Bagpipes and the IT Privacy and Security Weekly Update for January 18th., 2022


In this week’s adventure, we go from Open Source to Open Dish and the perils each face.

In between those open ends, we have Kiteworks, bagpipes, Teslas, cakeism, the new Spoof league tables, and perhaps a bit of evidence that “the Great Resignation” of 2021 is also affecting the dark web.

Join us as we don our kilts, sporrans, Ghillie brogues, tuck our Sgian Dubhs into our socks, and hit the highlands in the most “Barry” IT Privacy and Security adventure yet!!

US: The Tech sector supports public-private collaboration on open-source software security

Hoping to foster improved security of open-source software, the White House hosted a meeting last week with some of the largest public and private users and maintainers of open-source software. Widely used open-source software “brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the White House said.

The meeting was organized in December, shortly after a dangerous vulnerability in the Java-based logging utility Log4j emerged.

Industry participants came out of the White House meeting expressing their support for further government collaboration. After the meeting concluded, Kent Walker, president of global affairs and chief legal officer for Google and Alphabet, shared a series of proposals for new collaborative models to secure open-source software.

  • The first proposal is to establish a public-private partnership to identify and maintain a list of critical open-source projects, with criticality determined based on the influence and importance of a project.

  • The second proposal calls for the government and industry “to come together to establish baseline standards for security, maintenance, provenance, and testing,” emphasizing frequent updates, continuous testing, and verified integrity.

  • The third proposal is to set up “an organization to serve as a marketplace for open-source maintenance, matching volunteers from companies with the critical projects that most need support.”

Google says it has already contributed resources and stands ready to contribute more resources to these efforts.

So what’s the upshot for you? There are a huge number of companies that have critical dependencies on open-source software. Setting guidelines and establishing some level of responsibility from the enterprise users that depend on it shouldn’t have to happen, but we are glad that Google and the White House are leading this initiative. After all, for so many, it can’t be all “take” and no “give”.

US: Accellion reaches $8.1 mln settlement to resolve data breach litigation

Enterprise content firewall provider Accellion has reached an $8.1 million settlement to end a lawsuit over a data breach involving its legacy file sharing service FTA, Reuters reports.

Accellion, which changed its brand name to Kiteworks in October 2021, provides services such as secure email, collaboration, content access, file sharing, and enterprise app sharing capabilities.

In May 2021, professional services firm KPMG published a report claiming that Accellion failed to notify customers of the zero-day vulnerability that was exploited in the December 2020 cyberattack.

Accellion also faces claims that it failed to secure the sensitive information that customers entrusted to it, settlement papers filed in a California federal court show. The compromised information is said to include names, dates of birth, medical information, drivers’ license details, and Social Security numbers.

More civil lawsuits await court dates.

So what’s the upshot for you? The upside of this story is that, because the Accellion name is now destroyed, they picked the lovely Kiteworks to trade under. Kiteworks? What’s that got to do with anything? It’d be like the IT Privacy and Security weekly update changing our name to … “Bagpipes”.

US: An old bagpipe story from a cyber security expert.

"As a bagpiper, I play many gigs. Recently I was asked by a funeral director to play at a graveside service for a homeless man. He had no family or friends, so the service was to be at a pauper’s cemetery in the Kentucky back-country. As I was not familiar with the backwoods, I got lost, and being a typical man I didn’t stop for directions. I finally arrived an hour late and saw the funeral guy had evidently gone and the hearse was nowhere in sight.

There were only the diggers and crew left and they were eating lunch. I felt badly and apologized to the men for being late. I went to the side of the grave and looked down and the vault lid was already in place. I didn’t know what else to do, so I started to play. The workers put down their lunches and began to gather around. I played out my heart and soul for this man with no family and friends.

I played like I’ve never played before for this homeless man. And as I played ‘Amazing Grace,’ the workers began to weep. They wept, I wept, we all wept together. When I finished I packed up my bagpipes and started for my car. Though my head hung low, my heart was full.

As I opened the door to my car, I heard one of the workers say, ‘I never seen nothin’ like that before and I’ve been putting in septic tanks for twenty years.’"

