Internet Security, Abuse, Data Harvesting, Etc.

[andydp]

Apr 22, 2022 14:27:46 GMT LFC said:

Apr 22, 2022 11:54:05 GMT indy said:

I have only ever had the dumb TV and smart add on devices (Apple TV and Apple speakers for us) solution.

We bought a 55" for when we finished the garage conversion a few months back. Every set we were interested in was "smart" with built-in streaming apps, ability to surf the web, blah, blah, blah. And the web is brimming with complaints about software bugs and even people with TVs that completely brick.

A couple of years ago, the old tube TV in Maine went to the "great circuit in the sky".  I was in need of a TV, so I looked in Walmart because it's the biggest game in Skowhegan.  Found a "dumb" TV for a good price.  It has a hookup for a ROKU or other internet gizmo, but its basically a "dumb" TV.  Seeing as I'm in Maine for about a month a year, this fits my bill perfectly. 

We also have the same sort of TV in our bedroom, but I have a ROKU hooked to it.

[Bact PhD]

Apr 22, 2022 13:39:24 GMT goldenvalley said:

Apr 22, 2022 13:20:19 GMT indy said:

I generally will repair them myself, depending on what is wrong. I replaced the electronics board on our fridge went it went bad (bought a used one off ebay). This time the compressor died so not worth it.

Our washer is entirely mechanical---no electronics to speak of,  and I have replaced the agitators twice (kids overloaded it and stripped the plastic), replaced the pressure switch when it went bad, and have replaced a couple of the rotary switches (selects wash cycle, etc.). Probably some other stuff I have forgotten about.

Dryer I have replaced one maybe two rotary switches and otherwise trouble free.

I have replaced the oven igniter (at least twice) on the stove; electronics boards, igniter, flame detector, and vacuum switch on the furnace. Furnace has been---by far--the most troublesome but it is 22 now too.

All made possible with the help of youtube. Places that sell replacement parts will often have a video on how to replace the part they are selling.

I was more interested in the front loaders, realizing that at some point bending down to reach the bottom of the washer will get difficult.  They don't make dumb versions of front loaders.  

I hear you on the mechanical aspects of your machine. I don't have the expertise to do it. Mostly, I don't have the desire to figure it out. I briefly looked at ye olde' Speed Queens which are about as stripped down as you get these days.  They remind me of the washers that were in my granddad's laundromat back in the 60's and 70's.  I think he always bought Frigidaires.  They were built for heavy use.

Same here. I know the limits of my DIY capabilities, and I have to be able to pretty much handle it solo. Chem PhD is brilliant in many areas, but fixing mechanical or electronic things isn’t one of those areas. If it’s beyond my skill, it’s time to call a pro or consider replacement.

[LFC]

Every ISP in the US has been ordered to block three pirate streaming services

A federal judge has ordered all Internet service providers in the United States to block three pirate streaming services operated by Doe defendants who never showed up to court and hid behind false identities.

The blocking orders affect Israel.tv, Israeli-tv.com, and Sdarot.tv, as well as related domains listed in the rulings and any other domains where the copyright-infringing websites may resurface in the future. The orders came in three essentially identical rulings (see here, here, and here) issued on April 26 in US District Court for the Southern District of New York.

Each ruling provides a list of 96 ISPs that are expected to block the websites, including Comcast, Charter, AT&T, Verizon, and T-Mobile. But the rulings say that all ISPs must comply even if they aren't on the list:

[LFC]

Gear from Netgear, Linksys, and 200 others has unpatched DNS poisoning flaw

Hardware and software makers are scrambling to determine if their wares suffer from a critical vulnerability recently discovered in third-party code libraries used by hundreds of vendors, including Netgear, Linksys, Axis, and the Gentoo embedded Linux distribution.

The flaw makes it possible for hackers with access to the connection between an affected device and the Internet to poison DNS requests used to translate domains to IP addresses, researchers from security firm Nozomi Networks said Monday. By feeding a vulnerable device fraudulent IP addresses repeatedly, the hackers can force end users to connect to malicious servers that pose as Google or another trusted site.

