Posts

FaceApp and Its Targeted Audience

[NB: Please check the byline, thanks! /~Rayne]

You may have seen the buzz earlier this week across social media when cellphone users loaded and used a mobile app which applied an aging filter to a selfie photo so users could see a predictive image of their future face.

Except the vain and foolish downloaded an app developed in Russia — an app with the most ridiculous terms of service. More at this Twitter thread by @PrivacyMatters:

The app doesn’t make it easy to find their Terms of Service (TOS) or Privacy Policy, which to me is a red flag.

Russia does not fall under the EU’s Global Data Privacy Regulation, meaning users cannot have expectations of privacy and government oversight protecting their data. Russia ratified the Council of Europe’s Data Protection Convention 108 in 2013 but this appears to be little more than a head fake when Russians have taken Facebook data and used it for adverse micro-targeting against U.S. citizens in 2016. If the convention had been taken seriously, Russia’s government would also have investigated the Internet Research Agency for abusing personal data without users’ consent after the Department of Justice indicted IRA members.

The app’s developers say users’ data isn’t hosted in Russia, clarifying after initial inquiries that only a limited amount of each users’ data was hosted on Amazon Web Services and Google Cloud — but how would the average user be able to validate this claim? The question of hosting seems at odds with the developers’ explanation that

The Democratic National Committee issued a warning to 2020 campaigns that FaceApp should not be used and should be removed from devices.

It’s ridiculous that after the DNC was hacked and state election systems breached or targeted by Russia in 2016 that any sentient Democrat working or volunteering for a Democratic candidate’s campaign would be stupid enough to download and use this app, if they even read the TOS. But the  viral popularity of the application and the platforms on which its output was most often shared likely propelled its dispersion even among those who should know better.

Which brings up the app’s targeted audience: younger people who share images frequently in social media.

The app required users’ social media identity; it captured the IMEI address of the device they were using. Imagine being able to TREASUREMAP all these users over the internet and LANs.

Finally, the app captured the users’ image for editing. Imagine this data linked to all of a user’s Facebook data, matched to their DMV records including their photo, validated by phone number if recorded by DMV.

It’d be insanely easy to ‘clone’ these users in both content and in photos and in videos using Deep Fake technology.

It’d be a snap to micro-target them for political messaging and to make threats using manufactured kompromat.

All of this should be particularly worrying since the audience for this application is the youngest voter age groups which are least likely to vote for Trump and the GOP.

And they are the largest portion of the U.S. military. Think of what the FitBit app disclosed to any snoopers watching military bases. How many users who downloaded FaceApp were active duty or their family members?

Imagine FaceApp and all the other social data, public and private, synced with their phone which reveals their physical location. These users are entirely touchable.

There’ve been quite a few rebuttals to those worried about FaceApp; most complain that such concerns are merely Russia-as-boogeyman fearmongering and that U.S. Big Tech and Chinese apps like TikTok are just as bad (or worse) about collecting too much personal data and misusing it without users’ consent. Or they minimize the risk by theorizing the estimated 150 million selfies collected may train a Russian facial recognition app without users’ consent.

Except Europeans can rely on the GDPR for recourse and Americans have recourse through U.S. laws; they can also press for changes in legislation (assuming the obstructive Senate Majority Leader pulls his thumb out of his backside and does something constructive for once).

One other concern not touched upon is that we don’t know what this particular app can do over the long run even if deleted.

Researchers looking at it now may find it is rather inert apart from the invasive collection of personal photos.

But what about future updates? Can this app push malware which can collect other information from users’ devices?

And what about the photos themselves, once captured and stored. Could the developers embed detailed tracking in the images just as Facebook has?

Bottomline: FaceApp is a huge security risk. It may not be the only one but it’s one we know about now.

We need to regulate not only personal data collection but applications which collect data — their developers must be more transparent and upfront with what the app does with data before the app is downloaded.

We also need to work with Big Tech platforms through which apps like FaceApp are downloaded. We’re back to the question whether they’re publishers or utilities and what role they play in enabling dispersion of apps which can be weaponized against users.

And we may need to institute some kind of watchdog to detect risks before they reach the public. Perhaps as part of the regulation of personal data collection a licensing or clearinghouse process should be established before apps are permitted access to the marketplace. Apple has done the best job of the Big Tech so far in policing which apps are permitted in its market. Should gatekeeping for national security interests rest solely on a few corporations, though?

 

This is an open thread.

Cyber-spawn Duqu 2.0: Was Malware Infection ‘Patient Zero’ Mapped?

Cybersecurity_MerrillCollegeofJournalismKaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.

Duqu is a known reconnaissance malware. Its complexity suggests it was written by a nation-state. The malware appears closely affiliated with the cyber weapon malware Stuxnet.

WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.

Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.

The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.

Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.

Neither WSJ or Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.

…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)

How was a single non-technical point of contact in Asia identified as a target for an infected email? Read more

Someone Treasure Mapped JP Morgan

Treasure Map

Map the entire Internet — any device, anywhere, all the time. — NSA TREASUREMAP PPT

Last week, The Intercept and Spiegel broke the story of NSA’s TREASUREMAP, an effort to map cyberspace, relying on both NSA’s defensive (IAD) and offensive (TAO) faces.

As Rayne laid out, it aspires to map out cyberspace down to the device level. As all great military mapping does, this will permit the US to identify strategic weaknesses and visualize a battlefield — even before many of adversaries realize they’re on a battlefield.

Against that background, NYT provided more details on the penetration of JP Morgan’s networks that has been blamed on Russia. The new details make it clear this was about reconnaissance, not — at least not yet — theft.

Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work.

They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack.

The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than 90 of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems.

Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access.

Though the infiltrators did observe metadata — which, the NSA assures us, is not really all that compromising.

A fourth person with knowledge of the matter, also speaking on condition of anonymity, said hackers had not gained access to account holders’ financial information or Social Security numbers, and may have reviewed only names, addresses and phone numbers.

I’m not trying to make light of the mapping of one of America’s most important banks. Surely, such surveillance may enable the same kind of sophisticated attack we launched against Iran, having done similar kind of preparation.

But we should keep in mind what the US has been doing as we consider these reports. If and when Russia or Germany catch us conducting similar reconnaissance on the networks of their private companies, they will surely make a big stink, as we have been with JP Morgan (though the response to the Spiegel story has been muted enough I suspect Germany’s intelligence services knew about that one, particularly given NSA’s reliance on Germany for targets in Africa).

But if the US is going to treat digital reconnaissance as routine spying (and the President’s cyberwar Presidential Policy Directive makes it pretty clear we consider our own similar reconnaissance to be mere clandestine spying), then we should expect the same treatment of our most lucrative targets.

That doesn’t make it legal or acceptable. But that does make it equivalent to what we’re doing to the rest of the world.

One final point. If you’re going to map the entire Internet, any device, anywhere, by definition you need to map America’s Internet as well. Are we so sure our own Intelligence Community hasn’t been snooping in JP Morgan’s networks?