ago by the Office of the Privacy Commissioner of Canada in conjunction with similar authorities in British Columbia, Quebec and Alberta.

It came after reporting from the Financial Post found that the Tim Hortons app tracked users’ geolocation while users were not using the app. According to a presentation to investors shared in May, the restaurant chain’s app has four million active users.

Tim Hortons was using a third-party service provider, Radar, to collect geolocation data of users. In August 2020, Tim Hortons stopped collecting location data. However, the investigation found that there was a lack of contractual protections for users’ personal information while being processed by Radar.

The report describes the language in the contractual clauses to be “vague and permissive,” which could have allowed Radar to use the personal information collected in aggregated or de-identified form for its own business.

The report states that Tim Hortons also agreed to delete all granular location data and to have third-party service providers do so as well, as per recommendations from the privacy authorities.

The company also agreed to establish a privacy management program for its app and all future apps to ensure they are compliant with federal and provincial privacy legislation.

Given these remedies, the report found that while the Tim Hortons app was not compliant with privacy laws, the company has since taken measures to resolve the issues.

“We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app,” a statement from Tim Hortons released last week said.

So what’s the upshot for you? “The location tracking ecosystem, where details of our daily lives are treated as a commodity to be exploited to sell us products and services such as a cup of coffee, heightens the risk of mass surveillance,” said Daniel Therrien, Canada’s privacy commissioner.

Global: Looking for Mobile phone privacy? Try /e/OS V1

If you value privacy and you use a smartphone, you’ve got a problem. Both Apple and Google constantly collect data on you.

A Vanderbilt University study found that Android sends data to Google even if your phone is sitting idle with Chrome running in the background at a rate of 340 times a day.

Murena and Mandrake Linux founder Gael Duval was sick of it by 2017. He wanted his data to be his data, and he wanted open-source software.

Almost five years later, Duval and his co-developers launched the Murena One X2. It’s the first high-end Android phone using the open-source /e/OS Android fork to arrive on the market.

It’s good but, the fundamental issue is this: Murena does all it can to separate its operating system and applications from Google, but it can’t – yet – replace Google’s e-commerce and software store system.

You can download only programs with no Google connection, but there aren’t many of them. If you take this path, you likely won’t be able to use many apps you’re currently using every day.

Murena replaced Google Cloud’s services with its Murena Cloud instead. There, you’ll find storage, e-mail, and even an online office suite, powered by the open-source OnlyOffice. And, unlike its corporate rivals, Murena promises that its cloud services (just like its phone and operating system) puts privacy first.

So what’s the upshot for you? Updating an old phone with /e/OS/ Might be fun as a rainy day project. We will keep you posted if we try it, but be forewarned, it’s been pretty sunny lately!

AU: Researcher Hacks Australian Digital Driver’s License

An Australian digital driver’s license (DDL) implementation that officials claimed is more secure than a physical license has been shown to be easily modified, but authorities insist the credential remains secure.

New South Wales, Australia’s most populous state, launched its DDL program in 2019, and as of 2021 officials there said that slightly more than half of the state’s eight million people use the “Service NSW” app that displays the DDL and offers access to many other government services.

Now, a security researcher at cybersecurity company Dvuln claims he was able to brute force his way into the app with nothing but a Python script and a consumer laptop. Once inside, he found numerous security flaws that made it simple to alter the DDL stored in the app.

Five separate design flaws were discovered in the NSW DDL app. Combining the flaws “presented a favorable scenario that could be exploited by any would-be attacker or fraudster,.”

First, and most important for efforts at cracking the app, it only uses a four-digit PIN to unlock, and that code is also the decryption key for the license, which is stored in a JSON file. With a Python script and a laptop, the researcher was able to brute force the app in minutes, giving him access to the DDL.

Additionally, the app never validates stored DDL data with NSW government records, fails to “refresh” license data properly, transmits minimal info in its QR code (which is also alterable) and includes license data in device backups, “which means that attackers or anyone wanting to commit fraud can modify their license details without needing to jailbreak their device”.

So what’s the upshot for you? Some argue that the material needed for a Plastic license card in N.S.W. make it much harder to forge than the digital variant… which is apparently pretty trivial. Whatever the case, we’ve noticed a large uptick in underage drinking in that 16-18 age group in NSW!

Global: LastPass no longer requires a password to access your vault

LastPass no longer requires a password to access your vault

LastPass says they’re now the first password manager with a passwordless sign-in feature.

Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password.

The approach relies on FIDO-compliant password-free technology. The feature is available to both personal and business users. LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
So what’s the upshot for you? Expect to see similar announcements from other password managers… and …

Global: Apple Just Killed the Password—for Real This Time

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will actually be the year that millions of people start to move away from passwords.

The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura.

So how does it work? Passkeys replace your passwords by creating new digital keys using Touch ID or Face ID.

When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done."

FIDO has taken a series of important steps to bring the password’s demise closer to reality.

In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards.

The three tech giants said they would start rolling out the technology “over the course of the coming year.”

Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

So what’s the upshot for you? While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away that doesn’t mean you should idly keep using your weak or repeated passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords.

It should also take care of you having to rename your cat every time your account is hacked.

DE: Vodafone to save the world from Apple protecting users privacy

Vodafone is piloting a new advertising ID system called TrustPid, which will work as a persistent user tracker at the mobile Internet Service Provider (ISP) level. Vodafone explains that TrustPiD will be generated through randomness, and its subscribers will have the option to manage their consent over accepting the tracking via the company’s Privacy Portal.

The new system is in test phase in Germany and is intended to be impossible to bypass from within the web browser settings or through cookie blocking or IP address masking. The mobile carrier plans to assign a fixed ID to each customer and associate all user activity with it.

The ID will be based on several parameters so that the system will be able to maintain persistence.

Then, the mobile ISP creates a personal profile based on that ID and helps advertisers serve targeted ads to each customer without disclosing any identification details.

According to Vodafone, the problem that arises for its internet subscribers is that the “free” parts of the internet are threatened by stricter cookie blocking and privacy-boosting schemes.

These new models threaten the targeted advertising industry, and according to Vodafone, the danger of this is losing content and platforms currently supported by ads.

“Consumers appreciate the idea of a ‘free’ Internet, but this comes with a trade-off: publishers need a sustainable revenue model, meaning that it becomes essential to add subscription paywalls or rely on advertising to maintain free access to high-quality content,” reads the explanation on the TrustPiD website, managed by Vodafone Sales and Services Limited.

The industry is looking for alternative tracking ways, and mobile ISPs are in a position to provide a solution that users are likely to find difficult to circumvent.

So what’s the upshot for you? Such a great idea, letting our mobile phone carriers track us. We can’t wait to sign up for this “exciting” opportunity. (loud coughing heard in the background)

Global: A Long-Awaited Defense Against Data Leaks May Have Just Arrived

Mongo DB, “Today we are announcing the Preview release of Queryable Encryption, which allows customers to encrypt sensitive data from the client-side, store it as fully randomized encrypted data on the database server side, and run expressive queries on the encrypted data.”

With the introduction of Queryable Encryption, MongoDB is the only database provider that allows customers to run expressive queries, such as equality (available now in preview) and range, prefix, suffix, substring, and more (coming soon) on fully randomized encrypted data. This is a huge advantage for organizations that need to run expressive queries while also confidently securing their data.

The Queryable Encryption system is built with a combination of established cryptographic protocols and conceptual advances Kamara and Moataz have been working on for years in an area of cryptography known as structured encryption.

The approach involves encrypting data with a specific architecture so it can be searched with special tokens specific to each query without data ever being decrypted.

Other techniques such as homomorphic encryption allow users to do computations on encrypted data, like adding two columns in an encrypted spreadsheet.

But structured encryption is specifically focused on organizing encrypted data so it can be found without exposing the data itself.

“What we focus on is not how to do arithmetic operations on encrypted data, but how to find information fast—like really, really fast,” says Brown University cryptographer Seny Kamara, who is currently on leave from his associate professor role at Brown.

Speed is a challenge in encrypted operations, where every extra key check and computation add complications to basic operations.

But MongoDB claims that searches performed with Queryable Encryption are impressively fast and won’t cause unreasonable performance losses—a claim that customers will be able to test for themselves with the new preview.

So what’s the upshot for you? MongoDB is also open-sourcing much of the Queryable Encryption system, so users and other researchers can vet its underlying cryptography.

IT: The reason for all the overweight baggage in Palermo Italia

Palermo in Southern Italy, home to about 1.3 million people, has shut down all its services, public websites, and online portals following a cyberattack on Friday.

Tourists cannot access online bookings for tickets to museums and theaters (Massimo Theater) or even confirm their reservations on sports facilities.

Limited traffic zone cards are impossible to acquire, so no regulation occurs, and so no fines can be issued for unpaid travel on their buses and trains.

Unfortunately, though, the historical city center requires passes for entrance, so tourists and local residents are kind of stuffed.

Italy recently received threats from the Killnet group, a pro-Russian hacktivist who attacks countries that support Ukraine with resource-depleting cyberattacks known as DDoS (distributed denial of service).

While some were quick to point the finger at Killnet, the cyberattack on Palermo bears the signs of a ransomware attack rather than a DDoS.

The councilor for innovation in the municipality of Palermo, Paolo Petralia Camassa, has stated that all systems were cautiously shut down and isolated from the network while he also warned that the outage might last for a while.

So what’s the upshot for you? The locals have resorted to resurrecting their old fax machines to communicate with … so if traveling to Palermo this Summer you might want to consider packing your own!

Elvis and the Fax machines d

And Finally our quote of the week this week from an anonymous source:

“Before sharing PII, know who, what, and why.”

That’s it for this week. Stay safe, stay, secure, tuck that suitcase into the closet, the PII under the mattress, leave the fax machine with the concierge, and we’ll see you in se7en.