This week it’s all about food. Well, some of it is, anyway. Listen to this blog here.
We start with too many cooks in the kitchen and end with positive prospects for cheeseburgers on Mars.
Moving through the meal have all our ducks in a row with a possible bit of overcompensation from the US government on Cybersecurity, a huge leak out of Israel, three Apple stories, a food fight between the US and China, and cyber threats to the food industry.
There are lots of additional tasty tidbits sprinkled in among the various courses too.
So let’s roll up our sleeves, tuck our napkins into our shirt collars, and chow down on the most satisfying serving of IT Privacy and Security Weekly update nourishment yet!
US: From too few cooks in the kitchen to too many?
The US now has five overlapping Cyber security-related roles jockeying for limited federal budgets, authorities, and bureaucratic victories. Could it be too many cooks in the kitchen?
1.) Jen Easterly as the second-ever director of the federal government’s domestic cybersecurity agency at CISA—which oversees the US federal government’s civilian cybersecurity efforts and interfaces with election officials and critical infrastructure sectors to protect local, state, and tribal systems, as well as private company networks and industries.
2.) General Paul Nakasone holds the so-called “dual hat” role of heading the National Security Agency’s signals-intelligence efforts and US Cyber Command, the nation’s offensive cyber military capability. He is also in charge of securing the military’s own communications and computer networks.
3.) At the White House, Biden created a new senior-level post for Anne Neuberger, now deputy national security adviser for cyber and emerging technology. Neuberger acts as the internal coordinator for Biden’s sweeping, cyber-focused executive order, and she has thus far served as the administration’s public face on cyber incidents.
4.) Biden also nominated Chris Inglis to serve in a position newly created by Congress known as the national cyber director, an amorphous and largely undefined role that is meant to serve as the president’s top cyber adviser and coordinator. It’s authorized for up to 75 of its own staff, which would make it one of the largest cyber policy shops in the entire government, although where Inglis will recruit staff and what they would do remains unclear.
5.). There’s also the Justice Department, where deputy attorney general Lisa Monaco and principal deputy associate attorney general John Carlin have led efforts to confront foreign adversaries through indictments, bringing a groundbreaking series of cases beginning in 2014 against Chinese military hackers. Monaco and Carlin moved quickly to establish and assert the Justice Department’s role this spring amid the flood of ransomware, announcing an April task force and a surprise seizure that recovered some $2.3 million of the ransom paid by Colonial Pipeline.
So what’s the upshot for you? Despite the multitude of agencies with a slice of the cyber pie, a significant gap still remains. No agency has real ownership over; identifying, combating, and fighting disinformation and misinformation online.
And who is interested in stepping into the information operations space? Yet another player: the DHS’s Office of Intelligence and Analysis, whose new leader this month, John Cohen, is himself a 30-year veteran of law enforcement and intelligence.
We’ll be interested to see what gets cooked up. We just hope that the souffle does not sink in the meantime.
UK/FR/US: Huge data leak shatters the notion that the innocent need not fear surveillance
Billions of people are inseparable from their phones. Their devices are within reach – and earshot – for almost every daily experience, from the most mundane to the most intimate.
An Israeli firm accused of supplying spyware to governments has been linked to a list of 50,000 smartphone numbers, including those of activists, journalists, business executives, and politicians around the world, according to reports this past Sunday.
Israel’s NSO Group and its Pegasus malware have been in the headlines since at least 2016 when researchers accused it of helping spy on a dissident in the United Arab Emirates.
The extent of the use of Pegasus was reported by The Washington Post, the Guardian, Le Monde, and other news outlets, who collaborated on an investigation into a data leak.
The leak of 50,000 phone numbers, suggests human rights lawyers, activists, and dissidents across the globe were selected as possible candidates for invasive surveillance through their phones.
Their mobile phone numbers appeared in records, indicating they were selected prior to possible surveillance targeting by governmental clients of the Israeli company NSO Group, which developed the Pegasus spyware.
Few pause to think that their phones can be transformed into surveillance devices, with someone thousands of miles away silently extracting their messages, photos, and location, activating their microphone to record them in real-time. Such are the capabilities of Pegasus, the spyware manufactured by NSO Group, the Israeli purveyor of weapons of mass surveillance.
The Washington Post said that 15,000 of the numbers on the list were in Mexico and included those of politicians, union representatives, journalists, and government critics. The list reportedly included the number of a Mexican freelance journalist who was murdered at a carwash. His phone was never found and it was not clear if it had been hacked.