So what’s the upshot for you? Quick pass us another tissue and let’s bury this story too.

Global: "Nevertheless I now can remotely run commands on 25+ Teslas in 13 countries without the owners’ knowledge."

A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted.

David Colombo explained in the thread that the flaw was “not a vulnerability in Tesla’s infrastructure. It’s the owner’s fault.” He claimed to be able to disable a car’s remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car’s exact location.

However, Colombo clarified that he could not actually interact with any of the Teslas’ steering, throttle, or brakes, so at least we don’t have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment.

So what’s the upshot for you? Colombo says he reported the issue to Tesla’s security team, which is investigating the matter.

Global: Linux-Targeted Malware Increases by 35% in 2021

A CrowdStrike report looking into attack data from 2021 summarizes the following:

  • In 2021, there was a 35% rise in malware targeting Linux systems compared to 2020.
  • XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all Linux-targeting malware attacks observed in 2021.
  • Mozi, in particular, had explosive growth in its activity, with ten times more samples circulating in the wild the year that passed compared to the previous one.
  • XorDDoS also had a notable year-over-year increase of 123%.

The CrowdStrike findings aren’t surprising, as they confirm an ongoing trend that emerged in previous years. For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year.

In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms.

This programming trend, and by extension this targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

So what’s the upshot for you? The interesting observation about this report is that no hard numbers are given, only percentages. 1 piece of observed malware becoming 2 is, therefore, a 100% increase in observed cases. We think the numbers are still low, but that it’s healthiest to respect the growing trends.

UK: Revealed: UK Gov’t Plans Publicity Blitz to Undermine Privacy of Your Chats

The UK government is set to launch a multi-pronged publicity attack on end-to-end encryption, Rolling Stone has learned. One key objective: mobilizing public opinion against Facebook’s decision to encrypt its Messenger app.

The Home Office has hired the M&C Saatchi advertising agency — a spin-off of Saatchi and Saatchi, which made the “Labour Isn’t Working” election posters, among the most famous in UK political history — to plan the campaign, using public funds.

According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black.

Multiple sources confirmed the campaign was due to start this month, with privacy groups already planning a counter-campaign.

So what’s the upshot for you? "…the policy is technological ‘cakeism’— the government is trying to eat its lawful access cake while having end-to-end encrypted protection for citizens more generally … Most experts are highly doubtful, and believe the government is searching for the digital equivalent of alchemy.”

EU: Joint Law Enforcement Action Takes Down VPN Service

An international law enforcement collaboration has targeted the users and infrastructure of VPNLab(dot)net.

The action was taken in response to the use of the VPN provider’s service to support cybercrime activities, including ransomware deployment.

The operation, led by the Central Criminal Office of the Hannover Police Department in Germany, took place under Europol’s EMPACT security framework objective Cybercrime - Attacks Against Information Systems.

Europol revealed the strike followed multiple investigations showing that cyber-criminals were using VPNLab(dot)net’s service for malware distribution. In addition, it was regularly used to help set up the infrastructure and communications behind ransomware campaigns, as well as in their actual deployment. Investigators even discovered the service was being advertised on the dark web.

VPNLab(dot)net was established in 2008, offering users online anonymity via services based on OpenVPN technology and 2048-bit encryption. It also provided double VPN, with servers located in multiple countries. This offering made it attractive to cyber-criminals seeking to avoid detection by law enforcement.

So what’s the upshot for you? The seizure or disruption of 15 servers that hosted VPNLab(dot)net’s service happened on January 17, 2022.

Global: DHL takes the top spot as the most imitated brand in phishing attacks

{Drumroll} … And the league tables for being spoofed in phishing attacks:

For the final quarter of 2021, DHL took over the top spot from Microsoft as the most impersonated brand by cybercriminals using phishing tactics.

For the quarter, DHL was spoofed in 23% of all brand phishing attempts, up from just 9% in the year’s previous quarter.

At the same time, Microsoft appeared in 20% of all attempts, down from 23% in the prior quarter.

