Daily Demand for VPNs Spikes in Iran Following Protests

According to a report from Top10VPN.com, demand for VPNs in Iran rose by 3000% over the month of September. The spike comes after the Iranian government implemented a social media blackout in response to countrywide protests following the death of 22-year-old Mahsa Amini while in police custody.

Iran already blocks many social media services. However, following the start of the protests, the country’s government began blocking WhatsApp and other previously unblocked sites. Eventually, the block extended to basic online services. In response, the US government loosened certain restrictions to allow US companies to help Iranians more easily access online services. Many Iranians have flocked to tools like Outline to create and maintain VPN networks.

Google Shared Data About Users With Russian Company Currently Sanctioned By US Government

A recent investigation by ad analysis firm Adalytics found almost 700 instances of Google sharing sensitive user data with RuTarget, a company currently under US sanctions. RuTarget is owned by Sberbank, and both companies are under US sanctions since February 24. That means no US companies are allowed to have any business transactions with them. Despite this, Adalytics found that RuTarget was able to access information such as mobile phone IDs, IP addresses, location information, and details about users’ interests and online activity as late as June 23, 2022, almost four months after the initial bans were initiated.

Anti-Encryption Legislation Clears Senate Hurdle

An anti-encryption bill disguised as child safety legislation has cleared the Senate Judiciary Committee and will be reintroduced on the Senate Floor. The bill contends to hold companies liable for users who may upload child sexual abuse material (CSAM) to their sites. While this is an important issue, it is already addressed in other, settled legislation. But what is this really about?

Lawmakers want to force companies to include backdoors in their end-to-end encrypted systems to allow them to be monitored for CSAM. Many in the tech community feel like this is a slippery slope to a surveillance state, where private companies are forced to spy on their own users for the government. Once the government gets a small peek into private conversations, who knows where it could end, and many feel this is an attack on encryption itself.

Google Revises Third Party Cookie Plan Again

Early last year, Google announced their plan to replace third-party cookies with FLoC (Federated Learning of Cohorts), which was quickly met with criticism. Privacy advocates noted that advertisers could still easily gather individual user information with FLoC as it could add to your digital fingerprint just a little too much.

Instead, Google will assign five topics out of 350 to each individual user to help their advertising partners decide how to best sell to potential customers. Topics would be tied to each user for just 3 weeks before dropping off, and random fake topics would be sent to partners 5% of the time to make it even more difficult to trace. Could this be the future of non-personal advertising campaigns?

IRS Starts Requiring Biometric Information

The IRS is now starting to require taxpayers to utilize facial recognition to access the IRS website. While this is being done to thwart identity thieves from stealing tax refunds, the IRS has contracted a private company, rather than administer the program themselves. Of course, this means that a random company will now have access to your biometric profile.

What’s worse is that the company, ID.me, forces you to agree to terms of service where they can share your data with the police, government and random “select partners.” On top of this, creating your biometric profile can take upwards of 3 hours, or even more if it cannot be automated! Unfortunately, the move is part of a growing trend by companies, local governments, and even nations to embrace the use of biometric data for a variety of purposes, so biometric profiles may be here to stay.

Italy to Commence Crackdown On Cookie Consent

Italy’s Data Protection Authority (Garante) will start enforcing new cookie guidelines for websites starting January 10, 2022. One of the guidelines is something you’ve likely seen on many websites: a cookie banner requesting permission to place/use cookies. All companies based in Italy as well as those with customers in Italy will have to abide by the new guidelines.

This is an effort by the Italian Government to ensure GDPR compliance within their country. For consumers, it is a small boost to online privacy, though most consumers will simply click “Allow” to get rid of the banner as quickly as possible, as many websites make things difficult if you decline.

Log4Shell Vulnerability Threatens the Internet

A critical flaw called Log4Shell has been discovered in the Apache Log4j Java-based logging utility which is used worldwide. The vulnerability was being exploited for at least 9 days before it was disclosed to the public, and its use has only gotten worse since then. Log4Shell can allow a hacker to easily execute remote code on services such as Cloudflare, iCloud, AmazonAWS, Tencent QQ, and more. 

Tenable said that this is “the single biggest, most critical vulnerability of the last decade,” and the flaw has a CVSS rating of 10, the highest possible score. Anyone with an internet-facing server should act quickly to patch their systems, lest they be used as attack vectors to deliver ransomware, cryptominers, or steal data.

