We Are, We Are, the IT Privacy and Security Weekly update for May 31st, 2022


With a backing track that is probably the worst cover version we have ever heard, we learn what just flew past the bedroom window.

In the US this week the focus has been on our children. Any way you look at it, from school shootings to privacy violations, to destroying the ecological balance of the world we are leaving them to live in, the only way you can describe societies’ actions is broad-scale child abuse.

We learn what political leaders already know, “if you don’t like the news, just turn off the Internet.” We have an update for Elon from Twitter, a warning from the Indian government that came 13 years late, and a petition to stop apps from accepting the Digital Yuan… for reasons that would surprise you.

We typically start this with a rush of excitement. This week. Let’s stop for a moment and think of the kids.


US: "Honey, what just went past the bedroom window?"

“Oh, it looks like the neighbors are getting another Walmart delivery.”

Walmart is expanding drone delivery across six states this year, making it possible for many more customers to get a box of diapers or dinner ingredients delivered in 30 minutes or less.

Through an expansion with operator DroneUp, the big-box retailer said it will be able to reach 4 million households in parts of Arizona, Arkansas, Florida, Texas, Utah and Virginia.

The deliveries by air will be fulfilled from a total of 37 stores — with 34 of those run by DroneUp.

Walmart has been testing how the small, unmanned aircraft could change the game for retail, drive e-commerce growth and turn its stores into a way to outmatch Amazon on speed.

Two years ago, it struck deals with three operators — Flytrex, Zipline, and DroneUp — and began pilot projects to deliver groceries, household essentials, and at-home Covid-19 test kits to customers.

Walmart will be able to deliver over 1 million packages by drone in a year.

So what’s the upshot for you? One of the surprises of the drone tests has been what customers order. Walmart anticipated customers would use the drones to get emergency items, such as over-the-counter medication.

Instead many have used it for convenience. At one store, for instance, the top seller for drone delivery was Hamburger Helper.

Other frequent items delivered by drones are batteries, trash bags, laundry detergent, and Welch’s fruit snacks.

US: Exclusive: Supreme Court leak investigation heats up as clerks are asked for phone records in an unprecedented move

Supreme Court officials are escalating their search for the source of the leaked draft opinion that would overturn Roe v. Wade, taking steps to require law clerks to provide cell phone records and sign affidavits, three sources with knowledge of the efforts have told CNN.

Some clerks are apparently so alarmed over the moves, particularly the sudden requests for private cell data, that they have begun exploring whether to hire outside counsel.

The court’s moves are unprecedented and the most striking development to date in the investigation into who might have provided Politico with the draft opinion it published on May 2.

The probe has intensified the already high tensions at the Supreme Court, where the conservative majority is poised to roll back a half-century of abortion rights and privacy protections. Chief Justice John Roberts met with law clerks as a group after the breach, CNN has learned, but it is not known whether any systematic individual interviews have occurred.

Lawyers outside the court who have become aware of the new inquiries related to cell phone details warn of potential intrusiveness on clerks’ personal activities, irrespective of any disclosure to the news media, and say they may feel the need to obtain independent counsel.

“That’s what similarly situated individuals would do in virtually any other government investigation,” said one appellate lawyer with experience in investigations and knowledge of the new demands on law clerks.

“It would be hypocritical for the Supreme Court to prevent its own employees from taking advantage of that fundamental legal protection.”

Sources familiar with efforts underway say the exact language of the affidavits or the intended scope of that cell phone search – content or time period covered – is not yet clear.

So what’s the upshot for you? And we still can’t figure out what makes people call the US a litigious society.

Global: The 15th annual Verizon Data Breach Investigations Report is out and guess what?

Regulars here will find no surprises.

  • Ransomware was up 13% in 2021 from 2020.
  • Supply chain was responsible for 62% of System Intrusion incidents in 2021
  • Misconfigured cloud storage owned 13% of all data breaches in 2021.
  • and 82% of breaches involved people er… messing up … with stolen credentials, phishing, misuse, or simply making mistakes.

So what’s the upshot for you? The “year in review” section provides a chance to look back over all the phreaking, hacking, cracking shenanigans we have had to put up with over the past year.

IT: The majority of hackers are sharing vulns rather than working too hard to find new Zero days

Security researchers at the University of Trento in Italy did an assessment of how organizations can best defend themselves against advanced persistent threats or APTs in a recent report published online. What they found goes against some common security beliefs many security professionals and organizations have, they said.

The team manually curated a dataset of APT attacks that covers 86 APTs and 350 campaigns that occurred between 2008 and 2020. Researchers studied attack vectors, exploited vulnerabilities (e.g., zero-days vs. public vulnerabilities), and affected software and versions.

The results suggest that you should spend your time fixing the known flaws in your organization’s systems.

"Software updates reduce the opportunity for exploitation. However, since updates can also introduce breaking changes, enterprises face the problem of balancing the need to secure software with updates with the need to support operations.

We propose a methodology to quantitatively investigate the effectiveness of software updates strategies against attacks of Advanced Persistent Threats (APTs)."

We consider strategies where the vendor updates are the only limiting factors to cases in which enterprises delay updates from 1 to 7 months based on SANS data.

If an enterprise could theoretically update as soon as an update is released, it would face lower odds of being compromised than those waiting one (4.9x) or three (9.1x) months.

Organizations could perform “12 percent of all possible updates, restricting themselves only to versions that fix publicly known vulnerabilities” without significantly changing their odds of being compromised, researchers wrote.
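To make the trade-off in the two paragraphs above concrete, here is an added example (not code from the Trento study, nor its methodology) that models an update policy as a fixed delay after each vendor release and counts how many observed exploitation events land while an enterprise is still running the vulnerable version. The release list and exploitation dates are constructed for illustration; the "security-only" strategy skips releases that do not fix a publicly known vulnerability, which is the idea behind the "12 percent of all possible updates" figure.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical product, not from the study): each
# release records when it shipped, whether it closes a publicly disclosed
# vulnerability, and the dates on which exploitation of the flaw it closes
# was observed. One exploit (2021-04-01) predates its fix, i.e. a zero-day.
RELEASES = [
    {"version": "4.0.1", "shipped": date(2021, 1, 5),  "fixes_public_vuln": False, "exploits": []},
    {"version": "4.0.2", "shipped": date(2021, 1, 19), "fixes_public_vuln": False, "exploits": []},
    {"version": "4.1.0", "shipped": date(2021, 2, 2),  "fixes_public_vuln": True,
     "exploits": [date(2021, 2, 10), date(2021, 3, 1), date(2021, 4, 25)]},
    {"version": "4.1.1", "shipped": date(2021, 2, 16), "fixes_public_vuln": False, "exploits": []},
    {"version": "4.1.2", "shipped": date(2021, 3, 2),  "fixes_public_vuln": False, "exploits": []},
    {"version": "4.2.0", "shipped": date(2021, 4, 6),  "fixes_public_vuln": True,
     "exploits": [date(2021, 4, 1), date(2021, 4, 20), date(2021, 7, 15)]},
    {"version": "4.2.1", "shipped": date(2021, 4, 20), "fixes_public_vuln": False, "exploits": []},
    {"version": "4.3.0", "shipped": date(2021, 6, 1),  "fixes_public_vuln": True,
     "exploits": [date(2021, 6, 25), date(2021, 8, 20)]},
]


def exposure_events(releases, delay_days, security_only=False):
    """Count exploitation events that occur before the enterprise applies the
    fixing release, given a policy of waiting `delay_days` after each release.
    With security_only=True, non-security releases are never applied; they
    carry no exploits here, so exposure is unchanged but fewer updates run."""
    hits = 0
    for r in releases:
        if security_only and not r["fixes_public_vuln"]:
            continue
        applied = r["shipped"] + timedelta(days=delay_days)
        hits += sum(1 for when in r["exploits"] if when < applied)
    return hits


def updates_applied(releases, security_only=False):
    """Number of releases an enterprise has to roll out under the policy."""
    return sum(1 for r in releases if r["fixes_public_vuln"] or not security_only)


def relative_odds(releases, delay_days):
    """Exploitation events under a delayed policy relative to updating on the
    day of release (floored at one event so zero-day-free data divides)."""
    baseline = max(exposure_events(releases, 0), 1)
    return exposure_events(releases, delay_days) / baseline


if __name__ == "__main__":
    for delay in (0, 30, 90):
        print(f"delay {delay:>2}d: {exposure_events(RELEASES, delay)} exploitation "
              f"events during exposure ({relative_odds(RELEASES, delay):.1f}x baseline)")
    print(f"all releases: {updates_applied(RELEASES)} updates; "
          f"security-only: {updates_applied(RELEASES, security_only=True)} updates, "
          f"{exposure_events(RELEASES, 90, security_only=True)} events at 90d delay")
```

On this constructed data, waiting one month multiplies exposure fivefold and three months sevenfold over immediate patching, while the security-only policy applies three of eight releases with the same exposure as applying all of them. The numbers are artifacts of the sample, but the shape matches the study's message: delay is what costs you, not skipping non-security releases.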

So what’s the upshot for you? And for everyone else, update your computer, your phone, and your apps as regularly and promptly as possible.

PK: Pakistan shuts down internet ahead of protests over ousting of prime minister

Real-time network data show internet disruptions across #Pakistan as ousted Prime Minister Imran Khan organizes mass rallies; metrics show the impact to multiple providers in cities including Karachi, Lahore, and Islamabad.

NetBlocks’ analysis shows that the activity “is consistent with previously recorded internet shutdowns, and is likely to significantly impact the flow of information as ousted PM Khan calls for anti-government protests,” Toker said.

The company’s report corroborated what hundreds of Pakistani citizens and residents reported on social media.

The government sent out a message on TV across Pakistan announcing the internet shut down.

“The disruption affects service at the network layer and cannot be readily worked around through the use of VPN services. Some service remains available via alternative internet providers,” NetBlocks noted.

The current government, run by Shehbaz Sharif, shut down roads leading to the capital and fired tear gas at Khan supporters in the province of Punjab who attempted to remove the roadblocks.

Pakistani leaders, including Khan himself, have a long history of imposing nationwide internet restrictions at times of unrest. An April report from Access Now, a nonprofit tracking internet access globally, found that Pakistan shut down the internet in response to protest movements several times throughout 2021.

According to Access Now, the longest internet shutdowns they tracked occurred in Pakistan, where 4.5 million residents of the Federally Administered Tribal Area spent nearly four years without internet. The blackout ended in December 2021 after starting in 2016.

So what’s the upshot for you? More evidence that political leaders who don’t like the news now just turn the Internet off.

US: Cybercriminal scams City of Portland, Ore. for $1.4 million

Portland, Ore. is investigating a cybersecurity breach that resulted in a $1.4 million fraudulent transaction with city funds in April — one discovered after the same compromised account tried again the next month, the city said in a press release late last week.

“Preliminary evidence indicates that an unauthorized, outside entity gained access to a City of Portland email account to conduct this illegal activity,” according to the statement.

Although the specifics of the situation remain unclear, the details could point to a Business Email Compromise (BEC) attack. BEC fraud is a growing source of cybercrime that targets organizations and the people inside them, either by compromising accounts that can approve fraudulent transactions or by tricking employees in control of those accounts.

So what’s the upshot for you? “In this particular case, they detected it a month after so I’m guessing that money has gone to a gazillion other bank accounts. Typically, with this amount of time, it would be hard to trace.”

Time to look for budget line items to cut…

IN: India Withdraws Warning on Biometric ID Sharing Following Online Uproar

A regional office of UIDAI, the body that oversees the national biometric ID system Aadhaar, warned users on Friday that “unlicensed private entities” such as hotels and theatre halls are “not permitted to collect or keep copies of Aadhaar,” a 12-digit unique number that ties an individual’s fingerprints and retina scan, and people should avoid sharing photocopies of their Aadhaar to prevent misuse.

The warning prompted an immediate and wide backlash from individuals.

“I might have stayed in almost 100 hotels who kept a copy of my Aadhaar! Now this,” an individual tweeted, summing up the dilemma of tens of millions of people in the country, if not more.

About 1.33 billion people in India, or roughly the nation’s entire population, have enrolled in Aadhaar, an ID system that was unveiled about 13 years ago, according to government’s official figures.

This scale of adoption makes Aadhaar the world’s largest biometric identity system.

So what’s the upshot for you? On Sunday afternoon, India’s Ministry of Electronics and IT downplayed the warning following the backlash, saying the original advisory was issued by the Bengaluru Regional Office of UIDAI in the context of spreading awareness about the potential “misuse” of a “photoshopped Aadhaar card.”

Ah… that’s a bit different.

IN: GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need

“GoodWill ransomware group propagates very unusual demands in exchange for the decryption key,” reports CloudSEK.

“The Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need.”

[“Once infected, the GoodWill ransomware worm encrypts documents, photos, videos, databases, and other important files and renders them inaccessible without the decryption key,” reports CloudSEK.]

In order for the victims to obtain the decryption keys, they must provide proof of donating to the homeless, sharing a meal with the less fortunate, and pay a debt of someone who can’t afford it.

[The decryption kit includes the main decryption tool, password file and a video tutorial on how to recover all important files. It’s only given to infected users after the three activities are verified by the ransomware operators, who appear to be operating out of India.]

So what’s the upshot for you? A noble cause, stupidly executed.

Global: Time to update: Google Chrome 102 arrives with 32 security fixes, one critical

This week Google began a rolling release for stable Chrome version 102 “with 32 security fixes for browser on Windows, Mac, and Linux”.

Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers.

So what’s the upshot for you? If you haven’t done it yet, hit the little update button on your Chrome browser.

US: US Bill Would Bar Google, Apple From Hosting Apps That Accept China’s Digital Yuan

Republican Senators want to bar U.S. app stores including Apple and Google from hosting apps that allow payments to be made with China’s digital currency, according to a copy of proposed legislation seen by Reuters, amid fears the payment system could allow Beijing to spy on Americans.

The bill to be unveiled on Thursday by Senators Tom Cotton, Marco Rubio, and Mike Braun states that companies that own or control app stores “shall not carry or support any app in [their] app store(s) within the United States that supports or enables transactions in e-CNY.”

According to Cotton’s office, the digital yuan could provide the Chinese government with “real-time visibility into all transactions on the network, posing privacy and security concerns for American persons who join this network.”

So what’s the upshot for you? The Chinese Embassy in Washington called the legislation “another example of the United States wantonly bullying foreign companies by abusing state power on the untenable ground of national security.”

US: FTC Fines Twitter $150 Million For Using 2FA Phone Numbers For Ad Targeting


“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina Khan.

Twitter requires users to provide a telephone number and email address to authenticate accounts.

That information also helps people reset their passwords and unlock their accounts when the company blocks logging in due to suspicious activity.

But until at least September 2019, Twitter was also using that information to boost its advertising business by allowing advertisers access to users’ phone numbers and email addresses.

That ran afoul of the agreement the company had with regulators.

More than 140 million Twitter users provided this kind of personal information based on “Twitter’s deceptive statements,” according to federal prosecutors.

So what’s the upshot for you? Elon, are you seeing this?

US: Tech Industry Groups Are Watering Down Attempts at Privacy Regulation, One State at a Time

In late 2019, Utah state senator Kirk Cullimore got a phone call from one of his constituents, a lawyer who represented technology companies in California. “He said, ‘I think the businesses I represent would like to have some bright lines about what they can do in Utah,’” Cullimore said.

At the time, tech companies in California were struggling with how they could comply with a new state law that gave individual Californians control over the data that corporations routinely gather and sell about their online activities.

The lawyer, whom Cullimore and his office wouldn’t identify, recounted how burdensome his corporate clients found the rules, Cullimore remembered, and suggested that Utah proactively pass its own, business-friendly consumer privacy law.

“He said, ‘I want to make this easy so consumers can make use of their rights and the compliance is also easy for companies.’ He actually sent me some suggested language [for a bill] that was not very complex,” Cullimore said. “I introduced the bill as that.”

What followed over the next two years was a multipronged influence campaign straight out of a playbook Big Tech is deploying around the country in response to consumer privacy legislation. It’s common for industries to lobby lawmakers on issues affecting their business.

But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians.

During the 2021 and 2022 Utah legislative sessions – when Cullimore’s bill made its way through the legislature – Amazon, Apple, Facebook, Google, and Microsoft collectively registered 23 active lobbyists in the state, according to their lobbying disclosures.

Thirteen of those lobbyists had never previously registered to work in the state, and some of them were influential in shaping Cullimore’s legislation.

But this type of thing is happening at a local level in state after state across the U.S.

So what’s the upshot for you? Privacy groups say they haven’t been asleep; they just can’t fight the multi-state battle Big Tech is waging. And polling suggests Americans are concerned about their online privacy; they just don’t know what to do about it.

“It’s been this coordinated national push to advance really weak privacy bills. We’ve definitely felt outnumbered,” Lee, from the American Civil Liberties Union, said. “They have tremendous resources and time to really influence the conversations happening in the legislature.”

US: FBI warns US University/College VPN credentials circulating on Russian forums

Network credentials and VPN logins from numerous U.S. colleges and universities are widely available for sale on cybercriminal forums operating out of Russia, according to an FBI alert issued last Thursday.

The alert read that a “multitude” of U.S. schools were featured on these sites as of January, with malicious actors selling directories of stolen credentials for hundreds or thousands of dollars.

Credential harvesting is often a byproduct of ransomware, spearphishing or another attack, the FBI said, laying the groundwork for identity theft or future cyberattacks.

Their .pdf goes on to list 16 things that Universities should do to bolster their security. Good luck with that. We’re pretty sure not even the FBI has completed this list of recommendations…

So what’s the upshot for you? Wouldn’t it be great to have someone hack into a university and complete a degree?

Global: Remote Learning Apps Tracked Millions of US Children During Pandemic

An international investigation uncovered some disturbing results, reports the Washington Post. “Millions of children had their online behaviors and personal information tracked by the apps and websites they used for school during the pandemic…”

The educational tools were recommended by school districts and offered interactive math and reading lessons to children as young as pre-kindergarten.

But many of them also collected students’ information and shared it with marketers and data brokers, who could then build data profiles used to target the children with ads that follow them around the Web.

Those findings come from the most comprehensive study to date on the technology that children and parents relied on for nearly two years as basic education shifted from schools to homes.

Researchers with the advocacy group Human Rights Watch analyzed 164 educational apps and websites used in 49 countries, and they shared their findings with The Washington Post and 12 other news organizations around the world…

What the researchers found was alarming: nearly 90 percent of the educational tools were designed to send the information they collected to ad-technology companies, which could use it to estimate students’ interests and predict what they might want to buy.

Researchers found that the tools sent information to nearly 200 ad-tech companies, but that few of the programs disclosed to parents how the companies would use it.

Some apps hinted at the monitoring in technical terms in their privacy policies, the researchers said, while many others made no mention at all.

The websites, the researchers said, shared users’ data with online ad giants including Facebook and Google.

They also requested access to students’ cameras, contacts, or locations, even when it seemed unnecessary to their schoolwork.

Some recorded students’ keystrokes, even before they hit “submit.”

The “dizzying scale” of the tracking, the researchers said, showed how the financial incentives of the data economy had exposed even the youngest Internet users to “inescapable” privacy risks — even as the companies benefited from a major revenue stream.

So what’s the upshot for you? School districts felt pressured during the pandemic to quickly replace the classroom with online alternatives, and most teachers didn’t have the technical ability or the inclination to uncover how much data these apps gobbled up.


and the quote of the week: “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.” — John Perry Barlow

That’s it for this week. Stay safe, stay secure, close the blinds, tell your kids you love them one more time, and we’ll see you in se7en.