Rounding out the top 10 we have:

  • WhatsApp in 11% of phishing attempts,
  • Google in 10%,
  • LinkedIn in 8%,
  • Amazon in 4%,
  • FedEx in 3%,
  • Roblox in 3%,
  • PayPal in 2% and
  • Apple in 2%

So what’s the upshot for you? We are not sure it’s any kind of honor to be in these league tables, but they do say, “Any publicity is good publicity”.

Global: 2021’s top 10 vulnerabilities according to CrowdSourced Bugtrack.

The changes in the top 10 most commonly identified vulnerability types demonstrate the natural life cycle of vulnerability categories and the “cat and mouse” nature of the interaction between builders and breakers: the Crowd is incentivized to find new, prevalent vulnerability types, those vulnerabilities are eventually addressed by automated tools (causing incentives to fall), and then new vulnerability types emerge that the Crowd is highly incentivized to find.

1.) Cross-Site Scripting (XSS): Reflected

2.) Broken Access Control (BAC): Insecure Direct Object References (IDOR)

3.) Sensitive Data Exposure: Disclosure of Secrets for Internal Assets

4.) Server Security Misconfiguration: Missing Secure or HTTPOnly Cookie Flag

5.) Broken Authentication & Session Mgmt: Privilege Escalation

6.) Sensitive Data Exposure: Disclosure of Secrets for Publicly Accessible Assets

7.) Server Security Misconfiguration: No Rate Limiting on Form/Email

8.) Broken Authentication & Session Mgmt: Failure to Invalidate Session

9.) Unvalidated Redirects & Forwards: Open Redirects

10.) Server Security Misconfiguration: Directory Listing Enabled

So what’s the upshot for you? The big changes in last year’s vulnerability table were brought on by an increased emphasis on scanning as a means of uncovering vulnerabilities.

The average time for a host to be on the Internet before a scan picks it up is now under 4 minutes.

Global: The evolution of Ransomware attacks.

Among the high-level security trends that were in the spotlight last year, ransomware “went mainstream” in 2021, overtaking personal data breaches and eliciting a broad government response to disruptive attacks like the one on Colonial Pipeline last May.

“We are now seeing ransomware gangs applying lean startup principles to their operations. They begin with skeleton teams making scattergun, speculative attacks, and crudely requesting their rewards in crypto. Following one or two successful attacks, these teams treat the ransoms paid as seed capital, using it to grow their operations and invest in better software, talent, and exploits.”

The most elite ransomware groups now run processes that include detailed recon/research to identify targets, advanced communications, and media relations to stoke fear and increase the likelihood of a payout occurring, researchers noted.

These processes also include tracking critical vulnerabilities to find gaps for exploitation that have remained undetected by organizations, heightening the need for a proactive security approach by organizations.

So what’s the upshot for you? Business specialization? With each area of ransomware covered by a higher degree of professionalism.

RU: Top Illicit Carding Marketplace UniCC Abruptly Shuts Down

UniCC accounted for about 30 percent of carding scam business and since it was launched in 2013, handled about $358 million in cryptocurrency transactions, according to the Elliptic Threat Intel team, which published the announcement from UniCC leadership.

“Our team retires,” the UniCC leadership posted on underground carding sites in both English and Russian. “Don’t build any conspiracy theories about us leaving, it is (a) weighted decision, we are not young and our health do(es) not allow to (us) work like this any longer.”

UniCC’s business was booming after the December 2020 takedown of Joker’s Stash, formerly the carding marketplace of choice. The overall market for stolen credit-card data last year topped more than $1.4 billion just in Bitcoin.

But in recent months other underground marketplaces appeared to be throwing in the towel: The White House Market announced it was shutting down in October; and by November, Cannazon went dark. In December it was Torrez’ turn. By early January, Monopoly Market was unexpectedly inaccessible, the report added.

The departures could be a reaction to law-enforcement activities, but it’s just as likely underground carding marketplace admins are using the chaos to make off with their users’ account balances.

“The wave of recent departures has potentially been a trigger for UniCC’s retirement, as illicit actors see an opportunity in the turbulence to either run away with users’ funds or retire to avoid increased law-enforcement attention."

So what’s the upshot for you? You don’t make the kind of money these guys were making and just go away. We have said it before and we will say it again, keep an eye out for their next adventures. We certainly will!

