More stories

    Tracker pixels in emails are now an ‘endemic’ privacy concern

    Invisible pixels used to track email activity are now an “endemic” issue that breaches our privacy, analysts suggest. 

    This week, the Hey messaging service analyzed its traffic following a request from the BBC and discovered that roughly two-thirds of emails sent to its users’ private email accounts contained what is known as a “spy pixel.”
    Spy pixels, also known as tracking pixels or web beacons, are tiny, invisible image files, including .PNGs and .GIFs, inserted into the body of an email.
    They are typically transparent, white, or coloured to blend into the surrounding content so that the recipient never sees them, and are often only 1×1 pixel in size.
    The recipient does not need to interact with the pixel in any way for it to track activity. When the email is opened, the mail client automatically downloads the image from a server owned by the marketer, and that request tells the server the email has been read. The server may also record how many times the email is opened, the recipient’s IP address (and thus an approximate location), and details of the device used.
    Similar pixels are also widely used on web domains to track visitors. 
    Tracking pixels have been around for some time but are not well-known. For marketers, pixels can be an invaluable method to measure engagement levels, estimate the success of marketing campaigns, and potentially to send follow-ups and more personalized notes when a message has been read, but not responded to. 

    However, according to Hey co-founder David Heinemeier Hansson, they also represent a “grotesque invasion of privacy.”
    Hansson told the publication that the company processes one million emails a day on average and blocks more than 600,000 pixel-tracker attempts daily. Scaled up to the many millions of emails handled by services such as Gmail or Outlook, the suggestion that pixel tracking is “endemic” looks realistic.
    In Europe, GDPR demands that organizations tell recipients of the use of such pixels. However, the water has been muddied surrounding the transparency necessary to implement pixel tracking, as consent is not always required — and when it is, this could be ‘obtained’ automatically when a user signs up to an email service and is asked to read a privacy notice published on a website.
    The UK’s own Information Commissioner’s Office (ICO), which acts as a data protection watchdog, uses pixels to track email openings in its newsletter, as noted by the publication. Users are clearly told of the trackers at sign-up; however, the ICO intends to remove this functionality soon. 
    It is possible to stop tracking pixels from firing by disabling the automatic loading of remote images in your web browser, or by installing email and browser add-ons that block trackers.
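    How such blocking can be done selectively, as an added example that is not part of the original article and is not Hey’s software: the script below parses an HTML email body with Python’s standard library, flags remote images that look like beacons (declared 1×1 or zero-sized, hidden with CSS, or unsized but keyed by a long opaque token in the URL) and rewrites the message so those images are never requested. The sample message, its .invalid domains and the heuristics are all constructed for the illustration.

```python
"""Flag and disarm likely tracking pixels in an HTML email body.

Added example for the article above, not code from Hey or the BBC; it uses only
the Python standard library. A remote <img> is treated as a beacon when it is
declared tiny (width or height of 0 or 1, in an attribute or inline style),
hidden via CSS, or has no declared size but carries a long opaque token in its
URL, which is how per-recipient open tracking is usually keyed (heuristic).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (.invalid domains): a real logo, a classic 1x1 GIF
# beacon, a CSS-hidden beacon, a token-keyed beacon and an inline (cid:) photo.
SAMPLE_EMAIL_HTML = """<html><body>
<img src="https://cdn.example-shop.invalid/logo.png" width="200" height="60" alt="Example Shop">
<p>Thanks for signing up &amp; welcome!</p>
<img src="https://track.example-mailer.invalid/open.gif?u=1234" width="1" height="1" alt="">
<img src="https://t.example-mailer.invalid/o" style="display:none;width:0;height:0"/>
<img src="https://beacons.example-esp.invalid/px/3f9a1c7e8b2d4a6f9c0e1b2d3f4a5b6c">
<img src="cid:inline-photo@example" width="300" height="200">
</body></html>
"""

_TOKEN_RE = re.compile(r"[0-9a-f]{24,}|[A-Za-z0-9_-]{32,}")
_TINY_STYLE_RE = re.compile(r"\b(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
_HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _dimension(value):
    """Parse a width/height attribute ('1', '1px', '100%'); None if absent/unparsable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def classify_img(attrs):
    """Return why an <img> looks like a tracking pixel, or None if it looks benign."""
    a = dict(attrs)
    src = a.get("src") or ""
    url = urlparse(src)
    if url.scheme.lower() not in ("http", "https"):
        return None  # cid:/data: images are embedded and cannot report an open
    width, height = _dimension(a.get("width")), _dimension(a.get("height"))
    style = a.get("style") or ""
    if _HIDDEN_STYLE_RE.search(style):
        return "hidden image"
    if any(d is not None and d <= 1 for d in (width, height)) or _TINY_STYLE_RE.search(style):
        return "tiny image"
    if width is None and height is None and _TOKEN_RE.search(url.path + "?" + url.query):
        return "opaque tracking token"
    return None


class PixelScanner(HTMLParser):
    """Records each suspected beacon together with the raw tag text it came from."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (raw_tag, src, reason)

    def handle_starttag(self, tag, attrs):
        # <img .../> self-closing tags reach this method too via handle_startendtag.
        if tag != "img":
            return
        reason = classify_img(attrs)
        if reason:
            self.findings.append((self.get_starttag_text(), dict(attrs).get("src") or "", reason))


def find_tracking_pixels(html):
    """Return [(src, reason), ...] for every <img> that looks like a beacon."""
    scanner = PixelScanner()
    scanner.feed(html)
    scanner.close()
    return [(src, reason) for _, src, reason in scanner.findings]


def disarm_tracking_pixels(html):
    """Return the HTML with each suspected beacon replaced by an HTML comment,
    so the image is never requested; all other content is left untouched."""
    scanner = PixelScanner()
    scanner.feed(html)
    scanner.close()
    for raw_tag, _, reason in scanner.findings:
        html = html.replace(raw_tag, "<!-- tracking pixel removed: %s -->" % reason, 1)
    return html


if __name__ == "__main__":
    for src, reason in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print("%-24s %s" % (reason, src))
    print(disarm_tracking_pixels(SAMPLE_EMAIL_HTML))
```

    Blocking all remote images, as the article suggests, remains the simplest defence; a heuristic filter like this is for the case where images must still load but open-tracking should be stripped, and it will miss a beacon served as a normally sized, visible banner, which is indistinguishable from a real image without fetching it.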


    Indonesian internet regulatory laws are serious threat to free expression rights: EFF

    The Electronic Frontier Foundation (EFF) has called for the Indonesian government to amend its internet regulation legislation, labelling the laws as a “serious threat to Indonesians’ free expression rights”.
    The internet regulatory laws came into force in November last year as part of efforts to create a regulatory framework regarding the management and supervision of electronic system providers by private entities.
    The laws, currently available only in Bahasa Indonesia, make it mandatory for all private electronic system operators (ESOs) to register and obtain an ID certificate issued by the Indonesian government, according to international law firm Hogan Lovells.
    The obligation extends to all private ESOs that operate internet portals, websites, and applications used for trading, delivering content, search engines, or cloud computing, Hogan Lovells partner Chalid Heyder wrote [PDF].
    Failure to register by May 24 will result in the domestic internet regulator sanctioning non-registrants by blocking their services and content.
    The Indonesian laws also give the government the power to compel private ESOs, except for cloud providers, to take down prohibited information, which includes content that creates “anxiety for society” and “disturbs public order”.
    “This creates a chilling effect on free expression: Platforms will naturally choose to err on the side of removing gray area content rather than risk the punishment,” EFF said in a blog post. 

    “In fact, the Indonesian government is exploring new lows in harsh, intrusive, and non-transparent internet regulation. The MR5 regulation, issued by the Indonesian Ministry of Communication and Information Technology, seeks to tighten the government’s grip over digital content and users’ data.”
    Private ESOs are also required to appoint a local point of contact based in Indonesia that would be responsible for responding to content removal or personal data access orders. 
    According to the EFF, platforms will find it much harder to resist orders and be vulnerable to domestic legal action, including potential arrest and criminal charges.
    Last month, in response to blocking orders from the Indian government that threatened to imprison the company’s employees, Twitter permanently banned or hid more than 500 accounts on its platform.
    On the same day the EFF criticised the Indonesian government, Google and Reddit each published transparency updates, focusing on coordinated influence operations and on spam, respectively.
    Google’s quarterly threat analysis group update revealed that it blocked almost 3,000 YouTube channels as part of ongoing investigations into coordinated influence operations linked to China.
    The near-3,000 blocked channels primarily posted spammy content in Chinese about music, entertainment, and lifestyle, while a small subset uploaded content in Chinese and English criticising the US response to COVID-19 and political divisions.
    In the Reddit transparency update, the platform revealed it removed 85 million pieces of spam content. It also said it received 611 standard requests for user information by law enforcement or government and 324 emergency disclosure requests, although it did not specify what types of warrants were used to issue these requests and only described one such request in detail.
    That one request came from the Pakistan Telecommunication Authority, which alleged that 812 Reddit communities contained obscenity and nudity that violated its domestic online criminal laws. Of those 812 subreddits reported by the Pakistani regulator, the platform restricted access in the country to 753 of them. 

    Telstra recommends amending existing telco Acts instead of creating duplication

    Telstra has asked that Australia’s pending national critical infrastructure laws avoid creating duplicate or conflicting requirements for the telecommunications sector, pointing out that the existing regimes it is bound by already “work well”.
    The Security Legislation Amendment (Critical Infrastructure) Bill 2020 aims to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.
    Among other things, the Bill introduces a positive security obligation (PSO) for critical infrastructure entities, along with sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD). Telecommunications is one such sector that would be deemed as “systems of national significance” under the Bill, which would update the Security of Critical Infrastructure Act 2018 (SOCI Act).
    As a telecommunications provider, Telstra is covered by the Telecommunications Sector Security Reforms (TSSR) regime.
    “The telecommunications sector has a well-established and robust security regime in the TSSR,” Telstra told the Parliamentary Joint Committee on Intelligence and Security (PJCIS). “Industry has invested capital and resources into its network security and resilience to comply with the TSSR security obligation. The TSSR works well and has resulted in excellent engagement with the Department of Home Affairs along with operational compliance with the security requirements.”
    As a result, Telstra has recommended that government achieve its systems of national significance objectives by leveraging existing obligations under the TSSR as far as possible and working closely with industry to ensure those obligations align with those under the SOCI Act.
    “The TSSR framework has been in place for more than two years, enabled the telecommunications sector to mature and uplift its security awareness and posture, more so than other sectors, and is a regime that works well,” it said.

    It suggested that this be done by applying the Act to only those critical telecommunications assets declared as systems of national significance which, therefore, would have the enhanced cybersecurity obligations applied to only those assets; enhancing the TSSR to have the new Bill’s PSO applied there; and having more “objective” criteria and thresholds applied to elements of the PSO and government assistance powers.
    “Telstra’s recommended approach avoids potential operational and compliance issues resulting from duplicated security regimes for the telecommunications sector,” Telstra said.
    “It also recognises the maturity of the sector and the significant capital and resources this sector has already invested into network security and resilience over several years, to comply with the TSSR security obligation.”
    The Bill also introduces government assistance to entities in response to significant cyber attacks on Australian systems.
    Tech giants operating in Australia, such as Amazon Web Services (AWS), Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers, but the ASD expects intervention in the cyber attack response of companies considered critical infrastructure to only occur in rare circumstances.
    Telstra has asked these powers be inserted into the TSSR and for them to be used only as a final resort.
    Meanwhile, despite reiterating many of the concerns it shared during the Bill’s pre-consultation, AWS has provided the PJCIS with a further 11 recommendations to consider when reporting on the draft legislation.
    One of the recommendations is the complete removal of government powers to respond to serious cybersecurity incidents.
    “The powers are too broad and give the government exceptionally broad powers to gather information, issue directions, or act autonomously to directly intervene in an asset without adequate limitations or guardrails,” it wrote [PDF].
    Instead, AWS recommends talking with industry about what its aims actually are to come to a more appropriate resolution.
    The cloud giant also wants the removal of government ability to enact sector-specific rules without consultation.
    Meanwhile, the Group of Eight (Go8) — comprising the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia — believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector.
    As a result, the Go8 wants the government to set out a detailed and compelling case for why higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
    In doing so, it has suggested the use of established mechanisms, such as the Guidelines to Counter Foreign Interference in the Australian University Sector, as a way of meeting the PSO for the sector.
    “The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” its submission [PDF] to the PJCIS reads.
    The group is concerned Australia is the only Five Eyes nation to consider higher education and research as critical infrastructure.

    Centreon says only 15 entities were targeted in recent Russian hacking spree

    French software company Centreon said today that none of its paid customers were the victims of a years-long hacking campaign that came to light on Monday.

    Exposed in a report published by ANSSI, France’s cyber-security agency, the hacking campaign lasted between 2017 and 2020, and targeted companies running Centreon’s primary product, a software package of the same name, used for monitoring IT resources inside large companies.
    Hackers, believed to be linked to the Russian government, breached companies running the software and installed malware to perform silent surveillance.
    But in a press release today, Centreon said that none of its primary commercial customers were hit in these attacks. Only companies that downloaded the open-source version of the Centreon app, which the company freely provides on its website, were impacted, Centreon said.
    “According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and that they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years,” the French company said today.
    That version was released in November 2014, and Centreon said companies deployed the outdated software “without respect for the security of servers and networks.”
    “Since this version, Centreon has released eight major versions,” the company said.

    Centreon, which declined to comment yesterday, immediately after the ANSSI report was released, has now had to issue a statement to protect its reputation, mindful that customers began abandoning the SolarWinds Orion IT monitoring platform after news of a major security breach last December.
    On its website, Centreon lists customers such as Airbus, Agence France Presse, Euronews, Orange, Lacoste, Sephora, ArcelorMittal, Total, SoftBank, Air France KLM, and several French government agencies and city governments.
    However, none of these appear to have been attacked, according to Centreon. Furthermore, the ANSSI report said the attackers primarily targeted web hosting companies.
    The French cyber-security agency also drew tentative links between the attacks and the hacking group known as Sandworm, which the US government last year tied to Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency that is part of the Russian Army.
    The connection between the attacks and Sandworm was the use of Exaramel, a type of multi-platform backdoor trojan that the attackers installed on servers after gaining a foothold via the Centreon software.
    Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, also said on Monday that Sandworm was the only group seen using the Exaramel malware described in the ANSSI report, confirming the agency’s report.

    6/9 Hades / Sandworm is the only known group that uses Exaramel. Exaramel has code similarities with the Industroyer main backdoor. The report does not include other public links to Hades / Sandworm.
    — Costin Raiu (@craiu) February 16, 2021

    Malvertiser abused WebKit zero-day to redirect iOS & macOS users to shady sites

    A cybercrime group specialized in showing malicious ads has abused an unpatched zero-day vulnerability in WebKit-based browsers to break security restrictions and redirect users from legitimate portals to shady sites hosting online gift card scams.
    The attacks were first spotted in June 2020 and are still active today; however, patches for the WebKit zero-day were released at the start of the month.
    According to a report from cyber-security firm Confiant, shared with ZDNet last week, the culprits behind the attacks are a group previously known as ScamClub.
    Active since 2018, this group operates by buying large quantities of ad slots on multiple platforms in the hope that some of its bad ads make it through security checks.
    Since it was first discovered almost three years ago, ScamClub has typically targeted iOS users with malicious ads that often redirected users to sites hosting online scams that tried to collect users’ financial information.
    Its most recent operation follows the same pattern. In a campaign that appears to have started last summer, Confiant said it saw the group use a novel method to let the malicious code it typically hides in ad slots break out of the ad slot’s iframe sandbox, a browser security mechanism that prevents such code from interacting with the underlying website.
    Using a quirk in how the WebKit browser engine handles JavaScript event listeners, ScamClub has for months been delivering malicious ads that redirect users from legitimate sites to shady domains hosting gift card scams, much as it did in campaigns in previous years.


    “Over the last 90 days, ScamClub has delivered over 50 million malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16 million impacted ads being served in a single day,” said Eliya Stein, a Senior Security Engineer at Confiant.
    The vulnerability abused in these malvertising campaigns only worked with browsers using the open-source WebKit engine. This includes Apple’s Safari and Google Chrome for iOS.
    Stein said his company reported the bug to both the Apple WebKit team and Google last June. A patch for the WebKit bug shipped last December, and the fix has eventually reached Safari for macOS and iOS, released at the start of the month.
    Victims of this malvertising campaign will be hard to trace. Anyone who bought gift cards from unofficial websites using Safari or Chrome for iOS is a candidate. Users who shared payment card details with these sites should check their card history for suspicious transactions, which would suggest the group has abused their financial details or shared them with other scam groups.
    Confiant has released a list of sites where the ScamClub group hosted gift card scams as part of its recent malvertising campaign. Users can check their browser history to see if they accessed any of these sites before taking other steps to secure their payment card data.
    goodluckpig.space
    goodluckman.space
    goodluckguy.space
    goodluckdog.space
    luckytub.xyz
    luckyguys.xyz
    luckyguys.top
    hknewgood.xyz
    hknewgood.top
    usgoodwinday.top
    usgoodwinday.xyz
    2020workaffnew.top
    vip.peopleluck.xyz
    vip.fortunatefellow.xyz
    vip.fortunateman.xyz
    vip.fortunatetime.xyz
    vip.fortunatepeople.xyz
    vip.luckydevil.xyz
    vip.superlucky.xyz
    vip.luckydraw.space
    vip.hipstarclub.com
    workcacenter.space
    trkcenter.xyz
    trkingcenter.xyz
    gotrkspace.xyz
    trkmyclk.space
    dbmtrk.xyz
    trkmyclk.xyz

    Microsoft to add 'Kids Mode' to Chromium-based Edge browser

    Microsoft is continuing to try to differentiate its Chromium-based Edge browser from the competition with new features. On February 16, Microsoft made yet another of these features available to testers in the Canary Mode: Kids Mode.

    Some Edge Insider testers running the daily Canary builds will be able to test Kids Mode starting today. The Dev Channel branch should get the feature relatively soon. Kids Mode will be able to be launched through the profile picker inside Edge. Closing Kids Mode or granting an exception to it will require a device password.

    Kids Mode will make new customized themes and “child-friendly” content available on the New Tab page. It also will include privacy and security features like tracking prevention, InPrivate mode and Bing Safe Search, which filters adult text, images and videos from search results.

    I’m hearing Kids Mode won’t require a child to have a Microsoft Account or for parents to create a Family Group in order to take advantage of the feature. It also sounds as if ads won’t be shown on the New Tab Page in Kids Mode.
    Kids Mode is currently for Edge on Windows and macOS only in U.S. English.
    If you care more about enterprise features in Chredge than consumer ones, don’t forget to check out the relatively new What’s Next page on the Insider site.

    Singapore puts budget focus on transformation, innovation

    Singapore is setting aside SG$24 billion ($18.1 billion) over the next three years to help local businesses innovate and build capabilities needed to take them through the next phase of transformation. The financial boost will go towards various initiatives such as the Emerging Technology Programme, which will see the government co-fund the cost of trials and adoption of emerging technologies including 5G, artificial intelligence (AI) and cybersecurity. 
    This was necessary to ensure the country remained competitive and ready to tap future opportunities, said Deputy Prime Minister and Finance Minister Heng Swee Keat, during his parliamentary speech Tuesday detailing Singapore’s budget for fiscal 2021. He noted that last year’s series of budgets had tilted towards “emergency support” in light of the global pandemic, but there was a need to focus this year’s investment towards accelerating “structural adaptation”. 
    He pointed to the changing competitive landscape, fuelled by the speed of technological advances and reconfiguration of global supply chains, as a key driver for all stakeholders to move and respond swiftly to tap the various opportunities. 

    Heng said: “We must move from just counter-cyclical fiscal and monetary stabilisation policies, to structural economic policies to equip our businesses and workers with deep and future-ready capabilities.”
    In this aspect, the government would look to cultivate a business community “with a strong spirit of innovation” and that was “deeply connected” with Asia and the world. A range of capital also would be provided to support businesses in their transformation and ability to scale, he said.
    This would include the Corporate Venture Launchpad, which would offer co-funding for companies to build new ventures through pre-qualified venture studios. Slated for pilot this year, the new platform would be relevant for larger enterprises keen to nurture a startup mindset within their organisation, the minister explained. 
    BCG Digital Ventures, for example, is a venture studio that partnered with local food and agricultural company Olam to develop Jiva, a farmer services platform designed to help farmers increase their crop yields and connect directly with potential buyers.

    Plans also were underway to enhance the Open Innovation Platform with new features to link companies and government agencies with relevant technology providers to resolve their business challenges. A cloud-based digital bench, for instance, would be developed to facilitate virtual prototyping and testing.
    The Open Innovation Platform also offers co-funding support for prototyping and deployment, Heng said. The Building and Construction Authority, for example, was matched with three technology providers — TraceSafe, TagBox, and Nervotec — to develop tools to enable the safe reopening of worksites. These included real-time systems that enabled construction site owners to conduct COVID-19 contact tracing and health monitoring of their employees.
    Enhancements also would be made for the Global Innovation Alliance, which was introduced in 2017 to facilitate cross-border partnerships between Singapore and global innovation hubs. Since its launch, more than 650 students and 780 Singapore businesses had participated in innovation launchpads overseas, of which 40% were in Southeast Asia, according to Heng.
    He said investments would continue to go towards increased partnership and infrastructure building across the Asean region, noting that strong connectivity was essential to enable Singapore’s businesses to plug into global and regional supply chains and industry clusters. 
    Asean nations collectively were the world’s fifth largest economy, generating a GDP of $3.2 trillion in 2019, and became China’s largest trading partner last year, Heng said. With significant growth potential in the region, he said Singapore would continue to work with Asean members to enhance digital connectivity and cybersecurity, as well as further drive initiatives such as the Asean Smart Cities Network.
    These included efforts to build up a cluster of industries around medtech, food manufacturing, and electronics that were seeing growing demand across Asean. He said the Southeast Asia Manufacturing Alliance was recently launched to support such efforts, with the aim to promote a network of industrial parks to manufacturers looking to invest in Singapore and the region, and link up local companies with these manufacturers.
    To further encourage Singapore companies, large as well as small and midsize, to invest in new technologies that boost their competitiveness, the government would co-fund their adoption of digital tools and emerging technologies.
    Elaborating on the Emerging Technology Programme, Heng said the initiative would buffer the costs of trials and deployment of technologies such as 5G, AI, and “trust” technologies, and support the commercialisation of innovation. 
    A new Digital Leaders Programme also would support companies in hiring their core digital team and in developing and deploying digital transformation strategies, he said. 
    The minister added that the government would partner equity firms to offer growth capital for local businesses to transform and scale. Here, SG$500 million would be co-invested with state-run investment firm Temasek Holdings in a Local Enterprises Funding Platform, which would be managed commercially. In addition, Temasek would match the government’s investment, making SG$1 billion available in total, he said. 
    Heng also underscored the need to groom innovation leaders and businesses, especially in deep technology areas. A new Innovation and Enterprise Fellowship Programme would be established to support 500 Fellowships over the next five years. Led by the National Research Foundation (NRF), this initiative aimed to address requirements in areas such as cybersecurity, AI, and health tech, he said. He added that the NRF would work with various partners including accelerators, venture capital firms, and deep tech startups. 
    Going big on green
    With climate change “real and urgent”, funds also would be set aside to drive Singapore’s green initiatives. The country last week launched its Green Plan 2030, a decade-long plan to drive efforts in building a “green, liveable, and sustainable” home for future generations. 
    Technology, Heng said, played a key role here and would open new possibilities, having already helped Singapore address water and land constraints.
    Amongst its goals here were plans to roll out 60,000 electric vehicle charging points at public carparks and private premises by 2030 as well as a SG$30 million investment over the next five years for electric vehicle-related initiatives. 
    The government also had identified up to SG$19 billion worth of public sector green projects, including the Tuas Nexus initiative, which would be financed with green bonds. The project integrates waste and water treatment facilities as well as optimises energy and resource recovery in the solid waste and used water treatment processes, according to Heng. 

    Palo Alto Networks buys Bridgecrew for $156 million

    Palo Alto Networks said Tuesday that it was acquiring Bridgecrew, makers of a developer-centric security platform. The $156 million deal is meant to help Palo Alto Networks extend the functionality of its Prisma Cloud security platform further into the DevOps process.

    Prisma Cloud aims to help organizations securely connect office branches and mobile users to the cloud, allow for SaaS adoption with a cloud access security broker, and improve security across multi-cloud deployments. With the addition of Bridgecrew, Palo Alto Networks said it will be able to offer security across the full application lifecycle via a single platform.
    Palo Alto Networks said it was most interested in Bridgecrew’s infrastructure-as-code (IaC) approach to cloud security, in which infrastructure configuration is codified during development. The company said Bridgecrew’s IaC platform offers developers and DevOps teams a way to enforce infrastructure security standards throughout the development lifecycle. Once integrated with Prisma Cloud, developers will have security assessment and enforcement capabilities throughout the DevOps process, the company said.
    “Bridgecrew’s product embeds security into every commit, pull request and build job,” said Palo Alto Networks’ product chief Lee Klarich. “In doing so, it alerts the dev teams in realtime and in the tools they know and love so much. This is not only good for developer productivity – it also helps security teams to focus on critical runtime security threats. Both teams win in the end.”
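    What an IaC policy check of this kind looks like in practice, as an added illustration that is neither Bridgecrew’s nor Prisma Cloud’s code: a small evaluator over a Terraform-style JSON document that a commit or pull-request job can run. The sample configuration, the resource fields it inspects and the three policies (admin ports open to the world, public bucket ACLs, missing server-side encryption) are constructed for this example, and the non-zero exit code is what the build job would fail on.

```python
"""Minimal infrastructure-as-code (IaC) policy check, as an illustration of the
approach the article describes. This is not Bridgecrew's or Prisma Cloud's code;
the resource layout follows Terraform's JSON syntax (a top-level "resource" map
of type -> name -> body) and the policies are hypothetical examples.
"""
import json

# Constructed sample configuration: one security group exposing SSH to the
# internet, one exposing only HTTPS, one private encrypted bucket and one
# public, unencrypted bucket.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "ssh_open": {
                "name": "ssh-open",
                "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}],
            },
            "web": {
                "name": "web",
                "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}],
            },
        },
        "aws_s3_bucket": {
            "logs": {"bucket": "example-logs", "acl": "private",
                     "server_side_encryption_configuration": {"rule": {}}},
            "public_assets": {"bucket": "example-public", "acl": "public-read"},
        },
    }
})


def sg_world_reachable_admin_port(name, body):
    """Flag a security group that admits SSH (22) or RDP (3389) from 0.0.0.0/0."""
    for rule in body.get("ingress", []):
        if "0.0.0.0/0" in rule.get("cidr_blocks", []):
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            for port in (22, 3389):
                if lo <= port <= hi:
                    return "ingress port %d open to the world" % port
    return None


def s3_public_acl(name, body):
    """Flag a bucket whose canned ACL grants public access."""
    if str(body.get("acl", "private")).startswith("public"):
        return "bucket ACL %r is public" % body["acl"]
    return None


def s3_unencrypted(name, body):
    """Flag a bucket with no server-side encryption block (hypothetical policy)."""
    if "server_side_encryption_configuration" not in body:
        return "no server-side encryption configured"
    return None


# Policies keyed by Terraform resource type; each returns a message or None.
POLICIES = {
    "aws_security_group": [sg_world_reachable_admin_port],
    "aws_s3_bucket": [s3_public_acl, s3_unencrypted],
}


def evaluate(tf_json_text):
    """Return a sorted list of (resource_address, message) findings."""
    doc = json.loads(tf_json_text)
    findings = []
    for rtype, instances in doc.get("resource", {}).items():
        for name, body in instances.items():
            for policy in POLICIES.get(rtype, []):
                msg = policy(name, body)
                if msg:
                    findings.append(("%s.%s" % (rtype, name), msg))
    return sorted(findings)


def ci_exit_code(tf_json_text):
    """Non-zero when any finding exists, so the pull-request check blocks the merge."""
    return 1 if evaluate(tf_json_text) else 0


if __name__ == "__main__":
    for address, message in evaluate(SAMPLE_TF_JSON):
        print("FAIL %s: %s" % (address, message))
    raise SystemExit(ci_exit_code(SAMPLE_TF_JSON))
```

    The value of running this at commit time rather than against the live account is the same one Klarich describes: the developer sees the failure in the tool they already use, and the misconfiguration never reaches a running environment where a runtime team would have to triage it.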
    Palo Alto Networks also announced updates to Prisma Access on Tuesday. The updates aim to help organizations better secure their remote workforces and improve productivity with an optimized user experience. New features include ML-powered security for real-time attack prevention, and IoT security tools to safeguard devices across remote branches, sites and workers.