z3r0trust Privacy Newsletter_47.20

*Note: This article was originally published by the author on November 21, 2020. A concise weekly privacy digest with expert security insights. This article is also available in Spanish here.

credit: NPR

“The Supreme Court must strike down the government’s illegal spying program as a violation of our Fourth Amendment right to privacy.” — Rand Paul

This week in digital privacy, how owning a cell phone remains a massive threat to your privacy. Also, several developments with app privacy failures, and browser privacy wars.

App Privacy

On the privacy cringe scale, the smartphone app landscape ranks at the nightmare level. Even with well-intentioned COVID19 contact tracing apps, there are privacy tradeoffs that users are likely unaware of. Professor and technology researcher, Jonathan Albright, published an investigation of 493 COVID-related iOS apps from 98 countries with a data set of March 24, 2020, to October 25, 2020. Albright conducted a deep dive into the data set and organized it into a spreadsheet that is useful and it’s no surprise that the U.S. has the most COVID19 contract tracing apps despite having nearly 255,000 COVID-attributed deaths as of the time of writing.

Lifesaving disaster apps expose personal data despite what their privacy policies say. The gift that keeps on giving, these disaster apps continue tracking people long after the disaster has ended and it gets stored in a Cloud bucket somewhere for who knows how long? More often what happens is these app companies share or sell this collected user data with third parties. Try to be in the habit of disabling or uninstalling apps you don’t use often. The less attack surface, the better.

The U.S. military has been buying app location data from the ‘AI-enabled data-to-knowledge’ company Babel Street. One example of how the location data is being used by the military is the Muslim Pro and Muslim Mingle apps, Muslim Pro having over 98 million downloads. Reportedly, the U.S. military has been quietly purchasing user location data to help target suspected terrorists in drone strikes. DHS, CBP, and ICE have been buying this same app location service data so I am not surprised the DoD is also frankly. They kill people based on metadata and your smartphone is a liability, like it or not.

Google claimed that it is now going to be end-to-end encrypting (E2EE) its Android messaging app so great news everyone, you can now stop using Signal, WhatsApp, Telegram, or whatever other E2EE messaging apps you are currently using. Actually, don’t do that. Just kidding. This is a step in the right direction but the trust factor with Google is just too far gone at this point. If implemented correctly, however, E2EE will ensure not even Google can read your encrypted messages. The catch is that Android is a much less secure mobile OS than iOS in terms of privacy. So, I wouldn’t rely on this new feature.

Data Breaches & Privacy Exposures

Jackson County, Oregon suffered a REvil (i.e., Sodinokibi of the GOLD SOUTHFIELD APT group) ransomware attack which caused the County’s web host provider to go offline and led to all of the ISP’s servers being taken offline as a precaution. It is not known if data was exfiltrated by the ransomware attackers but that should be assumed until proven otherwise. An alternate County website has been temporarily established in the meantime.

Independent HackerOne security researcher Sanjana Sarda discovered after reverse-engineering the Bumble dating app that it had an API bug that exposed nearly 100 million users’ private romance interaction data. Oof, let’s face it. Nobody wants their sexual communique publicly exposed. Ok, maybe some do but not most. Even more disturbing is that Sarda was able to access users’ Facebook and ‘wish’ data from the Bumble app among other personal info. Use dating apps at your own risk. They are often targeted.

Browser Privacy Wars

The new Ghostery search engine

In case you wondered how Google makes its billions, it’s from ads. Tons of ads are placed everywhere and the ability to route internet users via its notorious search engine to ‘preferred’ websites that pay to be ranked in the top search results. The ad-blocking browser extension maker Ghostery has developed a beta ad-free search engine and internet browser that will run on top of the underlying Mozilla Firefox and Microsoft Bing search engine software architectures and will cost $5 per month to use. I plan to continue using the free DuckDuckGo search engine which makes its money from private ads that aren’t based on collecting users’ personal information.

Meanwhile, Mozilla is soliciting feedback from Firefox users about whether or not it should implement DNS-over-HTTPS (DoH) to enhance the privacy of websites users visit by encrypting the website’s IP address. Even when visiting an HTTPS website, the DNS address resolves in an unencrypted readable state that is vulnerable to hijacking and interception. DoH is on by default in the U.S. but worldwide implementation is long overdue. It should be widely adopted by all the major browsers despite the risks DoH presents with making it harder to spot illegal material on the Web. There are other ways to find the bad stuff, everyone can benefit from the extra security DoH affords users.

NIST SP 800–53 (rev. 5) Privacy Control of the Week

PM-3 — Information Security and Privacy Resources- requires organizations to include the resources needed to implement the information security and privacy programs in capital planning and investment requests. Additionally, they must document all exceptions to this requirement; prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and make available for expenditure, the planned information security and privacy resources. This control is important because you can’t make real privacy reform progress without the proper resource allocations.

Low-Tech Privacy Tips

Check out EFF’s new podcast mini-series called How to Fix the Internet. It will focus on 6 major issues the internet faces and some potential solutions that will probably never be applied in our lifetimes. Surely, digital privacy will be a prevailing theme.

The Amazon Echo Frames (2nd Gen) Smart glasses

Also, maybe think about not buying the new $250 Amazon Echo Frames (2nd Gen) Smart glasses with open ear audio and Alexa if you’re at all concerned about privacy. While they are hands-free and can be used the same as a traditional home assistant device can, they are equipped with a microphone that Amazon claims only activates when the voice of the person wearing the frames talks and can be easily turned off. Can the mic be remotely activated by an attacker though? My guess is it can. How long before these things are worn into a classified briefing?

That’s it for this week folks, keep a low profile and be safe out there.

Trust No One. Verify Everything. Leave No Trace.

Additional Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21

*Privacy-related articles also published by the author can be found here.

Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net