Celebrating the Holidays with my Adidas and the IT Privacy and Security Weekly update for December 21st, 2021


Looking for great gifts? We’ve got one person on the team who’s happy to sport the finest in athletic footwear and would probably happily back them up with a wallet full of corresponding NFTs…. If he could get them….

From that metaverse, we travel across the US to Israel and from there to Uganda to get the down-low on the NSO. We check in on Belgium, Germany, and Ukraine before losing our paychecks.

We have a great gift not to buy and then we finish off strong…. with a song!

This week’s IT Privacy and Security weekly update is the best one yet and a gift to us all!

Have the caribou bid adieu,
get the sleigh in gear too,
put on your stocking cap, red velvet suit,
and let’s take off, as the billionaires do!

Global: Adidas sold more than $22 million in NFTs, but it hit a few snags along the way

All 30,000 of Adidas’ Into the Metaverse NFTs were minted within a matter of hours of going on sale Friday. Each NFT cost 0.2 ETH, which currently equates to about $765, and the company sold 29,620 NFTs (“Adidas and partners” held onto 380 for “future events”), meaning the company earned more than $22 million from the sales in the span of an afternoon. (The price of Ethereum has been falling while writing this story, making an exact number difficult to pinpoint.)

Adidas made the NFTs in partnership with Bored Ape Yacht Club, Punks Comics, and GMoney (a pseudonymous crypto enthusiast). Buying an NFT gives owners access to special physical goods, like a hoodie and the tracksuit worn by the Bored Ape that Adidas owns, and upcoming digital experiences. However, the physical merch won’t be available until 2022, according to Adidas’ FAQ, so buyers essentially just put in expensive pre-orders for the clothes.

It’s unclear exactly when the NFTs were fully sold out, but Adidas’ website showed that all the NFTs had been minted minutes after the public sale began. However, one person was apparently able to mint many of the NFTs, which may have disrupted how many were actually available.

So what’s the upshot for you? It’s unclear if Adidas plans to offer more NFTs in the future, but it teases on its website that “this is just the beginning.” Given how quickly the first batch sold out — and how much money Adidas made in just a few hours — it seems unlikely this will be the only NFT offering from the apparel maker. And it will almost certainly want to compete against archrival Nike, which just bought a company that makes virtual shoes and NFTs.

IL: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

When Apple announced Nov. 23 that it filed a lawsuit against Israeli spyware firm NSO Group, it claimed that the firm and its clients “devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks.” An independent analysis published Wednesday backs that claim up.

Google Project Zero researchers Ian Beer and Samuel Groß took a deep dive into FORCEDENTRY, the malware developed by NSO Group that allowed adversaries to infect targeted Apple devices — without the owner’s knowledge — with NSO Group’s Pegasus spyware. The researchers concluded that it’s “one of the most technically sophisticated exploits” they’ve ever seen, rivaling “those previously thought to be accessible to only a handful of nation-states.”

“Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” the researchers wrote Wednesday. “It’s a weapon against which there is no defense.”

Previous iterations of the Pegasus software required the victim to click a link in an SMS message. But FORCEDENTRY was an example of NSO Group’s zero-click exploitation technology, where no interaction from the target was required.

So what’s the upshot for you? Citizen Lab, a human rights group based in Toronto, discovered FORCEDENTRY in September during an analysis of a Saudi activist’s phone. It turned the information over to Apple, and also provided a sample to the Project Zero researchers.

NSO Group’s malware has been under scrutiny for years as an enabling factor for authoritarian governments around the world to target human rights activists, journalists, and political opponents. The U.S. government added the company to its sanctions list on Nov. 4, making it difficult for the company to interact with any U.S. business. On Tuesday, a group of U.S. lawmakers asked the Treasury Department and State Department to sanction NSO Group, along with surveillance firms in the United Arab Emirates and in Europe.

The pressure has mounted to the point that the company is reportedly mulling a shutdown of its Pegasus unit and a possible sale.

UG: The secret Uganda deal that has brought NSO to the brink of collapse

In February 2019, an Israeli woman sat across from the son of Uganda’s president and made an audacious pitch—would he want to secretly hack any phone in the world? The son of the president was keen, said two people familiar with the sales pitch. After all, the woman, who had ties to Israeli intelligence, was pitching him Pegasus, a piece of spyware so powerful that Middle East dictators and autocratic regimes had been paying tens of millions for it for years.