Indian investigative news website The Wire reported that 300 mobile phone numbers used in India – including those of government ministers, opposition politicians, journalists, scientists, and rights activists – were on the list. The numbers included those of more than 40 Indian journalists from major publications such as the Hindustan Times, The Hindu, and the Indian Express as well as two founding editors of The Wire, it said. The Indian government denied in 2019 that it had used the malware to spy on its citizens after WhatsApp filed a lawsuit in the United States against NSO, accusing it of using the messaging platform to conduct cyber espionage.
The Post said a forensic analysis of 37 of the smartphones on the list showed there had been “attempted and successful” hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi, who was murdered in 2018 by a Saudi hit squad.
Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El Pais, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America, the Guardian said.
Pegasus is reportedly a highly invasive tool that can switch on a target’s phone camera and microphone as well as access data on the device, effectively turning a phone into a pocket spy. In some cases, it can be installed without the need to trick a user into initiating a download.
NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it “full of wrong assumptions and uncorroborated theories,” and threatened a defamation lawsuit. “We firmly deny the false allegations made in their report,” NSO said.
It is not possible to know without forensic analysis whether the phone of someone whose number appears in the data was actually targeted by a government or whether it was successfully hacked with NSO’s spyware. But when Amnesty International’s Security Lab, conducted forensic analysis on dozens of iPhones that belonged to potential targets at the time they were selected, they found evidence of Pegasus activity in more than half.
So what’s the upshot for you? The Pegasus project is likely to put an end to the old adage “If you have done nothing wrong, you have nothing to fear.” With software like Pegasus, Law-abiding people – including citizens and residents of democracies globally, are apparently not immune from unwarranted surveillance.
Global: Turns Out That Low-Risk iOS Wi-Fi Naming Bug Could Hack iPhones Remotely
The Wi-Fi network name bug that was found to completely disable an iPhone’s networking functionality had remote code execution capabilities and was silently fixed by Apple earlier this year, according to new research.
The denial-of-service vulnerability, which came to light last month, stemmed from the way iOS handled string formats associated with the SSID input, triggering a crash on any up-to-date iPhone that connected to wireless access points with percent symbols in their names such as “%p%s%s%s%s%n.”
While the issue is remediable by resetting the network settings (Settings > General > Reset > Reset Network Settings), Apple is expected to push a patch for the bug in its iOS 14.7 update, which is currently available to developers and public beta testers.
But in what could have had far-reaching consequences, researchers from mobile security automation firm ZecOps found that the same bug could be exploited to achieve remote code execution (RCE) on targeted devices by simply attaching the string pattern “%@” to the Wi-Fi hotspot’s name.
“As long as the Wi-Fi is turned on this vulnerability can be triggered,” the researchers noted. “If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack.”
“This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk,” the company added. “After turning off the malicious access point, the user’s Wi-Fi function will be normal. A user could hardly notice if they have been attacked.”
So what’s the upshot for you? All iOS versions starting with iOS 14.0 and prior to iOS 14.3 were found to be vulnerable to the RCE variant, with Apple “silently” patching the issue in January 2021 as part of its iOS 14.4 update. No CVE identifier was assigned to the flaw.
Given the exploitable nature of the bug, it’s highly recommended that iPhone and iPad users update their devices to the latest iOS version to mitigate the risk associated with the vulnerability.
Yesterday officially released iOS 14.7 for iPhones with bug fixes and security enhancements, which also comes with a patch for the Wi-Fi denial-of-service issue. However, the company has not yet released security details that could indicate whether it has addressed the vulnerability.
Global: Apple’s Stunning New iPhone Feature Is A Triumphant Success
iOS 14.5’s App Tracking Transparency (ATT), is proving to be a triumphant success and as predicted, has really hurt the likes of Facebook and its advertisers. In fact, the latest figures from Branch, which analyses mobile app growth, show that 75% of iPhone users are opting out of being tracked across their iPhones.
So what’s the upshot for you? We are starting to understand the value of keeping our data private, which makes our next story even more interesting.
Global: Turning off that deeply buried iPhone Location Tracking Setting
iPhone users. Have you turned off the “Significant Location” setting on your device? Have you even heard of the “significant location” tracking? If not, it’s OK because it’s 5 layers deep down into the menu items.
“Your iPhone and iCloud-connected devices,” the company explains, “will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you.”
Your home and office, favorite places to eat, shop, and visit. It links to photo memories and calendar entries, dictating when you should “leave now.” It knows how you travel and how long you take to get there. Just like Google’s Timeline, it’s a data cache worthy of the best collections efforts of a major intel agency—right there on your iPhone.
