Asteroids, dwarf planets, and the IT Privacy and Security Weekly Update for November 23rd, 2021


For this IT Privacy and Security adventure, and this must surely be the best one yet, we start at the Costco checkout and end up in space.

In between the check-out and the way-out we get a quick reminder about online safety in the run-up to Black Friday, we get an update on how one group is working to make software secure, app tracking protection for Android, and tips to foil the Memento hacking team.

We’re so glad that Costco sells moon boots ‘cause we can gear up at the cash-only checkout and keep this adventure rolling until we hit an asteroid! Come on y’all, let’s take off!

US: A Card Skimmer Snuck Its Way Into a Costco

A Card Skimmer Snuck Its Way Into a Costco. You may normally associate card-skimmer attacks, where a device fitted over or inside a legitimate card reader copies your card data, with ATMs and gas pumps, to the extent that you think of them at all. But recently someone placed a card-skimming device in a Costco warehouse, of all places. An employee discovered the interloping equipment during a “routine check,” according to a report from BleepingComputer. The company has informed people whose card details may have been stolen. It’s a good reminder to double-check where you stick your plastic, or to stick with NFC payments.

So what’s the upshot for you? Scammers are now producing these skimmers on 3-D printers, and they look exactly like they belong on the terminal. Our advice? Pay with a credit card rather than a bank debit card: a skimmed debit card gives the thief direct access to your bank balance, while credit cards carry stronger protection against fraudulent charges. Better still, tap to pay where you can; a contactless EMV transaction doesn’t hand the reader the static card data a skimmer copies.

Global: Online Payment Fraud Surges by 208% in the run-up to Black Friday

During the first 10 months of 2021, Kaspersky detected 40,584,415 phishing attacks targeting e-commerce and e-shopping platforms, as well as banking institutions.

The total number of financial phishing attempts targeting e-payment systems more than doubled from September 2021 (627,560) to October 2021 (1,935,905), showing a 208% increase.

Amazon was consistently the most popular lure used by cybercriminals to launch phishing attacks. The second most popular was, for most of 2021, eBay, followed by Alibaba and Mercado Libre.

From January 2020 through October 2021, the most targeted categories were e-shopping platforms (eBay, Alibaba, etc.) and entertainment services (e.g. streaming services, online games), accounting for 30.61% of attacks.

So what’s the upshot for you?

  • Do not open attachments or click on links in emails from banks, e-payment apps, or shopping portals, particularly if the sender insists. It is better to go to the official website directly and log in to your account from there.
  • Double-check the format of the URL or the spelling of the company name, as well as read reviews and check the domain’s registration data before filling out any information.
  • Be wary of any deals that seem too good to be true. They typically are.
  • Make sure the checkout and payment page is served over HTTPS: the URL begins with https:// and the browser shows a padlock beside it (the green address bar that older advice mentions has been retired by modern browsers). If you don’t see this, do not proceed. But treat HTTPS as a floor, not as proof of legitimacy: it only tells you the connection is encrypted, and phishing sites obtain TLS certificates just as easily as real shops do, so the URL check above still matters.
  • Patch. Make sure all of your software is up to date — update your operating system and software applications (attackers exploit loopholes in widely used programs to gain entry).
  • Make sure you’re on a secure network — logging on to the public Wi-Fi at the local coffee shop makes it far easier for attackers to access your online activity. It’s also better and safer to do online shopping on your own computer or device to avoid the possible risks of using someone else’s.

Despite taking as many precautions as possible, you probably won’t know something is amiss until you see your bank or credit card statement. So, if you’re still getting paper statements, don’t wait until they hit your mailbox. Log in online to check that all of the charges look legitimate; if not, contact your bank or card issuer immediately to fix the situation.
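The “double-check the URL” advice above is easier to follow with a concrete checklist of what to look at: the scheme, credentials hidden before an “@”, punycode labels, and whether the registrable domain (not just some label in the hostname) really belongs to the brand. The script below is an added example written for this update, not Kaspersky’s code or any vendor tool. The brand table, the confusable-character map, the two-label suffix set and the sample URLs are constructed; a real tool would use the Public Suffix List and a full Unicode confusables table instead.

```python
"""Sanity-check a shop or bank URL before typing anything into it.

Added example for this newsletter's phishing advice; not Kaspersky's code.
KNOWN_BRANDS, CONFUSABLES, TWO_LABEL_SUFFIXES and the sample URLs are
constructed for illustration.
"""
from typing import List
from urllib.parse import urlsplit

# Hypothetical allow-list: brand name -> registrable domains that brand really owns.
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.de"},
    "ebay": {"ebay.com", "ebay.co.uk"},
    "paypal": {"paypal.com"},
}
ALL_REAL_DOMAINS = set().union(*KNOWN_BRANDS.values())

# A small sample of characters that get swapped in for Latin letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
})

# Multi-label public suffixes needed for the sample data (stand-in for the PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(host: str) -> str:
    """'login.amazon.co.uk' -> 'amazon.co.uk'; 'secure-amazon.com.evil.net' -> 'evil.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    if parts.scheme != "https":
        findings.append("not HTTPS: the page is not even encrypted in transit")
    if parts.username is not None:
        # 'https://amazon.com@evil.net/' really goes to evil.net.
        findings.append(f"credentials embedded before '@': the real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label in hostname: possible homograph domain")
    domain = registrable_domain(host)
    if domain in ALL_REAL_DOMAINS:
        return findings  # genuinely one of the brands' own domains
    # Collapse digit/Cyrillic lookalikes so 'amaz0n.com' reads as 'amazon.com'.
    plain_domain = domain.translate(CONFUSABLES)
    plain_host = host.translate(CONFUSABLES)
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in plain_host:
            if plain_domain in real_domains:
                findings.append(f"lookalike of {brand}: '{domain}' uses swapped characters")
            else:
                findings.append(f"'{brand}' appears in the hostname but the registrable domain is '{domain}'")
            break
    return findings


if __name__ == "__main__":
    for sample in ("https://www.amazon.com/gp/cart", "https://amaz0n.com/checkout",
                   "https://secure-amazon.com.evil.net/login", "https://amazon.com@evil.net/"):
        print(sample, "->", check_url(sample) or ["looks consistent"])
```

The point of the registrable-domain step is that “amazon” appearing anywhere in the hostname means nothing; only the part just left of the public suffix is what the registrant actually controls.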

US: National Institute of Standards and Technology (NIST) starts to form a plan around addressing Secure Software development

After a first draft and a workshop on the 8th of this month, NIST is closer to what it calls the Secure Software Development Framework (SSDF), intended to improve software supply chain security in response to the US president’s executive order.

A high-level list of items suggests that organizations should:

  • ensure that their people, processes, and technology are prepared to perform secure software development;
  • protect all components of their software from tampering and unauthorized access;
  • produce well-secured software with minimal security vulnerabilities in its releases;
  • identify residual vulnerabilities in their software releases, respond appropriately to address them, and prevent similar ones from occurring in the future;
  • generate “artifacts” that record how the software was developed;
  • provide the provenance (origin) of software code and components;
  • create software bills of materials (SBOMs);
  • use vulnerability disclosure programs; and
  • attest to conformity with secure software development practices.

So what’s the upshot for you? These are top-down, very open-ended process descriptions at this point, but expect the evolution of standards for rating each vendor to grow out of the list.
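Several of those items (tamper protection, artifacts, provenance, an SBOM, something to attest to) come down to the same mechanical thing: an inventory of what shipped, with digests, that a later party can check. The script below is an added example written for this update, not NIST tooling or any vendor’s SBOM generator. Its manifest layout is a deliberately simple JSON document rather than CycloneDX or SPDX, and the function names and the “source_ref” field are our own choices.

```python
"""Build and re-verify a hash-based inventory of a release tree.

Added illustration of the SSDF themes above; not NIST's or any vendor's code.
The manifest format ("example-inventory/1") is invented for this example.
"""
import hashlib
import json
import os
from typing import Dict, List


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, source_ref: str) -> Dict:
    """Record every regular file under 'root' with its SHA-256 digest and size.

    'source_ref' is whatever identifies the inputs that produced the tree
    (a git commit, a build ID); it rides along as provenance.
    """
    components = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic output regardless of filesystem order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash the target, which os.walk lists separately
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            components.append({"path": rel, "sha256": _sha256(full),
                               "size": os.path.getsize(full)})
    manifest = {"schema": "example-inventory/1", "source_ref": source_ref,
                "components": components}
    # One digest over the canonical JSON gives a signer a single value to attest to.
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def manifest_digest_ok(manifest: Dict) -> bool:
    """True if the embedded manifest digest still matches the manifest body."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == manifest.get("manifest_sha256")


def verify_manifest(root: str, manifest: Dict) -> List[str]:
    """Return discrepancies between the tree and the manifest (empty list = clean).

    Catches all three tampering cases: a file changed, a file added, a file removed.
    """
    problems = []
    expected = {c["path"]: c for c in manifest["components"]}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                problems.append(f"unexpected file: {rel}")
            elif _sha256(full) != expected[rel]["sha256"]:
                problems.append(f"modified: {rel}")
    for rel in expected:
        if rel not in seen:
            problems.append(f"missing: {rel}")
    return sorted(problems)


if __name__ == "__main__":
    import sys
    m = build_manifest(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "unspecified")
    print(json.dumps(m, indent=2))
```

The manifest on its own only proves that the tree has not changed since it was written; the “attestation” item needs the manifest_sha256 value signed by a key the consumer trusts, and the source_ref needs to point at something reproducible.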

Global: GoDaddy files breach report with the SEC

GoDaddy revealed that it discovered on November 17, 2021 that an “unauthorized third party” had gained access to its managed WordPress hosting environment.

WordPress is an open-source content management system used by many millions of website owners around the world as a backend for their websites and blogs. To make administration for site owners easier, many companies - like GoDaddy - offer a managed hosting platform to handle automated backups, automatic security updates, and general tasks.

A password seems to have been central to the attack. The hacker may have accomplished unauthorized access to GoDaddy’s “legacy codebase” for managed WordPress sites using a compromised password. It is unclear whether the password fell into the hands of the cybercriminal as the result of a phishing attack, or because it was weak, or had been reused.

The attack began September 6, 2021, when “up to 1.2 million active and inactive Managed WordPress customers” accounts were compromised. Email addresses and customer numbers were exposed.

So what’s the upshot for you? “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.” said GoDaddy CISO Demetrius Comes.

We say, “GoDaddy, you should use 2FA”!

Global: Google Cloud Load Balancer Post Mortem

“The total duration of impact,” said Google, “was one hour and 53 minutes.”

But what had happened? It transpired that six months ago a bug was introduced into the configuration pipeline that propagates customer configuration rules to GCLB. The bug itself permitted a race condition that “in very rare cases” could push a corrupted config file to GCLB and dodge the validation checks in the pipeline.

An engineer found the bug on 12 November, and the team set about fixing it with a two-pronged approach: fix the bug itself, and add extra validation to stop such a corrupted file from making it into the system. It was declared a high-priority incident, but since the bug had been there for months without anything exploding, the decision was taken not to opt for a same-day emergency patch and to roll out the fix in a controlled manner instead.

And what could possibly go wrong?

By the 15th of November, the validation patch had been rolled out. On the 16th of November, the rollout of the patch to fix the bug itself was about 30 minutes away from being completed when good old Murphy’s law hit and, as Google put it, “the race condition did manifest in an unpatched cluster, and the outage started.”

Oops. To make matters worse, it turns out the validation patch didn’t actually handle the error produced by the race condition, so the corrupted config was cheerfully accepted regardless.

Behind the blushes, Google assures us all that they are ready for both Black Friday and Cyber Monday!

So what’s the upshot for you? Well, stuff like this happens. We’re just happy we weren’t directing the activities when it did.

Global: Firefox brings back mail relays

The idea has been around for a while. Give out e-mail addresses that are forwarded to your real address, then if the volumes of spam become too high, just delete the forwarding address.

Firefox Relay gives you five aliases with a free account at relay dot firefox dot com.

The issues we discovered early on while trialing the free account are the 150 KB attachment limit, the ugly randomly generated addresses, and the five-alias cap (you can only create new aliases if you delete old ones).

That aside, if you are signing up for some or another “deal” and you have to give out a working e-mail address, you may have a way to protect yourself… oh and they make a relay extension for Firefox!

So what’s the upshot for you? Try it. You might find a use.

Global: New Security Vulnerability For Windows 10, 11

The most recent round of Windows security fixes landed just a couple of weeks ago as part of the monthly Patch Tuesday rollout and included one for CVE-2021-41379, a Windows Installer elevation-of-privilege bug.

Security researcher Naceri discovered a new variant while analysing that patch. “The bug was not fixed correctly, instead of dropping the bypass,” explains Naceri, “I have chosen to drop this variant publicly as it is more powerful than the original one.”

Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

Furthermore, Naceri explained that while it is possible to configure group policies to prevent ‘Standard’ users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway.

BleepingComputer tested the ‘InstallerFileTakeOver’ exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with ‘Standard’ privileges. The test was performed on a fully up-to-date Windows 10 21H1 build 19043.1348 install.

When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft’s decreasing payouts in their bug bounty program. A payout for a bounty like this has gone from US$10,000 to US$1,000.

So what’s the upshot for you? “The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability. Any attempt to patch the binary directly will break Windows Installer.”

Global: The Memento team uses password-protected archives to bypass encryption protection software

The ransomware used by this new group, who identify themselves as “Memento Team,” doesn’t encrypt files. Instead, it copies files into password-protected archives, using a renamed freeware version of the legitimate file utility WinRAR—and then encrypts the password and deletes the original files.

The ransomware actors appear to have taken advantage of a flaw in VMware’s vCenter Server web client first revealed in February. The vulnerability allowed anyone who could reach TCP port 443 on the server to execute commands remotely with system-level privileges; a firewall had been misconfigured, and the vCenter Server was exposed to the Internet on that port. The server also had outdated malware protection and no endpoint detection and response agent.

After more than six months of dwell time on the victim’s network, the attack was finally sprung. Toward the end of October the actors demanded US$1 million to restore the files and threatened to publish the data if the victim did not comply.

Unfortunately for the Memento actors, all that extra work did not pay off as planned. The victim did not negotiate, and thanks to backups the targeted organization was able to restore most of its data and return to somewhat normal operations.

Perhaps the long dwell time by the ransomware actor was in part because they didn’t have ransomware ready to drop at the time of the initial compromise. By keeping a low profile, modifying timestamps on files, and wiping logs of telltale signs of compromise, they were able to evade detection for an extremely long time and fully explore the network. The extent to which RDP services were enabled throughout the network made hands-on-keyboard lateral movement throughout the network much easier, further reducing the signature of their intrusion.

So what’s the upshot for you? One unpatched server, exposed to the Internet by a misconfigured firewall, was exploited by multiple malicious actors, and in the ransomware operator’s case that single foothold became the entire network. It is a further reminder of the urgency of applying vendors’ security patches, and of not leaving management interfaces like vCenter reachable from the Internet in the first place.

How do companies avoid these guys?

  • Use MFA.
  • Keep patches up to date.
  • Audit machine access: who, when, where, and what.
  • Monitor what you are auditing; logs nobody reads don’t catch a six-month intrusion.
  • Regularly test-restore the backups you are running.
  • Segment the network where you can, and limit RDP to where it is genuinely needed.
  • Don’t run services you don’t need, and if they are on critical internal-only servers, access them via jump boxes or VPNs.
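“Monitor what you are auditing” is only useful if you know what to look for, and this write-up hands you three behaviours: a renamed copy of WinRAR, archives created with a password, and logs being wiped. The script below is an added example written for this update, not a detection published by the researchers who analysed Memento. It runs over constructed records shaped like Sysmon process-creation events (Event ID 1, with its Image, OriginalFileName, CommandLine and ParentImage fields) and a Windows Security “audit log was cleared” event (Event ID 1102); every path, command line and password in the sample data is invented. The WinRAR switches it matches (-p, -hp, -df) are the real ones; timestomping, which the write-up also mentions, is not covered here.

```python
"""Flag Memento-style behaviours in endpoint process telemetry.

Added illustration; not Sophos's or anyone's published detection content.
EVENTS below is constructed sample data in the shape of Sysmon Event ID 1
records plus one Security 1102 record.
"""
import ntpath
import re
from typing import Dict, List

# Constructed telemetry: three benign events and three that should fire.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "WinRAR.exe",
     "CommandLine": '"C:\\Program Files\\WinRAR\\WinRAR.exe" x report.rar',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Renamed archiver, header-encrypting password, recursing a share, deleting sources afterwards.
    {"EventID": 1, "Image": r"C:\ProgramData\svc\updater.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"updater.exe a -hpS3cretKey -r -df \\fileserver\finance\*.* finance.rar",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil cl Security", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1102, "Image": "", "OriginalFileName": "", "CommandLine": "", "ParentImage": ""},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# PE OriginalFileName values of the WinRAR family; the on-disk name can be anything.
RAR_ORIGINAL_NAMES = {"rar.exe", "winrar.exe", "unrar.exe"}
# WinRAR CLI: -p<pwd> sets an archive password, -hp<pwd> also encrypts file names,
# -df deletes files after archiving. Matched as switches, not as literal strings.
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-hp\S*|(?:^|\s)-p\S+")
RAR_DELETE_SWITCH = re.compile(r"(?:^|\s)-df(?:\s|$)")
LOG_CLEAR_CMD = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)


def detect(event: Dict) -> List[str]:
    """Return the names of the rules a single event matches."""
    hits = []
    if event.get("EventID") == 1102:
        hits.append("security_log_cleared")
        return hits
    if event.get("EventID") != 1:
        return hits
    on_disk = ntpath.basename(event["Image"]).lower()
    original = event["OriginalFileName"].lower()
    cmd = event["CommandLine"]
    if original and on_disk != original:
        hits.append("renamed_binary")
    if original in RAR_ORIGINAL_NAMES:
        if RAR_PASSWORD_SWITCH.search(cmd):
            hits.append("rar_password_protected_archive")
        if RAR_DELETE_SWITCH.search(cmd):
            hits.append("rar_deletes_sources")
    if LOG_CLEAR_CMD.search(cmd):
        hits.append("event_log_clear_command")
    return hits


def scan(events: List[Dict]) -> List[Dict]:
    """Return only the events that matched, each with a 'rules' list attached."""
    flagged = []
    for event in events:
        rules = detect(event)
        if rules:
            flagged.append(dict(event, rules=rules))
    return flagged


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit["EventID"], hit["Image"] or "(Security log)", "->", ", ".join(hit["rules"]))
```

Keying the archiver rules on OriginalFileName rather than the on-disk name is what makes the renamed copy visible; a rule on “winrar.exe” in the image path would have missed it entirely.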

Global: DuckDuckGO App Tracking Protection for Android

At the end of April, Apple’s introduction of App Tracking Transparency tools shook the advertising industry to its core. iPhone and iPad owners could now stop apps from tracking their behavior and using their data for personalized advertising. Since the new privacy controls launched, almost $10 billion has been wiped from the revenues of Snap, Meta Platforms’ Facebook, Twitter, and YouTube.

Now, a similar tool is coming to Google’s Android operating system—although not from Google itself. Privacy-focused tech company DuckDuckGo, which started life as a private search engine, is adding the ability to block hidden trackers to its Android app. The feature, dubbed “App Tracking Protection for Android,” is rolling out in beta from today and aims to mimic Apple’s iOS controls. “The idea is we block this data collection from happening from the apps the trackers don’t own,” says Peter Dolanjski, a director of product at DuckDuckGo. “You should see far fewer creepy ads following you around online.”

The vast majority of apps have third-party trackers tucked away in their code. These trackers monitor your behavior across different apps and help create profiles about you that can include what you buy, demographic data, and other information that can be used to serve you personalized ads. DuckDuckGo says its analysis of popular free Android apps shows more than 96 percent of them contain trackers. Blocking these trackers means Facebook and Google, whose trackers are some of the most prominent, can’t send data back to the mothership, and nor can the dozens of advertising networks you’ve never heard of.

Using a box-fresh Google Pixel 6 Pro, we installed 36 popular free apps—some estimates claim people install around 40 apps on their phones—and logged into around half of them. These included the McDonald’s app, LinkedIn, Facebook, Amazon, and BBC Sounds. Then, with a preview of DuckDuckGo’s Android tracker blocking turned on, we left the phone alone for four days and didn’t use it at all. In 96 hours, 23 of these apps had made more than 630 tracking attempts in the background.

Using your phone on a daily basis—opening and interacting with apps—sees a lot more attempted tracking. When we opened the McDonald’s app, trackers from Adobe, cloud software firm New Relic, Google, emotion-tracking firm Apptentive, and mobile analytics company Kochava tried to collect data about me. Opening the eBay and Uber apps—but not logging into them—was enough to trigger Google trackers.

The beta of App Tracking Protection for Android is limited. It doesn’t block trackers in all apps, and browsers aren’t included, as they may consider the websites people visit to be trackers themselves. In addition, DuckDuckGo says it has found some apps require tracking to be turned on to function; for this reason, it gives mobile games a pass. While the tool blocks Facebook trackers across other apps, it doesn’t support tracker-blocking in the Facebook app itself. In DuckDuckGo’s settings, you can whitelist any other apps that don’t function properly with App Tracking Protection turned on.

So what’s the upshot for you? Again, the bad news is that this is only in beta for now. The good news is that if you have an Android phone you can download the DuckDuckGo privacy browser, go into Settings, then the Privacy section, and request App Tracking Protection. DuckDuckGo will send an invitation when the feature is ready for you.

OuterSpace: Once in place NASA’s DART mission goes solar.

One of the best ways to ensure your security is to run exercises and to test. Do it with your backups, do it with your security settings, and do it with a Double Asteroid Redirection Test Mission.

DART is a spacecraft designed to impact an asteroid as a test of the technology. The binary near-Earth asteroid (65803) Didymos is the target for the DART demonstration. While the Didymos primary body is approximately 780 meters across, its secondary body (or “moonlet”) is about 160 meters in size, which is more typical of the size of asteroids that could pose the most likely significant threat to Earth. DART’s target asteroid is NOT a threat to the security of Earth.

This asteroid system is a perfect testing ground to see if intentionally crashing a spacecraft into an asteroid is an effective way to change its course, should an Earth-threatening asteroid be discovered in the future. No known asteroid larger than 140 meters in size has a significant chance to hit Earth for the next 100 years but we only know about 40% of what is out there.

The DART spacecraft will achieve the kinetic impact deflection by deliberately crashing itself into the moonlet at a speed of approximately 6.6 km/s, with the aid of an onboard camera (named DRACO) and sophisticated autonomous navigation software. The collision will change the speed of the moonlet in its orbit around the main body by a fraction of one percent, but this will change the orbital period of the moonlet by several minutes - enough to be observed and measured using telescopes on Earth.

The DART spacecraft will demonstrate the NASA Evolutionary Xenon Thruster – Commercial (NEXT-C) solar electric propulsion system as part of its in-space propulsion. NEXT-C is a next-generation system based on the Dawn spacecraft propulsion system, developed by NASA. Once launched, DART will deploy Roll-Out Solar Arrays (ROSA) to provide the solar power needed for DART’s electric propulsion system. By utilizing electric propulsion, DART could benefit from significant flexibility to the mission timeline while demonstrating the next generation of ion engine technology, with applications to potential future NASA missions.

The DART spacecraft launch window begins November 24, 2021. DART will launch aboard a SpaceX Falcon 9 rocket from Vandenberg Space Force Base, California. After separation from the launch vehicle, the DART spacecraft will intercept Didymos’ moonlet in late September 2022, when the Didymos system is within 11 million kilometers of Earth, enabling observations by ground-based telescopes and planetary radar to measure the change in momentum imparted to the moonlet.

So what’s the upshot for you? There are a number of things about this test that feel right. Pre-emptive testing of a critical safety system, the implementation of solar power for long-term availability, and notice that the uplift is being provided by SpaceX, not Blue Origin or Virgin Galactic.

That’s it for this week Damlers! While we’re up here, we thought we’d try and find Pluto with Steve Seow. Looking skyward you can expect to see us flame out as we re-enter the atmosphere to get ready for next week’s episode.

Until then, be kind, stay safe, stay secure and see you in a spacey se7en!


Haha, that was a fun video.

#JusticeForPluto :joy:

