Buzzing with the IT privacy and Security Weekly Update for April 5th 2022


Damlers,

This week we fly from an apiary to a cuddly puppy.

But all is not as it seems: We triple peak before a bout of melancholy and find an unwelcome foe back after a “short break”.

We have lawsuits, legal requests, and cameras all divulging way more than they should. We sequence the missing 8% and finally, we have a couple of lists that will turn you into such a security guru that you might be writing this update next week.

Then we end with possibly the best reason to own a cat.

You are going to love this week’s IT privacy and Security Weekly Update, it is simply the best one yet!

Grab your veil and gloves, pull up your socks, and let’s have an adventure!
bumblebee-honey-bee-icon-png-favpng-MZSpn1HbbLY4S7fGw0czxtSux


IL: Israeli robotic beehive maker raises $80 mln in private funds

JERUSALEM, March 30 (Reuters) - Security? Privacy? Perhaps not but Beewise, an Israeli maker of robotic beehives aimed at saving bees from climate change, said on Wednesday it raised $80 million in a private funding round led by private equity firm Insight Partners.

The round brings total funds to date to $120 million, it said, adding the new financing will go towards meeting the rising demand for its robotic beehives.

Beewise said its agricultural technology has saved more than 160 million bees in the past year. Climate controlled and using automated harvesting, the robotic beehives - sheds that are populated by bees and used by farmers - are powered by solar panels.

Artificial technologies (AI) can detect threats, such as pests and pesticides, to a honeybee colony.

So what’s the upshot for you? Pollination is crucial to life on the planet since 30% of the global food supply and more than 70% of vegetables, fruit, seeds, and nuts are pollinated by bees.


US: Wo/Men At Work

After work, do you … get back to work? For some, there’s a new pattern replacing the 9 to 5

Last week, Microsoft published a study that offers an eerie reflection of my working life. Traditionally, the researchers said, white-collar workers – or “knowledge workers,” in modern parlance – have had two productivity peaks in their workday: just before lunch and just after lunch. But since the pandemic, a third and smaller bump of work has emerged in the late evening. Microsoft’s researchers refer to this phenomenon as the “triple peak day.”

For the new study, workers allowed Microsoft to track their “keyboard events”—a funny euphemism for sending emails or engaging with productivity applications on a work computer. While most people didn’t show the third mountain of work in the evening, 30 percent did. They were working almost as much at 10 p.m. as they were at 8 a.m.

Microsoft has also found that the pandemic has simply led to more overall work. According to company research, the average workday has expanded by 13 percent—about an hour—since March 2020, and average after-hours work has increased by twice as much.

As work becomes more like life, it also becomes more of life.

Something else is pushing work into our evenings: White-collar work has become a bonanza of meetings. In the first months of the pandemic, Microsoft saw online meetings soar as offices shut down. By the end of 2020, the number of meetings had doubled. In 2021, it just kept growing. This year it’s hit an all-time high.

“People have 250 percent more meetings every day than they did before the pandemic,” said a research manager of the Human Understanding and Empathy group at Microsoft. “That means everything else—like coding and email and writing—is being pushed later.” Workday creep and meeting creep aren’t two separate trends; they’re the same trend.

So what’s the upshot for you? It’s certainly something to remember the next time you call a meeting.


RU: Russians plan melancholy version of Instagram after the Ban

Russia restricted access to Instagram from March 14 and subsequently found its owner Meta Platforms guilty of “extremist activities,” as Moscow battles to control information flows with Big Tech after it sent tens of thousands of troops into Ukraine on Feb. 24.

Instagram said the decision to block it would affect 80 million users in Russia. Although people can still sometimes access the photo-sharing platform using a Virtual Private Network, domestic alternatives have started appearing, the latest being ‘Grustnogram’, or ‘Sadgram’ in English.

“Post sad pictures of yourself, show this to your sad friends, be sad together,” a message on the platform’s website read.

Russia has also enacted laws to exert influence on non-Russian social media platforms, including passing legislation stating companies need to place their servers for Russian accounts on Russian territory.

“Presumably so they can do whatever kind of surveillance they need to.”

TikTok’s refusal to cooperate with this law is what led to the development of a video-sharing platform called Yappy at the end of 2021.

“There’s a huge generational gap in Russia, not just with social media platforms, but in where they go for their news.”

