Amazon World Domination 👑 Rise of Ransomware 🤖 Ad Gold Rush 🏅

News, thoughts, and puns about Amazon buying Roomba, North Korea's increasingly sophisticated attacks, DuckDuckGo's Microsoft partnership, Cloudflare workers, and more!

👁️‍🗨️ This is the ppfosec weekly newsletter where I cram all my readings of infosec/technology news and dad jokes into a 10-minute summary. If you like my writing please subscribe and follow me on Twitter and LinkedIn.

👨‍💻 Website announcements
I published a review of Basecamp⛺️ along with a TikTok story about how Basecamp could have saved me headaches when purchasing a ginkgo tree 🌲

🧔Personal News

I've been told my life would make a funny YouTube series. I guess it's worth sharing!

After a decade of serving my increasingly large household, my washing machine bit the dust (or the smelly underpants?) last week. I ended up with a new kit with slight imperfections for a 20% discount. Kids usually bump furniture all the time anyway. With six family members and a dog, I got the biggest consumer-grade model available. Plus, they are connected! I already had my IoT subnet set up which would be my #1 recommendation to anyone venturing into smart homes. I stayed with a reputable vendor as well. I think going cheap on IoT is where you end up getting hacked. Yes, nerding out over smart washing machines and drum volume is where I'm at in life.

Alright here is a joke I just made up:

What's the favourite music band of faulty washing machines?

The White Stripes

🔦This week's spotlight: Ransomware Running Rampant

Insurance and security companies have grown so used to ransomware that cyber-threat researchers can now become "negotiators". One of them shares his experience with The Register. From earlier dealings with a given criminal group, negotiators can tell which gangs are likely to hand over the decryption key to a healthcare victim and which will greedily hold firm on their ransom demand. Don't picture Money Heist (La casa de papel)-style verbal scuffles. It looks more like a tedious MSN Messenger chat, minus the Wizz nudges and song-lyric statuses.

One area of concern outlined in the article, and confirmed in a recent attack on a British school (The Record), is criminals researching the victim's cyber-insurance coverage to set their ransom demand. This vicious attack against minors is another sad landmark for the Hive ransomware family, which also targets healthcare services. Trend Micro's research on the group shows how far the threat has come. While details on the latest attack against an IT vendor providing the NHS '111' non-emergency medical helpline in the UK remain scarce (999, not 111, is the UK's equivalent of 911), it appears to carry Hive's signature.

Sophisticated cybercriminals are not our only worry, though. The Lazarus group and APT38 have been linked to the North Korean government. Their attacks, which include high-profile bank heists carried out through the SWIFT network, are reportedly used to fund the nation's missile program. North Korea has also been associated with the recently documented "SHARPEXT" malware, which reads your Gmail through a malicious browser extension. Ars Technica has a detailed technical breakdown. I found the attack quite clever because we tend to think of the browser as "sandboxed". Why try to escape the sandbox when you can exfiltrate from within?

Photo: "Escape from the sandbox", by Alexander Dummer / Unsplash

Pictured: An old-fashioned person still trying to escape sandboxes.

Where does that leave us? IBM recently published its "Cost of a Data Breach Report" which, if you are like me, has LIT UP your Twitters and LinkedIns more than Charli D'Amelio's latest nail polish. Highlights are summarized in the article below.

Average Data Breach Costs Soar to $4.4M in 2022
Call it a “cyber tax”: Those costs are usually passed on to consumers, not investors, as compromised businesses raise prices for goods and services.

My biggest takeaway is not the $4.4 million per breach price tag. It feels meaningless given there are so many different contexts. What concerns me are the top five worst events by probability and impact. The usual suspects of phishing, stolen credentials and business email compromise still reign, but you suddenly see "cloud misconfiguration" and "third-party software vulnerability" creeping up over more "traditional" scenarios such as social engineering, physical security compromise, and stolen devices.

I have to admit, I was always the one laughing the hardest at the cybersecurity industry's marketing of NATION STATES and HIGHLY ORGANIZED CYBERCRIMINALS~!!! While I still believe such marketing tactics to be irritating, there is at least a foundation of sound data underlying the fear-mongering.

