Secrecy, privacy, security, intrusion

Days later. No pressure to make this statement. None at all. Right!

Not a trade war although that is part of the tool kit, but a war of wills and US supremacy.

2 Likes

From the linked article:

US counterpart Mike Pompeo said the UK had made the right “sovereign” call and Chinese “bullying” must be resisted.

Pot, meet kettle. :roll_eyes:

2 Likes

An email I received today from GEDmatch regarding a massive security breach.

Dear GEDmatch member,

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were made visible to GEDmatch users.

On Monday, July 20, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.

We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.

Further, we are working with a leading cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures. We expect the site will be up within the next day or two.

We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act.

Today, we were informed that MyHeritage customers who are also GEDmatch users were the target of a phishing scam. Please remember to exercise caution when opening emails and clicking links. Never provide sensitive information via email. If an email seems suspicious, contact the company in question directly through the phone number or email address listed on their website, not via a reply to the suspicious email. You can reach GEDmatch at gedmatch@verogen.com or (858) 285-4101. At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week. We are continuing to investigate the incident.

Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.

Sincerely,

Brett Williams
CEO, Verogen Inc.
Copyright © 2020 Verogen, Inc. All rights reserved.

Our mailing address is:
Verogen, Inc., 11111 Flintkote Avenue San Diego, CA 92121


5 Likes

This email raises a lot of questions. The most obvious: if the ‘sophisticated attack’ was made via a user account, then how was the account able to change user permissions? That sounds more like a failure in design than an ‘attack’ - someone found a vulnerability and exploited it.

Same with the ‘second breach’. May or may not have been the same attacker, but sounds like the same vulnerability.

Finally, it doesn’t matter that the DNA data is encoded if an attacker can access both that data and the encoding mechanism.

GEDmatch probably needs to find some decent lawyers, fast.

5 Likes

Thanks @Fred123. Have the same email.

Most concerning as to what else may not have been said.

GEDmatch accounts can contain much more than just DNA data and an account user's ID. It's used as a family history tool, and often to trace relationships from adoption or identify true parentage, very private circumstances for some. Direct contact details are not shared and rely on establishing contacts through GEDmatch. Thereafter there is the option to continue to communicate using private email etc. using their natural identities. I read the note to suggest this other content may have been exposed.

3 Likes

Possibly should have been posted here: Data Breaches 2016 to 2021

Likely, yes, a privilege escalation attack.

The underlying problem would seem to be the fundamental idea and why this breach is relevant to this topic: opt-in for law enforcement matching.

On what planet would anyone think it appropriate that this data be used by law enforcement?

Of course, collect it and they (law enforcement) will come.

One could, partly facetiously, suggest that the first hack was a state actor (law enforcement) needing access to the data for someone who had opted out of sharing their DNA with law enforcement and the second hack was a privacy vigilante denying law enforcement access to everything.

For this site in isolation, it would not seem to matter. However, as with passwords generally, it could matter. I am assuming that the encoding is one-way i.e. irreversible i.e. hash-like in nature.

(That might mean though that the hash is not salted, since it is intended for bulk comparison against a known sample, which in turn may mean that it is vulnerable to generating tables for reversing it.)

I would check the FAQ on their web site in order to get greater clarity on these points but … for the above reason, the web site is completely down while they sort out their security.

4 Likes

Law enforcement in the US allegedly solved a ‘cold case’ because a fourth cousin of the murderer had submitted their DNA to GEDmatch.

I say allegedly because the coincidences involved bear the hallmarks of ‘parallel construction’.

One suspects that certain law enforcement and/or ‘intelligence’ agencies noticed the ‘breach’ very quickly and did what they could to grab everything in sight. (Were I in that kind of role, I would want to have bots out on the web sniffing whatever they can whenever they can from such websites.)

The assumption that the data is hashed is a big one in itself. The company states that it is ‘encoded’ - leaving questions about how this encoding occurred and whether it is reversible whether using rainbow tables or some other means.

5 Likes
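The two posts above turn on whether the stored "encoding" is a plain one-way hash (which supports bulk comparison but can be tabulated), a salted hash (which resists tables but breaks bulk comparison), or something else. The script below is an added example, not code from GEDmatch or from anyone in this thread, and it uses a constructed toy input space (six-letter strings over ACGT) and made-up sample values. It shows the trade-off concretely and adds a third option the posts do not mention, a keyed hash (HMAC) with the key held outside the data store, which keeps bulk matching cheap while making a stolen table useless on its own.

```python
"""
Unsalted vs salted vs keyed one-way encoding: added example, not from
GEDmatch or the posts above.  All inputs are constructed toy values.
"""
import hashlib
import hmac
import itertools
import os

# Constructed, deliberately tiny input space: 4**6 = 4096 possible values.
# Real data is far larger; the point is that any finite, enumerable space
# can be tabulated once and the table reused against every stored record.
ALPHABET = "ACGT"
LENGTH = 6


def all_inputs():
    for tup in itertools.product(ALPHABET, repeat=LENGTH):
        yield "".join(tup)


def unsalted(value: str) -> str:
    """Plain SHA-256: one-way, but identical input -> identical output everywhere."""
    return hashlib.sha256(value.encode()).hexdigest()


def salted(value: str, salt: bytes) -> str:
    """Per-record random salt: same input hashes differently in each record."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def keyed(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key that is NOT stored beside the records."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_lookup_table(encode):
    """Precompute encode(x) -> x over the whole space (one pass, reused forever).
    This is the 'table for reversing it' the post worries about."""
    return {encode(x): x for x in all_inputs()}


def demo():
    originals = ["ACGTAC", "TTGACA", "GGGGGG"]   # constructed records
    sample = "TTGACA"                            # constructed 'known sample'
    key = os.urandom(32)                         # assumed: kept off the data store

    # 1. Unsalted: a single precomputed table reverses every record.
    table = build_lookup_table(unsalted)
    stored = [unsalted(v) for v in originals]
    recovered_unsalted = [table.get(h) for h in stored]
    # Bulk matching is one hash of the sample, then pure comparison.
    matches_unsalted = [unsalted(sample) == h for h in stored]

    # 2. Salted: the same table matches nothing, but bulk matching a sample
    #    against N records now costs N separate hash computations.
    salts = [os.urandom(16) for _ in originals]
    stored_salted = [salted(v, s) for v, s in zip(originals, salts)]
    recovered_salted = [table.get(h) for h in stored_salted]
    matches_salted = [salted(sample, s) == h for s, h in zip(salts, stored_salted)]

    # 3. Keyed: bulk matching is again one hash of the sample, yet a leaked
    #    table of stored values cannot be tabulated without the key.
    stored_keyed = [keyed(v, key) for v in originals]
    recovered_keyed = [table.get(h) for h in stored_keyed]
    matches_keyed = [keyed(sample, key) == h for h in stored_keyed]

    return {
        "recovered_unsalted": recovered_unsalted,
        "matches_unsalted": matches_unsalted,
        "recovered_salted": recovered_salted,
        "matches_salted": matches_salted,
        "recovered_keyed": recovered_keyed,
        "matches_keyed": matches_keyed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The keyed variant only helps if the key really lives somewhere an attacker with database access cannot reach (an HSM or a separate service); as an earlier post notes, encoding buys nothing if the attacker gets both the data and the encoding mechanism.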

rot13 encoding?

I hear a song playing in my distant memory …

Cattle and horses have escaped, so we’ve hired the best cowboys … now … they are on foot, and running fast, but they are the best …

… as do their shareholders …

5 Likes

ACCC takes Google to court for misleading consumers on targeted ads

The Australian Competition and Consumer Commission announced on Monday it had commenced proceedings claiming Google failed to properly inform consumers and did not get their explicit informed consent to expand the scope of personal information that it could collect and combine a user’s activity on non-Google sites with the information on their Google accounts.

Google disputes the allegations and said it intends to defend its position.

5 Likes

I remained puzzled for a few days, and finally did an image search. Imagine my horror when Google claimed that this was One Direction. Further suggestions included Gwen Stefani, but eventually a Czech site directed me to Dead or Alive.

Problem solved, and as a bonus the opportunity to feel superior about my taste in music. (Oh, wait - I own that song.)

4 Likes

Interesting blog post by the Proton mob, in relation to the Big 4 Tech companies fronting Congress this week.

5 Likes

It appears that Nielsen is the latest target for hacking. In terrible news for anyone who actually watches TV, this means the delay in the latest TV ratings!

Were I one of Nielsen’s data points I would be extremely concerned, regardless of the company’s statement that:

Nielsen can confirm, however, that all households are still collecting viewing data and that referencing sites have not been impacted.

Oh, and at the time of writing Telstra is apparently having problems with a Denial of Service (DoS) attack on its Domain Name System (DNS) servers. (Poor Gizmodo got this initialism wrong.)

If you are up to changing your own DNS settings, there are plenty of options available including encrypted DNS over HTTPS (Hyper Text Transport Protocol - Secure) so your Internet provider cannot simply vacuum up details on every site you visit.

4 Likes
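The post above recommends DNS over HTTPS without saying what it changes on the wire. The following is an added example, not from the post or any resolver operator: it builds a minimal DNS query message offline and wraps it in the RFC 8484 GET form (the `dns=` parameter carries the raw message as unpadded base64url), then decodes and parses it back the way a resolver would. The resolver URL `https://dns.example/dns-query` is an assumed placeholder; nothing is sent over the network.

```python
"""
DNS-over-HTTPS (RFC 8484) query construction, added example.
The resolver URL is an assumed placeholder; the message is never sent.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query: 12-byte header plus one question.
    RFC 8484 section 4.1 says DoH clients SHOULD use ID 0 so that identical
    queries produce identical HTTP requests (better caching)."""
    flags = 0x0100                         # RD (recursion desired) set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                            # root label terminates the name
    question = qname + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: base64url, padding stripped, in the 'dns' query parameter."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def decode_doh_param(param: str) -> bytes:
    """What the resolver does on receipt: restore padding, decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes) -> dict:
    """Read the header counts and the first question back out of a message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"txid": txid, "rd": bool(flags & 0x0100), "qdcount": qd,
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


def doh_request_for(name: str, resolver_url: str = "https://dns.example/dns-query") -> dict:
    """Assemble the pieces a DoH client would send (never actually sent here)."""
    query = build_dns_query(name)
    return {
        "method": "GET",
        "url": doh_get_url(resolver_url, query),
        "headers": {"accept": "application/dns-message"},
        "wire_query": query,
    }


if __name__ == "__main__":
    req = doh_request_for("example.com")
    print(req["url"])
    print(parse_question(decode_doh_param(req["url"].split("dns=", 1)[1])))
```

Because the whole exchange rides inside an ordinary TLS session to the resolver, an on-path observer such as the ISP sees only a connection to the resolver, not the names being looked up. The resolver itself still sees every query, so choosing DoH really means choosing whom to trust with that data rather than eliminating the trust.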

questioned by Rep. Hank Johnson about its monopoly on app distribution on its smartphones

This is a complicated area for the politics of regulation because actually governments like this. If Apple didn’t control the distribution of apps on the phones, it would be much more difficult for government to control the distribution of apps on the phones.

I would go even further, if Apple didn’t control the distribution of apps on the phones then the government’s Backdoor legislation would be used to force Apple to put in that level of control (not just in Australia but in the UK or in China, for example).

After all, we can’t have the masses installing apps that the government doesn’t approve of.

It is fairly difficult to argue that Apple, with a declining global market share of just 25% in the smartphone market, is a “monopoly” as such (assuming we are only talking about phones because its share in the desktop/laptop market is even smaller). However clearly it is a significant player, and in any case “monopoly” can look at subsets of the market e.g. segmented by geography or segmented by product type.

2 Likes

I would instead suggest that it is part of an oligopoly.

5 Likes

And yet, they do. Governments don't have control. That is a step too far, where is your tinfoil hat?

You ain't seen nothin' yet but from your linked article:

We [ProtonMail] have experienced Apple’s problematic behavior first-hand with our ProtonVPN iOS app, in which they threatened to remove our app entirely unless we deleted information from our app description that the Chinese and other authoritarian governments deemed objectionable.

ProtonMail can pretend that the problem here is Apple but who believes that?

In this case, for now, it doesn’t seem that the Chinese government insisted on the removal of the app, just alteration of the description. (It would be amusing to know what the description change was!)

It would seem to be a small further step for the Chinese government to force Apple to remove the app completely. If Apple doesn’t comply then the Chinese government - GFWC - blocks the AppStore and all new iPhones become largely useless and hence no further iPhones are sold in China. Governments also have other ways of harassing a company e.g. physically blocking imports or, in the case of iPhones, shutting down the factory (which would be most devastating for Apple) or e.g. interfering with normal operation of all iPhones.

Money talks. So the app goes.

The only good news would be that one could guess from a government’s wanting to remove an app that the app is effective i.e. does bypass government surveillance and censorship. When governments no longer want to do this you might guess that there is a bigger problem e.g. encryption broken or e.g. client endpoint broken or e.g. less plausibly, server endpoint broken.

1 Like

ProtonMail referred to Chinese “and other authoritarian governments”. This presumably includes the US, and undoubtedly Australia would be on the list as it requires back-doors on demand.

The obvious solution for Apple and/or ProtonMail is to stop offering the app in certain markets. This already happens - I don’t know why it should be a sudden issue specific to ProtonMail.

Of course Apple is not an open platform. Android is more open but still has controls - largely to protect users, but also in some cases to protect Google. Windows and Linux are probably the only reasonably open platforms you can find in the sense that anyone with the skillset can write and publish software for them. Microsoft has tried to wind this back with Windows RT and the Windows Store, but is fighting an uphill battle. Linux is open by design.

1 Like

The word “solution” should be in quotes in your sentence. Not offering the app in a market is not a solution. It’s a surrender.

I think that they were just illustrating their point (and Congress’s point) - that Apple’s “monopoly” control over what apps are available in the Apple AppStore is a problem - but in doing so illustrated the real point - that the government’s control over what apps are available in the AppStore is the real problem - at least in the case of ProtonMail’s app, where it has attracted the attention of “authoritarian governments”.

1 Like

So, for example, an Australian ban on an Afghan app that helps the user find the right child bride would be a surrender?

We have a world that is made of countries and their governments. Whether this is ‘right’ or not is not the issue under debate - it is a fact. Another fact is that different countries and governments have different norms. I chose a relatively extreme example to illustrate my point, but more broadly as soon as you start saying that governments should or should not do this or that you are heading down a potentially very dangerous path.

Would I like to live in China? No - but over a billion people do live there and the society functions. Does it function the way I would like it to function? Not my business, sorry - any more than I should tell the British or the US how idiotic they have been in their recent leadership choices.

We live in a world with various shades of grey, but our politicians and media want it to be black and white. I do not trust China’s politicians any more than I trust our own - but I would like to hear reality-based reporting and see governments that actually work for their citizens for a change. Not sure that makes me pro-China, but it probably makes me anti-most current governments.

And to be clear, China is not just a government - it has people, a lot of whom have made their way out of poverty over the last couple of decades. That suggests to me that at least something is being done correctly there.

3 Likes

That may be so but then what business is it of an authoritarian (or otherwise) government to dictate to a foreign company how it operates?

I understand that said government can do that - based on all the coercive measures available to it.

Case in point: China demands that Qantas list flights to Taiwan as being flights to China (Chinese territory).

However the internet blurs those lines. Governments are fighting for, and sometimes getting, local relevance - in a world where app user (customer), app store server, phone manufacturer, app author, app author’s server, peer, … may all be located in different countries, and may change country in a millisecond in the case of the server locations.

1 Like