The vulnerability and the lack of a patch underscore a problem with third-party code libraries that has gotten worse over the past decade. Many of them—even those like the OpenSSL cryptography library that are widely used to provide crucial security functions—face funding crunches that make the discovery and patching of security vulnerabilities difficult.

“Unfortunately I wasn't able to fix the issue by myself and hope someone from the rather small community will step up,” the maintainer of uClibc-ng wrote in an open forum discussing the vulnerability. uClibc, meanwhile, hasn’t been updated since 2010, according to the downloads page for the library.

[andydp]

We've posted a few articles on IP theft. Obviously its not going to end soon.


Intellectual property theft operation attributed to Winnti group

Research from cyber security firm Cybereason found that Winnti’s campaign, dubbed Operation CuckooBees, ran from at least 2019 to 2021, and saw the Chinese state-linked APT group target companies in East Asia, Western Europe and North America.

Cybereason has published a two-part report on the campaign, the first part examining Winnti’s tactics and techniques, and the second providing a deeper analysis of the malware and exploits used.

www.computerweekly.com/news/252516710/Intellectual-property-theft-operation-attributed-to-Winnti-group

[goldenvalley]

May 5, 2022 13:47:58 GMT andydp said:

We've posted a few articles on IP theft. Obviously its not going to end soon.


Intellectual property theft operation attributed to Winnti group

Research from cyber security firm Cybereason found that Winnti’s campaign, dubbed Operation CuckooBees, ran from at least 2019 to 2021, and saw the Chinese state-linked APT group target companies in East Asia, Western Europe and North America.

Cybereason has published a two-part report on the campaign, the first part examining Winnti’s tactics and techniques, and the second providing a deeper analysis of the malware and exploits used.

www.computerweekly.com/news/252516710/Intellectual-property-theft-operation-attributed-to-Winnti-group

All this makes me resent all the passwords we are constantly exhorted to create...make them complicated, change them quarterly, monthly, weekly. I think it's sheer luck that any of us escape some sort of hacking of some account or another...plus our personal data is spread everywhere no matter what we do.

[Bact PhD]

May 5, 2022 16:03:29 GMT goldenvalley said:

All this makes me resent all the passwords we are constantly exhorted to create...make them complicated, change them quarterly, monthly, weekly. I think it's sheer luck that any of us escape some sort of hacking of some account or another...plus our personal data is spread everywhere no matter what we do.

Agreed. Owing to prior breaches, the data is already out there. Remember when LinkedIn got breached several *years* ago? The e-mail address I had associated with my LinkedIn account at the time of the breach (one that was little-used otherwise) just in the last couple of months has fallen into the hands of extreme spammers. Don’t get me wrong, I’m not using “Password” or “abc123” or anything along those lines (never did), but at some point the guidelines resemble the equivalent of “Lock your door, use a deadbolt, oh, and have a moat filled with alligators to prevent your home from being burglarized.” At some point it’s not worth the effort.

[andydp]

In this case they listened, mostly because they were hacked a couple of years back.  I know we've read stories of companies ignoring warning from FBI or Homeland Security.  As the article also points out many companies do not report breaches.

'Despicable' cyberattack attempt on Boston Children's Hospital thwarted, FBI director says

BOSTON - The FBI last year thwarted a planned cyberattack on Boston Children's Hospital that was to have been carried out by hackers sponsored by the Iranian government, FBI Director Christopher Wray said Wednesday.

"In the summer of 2021, hackers sponsored by the Iranian government tried to conduct one of the most despicable cyberattacks I've ever seen, right here in Boston, when they decided to go after Boston Children's Hospital," Wray said in a speech at a Boston College cybersecurity conference.

Wray said a report from an intelligence partner indicated that Children's was about to be targeted, and the hospital was immediately notified.

"Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depended on it," he said.


www.cbsnews.com/boston/news/boston-childrens-hospital-cyberattack-fbi-iran/?fbclid=IwAR1LEPmwNaQKwvbz6_XoN4Vw4xnbbfselipVDCxY1wt17TY-Cb3I1HJK_Zc

[LFC]

Tim Horton's? Say it ain't so! That's why I keep my phone relatively clean. Sure I download apps that I will truly use but I've seen people with an order of magnitude more than I have installed.

Canadian regulators on Wednesday found that Tim Hortons—a popular fast-food chain owned by the same multinational company as Burger King—changed its mobile app in 2019 to track and collect sensitive location data on its customers.

An investigation led by Canada’s privacy commissioner found that, indeed, with the help of a U.S.-based company called Radar, Tim Hortons was able to collect data on its customers’ locations “as often as every few minutes.”

Regulators found the collection, described as “continual and vast,” ultimately served no legitimate purpose, and was “not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.”

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance,” Privacy Commissioner of Canada Daniel Therrien said.

The government investigation into the company began in 2020 after a journalist at the Financial Post claimed the Tim Hortons app had recorded his GPS coordinates over 2,700 times in five months. The tracking occurred even when the app was not in use, the journalist, James McLeod, said.

[LFC]

Supposedly this will help reduce the spam robocalls. We dropped our land line because it was getting hit 8-10 times a day. After years of being virtually untouched my cell has recently starting getting hit 2-3 times a day.

The Federal Communications Commission today said it closed a robocall loophole by requiring small phone companies to implement the caller ID authentication technology known as STIR and SHAKEN.

Large voice providers were required to implement STIR/SHAKEN a year ago. But there was an exemption for carriers with 100,000 or fewer customers that would have given those smaller companies until June 30, 2023, to comply.

The FCC voted in December to move that deadline up to June 30, 2022, because small phone companies were apparently carrying a disproportionately high number of illegal robocalls.

"Starting today, certain small phone companies must comply with FCC rules to implement caller ID authentication tools on their networks, just as large voice service providers are required to since June 30, 2021," an FCC announcement said. "These small phone companies are suspected of facilitating large numbers of illegal robocalls and, as a result, the FCC rolled back an extended caller ID authentication implementation timeline granted to them in its original 2020 rules."

[LFC]

Routers are under attack, again.

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.


A high level of sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

"While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai Internet of Things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

[LFC]

Google has long since abandoned "do no harm." Here they kept on selling data to a sanctioned Russia company.

The day after Russia’s February invasion of Ukraine, Senate Intelligence Committee Chairman Mark Warner sent a letter to Google warning it to be on alert for “exploitation of your platform by Russia and Russian-linked entities,” and calling on the company to audit its advertising business’s compliance with economic sanctions.

But as recently as June 23, Google was sharing potentially sensitive user data with a sanctioned Russian ad tech company owned by Russia’s largest state bank, according to a new report provided to ProPublica.

Google allowed RuTarget, a Russian company that helps brands and agencies buy digital ads, to access and store data about people browsing websites and apps in Ukraine and other parts of the world, according to research from digital ad analysis firm Adalytics. Adalytics identified close to 700 examples of RuTarget receiving user data from Google after the company was added to a US Treasury list of sanctioned entities on Feb. 24. The data sharing between Google and RuTarget stopped four months later on June 23, the day ProPublica contacted Google about the activity.

RuTarget, which also operates under the name Segmento, is owned by Sberbank, a Russian state bank that the Treasury described as “uniquely important” to the country’s economy when it hit the lender with initial sanctions. RuTarget was later listed in an April 6 Treasury announcement that imposed full blocking sanctions on Sberbank and other Russian entities and people. The sanctions mean US individuals and entities are not supposed to conduct business with RuTarget or Sberbank.