According to the Levada Center report, television is where most Russian people get their news, but its dominance is declining — dropping from 90% to 62% in five years.

Younger generations are more likely to get their news on social media sites and use virtual private networks (VPNs) to access sites that have been blocked by the government. The ability to use international platforms with less government control also results in access to media that’s more critical of Putin and the Kremlin.

So what’s the upshot for you? “anything Russia touches has the potential to land you in jail.”


US: FBI says Russian hackers scanning U.S. energy systems and pose ‘current’ threat

“The threat from Russia in a criminal sense, in the nation-state sense, is very, very real - and current,” said Bryan Vorndran, an assistant director in the FBI’s cyber division, during a hearing before a U.S. House of Representatives panel.

In the weeks since Russia’s unprovoked attack against Ukraine, the White House and the Justice Department have been warning U.S. companies about intelligence suggesting that Russia has been taking early steps toward possibly launching cyberattacks.

Vorndran told lawmakers that “instances of Russian scanning” networks in the U.S. energy sector have increased recently, and he said such activity represents a “reconnaissance phase” by Russia to try and understand a company’s defenses and whether it has vulnerabilities that could be exploited.

“It’s an extremely important part of the overall attacks,” he noted, adding later in his testimony that Russia represents “one of the two most capable cyber adversaries we face globally.”

So what’s the upshot for you? Time to buy extra batteries.


BR: “After a short break we are back!” Globant hacked by Lapsus$

IT and software consultancy firm Globant has confirmed that they were breached by the Lapsus$ data extortion group, where data consisting of administrator credentials and source code was leaked by the threat actors.

As part of the leak, the hacking group released a 70GB archive of data stolen from Globant, describing it as “some customers’ source code.”

Globant is an IT and software development firm with over 16,000 employees worldwide and $1.2 billion in revenue for 2021.

Following the leak from Lapsus$, Globant issued a press release confirming that some of the company source code has been exposed to an unauthorized party.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access” - Globant

Among the data published by Lapsus$, there is a screenshot the group claims to be of an archived directory from Globant, containing folder names that appear to be company customers.

Some of the source code folders listed in the screenshot include Abbott, apple-health-app, C-span, Fortune, Facebook, DHL, and Arcserve.

So what’s the upshot for you? “We’re back!”


US: Google Cloud Security Exec: US Government Reliance on Microsoft Is a Security Vulnerability

Jeanette Manfra, director of risk and compliance for Google’s cloud services and a former top U.S. cybersecurity official, said Thursday that the government’s reliance on Microsoft is an ongoing security threat.

“Overreliance on any single vendor is usually not a great idea. You have an attack on one product that the majority of the government is depending on to do their job, you have a significant risk in how the government can continue to function.”

Microsoft pushed back strongly against the claim, calling it “unhelpful.” The study comes as Google is positioning itself to challenge Microsoft’s dominance in federal government offices, where Windows and Office programs are commonly used…

The blog post comes as hackers continue to discover critical software vulnerabilities at an increasing pace across major tech products, but especially in Microsoft programs.

Last year, researchers discovered 21 “zero-days” — an industry term for a critical vulnerability that a company doesn’t have a ready solution for — actively in use against Microsoft products, compared to 16 against Google and 12 against Apple.

The most prominent zero-day was used against Microsoft’s Exchange email program, which cybersecurity experts say was first employed by Chinese cyberspies and then quickly adopted by criminal hackers, leading to hundreds of companies becoming compromised.

So what’s the upshot for you? Expect competitors to poke at each other, but the fact is that Microsoft had some very slow responses to vulnerabilities last year … which can’t instill confidence in anyone.


US: Writing about IT Security can be dangerous: Ubiquiti sues security researcher Brian Krebs

Journalist Brian Krebs is being sued by network-equipment maker Ubiquiti for defamation over his coverage of a data breach which was eventually revealed to be the work of a company insider.

Ubiquiti initially disclosed a data breach on January 11, 2021, telling customers that the breach was minor and had occurred at a “third-party cloud provider.” But on March 30, 2021, Krebs reported that an unidentified whistleblower told him the data breach was worse than Ubiquiti had said. Krebs’ story and others like it published the next day caused Ubiquiti’s market cap to drop by $4 billion, the lawsuit alleges.