A few months after the initial approach, NSO’s chief executive, Shalev Hulio, landed in Uganda to seal the deal, according to two people familiar with NSO’s East Africa business. Hulio, who flew the world with the permission of the Israeli government to sell Pegasus, liked to demonstrate in real-time how it could hack a brand-new, boxed iPhone.

The eventual business was small for NSO, between $10 and $20 million, a fraction of the $243 million that the privately owned NSO made in revenues in 2020. But about two years after the sales pitch, someone deployed Pegasus to try to hack the phones of 11 American diplomats and employees of the US embassy in Uganda, and that’s when things really started to go wrong for NSO.

NSO has always told its customers that US phone numbers are off-limits. In this case, all 11 targets were using Ugandan numbers but had Apple logins using their State Department emails, according to the two US officials. Israeli and US officials declined to confirm that the Ugandan hack directly triggered a decision to blacklist NSO.

When Google reverse-engineered the hack used against American diplomats in Uganda, it found an elegant, tiny piece of code that adapted software from 1990s Xerox machines to fit a so-called Turing machine—essentially a complete computer—into a single GIF file. “Pretty incredible, and at the same time, pretty terrifying,” said Google’s engineers.

Last Wednesday, that window also narrowed—18 US senators wrote to Secretary of State Antony Blinken and Treasury Secretary Janet Yellen to sanction NSO under the Magnitsky Act, alongside a handful of other cyber-surveillance firms.

If the US acts upon that request, NSO would be cut off from the US banking system, and its employees would be barred from traveling to the US.

So what’s the upshot for you? If you become the gunmaker, you must always remember to take care not to shoot yourself in the foot.

BE: Intruders leverage Log4j flaw to breach Belgian Defense Department

Parts of the Belgian Defense Ministry’s computer networks have been down since Thursday after a cyber incident in which attackers exploited the Apache Log4j vulnerability, government officials said.

“All weekend our teams have been mobilized to control the problem, continue our activities, and warn our partners. The priority is to keep the network operational. We will continue to monitor the situation.”

Log4j is a widely used logging software present in hundreds of millions of devices. Hackers associated with the governments of China, Iran, North Korea, and Turkey have all raced to take advantage of the exploit, according to Microsoft and Mandiant researchers. Ransomware groups have also sought to exploit the vulnerability.

The Belgian Defense Ministry is the first reported high-profile government victim of the vulnerability, but unlikely to be the last given the ubiquity of Log4j in a host of enterprise software popular in the public and private sector.

So what’s the upshot for you? CISA director Jen Easterly has called the vulnerability “one of the most serious I’ve seen in my entire career, if not the most serious.”

Global: Fragility in the Cloud

In the past three weeks, two major outages at Amazon’s cloud computing service “led to widespread disruptions at other online services,” reports NBC News. And they also cite June’s “service configuration” issue at cloud CDN Fastly, which took countless sites offline including PayPal, Reddit, and GitHub, and an AWS outage in November of 2020 which affected clients like Apple.

“The drumbeat of issues underscores that the internet, despite all it’s capable of, is sometimes fragile…”

The latest disruption occurred last Wednesday when customers of DoorDash, Hulu, and other websites complained that they couldn’t connect. The problems were traced to Amazon Web Services, or AWS, the most widely used cloud services company, which reported that outages in two of its 26 geographic regions were affecting services nationwide. A similar disruption took place on Dec. 7, crippling video streams, halting internet-connected robot vacuum cleaners, and even shutting down pet food dispensers in a series of reminders of how much life has moved online, especially during the coronavirus pandemic. AWS published an unusually detailed description of what went wrong, along with an apology.

“There are many points of failure whose unavailability or suboptimal operation would affect the entire global experience of the internet,” said Vahid Behzadan, an assistant professor of computer science at the University of New Haven… “The fact that we’ve had repeated outages in a short period of time is a cause for alarm,” Behzadan said, noting that U.S. businesses have staked a lot on the assumption that cloud services are resilient.