Of particular concern, the analysis showed that Google shared data with RuTarget about users browsing websites based in Ukraine. This means Google may have turned over such critical information as unique mobile phone IDs, IP addresses, location information, and details about users’ interests and online activity, data that US senators and experts say could be used by Russian military and intelligence services to track people or zero in on locations of interest.

They're also being investigated in Europe for deceptive signup practices.

More than a billion people worldwide have signed up for Google accounts, clicking through screens promising that “your personal info is private and safe.” This week, Google’s sign-up process came under fire when European Union consumer rights groups issued new privacy complaints suggesting that the opposite is true—that Google intentionally designs default settings to deceive new users into granting permissions to harvest and share a broad swath of personal info.

"The language Google uses at every step of the registration process is unclear, incomplete, and misleading," the European consumer organization BEUC told Reuters. BEUC is helping to coordinate a potential civil lawsuit in Germany and several new complaints to data-protection authorities from consumer rights groups in France, Greece, the Czech Republic, Norway, and Slovenia.

The key issue in these complaints is how hard Google makes it for account users to choose privacy-friendly options. It’s much easier, the consumer groups argue, to set up an account to share personal info than to protect it. As Tech Crunch reported, Google designed a one-click “express personalization” option allowing data tracking, while “manual personalization” requires 10 clicks to turn off tracking.

A Google spokesperson told Reuters that “we are committed to ensuring these choices are clear and simple,” denying any wrongdoing because “these options are clearly labelled and designed to be simple to understand. We have based them on extensive research efforts and guidance from DPAs (data protection authorities) and feedback from testers.”

I guess now it's "do no harm to the stock price."

[LFC]

Another ugly Android virus. It's been around in some form or another for a long time.

Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to pricey wireless services, and intercept text messages, all in a bid to collect hefty fees from unsuspecting users, Microsoft said on Friday.

This threat class has been a fact of life on the Android platform for years, as exemplified by a family of malware known as Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention has been paid to the techniques that such "toll fraud" malware uses. Enter Microsoft, which has published a technical deep dive on the issue.

[LFC]

Google really doesn't want to keep up with the competition on safeguarding people's personal information.

Chrome's browser competitors Safari and Firefox have both been blocking third-party tracking cookies used by advertisers, by default, for over two years now. Google, the world's largest advertising company, totally wants to match its competition and reduce user tracking; it will just take a little longer to do it. Google's latest blog post details the second delay to the shutdown of third-party tracking cookies. Google says it will now support the tracking method until "the second half of 2024."

Google explains the delay by saying, "The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome." Presumably, Google is talking about feedback from competing advertisers, not users.

[AnBr]

"The most consistent feedback"? That can only come from those that are abusing the tracking potential from Chrome. Problem is that Google has released code on sites they control that will lock up other browsers, specifically Firefox. Ever wonder why Firefox has trouble loading a YouTube page?

[LFC]

All 50 state AGs say they're going after the companies allowing an enormous number of foreign spam calls through. Good! Shut them down and drain their bank accounts.

Attorneys general from all 50 states have created an Anti-Robocall Litigation Task Force "to investigate and take legal action against the telecommunications companies responsible for bringing a majority of foreign robocalls into the United States," they announced yesterday.

In the task force's first action, it "issued 20 civil investigative demands to 20 gateway providers and other entities that are allegedly responsible for a majority of foreign robocall traffic," said an announcement from North Carolina Attorney General Josh Stein. The task force's formation was led by Stein and the attorneys general of Indiana and Ohio, the announcement said.

Stein cited data suggesting that "more than 33 million scam robocalls are made to Americans every day," such as "Social Security Administration fraud against seniors, Amazon scams against consumers, and many other scams targeting all consumers, including some of our most vulnerable citizens."

Robocalls bring in revenue

Gateway providers are responsible for ensuring that foreign traffic is legal but "are not taking sufficient action to stop robocall traffic," Stein's announcement said. "In many cases, they appear to be intentionally turning a blind eye in return for steady revenue."

