Privacy groups blast Google, IAB over data leak via ad auctions

Happy Data Privacy Day! You will likely be hearing a lot about how companies care about your privacy, but as the Washington Post pointed out, it’s 2019 and “big tech firms still don’t care your privacy.”

Evidence: Websites need to make money, and many do that via ads that use your data for money. While you likely know ad tracking is creepy as can be, privacy-focused browser Brave added new evidence to an ongoing GDPR complaint that shows how ad categories used by Google and the Internet Advertising Bureau (IAB) profile you and apply potentially sensitive labels to you. This new evidence describes how “ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.”

When you visit a website that uses ad auctions, personal data about you is broadcast in “bid requests.” Loading one web page can trigger numerous bid request broadcasts. In fact, it was estimated that “ad auction companies broadcast intimate profiles about an average U.K. internet user 164 times per day. These are received by thousands of companies, and there is no way of knowing what then is done with these intimate data.”

According to Michael Veale, University College London technology policy researcher, “Actors in this ecosystem are keen for the public to think they are dealing in anonymous, or at the very least non-sensitive data, but this simply isn’t the case. Hugely detailed and invasive profiles are routinely and casually built and traded as part of today’s real-time bidding system, and this practice is treated though it’s a simple fact of life online. It isn’t: and it both needs to and can stop.”

Other cybersecurity and privacy news

Japanese government will hack into citizens’ vulnerable IoT devices

Vint Cerf, one of the father’s of the internet, is concerned about the Internet of Things, specifically about all the buggy and insecure IoT devices being hacked. And he’s “enthusiastic” about development tools that Google and other companies are working on that will help expose software bugs in the devices.

On that note, thanks to a new law amendment, the Japanese government plans to hack into citizens’ IoT devices. In February, the National Institute of Information and Communications Technology will begin testing the password security of more than 200 million IoT devices by using default passwords and password dictionaries. Easy-to-hack devices will be added to a list and shared with ISPs which are to notify users about making the devices secure. Although the goal is to better cybersecurity before the Tokyo Summer Olympics in 2020, the new law allows authorities to try to gain access to IoT devices over a five-year period.

Cisco RV320/RV325 routers under attack; update firmware now

As you know, routers are a part of the IoT, and two Cisco routers, Cisco RV320 and RV325 WAN VPN routers, are under attack. After Cisco released advisories for CVE-2019-1652 and CVE-2019-1653, thanks to RedTeam Pentesting for reporting the command injection and two information disclosure flaws, security researcher David Davidson released proof-of-concept code and the search was on to find and exploit these routers.

Bad Packets published an interactive map of vulnerable devices that were found in 122 countries and on the network of 1,619 unique ISPs – a hefty portion of which are in the U.S. Bad Packets explained, “Using data provided by BinaryEdge, we’ve scanned  15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653. 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable and 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable.”

Affected users are urged to upgrade to the latest firmware version and change the device password ASAP.

Dailymotion suffers credential stuffing attack

The video-sharing platform Dailymotion admitted to being a victim of “a large-scale computer attack aimed at compromising the data of its users.” Affected users have been contacted, were part of a forced log out, and were told to change their password.

Uncover agents target internet watchdog CitizenLab

Internet watchdog group CitizenLab has been targeted by “international undercover operatives” intent on honing in on CitizenLab’s work, which repeatedly revealed details about surveillance by Israeli surveillance vendor NSO Group. NSO denied having anything to do with the undercover operations.

Citizen Lab said, “This failed operation against two Citizen Lab researchers is a new low. Citizen Lab research is public, and the evidence that we use to draw our conclusions is public as well. We have always welcomed debate and dialogue about our work, but we condemn these sinister, underhanded activities in the strongest possible terms. Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere.”

To help you smile

Since there’s little to make you smile about today’s news, I’ll leave you with this funny tidbit that was shared by security researcher Ankit Anubhav.

https://t.co/l1bqobWykN Offensive security deployed by using offensive words on hacker. 😂 pic.twitter.com/sXnUCz51eC

— Ankit Anubhav (@ankit_anubhav) January 28, 2019