NBC cites reports that some companies are now taking a look at using multi-cloud solutions. And these outages may encourage businesses to finally take the plunge.

So what’s the upshot for you? That which does not kill the Internet makes it stronger. Französisch Nietzsche. <— the real Nietzsche’s cousin twice removed who lives somewhere on the French Riviera.

Global: Surveillance-for-Hire

In a recent report, Meta (formerly Facebook) exposed and disrupted the activities of seven entities that targeted people worldwide in more than a hundred countries. Those entities originated in China, India, Israel, and North Macedonia.

All seven provided intrusion software tools and surveillance services that, according to Facebook, regularly targeted journalists, dissidents, critics of authoritarian regimes, families of opposition, and human rights activists around the world. Those services are sold to just about any person or entity who wants them, and they are illegal.

Three steps are needed to fully provide their surveillance service:

  1. Reconnaissance: This is the initial step and consists mainly of profiling the target and collecting useful information about it.

  2. Engagement: This part consists of making contact with the target or people close to it in an effort to build enough trust to entice the target to download/execute files or click on infecting links. This is where social engineering and attacking experience come into play. Attackers may use fake social media profiles and reach out directly to their targets.

  3. Exploitation: This is the final step in the surveillance operation setup. The goal is to compromise the target’s device(s) and start enabling surveillance. While the tools and exploits used in this stage vary greatly from a technical perspective, from this moment the attacker is generally able to access any data on the target’s phone or computer, including passwords, cookies, access tokens, photos, videos, messages, and address books. The attacker might also silently activate the microphone, camera, and geolocation tracking of the device.

So what’s the upshot for you? The more you know the better you can protect.

US: T-Mobile Releases 2021 Scam and Robocall Report

What’s the news: T-Mobile released its 2021 year-end report on Scams and Robocalls: T-Mobile Scam Shield identified or blocked over 21 billion scam calls — that’s 700 calls identified or blocked every second — in 2021. Overall, scam attempts increased by 116% this year.

Why it matters: Scammers and spammers worked harder than ever in 2021 as scam calls continue to be the number one complaint to the FCC. U.S. wireless customers are projected to lose $29.8 billion this year alone to these bad actors.

Currently, scam call attempts are clocking in at an average of 425 million calls every week.

The data collected on scam calls by T-Mobile showed that these robocalls are largely being made during standard business hours. The timing makes sense. Overwhelmingly, fraudsters are making scam calls disguised as businesses.

Interesting facts:

  • Scam volume doubled from 2020 to 2021. The lowest measured month for scam traffic was January 2021, identifying 1.1 billion calls as Scam Likely. By November, volume had increased exponentially, and T-Mobile identified double the January traffic at 2.5 billion calls as Scam Likely.
  • Scammers take it easy on the weekends. The T-Mobile network tracked about an 80% drop in calls identified as Scam Likely on weekends compared with Monday through Friday!
  • Scammers are posing as businesses in large volumes. In terms of volume, the number one scam attempt in 2021 was related to fake vehicle warranties with over 51% of the Scam Likely volume. Other top scam attempts included pretending to be with the Social Security office (10%), wireless provider (9%), car insurance company (6%), or package delivery (4%). Scammers were also posing as health insurance or health providers, the IRS, or credit card companies.
  • Scammers enjoy holiday downtime. This year, April 4 (Easter), had the lowest scam volume of the year. And while the six weeks leading up to Christmas are historically the busiest time of the year for scam volume, call volume typically drops off sharply starting December 23.
  • Scammers target some areas of the USA more than others. Texas, Florida, Arizona and Georgia had the highest volume of scam calls. The top metro area was Dallas/Fort Worth with the 214, 832, 210 and 817 area codes being the top four targeted in the country.

So what’s the upshot for you? From this autumn, phone companies in the US are required by the FCC to implement caller ID to reduce spoofing, to make consumer complaints public, and to allow users to block calls that aren’t in their contact list, but we thought the list of the preventative measures from the Telecoms companies was a little bit longer than this.

DE: Lights Out: Cyberattacks Shut Down Building Automation Systems

The smart building system is an oft-forgotten attack vector that straddles the physical security and cybersecurity worlds. Building hacks thus far have been rare, with a couple of notable ones making headlines to date: a 2016 ransomware attack on a hotel in Austria that hit room locks, and a distributed denial-of-service attack on heating systems in two apartment buildings in Finland in 2016.

