The IT Privacy and Security Weekly update Hangs up the Phone for the Week Ending December 12th, 2023

12/12/2023
Episode 169

This week we hang up the phone with a couple of definitive stories, the first coming from a huge US phone company and the last from a Dutch phone company that is ripping the title of “The phone to be seen with” out of the hands of Apple, Google and Samsung.

Second in our stories this week is a blatant example from the UK of an individual in the public sector courting the private sector. In at story three is yet another US healthcare provider getting breached. Then we find Apple commissioning a report about data breaches and ransomware while at the same time crippling an app that delivered their secure iMessages to Android. We have a creepy move by Google to potentially provide context to your interactions with their bots by feeding them your photo data. And we bring Microsoft into the mix with a story about how their Active Directory could end up delivering what it shouldn’t to a certain type of query.

There’s only one way to stop that ringing in your ear. Let’s pick up the phone!

US: Verizon Gave Phone Data to Armed Stalker Who Posed as Cop Over Email
https://www.404media.co/verizon-gave-phone-data-to-stalker-edrs-search-warrant-pose-as-cop/

The FBI investigated a man who allegedly posed as a police officer in emails and phone calls to trick Verizon into handing over phone data belonging to a specific person the suspect had met on a dating site, according to a newly unsealed court record. Despite the relatively unconvincing cover story concocted by the suspect, including the use of a clearly non-government ProtonMail email address, Verizon handed over the victim's data to the alleged stalker, including their address and phone logs. The stalker then went on to threaten the victim and ended up driving to where he believed the victim lived while armed with a knife, according to the record.
The news is a massive failure by Verizon, who did not verify the request and so failed to detect that it was fraudulent, and the company potentially put someone's safety at risk. The news also highlights the now common use of fraudulent emergency data requests (EDRs) or search warrants in the digital underworld, where criminals pretend to be law enforcement officers, fabricate an urgent scenario such as a kidnapping, and then convince telecoms or tech companies to hand over data that should only be accessible through legitimate law enforcement requests.

So what's the upshot for you? This certainly isn't going to create more warm and phuzzy feelings toward US phone company Verizon.

UK: U.K. Ex-Commissioner For Facial Recognition Tech Joins Facewatch Firm He Controversially Approved
https://www.theguardian.com/technology/2023/dec/10/ex-commissioner-for-facial-recognition-tech-joins-facewatch-firm-he-approved

We felt we had to cover this story simply because the public-to-private role change was just so blatant. Please read on...

Backstory: With a rise in shoplifting across the UK, Facewatch tech has been embraced by retailers as a way to fight back. Facewatch uses biometric cameras to check faces against a watch list and, despite widespread concern over the technology, has received backing from the Home Office and has already been introduced in hundreds of high-street shops and supermarkets.

And now the recently departed watchdog in charge of monitoring facial recognition technology in the UK has joined the private firm he controversially approved, paving the way for the mass roll-out of biometric surveillance cameras in high streets across the country. In a move critics have dubbed an "outrageous conflict of interest," Professor Fraser Sampson, former “Biometrics and Surveillance Camera Commissioner”, has joined Facewatch as a non-executive director.
Sampson left his watchdog role on 31 October, with Companies House records showing he was registered as a company director at Facewatch the following day, 1 November. Campaigners claim this might mean he was negotiating his Facewatch contract while in post, and have urged the advisory committee on business appointments to investigate whether it may have "compromised his work in public office." It is understood that the committee is currently considering the issue.

Meanwhile privacy groups are up in arms: “Something like Facewatch is basically normalizing what is airport-style security [for] something as mundane as going to get a pint of milk at the shops,” said Madeleine Stone, senior advocacy officer at Big Brother Watch, a UK civil liberties campaign group. Recording shoppers’ biometric data is equivalent to asking them to “hand over their fingerprint or even a DNA sample just to walk into the shops.”

So what's the upshot for you? The UK already has the highest number of CCTV cameras in use outside of China. Adding this tech to the mix will put the UK on the same privacy-trampling trajectory.

US: US Healthcare Giant Norton Says Hackers Stole Millions of Patients' Data During Ransomware Attack
https://techcrunch.com/2023/12/11/norton-cyberattack-ransomware-hacker-millions/

Norton Healthcare, a major Kentucky-based nonprofit healthcare system, disclosed a significant data breach, confirming that hackers accessed sensitive information during a ransomware attack in May. The breach impacted approximately 2.5 million patients, employees, and dependents. The hackers had access to network storage devices between May 7 and May 9, but the medical record system and electronic medical record system were not compromised. Following an extensive internal investigation completed in November, Norton Healthcare revealed a wide range of exposed sensitive information, including names, dates of birth, Social Security numbers, health and insurance details, and more.
The exposed data for some individuals extended to financial account numbers, driver's licenses, government ID numbers, and digital signatures. It remains unclear whether any of the accessed data was encrypted. Norton Healthcare promptly reported the breach to law enforcement, emphasizing that no ransom payment was made. The hackers responsible for the cyberattack were allegedly linked to the ALPHV/BlackCat ransomware gang, although their identity remains undisclosed. Affected individuals received notifications, and Norton Healthcare advises heightened cybersecurity measures across the healthcare sector. The organization did not provide details on encryption status.

So what's the upshot for you? These breach reports are becoming so common that we have greatly reduced our coverage of them. Most people throughout Europe, the US and Australia can already assume all their SPII (sensitive personally identifiable information) is available for purchase through data brokers or on the dark web. This latest breach just increases its availability.

Global: Apple Report Finds Steep Increase in Data Breaches, Ransomware
https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf

Data breaches and ransomware attacks are getting worse. Some 2.6 billion personal records have been exposed in data breaches over the past two years and that number continues to grow, according to a new report commissioned by Apple. Apple says the escalating intrusions, combined with increases in ransomware, mean the tech industry needs to move toward greater use of encryption. According to the report, prepared by MIT professor emeritus Stuart E. Madnick:
So what's the upshot for you? So once again, even if a company is a good corporate citizen, there's a 98% chance that one of its vendors, if involved in data processing, would lead to a data breach.

Global: Apple breaks "Beeper Mini" Android iMessage app.
https://www.engadget.com/beeper-mini-team-says-a-fix-is-coming-soon-and-promises-to-extend-users-free-trials-171310651.html

A 16-year-old high school student reverse engineered Apple's messaging protocol, leading to the launch of an interoperable Android app called "Beeper Mini". But on Friday The Verge reported that "less than a week after its launch, the app started experiencing technical issues when users were suddenly unable to send and receive blue bubble messages." Reached for comment, Beeper CEO Eric Migicovsky did not deny that Apple had successfully blocked Beeper Mini.

As of yesterday Beeper Mini is functional again but works a little differently this time: you must now sign in with an Apple ID, whereas previously it would automatically register you to iMessage via your phone number. Beeper says it's working on a fix to restore phone number registration with iMessage, but until then, your friends won't be able to send iMessages directly to your phone number. Instead, the blue bubbles will have to come to and from your email address. That's not nearly as convenient, but at the end of the day, it's still iMessage.

So what's the upshot for you? For now, owing to what could escalate into a cat-and-mouse game with Apple, Beeper Mini will be free to use. "Things have been a bit chaotic, and we're not comfortable subjecting paying users to this," the company wrote in a blog post today about the update. The app originally required a $2-per-month subscription. Apple's statement on Friday made clear that it won't hesitate to shut down further attempts to dupe its servers into believing Android phones are genuine Apple devices.
Global: Time to get really creeped out
https://www.cnbc.com/2023/12/08/google-weighing-project-ellmann-uses-gemini-ai-to-tell-life-stories.html

After a number of recent AI-related missteps, Google is considering a groundbreaking project, dubbed "Project Ellmann," utilizing Gemini Large Language Models (LLMs) to create a comprehensive overview of users' lives. This goes beyond text processing, extending to images, video, and audio. The concept involves LLMs ingesting search results, identifying patterns in user photos, and generating a chatbot capable of answering intricate questions. Named after Richard David Ellmann, a biographer, the project aspires to be a personalized "Life Story Teller."

While it remains unclear if these features will be integrated into Google Photos or other products, the exploration aligns with Google's commitment to enhancing user experiences through AI. With over 1 billion users and a vast repository of 4 trillion photos and videos, Google Photos is at the center of this transformative endeavor.

The Project Ellmann presentation, viewed during an internal summit, emphasized the synergy between large language models and the creation of a nuanced "bird's-eye" perspective on users' life stories. By leveraging biographies, contextual moments, and subsequent photos, Ellmann aims to provide a deeper understanding beyond mere pixel labels and metadata. The project envisions trawling through photos to identify meaningful moments, culminating in a holistic narrative of users' lives.

As part of the demonstration, the team showcased "Ellmann Chat," envisioning a scenario where users engage with an AI that already possesses comprehensive knowledge about their lives. This raises intriguing possibilities for user interactions and inquiries. Google emphasized that this exploration is in its early stages, highlighting its commitment to prioritizing user privacy and safety.
The company assured that any potential new features derived from this exploration would undergo meticulous consideration to ensure their utility and safeguard user interests. In response to inquiries, a Google spokesperson acknowledged the use of AI in Google Photos for enhancing search capabilities. They expressed excitement about the potential of LLMs to unlock more “helpful” experiences.

So what's the upshot for you? Google also parses our emails through Gmail and our texts via Google Voice, and has our location data and even the browser queries we submit, so why not knit those in too? Oh, and then when your shareholders demand higher profits the data could always be sold to a data broker or police department.

US: Meta Defies FBI Opposition To Encryption, Brings E2EE To Facebook, Messenger
https://arstechnica.com/tech-policy/2023/12/meta-defies-fbi-opposition-to-encryption-brings-e2ee-to-facebook-messenger/

Meta has announced the implementation of default end-to-end encryption (E2EE) for personal messages and calls on Messenger and Facebook. Despite objections from law enforcement agencies, including the FBI, Meta defends users' privacy rights, emphasizing people's reluctance to have their messages read. In April, a global law enforcement consortium urged Meta to abandon its encryption plans, expressing concerns about criminals exploiting encrypted messages.

Meta is using the Signal Protocol and its proprietary Labyrinth Protocol for the E2EE implementation. The company has released technical papers outlining its approach. Law enforcement agencies fear that widespread encryption could aid criminals, including terrorists and sex traffickers, in evading detection. Meta's decision to proceed with default E2EE comes despite these concerns, highlighting the ongoing tension between privacy advocates and law enforcement agencies over the use of encryption technology.
Implementing default E2EE required Meta to redesign its entire system to ensure functionality without Meta's servers having access to message content. This shift is a major undertaking, given Messenger's historical reliance on server-side processing. Meta acknowledges the effort involved and emphasizes the importance of maintaining certain features while limiting access to message content to user-controlled devices.

So what's the upshot for you? Meta runs like a company with a split personality. One week we write about something they have done that really seems to move matters of privacy forward, and then the following week we get further detail on how valuable the data of our children is for Meta’s future profits.

Global: Reports of Active Directory Vulnerability Allowing DNS Record Spoofs to Steal Secrets
https://www.akamai.com/blog/security-research/spoofing-dns-by-abusing-dhcp#detecting

Akamai security researchers have found a way to hack Active Directory and obtain the information stored within it. The researchers go on to say that Microsoft is NOT planning to fix the vulnerability. While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks, called DDSpoof (short for DHCP DNS Spoof). "We will show how unauthenticated attackers can collect necessary data from DHCP servers, identify vulnerable DNS records, overwrite them, and use that ability to compromise AD domains," Akamai security researcher Ori David said. The DHCP attack research builds on earlier work by NetSPI's Kevin Robertson, who detailed ways to exploit flaws in DNS zones.

So what's the upshot for you? When the DHCP server registers or modifies a DNS record on behalf of its clients, it uses DNS Dynamic Updates, and therein lies the problem. DHCP DNS Dynamic Updates do not require any authentication by the DHCP client, and Microsoft DHCP servers enable DHCP DNS Dynamic Updates by default.
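As an added example (not from the Akamai post or the tool it links), the PowerShell below audits the DHCP-to-DNS dynamic update settings that this mechanism depends on: whether DHCP registers records for clients at all, whether Name Protection stops it overwriting someone else's record, which identity it updates DNS as, and whether the zones themselves accept unsecured updates. It assumes the DhcpServer, DnsServer and ActiveDirectory RSAT modules are installed and that it is run on the DHCP server by an account that can read a domain controller's DNS zones and AD group membership.

```powershell
# Added example, not the Akamai tool: audit DHCP -> DNS dynamic update settings.
# Assumes RSAT modules DhcpServer, DnsServer and ActiveDirectory are available.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$dhcpServer = $env:COMPUTERNAME   # assumption: script runs on the DHCP server itself
$findings   = @()

# 1. Does DHCP register/overwrite DNS records on behalf of (unauthenticated) clients?
#    DynamicUpdates is one of Always, OnClientRequest or Never.
$dnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer
if ($dnsSetting.DynamicUpdates -ne 'Never') {
    $findings += "DHCP DNS dynamic updates are on (mode: $($dnsSetting.DynamicUpdates))."
}

# 2. Name Protection makes DHCP refuse to overwrite a name that a different
#    client already registered (it ties the name to its owner via a DHCID record).
if (-not $dnsSetting.NameProtection) {
    $findings += "Name Protection is off: DHCP will overwrite existing names."
}

# 3. Which identity performs the update? With no dedicated credential, the DHCP
#    server's own machine account owns every record it creates.
$cred = Get-DhcpServerDnsCredential -ComputerName $dhcpServer
if ([string]::IsNullOrEmpty($cred.UserName)) {
    $findings += "No dedicated DNS update credential is set on the DHCP server."
}

# 4. Members of DnsUpdateProxy create records with a permissive ACL that any
#    authenticated principal can later take ownership of.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue
if ($proxyMembers | Where-Object { $_.Name -ieq $dhcpServer }) {
    $findings += "$dhcpServer is in DnsUpdateProxy; records it creates are insecure."
}

# 5. AD-integrated zones that accept non-secure dynamic updates can be written to
#    directly, without going through DHCP at all.
$dc    = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$zones = Get-DnsServerZone -ComputerName $dc |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' }
foreach ($z in $zones) {
    $findings += "Zone $($z.ZoneName) accepts non-secure dynamic updates."
}

if ($findings.Count -eq 0) { 'No risky DHCP/DNS dynamic update settings found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Each line it prints is a setting to review against the needs of your environment; a DHCP server that runs on a domain controller deserves particular attention, since records it creates are then owned by the DC's account.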
"So an attacker can essentially use the DHCP server to authenticate to the DNS server on behalf of themself. This grants the attacker access to the ADIDNS zone without any credentials."

For AD admins: there is a tool link in the article that accompanies this story that you can use to check your environment.

NL: Fix your own phone?
https://www.ifixit.com/News/87664/fairphone-5-keeping-it-10-10
https://www.fairphone.com/wp-content/uploads/2023/12/Fairphone-5-Information-on-how-to-repair-and-recycle.pdf

While we close our eyes to the waste created by our semi-annual phone upgrades, one Dutch company is making significant headway, having recently received iFixit's 10/10 for ease of repair of their latest carbon-neutral phone. The phone has the longest software support of any mobile phone manufacturer and buys its cobalt and lithium from fair trade providers.

The one downside? It comes with the fastest industrial chip made by Qualcomm, and although fast, it's not as fast as a consumer Snapdragon, but the chip receives longer support compared to Qualcomm's consumer products. That puts it squarely in the mid-range group of phones available now.

So who is the target market for this phone? Consumers who care about sustainability and device longevity. It might not appeal to gamers, as an 8-year-old phone certainly won't be cutting edge, but for those who have a tendency to smash their phone on a regular basis, this thing is a godsend.

So what's the upshot for you? According to iFixit co-founder and CEO Kyle Wiens: "Fairphone's promise of five Android version upgrades and over eight years of security updates with the Fairphone 5 is a bold statement in an industry that leans towards fleeting product life cycles. This is a significant stride towards sustainability and sets a new benchmark for smartphone lifespan."
So to recap: This week we hung up the phone with a couple of definitive stories, the first coming from huge US phone company Verizon and their liberal distribution of subscriber data, and the last from Dutch phone company Fairphone, launching a superb, supported and user-repairable model that could become “The phone to be seen with.”

Second in our stories this week was a blatant abuse of power by “Biometrics and Surveillance Camera Commissioner” Professor Fraser Sampson, who quit his job after a very controversial vote to endorse Facewatch technology and the next day turned up as a director of Facewatch.

In at story three was Norton Healthcare, who lost another 2.5 million patient, employee and dependent records to hackers.

We found Apple commissioning a report about data breaches and ransomware while at the same time crippling an app that delivered their secure iMessages to Android. Yes, that could have been what last week’s update was about. Apple swore it was to do with security; if so, isn’t it better to extend iMessage use to Android rather than knee-cap it?

We had a creepy move by Google to potentially provide context to your interactions with their bots by feeding them your photo data. What we found so uncomfortable about that story was just how easily Google’s AI could ingest all the other data that Google collects on you, so that their bot has a better handle on your life than you do.

Then there was a DNS DHCP spoof attack against Microsoft’s Active Directory that returns data it shouldn’t, with Microsoft saying it’s nothing they will fix.

And our quote of the week: “If the phone doesn't ring, it's me." - Jimmy Buffett

That's it for this week. Stay safe, stay secure, you can turn your ringer back on now, and we'll see you in se7en!
Mike I.
12/13/2023 11:37:57 am
Great content. Keep up the good work. Love the podcast!