Daily Digest (7/21)

DHS Fears Widespread Mask-Wearing Will Break Facial-Recognition Software; UK Admits Breaking Privacy Law With NHS Test-and-Trace Program; 7 ‘No Log’ VPN Providers Accused of Leaking 1.2TB of User Logs Onto Internet; Twitter Hack Targeted 130 Accounts, Breached Personal Information. Click “Continue reading” below.

DHS Fears Widespread Mask-Wearing Will Break Facial-Recognition Software

U.S. Department of Homeland Security officials expressed concern that the widespread use of face masks would impede the agency’s facial-recognition surveillance technology.

The revelation came in a document leaked by Anonymous in their “BlueLeaks” hack of law-enforcement agencies and first reported last week by The Intercept.

The information purportedly came from the Counterterrorism Mission Center.

According to the DHS bulletin: “Violent extremists and other criminals who have historically maintained an interest in avoiding face recognition are likely to opportunistically seize upon public-safety measures recommending the wearing of face masks to hinder the effectiveness of face-recognition systems in public spaces by security partners.”

DHS acknowledged that the Centers for Disease Control and Prevention (CDC) urged people to wear masks for their safety.

However, the document admitted that DHS had “no specific information that violent extremists or other criminals in the United States are using protective face coverings to conduct attacks.”

But the agency speculated that such a threat was possible because “some of these entities have previously expressed interest in avoiding face recognition and promulgated simple instructions to conceal one’s identity,” according to the report.

Sources (all sources external links):

UK Admits Breaking Privacy Law With NHS Test-and-Trace Program

The U.K. government broke the law in rolling out its test-and-trace program without a full assessment of the privacy implications, the Department of Health and Social Care has admitted after a legal challenge.

The program already has led to three data breaches involving email mishaps and unredacted personal information being shared in training materials, The Guardian reports.

“The reckless behavior of this government in ignoring a vital and legally required safety step known as the data-protection impact assessment (DPIA) has endangered public health,” said Jim Killock, executive director of the Open Rights Group (ORG). “We have a ‘world beating’ unlawful test-and-trace program.

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the program without basic privacy safeguards,” Killock added. “The government bears responsibility for the public health consequences.”

A DPIA is required before carrying out any “high-risk” processing of personal data, the Guardian reports.

The government had argued that the test-and-trace programs, which involve carrying detailed personal information from patients across the country, did not qualify as high risk, until the ORG threatened to take it to court over the claim.

A DHSC spokesperson told the Guardian that the department had “undertaken a number of separate DPIAs covering the constituent parts of the NHS test-and-trace service” and that an “overarching DPIA” was “in development.”


7 ‘No Log’ VPN Providers Accused of Leaking 1.2TB of User Logs Onto Internet

Seven “zero-logging” VPN providers have been accused of storing more than a terabyte of user logs on their servers unprotected, making them available to the open internet.

The data included clear-text passwords, personal information and lists of websites visited — all for anyone to stumble upon, TheRegister.com reports.

The breach was discovered July 1 by Bob Diachenko of the U.K.’s Comparitech Ltd., who found 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.

The silo contained streams of log entries as netizens connected to UFO’s service.

The data included account passwords in plain text, VPN session secrets and tokens, IP addresses of users’ devices and the VPN servers they connected to — along with connection timestamps, location information, device characteristics and OS versions, and web domains from which ads were injected into the browsers of UFO’s free-tier users.

UFO has stated in its privacy policy: “We do not track user activities outside of our site, nor do we track the website browsing or connection activities of users who are using our services.”

More than 20 million entries were added a day to the logs, according to Comparitech, and UFO boasts on its website that it has 20 million users.

Diachenko said he alerted the provider to the misconfiguration on July 1, the day he found the unprotected database, yet has heard nothing back, TheRegister.com reports.


Twitter Hack Targeted 130 Accounts, Breached Personal Information

Last week’s Twitter hack of named verified accounts included disclosures of personal data from 130 targeted accounts — allowing access to email addresses, phone numbers and potentially more information.

Eight unverified accounts had direct messages, tweets and profile information downloaded by hackers in the July 15 attack, Twitter said in a Saturday blog post.

“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” the company said.

“As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,” the post continued. “For 45 of those accounts, the attackers were able to initiate a password reset, login to the account and send tweets.

“We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken,” the company said. “In addition, we believe they may have attempted to sell some of the usernames.”

As a result of the hack, U.S. Sen. Josh Hawley, R-Mo., sent a letter to Twitter CEO Jack Dorsey last week, calling on Dorsey to reach out to the Justice Department and the FBI about the attack and demanding that the company disclose whether anyone’s data had been stolen in the breach.

In addition, Democratic Sen. Ron Wyden, Ore., also demanded that Twitter improve security around its messaging systems.


—  By DPN Staff