Category Archives: Google

Cybersecurity News for the Week Ending March 25, 2022

FCC Publishes Notice of Inquiry on Digital Redlining

The recently passed jobs act gave the FCC two years to adopt rules that will “facilitate equal access to broadband internet access service.” Congress says that these rules should prevent “digital discrimination … based on income level, race, ethnicity, color, religion, or national origin”. The FCC is asking, publicly, an awful lot of questions. Stay tuned for what happens next. Comments are due by May 16th. Credit: Wiley Law

EU and US Sign New Data Transfer Deal

The EU and US signed a deal to replace Privacy Shield today, in Brussels. We have not seen the details of the deal, and Max Schrems, who killed the last two versions of the deal in court, says his group will review it in detail for compliance with EU law, so this is not over yet, but it is a good sign for US businesses that are looking for some certainty when it comes to data transfers. Credit: Security Week

Hackers Unlock and Remote Start Honda Civics for $300 in Parts

Nobody told Honda that sending security information from the fob to the car unencrypted, or sending the same information each and every time to unlock or start the car, is a problem. If you are worried about your Honda being stolen, the only thing you can do is, well, not much. The article says you can put your key fob in a Faraday bag, but the reality is, that doesn’t help at all. Credit: The Register

Google Trains Employees to CC: Attorneys to Claim Privilege

In the face of the massive anti-trust lawsuit between the feds, 14 attorneys general and Google, the government is asking the judge to sanction Google for arbitrarily CC:ing lawyers on sketchy emails and asking for an opinion. Google’s attorneys understand this is a scam and don’t respond. Google even trains its employees to do this. We shall see what the judge decides. Credit: Ars Technica

Security News for the Week Ending March 11, 2022

Trump is Not Happy About Launch of Twitter-Like Truth Social

Apparently not happy is a bit of an understatement. He has a lot to lose if this is not successful. As part of the SPAC deal with Digital World, he has a lot of shares. If the stock, which is still going up slowly, tanks, he stands to lose a bunch of dough. Many people who downloaded the app said that they could not create accounts or were waitlisted. The reality is that people use social media to stay connected, and if you have a choice between Twitter’s billions of users and Truth Social’s thousands of users, the choice is pretty clear. Analysis suggests that it is doing about the same as or worse than Gab and Gettr, which is also a problem. Twitter won because it was the only player. Now you have 3 players all going after the same highly targeted slice of market. At least it has not been hacked (publicly) since its launch, which is more than Gab and Gettr can say. Credit: MSN

Hackers Targeted US LNG Producers in Run-Up to Ukraine Invasion

In February hackers penetrated computers belonging to current and former employees at nearly two dozen major natural gas suppliers, including Chevron and Kinder Morgan.

Security firm Resecurity discovered a small group of hackers, including one linked to Strontium, the nickname for a hacking group inside Russia’s GRU military intelligence.

They wanted to gain and maintain access to the U.S. energy supply so that they could destabilize the world energy market when Russia invaded Ukraine. Unfortunately for Putin, while these early attacks were successful, they were discovered before they could do any significant damage. Credit: Bloomberg Quint

Google Acquires Mandiant for $5 Billion in Cash

It is nice to be able to write a check for $5 billion. Mandiant, best known for its breach response and threat intelligence services, is being acquired by Google. Depending on what Google does with it, that could be good news for Google cloud services users. Mandiant does have its own cloud security products and together, if Google doesn’t do anything stupid, it will give Mandiant access to a lot of capital. Credit: CSO Online

Alexa, Go Hack Yourself

The good news is that Amazon patched this feature after researchers demonstrated that they could get an Alexa to unlock your door, set your microwave to run with nothing in it, possibly causing a fire, and other cute stuff. The attack is very simple, so it is good that it has been patched now. Aren’t you glad that you don’t have any smart devices in your house? Credit: Ars Technica

Chinese Use Herd Management App to Hack State Networks

Mandiant says that the Chinese hackers APT41 AKA Barium used a bug in an app that many state governments use to track animal diseases in livestock herds called USAHERDS. Mandiant warned the developer of the high severity bug and they have patched it. In the meantime, Mandiant thinks the Chinese have successfully hacked at least 6 state government networks. Maybe as many as 18 states. Think about that before you install that next app. Credit: Wired

Security News for the Week Ending Feb. 11, 2022

Google Decreased Account Takeovers by 50% by Mandating 2FA

Late last year Google forced about a hundred fifty million users to start using multi-factor authentication. What results did they see? Account takeovers in that group were reduced by 50%. Google has previously said that only 10% of their users were using MFA. Now they are forcing the issue. Credit: Cybernews

Attacks on Crypto Continue – $320 Million in Ethereum Stolen

The Wormhole token bridge, which allows users to send and receive cryptocurrency between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without a centralized exchange, experienced a security exploit resulting in the loss of 120,000 wETH tokens worth $321 million from the platform. Again, the hackers found a bug in the software that allowed them to hack the company. This is the root problem with decentralized finance – it is counting on software being bug free, and that just does not exist. In their case, they are very lucky because the Jump Trading Group, which is an investor in Wormhole, ponied up the $320 mil to make their customers whole. That doesn’t happen often. Credit: Metacurity and Decrypt.co

Apple Says It Won’t Do Biz With Companies that Use Conflict Minerals

According to a report that Apple filed with the SEC, they have terminated relationships with 163 smelters and refiners since 2009 for failing to pass human rights and mineral standards. This is the seventh year of requiring these firms to pass a third party audit. This year 12 companies got axed from the vendor list. Good for Apple. Credit: Vice

French Data Protection Authority Says Google Analytics Violates GDPR

The problem, the French privacy folks say, is that Google transfers your data to the U.S. and, after Schrems II, in which the EU high court struck down the US-EU privacy agreement called Privacy Shield, the US was deemed to not have equivalent privacy protections. They would like you to forget that they are playing with a stacked deck, because the European intelligence agencies do the same stuff the US does, but they don’t have to comply. They suggest anonymizing the data, which is okay for stats but not for targeted ads, or kicking Google to the curb, which was kind of the EU’s goal in the first place. I think Google could choose to leave EU data in the EU, which simplifies the privacy stuff, but it makes life more complicated for Google because they probably could not do a number of things with your data that they would like to. Credit: The Record

Senators Say CIA is Collecting Bulk Data on US Citizens

Executive Order 12333, issued by Reagan in 1981, covers, among many activities, the data collection practices of the intelligence agencies who operate outside the rules of the FISA court. There is a group that is supposed to watch over the CIA called the PCLOB, but many people think it has a pretty cozy relationship with the CIA and doesn’t have the same level of (very limited) transparency that the FISA Court does. Unlike the Patriot Act and USA Freedom Act, which have to be reauthorized, EO 12333 lives forever with no public discussion. Senators Wyden and Heinrich wrote the Director of National Intelligence asking for more transparency. Credit: Data Breach Today

Schools (And Others) Will Pay More for Cyber Insurance

As a result of the massive increase in cyberattacks against schools (and others), cyber insurance premiums will likely face major hikes this year, assuming that you can even get coverage. Hikes of 100% to 300% are likely if you don’t have the best security controls. One California insurance executive said her school clients were declined for insurance 37 times, saw deductibles climb from $25,000 to a million dollars, and saw premiums increase by up to ten times. This will force some organizations to become self insured, making cybersecurity practices even more important. Credit: The Journal

Google Says They Don’t Sell Your Data – That is True, They Give it Away!

Google is being sued. Again. This is not news. What is news is why they are being sued.

Google says that they don’t sell your data. While that may be accurate, they do, according to a new lawsuit, give it away to anyone who wants it.

How does that work?

Google sells ads. While some of those ads are blind, meaning that the buyer does not know who it is being presented to, those ads don’t sell for much. My kids are fully grown. Showing me a diaper ad is not terribly useful to the diaper company. I am highly unlikely to buy any diapers any time soon.

Most ads are sold using Google’s real time bidding system. This bidding happens in a blink of an eye.

It works something like this.

You visit a web page. The site owner has a deal to buy ads from Google. While the page is loading, the site owner tells Google that it has a box that is so many inches by so many inches available.

They also tell Google everything they know about you. This includes everything the browser tells them like your system information and IP address and any other information the site owner has about you. Then Google adds information it knows about you based on other data they have collected from other sites you have visited and other data that they have bought.

So far, it would appear, they are not lying.

But they also have not sold any ads.

What happens next is this. Google provides all of this information to anyone who is bidding for ads at the moment. That entire collection of data is provided, free of charge, the lawsuit says, to all of the potential buyers.

In the blink of an eye, someone wins the bid and Google charges them and gives the ad to the website to display. This could be Facebook. Or your web site if you display ads.

But what happens to all that data that was sent to the losers?

According to the lawsuit, they get to keep it.

Some people bid on ads with the intention of NOT winning. All they want is your data. They offer to pay a penny knowing that they will never win. Maybe they have to shell out a few pennies if literally no one else bids.

After the bidding period (blink) is over, they can take that data, aggregate it and sell it. Or use it in some other way.

This is the crux of the lawsuit.

If there are a hundred bidders for that ad, or a thousand, they all get to keep the data, according to the plaintiffs.

You would think Google would care, but maybe, because they collect so much data every second, they don’t.

I guess we will see how this plays out in court. Credit: Law Street Media

Google Accused of Selling Your Data – SHOCKING!

Google is facing a class action lawsuit for, the plaintiffs say, selling your data.

The law firm that filed the case knows a bit about these kinds of lawsuits. The firm, Bleichmar Fonti & Auld LLP, has previously won settlements in the tens and hundreds of millions of dollars. They were part of the team that separated Volkswagen from $17 billion, so if I were Google, I would be at least a little concerned.

The case centers around how Google’s real time ad bidding process works.

Apparently, Google hands potential advertisers a whole portfolio of information about you like Google ID, IP address, cookie match, user agent, location, device ID, race, identity, health, divorce and other key ad match criteria.

In exchange, in those few milliseconds, the advertiser decides if they want to bid on an ad for you.

If they don’t, they get to keep your data. For free.

They can, apparently, aggregate that information and sell it. Companies like Venntel do just that.

You don’t ever have to make a bid, never mind win one.

Government agencies like ICE and Customs buy this data too.

Google, of course, says that this isn’t selling your data.

In a sense they are right.

If you are not the winning bidder, they are giving it away for free.
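A toy model of the bidding flow described in this post and in the previous one: every bidder receives the same bid request, and nothing in the auction takes it back from the losers. This is an added example, not code from the post or from Google; the bidder names, the request fields and the data-minimized variant are all constructed for illustration.

```python
"""Toy model of real-time bidding as the posts describe it (added example).
One bid request carrying the visitor's profile is fanned out to every
bidder; the auction only decides who pays, not who keeps the data.
All names and data below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Bidder:
    name: str
    bid: float                                   # fixed offer in USD
    retained: list = field(default_factory=list)  # every request it has seen

    def on_bid_request(self, request: dict) -> float:
        # Once delivered, the request is out of the auction's control;
        # this bidder simply keeps a copy regardless of the outcome.
        self.retained.append(request)
        return self.bid


def run_auction(request: dict, bidders: list) -> tuple:
    """Send the request to every bidder and return (winner, price)."""
    offers = {b.name: b.on_bid_request(request) for b in bidders}
    winner = max(offers, key=offers.get)
    return winner, offers[winner]


def minimized(request: dict) -> dict:
    """Hypothetical data-minimized request: only what prices the slot."""
    keep = ("slot_w", "slot_h", "cohort")
    return {k: v for k, v in request.items() if k in keep}


# Constructed bid request: site-supplied data plus profile fields of the
# kind the posts list (IP, ID, location, sensitive interest categories).
FULL_REQUEST = {
    "slot_w": 300, "slot_h": 250,
    "ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (constructed)",
    "google_id": "gid-constructed-1", "location": "Denver, CO",
    "interests": ["parenting", "divorce law", "diabetes"],
    "cohort": "cohort-4711",
}


def demo(request: dict = FULL_REQUEST) -> tuple:
    """Returns (winner, price, loser, loser_still_has_ip)."""
    bidders = [Bidder("real_advertiser", 1.20),
               Bidder("penny_bidder", 0.01)]   # never expects to win
    winner, price = run_auction(request, bidders)
    loser = next(b for b in bidders if b.name != winner)
    return winner, price, loser.name, "ip" in loser.retained[0]
```

Running `demo()` shows the penny bidder ends up holding the full profile; running `demo(minimized(FULL_REQUEST))` shows that only what was never sent stays private.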

This case was just filed in March, so we are a long way from a decision, but maybe this law firm could separate Google from a few of those billions of dollars.

It will be interesting to see if Google changes the way bids work. They are damned either way. If they do, they are admitting to what they are accused of. If they don’t and they lose, it probably increases their liability.

Stay tuned and get your popcorn out.

Credit: Vice

Google to Test Replacement for Third Party Cookies

First, what are cookies? For those who don’t know, they are small text files, often encrypted, placed on your phone or computer by web sites so that they can track your actions. Cookies come in two flavors. FIRST PARTY cookies are cookies placed on your device by the website that you are visiting. THIRD PARTY cookies are those cookies put on your device by others, trying to track your broader activities across websites.

While first party cookies are usually used to track what you are doing on the web site you are visiting, tracking your “state” on that site, third party cookies are used to track you as you move from site to site.

Many browsers are completely blocking third party cookies, making this method of tracking you less effective. Many users have installed blocking software like Ad Block Plus which also blocks many cookies.

Some companies are using first party cookies in a covert manner to replace third party cookies. In this case, let’s say you are visiting XYZ.Com. XYZ sets up a subdomain called, let’s say, TRACKME.XYZ.Com and lets the tracking company control what is in there. If a lot of companies do the same thing, then these covert first party subdomains work in the same manner to track your actions. One company detected 6,000 web sites doing this.

Since Google needs to protect its ad revenue, it is trying to come up with a replacement for third party cookies that will satisfy at least some privacy folks.
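A simple detection check for the covert first-party subdomain trick described above. This is an added example, not code from the post or from any vendor; it assumes the subdomain is handed to the tracker with a DNS CNAME record, so a first-party host whose CNAME target sits under a different registrable domain is the signal. The DNS records and the tracker list are constructed stand-ins for real lookups.

```python
"""Flag first-party subdomains whose CNAME leaves the site's own domain
(added example; assumes CNAME-based delegation to the tracker)."""

# Constructed zone data: hostname -> CNAME target (None = no CNAME).
CONSTRUCTED_DNS = {
    "www.xyz.example": None,
    "cdn.xyz.example": "assets.xyz.example",
    "trackme.xyz.example": "xyz-example.tracker-collect.example",
}

# Constructed list of tracker apex domains (hypothetical block list).
KNOWN_TRACKER_APEXES = {"tracker-collect.example"}


def registrable_domain(host: str) -> str:
    """Last two labels of the name. Good enough for this example; a real
    check would consult the public suffix list (e.g. for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cloaked_subdomains(page_host: str, dns: dict) -> list:
    """Return first-party hosts whose CNAME points outside the site."""
    site = registrable_domain(page_host)
    findings = []
    for host, target in dns.items():
        # Only consider names under the site the visitor is on.
        if target is None or registrable_domain(host) != site:
            continue
        target_site = registrable_domain(target)
        if target_site != site:
            findings.append({
                "host": host,
                "cname": target,
                "known_tracker": target_site in KNOWN_TRACKER_APEXES,
            })
    return findings
```

Cookies set by such a host are first-party to the browser, which is why this check looks at DNS rather than at the cookie jar.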

FLoC or Federated Learning of Cohorts is a technique that Google is about to test. Instead of tracking your individual actions, it instead categorizes your activities and puts you in a FLoC Cohort. Each cohort has an ID and advertisers can pay to show their ads to a particular cohort. Since cohorts have similar surfing patterns, maybe they have similar buying habits.

Of course, this is far from perfect and there are concerns that people could wind up being put in cohorts based on say, race or sexual orientation, since it is possible that those characteristics could have similar browsing habits.

At this point even Google doesn’t know if this will work, but you will soon become a guinea pig, whether you know it or not.

The EFF is not fond of the idea saying that websites might uniquely fingerprint FLoC users to better target ads.

Personally, I think the whole thing is a losing battle. I visit hundreds of websites a week and I cannot recall the last time I clicked on any ad. Still, it must work to some degree as companies continue to buy these ads. Credit: The Hacker News