Paid a ransom? Now tell your government | Facebook and Yandex illegally track Android users' browsing activities
#189 - New Australian law requires victims of ransomware to tell the government if they paid a ransom | Facebook / Yandex apps send tracking cookies to localhost to monitor browsing habits
Australia 🇦🇺 is the first country to mandate reporting ransomware payments to the government
Could it lead to legal complications? And could it start a trend of similar laws?
“If you pay something, say something” says the new Australian law.
You can download the law here.
Who does this apply to?
If you are an Australian business with an annual turnover greater than AUD $3 million, then these reporting rules apply to you
How soon do you report?
Within 72 hours of paying the ransom
What data has to be reported?
- when the incident occurred or is estimated to have occurred
- when the reporting business entity became aware of the incident
- the impact of the incident on the reporting business entity
- the impact of the incident on the reporting business entity’s customers
- what variant (if any) of ransomware or other malware was used
- what vulnerabilities (if any) in the reporting business entity’s systems were exploited; and
- information that could assist the response to, mitigation or resolution of the cyber incident by a Commonwealth body, or State body – for example, this may include the Australian Signals Directorate or the Australian Cyber Security Centre
- the other entity’s contact and business details including the ABN and address (in cases where the ransom was paid by another entity)
- the demand made by the extorting entity
-- the amount or quantum of the ransomware or cyber extortion payment (including non-monetary benefits) demanded and the method of provision demanded
- the ransomware payment
-- the amount or quantum of the ransomware or cyber extortion payment (including non-monetary benefits) given and the method of provision
- communications with the extorting entity relating to the incident, demand and the payment
-- the nature and timing of any communications with the extorting entity
-- a brief description of those communications (if any)
-- a brief description of any pre-payment negotiations undertaken in relation to the ransomware demand or payment
- other information relating to the cyber security incident in the ransomware payment report
Australia - have you thought this through?
Payment of any kind of ransom is not illegal in most countries. However, Australia has a strict “No Ransom Payment” policy.
This is for the traditional ‘Kidnap and Ransom’ — not for ransomware as we know it. Not much thought has been given to how these policies will translate to the digital world.
Will a government hospital be allowed to pay a ransom? Will it be considered as going against the no ransom payment policy? Or will the policy be different for ransomware?
The law says that a ransomware payment report is not admissible in criminal proceedings. However, there are some exceptions.
What happens if the payment made for ransomware decryption is traced to money laundering or terror finance? Will the payer of ransom be tried for financing terror even though the payment was made to an unknown faceless entity?
I hope the Aussie government figures this out before enforcing this law in full effect.
Take Action:
Companies operating in Australia with more than AUD $3 million in revenue should be prepared to submit a report on any ransomware payments within 72 hours of making the payment.
Watch out for other countries that might follow this and set up their own laws.
How to track a user illegally in six easy steps
An elaborate connection to https://localhost:port allows Facebook and Yandex to deanonymize users on Android
When your business model is based on targeted advertising, you will do everything in your power to get better targets and send more advertising.
To get better targets, Facebook has been using tracking cookies. I wrote about it 2 years ago:
Things have not changed. Meta is still trying to get as much information about your browsing habits as possible. On Android systems they are able to do this as you browse the internet using the browser app.
How do they do it?
If you have any Meta apps (Facebook and Instagram for sure; no idea about WhatsApp) running in the background on an Android phone, these apps open ports that listen on localhost. (Localhost, or 127.0.0.1, is the computer talking to itself.)
Leaving apps open in the background is not uncommon since most mobile app users do not close an app - they merely go to the Home Screen and go to the next app.
Then, when the user starts browsing the internet using Chrome or any other browser app, the Meta Pixel script (yes, the same one I wrote about a couple of years ago) embedded in the web page sends the browsed URL, together with its tracking cookie, to a port that the Facebook / Instagram app is listening on (like https://localhost:12387 or https://localhost:12580). From there, the browsing history is sent to Meta.
It works in a similar way for Yandex as well.
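A way to check whether any app on a phone is actually holding the kind of localhost listener described above, written as an added example for this issue (not from the Ars Technica article and not anyone's app code): it parses the kernel socket table that `adb shell cat /proc/net/tcp /proc/net/tcp6` prints and lists which app uids own listeners reachable from localhost. The sample table and the uid values below are constructed.

```python
"""Find apps holding localhost listeners on an Android device (added example).
Feed it:  adb shell cat /proc/net/tcp /proc/net/tcp6   (sample below is constructed)
"""
import sys

LISTEN = "0A"                                    # socket state code for LISTEN
LOOPBACK = {"0100007F",                          # 127.0.0.1 (little-endian hex)
            "00000000000000000000000001000000"}  # ::1
ANY = {"00000000", "0" * 32}                     # 0.0.0.0 / :: are also reachable via loopback
APP_UID_START = 10000                            # Android gives installed apps uids >= 10000

# Constructed sample: loopback listeners on the two ports named in the text
# (12387 = 0x3063, 12580 = 0x3124) owned by app uid 10234, an all-interfaces
# listener on 8080 owned by uid 10150, and one established (state 01)
# connection that must be ignored. The leading columns follow the real layout.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 12345 1 0 100 0 0 10 0
   1: 0100007F:3124 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 12346 1 0 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10150        0 12347 1 0 100 0 0 10 0
   3: 0100007F:C350 0100007F:3063 01 00000000:00000000 00:00000000 00000000 10003        0 12348 1 0 100 0 0 10 0
"""

def parse_listeners(table):
    """Return [(port, uid)] for every LISTEN socket reachable from 127.0.0.1 or ::1."""
    found = []
    for line in table.splitlines():
        f = line.split()
        if len(f) < 8 or ":" not in f[1]:       # header lines and junk
            continue
        addr, port_hex = f[1].split(":")
        if f[3] != LISTEN or addr not in LOOPBACK | ANY:
            continue
        found.append((int(port_hex, 16), int(f[7])))
    return found

def listeners_by_app(table):
    """Group loopback listeners by app uid; system uids (< 10000) are dropped."""
    by_uid = {}
    for port, uid in parse_listeners(table):
        if uid >= APP_UID_START:
            by_uid.setdefault(uid, []).append(port)
    return {uid: sorted(ports) for uid, ports in by_uid.items()}

if __name__ == "__main__":
    table = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for uid, ports in listeners_by_app(table).items():
        # map a uid to its package name with: adb shell cmd package list packages -U
        print(f"uid {uid} listens on localhost ports {ports}")
```

On recent Android releases the socket table is readable from an adb shell but generally not from inside an ordinary app, so run it over USB debugging rather than on-device.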
The article by Dan Goodin on ArsTechnica is very detailed and a very interesting read.
Take Action:
No, really, uninstall the Facebook and Instagram app — and WhatsApp too, while you are at it.
If it’s a matter of life and death and you cannot uninstall these apps, then try to use two phones - one for your social media and one for your browsing and other activities. (Rich man’s solution)
If you are a one phone person and cannot uninstall doomscrolling apps, then at least update your Android and Chrome as soon as a patch is released.