A particular German engineering firm’s building automation system was initially infiltrated via an unsecured UDP port left exposed on the public Internet. From there, the attackers, who were knowledgeable about KNX architecture (KNX is a building automation system technology widely deployed in Europe), “unloaded” or basically wiped the building automation system devices of their functionality, and then set them with the BCU (bus coupling unit) key, which they locked with a password of their own.

The victims believe the attackers got in via an IP gateway that had been temporarily installed in the construction phase of the building. The IP gateway “was supposed to be removed after handing over the building, but it was forgotten and never deactivated.”

On inspection, the researchers said, “We found good documentation and recommendations in the building automation system installation guides. They try to include a lot of security awareness in their material. Perhaps the contractors just missed it.”

So what’s the upshot for you? If you get bored over the hols, go to a building site and send us a count of how many people you see reading construction manuals.

UA: Ukraine hosts large-scale simulation of cyber-attack against energy grid

Cybersecurity professionals from across Ukraine have tackled a large-scale cyber-attack simulation with echoes of the hugely damaging real-world assault against the country’s power grid in 2015.

Tim Conway, technical director of the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) programs at SANS, mentored event participants with the help of two other US-based infosec experts.

Comprising 250 participants, 49 teams competed – either virtually or in-person at a venue in Kiev – to accrue points in remediating an attack against a fictional energy provider after it suffered several unexplained system failures.

The hours-long exercise, which featured private industry experts and participants from universities and other institutions, focused on three key elements: finding out what had happened, ejecting the intruders, and remediating affected systems.

The latest, Ukraine-based event had successfully enabled “participants to face real-world challenges, develop skillsets, gain exposure to technical tools, and most importantly ‘practice the way they play’ through collaboration, and provided the opportunity to work together in teams just like they would in a real-world incident response.”

Conway helped to investigate the 2015 attack on three Ukrainian power distribution centers that left around 225,000 residents without power for up to six hours. The country’s energy grid was struck again a year later, and Ukraine’s then-president Petro Poroshenko said thousands of recent attacks against state institutions were evidence that Russian security services were waging a cyberwar against the country.

Russia currently has massed about 100,000 troops on its side of the Ukrainian border. The US’s Joe Biden has warned Putin of “sanctions like he’s never seen” should Russian troops attack Ukraine.

So what’s the upshot for you? We don’t know about you, but this one has got us a bit unnerved.

US: Did you miss your last paycheck before the Holidays?

Some people did. According to a post on the Kronos Community Page, a cyber security incident due to a ransomware attack is affecting UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. Although they are currently working with cyber security experts on the issue, they say that it may take several weeks to restore full system availability.

CNN reported: Ultimate Kronos Group, one of the largest human resources companies, disclosed a crippling ransomware attack on Monday [December 13th], impacting payroll systems for a number of workers. After noticing “unusual activity” on Saturday [December 11th], Kronos noted that its systems were down and could remain that way for several weeks. Kronos has a long list of notable customers across the public and private sector, including the city of Cleveland, New York’s Metropolitan Transportation Authority (MTA), Tesla, and MGM Resorts International. It also works with many hospitals across the country. Some employers find themselves having to make contingency plans in order to pay workers, such as shifting to paper checks. And some impacted employees have been unable to access payroll systems…

In addition to the potential payroll issues, there are also data privacy concerns. The city of Cleveland said in a statement Monday that Kronos alerted it that sensitive information may have been compromised in the attack. Employee names, addresses, and the last four digits of social security numbers may have been stolen by the hackers inside Kronos’s network.

Other Kronos customers include Whole Foods, GameStop, and Honda, as well as state and local government agencies like the state of West Virginia, reports NBC News: John Riggi, the senior advisor for cybersecurity at the American Hospital Association, an industry group, said that he had spoken with multiple hospitals that have had to create contingency plans for getting employees paid, managing their schedules and tracking their hours. “Quite frankly, this could not have happened at a worse time. We’ve had a surge in Covid patients, flu patients,” Riggi said. “It’s a distraction to hospital administrators at a time when they don’t need any additional burden or diversion of resources.”

