We won't get fooled again. The IT Privacy and Security Weekly Update for April 20th 2021



Daml’ers, we confess we wrote this intro with the Apple product announcement running in the background. We saw the new iPad, iMac, tags, TVs, and M1 features, and, “Oh my word,” nothing about the privacy update in iOS 14.5!!! Grrr…

So swiftly moving onto other matters of very little privacy, we have a couple of FBI stories, one about e-mail and another about iPhones (Grrr…).

Shocking revelations about online cameras…

Updates about Google that will leave you shaken, not stirred…

A scandalous, awful, treacherous, plot that could impact any wine drinker!!!

And then we finish the update with a story about what some would call arrogance, from Facebook… also regarding your privacy.

This update promises to bring you everything you need in the world of privacy and security… except of course for the “dang” details on the new iPhone privacy update. (again Grrr…)

Let’s roll up our sleeves, and not get fooled again!


US: FBI accessed hundreds of private computers in Microsoft Exchange remediation bid

The FBI accessed hundreds of vulnerable computers using remote backdoors installed by hackers — with the goal of collecting evidence against the hackers and removing the backdoors. In a press release issued last Tuesday, the U.S. Department of Justice announced the operation and explained the rationale behind it.

The Microsoft Exchange Server breach was a serious threat, and while it’s definitely a good thing that APT groups no longer have backdoor access to U.S. companies, there are aspects of the FBI’s operation that deserve a closer look.

For one thing, it appears that the FBI accessed the affected organizations without informing them ahead of time. In their press release, the Department of Justice said:

“The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells.”

Hmmnn…

So what’s the upshot for you? It’s understandable that the FBI wanted to take swift action to remove the threat. It’s also likely that they needed to preserve forensic evidence for their investigation. Nevertheless, the fact that the government used an APT’s hacking tools to access private companies “for their own good”, and did it without first notifying the companies, may strike the more privacy-minded among us as a little troubling!


AU: The FBI wanted to unlock the San Bernardino shooter’s iPhone. It turned to a little-known Australian firm.

The iPhone used by a terrorist in the San Bernardino shooting was unlocked by a small Australian hacking firm in 2016, ending a momentous standoff between the U.S. government and the tech titan Apple.

The identity of the hacking firm has remained a closely guarded secret for five years. Even Apple didn’t know which vendor the FBI used, according to company spokesman Todd Wilder. But without realizing it, Apple’s attorneys came close last year to learning of Azimuth’s role — through a different court case, one that has nothing to do with unlocking a terrorist’s device.

In September 2015, Apple released its new operating system, iOS 9, which it billed as having enhanced security to “protect customer data.” The new iOS was running on the iPhone 5C used by Syed Farook, a public health inspector for San Bernardino County.

The FBI suspected the iPhone 5C might have valuable clues about why Farook and Tashfeen Malik opened fire on a holiday party at Farook’s office. Both Farook and Malik were killed in a shootout with police.

Seeing the media reports, Dowd realized he might have a way to help. Around that time, the FBI contacted him in Sydney. He turned to 30-year-old Wang, who specialized in exploits on iOS, the people said.

Using the flaw Dowd found, Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device. From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries.

Azimuth demonstrated the solution at FBI headquarters, showing FBI Director James B. Comey and other leaders how Condor could unlock an iPhone 5C. Then, one weekend, the FBI lab did a series of forensic tests to be sure it would work without destroying data. The tests were all successful, according to the people. The FBI paid the vendor $900,000, according to remarks by Sen. Dianne Feinstein (D-Calif.) in May 2017.

Apple sought to recruit Wang to work on security research, according to the people. Instead, in 2017 he co-founded Corellium, a company based in South Florida whose tools help security researchers. The tools allow researchers to run tests on Apple’s mobile operating system using “virtual” iPhones. The virtual phones run on a server and display on a desktop computer.

Two months after the attack, Comey testified to Congress that investigators were still unable to unlock the terrorist’s iPhone.

In 2019, Apple sued Corellium for copyright violation. As part of the lawsuit, Apple pressed Corellium and Wang to divulge information about hacking techniques that may have aided governments and agencies such as the FBI.

Apple then subpoenaed Azimuth, Corellium’s first customer, according to court documents. Apple wanted client lists from Azimuth, which is now owned by L3 Harris, a major U.S. government contractor, that might show malign entities such as, potentially, authoritarian governments.

A month or two after the FBI unlocked the terrorist’s iPhone, finding nothing of particular note, Mozilla discovered the flaw in its software and patched it in a routine update. So did vendors that relied on the software, including Apple.

The exploit was rendered useless. All exploits have a shelf life.

So what’s the upshot for you? Corellium seems to understand that the computers we used to work on at our desks… are now less powerful than those in our back pockets, and that’s where the secrets… and the future… lie.


Global: Over 380 thousand IP cameras might be easily accessible worldwide… with the US and Germany in the lead

For this research, we analyzed internet-connected cameras worldwide made by the 30 most recognized manufacturers and found over 380,000 public-facing cameras online. Because every internet-connected camera is an IoT device with a reachable address, it is possible to find all of them.

These are all CCTV/IP cameras used for surveillance, outdoors and indoors, for commercial and personal purposes. That is to say, they can be anything from a remote parking lot or a warehouse camera to a smart doorbell or a baby monitor.

Alarmingly, we found that the vast majority of the most used cameras ship with default credentials which, if not changed before use, leave the device open to anyone who cares to look, be it a pet camera or a security device.

According to our research, most public-facing cameras are operational in the United States, where we identified over 53,000 such devices.

Germany was a close second with over 50,000 cameras. Interestingly, Germany has a relatively conservative position towards privacy, famously banning Google from taking pictures for its Street View service, making Germany a rather exceptional case in Europe.

We identified at least 25,000 public-facing cameras in China, making the country third on our list. Fourth, with 18,000 cameras, is the Republic of Korea. The last to make it to the top 5 is Brazil with over 10,000 cameras.

Chinese manufacturer Hikvision accounts for the largest number of cameras, and the country with the most Hikvision cameras is the United States, where at least 10,000 devices are online. Brazil operates 9,600 cameras from the same manufacturer, and China 9,200.

HIPCam, a US-based manufacturer known for its indoor and outdoor cameras, was second on our team’s list with at least 85,000 cameras connected to the web.

We’ve also identified over 73,000 public-facing cameras from the Taiwanese manufacturer D-Link. Interestingly, most of their camera models were automatically identified by HTTP headers the company provides.

27 out of 30 manufacturers we’ve analyzed provided default passwords for their products. With some reports indicating that a whopping 15% of users do not personalize passwords, that would translate to at least 57,000 public cameras accessible to anyone worldwide.

So what’s the upshot for you? Change the default password, consider putting the feed through a VPN, and point the camera at something nondescript.


CH: Verkada surveillance cameras at Tesla, hundreds more businesses breached

As a reminder, last month Reuters featured a story about Swiss software developer Tillie Kottmann, who had already gained attention for finding security flaws in mobile apps and other systems, and who shared screenshots from inside a Tesla warehouse in California and an Alabama jail on Twitter and in messages to Reuters.

Kottmann said she sought to draw attention to the pervasive monitoring of people but instead found login information for Verkada’s administrative tools publicly online this week.

Verkada acknowledged an intrusion, saying it had disabled all internal administrator accounts to prevent unauthorized access to the over 5200 connected cameras.

So what’s the upshot for you? Wait, What?!!! Verkada could view our feeds through those cameras? That’s far too creepy.


Global: You already know Google scans your email looking for purchase data but what about Google maps?

There’s a battle taking place right now—as big tech fights for its right to monetize you and your data, with just enough obfuscation to stop you short of reaching for the off switch. Apple is about to push the whole mobile marketing industry into a spin, forcing app developers to ask for your permission to be tracked. The industry fears that most of us will say no—and it is right to be worried.

Google and Facebook have an issue. Apple has turned user privacy into a unique selling proposition, and the two rivals are playing into its hands. I don’t expect Apple considered these comparisons as an immediate outcome from its privacy labels, but it will have gone down well. ESET’s Jake Moore talks of Apple “ramping up its privacy claim, firing on all cylinders to keep its users’ data protected.” He calls data “the currency of the 21st century,” and the staggering profits generated by Google and Facebook certainly back this up.

On the surface, the privacy label for Google Maps is another conduit for collecting associated user data, especially when compared to Apple’s stock alternative. “App Privacy labels show all possible data that could be collected,” Google told me, pointing out that Apple collects data through its OS as well, per its privacy policy. As for Maps, Google says, the actual data “depends on the specific features a person decides to use.”

Just as with Chrome, Google Maps does not collect data that isn’t linked to user identities. Perhaps the company should rethink this as a strategy? It’s fairly blatant.

But, as we saw with Gmail and Chrome, the privacy labels speak for themselves. Too much data in too many categories, everything linked to user identities; if there’s a balance to be struck, then Google Maps appears to have missed the mark.

Chrome collects more data than Microsoft Edge and Mozilla Firefox, and critically, it links all its data fields to user identities, which is unique among all leading browsers. This is a good illustration of the issue, and you can assume this is a broad-brush approach across Google’s other flagship apps, including Maps.

So what’s the upshot for you? We are at the point where any Google app on an iPhone must be assumed to be slurping data about you. If you can deal with the inconvenience, then it may be best to leave them off.


Global: Google is testing FLoC on Chrome users worldwide. Find out if you’re one of them.

According to Google, the trial currently affects 0.5% of users in selected regions, including Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the United States.

Third-party cookies are the technology that powers much of the surveillance-advertising business today. But cookies are on their way out, and Google is trying to design a way for advertisers to keep targeting users based on their web browsing once cookies are gone. It’s come up with FLoC.

FLoC runs in your browser. It uses your browsing history from the past week to assign you to a group with other “similar” people around the world. Each group receives a label, called a FLoC ID, which is supposed to capture meaningful information about your habits and interests. FLoC then displays this label to everyone you interact with on the web. This makes it easier to identify you with browser fingerprinting, and it gives trackers a head start on profiling you.

The most prevalent threat to our privacy is the slow, steady, relentless accumulation of relatively mundane data points about how we live our lives. This includes things like browsing history, app usage, purchases, and geolocation data. These humble parts can be combined into an exceptionally revealing whole. Trackers assemble data about our clicks, impressions, taps, and movement into sprawling behavioral profiles, which can reveal political affiliation, religious belief, sexual identity and activity, race and ethnicity, education level, income bracket, purchasing habits, and physical and mental health.

To keep track of who is who, trackers need identifiers that are unique, persistent, and available. In other words, a tracker is looking for information (1) that points only to you or your device, (2) that won’t change, and (3) that it has easy access to. Some potential identifiers fit all three of these requirements, but trackers can still make use of an identifier that checks only two of these three boxes. And trackers can combine multiple weak identifiers to create a single, strong one.
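To make the point about combining weak identifiers concrete, here is an added illustration (not from the original post, Google or the EFF): a constructed population of site visitors, each carrying a FLoC-style cohort label plus three ordinary fingerprint attributes, and a measure of how much each combination of signals shrinks the crowd a visitor hides in. The population size, cohort count and attribute values are assumptions, and cohorts are assigned uniformly at random rather than by browsing similarity.

```python
"""Added illustration: how a FLoC-style cohort label combines with other
weak identifiers. Every number below is a constructed assumption."""
import math
import random
from collections import Counter

POPULATION = 200_000   # assumed visitors of one site
COHORTS = 8_000        # assumed number of distinct FLoC IDs in circulation
# Weak identifiers any site can read without cookies (assumed values).
TIMEZONES = ["UTC-8", "UTC-5", "UTC", "UTC+1", "UTC+9"]
LANGUAGES = ["en-US", "en-GB", "de-DE", "pt-BR", "ja-JP"]
SCREENS = ["1920x1080", "1366x768", "2560x1440", "1440x900"]


def make_population(n=POPULATION, cohorts=COHORTS, seed=1):
    """Build a constructed, reproducible set of visitors with their signals."""
    rng = random.Random(seed)
    return [
        {
            "floc": rng.randrange(cohorts),  # cohort label the browser would expose
            "tz": rng.choice(TIMEZONES),
            "lang": rng.choice(LANGUAGES),
            "screen": rng.choice(SCREENS),
        }
        for _ in range(n)
    ]


def anonymity_sets(users, keys):
    """How many visitors share each combination of the observed signals."""
    return Counter(tuple(u[k] for k in keys) for u in users)


def median_set_size(users, keys):
    """Typical crowd size a visitor blends into when a tracker sees only `keys`."""
    sets = anonymity_sets(users, keys)
    sizes = sorted(sets[tuple(u[k] for k in keys)] for u in users)
    return sizes[len(sizes) // 2]


def unique_fraction(users, keys):
    """Share of visitors who are the only one with their combination of `keys`."""
    sets = anonymity_sets(users, keys)
    return sum(sets[tuple(u[k] for k in keys)] == 1 for u in users) / len(users)


def bits_of_identity(population, set_size):
    """Identifying information gained: log2(population / anonymity-set size).
    Singling out one visitor in 200,000 is worth about 17.6 bits."""
    return math.log2(population / set_size)


if __name__ == "__main__":
    users = make_population()
    for keys in (["tz", "lang", "screen"], ["floc"], ["floc", "tz", "lang", "screen"]):
        med = median_set_size(users, keys)
        print(f"{'+'.join(keys):22s} median crowd {med:6d}  "
              f"{bits_of_identity(len(users), med):5.1f} bits  "
              f"unique {unique_fraction(users, keys):.0%}")
```

Neither the cohort label nor the three fingerprint attributes singles anyone out on its own; together they make roughly three quarters of the constructed population unique, which is the head start the EFF text describes.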

So what’s the upshot for you? The Electronic Frontier Foundation (EFF) has a great white paper about corporate tracking and your privacy called “Behind the One-Way Mirror”. If your privacy matters to you, you will find this paper very interesting.


NL: Two cloggies demonstrate another Zoom attack

Two Dutch researchers this week demonstrated that they could remotely get control of a PC running Zoom with no interaction from the user. Specific details haven’t been disclosed, as Zoom has yet to patch the underlying bugs.

The team’s finding won them $200,000 at Pwn2Own, a twice-yearly competition for white-hat hackers.

“We are working to mitigate this issue with respect to Zoom Chat, our group messaging product,” Zoom said in a statement. “In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account.”

So what’s the upshot for you? You can look at this two ways: Either Zoom was the most insecure web conferencing tool ever or it’s now one of the most secure.


Global: Absolute monsters.

Phishing Scams Are Coming for Wine Fans.

In these quarantined times, it’s natural to experience an uptick in personal wine consumption. That hasn’t gone unnoticed by scammers, who according to new research from Recorded Future and Area 1 Security have increasingly registered malicious domains targeting oenophiles. At its June peak, malicious domains comprised 7 percent of all wine-themed domains registered. Talk about … sour … grapes.

So what’s the upshot for you? Where there is money to be divined, even in fine wine…


US: GEICO Auto Insurance Notifies customers of a Data Breach

A wholly-owned subsidiary of Berkshire Hathaway, the Government Employees Insurance Company (GEICO), think little green Gecko with the British accent, is the second-largest car insurer in the United States.

Between January 21 and March 1, 2021, using customer information acquired elsewhere, fraudsters managed to gain unauthorized access to driver’s license numbers by abusing the online sales system on GEICO’s website.

So what’s the upshot for you? The interesting thing about this story was that the baddies used information on individuals they already had to coax out additional driving license details. It seems like they really are doing their homework.


US: Congress is considering mandating breach disclosure to the Feds

The U.S. intelligence apparatus is pressing Congress to propose measures that require private industry to share security breach information and other threat intelligence with the federal government.
Directors of the National Security Agency (NSA), National Intelligence, and the Federal Bureau of Investigation (FBI) told bipartisan members of the Senate Intelligence Committee in a recent hearing that a law requiring the private sector to report a breach can help stitch together the nation’s cyber defenses against attacks on critical industry.

While calls by federal security officials for the private sector to disclose breaches have become more frequent and insistent, it’s the massive SolarWinds attack that hit at least nine federal agencies and roughly 100 companies that has raised the volume of those voices.

Many enterprise businesses back away from disclosing security lapses for competitive reasons, not wanting to admit cyber vulnerabilities for fear of additional attacks, avoiding unease among their shareholders and customers, and potential legal entanglements.

So what’s the upshot for you? It sounds like a really good idea until their database gets breached… and it will.


NL: Internal mail shows how Facebook wants to ‘normalize’ security problems

https://datanews.knack.be/ict/nieuws/interne-mail-toont-hoe-facebook-veiligheidsproblemen-wil-normaliseren/article-news-1724927.html

DataNews editor Pieterjan Van Leemputten sent several queries to Facebook requesting an update on the data scraping incident and further clarity concerning the breach timeline. It seems he was included in a response that Facebook didn’t intend to send to him…

Translated by Google, it reads something like this:

“Assuming press volume continues to decline, we’re not planning additional statements on this issue. Longer-term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly.”

“The team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area. While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact that this activity is ongoing and avoid criticism that we aren’t being transparent about particular incidents.”

So what’s the upshot for you? Facebook may also have plans for the normalization of all your private data being exposed on this internet. It doesn’t mean you have to go along with those plans.


That’s it for this week. Stay safe, Stay secure, and see you in Se7en.


Great post 👍

… you can’t. If you are using Google’s Android OS, and most of us on Android handsets are, you are stuck with the entire Google Suite. The only alternative is to install comparable apps, remove the Google icons from the handset desktop, and never use any Google default app.

The handset will still be tracking you though and reporting to the Google Mothership, and your DNS provider(s), and your ISP, and any of their third party … why do we have them again?


Unfortunately, you are exactly right. When you add that into data collected through mail and maps and texts collected year after year, you have a company that is more capable of accurately profiling you, than you are of yourself.


BTW, thanks Quidagis! The whole Daml community thanks you for your interactions here.
