Monday, September 26, 2022

Phishing Is Too Easy - 3

Last week I received another traditional phishing email; apologies for the lack of images, but my email account is set up not to load externally hosted pictures. Here it is, with my address removed:

Phishing email disguised as an invoice with an attached PDF, pretending to come from Norton

Yes, this is pretty much a variation of the last one I commented on months ago, namely:

  • It is an invoice for some product; in this case it purports to be for some kind of Norton product.
  • It creates a veil of credibility by alluding (blue box), in a rather half-assed way, to being related to a real company. Note it claims to be "Norton Support LLC," and I have no idea who that may be. Since the average person has probably heard of Norton, which sells an antivirus and other security products, it is easy for said person to associate the two.
  • Still on the credibility front, the sender address is supposedly from QuickBooks (I did not bother to check the headers). Yes, a large company like Norton would not be using QuickBooks to send its bills. However, if you have to deal with purchasing you have probably seen invoices from smaller businesses which use the online QuickBooks site; when they send their invoices, the invoices will have "<>" as the email address. But we would hope they would look more like "Something Of Doom LLC <>" instead of "Intuit E-Commerce Service <>"; I think the latter is not the default value, but it sounds credible enough.
  • To create urgency, the invoice is for $800. That will make someone's heart beat a bit faster and make them immediately want to open the attached PDF file (red box) to find out what this invoice is all about. This is a bit lazier than the last phishing email we posted about, as some mail services will disable attachments with macros in the hope of blocking malicious payloads. However, most mail services do not do that; mine could not be bothered and told me that if I want to see it, and be properly infected, I need to have Adobe Acrobat Reader (green box). Since my mail service does not automagically open anything, I have some extra time to read the email and decide what I want to do next.
  • It provides a phone number which may be tied to the phisher (VoIP?), so if the frantic recipient of the email calls, the phisher (we called him Peggy in the last phishing post) can then social engineer his way into the victim's computer.
  • The return address is a typical quasi-randomly created Gmail one; they could not be bothered with making it sound like it came from a billing department as it claims to be.

How effective is it? I think it depends on what people focus on. The phishers hope their marks will see the value of the invoice -- $800 -- and immediately open the PDF to find out what is going on. The best thing to do here is stop -- but not stop/drop/roll, as you are not on fire -- whenever you see something suspicious, especially when it claims to be urgent. Then ask yourself whether you expected an invoice from Norton. Then look at the email addresses and see whether they look suspicious.
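The tells listed above can be checked mechanically before anyone's heart starts racing. The following is an added example, not code from the original post: it parses the From and Reply-To mailboxes, looks for a brand name that the sending domain does not carry, a free-webmail Reply-To, a dollar amount, a document attachment and a callback number, and turns the result into a triage verdict. The two sample messages, the domains and the phone number are all constructed for this example; the `WATCHED_BRANDS` list is an assumption about which vendors the recipient actually does business with.

```javascript
// Added example, not part of the original post: a defender-side triage of a
// few mail headers, flagging the tells the post lists (brand in the display
// name that the sending domain does not belong to, a free-webmail Reply-To,
// a dollar amount, a document attachment, a callback number). Every header
// value below is constructed for this example; the domains are not real.

const FREEMAIL_DOMAINS = new Set(["gmail.com", "yahoo.com", "outlook.com", "hotmail.com"]);
// Brands the recipient would expect genuine invoices from (assumed list).
const WATCHED_BRANDS = ["norton"];

// Parse "Display Name <user@domain>" or a bare "user@domain".
function parseMailbox(value) {
  const m = value.trim().match(/^"?([^"<]*?)"?\s*<([^>]+)>$/);
  const address = (m ? m[2] : value).trim().toLowerCase();
  const at = address.lastIndexOf("@");
  return {
    displayName: m ? m[1].trim() : "",
    address,
    domain: at === -1 ? "" : address.slice(at + 1),
  };
}

// Return the list of indicators found in one message's headers and attachments.
function triageEmail(msg) {
  const findings = [];
  const from = parseMailbox(msg["From"] || "");
  const replyTo = msg["Reply-To"] ? parseMailbox(msg["Reply-To"]) : null;
  const subject = msg["Subject"] || "";
  const body = msg["Body"] || "";
  const attachments = msg["Attachments"] || [];

  // Replies are routed away from the sending domain.
  if (replyTo && replyTo.domain !== from.domain) findings.push("reply-to-domain-mismatch");
  // A "billing department" that answers from a free webmail account.
  if (replyTo && FREEMAIL_DOMAINS.has(replyTo.domain)) findings.push("reply-to-freemail");
  // A brand named in the display name or subject that the sending domain does not carry.
  const claimed = `${from.displayName} ${subject}`.toLowerCase();
  for (const brand of WATCHED_BRANDS) {
    if (claimed.includes(brand) && !from.domain.includes(brand)) findings.push(`brand-spoof:${brand}`);
  }
  // Urgency lever: a dollar amount in the subject or body.
  if (/\$\s?\d[\d,]*(\.\d{2})?/.test(`${subject} ${body}`)) findings.push("dollar-amount");
  // A document the reader is told to open.
  if (attachments.some((n) => /\.(pdf|docm?|xlsm?|zip)$/i.test(n))) findings.push("document-attachment");
  // A phone number to call "for questions" (North American format only, for brevity).
  if (/\b\d{3}[-. ]\d{3}[-. ]\d{4}\b/.test(body)) findings.push("callback-number");
  return findings;
}

// Identity-related findings alone are enough to call the message suspicious;
// an invoice with an amount and a PDF but a consistent sender is just an invoice.
function riskLevel(findings) {
  const identity = findings.some((f) => f.startsWith("reply-to-") || f.startsWith("brand-spoof"));
  if (identity) return "high";
  return findings.length > 0 ? "review" : "none";
}

// Constructed sample mirroring the email in the post (no real addresses or numbers).
const SUSPICIOUS_INVOICE = {
  "From": "Intuit E-Commerce Service <quickbooks@quickbooks-notify.example>",
  "Reply-To": "billingdept.a8f2k1@gmail.com",
  "Subject": "Invoice 2291 from Norton Support LLC",
  "Body": "Your invoice for $800.00 is attached. Open the PDF with Adobe Acrobat Reader. Questions? Call 800-555-0100.",
  "Attachments": ["Invoice_2291.pdf"],
};

// Constructed sample of an ordinary small-business invoice, for contrast.
const ORDINARY_INVOICE = {
  "From": "Something Of Doom LLC <invoices@something-of-doom.example>",
  "Subject": "Invoice 17 from Something Of Doom LLC",
  "Body": "Thanks for your order; the $120.00 invoice is attached.",
  "Attachments": ["invoice-17.pdf"],
};

console.log(triageEmail(SUSPICIOUS_INVOICE), riskLevel(triageEmail(SUSPICIOUS_INVOICE)));
console.log(triageEmail(ORDINARY_INVOICE), riskLevel(triageEmail(ORDINARY_INVOICE)));
```

The point of `riskLevel` is that an amount and a PDF are normal for a real invoice; what separates the phish is that the name on the tin, the sending domain and the reply address all disagree with each other, which is exactly the "look at the email addresses" step above.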

Remember: phishers are lazy, and they hope you are equally lazy!

Saturday, September 17, 2022

There and Back again: DEFCON 30

Second slide in the workshop reminds the audience we had put instructions on github for what to do before attending the event.

No, I did not postpone posting about my trip to DEFCON30 until now because I did not have anything to post this month. The truth is I was slacking. There, I said it.

This will be a bit of a post mortem of our workshop. Will this post have any useful info? Don't hold your breath; what I can promise is there will be many opportunities to laugh at our expense.

The Plan

For those who read the announcement for our workshop at the Crypto and Privacy Village, you know that there are two authors -- Matt and yours truly -- who put together the mess without killing each other; the fact we had half a continent between us probably helped.

Originally, the plan was to start with an explanation of why this phone privacy thing was so important and then show how to do it. Ideally people would have read the announcement, followed our instructions, and shown up with a phone ready to be configured. While one of us was on the podium, the other would be helping the audience.

After we had the entire workshop done and did a few dry runs, we started thinking: how many people would bring a phone that meets the requirements? Probably not many -- not many people have spare phones that can take CalyxOS or LineageOS in their kitchen drawer -- and we would not be able to bring enough loaners, as all the resources in the workshop were coming out of our own pockets. We could just shrug it off and tell people "Hey, you did not bring a phone, so we will bore you with screenshots."

Thing is, we had taken a lot of screenshots of everything we would be showing in the phone, in case we would not be able to share the phone screen or point a camera at it. So, this was an option but we felt that would detract from the workshop; instead of being something interactive it would be no better than watching a video.

We needed a plan B.

What if we provided an emulator? It will not do everything a real phone can, but it will allow the audience to follow along on their laptops. Since we were going to focus on CalyxOS (we had only an hour to run the entire workshop; compromises had to be made), we decided to create that image, make it available somewhere, and then update the wiki with instructions on how to use it. We also asked the Crypto and Privacy Village (CPV) people to add a single line to the workshop announcement, indicated with a green line in the picture below, to tell people they should install Android Studio on their laptop.

Workshop announcement, with the line 'Alternatively, a laptop with Android Studio installed' added to it, indicating you may want to install it if you do not have a phone to use in the hands-on bit

The plan was to have everything finished two weeks before the event and then take the last week to practice, and ensure we had a reliable way to hand out the emulator images.

Things did not happen according to the plan.

Matt was able to go to DEFCON from the beginning of the event; I do not know if he was also able to stop by BSidesLV. I, on the other hand, was a bit more time constrained: I took the first flight on Friday and was going to return on Saturday after the workshop. In any case, we were going to try to attend as many events and talks as possible, and meet up with people we had not seen in ages. I also planned on volunteering at the CPV.

What really happened?

  1. Building the CalyxOS phone image was not as smooth as we hoped for. In plain English, I could not make it work. I had no issues building LineageOS ones in my docker build environment -- if someone reminds me I can post instructions on how to do that later -- but CalyxOS was fighting me all the way. Fortunately we were working in parallel and Matt was able to make it work.

    I will let Matt post how to create the CalyxOS image with all the apps already installed on his blog, as he is the one who made it work. In fact, it worked so well that he used it instead of a real phone during the hands-on part of the workshop.

  2. We spent too much time trying to come up with a clever way to deploy the phone image. After days of frustration we came up with a simpler way to do that, wrote the docs that worked whether you had a Linux, Mac, or Windows laptop, and put it with the image.
  3. The emulator stopped working. I do not know why but it went on strike. More frustration ensued. Was it the emulator itself or the image? Once again Matt rose to the occasion and made it work.
  4. We also found out it would take too long to download the image we built using the DEFCON public network. Fortunately we had a bunch of USB drives and decided to put the image and instructions on each of them, formatted with a Windows file system so all three OSes could mount them.

There are probably more things that went wrong, but I cannot think of them right now. Bottom line is we spent most of the time that week working on these bugs. And, we made it work.

The CPV people did a great job. Everything was working smoothly on their side. I did most of the overview and then Matt took over for the technical part:

Matt Nash presenting the hands-on part of the workshop. Audience is spaced out following the social distancing requirements

You will note in the above picture that the audience (the picture was taken from the back out of respect) set some chairs apart for social distancing's sake. I then came back to the podium, sporting one of my favourite shirts (bonus points if you recognize it), with the final comments, and we then took questions. After it ended, Matt was surrounded at the podium by members of the audience for a long while until the DEFCON Goons kicked us out.

Mauricio Tavares on the podium spreading lies and misinformation while sporting the classic Oregon Trail shirt.

Thank you for all the fish

  • Avi Zajac and the rest of the Crypto and Privacy Village crew for not only having us there but making the event possible. And the badge. And the shirt (I am afraid of wearing it out because it is nice). And keeping the Goons at bay. And the sticker!
  • The NCC Group for mentioning us in its August announcement.
  • DEFCON for, well, being DEFCON. I do wish I had more time to see it all this year instead of being in a hotel room trying to get it all working. But it was all worth it in the end.
  • CalyxOS for trying to make a more secure and private Android distro easier to install. There is more around this line item, but I am getting ahead of myself.

Wednesday, August 31, 2022

Good Cookies, Bad Cookies, and Privacy

Cookie "banners" are a particular pet peeve of mine. As in, don't get me started or I will be on it for hours if not days on end. So, I will struggle a bit to get this short enough so as not to kill any reader with boredom. I am not claiming I will accomplish this goal, so you have been warned.

I should also warn that this article has been in the making for months; I collected a lot of real samples, and I need to cover the names of the companies to protect the guilty. If you recognize the site by looking at the cookie policy form, smirk and keep it to yourself.

So, are cookies bad?

That is an oversimplified question. Cookies are used to track what users are doing on a website, and that may mean storing some personal data not only of site users but also of visitors. Some of these have very valid and important applications, like ensuring users can authenticate and are the right people to access a given resource, like their bank accounts or repository of cat videos. Then we have the ones companies are interested in, such as:

  • Which pages users are going to and spending most of their time on. That may help them figure out which content -- primarily cat videos -- their audience seeks and which ones they are avoiding. Or find out whether a given page is too convoluted, causing visitors to spend too much time and frustration on it. I can see why anyone wants to provide a website that does not suck.
  • Which products or keywords they search for. This may indicate which product lines the websites need to be providing and which ones may be taken down.

None of these are really needed to provide a service to users, so GDPR would say you must ask the visitors if they give you consent (Articles 6, 7, and Recital 32) to collect said data, and provide a way for them to withdraw their consent. CCPA and CPRA are less restrictive, having a set of thresholds (selling personal information of more than 50,000 Californian households, or making more than half of its annual revenue selling that data) before they are applicable, and providing a get-out-of-jail-free card (Art.9(2),e).

The Good

  • Let's start with a nice bright example of someone who respects the privacy of its website visitors.
    It is written in plain language, gives a quick blurb on what it is being used for, and allows the user the choice to accept all the cookies, deny all of them, or do something in between (which leads to a more itemized list you can enable item by item).
  • The next one, from one of the European Union's official websites, is not as nice but at least they are trying.
    Why am I not impressed with their banner? Because it is an all-or-nothing, without a proper explanation, and mentions these "essential cookies" (is this like "essential oils?") without explaining them. Yes, if you click the link explaining how they use the cookies you realize they are not out to suck you dry of your private info, which is why it is listed here. But, I think they could do a better job given the resources they have.

The Bad

This list is but a tiny sample of my fun collection. Still, get the popcorn.

  • First we will start with one that is on the slippery slope as far as GDPR is concerned. It mentions sharing collected data with "trusted third parties." Who are they? Google Analytics? We have talked before about how you can no longer use it on a site that is accessed by European residents.
  • We really should just get serious and look at an example of conning the user. For convenience, I highlighted the relevant wording in their privacy note.
    First we have "This information might be about you" (red), which uses the word "might" to imply that it is ok because maybe the information is really not about you. Well, knowing your IP (considered personal data by GDPR), OS, browser, and other facts that we will not go over here (username?) suffices to uniquely identify you. If you use the same computer later without bothering to run a VPN, they will know you are back... especially if from home, as your external/public IP rarely changes, if at all. But then they smother your worries claiming that "the information does not usually directly identify you" (blue). It is personal data already, sunshine.
  • Here is one from a bank that prides itself on having branches in many countries across the world.
    At first I thought the following cookie banner was just for the American market, but when connecting from Japan and Europe I still was "welcomed" by the very same banner; I do not need to say what that means. I have a ton of other examples following the same pattern, but I think we only need one to get the idea.
  • This one is a variation of the bank banner we saw earlier, seen on the website of a professional society. I would not have posted it if it did not have one single word: consent.

    I must assume the reason this specific term was used is because of the language in GDPR; specifically, Article 7 states that if you do not have a legal reason to collect personal data, you must obtain consent from the user, who must freely give it. They seem to believe that by having the word "consent" in the banner, they satisfied this GDPR article. However, if the only option is to surrender your private data, this consent is not freely given. Nor can it be easily revoked.

    "But," one can argue, "you did not consider that they are probably an American-based society which does not cross the CCPA requirements by keeping the number of Californian households under the limit." How would that work? Geolocating may be hard: one of the VPN services I use has servers in California; there might be other services with servers somewhere else in the US being used by Californian citizens. Given the banner you are seeing, how would you distinguish the two cases? And besides, if this is an international (they hope they are, as one of the letters in their name stands for that) professional society, GDPR, LGPD, and APPI, just to name a few, are bound to be triggered. I did my Western Europe test, and it did not switch to a GDPR-compliant cookie banner.

The Sleazy

Now we get to the really special ones, the ones that decided laughing at the privacy rights of individuals was not enough; they had to make a point.

  • The first jewel is what I call a BannerWall: you cannot use the website until you click on the only option ("Accept"), so site owners can then say "Here! The user consented to us collecting all personal info. We have the log showing the Accept button was clicked!" Hopefully you do not need to use this site, so you can just close your browser and find some other place with similar information but more privacy conscious.
    Looking at the screen capture, do you know if "Privacy Policy" and "Terms of Service" are links? No? You are not alone. Can you say hiding in plain sight?
  • But, what if you have to use the website? For instance, what if you need to log into the site to pay your utilities or rent, and they do not offer another way (mail or in person) to make said payment? Can you say coercion?

Don't Be That Guy

  • Instead of having your site collect personal data based on the location of the site visitor, assume they are all coming from the EU and build it for that, as it is one of the more restrictive regimes. Make your life easier, whether your website is a commercial or an educational/research one; we covered that a while ago.
  • What is wrong with asking users if it is ok to collect their data and tell them how you are going to use it without vague words? And by that, ask properly, not like the no-real-option seen in some of the examples above.
  • Document everything, logs included, because the world is changing and you may be audited or even fined for non-compliance. Remember, you do not need to have suffered a personal data breach before a GDPR Data Protection Authority takes legal action against you. Don't believe me? We commented on some cases earlier this year. All that is needed to get that avalanche rolling is for someone to file a complaint.
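What the three points above look like once they leave the slide deck, as an added example that is not code from the original post or from any of the sites shown: every visitor is treated as if GDPR applies, every non-essential category starts out denied, a cookie that was never declared in the inventory is refused outright, withdrawal is a single call, and each answer to the banner produces a record with the policy version and timestamp an auditor would ask for. The category names, the cookie inventory, the policy version, the timestamps and the `bannerProblems` input shape are all assumptions made for this example; no DOM is used, so it runs as-is under Node.

```javascript
// Added example, not part of the original post: the consent bookkeeping behind
// a banner that follows the advice above. It treats every visitor as if GDPR
// applied, starts with every non-essential category denied, refuses cookies
// that were never declared, and keeps an auditable record of what was asked
// and answered, including withdrawal. The category names, cookie registry,
// policy version and timestamps are assumptions made for this example.

const CATEGORIES = ["essential", "analytics", "marketing"];

// Which cookie belongs to which category: the documented inventory an audit
// would ask for (assumed entries).
const COOKIE_REGISTRY = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",
  ad_click_id: "marketing",
};

// A visitor who has not answered the banner: only essential cookies are allowed.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false };
}

// The record to log when the visitor answers. Only categories the banner
// offered can be granted; anything else is a bug and is rejected loudly.
// "essential" needs no consent and cannot be opted out of, so it is ignored here.
function recordConsent(choices, policyVersion, timestamp) {
  const granted = defaultConsent();
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
    if (category === "essential") continue;
    granted[category] = value === true; // anything but an explicit true stays denied
  }
  return { granted, policyVersion, timestamp, withdrawnAt: null };
}

// Withdrawal must be as easy as giving consent: one call, everything non-essential off.
// The original record is left untouched so the log keeps both events.
function withdrawConsent(record, timestamp) {
  return { ...record, granted: defaultConsent(), withdrawnAt: timestamp };
}

// The single gate every cookie-setting code path goes through.
function mayPlaceCookie(name, record) {
  const category = COOKIE_REGISTRY[name];
  if (!category) return false; // undeclared cookie: not documented, not allowed
  return record.granted[category] === true;
}

// Check a banner description against the patterns the post criticises.
// `banner` is an assumed shape: { buttons: [...], blocksPage: bool, explainsPurpose: bool }.
function bannerProblems(banner) {
  const problems = [];
  if (!banner.buttons.includes("reject-all")) problems.push("no way to refuse");
  if (!banner.buttons.includes("customize")) problems.push("no per-category choice");
  if (banner.blocksPage && !banner.buttons.includes("reject-all")) problems.push("banner wall");
  if (!banner.explainsPurpose) problems.push("purpose not explained");
  return problems;
}

// Constructed walk-through: a visitor accepts analytics only, then withdraws.
const answered = recordConsent({ analytics: true, marketing: false }, "policy-2022-08", "2022-08-31T12:00:00Z");
const withdrawn = withdrawConsent(answered, "2022-09-01T09:30:00Z");
console.log(mayPlaceCookie("_ga", answered), mayPlaceCookie("_ga", withdrawn));
console.log(bannerProblems({ buttons: ["accept"], blocksPage: true, explainsPurpose: false }));
```

Two design choices carry the weight here: the default state is "denied", so a banner the visitor ignores grants nothing, and `mayPlaceCookie` refuses any cookie missing from the inventory, which forces the inventory to stay complete and gives you the documentation the last bullet asks for as a side effect.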

Wednesday, August 24, 2022

Measuring Company Reputation

One of the bullet points in the (ISC)2 Security Domain 1 (security and risk management) is risk analysis (yes, you with the beard in the back row, that would be under NIST 800-53r5 Security Domain 14). There are many ways to define it, but I will be lazy and steal the definition from NIST 800-160 because it is short and to the point:

Risk Analysis is the process to comprehend the nature of risk and to determine the level of risk.

We can subdivide this analysis into two groups based on the criteria we use in the decision process: quantitative and qualitative analysis. Without going over the details, the bottom line is a lot of people ignore qualitative analysis because it does not directly tie into money: how can you ask executives for funding if you cannot provide a proper cost-benefit analysis? For instance, if you are asked to measure and tie to the yearly budget, say, your company's reputation (a topic picked out of the blue which has absolutely nothing to do with the title of this article), what would you do? After all, this is the typical topic qualitative risk analysis is built for.

The answer is we can quantify it if we look at it in an indirect way. If you think about it, company reputation can be "itemized" by the things that affect it:

  • Your cyber insurance, which is affected by how good the insurers think you are at protecting your assets. So you can say "since we have not been breached in X years and we have a great security policy which is enforced and audited, our insurance is lower than our competitors'." Can you see how close this narrative now is to the one associated with the Annualized Loss Expectancy (ALE)? You may be able to ask the insurers to explain how a recent loss of personal data will affect the premium. There are no guarantees they will talk, but there is a compelling argument to work together to decrease their risk.
  • Customer confidence, which is affected by how many data breaches you had, how you handled them, and how you deal with the customer's data. This can be estimated by investigating the decrease of sales of other companies due to loss of personal data including credit card info. People vote with their wallets, and their letters to elected officials.
  • Your suppliers' confidence in you, which determines whether they will provide you with discounts, lower interest, and longer terms to pay your orders. If they do not trust you, they may say any bill is due on receipt. That affects cash flow in a very definite way.

Each of these, at the end of the day, affects the bottom line ($), which is what matters to upper management.

Sunday, July 31, 2022

Phone Privacy at DEFCON 30!

So our workshop on smart (I will keep a straight face here, just saying) phone privacy was accepted by the Crypto and Privacy Village at DEFCON 30. If you are there, we will be presenting it on Saturday, Aug 13th. As it will be only one hour, we strongly recommend first following the instructions in the co-author's GitHub-based wiki; this link is also in the official DEFCON announcement, but it is so important we would rather mention it a few times.

So, what is it all about?

Short version: how to make your smart phone more private and why you should care. I could elaborate on that, but this post is not about the contents of the workshop: go watch it and find out!

Anything useful you want to tell us?

People have told me I have some kind of fixation with bullet points; let's not disappoint them, shall we?

  • No pictures will be taken with my phone; I will be bringing a camera -- an ancient but trusty Canon ELF -- to take some pictures of the event. Yes, compared to modern smart phones its resolution is pathetic. But it has a real zoom, using real lenses, has no understanding of wireless file transfer (great during DEFCON), and does not keep you up at night when the vendor stops creating patches for it. As this is a real camera, not a smart phone, the pictures will not be posted in real time.
  • I was comparing our abstract with the other presenters' and realized ours is gigantic by comparison! This is not a size competition, and I realized it may end up being a bit of a turnoff. But there is some logic behind the madness: we really wanted to make sure people knew what to expect and that they need to prepare for the workshop. Which leads to...
  • The "talk" part of this workshop will be rather short because the main dish is the hands-on part.
  • If you want to get your hands dirty, bring an Android phone. Its two main requirements are:
    • A phone you are fine if it is bricked. That can happen. And, you can find out if it does brick before attending the event because we put the setup instructions in the wiki.
    • Ideally, you want to have a phone such as a Google Pixel (3 and above), OnePlus, or Fairphone. The main reason is that a lot of Android phones have a closed-source "blob" of code that is only updated for a brief period of time (a year? A week?), until not long after the replacement hits the shelves. However, we are not saying "for best experience you should have bought the latest $1000 phone" (bonus points if you know where I took that from). We do think everyone should be able to strive for a privacy-focused phone (sounds like a tag line for a product, eh?). In fact, we will have a Pixel 4 to show things, but a Pixel 3 will work just fine and can be found for around $50 if you look hard enough. When I checked this morning, a used Pixel 4 was hovering around $100.
    • FYI, I have issues with the Google Pixel phones, primarily how hard they are to repair.
  • I would love if we could make the phone fully private from a GDPR (we tend to mention it a lot in this blog?) standpoint, but that won't happen. Compounding that, some countries do not take your efforts to protect your privacy in your phone very kindly.
  • I really would like to thank the Crypto and Privacy Village for having us. This may sound like the typical fake message you associate with Facebook and LinkedIn, but for a change it is real. One of the hints is that I am not starting this thread with "I am excited that;" the truth is that we have been working hard and long hours on this and the CPV crowd have put up with all of our stupid questions and rewrites and whatnot. And have not tried to strangle us!

Dude, I have an iPhone! What should I do?

Dude, I have no clue; I do not have an iPhone to research on!

Saturday, July 30, 2022

The private life of a privacy screen

Let's say you have a laptop which you take to libraries, coffee places, and other public locations to get fresh air and inspiration while you write away a new article or piece of code. How do you keep what you are doing to yourself?

You in the corner who said "VPN" (when you think aloud, you do think aloud), you are right. That helps with the network connection. But what about keeping the prying and curious eyes of the other customers of the same establishment off your screen? Yes, this time the answer is the privacy screen, which has not only been around for decades but is also the name of this post.

How good is a privacy screen

Some are really useless. I remember one when I was in college that was so bad the person using the computer could barely see what she was doing. It was just a step above bolting a steel plate to the front of the monitor; I guess if you, the user, cannot see what you are doing, the same happens to the potential attacker, who then has to rely on keylogging and scanning the screen contents using software.

Others work well enough to be useful within some limitations. Case in point is the one I will be test driving today. Its brand is... well, I have no idea. I found it beside the trash can in an office once. It is one of the common polarized ones and had no scratches nor too many fingerprints on its surface. As it was larger than the (old) laptop monitor I wanted to use it on, I grabbed it. And then cut it to size and secured it using Scotch tape (I am calling the brand out here because that is the roll I have).

It is one of those garden-variety polarized screens, which blocks the light if you move too far from being perpendicular to it. How far must you move from looking straight at it before the privacy part of the privacy screen is "engaged"? It depends on the make. Let's see how it works by simulating the kind of situation that can happen anywhere.

  • Here is a picture of it installed on the test laptop, which is currently set up to replicate that of Mort Villanous, an aspiring supervillain who is in some public library writing his current world domination plot. In fact, this would be the point of view of our evildoer-in-the-making. Note the tape on the corners of the privacy screen.

    From his point of view, he can clearly see the screen and, as a result, work on his important and secret document. The eagle-eyed members of the audience may have seen my exclusive and expensive camera cover; I will try to provide a link to it later on. But if you have to ask how much, you can't afford it.

  • Next let's pretend we are Tom Goodfellow, secret agent tasked with observing what villanous things our villanous villain, Villanous, is up to. Wearing his trademark 30 gallon white hat, chaps, and 7 Gold Chains of Virtue, he discreetly approaches Mort from the right; this is what Tom sees.
    From his current point of view, the laptop looks as if it is turned off, as the surrounding background is reflected on its back screen. That won't do.
  • Knowing Mort has not noticed him yet, Tom heroically slides a bit closer to the aspiring villain. This time the privacy screen proves no match to the hero's eyes, as at this angle it exposes a hint of an evil deed in the making, namely a document is open and being worked on: he can see there are words written using different font sizes, but he still can't read them. These clues tell Tom he is dealing with a polarized privacy screen!
  • Emboldened with confidence and knowledge of how this kind of screen works, our hero inches even closer to the villain. And he is rewarded by finally being able to begin reading the contents of the document!
    Unfortunately, the secret agent made the typical hero's mistake. Being a bit myopic, he leaned too far towards the computer. As a result Mort Villanous not only heard the gentle clanking of the secret agent's gold chains as they touched the table, but also felt them crushing his arm. Now aware of the presence of his enemy, Mort immediately closed the laptop, shouted "do you mind?" ignoring proper library etiquette, and walked away.

Moral of the Story

Whether you are plotting to rule the world, or just trying to read email in peace at a public location, getting a privacy screen is not a bad idea. However, test it first to see how large its "non-private" region is, so you can plan where you will be sitting and what will be behind you.

Thursday, June 30, 2022

You may Unsubscribe, but give me your Personal Data

I signed up for some online three-hour class two weeks ago. It was good, and the instructor did end it with the usual upsell you expect in some of these classes. I cheerfully turned it down.

Also as expected, I started receiving emails from this instructor about new classes and programs. I ignored them for a week until last Monday, when I decided I was getting too many sales emails from him and wanted to cut it down. So I clicked on the "click here to unsubscribe from this list," which is a trackable link, as expected: I would expect the link to know I am the one who wants to be removed from that list.

Well, the link led me to the following page; I did remove the top banner identifying the 3rd party company being used, and my name and email, which were automagically autofilled. But below is what the form looks like in all of its glory:

This form caused a few questions to pop in my head:

  1. Why is there no reference to the instructor, his business, or something that refers to the mailing list? It is not like I erased that before posting. This sure looks like a great phishing page, but what do I know?
  2. Note that it asks for my address and phone number. Why does it need that? I mean, when I signed up for the class I did not need to provide either; so why now?
  3. Who is collecting this information: the instructor or this third party?
  4. Why is it called Update Information? I am here to unsubscribe to a mailing list!
  5. Why is a button called Update Information the default choice in a page you supposedly use to leave a mailing list? This is a classic example of Dark Pattern in use, steering the user to select a less privacy conscious option.
  6. Why would I want to update personal information to unsubscribe from a mailing list? In fact, let me put on my GDPR hat and say there is no lawful case for this form to collect (and process) personal data beyond email (Articles 5 and 6, and Recital 39). I have belonged to many mailing lists that either require just the email or a username/password pair to leave them.
  7. Given there is no lawful case to collect the personal data mentioned in the previous question, the only other option is consent. GDPR Article 7 is very particular about how consent should be given and taken away. Is this form's request for consent presented in a clear manner, distinguishing it from other items in the same form (Art 7.2)? And does it indicate a way to withdraw this consent in a manner that is easy to do (Art 7.3)? Finally, is it freely given (Art 7.4)? Looking at the form I have no idea if I am freely giving it or am required to, so the answer is no.
  8. Besides the company's banner, which is not a link to their website, and the buttons below, is there a way to interact with this website (say, to contact someone) and its owner? As far as I can see, none.

Given all the questions raised above, it seems that the safest and most privacy-conscious way to leave this mailing list is to tell my mail client to label any future email from that list as spam.

Moral of the Story

If you are going to provide some kind of mechanism for people to unsubscribe from your newsletters, please keep it simple, clear, and transparent. If it also doubles as a way for users to update their info, label what is required for unsubscribing and what is used for updating profile/account info. And do not try to sneak in the collection of personal data.

Thursday, May 26, 2022

Children's Right to Privacy, Education, and COVID

"Never let a good crisis go to waste" Sir Winston Churchill
road sign-based School Children watched by cameras. Copyright 2022 Mauricio Tavares, Privacy Test Driver

Cases where educational institutions in more technologically advanced nations used third-party apps to monitor students are not new. The first one that comes to mind is from 2010, when a Pennsylvania school district was sued for turning on the cameras in the laptops it issued to students. If we fast forward to these post-GDPR times, when data privacy is rising in importance among businesses and governments, we find this habit is still alive and well:

Yesterday Human Rights Watch announced the completion of a global study, run between March and August 2021, on privacy and online learning platforms. The study considered 164 education technology (EdTech) products -- websites, apps installed on laptops and phones, etc. -- used in 49 countries. Its conclusion is that most of these products either put children's privacy and other rights at risk or directly violate them. At best, this data is being sent to companies that collect and sell personal data: AdTech companies.

To understand the impact of these findings, we should take a look at the list of 49 countries that were subject to this work. It contains countries which are supposed to have strong privacy laws:

If we were to pick one, GDPR, we see it specifically describes not only what constitutes a legitimate case to process data (Article 6), but also when to get consent to collect said data (Art 7 and Recital 32), how to deal with children's consent (Art 8), and what needs to be considered when handling children's personal data (Recital 38). In other words, there were laws and regulations in place to protect this data. So, why did that not happen?

When the mandatory COVID lockdowns started, schools switched to online means of presenting their lectures to their students. Some schools were already prepared -- they already had an online system in place -- but the majority had to struggle to find a solution. With the help of their governments, they selected the EdTech products they thought were best suited to their requirements. In their hurry, they did not do a proper Data Privacy Impact Analysis on these products, especially as applied to children's personal data. And these programs require children to surrender their personal data, or they will be reported as absent and possibly dropped out of school as a result.

We do not know if this data collection code was accidentally added to the app or not, but we think the solution is simple: the EdTech companies have to

  • Ask the children (and their parents) for consent. And by that we do not mean the implied consent common in badly written software, but proper consent as defined in GDPR Articles 7 and 8.
  • Be transparent about how the collected personal data is to be used.
  • Ensure their applications' features still work even if consent to use biometrics is not provided. In other words, there should be an alternative authentication method. From a programming best practices point of view, this means abstracting the authentication instead of having its code intertwined with the rest of the program. That also means it can be updated to the next technology. Good programs do this already.
If students (and/or their parents) choose not to allow their biometric data (facial recognition in this example) to be used, they should not be penalized (reported as absent), and the school must provide another, less intrusive, means of identification. It also needs to explain to vendors that not being able to offer an alternative authentication system will seriously hurt the chances of their online educational product being selected. COVID is not an excuse to suspend children's privacy and security.

Monday, May 23, 2022

Got my Freaky Dolphin

So, I too received my Flipper Zero, after waiting almost a year from the time I joined the original group buy. I have already started playing with it, but that will be the subject of another post. For now you will have to make do with its glorious pre-8bit artwork.

Thursday, March 31, 2022

Facebook, Ireland, and GDPR inconsistencies

Early this month Meta Platforms, Facebook's parent company, was fined € 17 million by the Irish Data Protection Commission (DPC) after the DPC concluded the American business failed to comply with GDPR requirements in 12 breach notifications between June and December of 2018, which affected 30 million Facebook users.

Meta has downplayed the severity of the violation in an emailed statement:

"This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people's information."
However, this lack of "record keeping" means Facebook is not documenting/proving they are protecting people's information. And that not only violates the principle of Due Care but also infringes GDPR Articles 5(2) and 24(1).

But, this is not important.

This is not the first time Meta has been fined for GDPR violations, nor is it the largest fine it has received; the € 60 million penalty from Jan 2022 and the € 225 million from Sept 2021 top it by such a long margin they are in a different league.

And this is not important either.

It is significant that the Irish DPC fined it; that does not happen very often. Ireland is the European headquarters of most of the American companies, including the 10 tech giants -- Apple, Google, Twitter, etc -- with a European presence. Since 2018, an average of 10,000 complaints per year have been filed with the Irish DPC. According to the Irish Data Protection Commissioner Helen Dixon, of those thousands of complaints, two resulted in decisions in 2020, and she expected up to six decisions to be made in 2021, or 0.07% of all GDPR complaints.

Then we have the issue of the fines. Per the GDPR, they can be up to 4% of a firm's global revenue. While Dixon said any fine would reflect the significant number of users affected, consider the numbers: in June 2018 Facebook reported a bug caused 14 million users to share friends-only content with strangers. Then in September 2018 the social media giant disclosed a major hack which could have compromised up to 50 million user accounts. Later it claimed this hack resulted in a data breach where the data of only 30 million users was stolen. Finally, in December of that year another bug compromised 5.6 million users.

And yet the Irish DPA decided € 17 million was enough to reflect the significant number of users affected.

Max Schrems, who has stated that

The [Irish] DPC simply interprets the word "handle" to mean that the DPC can also simply dispose of complaints on the fundamental right to privacy. She openly argued “In fact, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint.”
has also accused the Irish DPC of advising Facebook on how to bypass GDPR by redefining their agreement with the user as a "contract," which would make the GDPR "consent" requirement no longer applicable.

But, this too is not important.

What is important anyway?

This shows a clear inconsistency between how Ireland and the rest of the EU handle GDPR complaints. The Irish DPA is the lead supervisory authority for cross-border cases that fall into its jurisdiction. Given its history, it may well not side with the Austrian and French Data Protection Authorities regarding Google Analytics.

This regulatory discrepancy creates an incentive for companies which want to use Google Analytics, or other means of transferring data between the US and the EU that are considered contrary to the GDPR, to set up shop in Dublin. While this may be good for the Irish economy,

  • How will this different interpretation of the GDPR articles play out, given that one of the goals of the GDPR is to regulate the processing of personal data within the entire European Union?
  • Is this even an inconsistency or do EU members have some latitude to interpret GDPR articles based on local laws? Remember that when the French Data Protection Authority decided that Google Analytics was not GDPR compliant, the Austrian one had already made the same decision. That seems to imply there is some jurisdiction independence across the EU, and perhaps the Google Analytics ruling will only become applicable to the entire EU/EEA if enough Data Protection Authorities decide to support that.
  • Will other European countries invoke Article 65(1)(a) and request the European Court of Justice, or the European Data Protection Board, to intervene and enforce some kind of legal consistency for all member countries?
Only time will tell.

Saturday, March 12, 2022

Phishing Is Too Easy - 2

A long while ago I posted here about how easy it was to phish. Yes, it was that long; where has time gone?

Anyway, some phishers seem to have decided that embedding malicious code as payloads into either the email itself (thanks to HTML-aware email) or into attached documents -- Microsoft Word/Excel/PowerPoint documents, PDF files, or even some image formats -- was a bit too time consuming. Or it was being picked up by the usual mail scanners and deleted. So, what can they do? Well, enlist the help of the user! OK, you may argue that all phishing campaigns rely on social engineering, and you would be correct. But how can that be crafted to evade scanners once the users are conned? Let me answer that by presenting this gem of a phishing email, which I added to my collection a few days ago:

Phishing email which does not have its payload as an attachment, but contains a phone number to contact the attacker and get instructions on how to download and install the malware.

At first glance, it seems this email will be ineffective, as it starts rather carelessly:

  1. The return address is a typical quasi-randomly created Gmail one; they could not be bothered with making it sound like it came from a billing department as it claims to be.
  2. Also notice they do not even specify the company they are hailing from; they just said something about a Billing Department.
  3. This email from some billing department from an unknown company is about the purchase of McAFEE Total 360.

What seems to be carelessness is actually genius. You see, most people who read this email will not pay attention to the return email address or the lack of a business name. All they will focus on is the 3rd item listed above: they just received what seems to be a bill for software they can't remember ordering. What to do?

There is a phone number prominently displayed at the bottom of the email. That is the clever move. I expect the next moves to play out as follows:

  • The customer's (the mark's) mind will focus, as mentioned above, on the fact they are seeing an unexpected $300 bill. Why did they receive it? Was that an accident? Did someone with a similar name order it? This is the fear component of the phishing email.
  • It says the charge mode is "Auto Debit!" I too have no idea what "Auto-Debit" means. Maybe they wanted to say auto renewal using a debit card. But the point is these words create a sense of urgency, which is another component of a good phishing email.
  • So, they call the phone number to find out what is going on. The person on the other end, who is an Eastern European man called Peggy (bonus points if you know which old ad I am alluding to), will maybe ask for the mark's personal information (before you get excited, GDPR does not apply to criminals since by definition they do not follow the law) and credit/debit card information to "confirm" (read: store and sell) that this was the card used. However, it would make more sense if he...
  • Peggy will probably ask the mark to go to a website and then download and install something on the mark's computer (ideally a work one) to check if the McAFEE program is installed and then uninstall it. As expected, that is a trojan horse to help deploy the real payload. The good thing about being on the phone is that Peggy can help the mark work around the malware protection software in place so the trojan can be successfully installed.
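The indicators listed above (billing claim from a throwaway webmail address, no company name, a brand the sender does not own, a dollar amount, urgency wording, and a phone number as the only call to action) can be turned into a triage rule for a mail gateway or help desk. This is an added example, not code from the post; the two sample messages are constructed and the regexes and indicator list are assumptions:

```python
"""Heuristic triage for callback phishing: the 'call this number about your
McAFEE Total 360 invoice' pattern. Added example, not from the blog; sample
messages are constructed and the indicator list is an assumption."""
import re
from dataclasses import dataclass

# Providers anyone can sign up with; a real billing department rarely uses them.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
# Brands commonly impersonated in fake invoices (lowercase for matching).
BRANDS = ("mcafee", "norton", "microsoft", "intuit", "quickbooks", "paypal")
BILLING = re.compile(r"\b(invoice|billing|bill|receipt|order|purchase|charge)\b", re.I)
URGENCY = re.compile(r"\b(auto[- ]?debit|auto[- ]?renew\w*|within \d+ hours|immediately|urgent|final notice)\b", re.I)
MONEY = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL = re.compile(r"https?://\S+", re.I)
ADDR = re.compile(r"<([^>]+)>\s*$")


@dataclass
class Verdict:
    score: int          # number of indicators that fired
    reasons: list[str]  # human-readable, for the analyst or the user


def sender_domain(sender: str) -> str:
    """'Billing Department <x@gmail.com>' -> 'gmail.com'."""
    m = ADDR.search(sender)
    address = m.group(1) if m else sender
    return address.rsplit("@", 1)[-1].strip().lower()


def score_callback_phish(sender: str, subject: str, body: str, attachments=()) -> Verdict:
    """Count the social-engineering indicators the post describes."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    domain = sender_domain(sender)
    reasons = []
    # 1. Claims to be a billing department but sends from free webmail.
    if BILLING.search(text) and domain in FREE_MAIL_DOMAINS:
        reasons.append(f"billing/invoice claim sent from free webmail ({domain})")
    # 2. Names a vendor the sender domain has nothing to do with.
    named = [b for b in BRANDS if b in lowered]
    if named and not any(b in domain for b in named):
        reasons.append(f"mentions {', '.join(named)} but sender domain is {domain}")
    # 3. An amount of money: the fear component.
    money = MONEY.search(text)
    if money:
        reasons.append(f"unexpected amount {money.group()} (fear component)")
    # 4. Urgency wording such as "Auto Debit!".
    urgency = URGENCY.search(text)
    if urgency:
        reasons.append(f"urgency wording '{urgency.group()}'")
    # 5. A phone number is the only way to act: no link, no attachment to scan.
    if PHONE.search(text) and not URL.search(text) and not attachments:
        reasons.append("phone number is the only call to action: no link, no attachment")
    return Verdict(len(reasons), reasons)


# Constructed sample modelled on the email in the post (555-01xx is a fictional range).
PHISH = dict(
    sender="Billing Department <xk93lq2f@gmail.com>",
    subject="Invoice for your McAFEE Total 360 purchase",
    body=(
        "Dear Customer,\nThank you for your order. Your McAFEE Total 360 subscription "
        "has been renewed.\nAmount: $300.00\nCharge mode: Auto Debit!\n"
        "If you did not authorize this charge, call our billing department at "
        "+1 (800) 555-0199 within 24 hours.\n"
    ),
)
# Constructed sample of an ordinary vendor invoice for comparison.
LEGIT = dict(
    sender="Acme Hosting Billing <billing@acme-hosting.example>",
    subject="Your Acme Hosting invoice #4821",
    body=(
        "Hi,\nyour monthly invoice of $12.00 is available at "
        "https://billing.acme-hosting.example/invoices/4821\nQuestions? Reply to this email.\n"
    ),
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        v = score_callback_phish(**msg)
        print(f"{name}: score {v.score}")
        for r in v.reasons:
            print("  -", r)
```

A score of 3 or more is a reasonable point (an assumption, not a calibrated threshold) at which to hold the message for a human to look at rather than deliver it.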


If you receive such an email, take a break before acting on it. Then, if you received it at work, reach out to your IT security people and ask for help. Relying on software to magically find and delete such emails does not work all the time. You, the user, are the most important line of defense.

Thursday, February 24, 2022

Thoughts on taking the CISSP exam - 2

Plan Your Dive, Dive By Your Plan

That is the motto of the Divers Alert Network, and I think it is very appropriate here... and on job interviews.

One thing I did not add to the original post on taking the CISSP exam is that on the day before the exam, I drove to the test site at about the same time I expected to leave on exam day. The reason is that I wanted to know where the place was and how long it would take, so I would be there 30 min or so before it started. In other words, I wanted to eliminate a source of pre-test stress.

Without further ado, here are the real pictures I took that day:

  1. First, here is the building. After driving there on the day before, I decided to leave home 15 minutes earlier to account for the traffic I saw. Also, I am glad I did the dry run, since on the exam day, when I drove onto the road that leads to the parking lot where the building is located, it was packed. By looking at the vehicles, I realized they were going to the construction site I had noticed the previous day, so I was able to go around them instead of sitting there and missing my appointment.

    If you are not driving there, it is even more important to figure out how to get to the test site well in advance. Imagine if you need to take a few trains and maybe a subway or a tram in the process. Are their schedules reliable? If you miss one of those connections, how long will you have to wait until the next?

  2. Once inside, I was very happy to find out there was a nice sign pointing to where the Pearson VUE office was. Nice touch, Pearson VUE!
  3. The actual office where the exam took place was down the corridor. I also took the opportunity to find out where the bathroom was. Remember you can take bathroom breaks; it might be wise to find its location so you do not waste valuable exam time hunting for it when you really need to go.

    Incidentally, there was a water fountain across the corridor from the bathroom.

  4. On exam day, I had no problem getting there ahead of time. In fact, I was so far ahead of time the suite was still locked. By then a few more candidates, for other exams as it turned out, had shown up. We chatted a bit until they let us in. And it was smooth sailing until the exam started.

TL;DR: Make your life easier! Eliminate as many variables before the exam as you can.

Sunday, February 20, 2022

GDPR, France, Schrems II, and Google Analytics

If you grew up in the United States, you may recognize the picture below and remember television ads (yes, I have watched network television with commercials) that would push some trinket (think along the lines of a "belt that doubles as a straw" or a "self-cleaning shoe rack" which in fact is really complicated). When it came time in the ad to say how much it cost and how to order it, there was always a "But wait! There is more!" segment where they would bundle in more junk in the hope the viewers would think they were getting a deal.

With that piece of Americana in mind, we will start this article by asking if you remember when we talked about the Austrian Data Privacy Authority (DSB) deciding that Google Analytics is not GDPR-compliant. You do? Great!

But wait! There is more!

Earlier this month the French Data Privacy Authority (Commission Nationale de l'Informatique et des Libertés, or CNIL for those like me who are not typing-trained) concluded, after receiving a complaint from the NOYB association regarding a French website using Google Analytics, that the data transfers performed by Google Analytics are illegal in France. The reasoning is the same as that of their Austrian counterpart: Schrems II, as in there are not enough safeguards to protect the data collected from European Union residents from US intelligence agencies.


We mentioned them before, so let's just focus on the most important ones:

  1. Stop using Google Analytics; it violates GDPR Article 44. Google Ireland does not cut it.
  2. If you really need the functionality provided by Google Analytics, find a tool that does not transfer data outside the EU.
  3. Any data collected by a Google Analytics-like but GDPR-friendly program should either be immediately anonymized (before being fed to the analytics program), have a Legitimate Purpose as defined in GDPR Article 6, or require explicit consent from the data subject.

According to the CNIL ruling, the French website in question has 1 month to comply.

Given that NOYB filed complaints in the 27 European Union Member States and the three other states belonging to the European Economic Area (EEA), expect more of these decisions to come.

Saturday, February 5, 2022

GDPR, Austria, Schrems II, and Google Analytics

EU vs Google Analytics. EU flag and Google Analytics logo copyright of its respective owners

By now you may have learned that if you are a European company, or a company which does business with European residents, you really should not be using Google Analytics. A case in point happened on Oct 2nd, 2020 when, according to The Register, the Austrian Data Protection Authority (Datenschutzbehörde or DSB) received a NOYB-sponsored complaint regarding NetDoktor, a website which offers medical knowledge and health information. It also has English (TLD ".uk") and Danish (TLD ".dk") versions; there may be more but I could not be bothered to look for them. Because this Hubert Burda Media-owned website is financed through advertising and licensing, it chose Google Analytics, probably (educated guess here!) to track what each of its users has done during their visit:

  • Identifiers
  • IP address
  • Browser version, operating system, and other system identifying parameters
  • Which pages were read
  • How much time was spent on each page

Per the General Data Protection Regulation (GDPR), this kind of personal data collection is not viewed as a Legitimate Purpose as defined in Article 6, so it needs to have explicit permission from the data subject. One should also notice that because of the service provided by this website, the personal data collected using Google Analytics, unless properly anonymized, may be used to infer the medical condition -- which is one of the special categories of personal data per GDPR -- of the data subject.

It gets better:

  1. Google is an American company, so it must follow the US CLOUD Act of 2018 and section 702 of the FISA Amendments Act of 2008, which allow US intelligence agencies to collect any personal data stored on servers owned by US businesses that are identified as an "electronic communication service provider" by 50 U.S. Code § 1881(b)(4), without the need for a warrant.
  2. Google cannot protect the personal data being collected by Google Analytics on the NetDoktor website well enough to satisfy Article 44 (transfer of data to be processed in a country outside the European Union or European Economic Area).
  3. Google cannot base the data transfer on standard data protection clauses, as the US does not ensure adequate protection.
  4. And that means this personal data transfer between NetDoktor and Google violates the Schrems II decision of 2020, where the European Court of Justice (ECJ) declared the Privacy Shield mechanism was not a valid means of transferring data between the EU/EEA and the US.

As a result, the DSB declared this data transfer illegal.

Some EU and US companies may have tried to work around these limitations by using Standard Contractual Clauses to transfer data between them. That does not satisfy Schrems II.

What can I do as a US business?

The ideal solution is for the US to adopt privacy laws that are closer to those in the EU. Until that happens,

  • What if I run a website that is not offering a product or a service specifically directed at EU or EEA residents, like a blog? Even though technically you would not be subject to Article 3 of the GDPR, you have no reason to collect any personal data. Let's use Blogger, which is owned by Google, as an example. According to Google's documentation, to use Analytics with Blogger you must
    1. Sign up for an Analytics account
    2. Add Analytics tracking to Blogger.

    Continuing with the Blogger theme, is Google honoring your decision not to collect data? i.e. does it collect any other additional data from the blog users it has not divulged to the blog owner? Good question; IMHO the onus here would be with Google.

  • What if I am providing services/products targeted at EU/EEA residents? You fall into Article 3, so
    1. Minimize the amount of personal data you have to collect. Remember you are still subject to the CLOUD Act.
    2. Avoid using cookies or other forms of analytics to collect data you do not need in order to provide the service to your customers. Remember the Legitimate Purpose (Article 6).
    3. If you really need the functionality provided by Google Analytics, find a tool that does not transfer data outside the EU.
    4. Anonymize any data you can as soon as possible. Remember that anonymization is not tokenization or pseudonymization.
    5. Process and store any personal data in an EU server, ideally one not owned by an American company identified as "electronic communication service provider" by 50 U.S. Code § 1881(b)(4).
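Item 3 of the CNIL list above and items 2 and 4 here both hinge on the difference between anonymizing the analytics fields (identifiers, IP, browser/OS, pages read, time per page) and merely pseudonymizing them. The following is an added example, not the post's, NetDoktor's or Google's code; the event shape, field names, prefix lengths and duration buckets are assumptions chosen for illustration:

```python
"""Anonymization vs. pseudonymization of the analytics fields the post lists.
Added example, not code from the blog, NetDoktor or Google. Field names,
prefix lengths and bucket sizes are assumptions."""
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed sample event shaped like the data the post says Google Analytics
# would collect. 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_EVENT = {
    "client_id": "GA1.2.123456789.1600000000",   # constructed identifier
    "user_id": "user-42",
    "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36",
    "page": "/krankheiten/diabetes?utm_source=newsletter&cid=user-42",
    "seconds_on_page": 137,
}


def truncate_ip(ip: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6). Irreversible."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def coarse_browser(user_agent: str) -> str:
    """Browser family and OS family only; version strings are fingerprinting fuel."""
    browser = "other"
    for token, name in (("Edg", "Edge"), ("Chrome", "Chrome"),
                        ("Firefox", "Firefox"), ("Safari", "Safari")):
        if token in user_agent:  # Chrome UAs also say "Safari", so order matters
            browser = name
            break
    os_family = "other"
    for token, name in (("Windows", "Windows"), ("Mac OS X", "macOS"),
                        ("Android", "Android"), ("iPhone", "iOS"), ("Linux", "Linux")):
        if token in user_agent:  # Android UAs also say "Linux"
            os_family = name
            break
    return f"{browser} on {os_family}"


def bucket_duration(seconds: int) -> str:
    """Exact dwell times help re-identify; coarse buckets answer the same question."""
    for limit, label in ((10, "<10s"), (60, "10-60s"), (300, "60-300s")):
        if seconds < limit:
            return label
    return ">=300s"


def anonymize(event: dict) -> dict:
    """Irreversible: identifiers dropped, IP truncated, query string removed
    (it carried cid=user-42), duration bucketed. Nothing left re-identifies."""
    return {
        "ip_prefix": truncate_ip(event["ip"]),
        "browser": coarse_browser(event["user_agent"]),
        "page": urlsplit(event["page"]).path,
        "duration": bucket_duration(event["seconds_on_page"]),
    }


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC of the IP. Whoever holds the key can re-link visits, so this
    is pseudonymization (GDPR Art. 4(5)) and the output is still personal data
    (Recital 26). It is not the anonymization item 4 above asks for."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def linkable(ip_a: str, ip_b: str, key: bytes) -> bool:
    """Two visits from the same IP get the same token: pseudonymized records can
    still be tied together, which is exactly why they remain personal data."""
    return pseudonymize_ip(ip_a, key) == pseudonymize_ip(ip_b, key)


if __name__ == "__main__":
    print("anonymized:", anonymize(SAMPLE_EVENT))
    key = b"constructed-demo-key"  # in practice: a secret the analytics side never sees
    print("pseudonymized ip:", pseudonymize_ip(SAMPLE_EVENT["ip"], key))
```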


Don't use Google Analytics.

Thursday, January 27, 2022

BadUSB, or There and Back Again

In that often misunderstood time between mullets and the switch to laptops without normal USB ports (I am looking at you, Apple), a traditional part of an on-premises pentest was to grab all those USB drives you got from the many conferences you attended, wipe them to remove the infomercials, white papers, and other cruft, put on them a little script that would be called when the drive was automounted on a Windows or Mac machine (primarily Windows, because it was easier), and then drop them in the parking lot of the company you were doing your engagement for.

The script was pretty simple: when run it would collect the IP, some computer info, and the username. It would then send that info to a collecting site (cannot call it C&C because it is not doing that much work), which would parse all the info into a nice spreadsheet that you would bring to your meeting with your customer as the list of users who may need some security retraining. After all, if a pentester can do that, so can a malicious attacker (are there non-malicious attackers?). It is a nice way to deploy a virus, or a program to help the attacker get a foothold in the system.

Those were simpler times.

Talks were given and dongles were created to avert such an attack because, well, it was easier to buy them than to ask the IT department to push a group policy to disable automount. Or to tell users not to mount, on their computers, any USB device they find.

But, we are talking about BadUSB! Yes, and it was first mentioned in 2014. The short version is that thanks to development methodologies similar to those used in IoT development, namely get a product out there as quickly and cheaply as possible with complete disregard for supply chain security or security testing in general, a lot of USB devices are built on controllers which can be reprogrammed in the field. And reprogrammed they are, this time carrying malicious payloads like programs to spy on the user or get a foothold on the system.

Sound familiar? I think so. Adding your code to the USB device's hardware is but an evolution of the principle of having code on a USB drive that is run when it automounts.

Fast forward almost a decade and we begin the year with the FBI sending warnings about this new attack vector called BadUSB that groups like FIN7 created to deploy ransomware even though they have been doing that for many years now.

There is no one-size-fits-all technical solution for BadUSB, not that this has stopped vendors from peddling software to address it. We will go over a detailed plan of action to minimize its effectiveness in a future article, but it suffices to say the old adage of "select your partners and wear protection" still applies. Also, end users are one of the most important lines of defense in the security domain. Work with them, empower them to understand and make the call; it can work if you do it right. Make the presentation enjoyable and memorable. I mean, if I could make that work at a medical institution to the point that our box of found USB drives had to be replaced with a bucket, so can you.

Monday, January 17, 2022

Proper tab isolation in Firefox (a request for support)

There are a few things I seek on a web browser:

  • Platform independent. While most of my work is done in Linux, I like to have the same experience in OSX, Windows, and even (somewhat) smart phones. This is also important when I recommend a browser to someone.
  • Not spying on me. Problem is, most of them do, but that is a topic for another article.
  • Good privacy and security settings.

I am not particularly religious about browsers; I have used Firefox, Chrome, Safari, That Microsoft One, Brave, Opera, and a few others whose names I can't remember (short of the screen capture and the crowdcity link, I am trying to type this in one sitting). I think each of them has good and bad features. Let me talk about my favourite feature in Safari; to do so I need a screen capture:

It shows the browser in incognito/secure/secret/sneaky/something mode (pick your term, collect them all). It has 3 tabs right now. Two of the tabs are connected to two distinct Gmail accounts: one with a ton of emails (someone needs to do some cleaning) and one which is not as popular as the first. The third one was me helping someone create a Gmail account, but I decided to take the screenshot before going any further. Note there are potentially 3 Gmail sessions using 3 different accounts in 3 different tabs in the same browser. Take your time to process that.

I will wait.

FYI, I normally would use that with Slack: at times I have 5 to 6 Slack sessions open -- maybe work, vendor, a project I am working on (like the conference mentioned in an earlier article), and so on -- using different accounts. Or two different AWS accounts (think developer and test user). And all of that in the same browser at the same time. And they are all happy.

Now, I use Firefox a lot because it is portable and it (and its derived browsers) can be rather privacy-conscious:

It has many features, but this kind of tab separation is not one of them. They have something called containers which (1) only work in normal mode (not incognito) and (2) do not offer the feature Safari does. So this leads into...

And now my shameless request

The Mozilla people have a website where you can ask for features. People post them and they get voted on by viewers like you, thank you. Guess what I requested? Right you are: tabs that are fully isolated so you can run the same program logged in as different users without conflict. If you want to help make this happen, do create an account and vote for it. The link to my request is

Container tabs should work in private/incognito mode


20220212 Update

They are canning the site where you submitted ideas and requests to Mozilla:

It is being replaced with a new one, but the old content is not being transferred. So, thanks to everyone who voted, even though it no longer counts.

Saturday, January 8, 2022

Thoughts on taking the CISSP exam

There are a lot of sites, articles, and videos with lots of useful and helpful information on how to prepare for the CISSP exam, including why you should (or not) consider getting this certification to begin with.

This is not one of them.

Everyone has a study strategy -- watching videos, reading books, taking a live/online class -- so I will not comment on that. What I did afterwards is where I want to focus, namely taking practice exams. The short version is: learn from my mistakes. The long version is that there are

  • Known knowns: what you already know from your experience and previous study.
  • Known unknowns: what you know that may be in the exam but you have never studied or dealt with. For many, that would be binary math and cryptography.
  • Unknown unknowns: what may be in the exam and you have no idea it even exists to begin with.

What you know, you know, so no need to spend much time on that besides refreshing. What you know you do not know, you can study/practice/figure out some way to learn. But if you do not know that you do not know something that may be in the exam, it will bite you. You need to convert the unknown unknowns into known unknowns so you can work with them. To find them, focus on those practice tests at least for the last two weeks before the exam. You are using these exams to probe where you need to work. Examine the results and explanations associated with the questions you got wrong. In my case, they could be grouped as:

  1. Rushing to read and missing a keyword. Read the entire question and all the answers. I know that sometimes the question starts with 5 sentences of story time before getting to the point, but take your time to read it all. Then read it again to identify the key points in both question and answers. Slow is fast, fast is slow. But, there is too slow; don't be James May.
  2. Choosing an answer, second guessing, and then finding out the original answer was right. This is especially true for those questions you are not really 100% sure of the answer to, and this was how I missed most of the practice questions by far. Train and trust your gut.
  3. Not eliminating the answers you know for sure are not right. As mentioned above, you will face questions that you are not sure of the right answer to for some reason, like some encryption detail, but you may be able to deduce it. To do that, remember the Sherlock Holmes quote, "once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth." The first thing you need to do then is get rid of all the answers that could not possibly be true. Sometimes that will leave you with two answers, which means you have increased your chances of getting the right answer from 1 in 4 to 1 in 2 (it might be even better depending on how you want to calculate it).
    NOTE: this may not work with questions where you need to select 4+ answers from a list. In one of the practice questions I took, it turned out I needed to select all of them. I read the explanation, tried to understand the thought process, and then added it to my study notes.
  4. Trying to solve it as an engineer instead of as a manager. This is a reference to the famous "think as a manager" quote associated with this exam. Technical me may want to write my own solution, while managerial me would refer to policy, buy a tool, or contract someone. If both technical and managerial answers are listed, pick the latter for this exam.
  5. (last but not least) you may be missing some knowledge. When I find those, I look at the explanation, add what I think will help me to my notes, and then check for further info (in a book or online).

Full Disclosure: Items 1-4 were where I needed to work on.