The task force plans to "take action against phone companies that violate state and federal laws," focusing on "the bad actors throughout the telecommunications industry." Stein also previously sued a gateway provider called Articul8.

[LFC]

Nice try, Intel.

Intel’s latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company’s software guard extensions, the advanced feature that acts as a digital vault for security users’ most sensitive secrets.

Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.[SNIP]

Since 2018, researchers have poked at least seven serious security holes in SGX, some of which completely undermined the assurances Intel makes about them. On Tuesday, a research paper publicly identified a new hole, which also completely breaks SGX guarantees in most 10th, 11th, and 12th generation Intel CPUs. The chipmaker said it released mitigations that prevent the researchers’ proof-of-concept exploit from working any longer. The researchers will present their findings on Wednesday at the Black Hat security conference in Las Vegas.

On a side note, that's not the only hardware they're struggling with.

Almost a year ago, Intel made a big announcement about its push into the dedicated graphics business. Intel Arc would be the brand name for a new batch of gaming GPUs, pushing far beyond the company's previous efforts and competing directly with Nvidia's GeForce and AMD's Radeon GPUs.

Arc is the culmination of years of work, going back to at least 2017, when Intel poached AMD GPU architect Raja Koduri to run its own graphics division. And while Intel would be trying to break into an established and fiercely competitive market, it would benefit from the experience and gigantic install base that the company had cultivated with its integrated GPUs.

Intel sought to prove its commitment to Arc by showing off a years-long road map, with four separate named GPU architectures already in the pipeline. Sure, the GPUs wouldn't compete with top-tier GeForce and Radeon cards, but they would address the crucial mainstream GPU market, and high-end cards would follow once the brand was more established.

All of that makes Arc a lot more serious than Larrabee, Intel's last effort to break into the dedicated graphics market. Larrabee was canceled late in its development because of delays and disappointing performance, and Arc GPUs are actual things that you can buy (if only in a limited way, for now). But the challenges of entering the GPU market haven't changed since the late 2000s. Breaking into a mature market is difficult, and experience with integrated GPUs isn't always applicable to dedicated GPUs with more complex hardware and their own pool of memory.

Regardless of the company's plans for future architectures, Arc's launch has been messy. And while the company is making some efforts to own those problems, a combination of performance issues, timing, and financial pressures could threaten Arc's future.

[LFC]

DuckDuckGo is patching an issue that allowed Microsoft trackers to get through.

DuckDuckGo, the privacy-minded search company, says it will start blocking trackers from Microsoft in its mobile apps and browser extensions, and soon its desktop web browser, following revelations in May that certain scripts from Bing and LinkedIn were getting a pass.

In a blog post, DuckDuckGo founder Gabriel Weinberg says that he's heard users' concerns since security researcher Zach Edwards' thread that "we didn't meet their expectations around one of our browser's web tracking protections." So now the company's mobile browsing apps and browser extensions will add Microsoft to the list of third-party tracking scripts blocked from loading on pages, with the company's beta browser to follow next month. (Update: A DuckDuckGo spokesperson clarified the timing of the company's blocklist updates for different apps and extensions. Ars regrets the confusion.)

"Previously, we were limited in how we could apply our 3rd-Party Tracker Loading Protection on Microsoft tracking scripts due to a policy requirement related to our use of Bing as a source for our private search results," Weinberg writes. "We're glad this is no longer the case. We have not had, and do not have, any similar limitation with any other company."

[LFC]

The FTC is going after a massive data brokering company.

The Federal Trade Commission on Monday sued a data broker for allegedly selling location data culled from hundreds of millions of phones that can be used to track the movements of people visiting abortion clinics, domestic abuse shelters, places of worship, and other sensitive places.

In a complaint, the agency said that Idaho-based Kochava has promoted its marketplace as providing "rich geo data spanning billions of devices globally." The data broker has also said it "delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device."