Then, in December 2021, the Department of Justice said that it had charged Nickolas Sharp “for secretly stealing gigabytes of confidential files from a New York-based technology company where he was employed.” The DOJ also said, “while purportedly working to remediate the security breach, [Sharp] extort[ed] the company for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability.” Sharp reportedly worked for Ubiquiti at the time of the attack.

Ubiquiti alleges that Krebs knew Sharp was his source but published a story about the charges against Sharp that was “intentionally misleading.”

The lawsuit says that Krebs was intentionally deceitful because “first he describes Sharp as a current employee. He then describes Sharp as a ‘former Ubiquiti developer’ to deceive readers into believing that the sourcing for his original story was a legitimate source—someone other than Sharp.”

Krebs notes that the individual in question was a Ubiquiti employee as of March 2021 and that, at the time of the December charges, a “former” developer was implicated. If those individuals are the same person and if that person were fired from or left Ubiquiti between March 2021 and December 2021, then both of these things can be true, of course.

So what’s the upshot for you? Ubiquiti is asking for $425,000 in damages. Ouch!


Global: Wyze Cam Security Flaw Gave Hackers Access To Video for 3 years

A major Wyze Cam security flaw easily allowed hackers to access stored video, and it went unfixed for almost three years after the company was alerted to it, says a new report today. Additionally, it appears that Wyze Cam v1 – which went on sale back in 2017 – will never be patched, so it will remain vulnerable for as long as it is used.

Bleeping Computer reports: "A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years.

The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication.

Upon inserting an SD card on the Wyze Cam IoT, a symlink to it is automatically created in the www directory, which is served by the webserver but without any access restrictions."

And as if that weren’t bad enough, it gets worse. Many people re-use existing SD cards they have laying around, some of which still have private data on them, especially photos.

The flaw gave access to all data on the card, not just files created by the camera. Finally, the AES encryption key is also stored on the card, potentially giving an attacker live access to the camera feed.

Altogether, Bitdefender security researchers advised the company of three vulnerabilities. It took Wyze six months to fix one, 21 months to fix another, and just under two years to patch the SD card flaw.

The v1 camera still hasn’t been patched, and as the company announced last year that it has reached end-of-life status, so it appears it never will.

So what’s the upshot for you? This story is so awful in so many ways. and another reason to consider security cameras not just on price but also for their own security.


Global: Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests

https://www.bloomberg.com/news/articles/2022-03-30/apple-meta-gave-user-data-to-hackers-who-forged-legal-requests?sref=ylv224K8

Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number, and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, emergency requests don’t require a court order.

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co., and Nvidia Corp., among others, the people said. City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group; the probe is ongoing.

An Apple representative referred Bloomberg News to a section of its law enforcement guidelines.

The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the Apple guideline states.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Snap had no immediate comment on the case, but a spokesperson said the company has safeguards in place to detect fraudulent requests from law enforcement.

Law enforcement around the world routinely asks social media platforms for information about users as part of criminal investigations. In the U.S., such requests usually include a signed order from a judge. The emergency requests are intended to be used in cases of imminent danger and don’t require a judge to sign off on it.

Hackers affiliated with a cybercrime group known as “Recursion Team” are believed to be behind some of the forged legal requests, which were sent to companies throughout 2021, according to the three people who are involved in the investigation.

Recursion Team is no longer active, but many of its members continue to carry out hacks under different names, including as part of Lapsus$, the people said.

So what’s the upshot for you? From July to December 2020, Apple received 1,162 emergency requests from 29 countries. According to its report, Apple provided data in response to 93% of those requests.

Meta said it received 21,700 emergency requests from January to June 2021 globally and provided some data in response to 77% of the requests.

“In emergencies, law enforcement may submit requests without legal process,” Meta states on its website. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good-faith reason to believe that the matter involves imminent risk of serious physical injury or death.”


Global: Nearly two-thirds of ransomware victims paid ransoms last year

Why do companies pay up? Insight from this year’s Cyberthreat Defense Report suggests:

  • 85% of organizations suffered from a successful cyberattack last year
  • A record 63% of ransomware victims paid ransoms last year, encouraging cybercriminals to increase their attacks
  • 84% of organizations are experiencing a shortfall of skilled IT security personnel; IT security administrators, analysts, and architects are in shortest supply

What was the result in the majority of cases? Pay off those attacking them via ransomware. With the reasoning that there was a:

  • Threat of exposing exfiltrated data
  • Lower cost of recovery
  • Increased confidence for data recovery

and finally, those polled said that 72% of the time after suffering an attack ransom-paying victims were able to recover their data.

