Recorded January 28, 2020 at G-Unit Studios in Rhode Island!
Security Weekly News -- Week of 28 -- January -- 2020
- As all modern vehicles get connected, all vehicles can be hacked
- Misinformation on the internet? No way. Big players focus on health scares due to coronavirus
- Jersey police are barred from using Clearview.
- London Metro Police say full steam ahead on facial recognition.
- Twitter bars Clearview and sends them a nasty letter.
- 5g from Huawei dangerous? The UK says not but the US says Yes!
- Oh, and don't go to China for a while.
- CDC report on the Coronavirus.
- Cisco has a vulnerability in Webex Meetings that may let uninvited guests join the party.
- Intel says a third patch is now available for Zombieland 2.
- Coveware reports said that ransomware payments increased over 100% in Q4 of 2019.
- Reuters said that insurance prices had risen up to 25% due to ransomware and losses in 2019.
- NIST published guidelines this week for ransomware defense.
- NIST guidelines
- NFL teams twitter accounts hacked.
- Impossible Pork!
Expert Commentary: Jason Wood
This story goes into the “why am I not surprised” category of news. Motherboard and PCMag worked together on an investigation into Avast’s data collection and reselling services and came up with some results that people may not have known. The basics are this. Avast uses its antivirus software to collect information about users’ web browsing habits, their search engine queries, and the clicks they perform. They claim to then de-identify the data and then resell it via a subsidiary to companies who can use it for their own needs. There are several problems here, but the basic issue is that users have little idea of what is being collected or why.
Avast reports that they have “435 million active users per month” and their subsidiary Jumpshot claims data on 100 million different devices. The data collected by Avast is authorized by the users via an opt-in mechanism. I assume this would be that checkbox that we see when installing an app that allows a company to collect diagnostic data and other information about what goes on in the app. Without fail, these opt-ins appear to be vague and promise not to collect any data that would allow me to be identified. I personally have always been wary of these promises and the vague nature of what will be collected.
In the case of Avast, the data collected includes search terms, links clicked, and even actions performed on individual web pages. Avast claims that they do not collect any information about the user themselves and only tie the data back to the device using a unique ID for each install of the software. The only way this can be changed is to uninstall and reinstall the application. The data is sent to Jumpshot where it is packaged up for resale in different services. This data is presumably of interest to the marketing teams of Jumpshot’s customers. Several of Jumpshot’s customers are listed in the article and several are rather ironic. (Really, Google needs to be search term and web activity data??)
There are several things that are mentioned that seem rather questionable to me. Not in the sense of being illegal, but Avast does appear to be playing some games to keep their data collection going. Initially, a lot of this data was coming from browser extensions that are supposed to protect users from going to malicious sites. Mozilla and Opera found out about the collection efforts and pulled the extensions from their marketplaces. Avast realized that they couldn’t rely on the browser makers for an uninterrupted flow of data, so they’ve moved the collection function into the core AV software itself. So they know this is a bit dodgy into people, so they are making it more difficult to avoid.
The idea of this is also just questionable to me. Avast advertises that they are selling an application to help secure users' systems. They then collect user data and sell it to others. No installed Avast with the idea that they were opening themselves up to this type of monitoring. It is possible that Avast took this route to allow them to get at least some revenue from their free antivirus software. While wanting to stay in business while offering a free tier product is understandable, I really don’t like this type of activity. It seems somewhat dishonest to me.
And finally, it is noted that there are some concerns about just how anonymous the data actually is. Günes Acar, a researcher who works at a university group that studies large scale internet activity monitoring, states that data de-identification is an error-prone process and can be eventually pointed back to the person that was supposedly unidentifiable. Acar states, "Most of the threats posed by de-anonymization—where you are identifying people—comes from the ability to merge the information with other data.” So even if you are anonymized in one data set, another data set may unmask you.
There’s not much that we as individuals may be able to do regarding this type of activity. We can notify lawmakers and regulatory organizations. We can let other people know about it so that they can protect themselves. One of the effects of our connected world is that being online and avoiding tracking is not a simple process. Governments and businesses all have an interest in what we are doing online. Either because they want to make money off of our activities or because they are concerned people might be up to something against the law. In this case, we can see how easy it is to fall into a very detailed tracking system without realizing it. If this concerns you, then be sure to keep opting out of the collection of “diagnostic data” on all software installs. It won’t provide complete protection, but we can at least avoid that level of collection.