The FTC said Kochava amassed the data by tracking the Mobile Advertising ID, or MAID, from phones and selling the data through Amazon Web Services or other outlets without first anonymizing the data. Anyone who purchases the data can then use it to track the comings and goings of many phone owners. Many of the allegations are based on the agency's analysis of a data sample the company made available for free to promote sales of its data, which was available online with no restrictions on usage.

"In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women's reproductive health clinic and trace that mobile device to a single-family residence," the complaint alleged. "The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user's routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services."

The FTC went on to allege: "In addition, because Kochava's data allows its customers to track consumers over time, the data could be used to identify consumers' past conditions, such as homelessness. In fact, the Kochava Data Sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers."

[LFC]

Oof! People bitch about the restrictiveness of the Apple Store but Google / Android just seems to get hit with one sneaky piece of software after another. There's clearly a trade-off.

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users’ browsing history and inserting tracking code into specific ecommerce sites they visited.

The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites.

The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased.

To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection. The extensions McAfee identified are:

[LFC]

The surveillance state is here and the police don't want to talk about it. The usual talking point from the providers concern police being short staffed. Somehow warrantless and continual tracking is the solution rather than, you know, funding police properly. After all those pesky warrants just get in the way and it's not like police would EVER abuse the system if they didn't have some level of oversight.

Much is known about how the federal government leverages location data by serving warrants to major tech companies like Google or Facebook to investigate crime in America. However, much less is known about how location data influences state and local law enforcement investigations. It turns out that's because many local police agencies intentionally avoid mentioning the under-the-radar tech they use—sometimes without warrants—to monitor private citizens.

As one Maryland-based sergeant wrote in a department email, touting the benefit of "no court paperwork" before purchasing the software, "The success lies in the secrecy."

This week, an investigation from the Electronic Frontier Foundation and Associated Press—supported by the Pulitzer Center for Crisis Reporting—has made public what could be considered local police's best-kept secret. Their reporting revealed the potentially extreme extent of data surveillance of ordinary people being tracked and made vulnerable just for moving about small-town America.

Reports showed how police in nearly two dozen agencies—one record shows the total figure could possibly be up to 60—use Google Maps-like tech called Fog Reveal. Licensed by Fog Data Science, Fog Reveal gives state and local police power to surveil what the company's marketing materials claimed in 2019 amounts to "hundreds of billions of records from 250 million mobile devices."

EFF found that Fog Reveal draws its data from Venntel, the same data source the feds use. Although neither company disclosed the nature of their business relationship to AP or EFF, it appears that because of their partnership with Venntel, Fog Reveal provides location data services to local police at a steep discount. This makes it more affordable for smaller police agencies and private security companies to access broad swaths of data and trace devices across months or even years.

Venntel provided Ars with the same statement it gave AP: "The confidential nature of our business relationships" prevents the company from responding to questions.

Typically, EFF found that police agencies have licensed the software annually for costs as low as $6,000 to $9,000. Some agencies were willing to spend more on the tech, though. Ars reviewed one annual contract in Anaheim, California, that was for more than $40,000.

It took the Electronic Frontier Foundation months and more than 100 public records requests to gather thousands of pages of evidence to compile a clear picture that shows how local law enforcement increasingly mines location data. Records showed Fog Reveal has been used in criminal investigations, including, as AP reports, "tracing the movements of a potential participant in the Jan. 6 insurrection at the Capitol."

Fog Data Science managing partner Matthew Broderick told AP that Fog Reveal has been critical to police to save time and money on investigations, suggesting police were under-resourced and investigations suffered from reliance on outdated tech. (Bloomberg reported that most cities increased local police budgets last year.)

"Local law enforcement is at the front lines of trafficking and missing persons cases, yet these departments are often behind in technology adoption," Broderick told AP. "We fill a gap for underfunded and understaffed departments."

An effort was made to reconstruct just what Fog Reveal provides. AFAIC this kind of data should NEVER be available without a warrant. Mobile phones are now part of our standard infrastructure and this is nothing pretty much a real-time, constantly active tracker on virtually ever phone in America.

