The IT Privacy and Security Weekly Update Gets Pumped for the week ending January 16th, 2024

1/16/2024, Episode 174

This week we are pumping, probing, questioning and querying on all fronts.

We start with a couple of fan faves from the Consumer Electronics Show, but wonder if we'll get as much use out of them as the vlogging contingent.

From there we siphon out some subtle word-smithing that might mean we are not the only ones left quaking in our boots.

Apple, the company selling us on the importance of privacy, drops another privacy bomb on us.

We tap into a supply-side typo that should have everyone in San Francisco more than a little angry at the lack of due care and attention being paid by their judges.

The Emmys are over, yet Reddit pushes out an update about being chased by the movie studios, and it doesn't want to be caught in this spotlight.

The swell of quantum-computing-proof encryption difficulties continues to grow with another set of vulnerabilities exposed.

And we finish this week with a story about a water pump that "spills" a little more detail from one of the biggest security mysteries in years.

The pace is bumping, the beat is thumping, the stories pumping, so let's get jumping.

US: Most coveted, covered accessory from the CES?

https://www.tomsguide.com/news/best-of-ces-awards-2024
https://www.wired.com/gallery/best-of-ces-2024/

From this year's Consumer Electronics Show, the most regular mention goes to a feature-rich phone charger: Belkin's Auto-Tracking Stand Pro With DockKit ($180). This MagSafe charger for the iPhone launches very soon and doubles as a 360-degree swiveling tripod for your iPhone's camera. The interesting thing here is that you don't have to do anything to make sure you're always framed properly in the shot. It's one of the first products to support Apple's Works With DockKit program, and this allows the Stand Pro to pair with the iPhone's camera via NFC.
After pairing, the device will swivel to always try and keep you in the frame, whether you're using the rear or selfie camera. It also doesn't matter which app you're using to access the camera. You can dock the iPhone and start a presentation in Microsoft Teams, or you can start filming a dance on Instagram Stories and move around the room with no worries about not being in the scene. It can be plugged into the wall or run off a battery for around five hours.

Slightly more radical is our fave: the Supernal S-A2. Normally you avoid all talk of flying cars at consumer electronics shows, but Supernal's eVTOL, the S-A2, is clearly much more than a pipe dream for the company, a division of the Hyundai Motor Group. If Supernal is true to its word, you'll see this all-electric pilot-plus-four-passenger vehicle in the skies in just four years' time, whisking people over distances of 25 to 40 miles at max speeds of 120 mph at up to 1,500 feet above the ground. Not only is the design striking (and honed using biomimicry based on, of all things, the shapes of bees), it's apparently going to be almost unfathomably quiet. In the vertical takeoff and landing phases, it clocks in at 65 dB, which is less noisy than your dishwasher.

So what's the upshot for you?

OK, so until you get your very own vertical take-off and landing craft, you may have to make do with a phone charger that follows you around the room. Vloggers rejoice: both items will be perfect for your upcoming podcasts!

US: OpenAI Quietly Deletes Ban On Using ChatGPT For 'Military and Warfare'

https://theintercept.com/2024/01/12/open-ai-military-ban-chatgpt/
https://web.archive.org/web/20240109122522/https:/openai.com/policies/usage-policies

OpenAI this week quietly deleted language expressly prohibiting the use of its technology for military purposes from its usage policy, which seeks to dictate how powerful and immensely popular tools like ChatGPT can be used.
Up until January 10, OpenAI's "usage policies" page included a ban on "activity that has high risk of physical harm, including," specifically, "weapons development" and "military and warfare." That plainly worded prohibition against military applications would seemingly rule out any official, and extremely lucrative, use by the Department of Defense or any other state military. The new policy retains an injunction not to "use our service to harm yourself or others" and gives "develop or use weapons" as an example, but the blanket ban on "military and warfare" use has vanished.

"OpenAI is well aware of the risk and harms that may arise due to the use of their technology and services in military applications," said Heidy Khlaaf, engineering director at the cybersecurity firm Trail of Bits and an expert on machine learning and autonomous systems safety, citing a 2022 paper she co-authored with OpenAI researchers that specifically flagged the risk of military use. "There is a distinct difference between the two policies, as the former clearly outlines that weapons development, and military and warfare is disallowed, while the latter emphasizes flexibility and compliance with the law," she said. "Developing weapons, and carrying out activities related to military and warfare is lawful to various extents. The potential implications for AI safety are significant. Given the well-known instances of bias and hallucination present within Large Language Models (LLMs), and their overall lack of accuracy, their use within military warfare can only lead to imprecise and biased operations that are likely to exacerbate harm and civilian casualties."

So what's the upshot for you?

Slightly worried after this update? We are.
CN/US: Apple knew AirDrop users could be identified and tracked as early as 2019

https://edition.cnn.com/2024/01/12/tech/china-apple-airdrop-user-encryption-vulnerability-hnk-intl/index.html
https://www.macrumors.com/2024/01/09/airdrop-cracked-chinese-authorities/

Security researchers warned Apple as early as 2019 about vulnerabilities in its AirDrop wireless sharing function that Chinese authorities claim they recently used to track down users of the feature, the researchers told CNN, in a case that experts say has sweeping implications for global privacy.

The Chinese government's actions targeting a tool that Apple customers around the world use to share photos and documents -- and Apple's apparent inaction to address the flaws -- revive longstanding concerns by US lawmakers and privacy advocates about Apple's relationship with China and about authoritarian regimes' ability to twist US tech products to their own ends.

AirDrop lets Apple users who are near each other share files using a proprietary mix of Bluetooth and other wireless connectivity without having to connect to the internet. The sharing feature has been used by pro-democracy activists in Hong Kong, and the Chinese government has cracked down on the feature in response.

A Chinese tech firm, Beijing-based Wangshendongjian Technology, was able to compromise AirDrop to identify users on the Beijing subway accused of sharing "inappropriate information," judicial authorities in Beijing said this week. Although Chinese officials portrayed the exploit as an effective law enforcement technique, internet freedom advocates are urging Apple to address the issue quickly and publicly.

So what's the upshot for you?

This is the second massive compromise to Apple user privacy in the last few weeks. Apple is starting to look more like the Israeli spyware company NSO Group than a tech firm.
US: A Geofence Warrant Typo Cast a Location Dragnet Spanning Two Miles Over San Francisco

https://techcrunch.com/2024/01/11/geofence-warrant-dragnet-error/

Civil liberties advocates have long argued that "geofence" search warrants are unconstitutional for their ability to ensnare entirely innocent people who were nearby at the time a crime was committed. But errors in the geofence warrant applications that go before a judge can violate the privacy of vastly more people -- in one case almost two miles away.

Attorneys at the ACLU of Northern California found what they called an "alarming error" in a geofence warrant application that "resulted in a warrant stretching nearly two miles across San Francisco." The error, likely caused by a typo, allowed the requesting law enforcement agency to capture information on anyone who entered the stretch of San Francisco erroneously marked on the search warrant. "Many private homes were also captured in the massive sweep," wrote Jake Snow, ACLU staff attorney, in a blog post about the findings.

It's not known which law enforcement agency requested the nearly two-mile-long geofence warrant, or for how long the warrant was in effect. The attorneys questioned how many other geofence warrant application mistakes had slipped through and resulted in the return of vastly more data in error.

So what's the upshot for you?

What may be more concerning is the fact that the judge who signed off on that warrant didn't question the scope of it either.

US: 3rd Time Lucky? Reddit Must Share IP Addresses of Piracy-Discussing Users, Film Studios Say

https://arstechnica.com/tech-policy/2024/01/film-studios-demand-ip-addresses-of-people-who-discussed-piracy-on-reddit/

For the third time in under a year, film studios are pressing Reddit to reveal users allegedly discussing piracy, despite two prior failed attempts.
Studios including Voltage Holdings and Screen Media have filed fresh motions to compel Reddit to comply with a subpoena seeking IP addresses and logs of six Redditors, claiming the information is needed for copyright suits against internet provider Frontier Communications. The same federal judge previously denied the studios' bid to unmask Reddit users, citing First Amendment protections. However, the studios now argue IP addresses fall outside privacy rights. Reddit maintains the new subpoena fails to meet the bar for identifying anonymous online speakers.

So what's the upshot for you?

Copyright suits for studios should not be something that Reddit is involved in.

Global: Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered

https://www.bleepingcomputer.com/news/security/kyberslash-attacks-put-quantum-encryption-projects-at-risk/

"Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys."

CRYSTALS-Kyber "was chosen to be the U.S. government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself."

Backstory: the goal with the next encryption algorithm is to have something that is quantum-computer crack-proof. CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for the quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption...
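The implementation-level weakness behind KyberSlash is a division by the modulus q whose timing, on some CPUs and compilers, depends on the secret-derived operand. As an added illustration that is not from the article or from the Kyber project, here is that pattern for the 4-bit coefficient compression step beside a constant-time multiply-and-shift replacement, with an exhaustive check that the two agree for every coefficient value; the constants 80635 and 28 are a fixed-point approximation of 1/q chosen and verified here, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Variable-time form (constructed illustration of the pattern the article
 * describes): "/ KYBER_Q" may be emitted as a hardware divide whose latency
 * depends on the operand, so the secret-derived coefficient leaks via timing.
 * Whether the compiler strength-reduces it is platform dependent. */
uint8_t compress4_div(int16_t u) {
    u += (u >> 15) & KYBER_Q;               /* map to [0, q) */
    return ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
}

/* Constant-time form: multiply by a fixed-point reciprocal and shift.
 * 80635 ~= 2^28 / 3329; with the +1665 rounding offset this reproduces
 * floor((16u + 1664) / q) for every u in [0, q) (checked exhaustively below).
 * The uint32 product wraps for large u, but only the result mod 16 matters
 * and (x mod 2^32) >> 28 == (x >> 28) mod 16, so the wrap is harmless. */
uint8_t compress4_ct(int16_t u) {
    uint32_t d0;
    u += (u >> 15) & KYBER_Q;               /* map to [0, q) */
    d0 = (uint32_t)u << 4;
    d0 += 1665;
    d0 *= 80635;
    d0 >>= 28;
    return d0 & 0xf;
}

/* Exhaustive equivalence check over every coefficient value the compression
 * step can see; returns the number of mismatches (0 means the constant-time
 * routine is a drop-in replacement for the dividing one). */
int count_mismatches(void) {
    int bad = 0;
    for (int16_t u = -(KYBER_Q - 1); u < KYBER_Q; u++)
        if (compress4_div(u) != compress4_ct(u))
            bad++;
    return bad;
}

int main(void) {
    printf("mismatches over [-(q-1), q-1]: %d\n", count_mismatches());
    return 0;
}
```

The same check belongs in a unit test whenever a division is replaced by a reciprocal approximation, since an off-by-one in the constants would silently corrupt ciphertexts.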
The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key...

In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber's secret key from decryption timings in two out of three attempts...

On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center.

So what's the upshot for you?

This is big news for those in security, because so much effort from an international community has gone into finding the next generation of encryption. Entities are already stockpiling encrypted data in the hope that current encryption will be easily cracked using quantum computers.

NL: Water Pump Used To Get $1 Billion Stuxnet Malware Into Iranian Nuclear Facility

https://www.securityweek.com/dutch-engineer-used-water-pump-to-get-billion-dollar-stuxnet-malware-into-iranian-nuclear-facility-report/

Background: Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.

A Dutch engineer recruited by the country's intelligence services used a water pump to deploy the now-infamous Stuxnet malware in an Iranian nuclear facility, according to a two-year investigation conducted by Dutch newspaper De Volkskrant.
Stuxnet, whose existence came to light in 2010, is widely believed to be the work of the United States and Israel, its goal being to sabotage Iran's nuclear program by compromising industrial control systems (ICS) associated with nuclear centrifuges. The malware, which had worm capabilities, is said to have infected hundreds of thousands of devices and caused physical damage to hundreds of machines.

De Volkskrant's investigation, which involved interviews with dozens of people, found that the AIVD, the general intelligence and security service of the Netherlands, the Dutch equivalent of the CIA, recruited Erik van Sabben, a then 36-year-old Dutch national working at a heavy transport company in Dubai.

Van Sabben was allegedly recruited in 2005 -- a couple of years before the Stuxnet malware was triggered -- after American and Israeli intelligence agencies asked their Dutch counterpart for help. However, the Dutch agency reportedly did not inform its country's government, and it was not aware of the full extent of the operation.

Van Sabben was described as "perfect for the job" as he had a technical background, he was doing business in Iran and was married to an "Iranian woman". It's believed that the Stuxnet malware was planted on a water pump that the Dutch national installed in the nuclear complex in Natanz, which he had infiltrated.

It's unclear if Van Sabben knew exactly what he was doing, but his family said he appeared to have panicked at around the time of the Stuxnet attack.

Michael Hayden, who at the time was the chief of the CIA, did agree to talk to De Volkskrant, but could not confirm whether Stuxnet was indeed delivered via water pumps due to it still being classified information. One interesting piece of information that has come to light in De Volkskrant's investigation is that Hayden reportedly told one of the newspaper's sources that it cost between $1 and $2 billion to develop Stuxnet.

So what's the upshot for you?

Pump it.
The details of the mysterious Stuxnet are finally starting to flow.

So to recap:

This week we started with a couple of fan faves from the Consumer Electronics Show: an iPhone charger that can turn 360 degrees as it tracks your face around the room, and a flying car that is quieter than your dishwasher.

From there we tracked down a slight alteration in the OpenAI policy that now allows military use of their AI.

We found out that Apple knew that Chinese authorities were tracking IP addresses, and thereby the identities of AirDrop senders, way back in 2019.

We tapped into a supply-side typo that meant that everyone within a 2-mile radius in San Francisco had their activities included in a 2-mile police sweep.

Reddit goes back to court for a third time in a year as movie studios try to discover the identities of people sharing their films.

Quantum-computing-proof encryption efforts take another hit as a compromise called KyberSlash is used to recover secret keys.

And we finished with some investigative journalism into the Stuxnet worm and how a Dutch engineer installed it on a water pump used in a massive Iranian infrastructure take-down.

And our quote of the week:

"Good thinkers always prime the pump of ideas. They always look for things to get the thinking process started, because what you put in always impacts what comes out." - John C. Maxwell

That's it for this week. Stay safe, stay secure, get pumped up and we'll see you in se7en!