Category Archives: Privacy

Thank You California For Keeping Me Permanently Employed

OK, so the headline is a bit of a hook because at this point, it is only a bill, but if it passes, it will be a nightmare for anyone who does business in California, which is good for my company, bad for everyone else. While this is not in my personal best interest, I hope the bill does not become law.

CA AB 2273 pretends to protect children and that is good in an election year. Who could be against motherhood, apple pie and protecting the children?

If passed, websites will, unless they can show that they are not attractive to kids, have to verify the age of everyone who visits the website.

That means that businesses will need to collect personal data (and keep it) for everyone who visits their website. It also means no more anonymous web surfing because they won’t be able to tell your age if they don’t know who you are.

It is also based on a UK age-appropriate design law. In Europe, you can get an A if you try hard, even if you don't succeed. In the U.S., you can get an F, even if you do succeed. That will be a problem.

The bill also delves into content moderation, which would turn the California Privacy Protection Agency into the California Internet Regulator Agency.

Some pieces of the bill:

It applies to businesses that provide an online service or feature likely to be accessed by a child – whatever that means. A child is anyone under 18, so that means you have to treat a 5-year-old and a 17-year-old the same. Under the current law, COPPA, businesses are affected if they KNOW that users are under 13 or specifically direct their services to those under 13. If it is reasonable to expect that one person, aged 17 years and 364 days, will visit your website, you must comply.

It says that businesses should consider the best interests of children in the design of their website. SHOULD? That is different from must. This will keep lawyers employed for a long time.

The bill also tries to say that businesses owe a duty of loyalty or a fiduciary duty to their customers. Other than for certain financial advisors, accountants, lawyers, etc., this does not exist today. Great for lawyers, not so good for businesses.

It would require businesses to do a data protection impact assessment. We do those. It is not cheap because it is a lot of work.

Establish the age of consumers with a reasonable level of certainty. How do you do that? What is reasonable?

Configure default settings to a “high level of privacy protection”. No more collecting or selling data. There goes that business model. And what is a high level, anyway?

This feature might be good. Disclosures must use language that is age appropriate, so maybe we could all understand the legalese on websites.

Provide an “obvious signal” if parents can monitor their kids’ activities online. Huh? How?

Enforce published terms, policies and community standards – not just for kids.

And it goes on for a long time.

The good news is that this is not law yet. If you do business in California, you probably need to watch this bill. If you live there, get involved.

Credit: Professor Eric Goldman

Security News for the Week Ending June 24, 2022

Want Some BidenCash?

This is not a political statement – at least not by me. There is a new carding site that uses the President's name and likeness to sell stolen credit card data for as little as 15 cents per card. Last week the admins gave away a CSV file with names, addresses, phone numbers, emails and credit card numbers for free. Kind of a marketing push. Of the 8 million records in the free dump, only 6,600 had valid card numbers, but the other data could be useful anyway. Credit: Bleeping Computer

TikTok China Had/Has Access to 80 American Users’ Data

According to leaked audio recordings of internal TikTok meetings, Chinese TikTok employees had, and probably still have, access to the data of all American TikTok users, a security concern of the US government. According to the report, TikTok misled US officials and users with claims that the data is stored in the US and can't be accessed in China. When the report came out, TikTok said the data is being stored in Oracle Cloud systems – a creative diversion from the question of whether Chinese employees and, by extension, the Chinese government, can access that data. Credit: Cybernews

UK Government Approves Extraditing Assange on Spying

The British government has okayed the extradition of Julian Assange to the U.S. on charges of spying. The U.K. Home Office says that it would not be oppressive, unjust or an abuse of process to extradite Mr. Assange. There are still appeals possible, so he is not likely to get on an airplane soon. Credit: CBS

GAO is Worried About Cyber Insurance for Major Attacks

Cyber insurance companies are trying to limit their losses. In 2021 they paid out 69% of premiums in claims; that number is way too high for comfort. Insurance companies are adding "acts of war" clauses and terrorism clauses to create a way not to pay. The Terrorism Risk Insurance Act (TRIA) was created by Congress as a backstop for insurance companies in case of major terror attacks like 9/11. Unfortunately, the way the law is worded, it is likely that companies would not be covered – either by TRIA or by their insurance carriers. The GAO wants Congress to fix this. Credit: ZDNet

Don’t Trust Blockchain With More Than Your Lunch Money

$100 million here, $320 million there, $600 million the other day. After a while, it adds up. Harmony is a vendor that offers cross-blockchain bridges. In this week's story, their Horizon Ethereum Bridge was hacked and lost 85,000 ETH tokens, worth about a hundred million bucks. At this point they have not said how they were hacked or whether they are going to pay people back. The Grift Counter, which tracks crypto losses, says that losses have exceeded $10 billion just since 2021. Credit: The Register

Ransomware Continues to Morph

The FBI, CISA, Treasury and FinCEN put out a new alert about a hacking group with a different tactic. While this has been done in the past, it has not been done at scale.

The group, Karakurt, does not encrypt your data. Instead they just steal it.

What they do after that is give the hacked companies a week and if they don’t pay the ransom, they threaten to auction it or publish it. Their demands have ranged from $25,000 to $13,000,000.

To confirm that they have stolen the data, they provide screenshots or directory listings.

In addition to simplifying their business model by not encrypting the data – and therefore not having to write code to encrypt and decrypt, or manage encryption keys – they also don't hack websites.

Instead, they just buy stolen credentials via a variety of techniques.

They also use intrusion broker networks, who know things like who is running vulnerable SonicWall firewalls or outdated Log4j libraries.

They also try to steal as much data as they can; as a result, they are less stealthy than some players.

But then they keep the pressure up.

They send harassing emails to employees and business partners, making the hack as noisy as possible. This encourages the company that was hacked to pay up, just to make the noise go away. They even make threatening phone calls to employees, business partners and clients.

Needless to say, backups are a useless defense to this type of attack.
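Since backups do nothing against pure data theft, the control that actually matters is spotting the bulk outbound transfer while it is happening, and the post notes that this group is not stealthy about volume. As an added example (not from the original post or from the CISA alert), here is a Python script that reads constructed proxy/flow log lines of the form "timestamp src dst bytes", sums each internal host's bytes sent to addresses outside the organisation's own ranges in 10-minute windows, and flags a window when it exceeds either an absolute ceiling or a large multiple of that host's own median window. The log format, the internal ranges, the thresholds and the sample addresses are all assumptions for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed: the organisation's own address ranges. Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (not real traffic). Format: "<ISO timestamp> <src> <dst> <bytes sent by src>".
# 10.0.4.17 does ordinary daytime browsing, then pushes ~450 MB to an unknown
# external host at night. 10.0.4.22 sends a large backup to an internal server,
# which should not count as egress.
SAMPLE_LOG = """\
2022-06-20T09:00:12 10.0.4.17 198.51.100.20 1843
2022-06-20T09:03:40 10.0.4.17 198.51.100.20 2210
2022-06-20T09:12:07 10.0.4.17 198.51.100.20 1502
2022-06-20T09:25:51 10.0.4.17 198.51.100.20 1977
2022-06-20T09:31:00 10.0.4.22 10.0.9.1 900000000
2022-06-20T09:33:15 10.0.4.22 198.51.100.20 2404
2022-06-20T21:02:33 10.0.4.17 203.0.113.9 150000000
2022-06-20T21:05:10 10.0.4.17 203.0.113.9 160000000
2022-06-20T21:09:48 10.0.4.17 203.0.113.9 140000000
2022-06-20T21:14:02 10.0.4.22 198.51.100.20 1750
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_lines(text: str):
    """Turn log text into (timestamp, src, dst, bytes) tuples, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def window_start(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to the start of its fixed-size window."""
    floored = (ts.minute // minutes) * minutes
    return ts.replace(minute=floored, second=0, microsecond=0)


def egress_by_window(events, minutes: int = 10):
    """Sum bytes per (source host, window), counting only traffic to external destinations."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in events:
        if is_internal(dst):
            continue  # internal transfer (backup, file server): not egress
        totals[(src, window_start(ts, minutes))] += nbytes
    return totals


def detect_bulk_egress(text: str, minutes: int = 10,
                       abs_threshold: int = 200 * 1024 * 1024,
                       ratio: int = 50, min_spike: int = 10 * 1024 * 1024):
    """Return (host, window_start_iso, bytes) for windows that look like bulk exfiltration.

    A window is flagged if it exceeds abs_threshold outright, or if it is at least
    min_spike bytes and more than `ratio` times that host's median window.
    """
    per_host = defaultdict(dict)
    for (src, win), b in egress_by_window(parse_lines(text), minutes).items():
        per_host[src][win] = b

    alerts = []
    for src, wins in per_host.items():
        baseline = statistics.median(wins.values())
        for win, b in sorted(wins.items()):
            if b >= abs_threshold or (b >= min_spike and b > ratio * baseline):
                alerts.append((src, win.isoformat(), b))
    return alerts


if __name__ == "__main__":
    for host, win, nbytes in detect_bulk_egress(SAMPLE_LOG):
        print(f"ALERT {host} sent {nbytes / 1e6:.0f} MB to external hosts in window starting {win}")
```

The per-host median keeps a busy file server from drowning out a quiet workstation, and the absolute ceiling catches a host that has no history at all. In practice the same logic runs over an egress proxy or NetFlow export rather than a pasted string.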

Credit: ZDNet and CISA

How Many Times is Your Fav App Spying on You?

I don’t know whether to think this is abnormal or not. I think it is not.

Tim Hortons is a fast-food chain based in Canada, with about 5,000 restaurants in 15 countries, including the United States.

Like many companies, Timmies (yup, that is one of the names for it) has an app.

And, like many companies, the app asked the user for permission to capture the user’s location.

What Timmies didn't understand is that Canadian privacy laws take user privacy a bit more seriously than U.S. laws do.

Canadian Federal Privacy Commissioner Daniel Therrien said that the Tim Hortons app tracked and recorded users' movements every few minutes on a daily basis, even when the app was not open.

Before you say that your favorite app would not do that, there are many cases in the U.S. and other countries where companies have been accused of similar things.

The Canadian Privacy Commissioner called Hortons’ app a mass invasion of Canadians’ privacy that violated Canadian laws. There are probably other countries where they could also be charged, but likely the U.S. is not one of them. Possible, but not likely.

Timmies generated an "alert" every time a user entered or exited a Hortons competitor, a major sports venue, their home or their workplace.

The federal investigation was started after a reporter found that the app had tracked his movements more than 2,700 times in less than five months.

The Hortons app had more than a million and a half users as of two years ago.

After they got caught, Hortons says that they removed the geolocation technology from their app.

They changed their data collection tactics in 2019 to reduce the number of events to 10 per day per user. They used this data to collect trends and to push ads to app users.

Once the investigation started, they disabled the location tracking feature. That is probably an indication that they thought they were in trouble.

However, the Canadian feds are smart. They looked at Hortons' deal with their new data collection partner, a U.S. company called Radar.

The Privacy Commissioner said that while Hortons was no longer using the data, their contract with Radar did not stop the third party from using and selling the location data to other people. While they said the data was de-identified, researchers say it only takes, on average, 4 pieces of data to re-identify a user.

Unfortunately, this is the norm, and, for the most part, in the U.S., it is not illegal. Credit: Yahoo Finance
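To make the "4 pieces of data" point concrete, here is an added Python example (not from the post, the Privacy Commissioner's report, or the research it refers to) that measures trace uniqueness on a constructed, pseudonymised location dataset: for each user it draws random samples of k (day, hour, cell) points from that user's own trace and asks whether any other pseudonym in the dataset shares all k points. If nobody else does, the sample singles that user out even though the dataset carries no names. The generator, the "pseudo-NNNN" identifiers and the home/work movement pattern are assumptions for illustration; the metric is the uniqueness-of-traces test used in the location-privacy literature.

```python
import random
from collections import defaultdict


def make_constructed_traces(n_users=200, n_cells=40, points_per_user=30, seed=7):
    """Build a constructed, pseudonymised location dataset (not real data).

    Each user gets a home cell and a work cell; night-time points land at home,
    office-hour points at work, the rest anywhere. Returns {pseudonym: frozenset of
    (day, hour, cell)} with no real identifiers at all.
    """
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        home, work = rng.randrange(n_cells), rng.randrange(n_cells)
        points = set()
        while len(points) < points_per_user:
            day, hour = rng.randrange(7), rng.randrange(24)
            if hour < 7 or hour > 20:
                cell = home
            elif 9 <= hour <= 17:
                cell = work
            else:
                cell = rng.randrange(n_cells)
            points.add((day, hour, cell))
        traces[f"pseudo-{uid:04d}"] = frozenset(points)
    return traces


def build_index(traces):
    """Inverted index: (day, hour, cell) -> set of pseudonyms seen there."""
    index = defaultdict(set)
    for uid, points in traces.items():
        for p in points:
            index[p].add(uid)
    return index


def matching_users(index, points):
    """Pseudonyms whose trace contains every one of the given points."""
    users = None
    for p in points:
        seen = index.get(p, set())
        users = set(seen) if users is None else users & seen
        if not users:
            break
    return users or set()


def uniqueness(traces, k, samples_per_user=20, seed=1):
    """Fraction of random k-point samples that match exactly one pseudonym."""
    rng = random.Random(seed)
    index = build_index(traces)
    unique = total = 0
    for uid, points in traces.items():
        ordered = sorted(points)
        if len(ordered) < k:
            continue
        for _ in range(samples_per_user):
            sample = rng.sample(ordered, k)
            total += 1
            if matching_users(index, sample) == {uid}:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    traces = make_constructed_traces()
    for k in range(1, 5):
        print(f"{k} point(s): {uniqueness(traces, k):.0%} of sampled traces are unique")
```

Run it and the share of unique samples climbs steeply from one point to four. Anyone who can attach a handful of known (place, time) facts to a person, such as a home address and an office, can look up which pseudonym they are, which is why a "de-identified" feed of raw location events is still personal data for practical purposes.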

Security News for the Week Ending May 6, 2022

Tomorrow is the one-year anniversary of the Colonial Pipeline attack. The government has done more to improve cybersecurity in the last year than it had done in the last 10 years. But there is still a lot more to do.

Jury Finds Norton/Lifelock Infringed on Two Columbia University Patents

Even in the world of cybersecurity, patent infringement is a problem. A jury decided that Norton’s use of emulators to detect malicious behavior violated patents owned by Columbia. Norton says they will stop using the technology and appeal the verdict. Among the Norton products affected are Norton Security and Symantec Endpoint Protection. Since the infringement was deemed to be willful, the judge could triple the $185 million judgement. The suit goes back to 2013. Credit: Data Breach Today

Data Broker Stops Selling Location Data of Planned Parenthood Visitors One Day After Being Outed

Yesterday I read a piece reporting that one of the security trade magazines bought data on visitors to all Planned Parenthood locations, including where they went afterwards (home) and where they came from before (work). They paid $160. I think the company, SafeGraph, decided the incredibly negative PR wasn't worth $160, so today they decided to stop selling it. That doesn't mean other greedy data brokers will do the same; in the U.S. there is nothing illegal about it. Credit: Motherboard by Vice

Cryptocurrency Projects Are As Secure As a Screen Door

In just four days hackers stole over $100 million in cryptocurrency. Who pays for that? Fei Protocol lost $77 million, Saddle Finance $10 million, Deus Finance $13 million and Bored Apes $6 million. There is no government insurance for cryptocurrency owners. Credit: Metacurity

Ukrainians Figure Out How to Beat Russia – Shut Off its Booze

Ukraine's army of hackers has figured out how to hit Russia where it hurts. Russia requires the booze industry to use a government-run portal called EGAIS. Hackers have kept it out of commission, so stores can't "receive" alcohol, factories can't accept tanks of alcohol, and distributors can't ship or receive products. As a result, factories are reducing or stopping production. Interesting attack. Credit: Bleeping Computer

Spain Admits It Hacked Some of its Politicians' Phones

After a week of public reporting that some Spanish politicians' phones had been hacked using the Pegasus spyware, a leading Catalan separatist politician said that Spain's top intelligence official admitted that her agency did, in fact, hack some opposition politicians' phones. But, she said, it was all legal. Reports say that the court orders covered far fewer people than Citizen Lab found infected, so who hacked the rest of the phones? If you are high profile in any way, you should assume your phone is not secure. Even secure messaging apps like Signal or iMessage would not be secure, since the phone itself is compromised. This follows the disclosure, earlier in the week, that the phones of Spain's Prime Minister and Defense Minister were both infected with Pegasus spyware by someone. Pegasus is so stealthy that even the government's cyber sleuths did not detect it until the facts were reported in the media. Credit: ABC News

Treasury Sanctions Cryptocurrency Mixer BLENDER

Mixers are apps that are designed to obfuscate cryptocurrency transactions, to make them harder to track. I am not sure that sanctioning one of the hundreds of these mixers will really help, but I guess it can’t hurt. Credit: The Register

Ya Know Those Stories About People Listening in on Your Microphone? Yup!

We often hear stories about people listening to you (eavesdropping) using your phone or PC’s microphone even when you think they are not. We usually attribute that to the “tin foil hat” crowd, but, apparently, that might be a bit optimistic.

Researchers at the University of Wisconsin-Madison and Loyola University Chicago say that they tested the top 10 video conferencing apps, and here is what they found.

If you are using the vendor's native app for your platform, the mute button doesn't work the same way the OS muting function does.

Web apps that run in the browser, without a local app and using WebRTC controls, turned off the mic correctly.

Software-based app mute buttons – well, it depends.

Many smart speaker vendors put a physical button on the device to make people more comfortable that the mic is really off.

The researchers say that they found “fragmented policies” for dealing with the microphone when muted.

Among the apps studied – Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, Whereby, GoToMeeting, Jitsi Meet, and Discord – most presented only limited or theoretical privacy concerns.

The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability.

Cisco Webex does transmit audio metrics (but not actual voice) when your mic is muted. Cisco says they changed the way Webex works after they were outed.

The only sure way to disable the audio is with a hardware switch, which some headsets have. Beyond that, you are trusting the vendor.

Credit: The Register