Chillin' with the IT Privacy and Security Weekly Update for May 10th, 2022



Daml’ers,

From the blustery cold volcanic slopes of Iceland to the Freeze you put on Equifax, this week’s update may drop local temps by several degrees.

We apply the heat by moving through downed satellite relays, Vodka DDoS attacks, and the weaponization of Windows event logs.

From there we discover the newest US surveillance agency and the latest arms race. Finally, there is the gravitational pull toward the privacy of outer space, and even that is coming into sharper focus.

Throw on that jacket, grab a scarf, and let’s prep for a sudden chill with the latest (and greatest) IT Privacy and Security Weekly Update adventure!


AU/IS: Australian police unsuccessfully seek to have a hosting company pull down leaked data website.

Australian Federal Police this week asked an Icelandic hosting company to pull down a website dedicated to documenting hacker history.

The hosting company, FlokiNET, said no.

“Dear Australian Federal Police,” the company tweeted Wednesday. “Nice try to shut down whistleblower websites but this will not be possible with the ones we host. The public has a right to know what’s happening in Nauru…”

The hackers said in their statement that they were motivated by the September 2021 deal that Australia signed with Nauru to keep the offshore immigration processing center open indefinitely.

General elections are taking place in Australia on May 21 and immigration is a contentious issue. The hackers asked that the “newly elected Australian government” end its policy of mandatory immigration detention and permanently close immigration detention facilities by the end of 2022.

So what’s the upshot for you? There is a good chance these Icelandic web hosting company employees walk past active volcanoes to get to work each morning. Did you really think they would give in that easily?


US: After the most recent court revelation, your phone could be your biggest liability.

Phones can record communications, search histories, body health data, and other information. Last Tuesday, there was new evidence revealed that commercial data brokers sell location information gathered from the phones of people who visit abortion clinics.

It is now common for law enforcement to make use of the contents of people’s phones, including location and browsing information. One case against an alleged Jan. 6 insurrectionist drew upon thousands of pages of data from the suspect’s phone as well as Facebook records, prosecutors said.

Phones can collect precise information about your whereabouts — right down to the building — to power maps and other services. Sometimes, though, the fine print in app privacy policies gives companies the right to sell that information to other companies that can make it available to advertisers, or whoever wants to pay to obtain it.

Last week Vice’s Motherboard blog reported that for $160, it bought a week’s worth of data from a company called SafeGraph showing where people who visited more than 600 Planned Parenthood clinics came from and where they went afterward.

This kind of data could be used, for example, to identify clinics that provide abortions to people from out of state in places where that is illegal.

Privacy watchdogs say you can learn a lot by connecting the dots on multiple places a single person has visited. For example, last year, a Catholic blog obtained location information originally generated by the dating app Grindr to out a priest as gay. Those behind the blog were able to infer that a person at a church-related location also was visiting gay bars.

Private messages also can become evidence. In 2015, text messages about getting an abortion helped convict a woman of child neglect and feticide.

A 2020 report by Upturn, a nonprofit organization focused on technology and justice, found that law enforcement agencies use “mobile device forensic tools” — which can give them access to Internet histories as well as to unencrypted emails and texts — when investigating matters as varied as marijuana possession and graffiti.

Millions of people use apps to help track their menstrual cycles, logging and storing intimate data about their reproductive health. Because that data can reveal when periods, ovulation, and pregnancy stop and start, it could become evidence in states where abortion is criminalized.

Last year, the Federal Trade Commission settled with the period-tracking app Flo after the app promised to keep users’ data private but then shared it with marketing firms including Facebook and Google.

A recent investigation by Consumer Reports found shortcomings in the way five popular period-tracking apps handle sensitive user data, including sending it to third parties for targeted advertising.

How are the apps allowed to share such personal data? In the US our interactions with healthcare providers are covered by a federal privacy law called the Health Insurance Portability and Accountability Act, or HIPAA. However, period-tracking apps, for example, aren’t defined as covered entities, so they can legally share data.

So what’s the upshot for you? In many respects, that which is held closest… can turn into your worst enemy.


US/UA/RU: U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors

You may recall at the start of the war on Ukraine that the SATCOM network was knocked out across Europe.

Now, in an update to the March 17th, 2022 report on the SATCOM cyberattack, the United States has assessed that Russia launched those cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion… which had significant spillover impacts into other European countries.

The outcome was that the Russian attack disrupted the firmware on the local routers, preventing communication.

The devices were not permanently bricked, but had to have the firmware updated.

So what’s the upshot for you? This sounds like a nation-state attack on the communications network of other countries and could provide grounds for retaliation (should that decision ever be exercised).


UA: Ukrainians DDoS Russian Vodka Supply Chains

Ukrainian hacktivists reportedly disrupted alcohol shipments in Russia after committing distributed denial of service (DDoS) attacks against a critical online portal.

Alcohol producers and distributors are required by law to register their shipments with the EGAIS portal, loosely translated as the “Unified State Automated Alcohol Accounting Information System.”

However, several entities in the sector told local news site Vedomosti last week that DDoS attacks by Ukrainian hacktivists downed the site on May 2 and 3.

The outage impacted not only vodka distribution but also wine companies and purveyors of other types of alcohol.

Of course, Russian government sources claim that the site was running normally and any excessive waiting times were merely due to heavy demand.

So what’s the upshot for you? Probably a bad move for Ukrainians, especially if they see the Russians’ aim suddenly improving.


US: …and a lightbulb goes on in the White House: Quantum Computing Has White House Mulling the Risks and Rewards

The White House released a memorandum Wednesday that outlines a national effort to promote leadership in quantum computing and calls for security advances to prepare for future cyber threats from quantum computing before they arise.

“Quantum information science – we’ll call it ‘QIS,’ for short – is a rapidly emerging scientific discipline that combines our best understanding of the subatomic world – quantum mechanics – with our best understanding of information systems – information theory – to generate revolutionary technologies and insights,” said a senior administration official during a background press call on Tuesday.

The announcement goes on to note that quantum computers could be a problem for digital communications and security.

Quantum research is thought to soon reach a point where a “cryptanalytically relevant quantum computer” is possible.

These computers could jeopardize US communications, control systems of critical infrastructure, and security protocols used for most internet-based financial transactions, according to the memorandum.

“Current research shows that at some point in the not-too-distant future, when quantum information science matures and quantum computers are able to reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications,” said the senior administration official.

So what’s the upshot for you? Quant is the next arms race.


Global: GitHub Will Require All Code Contributors To Use 2FA

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced recently that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.

The new policy was announced Wednesday in a blog post by GitHub’s chief security officer Mike Hanley, which highlighted the Microsoft-owned platform’s role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers’ accounts.

“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

So what’s the upshot for you? One step closer to securing the supply chain. Good move.


Global: Facebook To Discontinue ‘Nearby Friends’ and Other Location-Based Features

https://www.documentcloud.org/documents/21716382-facebook-data-lineage-internal-document

Facebook on Thursday began informing users that Nearby Friends and other location-based features will be discontinued at the end of the month.

"Nearby Friends and Weather alerts will no longer be available after May 31, 2022.

Information you shared that was used for these experiences, including Location History and Background Location, will stop being collected after May 31, 2022, even if you have previously enabled them."

While the reasons are currently unclear, the company claims that all information related to these features will be deleted from Facebook’s servers.

Why? Their explanation was this: "We fundamentally lack closed-form properties in Facebook systems.

For more than a decade, openness and empowering individual contributors has been part of our culture.

We’ve built systems with open borders.

The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.)

You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere.

How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?"

So what’s the upshot for you? Well, if you were designed to leak data the only way to prevent more leakage is not to collect it in the first place.

Good business move on Facebook’s part.


US: Clearview AI Agrees To Limit Sales of Facial Recognition Data In the US

Notorious facial recognition company Clearview AI has agreed to permanently halt sales of its massive biometric database to all private companies and individuals in the United States as part of a legal settlement with the American Civil Liberties Union, per court records.

Monday’s announcement marks the close of a two-year legal dispute brought by the American Civil Liberties Union (ACLU) and privacy advocate groups in May of 2020 against the company over allegations that it had violated BIPA, the 2008 Illinois Biometric Information Privacy Act.

This act requires companies to obtain permission before harvesting a person’s biometric information — fingerprints, gait metrics, iris scans, and faceprints for example — and empowers users to sue the companies who do not.

So what’s the upshot for you? Clearview AI was slapped with a €20 million fine by Italian regulators in March and £17 million in November by the UK, both for violations of national data privacy laws.

Australia has been investigating the company’s scraping schemes since 2020.

Given that the company boasted in February that it had amassed 100 billion images in its “index of faces,” the right to anonymity in America may remain in peril.


US: DATA-DRIVEN DEPORTATION IN THE 21ST CENTURY

When you think about government surveillance in the United States, you likely think of the National Security Agency or the FBI.

You might even think of a powerful police agency, like the New York Police Department.

But unless you or someone you love has been targeted for deportation, you probably don’t immediately think of Immigration and Customs Enforcement (ICE).

This Center on Privacy & Technology at Georgetown Law report argues that you should.

Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency.

  • ICE has scanned the driver’s license photos of 1 in 3 adults.

  • ICE has access to the driver’s license data of 3 in 4 adults.

  • ICE tracks the movements of drivers in cities home to 3 in 4 adults.

  • ICE could locate 3 in 4 adults through their utility records.

So what’s the upshot for you? Let’s hope they never get together with Clearview AI.


Global: Hackers are now hiding malware in Windows Event Logs

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

The method enabled the threat actor behind the attack to plant file-less malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

One of the most interesting parts of the attack is injecting shellcode payloads into Windows event logs for the Key Management Services (KMS), an action completed by a custom malware dropper.

The dropper’s purpose is to place a loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 - ‘AB’ in ASCII).

If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager.

Additional tools used in the attack are the commercial penetration testing frameworks Cobalt Strike and NetSPI (the former SilentBreak).

In the majority of cases, the ultimate purpose of the targeted malware with such last stager functionality is to obtain elements of valuable data from the victims.

So what’s the upshot for you? We had a couple of proof of concept papers lined up to share, but since starting this write-up they have both been pulled.
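For defenders, the indicators named above (records with category 0x4142 and 8KB chunks of encrypted data in the KMS event log) can be turned into a simple triage over exported log records. This is an added example, not code from the researchers or the original report; the record field names (record_id, category, binary_data), the entropy thresholds and the sample records are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SUSPECT_CATEGORY = 0x4142  # 'AB' in ASCII: record category named in the write-up
CHUNK_SIZE = 8 * 1024      # write-up: encrypted shellcode stored in 8KB chunks
ENTROPY_MIN = 7.0          # assumption: bits per byte above which data looks encrypted
ENTROPY_MIN_LEN = 256      # assumption: too few bytes give a meaningless entropy value


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def triage_record(rec: dict) -> list:
    """Return the reasons a record deserves a closer look (empty list if none)."""
    reasons = []
    blob = rec.get("binary_data", b"")
    if rec.get("category") == SUSPECT_CATEGORY:
        reasons.append("category 0x4142")
    if len(blob) >= CHUNK_SIZE:
        reasons.append("binary data >= 8KB")
    if len(blob) >= ENTROPY_MIN_LEN and shannon_entropy(blob) >= ENTROPY_MIN:
        reasons.append("high-entropy binary data")
    return reasons


def hunt(records: list) -> dict:
    """Map record_id -> reasons for every record that trips at least one check."""
    hits = {}
    for rec in records:
        reasons = triage_record(rec)
        if reasons:
            hits[rec["record_id"]] = reasons
    return hits


# Constructed sample records (hypothetical export format, not real log data).
# SHA-256 output stands in for an encrypted chunk: 256 digests * 32 bytes = 8KB.
_pseudo_encrypted = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256)
)
SAMPLE_RECORDS = [
    {"record_id": 101, "category": 0, "binary_data": b""},
    {"record_id": 102, "category": 0, "binary_data": b"\x00" * 9000},
    {"record_id": 103, "category": SUSPECT_CATEGORY, "binary_data": _pseudo_encrypted},
    {"record_id": 104, "category": SUSPECT_CATEGORY, "binary_data": b"short"},
]

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_RECORDS).items():
        print(record_id, "->", ", ".join(reasons))
```

A record that trips all three checks at once, like sample record 103, is the strongest match for what the write-up describes; size or category alone is a weaker signal worth a manual look.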


Outer Space: Will there be new privacy complaints from outer space? NASA Releases Ridiculously Sharp Webb Space Telescope Images

If you have ever been out on a bright day, realized your sunglasses were dirty, taken them off, given them a clean, and marveled at the clarity of view, now with pin-sharp images, you might understand the mirth of astronomers worldwide on seeing the results of the new Webb space telescope.

Webb’s image of the same region makes Spitzer’s (the last space telescope) look like a finger painting, showing interstellar gas clearly distributed across the starfield. The stars—blots in Spitzer’s view—are seven-pointed beacons of light in the MIRI test.

“This is a really nice science example of what Webb will do for us in the coming years,”

From these early results, it appears that Webb will be something of an intergalactic palantir (This stands for Precision Array of Large-Aperture New Telescopes for Image Reconstruction, and is meant to reference the “far-seeing stones in Lord of the Rings”), dropping scientists into various parts of deep space that were previously inaccessible.

It’s the next best thing to actually being there for the universe’s infancy.

The telescope was designed to operate for five years at a minimum, but its ultra-precise launch back in December means the telescope may have enough fuel to stay in position for more than 20 years.

Stay tuned.

So what’s the upshot for you? We liked the comment about the unique lens refraction due to the shape of the mirrors. Very pretty.


US: Freezing your credit to keep your cool

After a recent text message from an ex-work colleague saying she just got a message from her bank that her Social Security number and driver’s license had been found on the dark web and asking what she could do to further protect herself, we thought we would share this information again.

  • Please start with a credit freeze, also known as a “security freeze.” This locks your credit report, blocking all new inquiries. Since most credit lines require a credit check to process your application, an application for credit would be denied during a freeze. This makes it more difficult for identity thieves to open an account in your name.

  • Enable multi-factor authentication for all your logins around the web. There are plenty of authenticator apps you can use with your mobile devices, or you could carry around a hardware security key on your keychain. Entering passcodes is an extra step in the login process, but it could be the safeguard that keeps malicious individuals out of your accounts in the event of a data breach.

  • Use a password manager to keep track of your credentials. Getting a randomly-generated password from an app is a much safer option than trying to remember the same three passwords and using them for every website. Most modern password managers also allow you to store photo attachments and sensitive documents in your encrypted vault.

  • Read app and website privacy policies. This step takes the longest, but it’s the key to understanding how companies are using your data. Keep an eye out for anything unusual, like a calculator app that also collects your health metrics.

  • Lie while filling out web forms. We’re not recommending you do this when communicating with government agencies or your bank, but yes, go ahead and lie to the cooking website that wants your birthday, full name, phone number, and physical address in exchange for a chili recipe. If you can’t figure out why an app or website needs the information they’re harvesting from you, it’s not a good idea to give them the real data.

  • Just say no to unnecessary data collection. In many cases, all of the information requested on a company’s web form is not required information, so you can get away with leaving out important data about yourself. You can also choose not to accept cookies on many websites, and deny certain data requests made by applications without harming your user experience in any way.

So what’s the upshot for you? As Brian Krebs remarked in this blog a few weeks ago, if you give it to them they’ll either “sell it, leak it, lose it, or be hacked and relieved of it.”


Our quote this week is from the lovable Steve Wozniak, co-founder of Apple. “Never trust a computer you can’t throw out a window.”


That’s it for this week. Stay safe, stay secure, watch out for large falling objects, and we’ll see you in se7en.
