Privacy Roundup: Week 1 of Year 2025

This is a news item roundup of privacy or privacy-related news items for 29 DEC 2024 – 4 JAN 2025. Information and summaries provided here are as-is, without warranty. Note: You may see some traditional “security” content mixed in here due to the close relationship between online privacy and cybersecurity; many things overlap. For example, major vulnerabilities in popular software may compromise the security of users’ devices (and therefore pose a threat to their privacy), and large data breaches expose significant personal information. Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or “popular” stories.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining, improving, or respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming or other privacy services not necessarily recommended or promoted by avoidthehack.com.

Privacy Tools

DivestOS, Mull, Mulch, and Hypatia discontinued (DivestOS Mobile)

The developer behind DivestOS (a privacy-oriented Android operating system forked from LineageOS), Mull (a privacy browser for Android), Mulch (a security-oriented WebView for Android), and Hypatia (an open source virus scanner for Android) has announced that these projects will no longer be supported or updated as of December 2024. Users still running any of them should plan a migration, since an unsupported OS or browser will not receive future security patches. For years DivestOS was a recommended alternative privacy-oriented Android operating system on avoidthehack. In a future site update, I will regretfully remove it as an official recommendation due to its EOL status.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user. This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities

Hackers exploit Four-Faith router flaw to open reverse shells (Bleeping Computer)

Attackers are exploiting an OS command injection vulnerability, tracked as CVE-2024-12856, to open reverse shells on affected Four-Faith routers, which can then be used for further exploitation of the device. Specifically, the function used to adjust the system time accepts a value (sent via HTTP POST) that reaches the shell without proper validation, so a crafted value can append an arbitrary command. As of writing, there is no security update available. Exploitation requires reaching the device’s management interface, so devices with that interface exposed to the internet (common for these models) are the ones at risk. Users should keep routers updated, use strong admin passwords (never the default credentials), and avoid exposing the admin interface to the internet; with no patch available, restricting management access is the only effective mitigation. Note that the affected router models are typically deployed in industrial and critical infrastructure settings, but some home and small business users may have them as well.

Malware botnets exploit outdated D-Link routers in recent attacks (Bleeping Computer)

Two botnets (Ficora and Capsaicin) continue to target D-Link routers that are EOL or running outdated firmware. Commonly, these botnets exploit CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112 for initial access to vulnerable D-Link routers. They then execute their payloads, which can steal data and/or recruit the device into the botnet. Users should be sure to keep their devices updated, especially routers. EOL devices should be replaced as soon as possible, as they no longer receive security fixes from the manufacturer. For EOL devices, depending on model and/or sub-model, users may be able to flash third-party firmware (such as OpenWrt) to extend the life of the device; check OpenWrt’s Table of Hardware for the exact hardware revision before attempting this.
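As an added illustration of the bug class behind the Four-Faith item (this is not the vendor’s firmware code and not taken from the Bleeping Computer report), here is a CGI-style handler that concatenates a POSTed time value into a shell command, beside a hardened version that allow-lists the format and never invokes a shell. The handler shape and field name are assumptions, and echo stands in for date -s so the example runs without root; it generalizes beyond the single time-setting command the article describes to any value that is spliced into a shell string.

```python
import re
import subprocess

# Added illustration of the bug class, NOT Four-Faith's firmware. A real device
# would run "date -s"; echo is substituted (assumption) so the demo runs as a
# normal user, which does not change the injection mechanics.
CLOCK_CMD = "echo"


def set_time_vulnerable(posted_value: str) -> str:
    """Concatenates the POSTed timestamp into a shell string.

    A value containing a closing quote and a semicolon escapes the argument and
    runs an attacker-chosen command with the CGI's privileges (often root on a
    router). Returns the combined stdout so the injected output is visible.
    """
    cmd = f'{CLOCK_CMD} "{posted_value}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Strict allow-list: the only shape this field should ever carry.
_TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def set_time_hardened(posted_value: str) -> str:
    """Validates against an allow-list, then execs without a shell.

    Both steps matter: the regex rejects anything that is not a timestamp, and
    passing an argv list means no shell parses the value, so quotes and
    semicolons stay inert even if validation were somehow bypassed.
    """
    if not _TIMESTAMP.fullmatch(posted_value):
        raise ValueError("rejected: not a YYYY-MM-DD HH:MM:SS timestamp")
    result = subprocess.run([CLOCK_CMD, posted_value], capture_output=True, text=True)
    return result.stdout


def injection_succeeded(output: str) -> bool:
    """True if the constructed payload's marker command ran."""
    return "INJECTED" in output


if __name__ == "__main__":
    benign = "2025-01-01 00:00:00"
    # Constructed payload: closes the quoted argument, runs a command, reopens a quote.
    payload = '2025-01-01 00:00:00"; echo INJECTED; echo "'
    print("vulnerable, benign   :", set_time_vulnerable(benign).strip())
    print("vulnerable, injected :", injection_succeeded(set_time_vulnerable(payload)))
    print("hardened, benign     :", set_time_hardened(benign).strip())
    try:
        set_time_hardened(payload)
    except ValueError as exc:
        print("hardened, payload    :", exc)
```

The point to take from the hardened version is that validation and shell avoidance are independent defenses; on embedded devices the second one (no system()/popen() on request data at all) is the one that survives a regex mistake.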

Malware

New details reveal how hackers hijacked 35 Google Chrome extensions (Bleeping Computer)

A phishing campaign targeting Chrome extension developers (including the cybersecurity firm Cyberhaven) enabled attackers to compromise multiple Google Chrome extensions, which were then republished with injected data-stealing code. Developers were sent phishing emails pretending to be from Google; the emails linked to Google’s own OAuth authorization flow for a threat-actor-controlled app named “Privacy Policy Extension,” which requested permission to edit, update, and publish the Chrome Web Store extensions the developer’s account had access to. Because the link really did lead to Google’s consent screen, the tell was the requested scope, not the URL. Once a developer granted the permission, the threat actors published an “updated” (malicious) version of the extension through that developer’s own account, without the attackers ever learning the developer’s password. The threat actors in this campaign appear to have been specifically interested in hijacking Facebook business accounts, attempting to grab information such as the user’s Facebook ID, access token, account information, and any CAPTCHA mechanisms/QR code images associated with MFA.
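An added triage helper for this consent-phishing pattern, written for this roundup rather than taken from the campaign, Google, or Cyberhaven: it breaks an OAuth authorization link into the pieces a developer should read before clicking Allow (who is asking, where the grant lands, and which scopes are requested). The sample link is constructed (placeholder client ID, example.invalid redirect); the chromewebstore scope is Google’s real scope for managing Chrome Web Store items, and classing it as high-risk is this example’s own judgement, not an official list.

```python
from urllib.parse import parse_qs, urlparse

# Added triage helper; not code from the campaign, Google, or any affected extension.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Scopes that let a third party change what you ship to end users. Assumption:
# this is our own risk classification, not a Google-published list.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",  # manage/publish Web Store items
}


def triage_oauth_link(url: str) -> dict:
    """Breaks an OAuth authorization link into what to read before clicking Allow."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    # Scopes are space-separated inside one parameter; tolerate repeated params too.
    scopes = set(" ".join(qs.get("scope", [])).split())
    redirect = qs.get("redirect_uri", [""])[0]
    return {
        "is_google_consent_screen": parts.netloc in GOOGLE_AUTH_HOSTS,
        "client_id": qs.get("client_id", [""])[0],
        "redirect_host": urlparse(redirect).netloc,
        "scopes": sorted(scopes),
        "high_risk_scopes": sorted(scopes & HIGH_RISK_SCOPES),
    }


def verdict(report: dict) -> str:
    """The genuine Google host is not reassuring; the scope decides."""
    if report["high_risk_scopes"]:
        return "STOP: this grant gives the app publish rights over your extensions"
    return "review: no publish-capable scope requested; still check client and redirect"


# Constructed sample: the host is genuinely Google's consent endpoint, which is
# exactly why a URL-reputation check passes. Client ID and redirect are placeholders.
SAMPLE_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth?"
    "client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
)

if __name__ == "__main__":
    report = triage_oauth_link(SAMPLE_LINK)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(verdict(report))
```

Run it on the link from a suspicious “policy violation” email before opening it in a browser; if the redirect host is not a domain you recognise as Google’s or your own tooling’s, or a publish-capable scope appears, do not grant it, and audit existing grants in the Google account’s third-party access page.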

Service Providers’ Privacy Practices

This section is dedicated to notable changes or developments in popular/large service providers’ privacy practices. Service providers listed here are not necessarily “privacy-focused,” but may have privacy practice changes affecting a large number of users, either positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates).

Negative changes

Apple auto-opts everyone into having their photos analyzed by AI for landmarks (The Register)

Apple appears to have auto-opted users into a new feature, likely introduced in an iOS 18.1 update, known as Enhanced Visual Search. The auto opt-in is believed to have happened in late October 2024. Apparently, the process by which this feature works is “private enough,” but the lack of notification and the failure to seek consent from users is concerning.

Legislation/Lawsuits/Regulations

Predominantly focused on legal/regulatory privacy developments in US law (ex: the FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here. Notable privacy-related lawsuits (again, predominantly in the US) are also found here.

Lawsuits

Apple to pay $95 million to settle Siri privacy lawsuit (Reuters)

The lawsuit alleges that Apple used Siri to listen to what people were saying and that ads were then targeted at them based on what they mentioned. Apple is paying the settlement but continues to deny any “wrongdoing.” Interestingly, Google is being sued by the same law firm over similar allegations concerning Google Assistant (Google’s answer to Siri).

Legislation

The US proposes rules to make healthcare data more secure (The Verge)

The US Department of Health and Human Services has proposed new cybersecurity requirements for covered entities (healthcare organizations). This is in response to the severity and scale of data breaches in the healthcare sector over the last ~3 years. The proposed rules would require these organizations to encrypt patient data (I’m assuming both in transit and at rest), use multi-factor authentication (MFA) for accessing systems, and keep compliance documentation. This would be the first update to HIPAA’s security requirements in over a decade (the last update was in 2013).

Data Breaches and Leaks

Generally covers large data breaches (or data leaks) exposing sensitive information of users – typically the focus is on US companies and on data breaches…

First seen on securityboulevard.com

Jump to article: securityboulevard.com/2025/01/privacy-roundup-week-1-of-year-2025/
