If there’s anything the last few years have taught us, it’s the importance of protecting the privacy of our personal information online. Coupled with the global pandemic, the privacy landscape has undergone a rapid change as contact tracing and remote practices have increasingly become the norm. Apple — which has ruffled feathers by adopting a strong anti-tracking stance with iOS — marked the occasion by releasing its “A Day in the Life of Your Data” report, explaining how third-party companies track user data across websites and apps. The average app, it said, has at least six trackers embedded in it. Mozilla, meanwhile, is rolling out new protections to thwart third-party user tracking and crack down on supercookies, which are much harder to delete and block. In the EU, the General Data Protection Regulation (GDPR) has already caused companies to pay hundreds of millions of dollars in penalties for infringing on users’ privacy. These initiatives, along with heightened data protection regulations, have forced other major platforms to rethink how they bake privacy into their products. Taken together, these moves have shifted the Overton Window for privacy, even if just a little bit, and helped change our default assumptions about privacy. It’s no surprise that the steady infiltration of technology into every aspect of our lives, and the convenience it affords, has resulted in privacy taking a backseat. But it doesn’t have to be that way. Which is why Data Privacy Day is the perfect time to get rid of unwanted devices and services, as well as to question the amount of data we give up – voluntarily or otherwise — in exchange for this convenience. On that note, it’s time for us to bid you goodbye. This is the final edition of Pardon the Intrusion. I hope you enjoyed reading the newsletter as much as I enjoyed writing it. But fret not, this isn’t the end of the road.
I’ll continue to share everything there is to know about the world of privacy and security in a brand new newsletter on Substack, called Zero-day. Subscribe to it here. I want to extend my thanks to every reader and all my editors who made this newsletter what it is today.
What’s trending in security?
Messaging app Signal got blocked in Iran, TikTok fixed a bug that would have allowed hackers to access users’ private information, and Google warned that a North Korean threat group is targeting security experts with a new social engineering campaign.
An ex-ADT technician pleaded guilty to computer fraud and invasive visual recording for repeatedly breaking into cameras he had installed and viewing customers engaging in sex and other intimate acts. [Ars Technica]

Here’s another reminder that companies can collect data about you even if you don’t have an account with them. Riccardo Coluccini, writing for Motherboard, found that TikTok not only logged his whole watch history, but also “recorded all my actions in the app and time-stamped them.” [Motherboard]

A detailed look at the 2019 security breach of Stack Overflow has found that the attacker made extensive use of the Q&A forum itself to work out how to make the next move. [Stack Overflow]

Amid a new surge in popularity for Signal following WhatsApp’s messaging mess, concerns are being raised about what Signal is doing to prevent abuse of its platform. In a related development, the Iranian government has blocked the use of the app, which joins other social media apps such as Telegram, Twitter, Facebook, and YouTube that are banned in the country. [The Verge / Al Jazeera]

TikTok fixed a vulnerability that would have allowed hackers to access users’ private information, including phone numbers, avatar pictures, and user IDs. [The Hacker News]

Google said security experts focused on vulnerability research and development are the targets of a social engineering campaign reportedly conducted by a North Korean government-backed entity. The hackers masqueraded as security researchers to befriend members of the cybersecurity community on Twitter, LinkedIn, Telegram, Discord, Keybase, and email using fake personas. [Google]

Researchers disclosed a new variant of the NAT Slipstreaming attack that builds on the original by replacing SIP with the H.323 multimedia protocol, piggybacking on it to bypass firewalls and open access to any device inside internal networks. [The Hacker News]

A survey of 1,515 anonymous Chinese residents has found that 87.46% of respondents oppose the use of facial recognition technology in commercial zones, as the technology becomes more widespread. [South China Morning Post]

The US Defense Intelligence Agency admitted to buying citizens’ location information gathered via smartphone apps from data brokers, getting around the need to obtain a warrant for location data. [The New York Times]

The Norwegian Data Protection Authority fined gay dating app Grindr $11.7 million for disclosing users’ precise locations to at least five advertisers and tagging users as LGBTQ without their explicit consent. [The New York Times]

The Russian government issued a security warning to organizations in Russia about possible retaliatory cyberattacks by the US for the SolarWinds breach. [ZDNet]

The last week in data breaches, leaks, and ransomware: Bonobos, MeetMindful, Scottish Environment Protection Agency, Teespring, and The7stars.
Tweet of the week
Adobe Flash was officially discontinued last month following years of security concerns. But just as browsers have moved away from supporting it, the South African Revenue Service (SARS) has made a puzzling decision: release a new Chromium-based browser solely to enable Flash support, so that tax filings can still be submitted through its website. After all, why fix the code and move to HTML when you can release your own browser? Worse, the browser supports only Windows.