Apple only stores its data on your iPhone and protects this with end-to-end encryption. But data in storage is data at risk—wherever that might be at rest. “When I used to investigate digital forensics for the police,” Moore told me. “This little-known feature became extremely useful when searching for evidence on iPhones.”
The level of accuracy seems a bit invasive and provides a reminder that Apple’s tracking is still a large part of their business model. The more information they have, the more they can profile and target, so we think you might want to look at the privacy settings and perhaps turn off location tracking.”
Apple says it uses significant location data to optimize battery charging. But if your iPhone really needs to capture and store everywhere you go to a hidden database, just so that it can improve your battery life, then we have a serious issue.
Ok so this is how you turn it off:
- Location Services
- System Services
- Significant locations
- Significant locations (subhead) slide the button to the left.
You will get a pop-up message telling you about all the great things that might work less well because you won’t allow the phone to track you anymore.
Then go to the bottom of that page on your phone and click on “clear history” and confirm that by clicking on the red “Clear history” once again.
So what’s the upshot for you? We certainly were not expecting this from Apple, and no, your apps do not break if your phone is not tracking your every move.
US: The future of policing is all around you
Flock Safety wants to reduce crime nationwide by 25% in three years. That goal might seem extreme, but the upstart company says it typically sees a 25% drop in crime soon after partnering with a city, and it’s operating in more than 1,200 nationwide.
“It’s very rare we don’t see a 20 or 30% reduction,” said, CEO Garrett Langley. The company just announced a $150 million Series D fundraise led by Andreessen Horowitz, one of the world’s leading venture capital firms.
Flock Safety makes surveillance cameras more affordable by using existing cellphone-camera technology to build cameras that read license plates and capture traffic data. Then Flock gives police the software to narrow and find suspect vehicles. The roadside cameras catalog vehicles — model, color, make, and any distinguishing features, as well as the date and time they pass by.
If a crime is reported and the victim can describe the vehicle, police can narrow cars down within a few clicks alongside access to an owner’s open warrants or criminal history.
The cameras also ping law enforcement when a stolen vehicle or a vehicle related to an Amber or Silver Alert crosses their path.
Doesn’t that sound like Big Brother? Advances in surveillance tech have prompted debate about privacy, and whether trade-offs are justified in the name of “public safety”. Langley says that the company’s products are ethically built and actually reduce bias because the focus is on the vehicle, not gender or race.
So what’s the upshot for you? Just reading through the home page of the website left us feeling uneasy. We understand this is the direction of travel for many people, but we are just wondering what will happen when the privacy we all took for granted is gone.
US: Biden administration, US allies condemn China’s malicious hacking, espionage actions
Following a push by the White House to address the ransomware crisis emanating from Russia and the imposition of sanctions on Russia for its spree of malicious cyber actions, the Biden administration has launched a multi-part strategy to shame another digital security adversary, China, into halting its digital malfeasance.
The US, the UK, and the EU attributed the Microsoft Exchange attack to a Chinese threat group known as APT40. As part of the administration’s campaign to get China to back down, the US Department of Justice announced charges unrelated to the Microsoft Exchange hack against four Chinese individuals, including three Chinese cybersecurity officials. The charges were filed in May but not announced until yesterday. The indicted individuals also allegedly work for APT40, and prosecutors say they worked for the Hainan State Security Department (HSSD) of China’s MSS.
In addition to these condemnations and charges, the NSA, CISA, and FBI released a series of advisories detailing Chinese cyber threat activity and how administrators can best protect against APT40’s threats.
First, the administration formally accused China of breaching Microsoft’s Exchange email servers to implant what most experts consider reckless and damaging surveillance malware. Although Microsoft has long attributed that incident to a Chinese hacking group it calls HAFNIUM, the White House has now finally and officially acknowledged China’s role in that supply chain attack.
In a statement, the White House said it is attributing “with a high degree of confidence that malicious cyber actors affiliated with PRC’s [People’s Republic of China] MSS [Ministry of State Security] conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”
So what’s the upshot for you? Say what you feel on a Monday.
CN: China Says Washington Hack Claims ‘Fabricated’, Condemns US Allies
China on Tuesday said the US had “fabricated” allegations it carried out a massive Microsoft hack, countering that Washington was the “world champion” of cyberattacks while raging at American allies for signing up to a rare joint statement of condemnation.
“The Chinese government, not unlike the Russian government, is not doing this themselves, but are protecting those who are doing it, and maybe even accommodating them being able to do it,” Biden told reporters.