US: Drone Swarm at DARPA Exercise

A single operator controlled over a hundred physical and simulated drones simultaneously using Raytheon integrated swarm technology at the fifth OFFensive Swarm-Enabled Tactics (OFFSET) program.

The heart of the technology is software that assigns “drones with the right capabilities to the appropriate set of tasks,” Raytheon BBN OFFSET principal investigator Shane Clark explained. The drones then collaborate “most efficiently” to execute the task.

“For example, if the task is to surveil a building, multiple drones will be dispatched with each surveilling portion of the building. The software considers each platform’s sensor capabilities, and tasks drones with downward-facing cameras to surveil the roof,” Clark said.

In addition to traditional camera views, the system employs a speech-based virtual reality interface enabling the operator to act quickly “while maintaining situational awareness over many systems simultaneously.”

So what’s the upshot for you? Is this new? We think we saw the same thing at the Beijing 2008 Olympics, but we understand use cases for this technology are still unfolding. For example, fires in high-rise buildings, where determining where people are (using thermal sensing technology) needs to be done rapidly. One question is how do you effectively prep and transport a fleet of drones to a specific location in a reasonable time frame? Another is where do you draw the line? A suspect is holed up in a tower block; do you look in every window to see if you can locate them?

Global: Microsoft patch the patch.

Microsoft has patched the patch that broke large portions of Windows and emitted fixes for a Patch Tuesday that left servers rebooting and VPNs disconnected.

There was a time when out-of-band updates from Microsoft were considered a rarity. Not so much these days. On the receiving end of the company’s attention were Windows desktop and Windows Server installs left dysfunctional following Microsoft’s latest demonstration of its brand of quality control.

To recap, last week’s patches caused all sorts of problems for administrators. The, in this case, incorrectly named Windows Resilient File System (ReFS) had problems following the update, which left volumes inaccessible for some users.

Hyper-V hiccoughed and domain controllers experienced surprise restarts.

Windows users also reported problems with VPN connections, something Microsoft acknowledged with an update to its Windows release health dashboard.

So what’s the upshot for you? The issue here is that with baddies scanning for and finding vulnerabilities in record time, you need to apply the patches forthwith, which means that there is little to no time for testing in the traditional sense. But when the updates take out large swathes of operating system functionality… it might be time to prepare some readymade statements for the CEO, just in case.

Global: Cat on a hot satellite dish: Elon Musk’s Starlink antenna hits a surprise problem

Elon Musk’s satellite internet company, Starlink, has ambitious plans to bring internet access to people anywhere in the world. But it turns out the venture is providing another service: warming up cats.

A customer tweeted a photo of five cats huddled on his Starlink dish, which links homes to more than a thousand satellites, and noted that the presence of the furtive felines had slowed his internet performance.

“Starlink works great until the cats find out that the dish gives off a little heat on cold days,” Aaron Taylor said.

After the photo was widely shared online, Taylor clarified that the cats had taken to the dish by choice, rather than necessity.

The attraction may be due to a “self-heating” feature on the dish which is designed to melt snow. In 2020, Starlink engineers touted efforts to “upgrade our snow melting ability”.

Taylor said the cats’ attraction to his Starlink dish interrupted movie streaming and affected internet speed. “Doesn’t shut it down completely but definitely slows everything down,” he said.

So what’s the upshot for you? Privacy, security, a warm place to sleep? The cats will never tell.

Cats also seem to be able to sleep through bagpipes.

That’s it for this week. We will leave you with 7 days of quiet while we try to figure out how to tune a bagpipe.

Be kind, stay safe, stay secure, play with confidence. See you in se7en!

1 Like

Excellent questions. Making a global Technical Panopticon will not solve the issue of Crime, and if it does, it will only ever be the low-hanging, street criminality not the life-threatening and taxation-revenue undermining type.

Large and/or highly-advanced nations will sell these Drone Applications and Platforms to smaller, less advanced nations as ‘solutions’ with no locally-based oversight, discussion or public awareness … until it is too late.

This is why I respect Daml; Privacy is a core feature, not an option.

The world needs Daml, probably more than any of us realize.

1 Like