Limitations aside, EFF's analysis showed that when police open Fog Reveal, the software appears and functions much like Google Maps. To launch a search, police can run two kinds of queries, an area search and a device search.

For area searches, police can draw circles or squares around areas as wide as 12 square feet or draw unique shapes to target specific buildings and pull up a "list of all cell phone location signals" within a specified area during a specified time. The list includes location, time, and device IDs.

Device searches give police the ability to input one or more devices, narrow down the time frame of their search, and see a list of locations where the device was used.

Examples of Fog Reveal maps that EFF replicated showed the eeriest extent police could trace a device path over time, watching someone's movements as a zigzag through a specified region and knowing where precisely that person was and when.

Cyphers concluded that "Fog's service allows police to track people's movements"—both broadly and specifically—"over long periods of time." Police can start by searching everyone in an area and then toggle to the device search to find out where people connected to those devices "live and work." This, Cyphers wrote, allows local police the same capability federal agencies have when serving geofence warrants to Google, without needing Google's permission or a warrant.

EFF couldn't verify all of Fog's claims about the service, but records showed that some devices being tracked by Fog Reveal could share data with the software as much as an average "several hundred" times per day.

[LFC]

A popular browser extension was purchased by a big company. That company has a less than stellar reputation.

Browser extension I don't care about cookies does one job and does it well. It automatically removes the annoying-but-mandated "This website uses cookies" notices from websites. People like it, donate to it, and don't ask more of it, a rare find for free software.

"Damn, this is the **** bro, it saved like 50 minutes of my gaming time lol," reads one review on the tool's Microsoft Edge Add-Ons page.

The tone changed when the solo developer posted "GREAT NEWS" on the extension's website. Avast, a giant in cybersecurity that just completed an $8.1 billion merger with NortonLifeLock, will acquire the 10-year-old software for an undisclosed price.

"I am proud and happy to say that Avast ... a famous and trustworthy IT company known for the wide range of products that help secure our digital experience, has recognized its value!," developer Daniel Kladnik wrote recently. Kladnik wrote that he would keep working on the extension, it would remain free, and asked for donations to cease.

Commenters on Facebook, Twitter, and the extension's various installation pages did not agree with Kladnik's characterization of Avast. "Congratulations on killing the extension! Avast is cancer on this planet," wrote a Facebook commenter. "The cure is now worse than the disease," wrote another. "Sad to see a great pop-up blocking extension being acquired by a well-known pop-up creating company," someone opined on the Chrome extension page.

There's always a certain amount of knee-jerk "uninstalling" reaction to software acquisitions, but an extension that handles cookie policy for you being acquired by Avast does raise some questions. (We've reached out to both Kladnik and Avast and will update the post with new information).

Beyond the general scale and scope of the recently merged Norton/Avast entity (cleared just four days ago), and long before it, Avast has made news for its history of data management.

Avast closed down data brokerage operation Jumpshot in 2020 after a joint investigation by Vice and PCMag revealed that its antivirus programs were selling browsing data to some of the world's largest companies, including Home Depot, Google, and Microsoft (and, disclosure, Ars Technica parent company Condé Nast). The data included Google searches, GPS coordinates on Google Maps, and searches on various sites, including YouTube and PornHub. Jumpshot touted itself as "the only company that unlocked walled garden data," and, in a now-deleted tweet, touted its ability to collect "Every search. Every click. Every buy. On every site."

In 2019, the creator of AdBlock Plus dug into Avast's Online Security browser extension (and a similar one from AVG, which Avast acquired). The extension was sending extensive details about the pages visited, activity on those pages, and other data that made de-anonymizing people fairly easy. Google soon after removed Avast and AVG's extensions from the Chrome Web Store.