In an effort to put the diplomatic squeeze on Beijing, the United States coordinated its statement Monday with allies – the European Union, Britain, Australia, Canada, New Zealand, Japan, and NATO.
China hit back, calling the allegations of a Beijing-supported cyber-attack campaign “fabricated”.
“The US has mustered its allies to carry out unreasonable criticisms against China on the issue of cybersecurity,” foreign ministry spokesman Zhao Lijian told reporters in Beijing.
“This move is fabricated out of nothing.”
So what’s the upshot for you? Keep your head down, keep patches, antivirus, antimalware, and your OS up to date and don’t click on or download any unexpected links or documents. This is all going to get worse before it gets better.
IR: Facebook catches Iranian spies catfishing US military targets
If you’re a member of the US military who’s gotten friendly Facebook messages from private-sector recruiters for months on end, suggesting a lucrative future in the aerospace or defense contractor industry, Facebook may have some bad news.
On Thursday, the social media giant revealed that it has tracked and at least partially disrupted a long-running Iranian hacking campaign that used Facebook accounts to pose as recruiters, reeling in US targets with convincing social engineering schemes before sending them malware-infected files or tricking them into submitting sensitive credentials to phishing sites. Facebook says that the hackers also pretended to work in the hospitality or medical industries, in journalism, or at NGOs or airlines, sometimes engaging their targets for months with profiles across several different social media platforms. And unlike some previous cases of Iranian state-sponsored social media catfishing that have focused on Iran’s neighbors, this latest campaign appears to have largely targeted Americans and, to a lesser extent, the UK and European victims.
“Our investigation found that Facebook was a portion of a much broader espionage operation that targeted people with phishing, social engineering, spoofed websites, and malicious domains across multiple social media platforms, email, and collaboration sites,” Facebook’s director for threat disruption, said Thursday in a call with the press.
Facebook has identified the hackers behind the social engineering campaign as the group known as Tortoiseshell, believed to work on behalf of the Iranian government.
So what’s the upshot for you? Aw, and we thought they liked us for our wonderful Facebook profiles… not just the fact that we held the keys to the nuclear bunker!
Global: Report on password security and some simple things to remember.
Findings from Ponemon Institute’s Cybersecurity in the Remote Work Era: A Global Risk Report, commissioned by Keeper Security in 2020
Use a unique password for every account. When employees reuse passwords across accounts, they greatly increase the risk that their employer will be breached.
44% of respondents to this survey admit to reusing passwords across personal and work accounts.
Strong passwords are at least eight characters long (preferably more) and consist of random strings of letters, numerals, and special characters. Passwords should never include dictionary words, which are easy to guess, or personal details, which cybercriminals can scrape off social media channels.
- 37% of respondents to the survey said they’ve used their employer’s name as part of their work-related passwords
- 34% have used their significant other’s name or birthday
- 31% have used their child’s name or birthday
Never share work-related passwords with unauthorized parties. Work passwords are confidential business information that employees should never share with anyone outside the organization, not even their spouses. Survey says:
- 14% of remote workers have shared work-related passwords with a spouse or significant other.
- 11% have shared them with other family members.
Store your passwords securely. The survey says that is not happening…
- 57% of respondents write down their passwords on sticky notes.
- 62% write down their passwords in a notebook or journal, which anyone else living in or visiting the home can access.
- 49% store their passwords in a document saved in the cloud,
- 51% use a document stored locally on their computer, and
- 55% save them on their phone.
Because these aren’t encrypted, if a cybercriminal breaches the cloud drive, computer, or mobile phone, they can open the employee’s password file.
So what’s the upshot for you? Passwords have their limitations, but are always best served with another authentication component, hence 2FA or two-factor authentication. Try to use it in addition to these tips wherever it is available! The following is the best equation for security:
You = Username + Something you know = password + Something you have = authentication code or physical key (like a Yubikey).
UK/CH: Telegram Encryption Vulnerabilities
About the research: The researchers are an international team from the UK and Switzerland. Martin Albrecht and Lenka Mareková work at the University of London; Kenny Paterson and Igors Stepanovs at ETH Zurich.
They note that Telegram uses a proprietary encryption protocol (MTProto) that has not been very well studied by cryptographers. This is despite the fact that Telegram is popular with “higher-risk users” like activists and protesters. As the researchers put it, even though so many people around the world depend on it, “the security that Telegram offers is not well understood”.