Verizon Disregards Opt-Outs of Customer Information

Verizon has decided that simply changing the name of their “Verizon Selects” program to something else gives them carte blanche to scan user search and website history. With the changeover to “Verizon Custom Experience Plus,” the company has re-enrolled customers that previously opted out of browser and app-usage history collection. Verizon has advised customers who previously opted-out to opt-out again if they do not wish to have their data tracked.

The company claims that their programs do not use location detail or specific customer identification and that they don’t sell the information. However, they still say that they share the collected information with “service providers who work for us.”

More Netgear Stock Firmware Flaws Emerge

By now, you may be tired of hearing about all of the flaws that stock router firmware has. Well, once again it has been discovered that Netgear firmware allows attackers to snoop on private internet use. This is why it is so important to make sure you’re using a router with DD-WRT open-source firmware on it, like the ones we offer at FlashRouters.

The flaw this time allows users on a local network to overflow the character limit in the UPnP protocol and give the attacker full control of the network. While many routers running stock firmware can be patched, there are still 40 older models that are not supported anymore and cannot be fixed.

Facebook (aka Meta) to Remove Facial Profiles of Over A Billion People

In the next few weeks, Meta plans to shut down their facial recognition system, in a move that will affect nearly a third of its users. The recognition system is currently used to suggest tags on photos. You may have seen it in action yourself, if you’ve ever seen a photo not fully load on the site. 

This does not necessarily mean an end to Meta’s use of facial recognition forever. VP of artificial intelligence, Jerome Pesenti, stated that “We believe facial recognition can help for products like these with privacy, transparency, and control in place.” But, he also recognized the many concerns people have for the use of this technology. “We believe that limiting the use of facial recognition to a narrow set of use cases is appropriate,” he added.

Net Neutrality Looms in the Balance as New FCC Picks are Finally Submitted

President Biden has finally nominated people for the FCC. The commission has been forced to operate in a deadlock as they awaited new appointments for nine months since the president was sworn into office. Jessica Rosenworcel was appointed permanent chair, but she and the other appointee must be confirmed by the Senate before January.

Time seems to be running out on reinstating net neutrality rules. If the two are not confirmed, Republicans will be given a 2-1 majority in the beginning of 2022. This could lead to an even longer suspension of net neutrality, where ISPs can continue to throttle users and charge more for certain services.

ISPs Invade Privacy & Collect Huge Amounts of Customer Data, FTC Says In New Report

A bombshell report from the FTC details ISP data collection practices and how they can be harmful for the consumer. The FTC compiled information from the six largest ISPs in the country, including Verizon, Comcast, AT&T,Charter, and T-Mobile, and found that ISPs invade customer privacy in multiple ways.
Most ISPs have been found to collect data on a level at greater than large advertising platforms, collect customer data in ways that could cause customer harm, and separate customers into large pools of advertising segments. On top of that, ISPs seem to offer “illusory” or confusing privacy options, generally causing consumers to allow data sharing without meaning to. Stay tuned for more developments on this breaking story.

Google Creates Cybersecurity Action Team

Google has announced that they are creating a Cybersecurity Action Team consisting of experts across their company. The purpose is to help companies and government entities strengthen their systems against online attacks, such as the recent Colonial Pipeline hack or the Solarwinds hack. Their services will include rapid response capabilities, threat briefings, and preparedness drills to keep organizations sharp and ready to handle malicious attacks.

Google hopes these strategic advisory services will help them build their partnerships with public and private sector organizations amid rising cyber attacks. The initiative is part of a $10 billion program that Google started in August to strengthen cybersecurity.

Twitch Blames Server Configuration Errors For Huge Hack

Much like the Facebook outage earlier this week, Amazon has gone ahead and blamed the huge Twitch hack on server configuration errors. The hack led to a massive amount of data being leaked, including how much it’s streamers were paid since 2019.
The highest payout was to a collective streaming channel about D&D tabletop games, which earned over $9.6 million. A single Canadian streamer earned $8.4 million. Also leaked was the source code for every Twitch client, as well as Twitch’s internal security tools.

Facebook Says Router Problems Caused Massive Outage

As you are probably aware, all of Facebook’s sites were down yesterday, including Instagram and WhatsApp. Many theories were put forth including DDoS attacks to a massive data breach, and it was strange timing immediately following a 60 Minutes interview with a whistleblower on internal Facebook investigations. However, Facebook has come forward and said that it was all due to a faulty router configuration.

The routers affected normally coordinated network traffic between Facebook data centers, and when they failed it led to a cascading failure. All of this led to massive border gateway protocol and DNS issues, rendering every Facebook online property inaccessible for over six hours.