What should we do? Probably not rush to subscribe to a quarter million's worth of AI-based endpoint detection software. My two cents:

  1. Getting rid of e-mails. I'm not kidding! Everybody hates email anyway! Use mobile and push notifications, plus your instant messaging apps. Aim to decrease your e-mail traffic by 80% in the next 3 years. Those phishing scams will stick out!
  2. Invest in cloud visibility. Gross cloud misconfiguration (a database port or admin port open to the whole internet, a bucket readable by anyone) should trigger alerts. Vetted software libraries, server images and container images should be easy to find and use in your environments. Internal apps not using vetted components should trigger alerts. People should look at the alerts.

On a more personal note: back up your baby's pictures in the cloud and to a portable drive not connected to your computer. Now.  

Photo: a puppy, by Carissa Weiser / Unsplash

And don't forget your puppy pictures!

🥑Legal Jam

Changes to the regulatory landscape regarding technology, privacy, security, and more.

🧑‍⚖️👩‍⚖️Criteouch

Adtech giant Criteo faces a proposed €60 million (about $65 million) GDPR fine from France's CNIL. I have skimmed the complaint against Criteo. It seems a tailor-made case for why GDPR exists. Criteo built detailed profiles of every web user by tracking them across all its partners' and clients' websites, cross-referencing them with other data brokers, and inferring information about their personalities. Such profiles were re-sold to advertisers. Criteo is the reason people keep using ad blockers.

My disappointment is that the CNIL needed an egregious four years to reach this point. EU authorities must improve their velocity if GDPR is to be taken seriously.

🛡️Post-Privacy Shield World

Meta threatens to pull Facebook and Instagram from EU over the absence of legal rules that would allow Facebook to transfer EU residents' personal information to the US. Meta's approach screams bluff. I really like seeing the contrast between GDPR and the transatlantic data transfer pact. On one hand, the GDPR feels like a regulation based on Human Rights. It aims to protect individuals from powerful online schemes which go beyond what a reasonable person can grasp. On the other, this "wrestling with Meta" screams bad faith to me. I do not feel the ban on the SCCs is done to protect citizens. I feel it is a proxy to "go after big tech". Government surveillance remains serious. I am not sure the pressure points are being applied to the best areas though.

🎯Quick Hits

A series of relevant news items from the week, with my grain of salt.

🍎Apple wants to kill the password

An exclusive look at Apple's passkey plans on Tom's Guide describes how the Face ID-protected iPhone will keep each user's private key in the keychain, while the app or website it is registered with holds only the matching public key. Authentication is a challenge-response: the service sends a random challenge, the phone signs it with the private key once Face ID has unlocked it, and the service verifies the signature against the stored public key. No shared secret ever leaves the device, so there is nothing to phish or to leak in a breach. I love this. Count me in! Death to the passwords!

📑Data Exfiltration via bookmarks

This attack described in Help Net Security uses compromised Google credentials to "sync" content between a user's authentic browser and an attacker's Chrome browser. An obvious attack is simply to replace a bookmark with a known malicious one. Somebody could prank you by switching all your news bookmarks with kittens.

👺Trolling the trolls

Security communicator superstar Troy Hunt described how he used absurdly complex password requirements to drive spammers mad in a recent blog post that went viral:

Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV
How best to punish spammers? I give this topic a lot of thought because I spend a lot of time sifting through the endless rubbish they send me. And that’s when it dawned on me: the punishment should fit the crime - robbing me of my time - which means

What I find impressive is how Hunt interwove his post with a tutorial on how to use Cloudflare Workers to deliver JavaScript apps. I think Cloudflare's edge computing is a big part of the solution to the EU's data transfer issues. It will revolutionize cloud (well, edge) gaming as well. Given Cloudflare is investing in web3, I am excited about what innovation they will come up with. Hopefully, it's better than that era where razor companies would just add one more "edge" to pretend they innovated.

🦆DuckDuckGo backtracks on Microsoft ads partnership

Well-known anti-tracking search engine and browser DuckDuckGo was caught with its pants, err, plumes down this spring for allowing partner Microsoft's ad trackers through. It has now been announced that Microsoft will get the same treatment as the other ad networks, being blocked by default (except for a few domains used to track conversions). Shall we call this DuckDuckStop?

Photo: baby geese foraging by a lake, by melethril / Unsplash

Shut up, dad!