So what’s the upshot for you? Largely all three motives for paying off those holding information or devices hostage were driven by convenience.


IL: Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework

The maintainers of Spring Framework have released an emergency patch to address a newly disclosed remote code execution flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.

Tracked as CVE-2022-22965, users are recommended to upgrade to versions 5.3.18 or later and 5.2.20 or later.

The Spring Framework is a Java framework that offers infrastructure support to develop web applications.

The vulnerability impacts Spring model–view–controller and Spring WebFlux applications running on [Java Development Kit] 9+.

Spring.io, a subsidiary of VMware, noted that it was first alerted to the vulnerability "late last Tuesday.

So what’s the upshot for you? The patch arrived as a Chinese-speaking researcher briefly published a GitHub commit that contained proof-of-concept (PoC) exploit code on March 30, 2022, before it was taken down. Nice.


DE: Hydra Beheaded

Germany Shuts Down Russian Hydra Darknet Market; Seizing $25 Million in Bitcoin

Germany’s Federal Criminal Police Office, the Bundeskriminalamt (BKA), on Tuesday announced the official takedown of Hydra, the world’s largest illegal dark web marketplace.

Launched in 2015, Hydra was a Russian-language darknet marketplace that opened as a competitor to the now-defunct Russian Anonymous Marketplace (aka RAMP), primarily known for its high-traffic narcotics market before expanding its focus to peddle forged documents and stolen credit cards.

So what’s the upshot for you? Visitors to the Hydra marketplace website are now greeted by a seizure banner.


Global: The ultimate loss of privacy? Finally the complete sequencing of a human genome
https://www.science.org/doi/10.1126/science.abj6987

When scientists declared the Human Genome Project complete two decades ago, their announcement was a tad premature. A milestone achievement had certainly been reached, with researchers around the world gaining access to the DNA sequence of most protein-coding genes in the human genome. But even after 20 years of upgrades, eight percent of our genome remained unsequenced and unstudied. Derided by some as “junk DNA” with no clear function, roughly 151 million base pairs of sequence data scattered throughout the genome were still a black box.

Now, a large international team led by Adam Phillippy at the National Institutes of Health has revealed the final eight percent of the human genome

“You would think that, with 92 percent of the genome completed long ago, another eight percent wouldn’t contribute much, but from that missing eight percent, we’re now gaining an entirely new understanding of how cells divide, allowing us to study many diseases we had not been able to get at before. Every single base pair of a human genome is now complete.”

This work will inform research into diseases linked to the heterochromatic genome—chief among them cancer, which is associated with centromere abnormalities. Cancer cells divide wildly when certain heterochromatic centromere genes are overexpressed, and a complete understanding of the centromere genome may open the door to novel therapies.

So what’s the upshot for you? “We are finally digging into that last 8% of DNA, because previously we could not understand it or look at it accurately. We now know that many diseases are linked to structural repeats in the centromere and, now that these sequences are no longer missing from the human reference genome, we can begin to map the origins of these diseases.”


Global: The Personal Security Checklist

This is truly a comprehensive list of recommendations to keep your data private and yourself secure. It covers:

  • Authentication
  • Browsing the Web
  • Email
  • Secure Messaging
  • Social Media
  • Networks
  • Mobile Phones
  • Personal Computers
  • Smart Home
  • Personal Finance
  • Human Aspect
  • Physical Security

So what’s the upshot for you? We recommend that this page be bookmarked in your browser. It provides a rich source of detail on Privacy and Security with links to further resources.


Global: Privacy Respecting Software

https://github.com/Lissy93/personal-security-hecklist/blob/master/5_Privacy_Respecting_Software.md

Large data-hungry corporations dominate the digital world but with little, or no respect for your privacy.

Migrating to open-source applications with a strong emphasis on security will help stop corporations, governments, and hackers from logging, storing, or selling your data.

Note: Remember that no software is perfect, and it is important to follow good security practices

So what’s the upshot for you? Linked from the last article this too provides many great ideas for software to keep you safe.


Local: overheard at the coffee shop


“Someone cracked my password. Now I need to rename my puppy.”
puppy

So what’s the upshot for you? get a cat.



That’s it for this week. Stay safe, stay, secure, don’t forget to put the cat out, and we’ll see you in se7en,


1 Like