The IT Privacy and Security Weekly Update Loses the Car for the week ending February 27th, 2024

2/27/2024

Episode 180 - Spot the car, then click the pic for the podcast -

They giveth and they taketh away. This week one vendor announced we’d be getting post-quantum encryption for our messages, while another works feverishly to ensure we can find our car when we are done at the supermarket.

We have a discovery at one vending machine that does its tracking while you are snacking.

We shine some new light into nation-state spy versus spy wars. Then the FTC lets loose on a free antivirus provider that slurped up so much of your data for the last 10 years that it’s making the NSA look amateur.

Following that is a class action lawsuit against a license plate scanning company out in Cali that you can join if your plate has been scanned at least 15 times. You’ll want to be sitting when we do the reveal on how many people will be joining you.

This week’s update is all about right and wrong, left and right, and er... “where did you say we parked the car?”

Global: Apple’s iMessage Is Getting Post-Quantum Encryption
https://www.wired.com/story/apple-pq3-post-quantum-encryption/

Apple announces the integration of PQ3, its post-quantum cryptographic protocol, into iMessage. The update will roll out in iOS and iPadOS 17.4 and macOS 14.4, replacing the existing encryption protocols. PQ3 aims to safeguard against potential quantum computing-based attacks, marking a significant security upgrade. The new protocol, externally assessed and deemed robust, combines ECC with post-quantum primitives for enhanced security. Apple's proactive approach aligns with industry efforts to preemptively address quantum computing threats. With quantum computing advancements looming, tech companies, governments, and security agencies are intensifying their efforts. The pursuit of post-quantum cryptography accelerates to counter potential vulnerabilities in current encryption systems.
Quantum computing's theoretical ability to crack encryption underscores the urgency for preemptive measures. Governments and tech giants invest billions in quantum research, fueling a race to develop practical quantum computers. Post-quantum encryption emerges as a critical defense strategy against future quantum-based cyber threats. Apple's adoption of PQ3 follows Signal's introduction of post-quantum algorithms in encrypted messaging. PQ3, utilizing the Kyber algorithm, enhances iMessage's security by generating dynamic encryption keys. Apple emphasizes continuous key updates to mitigate the risk of quantum-powered decryption attacks. Third-party assessments validate PQ3's efficacy, positioning it as a robust defense mechanism. The industry witnesses a gradual shift towards post-quantum encryption to preemptively address emerging threats.

So what's the upshot for you? Deployment of post-quantum encryption serves to mitigate the looming risk of quantum-based decryption. Companies proactively embrace post-quantum protocols to thwart potential "harvest now, decrypt later" attacks. Post-quantum encryption standards evolve to fortify data security against future quantum computing capabilities. Preemptive measures aim to limit adversaries' ability to exploit encrypted data amassed for future decryption. Industry stakeholders acknowledge the imperative of early adoption to mitigate quantum computing threats.

CA: Vending machine error reveals secret face image database of college students
https://arstechnica.com/tech-policy/2024/02/vending-machine-error-reveals-secret-face-image-database-of-college-students/

Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting facial-recognition data without their consent.
The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, "Invenda.Vending.FacialRecognitionApp.exe," displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine. "Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS. University of Waterloo students like Stanley now question Invenda's "commitment to transparency" in North American markets, especially since the company is seemingly openly violating Canadian privacy law, Stanley told CTV News.

On Reddit, while some students joked that SquidKid47's face "crashed" the machine, others asked if "any pre-law students wanna start up a class-action lawsuit?" One commenter summed up students' frustration by typing in all caps, "I HATE THESE MACHINES! I HATE THESE MACHINES! I HATE THESE MACHINES!"

So what's the upshot for you? Adaria Vending Services, the company responsible for putting the machines on campus, said, "The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface." What? And they need facial recognition software to do that?

CN: Leaked hacking files show Chinese spying on citizens and foreigners alike
https://www.pbs.org/newshour/world/leaked-hacking-files-show-chinese-spying-on-citizens-and-foreigners-alike

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government -- a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners.
Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China's far west.

The dump of scores of documents late last week and the subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any especially novel or potent tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists. They reveal, in detail, the methods Chinese authorities use to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media.

The documents show apparent I-Soon hacking of networks across Central and Southeast Asia, as well as Hong Kong and Taiwan. The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into email and hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks.

I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said I-Soon held a meeting Wednesday about the leak and staff were told it wouldn't affect business too much and to "continue working as normal." The AP is not naming the employees out of concern about possible retribution. The source of the leak is not known.

Jon Condra, an analyst with Recorded Future, called it the most significant leak ever linked to a company "suspected of providing cyber espionage and targeted intrusion services for the Chinese security services."

So what's the upshot for you?
On Monday, Mao Ning, a Chinese Foreign Ministry spokeswoman, demanded the U.S. “stop using cybersecurity issues to smear other countries.”