Telegram does offer an end-to-end encrypted (E2EE) chat feature, but the researchers chose to focus on the encryption used in the platform’s “cloud chats”. Cloud chats are encrypted between users and Telegram’s servers but are not encrypted end-to-end. Significantly, Telegram’s default for individual chats is cloud chat, not E2EE chat. In addition, there is no E2EE option when using the app’s group chat functionality.
- A flaw that could allow an attacker to alter the order of messages sent from a user to Telegram’s servers (and thus to change the order of the messages as they would appear to a chat participant on the receiving end).
- A flaw that could allow an attacker to send maliciously crafted messages to a target and theoretically produce a “leak” of unencrypted message data if certain other conditions were met.
- A flaw that could allow an attacker to pretend to be a legitimate Telegram server, thus completely undermining the privacy and security of the chat.
The flaws were reported to Telegram and fixed in version 7.8.1 for Android, 7.8.3 for iOS, and 2.8.8 for desktops.
So what’s the upshot for you? If you use Telegram, make sure you are running the latest version, or simply switch to Signal for an altogether better understood secure messaging app.
US: Cyber Threats in the Food Industry
According to John Hoffman, a senior research fellow at the Food Protection and Defense Institute (FPDI) at the University of Minnesota, many food companies’ computer systems are vulnerable. “If you go to factory floors around this country, you’re going to find a wide range of outdated software still being used, and computer devices that aren’t secure,” he says.
He recalls a visit to one plant a few years ago — he won’t say which company — where he noticed a supervisor sitting at a computer on the production floor, monitoring operations. Hoffman could see it was running Windows 98. He asked the plant manager and a top executive of the company, who were giving him the tour, whether the computer was connected to the internet. "And they said, ‘Oh, no, no. This isn’t connected to the internet.’ "
Hoffman then talked to the supervisor on duty, who acknowledged he could log into that computer from home to monitor and control equipment in the plant.
Today, hackers have recognized the power of taking over control of technology systems that support food processing and manufacturing. A 2019 research report from the FPDI revealed security concerns that threaten this industry. Transnational criminal organizations commit large-scale food-related crimes, such as counterfeiting, smuggling, theft and resale, and economically motivated adulteration. In most cases, the illegal activities take on a cyber-nature because of numerous vulnerabilities introduced in the sector due to recent advances in technology.
In one incident, a malicious actor turned the fan off to suffocate chickens on a farm on Brewer Road, South Carolina. On the same night, hackers sabotaged control systems for three other farms, resulting in the death of more than 300,000 birds, in what appears to be the largest crime against industrial poultry farms.
The food processing and manufacturing industry has become a target of cybercrime because of the sector’s undue reliance on outdated and unpatched industrial control systems at processing plants. In many food processing plants, the hardware and software deployed to run the equipment were developed and implemented in the 1990s and 2000s. Furthermore, many of the ICS components have hard-coded passwords, making them highly vulnerable to cybercriminals.
So what’s the upshot for you? As you lose your appetite, you realize that PC technology has permeated into areas of production that we never expected, and hot on its heels are those that would find any gap in the security of those systems.
Outer Space: We figured out why the food is so bad on the International Space Station… for now.
When we imagine great cruise ships (think the Titanic) and seagoing voyages of discovery, there were cooks, porters, medics, and all sorts of other support staff. But on the great skyward voyages of our time, you find none of that just now.
Today, it costs roughly $10,000 to put one pound into orbit. If you pick a weight of 180 pounds for a space cook (and a good cook as to be a little portly), that means it would cost $1.8 million to get your cook into orbit. Add in food, clothes, and all the other material required to support a human, and it starts to be an awful lot of money for an astronaut to get a decent meal.
The cost of putting people and things into orbit means that everything that goes into the payload section of a rocket has to be directly tied to the mission at hand. On modern space flights, there are no cooks because the astronauts – typically highly trained test pilots, Ph.D. scientists, and engineers, have multiple talents that are rolled into highly skilled packages that prepare their own food. They also straighten up after themselves, clear any sanitation issues, and act as mechanics for the craft when something goes wrong.
So what’s the upshot for you? With both Sir Branson and the Bezos brothers successfully completing their space hops within the last 10 days, and the continuously falling prices of lifting things into orbit, we think it’s a safe bet that you will be able to get a decent meal during your honeymoon on Mars!
Well, that’s all for this week. We’ll be back soon to slake your appetite with another fine serving of IT Privacy and Security!
In the meantime, be kind, stay safe, stay secure, and always observe proper etiquette!
See you in Se7en!