Childishness and the IT Privacy and Security Weekly Update for August 31st 2021


In our most childish update, we bring you the up high, low down, and all the topics shaking around us.

We start with one of the most entertaining helicopter chases we have ever heard, move through 58 websites, then into an Airbnb, a swimming pool, where drenched, we embark on a transatlantic chase, a breach, a leak, an upgrade, and finally finish with a boat.

If you weren’t out of breath from all that, we can promise, we are.


And if only for a few moments, we’ll try to pull it together, stand upright, act mature, and set off on a superbly childish adventure!

US: “Drone” follows US Air Force plane at 13,000 feet

Radio Transmissions From Police Helicopter’s Chase Of Bizarre Craft Over Tucson Add To Mystery

“Its abilities were pretty incredible” — FAA audio points to confusion during and after police helicopter’s encounter with strange aircraft.

On February 9, 2021, a U.S. Customs and Border Protection (CBP) helicopter encountered what was described as a “highly modified drone” hovering in controlled airspace above Tucson, Arizona. A Tucson Police Department (TPD) helicopter was called in to aid the CBP aircraft in its pursuit of the small aircraft, but the drone, or whatever it was, was able to outrun both of them as it flew through military airspace, deftly maneuvered around both helicopters with bizarre agility, and ultimately disappeared into cloud cover above the altitude the helicopters could safely fly.

A police report previously obtained by The War Zone showed that the TPD crew described the drone as “very sophisticated/specialized” and “able to perform like no other UAS” they had previously encountered.

Now we have the actual audio from the CBP helicopter’s interactions with air traffic controllers in Tucson during the incident, as well as audio from an after-action call between the TPD crew and the air traffic control tower.

So what’s the upshot for you? The audio takes patience, but listening to the incredulous voices of the pilots as they see this thing run rings around them at 12 to 13 thousand feet for almost an hour is worth it! Who makes these things? We want one!

CN: Chinese espionage tool exploits vulnerabilities in 58 widely used websites

A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents.

The attacker could collect information such as usernames, phone numbers, or real names, user keystrokes, a large swath of operating system details, geolocation data, and even webcam snapshots of a target’s face.

The behavior to scrape data from the 58 third-party websites was completely silent. However, if the attackers couldn’t collect enough information to unmask a user, they also had additional plugins at their disposal that, while noisier, could be used as a last-ditch attempt to unmask users.

So what’s the upshot for you? This espionage tool exploits vulnerabilities in 57 Chinese websites plus the New York Times site. Users who’d like to protect themselves against such tools are advised to use the “NoScript” browser add-on or to visit sites in Incognito (Private Browsing) Mode.

Global: Airbnb says it plans to temporarily house 20,000 Afghan refugees

Airbnb is planning to start housing 20,000 Afghan refugees around the world free of charge, the company’s CEO, Brian Chesky, said Tuesday.

The refugees will be housed in properties listed on Airbnb’s platform, he tweeted.

The stays will be funded by the company, but Chesky did not specify how much Airbnb plans to spend on the commitment or how long officials plan to house refugees.

Companies of all shapes and sizes rush to show their support to victims in times of a major crisis; it’s an opportunity to be charitable and boost public relations in the process.

So what’s the upshot for you? Airbnb, which is valued at around $92 billion, often offers to cover the cost of housing in emergencies. It says that 75,000 people have found a place to stay with Airbnb “in a time of crisis” since 2012.

US: One splash too far?

With the argument of child abuse and prevention of child porn being used to justify backdoors into encrypted communications, and even Apple potentially taking up searches on your phone for kiddie porn, we thought this story was cashing in on the commotion.

LOS ANGELES — Spencer Elden, the man whose unusual baby portrait was used for one of the most recognizable album covers of all time, Nirvana’s 1991 album “Nevermind,” filed a lawsuit Tuesday alleging that the nude image constituted child pornography.

The album cover depicts Elden underwater in a swimming pool as a then-infant with his genitalia exposed. The image has generally been understood as a statement on capitalism, as it includes the digital imposition of a dollar bill on a fishhook that the baby appears to be enthusiastically swimming toward. Non-sexualized nude photos of infants are generally not considered child pornography under law.

However, Robert Y. Lewis, Elden’s lawyer, offers an unusual interpretation of the image to argue that it crosses the line into child porn, writing that the inclusion of currency in the shot makes the baby appear “like a sex worker.”

So what’s the upshot for you? Elden has repeatedly recreated the pose as a teenager and adult, diving into pools to pose (with swim trunks on) on the occasion of the album’s 10th, 17th, 20th, and 25th anniversaries. However, in most of the interviews accompanying these photoshoots, he expressed deeply mixed feelings about being famous for the “Nevermind” cover and whether he was exploited by it. Until now, despite his ongoing ambivalence about the photo’s legacy, he hadn’t described it as pornographic. Apparently, now he does.

US/UK: Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents

In 2018, Andrew Schober was digitally mugged for approximately $1 million worth of bitcoin.

After several years of working with investigators, Schober says he’s confident he has located two young men in the United Kingdom responsible for using a clever piece of digital clipboard-stealing malware that let them siphon his crypto holdings. Schober is now suing each of their parents in a civil case that seeks to extract what their children would not return voluntarily.

In a lawsuit filed in Colorado, Schober said the sudden disappearance of his funds in January 2018 prompted him to spend more than $10,000 hiring experts in the field of tracing cryptocurrency transactions. After months of sleuthing, his investigators identified the likely culprits: two young men in Britain who were both minors at the time of the crime (both are currently studying computer science at U.K. universities).

A forensic investigation of Schober’s computer found he’d inadvertently downloaded malicious software after clicking a link posted on Reddit for a purported cryptocurrency wallet application called “Electrum Atom.” Investigators determined that the malware was bundled with the benign program, and was designed to lie in wait for users to copy a cryptocurrency address to their computer’s temporary clipboard.

When Schober went to move approximately 16.4 bitcoins from one account to another — by pasting the lengthy payment address he’d just copied — the malware replaced his bitcoin payment address with a different address controlled by the young men.
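The substitution described above works because nothing checks that the address pasted into the wallet is the one the user copied. As an added illustration written for this note (not code from the investigation, the malware, or any wallet), the check a user or wallet could apply before broadcasting: confirm the pasted text is a valid Base58Check Bitcoin address and identical to the address that was copied. The addresses below are public example addresses used as constructed stand-ins, not values from the case.

```python
import hashlib

# Base58 alphabet used by legacy (version 1) Bitcoin addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(addr: str):
    """Decode a Base58Check string; return the 21-byte payload or None if invalid."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet (e.g. 0, O, I, l)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte that the integer form drops.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def check_paste(copied: str, pasted: str):
    """Return (ok, reason) for the address about to be used in a transaction."""
    if b58check_decode(pasted) is None:
        return False, "pasted text is not a valid Base58Check Bitcoin address"
    if pasted != copied:
        return False, "pasted address differs from the one copied: possible clipboard swap"
    return True, "pasted address matches the copied address"


# Constructed scenario (stand-in values, not from the case):
# INTENDED is the well-known Bitcoin genesis coinbase address, standing in for
# the address the user copied; SWAPPED is a public example address standing in
# for an attacker-controlled one; CORRUPTED is INTENDED with one character
# changed, so its checksum will not verify.
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAPPED = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
CORRUPTED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"

if __name__ == "__main__":
    for pasted in (INTENDED, SWAPPED, CORRUPTED):
        print(pasted, "->", check_paste(INTENDED, pasted))
```

The swapped case is the one that matters: the attacker’s address is a perfectly valid address, so only a comparison against what was actually copied catches it.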

Schober’s lawsuit lays out how his investigators traced the stolen funds through cryptocurrency exchanges and on to the two youths in the United Kingdom. In addition, they found one of the defendants — just hours after Schober’s bitcoin was stolen — had posted a message to GitHub asking for help accessing the private key corresponding to the public key of the bitcoin address used by the clipboard-stealing malware.

Investigators found the other defendant had the malware code that was bundled with the Electrum Atom application in his GitHub code library.

Met with continued silence from the parents for many months, Schober filed suit against the kids and their parents in a Colorado court. A copy of the May 2021 complaint is here (PDF).

Now they are responding. One of the defendants — Hazel D. Wells — just filed a motion with the court to represent herself and her son in lieu of hiring an attorney. In a filing on Aug. 9, Wells helpfully included a letter, and volunteered that her son had been questioned by U.K. authorities in connection with the bitcoin theft.

Neither of the defendants’ families is disputing the basic claim that their kids stole from Mr. Schober. Rather, they’re claiming that time has run out on Schober’s legal ability to claim a cause of action against them.

“Plaintiff alleges two common law causes of action (conversion and trespass to chattel), for which a three-year statute of limitations applies,” an attorney for the defendants argued in a filing on Aug. 6 (PDF). “Plaintiff further alleges a federal statutory cause of action, for which a two-year statute of limitations applies. Because the plaintiff did not file his lawsuit until May 21, 2021, three years and five months after his injury, his claims should be dismissed.”

Schober’s attorneys argue that “the statute of limitations begins to run when the plaintiff knows or has reason to know of the existence and cause of the injury which is the base of his action,” and that inherent in this concept is the discovery rule, namely: That the statute of limitations does not begin to run until the plaintiff knows or has reason to know of both the existence and cause of his injury.

The plaintiff’s attorneys point out that Schober’s investigators didn’t pinpoint one of the young men’s involvement until more than a year after they’d identified his co-conspirator, saying Schober notified the second boy’s parents in December 2019.

So what’s the upshot for you? What? You are at 3 years and 5 months and the statute of limitations ran out at 3 years? Good luck with that defense.

TR: T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’

The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and counting.

John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.

In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile’s defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile’s known internet addresses for weak spots using a simple tool available to the public.

The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. Many of the records reported stolen were from prospective clients or former customers long gone. “That to me does not sound like good data management practices,” said Glenn Gerstell, a former general counsel for the National Security Agency.

Mr. Binns said he used that entry point to hack into the cellphone carrier’s data center outside East Wenatchee, Wash., where stored credentials allowed him to access more than 100 servers.

“I was panicking because I had access to something big,” he wrote. “Their security is awful.”

So what’s the upshot for you? The sad thing is this is a troubled kid from a broken family, who could, given half a chance, turn out to be a great asset to a company somewhere… We hope you hear the call, T-Mobile!

ID: Pick your own title for this one: Indonesians Told to Delete Unsecured Tracing App …or…
Indonesian Government’s Covid-19 App Accidentally Exposes Over 1 Million People in Massive Data Leak

Researchers discovered that the Indonesian Government’s COVID-19 test and trace app developers “failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server.”

In total, 2GB of data belonging to the Republic’s Ministry of Health were exposed on an Elasticsearch server. Researchers said the data included more than 1.4 million records and that approximately 1.3 million individuals had been impacted.

Information left unsecured included Personal Identifiable Information (PII), medical records, contact details, travel information, and COVID-19 infection status.

The database of unprotected records was discovered by researchers on July 15. It was reported to the Ministry of Health on July 21 and to the Indonesian Computer Emergency Response Team (ID-CERT) on July 22.

Despite twice flagging the open database to the Indonesian government and CERT, the researchers only received a response about the security incident in August after contacting Indonesia’s National Cyber and Encryption Agency (BSSN), which shut down the server over a month later, on August 24.

The eHAC app has now been integrated into a new app called PeduliLindungi. However, the Health Ministry, which publicly responded to the research findings earlier today, urged eHAC users to delete the app as a precaution.

So what’s the upshot for you? The horse has bolted. We left the data online and unsecured. You can shut the gate now and delete the eHAC app.

“Oh and try our new PeduliLindungi app.” Same developers, same security but with a great new name!

UK: Leaked UK “Guntrader” firearms data file shared

The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.

As an exercise in amplifying a data theft to levels that endanger public safety, the latest evolution of the Guntrader database break-in is likely to become an infosec case study in how security breaches can become worse over time as stolen information is put to ever more intrusive uses.

Leaked online last week via an animal rights activist’s blog, the stolen reformatted Guntrader database was explicitly advertised as being importable into Google Earth so randomers could “contact as many [owners] as you can in your area and ask them if they are involved in shooting animals.”

Names, home addresses, postcodes, phone numbers, email addresses, and IP addresses are included in the Google Drive-hosted CSV file – along with precise geographic coordinates for a large number of the 111,295 people listed in the breach. Firearms are attractive to criminals.

Guntrader has not explained why it was collecting location coordinates down to six decimal places. It appears likely that the latest version of the Guntrader database break-in may be covered by section 58 of the Terrorism Act 2000, which makes it a crime to collate “information of a kind likely to be useful to a person committing or preparing an act of terrorism.” Breaching Section 58 is punishable with 15 years in prison. The South West Regional Cyber Crime Unit as well as the National Crime Agency are both said to be investigating.

So what’s the upshot for you? The file was linked to from the activist’s blog, a clearnet site hosted in Iceland, and presents a severe risk not only to British firearm and shotgun certificate holders but also anyone who moved house to one of the addresses mentioned in the leak of the stolen database, which contains data up to five years old.

Google has now removed the .CSV file share.

US: CISA Adds Single-Factor Authentication to list of Bad Practices

…and this is the list of three:

1.) Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.

2.) Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.

3.) The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.

These practices are especially egregious in technologies accessible from the Internet.

So what’s the upshot for you? Egregious. Definition: extraordinary in some bad way; glaring; flagrant: an egregious mistake.

Global: Windows 11 starts shipping October 9th. Whee!

As with Windows 10 updates, you’ll be able to download an ISO file to initiate the upgrade yourself. Microsoft also offers tools like the Windows Update Assistant to manually trigger upgrade installs.

For PCs that don’t meet Microsoft’s stringent system requirements—a recent 64-bit Intel, AMD, or Qualcomm processor; enabled Secure Boot support; and a TPM 2.0 module along with 4GB or more of RAM and 64GB or more of storage—Microsoft has been cagey. Neither today’s announcement nor a post from last week explaining the security requirements mentions being able to install Windows 11 on unsupported PCs. Microsoft did tell reporters, however, that it won’t disallow installation on incompatible systems as long as you install the operating system manually, although the company can later assert its right to withhold security and driver updates on those PCs if it wants to.

So what’s the upshot for you? Today’s announcement merely says that “Windows 10 is the right choice” for older systems and reiterated that Windows 10 will receive security updates through October 14, 2025.

UK/Global: Own Boaty McBoatface via McNFTs

James Hand, the creator of the Boaty McBoatface name, has teamed up with artist and designer DHW to create ‘McBoatfaces’: 600 NFT crypto-collectibles that fractionalize ownership of his Boaty McBoatface phenomenon.

Boaty McBoatface is the iconic global phenomenon that transcended the Internet, while also spawning Trainy McTrainface, Ferry McFerryface, Plowy McPlowface, NASCAR’s Buschy McBusch Race 400, and countless others – an internet superstar, and true internet hall of fame royalty – as seen globally on TV, social media, radio, and press.

James & DHW are donating a portion of the proceeds from McBoatfaces to charity, through the Boaty McBoatface ‘Save The Sea’ initiative, which will donate to charities that are cleaning up the seas and oceans, and championing safety on the water.

James Hand is an ex-BBC, now freelance journalist and presenter, who was unwittingly thrown into the limelight in 2016 when he suggested “Boaty McBoatface” as the name for a new British scientific research vessel. The name was incredibly popular and easily took the top spot, gaining global media attention in the process.

So what’s the upshot for you? You have to spend your money on something. Why not a Boaty McBoatface Non-Fungible Token!

That’s it for this week! We’ll put the mischief-makers in the corner with the NFTs where we are sure that within a week they will both have increased in value!

Until then, be kind, stay safe, stay secure and see you in se7en!