US/UK: FTC To Ban Avast From Selling Browsing Data For Advertising Purposes
https://www.bleepingcomputer.com/news/security/ftc-to-ban-avast-from-selling-browsing-data-for-advertising-purposes/

The U.S. FTC will order Avast (the free antivirus maker) to pay $16.5 million and ban the company from selling users' web browsing data or licensing it for advertising purposes. The complaint says Avast violated millions of consumers' rights by collecting, storing, and selling their browsing data without their knowledge and consent while misleading them that the products used to harvest their data would block online tracking.

"While the FTC's privacy lawsuits routinely take on firms that misrepresent their data practices, Avast's decision to expressly market its products as safeguarding people's browsing records and protecting data from tracking only to then sell those records is especially galling," said FTC Chair Lina M. Khan. "Moreover, the volume of data Avast released is staggering: the complaint alleges that by 2020 Jumpshot had amassed 'more than eight petabytes of browsing information dating back to 2014.'"

More specifically, the FTC says UK-based company Avast Limited harvested consumers' web browsing information without their knowledge or consent using Avast browser extensions and antivirus software since at least 2014.

So what's the upshot for you? "Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite. Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law," said Samuel Levine, the head of the FTC's Bureau of Consumer Protection.
US: License Plate-Scanning Company Violates Privacy of Millions of California Drivers, According to Class Action Lawsuit
https://www.sfgate.com/tech/article/privacy-license-plate-scanning-lawsuit-18685303.php
https://drnprivacyclassaction.com/form/

If you drive a car in California, you may be in for a payday thanks to a lawsuit alleging privacy violations by a Texas company. The 2021 lawsuit, given class-action status in September, alleges that Digital Recognition Network is breaking a California law meant to regulate the use of automatic license plate readers. DRN, a Fort Worth-based company, uses plate-scanning cameras to create location data for people’s vehicles, then sells that data to marketers, car repossessors and insurers.

What’s particularly notable about the case is the size of the class. The court has established that if you’re a California resident whose license plate data was collected by DRN at least 15 times since June 2017, you’re a class member. The plaintiff’s legal team estimates that the tally includes about 23 million people.

So what's the upshot for you? They are apparently aiming for $2500 per driver represented... so let's see, after legal fees and associated costs that would leave about 3 cents for each person affected.

Global: "Honey, where's the car?"
https://www.theguardian.com/money/2024/feb/24/smart-keys-car-crime-thieves-hi-tech-arms-race

"One London resident watched on CCTV as a thief walked up to his £40,000 car and drove away," reports the Observer. "Now manufacturers say they are being drawn in to a hi-tech 'arms race' with criminals."

[H]i-tech devices disguised as handheld games consoles are being traded online for thousands of pounds and are used by organised crime gangs to mimic the electronic key on an Ioniq 5, opening the doors and starting the engine.
The device, known as an "emulator", works by intercepting a signal from the car, which is scanning for the presence of a legitimate key, and sending back a signal to gain access to the vehicle... Hyundai says it is looking at measures to prevent the use of emulators "as a priority". But it is not the only carmaker whose vehicles appear to be vulnerable. An Observer investigation found that models by Toyota, Lexus and Kia have also been targeted... British motorists now face an increase in the number of thefts and rising insurance premiums... Car thefts are at their highest level for a decade in England and Wales, rising from 85,803 vehicles in the year to March 2012 to 130,270 in the year to March 2023 — an increase of more than 50%. Part of the reason, say experts, is the rise of keyless entry... Kia did not respond to a request for comment. A spokesperson for Toyota, which owns Lexus, said: "Toyota and Lexus are continuously working on developing technical solutions to make vehicles more secure."

So what's the upshot for you? In the meantime... "Many owners of Ioniq 5s, which sell from around £42,000, now use old fashioned steering locks to deter thieves." Or you could go with a car coat, although getting your car into it could be a challenge.

So to recap:

This week Apple jumped ahead of the pack and announced we’d be getting post-quantum encryption for our messages in iOS 17.4.

We discovered an M&Ms vending machine that does its tracking while you are snacking, and how one university is quickly banishing them from campus.

In the Spy vs. Spy wars there’s been a huge leak that seems to have performed an embarrassing partial reveal on China’s cyber-spying on its neighbors.

Then, perhaps it was latent NSA-induced jealousy, but the US Federal Trade Commission (FTC) let Avast antivirus software have it right in the chops for collecting 8 petabytes of user data over 10 years.
Calling it a “Bait and Switch” they said Avast purported to be securing users’ computers and instead it was collecting and selling absolutely everything!!!

Following that is the huge class action lawsuit against a license plate scanning company out in Cali that you can be part of if your car’s plates have been scanned at least 15 times. The estimate is that there will be up to 23 million Californians joining in on that one…. and potentially some incredibly well paid lawyers.

Finally we ended with the suggestion that Hyundai gift one of those big, beautiful, heavy steel Crook-lock steering wheel locks with each Ioniq 5 they sell, because while the gadgets are all in place, the security is not.

Our quote of the week - “The only thing worse than forgetting where you parked is forgetting your keys in the car.”

That's it for this week. Stay safe, stay secure, stay out with the car and we'll see you in se7en!
Larissa
2/27/2024 09:03:45 pm
Very timely update. Our brand new Ioniq5 just was stolen. I wish I had known about this problem earlier. Hopefully this will help other people.