Pardon the Intrusion #10: Faces faces everywhere

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Facial recognition systems for use by law enforcement are all the rage these days. China has employed it on a vast scale to establish a surveillance network of sorts, while law enforcements’ use of facial databases in the US and UK have drawn scrutiny.

These tools often mix AI with a curated database of images pulled from other databases, which could be anywhere from government ID databases to Facebook, Instagram, LinkedIn, and other websites.

As The New York Times’ Kashmir Hill reported recently, Clearview AI’s software can virtually match any face and reveal their true identity. It’s been put to use by 600 law enforcement agencies and other private companies.

India is the latest country to jump on this bandwagon. The tool, developed by INNEFU Labs, converts every face into 512 data points which are fed into an AI algorithm looking for close matches.

According to the company’s founder, Tarun Wig, the tool can be simply plugged into a facial database.

“The original database for the images depend on what the client feeds our tool. This is under the discretion of the customer, and if they want, they can even take data from Google, Facebook and other public sources, and ingest it into the system to recognize the faces,” Wig told News18.

All this is well and good. But good intentions alone don’t always ensure good outcomes. First off, there’s no guarantee the facial matches will be wholly accurate. Then comes the issue of incomplete and biased datasets.

But given the general lack of privacy regulations, deploying such technologies at a vast scale is doubly frustrating from a data privacy and security point of view.

The EU has GDPR, the state of California now has CCPA, but it’s non-existent pretty much elsewhere. For its part, the Indian government presented a revised draft of the Personal Data Protection bill last month, but it has now been deferred and is expected to be passed later this year.

Internet Freedom Foundation, a Delhi-based non-profit that works on digital liberties, said: “While technology is very well a force for good, prior to its integration in society, adequate safeguards and protection of target audiences need to be in place.”

Truer words have never been spoken!

***

Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

What’s trending in security?

The past two weeks were about Apple’s encryption showdown, the data breaches at Mitsubushi Electric and the United Nations, and how antivirus maker Avast sold its users’ browsing habits to a variety of clients, including Facebook, Google, Microsoft, and Pepsi. In a troubling development, pilfered Wawa restaurant customers’ payment info are now on sale on the dark web.

• The United Nations wants the US government to probe hacking claims of Amazon founder Jeff Bezos’ phone by the Saudi government. [Reuters / Motherboard]
• Apple reportedly nixed its plans for encrypting iCloud backups after the FBI raised concerns that it could harm their ability to gain evidence from suspects’ iPhones. [TNW via Reuters]
• Google found out anti-tracking features in Apple’s Safari browser ironically opened iPhone users to even more tracking. Apple issued fixes for the some of the bugs in Safari 13.04 and iOS 13.3 last month, but Google says “such fixes will not address the underlying problem.” [Financial Times]
• Mac users are being bombarded with fake Flash update prompts (dubbed “Shlayer”) to install malware. It’s so common and effective that nearly 1-in-10 users are targeted this way. [Ars Technica / Kaspersky]
• China-based cyberespionage group TICK (also known as “Bronze Butler” and “REDBALDKNIGHT”) is said to exploited a zero-day flaw in Trend Micro OfficeScan antivirus application to steal personal data on over 8,100 individuals and confidential business information from Mitsubushi Electric on June 28, 2019. [ZDNet]
• Turkey-backed hackers have used DNS hijacking to obtain login credentials, targeting 30 EU and Middle East governments and organizations since 2018. [Reuters]
• WhatsApp disclosed 12 security flaws in 2019 alone, including 7 that were critical. [Financial Times]

• The United Nations was likely the victim of a massive, likely state-sponsored hacker attack this past summer, but it didn’t publicly disclose the breach. [The New Humanitarian]
• SIM swappers are targeting telecom company employees to get hold of internal tools. [Motherboard]
• Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records comprised of chat logs between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. Microsoft said the exposure was limited. [Comparitech / Microsoft]
• Amazon’s Ring doorbell has been caught sharing user data with Facebook and other third-party trackers. [TNW via EFF]
• A hacker leaked passwords for more than 500,000 Telnet servers, routers, and IoT devices for the period October to November 2019. [ZDNet]

• There’s now a web portal that can alert companies when their employees get phished! [I Got Phished]
• WeLeakInfo, a website for finding and purchasing breached personal data, is shut down by the FBI. [The US Department of Justice]
• Hackers put payment card details of more than 30 million Americans and over one million foreigners on Joker’s Stash, the internet’s largest carding fraud forum. The stolen data has been traced to convenience store chain Wawa that reported a major data breach last month. [Gemini Advisory]
• Suspected members of a MageCart cybercrime group have been arrested by the Indonesian police for stealing payment card information from customers of hundreds of hacked online stores by inserting malicious JavaScript code. [Bleeping Computer]
• Citrix released the final patch for a severe flaw that could allow unauthenticated attackers to execute arbitrary code and deploy “NOTROBIN” malware on vulnerable servers. [Citrix / FireEye]
• Online sneaker marketplace StockX suffered a breach last August, but customers are still reeling from the aftermath — ranging from fraudulent purchases to hackers attempting to sell their own shoes for inflated prices. [Input]
• Chipmaker Intel has issued a third patch for the “Zombieland” bug that lets hackers trick the microprocessors into revealing sensitive information. [WIRED]
• Zoom fixed a bug that could have let uninvited folks join video conference calls. [The Hacker News]

Data Point

IBM’s Cost of Insider Threats 2020 Report — which surveyed 964 security professionals in 204 organizations across the world — found over 4,716 insider breaches in the past 12 months. Credential theft emerged as the costliest threat, with an average cost of $871,686 per incident. Negligent employees and criminal insiders were the other two top causes.

According to the report, all the 3 types of insider threats have been steadily rising since 2016. The average number of incidents involving employee or contractor negligence increased from 10.5 to 14.5 in 2019, and the average number of credential theft incidents per company have tripled over the past three years, from 1.0 to 3.2.

That’s it. See you all in a couple of days. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)