This news comes on the heels of Microsoft and Netflix announcing a partnership to bring advertisements to Netflix. Microsoft's burgeoning ad platform is likely to clash with Apple's, which is also accelerating. It has been theorized that Apple's so-called privacy messaging and tracker blocking was in fact a strategic corporate move to "steal away" some of Meta's ad share. With Amazon's ad business growing 18% in the last year, the clash of the titans is surely going to feel, well, Titianesque!

That does not mean we should just sit back and eat popcorn while watching billionaires whine in the media! As online consumers (and privacy advocates), I think we each have to reflect on what type of advertisement we want and which platform we want to give our precious attention to.

🐶This week's rant: Amazon is taking over!

Amazon made waves last week by announcing its deal to acquire robot vacuum-maker iRobot for $1.7 billion. iRobot's 🤖 leading product is the smart "Roomba", which uses AI to clean your floors. I own three of them myself! The integration with Alexa is obvious here. iRobot's app is rather limited and Amazon is uniquely positioned to create a "hub" for your smart home. Roombas require extensive maintenance (brushes, filters, wheels, bags, etc.) and I can imagine a scenario where the Roomba orders its own replacement parts off Amazon.

What could go wrong? Plenty, it turns out. Smart doorbell company Ring, owned by Amazon, was surrounded by controversy after admitting it had handed footage to law enforcement without user consent. As if Ring wasn't already under enough fire, a judge ruled that a class action lawsuit against Ring's biometrics collection practices could proceed under super bad-ass Illinois' Biometric Information Privacy Act. Longtime readers will know my fascination with BIPA's enforcement. Its swiftness makes EU courts' GDPR proceedings look shamefully sluggish. Maybe GDPR could use some bipedalism?

But Amazon was not done! The company that also owns Whole Foods announced the purchase of primary-care provider One Medical, sparking a thunderstorm of privacy concerns and snarky tweets.

With such purchases, Amazon immerses itself in our most crucial services, from food to health to home care and beyond. It is easy to feel like Amazon's data harvesting could lead to galactic-empire-like control, and to feel a sense of lost ownership over your intimacy. I share some of these feelings.

Yet, I can't help but feel optimistic about Amazon's behemoth methods coming to healthcare. Why? Because I believe healthcare services are broken. As a matter of fact, I believe they are FUBAR. I fully admit this is due to my bias as somebody living in Quebec who has been dealing with the worst access to frontline healthcare services in the modern world all my life. It is not uncommon to go to the ER in Quebec and bring your camping gear to wait in a corridor for 20+ hours with no water fountain, no bathroom, and no electrical outlet in sight before you see a doctor. Walls are plastered with general awareness posters reminding individuals not to get violent with personnel over waiting times.

When I hear the biggest tech company in the world wants to take a shot at telemedicine, mobile health services, and same-day delivery of prescriptions, I am listening. I love privacy as much as the next guy (in fact, probably more). However, my "Maslow pyramid" of needs puts the quality of healthcare services for my family above concerns over Amazon being a super-power full of data. Call me a "big corp stooge" or whatever, but after living through two awful covid curfews to protect our so-called "fragile healthcare system", I am beyond exhausted. If it means selling my soul to the devil of large corporations to fix this mess, then so be it.

From an information security perspective, as Daniel Miessler explained in "Why I'm OK With Amazon Buying One Medical", the most mature tech company in the world is also probably our best bet to stave off reckless ransomware groups. Hospital systems are struggling to deploy centralized digital patient records. Can they really compete on the security front with the company that runs 30% of the internet? Hive's track record against hospitals suggests not.

This brings me back to the Roomba and my smart washing machine, to Criteo and to Meta's struggles with the Privacy Shield ban. Privacy's duty certainly is to hold large corporations and governments to respecting human rights, but it should not be reduced to this. Its core concepts remain choice and express consent for individuals living in a world where technology breezes by at a pace impossible for the reasonable person to grasp. I hope this rant comes across as educational or challenging, as my mission is to allow you to make choices in your digital life, not to provide dopamine rushes of schadenfreude over Meta looking bad in EU court.

🥳 Thank you for reading!
Subscribe to the newsletter with the form below.
You can follow me on Twitter, TikTok, and LinkedIn.