“Though it has not been confirmed, there is speculation that the notorious Log4Shell vulnerability was involved,” writes CPO magazine, “given that the Kronos cloud services are known to be built on Java to a great degree…”

So what’s the upshot for you? Oooh the Grinch has his claws out this holiday season…

US/CN: US Treasury claims DJI assists Chinese surveillance of Uyghurs and blocks investments

DJI is one of the biggest drone companies in the world, and last year, the US government added it to the Department of Commerce’s Entity List, which marked it as a national security concern and banned US-based companies from exporting technology to it. Today, the Treasury Department placed further sanctions on DJI, including it as one of eight Chinese companies added to the Non-SDN Chinese Military-Industrial Complex Companies (NS-CMIC) List.

SZ DJI Technology Co., Ltd. (SZ DJI) operates or has operated in the surveillance technology sector of the economy of the PRC. SZ DJI has provided drones to the Xinjiang Public Security Bureau, which are used to surveil Uyghurs in Xinjiang.

So what’s the upshot for you? Darn, and a flash new drone was such a tempting holiday gift…

Global: A quick trip down memory lane

You may have been lucky enough not to have had to deal with the subject of this poetic remix back in 2015, but it really resonates this holiday season.

Twas the night before Christmas, when all through the house, not a creature was stirring, not even a mouse.
But a laptop was open, the network logged on, and unfortunately for its owner, his security had gone.

Unbeknownst to our user, and all others that care, this laptop had malware it wanted to share.
It flew over wi-fi, pushed out through the router, and started its journey, from computer to computer.

The owner worked, for a big corporate bank, who relied on protection to shield it from pranks.
Had the virus arrived at the enterprises’ door, its journey would be halted, and it would have infected no more.

But unluckily this story, has no happy ending, for the virus was clever in seeking out glory.
Instead of the front door, it sneaked round the back, climbed in through a gateway, that had already been hacked!

Now the organization’s CISO was snug in his home, blissfully unaware of what had gone on.
While he dreamed of presents, turkey, and stuffing, the virus had unleashed one great big fat Trojan.

“Now Mac.Backdoor.iWorm! Now CryptoWall!
Now, Gameover
Blaknight and Stuxnet!
On, Log4j! On, Shlayer!
On, NanoCore and Zeus!
Slide through the ethers!
And infect one and all!
Now cash away! Cash away!
Cash away all!”

While networks lay slumbering, unaware of the risk, the code was changed slightly, so nothing seemed to be amiss.
But of course, being Christmas, someone would get a surprise
But only if they looked hard, at the damage inside.

No account would be breached, no coins would be pilfered.
Instead, far more damaging, credentials were taken.

Sat at home, at his desk, dressed in furs black as ink
The code writer sat and prepared for a stint.
Lights blinked, alarms sounded, and cogs started whirring, as over the sky came information, unending.
The credentials arrived first, number one on his list, then came account details with how much sat in each.
From here what was required, was dexterity, and more complicated coding to slip through the door.
Back in the bank, not an alarm had he tripped, so the next stage of his plan he gleefully unleashed.
The Trojan allowed him to travel back in, to the heart of the building, to plunder within.

The money, he’d steal, from accounts big and small.
He’d hide each transaction, no suspicion would fall.
Once everything was set, with no stone left unturned, He could slip in and out, as and when at his will.

Back at his desk programming and streaming, he worked hard to ensure his code was unrevealing.
He wiped, and he cleaned, he scoured and he scrubbed.
He obscured the Trojan, it was as if he’d worn gloves.

He sat back from his screen, and gave a strange giggle,
And the tunnel he’d created, it dimmed and it dwindled.
But I heard him exclaim, as he spun out of sight,

“Happy Christmas to all, and to all a good night!”

So what’s the upshot for you?

To those who have had their holidays, we hope they were joyful,
To those yet to celebrate, great feasts and days restful,
And to those young and small, big and tall, or anything at all, may 2022 be… your best year of all.

That’s it for this week Damlers! Throw another log on the fire, and let’s roast another CVE.

Be kind, stay safe, stay secure, give your mum an extra hug, and see you in se7en!