In its mainline work providing security, Avast had one notable misstep in distributing a smaller software app it acquired. CCleaner, a tool for fully removing all the pieces of Windows software, was distributed by Avast while it contained malware. The malware, which allowed remote access and control with a seemingly legitimate signing certificate, was inserted by an attacker into CCleaner's update servers through another firm that Avast acquired.

They're apparently not all bad, but they definitely have a mixed history.

[LFC]

We don't know if this Russian company has actually done anything shady or illegal, but we do now know that the owner threw up a lot of obstacles to finding out where the company was really located.

A software company whose code is used in thousands of widely downloaded American apps has been pretending to be based in the U.S. when, in reality, it operates out of Russia, new reporting from Reuters shows. The company, Pushwoosh, used fake street addresses and even fake employee profiles on LinkedIn to create the illusion that it was headquartered in the U.S., according to the recent investigation, but the firm actually calls a remote city in Siberia home.

Reuters reports that, in both regulatory filings and on social media, Pushwoosh has consistently advertised itself as being based in the U.S. The firm provides contract support and software to a broad array of organizations, including “international companies, influential non-profits and government agencies,” the outlet reports. Pushwoosh’s code is used in at least eight thousand different apps currently available on the Google Play and Apple store.

Pushwoosh’s clients have even included the Center for Disease Control and Prevention (CDC), which, until recently, used the company’s code in at least seven different public-facing apps. The U.S. Army also contracted with the company.

However, the Reuters report seems to reveal a variety of shady tactics that see the company misrepresenting itself. Both the CDC and the Army ditched the company’s code after learning that Pushwoosh had misrepresented itself.

The company has made separate filings with the U.S. and Russian governments that provide conflicting information. In its filing with the state of Delaware, where Pushwoosh is registered, the company listed addresses in Washington D.C., California, and Maryland, and never characterized itself as Russian company. However, when it made similar filings with the Russian government, it stated that it was based in the city of Novosibirsk, which is located in southern Russia in the province of Siberia.

The company’s founder, Max Konev, has disavowed suspicions, telling the outlet that Pushwoosh “has no connection with the Russian government of any kind” and that he had not tried to hide the company’s origins. “I am proud to be Russian and I would never hide this,” he said.

In its marketing materials and on its website the company also listed a number of physical addresses based in the U.S. that Reuters says aren’t actually connected to the company. Reporters traveled to one of the addresses and found that it was the residence of a friend of Konev’s; the friend told the reporters that he had “nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.” The other address, which was said to be the firm’s “principal place of business” from 2014 to 2016, was for a residence in a California Bay Area town that local officials say doesn’t actually exist.

At the same time, the company created a raft of social media profiles for U.S.-based executives that are also fictional, Reuters reports. Konev claims that the fake profiles were created by a marketing agency in 2018 to “use social media to sell Pushwoosh, not to mask the company’s Russian origins.”

[goldenvalley]

Nov 14, 2022 22:23:47 GMT LFC said:

We don't know if this Russian company has actually done anything shady or illegal, but we do now know that the owner threw up a lot of obstacles to finding out where the company was really located.

At the same time, the company created a raft of social media profiles for U.S.-based executives that are also fictional, Reuters reports. Konev claims that the fake profiles were created by a marketing agency in 2018 to “use social media to sell Pushwoosh, not to mask the company’s Russian origins.”

Or both...  This is life in cyberland, the globally connected internet.  And just think of the many corporations that incorporate in Delaware where they have only a PO Box or ships registered in Panama when they don't even stop in Panamaian ports.  The corporate world has  done this a long time.

[AnBr]

Nov 14, 2022 22:31:16 GMT goldenvalley said:

Or both...  This is life in cyberland, the globally connected internet.  And just think of the many corporations that incorporate in Delaware where they have only a PO Box or ships registered in Panama when they don't even stop in Panamaian ports.  The corporate world has  done this a long time.

Not the same thing. You should realize just how many cyber threats originate from Russia. I would hazard that the vast majority do. China is bad, but not nearly as much as Russia.