z3r0trust Privacy Newsletter #33–20
This week in privacy news there are many issues to discuss. I hope you’re sitting in your comfy chair because it might get a little bumpy. You might want to strap in folks.
The average cost of a data breach according to a recent IBM-sponsored report is said to be “$3.86 million globally, with that number ranging as high as $8.64 million depending on location, industry, and other risk factors” (Ikeda, 2020).
Canon was hit by Maze ransomware, which disrupted its internal operations and 24 company-owned domains for approximately six days, from July 30 to August 4, 2020. The attackers were likely inside Canon's network for at least several days beforehand, long enough to spread across that many domains and to exfiltrate the 10 TB of data, including private databases, that the gang has since leaked (Hope, 2020). The Maze gang's playbook is "double extortion": it exfiltrates data before deploying the encryptor and then threatens to publish it online for the entire world to see unless the organization pays up (Hope, 2020).
Chipmaker Intel continues to have a rough year. In March, security researchers disclosed a critical vulnerability in the Converged Security and Management Engine (CSME), the subsystem that acts as the platform's root of trust: it verifies the firmware before it runs, provides the firmware-based Trusted Platform Module (TPM) that disk encryption can rely on, and anchors the platform's Digital Rights Management (DRM) protections (Warren, 2020). To put this in context, a compromise at the hardware and firmware layer sits below the operating system and below every security control stacked on top of it, so it is a major threat to the security and privacy of your files no matter what software you run.
“The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets,” warns [Mark] Ermolov [of Positive Technologies]. “The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
Now a Swiss software engineer, Till Kottmann, has publicly shared 20 GB of Intel's confidential and restricted data on the file-sharing site MEGA after receiving it from an unnamed source on Telegram; the archive includes chipset designs and other material covered by Non-Disclosure Agreements (Hope, 2020). The worst part is Intel's flat denial that it was hacked at all. Intel insists the material was taken by a malicious insider or a trusted third party with legitimate access, and data belonging to Intel customers such as SpaceX was exposed along with it (Hope, 2020). The fact that the leaker never asked for any sort of ransom suggests someone who simply wanted to see Intel take a massive hit to its industry reputation.
Shutting Down the Internet as a Means of Government Control
The government of Belarus, specifically its Ministry of Information, has partially blocked the internet for its citizens, temporarily cutting many of them off from the rest of the world amid the controversial re-election of President Lukashenko. In my view, the unpalatable part of this is that governments think it is appropriate to turn off the internet in the first place. Just because you have the power to do something as draconian as that does not mean you should ever actually do it. I could lock everyone out of their work accounts if I wanted to, but I'd surely be fired for doing so unless there was a damn good reason.
From a privacy perspective, this type of ill-conceived action reeks of government spy agencies snooping on private communications and of crooked regimes hiding what they are doing to repress their people. It should not stand. A government like this doesn't want its citizens to think for themselves or seek outside opinions. This is what oppression looks like in a police state, as minor as it may seem. Belarusian officials say they took this unprecedented action out of concern over foreign interference in their election, which is understandable considering they share a border with Russia, their former ruler.
Immediately your thoughts turn to whether your own government could shut off all internet access where you live. The answer is, it depends. Governments can get away with pretty much anything they want as long as they can justify their actions to the international community; there isn't much anyone else can do about it. Let's be clear, no one is going to war over being temporarily denied internet access. There are, however, many nuanced factors in how quickly access could be shut off.
In America we are a much larger country, geographically speaking, and the network is decentralized across many major Internet Service Providers (ISPs) and smaller players offering everything from dial-up to cable broadband, fiber (FiOS) and satellite service, so shutting it off would be significantly harder. Could the government order an internet shutdown in a national emergency? Of course it could, but it is highly unlikely to, considering how much the federal government, emergency services, the military, and every one of the 16 critical infrastructure sectors depends on it.
Additionally, how long would such an order take to carry out? It certainly would not happen immediately, and it would likely be issued as some type of Federal Communications Commission (FCC) order or presidential declaration of a national emergency. How many ISPs would willingly comply with such an order when the First Amendment of the Constitution specifically protects freedom of speech?
What redundancies are already built into the infrastructure, and what traffic loads can they support? There are many variables to consider, which makes such an order that much more improbable. A small nation, or a severely restricted one like the DPRK, might be able to shut off the internet quickly and effectively. Even a much larger nation can do so at the drop of a hat if it has engineered its network for it: China's 'Great Firewall' funnels international traffic through a small number of state-controlled gateways.
TikTok Tracking Android Users Via Obfuscated Encryption Layer
According to a recent article in the Wall Street Journal, until November 2019 TikTok secretly tracked Android users who had the app installed by collecting their devices' Media Access Control (MAC) addresses, the hardware identifier burned into the Wi-Fi interface, even though the practice was and still is explicitly prohibited by Google (Montalbano, 2020). A MAC address does not change when you switch networks, reinstall the app or reset your advertising ID, so it let TikTok fingerprint a device persistently and tie everything that device does back to the same user, like a browser cookie you can't delete.
You can change your IP address by going online through a VPN, and you could spoof your MAC address, but on a stock phone that generally requires root and is more advanced than normal users will bother with, which translates in layman's terms to: that's not happening. iPhone users are also being targeted by TikTok in a seemingly ongoing data-collection practice in which the app reads and collects the contents of the iPhone's clipboard (Montalbano, 2020).
Let’s face it, most American TikTok users are completely oblivious to what is going on with their device and user data behind the scenes unless they follow cybersecurity news reports. Many users likely don’t care either if there are security or privacy risks to using apps like TikTok. They just want to have fun and watch funny videos. I don’t think there is anything wrong with that so long as it is on their personal device. It is their device, their private data at risk.
There are other risky apps out there, some of which have been found in the Apple App Store and Google Play Store with embedded malware. As I have stated previously, TikTok is not unusual in shadily collecting all sorts of data it shouldn't. Other apps collect the same, or nearly the same, types of data, which are used for purposes such as market analysis, feature improvements, and resale to third-party marketers and data brokers.
It also turns out that, among the growing list of investigations and litigation against TikTok, France's data protection authority, the CNIL, has publicly confirmed that it is investigating the company (Lomas, 2020). European regulators enforcing the EU's General Data Protection Regulation (GDPR) are unlikely to look favorably on TikTok's handling of individual user data either. So, TikTok has a tough road ahead of it.
There is an interesting piece in Wired on "dark patterns," the term for the way social media sites trick users into giving up more of their online privacy and make it as difficult as possible to opt out of data collection (Pardes, 2020). Facebook, Twitter, Snapchat, Instagram, Reddit: all of the major social networks use dark patterns to some extent, some more than others. "Are you sure?" and "You're in control" are among the pop-up messages Facebook and Twitter show when users try to opt out of personalized ads. The more disturbing example is Facebook, whose facial recognition prompt followed the same playbook as its earlier "instant personalization" feature: if a user declined personalization, Facebook would ask, "Are you sure? Allowing instant personalization will give you a richer experience as you browse the web" (Pardes, 2020).
Dark patterns are why we, as users of these platforms, have to be very careful about which features we enable. The sites deliberately do not make it easy to lock down your privacy, because they lose money when users do. Since the GDPR went into effect in 2018, every website is supposed to have a banner at the bottom that displays the
They cannot collect as much data, though they still collect some, which could be sold to third-party data brokers. When is the last time you went through all of your web accounts to check the privacy settings? Would it surprise you to learn that tech companies sometimes change your settings? Facebook used to be bad about that. So, you might want to go back and check every few months.
Set an automatic quarterly reminder on your calendar and while you’re at it, use that calendar reminder as an opportunity to perform a “privacy and security tune-up” on all your accounts and computer devices. Often we call this “cyber hygiene” in the infosec community but there is also “privacy hygiene” that we should all be doing. Let’s just keep it simple and call it a privacy and security tune-up.
Go through your password manager, whichever flavor you chose. I use KeePass at the moment but have used others like LastPass; Bitwarden is another good option. I don't use web or browser-based password managers because I consider them far more exposed to attack than one installed locally on your drive, and the local option is not much harder to use. Several factors go into picking a solid password manager, which I won't get into here, but KeePass is a good choice for the reasons I listed in the Tweet snapshot below. Ensure you don't have any duplicate passwords.
· Go the extra mile and, on all the sites that allow it, use passphrases or passwords of 20+ characters.
· Check for full device encryption.
· Smartphone screen lock enabled.
· Two-factor authentication (2FA) enabled on all accounts that allow it.
· Automatically install software updates on your computer(s) and device(s).
· Anti-virus software installed on both your computer(s) and smartphone(s), with automatic scans configured.
· VPN software installed on both your computer(s) and smartphone(s).
· Automatic daily incremental and weekly full backups to an external drive or the cloud.
· Disable password saving in the browser.
· Now go back and delete your browser history and cookies.
· Remove all the applications on your computer and phone that you don't use.
· Freeze your credit with all three credit bureaus and check a credit report every four months (rotate through the bureaus, since each gives you one free report per year).
· Check your privacy settings on every account you maintain to ensure the company hasn't changed them or "added" new features that quietly reset your privacy settings.
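The first two items on that list, no duplicate passwords and a 20-character floor, are the ones you can actually check by machine. The script below is an added example, not code from the newsletter or from KeePass or Bitwarden: it reads a password-manager CSV export with the column names KeePass uses ("Title", "Username", "Password", "URL"), groups entries by a truncated hash of the password so the report never prints the secrets, and lists reuse and short passwords. The export embedded in it is constructed for the demo.

```python
"""Audit a password-manager CSV export for reused and short passwords.

Added example; not code from the newsletter, KeePass or Bitwarden. It reads
the generic CSV layout KeePass exports ("Title","Username","Password","URL")
and any export using the same column names. The export below is constructed
for the demo. A real export is plaintext: run this from an encrypted disk and
shred the file afterwards.
"""
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 20  # the newsletter's recommended floor for password length

# Constructed sample export (not real credentials).
SAMPLE_EXPORT = """Title,Username,Password,URL
bank,alice,correct horse battery staple 42,https://bank.example
email,alice@example.com,correct horse battery staple 42,https://mail.example
forum,alice99,hunter2,https://forum.example
vpn,alice,Tr0ub4dor&3-with-extra-words!,https://vpn.example
"""


def load_entries(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def fingerprint(password):
    """Short hash used to group identical passwords without printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit(entries, min_length=MIN_LENGTH):
    """Return {'reused': {fingerprint: [titles]}, 'short': [titles]}."""
    by_hash = defaultdict(list)
    short = []
    for entry in entries:
        password = entry["Password"]
        by_hash[fingerprint(password)].append(entry["Title"])
        if len(password) < min_length:
            short.append(entry["Title"])
    reused = {h: titles for h, titles in by_hash.items() if len(titles) > 1}
    return {"reused": reused, "short": short}


def report(result, min_length=MIN_LENGTH):
    """Human-readable findings; secrets appear only as truncated hashes."""
    lines = []
    for h, titles in sorted(result["reused"].items()):
        lines.append(f"password {h} reused across: {', '.join(titles)}")
    for title in result["short"]:
        lines.append(f"shorter than {min_length} characters: {title}")
    return lines


if __name__ == "__main__":
    findings = report(audit(load_entries(SAMPLE_EXPORT)))
    print("\n".join(findings) or "no findings")
```

On the sample it flags the password shared between "bank" and "email" and the seven-character "forum" password. The hashing is only there to keep secrets out of your terminal and scrollback; the exported CSV itself is the sensitive artifact, which is why it should be deleted as soon as the audit is done.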
This is a really good start in terms of both security and privacy. This is always going to be an uphill battle because technology is always changing and well, we are humans after all. We can’t be expected to stay on top of all of these constant changes. Those odds are stacked against us. The most we can hope to do is be aware and try the best we can to ensure our data is protected and doesn’t fall into the wrong hands. Choosing not to use internet technology because it is too risky for privacy is in my opinion, the way of a Luddite. I am not about that life. I am about using technology intelligently, securely, and privately.
One of the biggest data collection kingpins is Google. It is unfathomable how much data Google collects. Put it this way: Google sees so much of the web, through its search engine, its ad network and the analytics scripts embedded on other people's sites, that changing your IP address with a VPN or Tor does not make you anonymous to it. Your IP address may change, perhaps several times, but you are still identifiable by other signals: the account you are signed into, cookies, browser fingerprinting, and on Android the device's advertising ID. (Your MAC address and your phone's IMSI, by contrast, never reach a website: the MAC stays on your local network segment, and the IMSI is visible only to the mobile carrier.)
Google users, and even people who don't use Google products and services, are tracked as they surf the web. Every search you run on Google.com is logged. Google Analytics, together with its Google Signals feature, collects data from traffic across much of the internet, even across devices: Analytics runs on the sites you visit, sets and reads cookies, and records your IP address and browser details, and Signals ties that activity to your signed-in Google account so it can follow you from phone to laptop.
Instagram, owned by Facebook as you'll recall, failed to delete photos and direct messages from its servers despite GDPR requirements, the kind of failure that can bring stiff fines for any company operating in Europe. One researcher found that data he had deleted the year before was still there when he downloaded his data from Instagram (Montalbano, 2020). Imagine that: a Facebook company not deleting data the user asked to have deleted forever. If there is one constant in data privacy, it seems to be Facebook never doing the right thing ethically. I honestly don't know how people can work there after everything that has transpired in recent years, including the Cambridge Analytica scandal.
Jumbo is a privacy app, launched in April 2019 for both Android and iOS, that looks promising. It offers users a choice between "weak," "medium," and "strong" privacy settings for reining in social media invasiveness. It automatically adjusts 30 Facebook privacy settings and deletes old tweets on Twitter after saving them to your phone (Constine, 2019). The biggest problem I see with privacy apps like Jumbo is that they rely on each social media site's Application Programming Interface (API). That means tech giants like Facebook and Twitter get to decide how far apps like Jumbo can go in locking down user privacy settings.
At any point, the tech giants could block access to their APIs. It would be a controversial move, but they have that right if they feel apps like Jumbo threaten their business, and stranger things have happened. What platforms like Facebook and Twitter are banking on is that most users don't care much about privacy and these apps won't build a large enough user base. Then it becomes a matter of time before they die off on their own because they can't sustain themselves for long.
Mobile Sentinel is “an Android App that allows you to detect vulnerabilities in deployed LTE and (future) 5G networks. With the current release, Mobile Sentinel focuses on the detection of the ReVoLTE vulnerability (www.revolte-attack.net). Mobile Sentinel requires a Qualcomm-based Android phone with root access as it builds upon the Qualcomm’s mdlog tool” (Karakoc & Rupprecht, 2020). The application includes:
· An automated test run to detect the ReVoLTE vulnerability
· A logging view to capture cellular traffic (currently RRC only) and view protocol messages in-app
· Writing the captured traffic into PCAP files
· Upload function of logs to an HTTP server (under development)
The README states that the app has been tested on the Xiaomi Mi A3 (Android 9.0) and the OnePlus 6T (Android 9.0). The application is featured this week for its ability to self-test an Android phone for the ReVoLTE vulnerability, which threatens users' security and privacy because it lets an attacker eavesdrop on phone calls. ReVoLTE is a keystream-reuse flaw: if a base station reuses the same encryption key and radio bearer for two consecutive VoLTE calls, the second call is encrypted with the same keystream as the first, so an attacker who recorded the first call and then places a call to the victim can derive the keystream from the call they know and decrypt the one they don't.
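To make the keystream-reuse mechanism concrete, here is an added example, not code from Mobile Sentinel or from the ReVoLTE researchers. It models LTE user-plane encryption as a keystream derived from (session key, bearer ID, direction, packet counter) XORed into each voice packet, and substitutes a SHA-256 counter-mode stand-in for the real EEA2 (AES-CTR) cipher so it runs with only the Python standard library. The two "calls" are constructed; the attacker's call is deliberately at least as long as the victim's, a precondition the real attack shares.

```python
"""Keystream reuse, the flaw behind ReVoLTE, in miniature.

Added example; not code from Mobile Sentinel or the ReVoLTE paper. LTE
encrypts each voice packet by XORing it with a keystream derived from the
session key, the radio bearer ID, the direction and a per-bearer packet
counter. If the base station reuses the same key and bearer ID for a second
call, the counter restarts and the keystream repeats. The real cipher
(EEA2, AES in counter mode) is replaced by a SHA-256 counter-mode stand-in so
this runs with the standard library only; the two "calls" are constructed.
"""
import hashlib
import os


def keystream(key, bearer, direction, count, length):
    """Stand-in for EEA2: bytes fully determined by (key, bearer, direction, count)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = key + bytes([bearer, direction]) + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
        block += 1
    return out[:length]


def xor(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(key, bearer, direction, packets):
    """Encrypt one call; the packet counter restarts at 0 for every bearer."""
    return [xor(p, keystream(key, bearer, direction, n, len(p))) for n, p in enumerate(packets)]


def revolte_recover(target_ct, keystream_ct, keystream_pt):
    """Attacker side: known plaintext of the second call -> keystream -> first call."""
    recovered = []
    for t, kc, kp in zip(target_ct, keystream_ct, keystream_pt):
        ks = xor(kc, kp)              # keystream for this packet index
        recovered.append(xor(t, ks))  # same index in the target call
    return recovered


SESSION_KEY = os.urandom(16)  # the attacker never learns this
BEARER, DOWNLINK = 5, 1
# Constructed calls. The attacker's packets are at least as long as the victim's,
# which the real attack also needs (the keystream call must outlast the target).
TARGET_CALL = [b"transfer 5000 to account", b"the pin is 4417", b"thanks bye"]
ATTACKER_CALL = [b"hello this is a telephone survey", b"do you have a minute to spare", b"ok thank you goodbye"]


def demo_vulnerable():
    """Same key, same bearer ID, counter restarted: the victim's call is recovered."""
    target_ct = encrypt_call(SESSION_KEY, BEARER, DOWNLINK, TARGET_CALL)
    attacker_ct = encrypt_call(SESSION_KEY, BEARER, DOWNLINK, ATTACKER_CALL)
    return revolte_recover(target_ct, attacker_ct, ATTACKER_CALL)


def demo_mitigated():
    """A fresh bearer ID (or rekeying) for the second call yields a different keystream."""
    target_ct = encrypt_call(SESSION_KEY, BEARER, DOWNLINK, TARGET_CALL)
    attacker_ct = encrypt_call(SESSION_KEY, BEARER + 1, DOWNLINK, ATTACKER_CALL)
    return revolte_recover(target_ct, attacker_ct, ATTACKER_CALL)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("mitigated :", demo_mitigated())
```

The attacker never touches the session key; the XOR of their own ciphertext and known plaintext hands them the keystream, and the same keystream at the same packet index decrypts the victim's earlier call. The mitigated variant shows why the fix is on the network side: a fresh bearer identity or a rekey for the second call changes the keystream and the recovery yields garbage. In practice the attacker also needs a downlink sniffer for the first call and must place the second call soon enough that the same radio connection is still in use.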
Smart Home Assistants
Smart home assistants like Alexa, Siri, and Google Home are always on, and the long tail of cheaper smart speakers and other connected devices rarely receives firmware updates, if ever, while most users never update them at all. So these devices are always listening unless you happen to be in the habit of unplugging them. But, let's be honest, unplugging a home assistant rather defeats the purpose of owning one. Home assistants are essentially a window into what's going on inside your home and can be an entry point into your home Wi-Fi network if not properly updated and maintained. The problem is that most of these Internet of Things (IoT) devices have numerous vulnerabilities because they weren't designed with security and privacy in mind; they were shipped en masse as fast as possible for maximum profit.
I am highly confident that many IoT vulnerabilities simply haven't been discovered yet, and that many users own older models the manufacturer no longer patches, partly to nudge them toward new devices and, of course, to keep the profits flowing in. Oded Vanunu, Check Point's head of product vulnerability research, stated that "…we found a chain of vulnerabilities in Alexa's infrastructure configuration that eventually allows a malicious attacker to gather information about users and even install new skills" (Newman, 2020).
The vulnerability allowed attackers to expose a user's voice history, but to be honest, it seems like a lot of trouble for an attacker to go to. In cybersecurity we call this the cost of attack: if the cost of pulling off a particular hack is too high, the chances that the vulnerability will ever be exploited in the wild drop considerably, unless you're someone very important. Then, perhaps the GRU, FSB, Mossad, CIA, FBI, NSA, MI6, or Chinese Ministry of State Security APT groups may go to great lengths to target your Alexa home assistant. But for Karen from Inglewood who drives a Yugo, the chances are that you are completely safe from such a high-cost novel attack.
A Privacy Company is America’s Fastest-Growing Company
OneTrust is a privacy, security and governance company that, according to the Inc. 5000, is the #1 fastest-growing company in America, with 48,000% growth, 6,000 customers, and a $2.7B valuation (Foster, 2020). It is great to see a privacy-centric company like OneTrust get such positive attention and growth, because hopefully it also means that companies are beginning to take digital privacy seriously with the enactment of laws such as the EU's GDPR and the California Consumer Privacy Act (CCPA).
OneTrust offers an assortment of privacy compliance products and services to help companies stay in compliance and help prevent costly data breaches. OneTrust can help companies map their data because as we all know, you can’t protect what you don’t know you have. The first step in any security and/or privacy risk management framework process should always be asset and data inventory. Once an organization has completed this crucial first step, they can just update it regularly to ensure it remains accurate and protect it accordingly. Any other way is putting the cart before the horse. Hopefully, we will continue to see a vast improvement in the privacy compliance market as it only helps to protect all of us from the disastrous effects of data breach burnout.
Pay For Dinner With Your Face
A new company called PopID, the brainchild of 42-year-old entrepreneur and Pasadena resident John Miller, has become a pioneer in the U.S. as the first company to market a facial recognition system (FRS) as a payment method for restaurants (Dean, 2020). Such FRS payment systems are already in use in China (e.g., Alipay), but because some of us Americans value our privacy, no company here had marketed one until now.
FRS technology has horrible implications for digital privacy and reeks of a dystopian surveillance police state, but I am sure this guy will be the next billionaire for standing up this business. My question is: what prevents this company from making extra money by sharing its face images and time/location data with law enforcement agencies or the government, as Amazon, Microsoft, and IBM have been known to do?
“The system is simple: A customer signs up on their phone, takes a selfie and adds cash to their Pop Pay account from a credit card or bank account. When it comes time to pay for their meal, they look into the camera of a PopID tablet or kiosk (no smiling necessary), the cashier verifies their name, and money is withdrawn from the account” (Dean, 2020).
The fact that this is an app raises the question of what access it requires on a user's phone beyond the obvious camera permission. What other data does it access or collect that it doesn't tell users about? That's one reason I will never install an app like this on my phone. The service is opt-in, at least. The verdict is still out on FRS technology, however, as cities like San Francisco, CA, and Boston, MA, have banned government use of it.
Practical Privacy Hack of the Week
Think about investing in a bug sweeper / hidden camera finder. SpyCentre Security has several options that are affordable for most folks. This type of device comes in handy if you travel often and stay in hotels or in rental properties listed on sites like Airbnb. You never know when you're being filmed, and there have been reported cases of property owners planting hidden cameras in inconspicuous locations throughout a property. Unless you want to end up on Pornhub, I highly suggest sweeping the property first. The model shown below claims to find both Wi-Fi and wired cameras (a wired camera emits no radio signal, so it can only be found by its lens reflection) and doubles as a Radio Frequency (RF) signal finder covering 1 MHz to 6.5 GHz. I have no affiliation with this company, but I do think a product like this is useful for the privacy-conscious. Per its spec sheet this model only detects RF signals from up to 5 ft away; if you need more range there are certainly pricier options.
Now, I have written in previous articles about privacy in the physical sense. Plastering your vehicle with your favorite stickers not only makes you and your vehicle stand out like a sore thumb but also tells every criminal in your area certain things about you. For instance, check out this graphic shared by the Richland Police Department in Washington.
Perhaps a personalized license plate may not seem like such a big deal, but it is much more recognizable to strangers than say a random DMV plate would be. If you see a silver truck with a random license plate drive past you in traffic you would ordinarily not think anything of it but a vehicle that drives past with a personalized license plate that says something memorable like “FUZZY69,” well you might remember that. Then maybe another day you see the same vehicle again with that personalized plate somewhere else and you remember back to when you last saw it.
Now, you’re kind of doing geographic triangulation and thinking that maybe this is a vehicle that belongs to someone in your community, and holy smokes! That truck just cut me off at the intersection. Grrrr! Another week goes by and you spot the same truck again and it passed you again, driving recklessly. You’re still angry over getting cut off from the week prior so you decide to tail it for a little way and would you know it, that truck belongs to a neighbor who lives a couple of blocks over from you. Now you know where that sucker lives! It only gets worse from there.
The same goes for bumper and window stickers, unfortunately. I know you want to tell the world how proud you are that little Jimmy is an honor student at such and such junior high school but nobody cares and they certainly don’t need to know where to find your child at such and such school. Having been in the military for several years, it pains me to say that a lot of military service members and their families are egregiously bad about the whole car sticker thing. I mean, does the entire military base and surrounding community need to know that you are an E-5 with a combat action ribbon who served in Afghanistan?
Probably not. You’re just painting a huge target silhouette on yourself by displaying these stickers and quite frankly, a homegrown terrorist or foreign extremist, given the choice between attacking you with all of your military bravado stickers or some nonchalant nobody, will pick you 10 out of 10 times. Oh yeah, and your peace sign sticker tells criminals that you’ll be less likely to use a gun to defend yourself should they decide to break into your home. These are things to think about when considering operational security (OPSEC).
That’s it for this week’s privacy newsletter. I hope you enjoyed it. Remember to Trust No One, Verify Everything, and Leave No Trace.
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.
Constine, J. (2019, April 9). New privacy assistant Jumbo fixes your Facebook & Twitter settings. Retrieved from https://techcrunch.com/2019/04/09/jumbo-privacy-assistant/
Dean, S. (2020, August 14). Forget credit cards — now you can pay with your face. Creepy or cool? Retrieved from https://www.latimes.com/business/technology/story/2020-08-14/facial-recognition-payment-technology
Foster, T. (2020, August). ‘A Growth Industry Like I’ve Never Seen’: Inside America’s №1 Fastest-Growing Company. Retrieved from https://www.inc.com/magazine/202009/tom-foster/onetrust-kabir-barday-fastest-growing-company-2020-inc5000.html
Hope, A. (2020, August 14). Canon Suffers a Maze Ransomware Attack Leaking Terabytes of Data. Retrieved from https://www.cpomagazine.com/cyber-security/canon-suffers-a-maze-ransomware-attack-leaking-terabytes-of-data/
Hope, A. (2020, August 14). Massive Data Breach Exposes Intel’s Intellectual Property for Its Flagship CPUs and SpaceX Sensors. Retrieved from https://www.cpomagazine.com/cyber-security/massive-data-breach-exposes-intels-intellectual-property-for-its-flagship-cpus-and-spacex-sensors/
Ikeda, S. (2020, August 14). What Is the Real Cost of a Data Breach? New Report Indicates It’s About $4 Million to $9 Million for SMEs. Retrieved from https://www.cpomagazine.com/cyber-security/what-is-the-real-cost-of-a-data-breach-new-report-indicates-its-about-4-million-to-9-million-for-smes/
Karakoc, B., Rupprecht, D. (2020, August 10). Mobile Sentinel. Retrieved from https://github.com/RUB-SysSec/mobile_sentinel
Lomas, N. (2020, August 11). TikTok is being investigated by France’s data watchdog. Retrieved from https://techcrunch.com/2020/08/11/tiktok-is-being-investigated-by-frances-data-watchdog/
Montalbano, E. (2020, August 14). Instagram Retained Deleted User Data Despite GDPR Rules. Retrieved from https://threatpost.com/instagram-retained-deleted-user-data-despite-gdpr-rules/158366/
Montalbano, E. (2020, August 12). TikTok Surreptitiously Collected Android User Data Using Google-Prohibited Tactic. Retrieved from https://threatpost.com/tiktok-surreptitiously-collected-android-user-data-using-google-prohibited-tactic/158289/
Newman, L.H. (2020, August 13). An Alexa Bug Could Have Exposed Your Voice History to Hackers. Retrieved from https://www.wired.com/story/amazon-alexa-bug-exposed-voice-history-hackers/
Pardes, A. (2020, August 12). How Facebook and Other Sites Manipulate Your Privacy Choices. Retrieved from https://www.wired.com/story/facebook-social-media-privacy-dark-patterns/