A recent cybersecurity incident revealed how a single vendor's software update can disrupt major airlines and hospitals. Google's reversal on third-party cookies raises concerns about online privacy. The ethical dilemmas of using mobile ad location data to track individuals are scrutinized. The episode also covers a long-standing privacy failing in Venmo's public contact lists, leaked documents on which phones Cellebrite can and cannot unlock, and sextortion scams that target minors. Plus, useful tips on removing your public data from the web are shared.
AT&T's six-figure payment to a hacker highlights weak data security practices and the troubling normalization of ransom-like transactions after data breaches.
Google's reversal on phasing out third-party cookies illustrates the complexities of privacy policy changes amidst strong industry resistance and the need for better user control.
The global outage caused by a faulty CrowdStrike update underscores the need for rigorous testing and staged rollouts of software updates that run on systems underpinning essential services.
Deep dives
AT&T's Payment Controversy
AT&T's decision to pay a hacker roughly $373,000 to delete stolen customer data raises significant concerns about data security practices. Paying for deletion buys only a promise: the payment removed an immediate threat of publication, but it cannot prove the data was erased, and copies may already be circulating. The incident shows how breaches and the responses to them increasingly resemble ordinary business transactions. The involvement of a middleman points to an emerging business model in which "recovery" and deletion of stolen data are monetized.
Google's Cookie Dilemma
Google has officially abandoned its plan to phase out third-party cookies in its Chrome browser, surprising many who expected a stronger stance on privacy. Instead of blocking these cookies by default, Google says it will introduce a new system that gives users more control over their data choices, developed in consultation with regulators and industry players. The change follows extensive feedback from stakeholders, including complaints from advertising interests. Google's dominant position in web browsing, and its own reliance on advertising revenue, complicate the landscape: any shift in Chrome's privacy defaults will meet significant industry pushback.
Privacy Implications of Location Data
The Heritage Foundation's claim that it used mobile ad location data to track the movements of the man who attempted to assassinate Donald Trump illustrates the privacy risks of location tracking technology. It shows how readily available data, collected for advertising, can be repurposed for politically motivated tracking by a private organization with no law-enforcement role. The episode blurs the line between legitimate use and invasive surveillance, and it raises alarms about the potential for misuse by parties ranging from political groups to private companies.
Sextortion Scams on Social Media
Meta's takedown of thousands of accounts linked to sextortion scams, many operating from Nigeria, reinforces growing concerns about online safety, particularly for minors. Recent reports indicate a sharp rise in sextortion cases, primarily targeting teenage boys, in which victims are manipulated into sharing explicit images and then extorted for money. Meta removed accounts and groups operating as part of a larger scheme, emphasizing the need for vigilance against these tactics. Users are advised to treat unsolicited messages with suspicion and to refrain from sharing explicit content, as the consequences of these scams can be severe.
CrowdStrike's Software Outage Incident
A recent outage caused by a faulty CrowdStrike Falcon update exposed how dependent critical services such as hospitals and airlines are on a single security vendor. The update, a content (configuration) update to the sensor rather than a new software release, crashed Windows hosts worldwide into boot loops, leaving many machines unable to start without manual recovery. The incident underscores the need for rigorous testing and staged, controlled rollouts of updates so that a bad release is caught on a small canary set before it reaches an entire fleet. It is also a reminder to invest in resilient architecture and to prepare organizational response plans for disruptions caused by software malfunctions, not only by attacks.
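The following is an added illustration, not code from the episode or from CrowdStrike, of the ring-based rollout gate the paragraph argues for. A hypothetical fleet is updated one ring at a time, and promotion stops at the first ring whose crash rate exceeds an assumed budget, so a bad update touches two canary hosts instead of all hundred. The host names, ring sizes and the 1% crash budget are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical fleet: each host is tagged with a deployment ring (0 = canary).
@dataclass
class Host:
    name: str
    ring: int
    healthy: bool = True

# Rings are promoted in this order; ring N receives the update only if every
# earlier ring stayed within the crash budget after the update landed.
RING_ORDER = [0, 1, 2]
MAX_CRASH_RATE = 0.01  # assumed budget: more than 1% crashed hosts halts the rollout


def apply_update(host: Host, update: Callable[[Host], bool]) -> None:
    """Install `update` on one host; the callable returns True if the host stays up."""
    host.healthy = update(host)


def ring_crash_rate(hosts: List[Host], ring: int) -> float:
    """Fraction of hosts in `ring` that are no longer healthy."""
    members = [h for h in hosts if h.ring == ring]
    if not members:
        return 0.0
    return sum(not h.healthy for h in members) / len(members)


def staged_rollout(hosts: List[Host], update: Callable[[Host], bool],
                   max_crash_rate: float = MAX_CRASH_RATE) -> Dict[str, Optional[float]]:
    """Push `update` ring by ring, halting at the first ring over budget.

    Returns the ring at which the rollout stopped (None if it completed),
    how many hosts received the update, and the crash rate that tripped the gate.
    """
    touched = 0
    for ring in RING_ORDER:
        for host in [h for h in hosts if h.ring == ring]:
            apply_update(host, update)
            touched += 1
        rate = ring_crash_rate(hosts, ring)
        if rate > max_crash_rate:
            return {"halted_at_ring": ring, "hosts_touched": touched, "crash_rate": rate}
    return {"halted_at_ring": None, "hosts_touched": touched, "crash_rate": 0.0}


def push_everywhere(hosts: List[Host], update: Callable[[Host], bool]) -> int:
    """The no-gate alternative: update every host at once; returns the number that crashed."""
    for host in hosts:
        apply_update(host, update)
    return sum(not h.healthy for h in hosts)


def build_fleet() -> List[Host]:
    """Constructed sample fleet: 2 canaries, 8 early adopters, 90 general hosts."""
    fleet = [Host(f"canary-{i}", 0) for i in range(2)]
    fleet += [Host(f"early-{i}", 1) for i in range(8)]
    fleet += [Host(f"prod-{i}", 2) for i in range(90)]
    return fleet


def good_update(host: Host) -> bool:
    """A benign update: every host keeps running."""
    return True


def bad_update(host: Host) -> bool:
    """Models a content file that crashes every host it lands on."""
    return False


if __name__ == "__main__":
    print("staged, good update:", staged_rollout(build_fleet(), good_update))
    print("staged, bad update: ", staged_rollout(build_fleet(), bad_update))
    print("big-bang, bad update, hosts crashed:", push_everywhere(build_fleet(), bad_update))
```

The gate here is deliberately crude (a synchronous crash check rather than a soak period with telemetry), but the shape is the point: the blast radius of a bad update is bounded by the size of the first ring, not the size of the fleet.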
Last week, we all learned about a company called CrowdStrike that apparently has the capability to single-handedly bring multiple airlines, hospitals and other large companies to their knees in an instant. There are many lessons we should be learning from this incident, though I'm not going to hold my breath. I'll tell you what happened and what I think we should be doing to avoid a repeat of this incident in the future.
In other news: Google finally throws in the towel on blocking third-party cookies; a private organization claims to have gained access to advertising-based location data on Trump's shooter; Republican VP candidate JD Vance forgets to make his Venmo data private; leaked docs show what phones Cellebrite can and can't hack; Meta takes down thousands of accounts related to sextortion ring; and for my Tip of the Week, we'll tackle part 1 of my article on deleting your public data from the web.
Article Links
[AppleInsider] Google gives up on Chrome plan to ditch third-party cookies https://appleinsider.com/articles/24/07/23/google-gives-up-on-chrome-plan-to-ditch-third-party-cookies
[404media.co] Heritage Foundation Claims to Use Location Data to Track Trump Shooter's Movements https://www.404media.co/heritage-foundation-claims-to-use-location-data-to-track-trump-shooters-movements/
[9to5Mac] J.D. Vance Venmo connections public, as privacy failing still in place six years later https://9to5mac.com/2024/07/19/jd-vance-venmo-connections-public/
[404media.co] Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock https://www.404media.co/leaked-docs-show-what-phones-cellebrite-can-and-cant-unlock/
[The Washington Post] Meta takes down thousands of Facebook, Instagram accounts running sextortion scams from Nigeria https://www.washingtonpost.com/business/2024/07/24/meta-nigeria-sextortion-scam-instagram-facebook/fce496c6-49b8-11ef-9149-c75da5dd9201_story.html
[Schneier Blog] The CrowdStrike Outage and Market-Driven Brittleness https://www.schneier.com/blog/archives/2024/07/the-crowdstrike-outage-and-market-driven-brittleness.html
Tip of the Week: OSINT Reconnaissance: https://firewallsdontstopdragons.com/osint-reconnaissance/
Further Info
Book surge results: https://fdsd.me/booksurge
Moxie Marlinspike (Signal) on Cellebrite vulnerabilities: https://signal.org/blog/cellebrite-vulnerabilities/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:51: AT&T breach update
0:01:44: News rundown
0:03:56: Google gives up on Chrome plan to ditch third-party cookies
0:08:28: Group Claims to Use Location Data to Track Trump Shooter's Movements
0:13:42: J.D. Vance Venmo connections public
0:19:28: Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock
0:27:35: Meta takes down thousands of accounts running sextortion scams
0:31:21: Lessons from the CrowdStrike Outage
0:44:52: Tip of the Week: OSINT Reconnaissance
0:55:20: Book surge report
0:57:06: More help will be needed
0:58:10: Looking ahead