Eileen Gu and the IT Privacy and Security Weekly Update for February 15th, 2022


This week we start and end with Gu in an unabashed attempt to have this update returned in at least fifteen million search queries.

In between the Gu at the beginning and the end, we Freeski through TikTok, pull a reverse 1440 to strange noises from cars, do a left side 1080 for Facebook, before ending with a double cork 1620 with a safety grab.

Yes, this is the greatest IT Privacy and Security update yet, and yes, we have all the freshest stories and tricks for you from this winter’s games.

So, skis waxed, goggles on, boots fastened, poles back, ready, set, go!

CN: Eileen Gu Boasts How Easy It Is To Dodge China Social Media Censors; Post Vanishes

California-born skier Eileen Gu, who won Olympic gold for China (her mum is Chinese and she has traveled extensively between the US and China through her lifetime), gushed on Instagram about the ease of ducking social media censorship in her adopted nation. Then her post vanished, apparently a result of censorship.

Gu’s chirpy Instagram posts during the Olympics have touched off furious debate in China, where the government blocks Instagram, as well as Google, Facebook, Twitter, and WhatsApp, in its so-called Great Firewall.

“Why can you use Instagram and millions of Chinese people from the mainland cannot?” an angry follower asked Gu last week in a post.

Gu seemed surprised by the question, suggesting it was simple to skirt restrictions by using a VPN — Virtual Private Network — which can slip past internet surveillance.

“Anyone can download a VPN it’s literally free on the App Store,” Gu wrote, according to a screenshot of the conversation that has since vanished.

“Literally, I’m not ‘anyone.’ Literally, it’s illegal for me to use a VPN. Literally, it’s not f**king free at all,” one Weibo user complained, referring to fees required when someone in China manages to obtain a VPN.

So what’s the upshot for you? The Taiwan News quipped that Gu had her “Marie Antoinette moment,” revealing her cluelessness about what most Chinese people deal with.

Gu could not be reached for comment.

…A word in her defense: after graduating a year early from her San Francisco high school and achieving a near-perfect SAT score (an astounding 1580 out of a possible 1600), she was accepted by Stanford University, where she studies/will study Physics.

Global: TikTok shares your data more than any other social media app — and it’s unclear where it goes, study says

Two of your social media apps could be collecting a lot of data on you — and you might not like what one of them is doing with it.

That’s according to a recent study, published last month by mobile marketing company URL Genius, which found that YouTube and TikTok track users’ personal data more than any other social media apps.

The study found that YouTube, which is owned by Google, mostly collects your personal data for its own purposes — like tracking your online search history, or even your location, to serve you relevant ads. But TikTok, which is owned by Chinese tech giant ByteDance, mostly allows third-party trackers to collect your data — and from there, it’s hard to say what happens with it.

With third-party trackers, it’s essentially impossible to know who’s tracking your data or what information they’re collecting, from which posts you interact with — and how long you spend on each one — to your physical location and any other personal information you share with the app.

As the study noted, third-party trackers can track your activity on other sites even after you leave the app.

To conduct the study, URL Genius used the Record App Activity feature from Apple’s iOS to count how many different domains track a user’s activity across 10 different social media apps — YouTube, TikTok, Twitter, Telegram, LinkedIn, Instagram, Facebook, Snapchat, Messenger, and WhatsApp — over the course of one visit, before you even log into your account.

YouTube and TikTok topped the other apps with 14 network contacts apiece, significantly higher than the study’s average number of six network contacts per app. Those numbers are all probably higher for users who are logged into accounts on those apps, the study noted.

Ten of YouTube’s trackers were first-party network contacts, meaning the platform was tracking user activity for its own purposes. Four of the contacts were from third-party domains, meaning the social platform was allowing a handful of mystery outside parties to collect information and track user activity.

For TikTok, the results were even more mysterious: 13 of the 14 network contacts on the popular social media app were from third parties. The third-party tracking still happened even when users didn’t opt into allowing tracking in each app’s settings, according to the study.

TikTok tracks user data, including your location, search history, IP address, the videos you watch, and how long you spend watching them. According to that guide, TikTok can “infer” personal characteristics from your age range to your gender based on the other information it collects. Google and other sites do the same thing, a practice called “inferred demographics.”

TikTok’s privacy policy states that the app can share user data with its Chinese parent company.

So what’s the upshot for you? The more concerning aspect of this data collection is the age of the typical TikTok user. Typically there are higher protections for children, but in this case, the regulations appear to be skirted.
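The study’s method is essentially a count of distinct domains each app contacted, split into the app maker’s own domains and everybody else’s. The script below, an added example that is not URL Genius’s or Apple’s code, reproduces that split over a handful of constructed records shaped loosely like an App Privacy Report export (the field names `bundleID`, `domain` and `type` are a simplification, not Apple’s schema), using a constructed table of which registrable domains each fictional app owns:

```python
# Added example: first-party vs third-party network contacts per app.
# Records and domain ownership are constructed for the example.
import json
from collections import defaultdict

SAMPLE_RECORDS = """
{"bundleID": "com.example.videoapp", "domain": "api.videoapp.example", "type": "networkActivity"}
{"bundleID": "com.example.videoapp", "domain": "cdn.videoapp.example", "type": "networkActivity"}
{"bundleID": "com.example.videoapp", "domain": "metrics.adnet.example", "type": "networkActivity"}
{"bundleID": "com.example.videoapp", "domain": "api.videoapp.example", "type": "networkActivity"}
{"bundleID": "com.example.clipapp", "domain": "www.clipapp.example", "type": "networkActivity"}
{"bundleID": "com.example.clipapp", "domain": "t.tracker-one.example", "type": "networkActivity"}
{"bundleID": "com.example.clipapp", "domain": "px.tracker-two.example", "type": "networkActivity"}
{"bundleID": "com.example.clipapp", "domain": "sdk.adnet.example", "type": "networkActivity"}
{"bundleID": "com.example.clipapp", "domain": "news.site.example", "type": "websiteActivity"}
"""

# Registrable domains each (fictional) app vendor owns. In a real review this
# table comes from the vendor's privacy policy and WHOIS data, not from the report.
FIRST_PARTY = {
    "com.example.videoapp": {"videoapp.example"},
    "com.example.clipapp": {"clipapp.example"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a production tool should
    consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_contacts(text: str) -> dict:
    """Return {bundleID: {"first": n, "third": n}} counting DISTINCT domains,
    which is what the study counted ("how many different domains")."""
    seen = defaultdict(lambda: {"first": set(), "third": set()})
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("type") != "networkActivity":   # ignore in-app browser history
            continue
        app, domain = rec["bundleID"], rec["domain"]
        owned = FIRST_PARTY.get(app, set())
        bucket = "first" if registrable_domain(domain) in owned else "third"
        seen[app][bucket].add(domain)
    return {app: {k: len(v) for k, v in d.items()} for app, d in seen.items()}


def third_party_domains(text: str) -> dict:
    """The part the study could not answer: who are the third parties?"""
    out = defaultdict(set)
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("type") != "networkActivity":
            continue
        app, domain = rec["bundleID"], rec["domain"]
        if registrable_domain(domain) not in FIRST_PARTY.get(app, set()):
            out[app].add(domain)
    return {app: sorted(v) for app, v in out.items()}


if __name__ == "__main__":
    for app, counts in classify_contacts(SAMPLE_RECORDS).items():
        print(app, counts, third_party_domains(SAMPLE_RECORDS).get(app, []))
```

Distinct domains are counted rather than requests, because one app can hit the same analytics endpoint dozens of times in a single session; the ratio of third-party to first-party domains is what distinguishes the two patterns the study describes.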

US: Radio station snafu in Seattle bricks a bunch of Mazda infotainment systems

The problem began on January 30 and afflicted Mazdas from model years 2014 to 2017 when the cars were tuned to the local NPR station, KUOW 94.9.

At some point during the day’s broadcast, a signal from KUOW caused the Mazdas’ infotainment systems to crash—the screens died and the radios were stuck on 94.9 FM.

From there, the infotainment systems became trapped in a rebooting loop, never successfully completing the task. When afflicted owners took their cars to be checked at local Mazda dealers, they were told that the “connectivity master unit” was dead and needed to be replaced.

The problem, according to Mazda, was that the radio station sent out image files in its HD Radio stream that did not have “extensions,” and it seems that Mazda’s infotainment system of that generation relies on the file extension (rather than the file header) to tell what a file is. No extension, no idea, and the system gets corrupted.

The snag? A new CMU costs $1,500—if you can find one, which you can’t, because of supply chain problems.

So what’s the upshot for you? Apparently if the infotainment system is stuck in a boot loop there likely isn’t any way for dealers to erase or update the firmware on it, as the updater likely requires the system to be running.

So maybe not technically bricked, but for all useful purposes, these can’t be field repaired.
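The failure mode above is a classic one: trusting a file name to say what the bytes are. The script below, an added example and not Mazda’s or KUOW’s code, shows the robust alternative for an image-carrying stream like an HD Radio station logo: identify the payload by its header bytes, treat the extension only as a hint that must agree, and reject anything unrecognised before it reaches a decoder. The sample payloads are constructed; the magic numbers are the published signatures of PNG, JPEG and GIF.

```python
# Added example: header-based file-type identification with graceful rejection.
from typing import Optional, List, Tuple

# Published magic numbers for the formats a station-logo stream would plausibly carry.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
EXT_TO_KIND = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def type_from_extension(name: str) -> Optional[str]:
    """The fragile approach: guess from the file name. None when there is no extension."""
    if "." not in name:
        return None
    return EXT_TO_KIND.get(name.rsplit(".", 1)[1].lower())


def type_from_header(data: bytes) -> Optional[str]:
    """The robust approach: the first bytes decide. None when nothing matches."""
    for kind, signature in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def classify(name: str, data: bytes) -> Tuple[str, Optional[str]]:
    """Return ("accept", kind) or ("reject", kind_or_None).

    A missing extension is not an error: the header still identifies the file.
    An extension that contradicts the header is treated as suspicious and rejected,
    and unknown bytes are never handed to a decoder."""
    header_kind = type_from_header(data)
    if header_kind is None:
        return ("reject", None)
    ext_kind = type_from_extension(name)
    if ext_kind is not None and ext_kind != header_kind:
        return ("reject", header_kind)
    return ("accept", header_kind)


def process_stream(files: List[Tuple[str, bytes]]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify every (name, bytes) pair; a bad file skips, it does not crash the loop."""
    return [(name, *classify(name, data)) for name, data in files]


# Constructed sample payloads (headers only; no real images).
SAMPLE_FILES = [
    ("logo.png", MAGIC["png"] + b"\x00" * 16),   # well-formed
    ("logo", MAGIC["jpeg"] + b"\x00" * 16),      # no extension: still identifiable
    ("logo.jpg", MAGIC["png"] + b"\x00" * 16),   # extension lies about the content
    ("logo", b"\x00\x01\x02\x03" + b"\x00" * 16),  # junk: must be rejected, not decoded
]

if __name__ == "__main__":
    for name, verdict, kind in process_stream(SAMPLE_FILES):
        print(f"{name!r:12} {verdict:7} {kind}")
```

The second sample is the KUOW case: no extension, but perfectly identifiable. The fourth is the one that matters for robustness: whatever a broadcast sends, the receiver’s answer is a rejected file, not a reboot loop.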

US: Musk blames ‘fun police’ for recall of feature that makes fart and goat noises

Tesla is recalling over 500,000 vehicles in the United States due to its Boombox feature, a 2020 update that allows drivers to play sounds such as a bleating goat or a fart noise outside the vehicle.

The Boombox feature allowed drivers to play preset or custom sounds from an external speaker while the vehicle is moving.

The National Highway Traffic Safety Administration said the Boombox feature may hinder pedestrians’ ability to hear a mandatory warning sound, increasing the risk of a crash.

The pedestrian warnings are required in all-electric and hybrid vehicles, the NHTSA said, because EVs are quieter than cars with internal combustion engines.

So what’s the upshot for you? The affected vehicles are the 2020-2022 Model S, Model X, Model Y, and certain 2017-22 Model 3s. Tesla’s driver-assist system Autopilot and its in-vehicle video game feature have also been under NHTSA scrutiny.

Global: Microsoft Defender will soon block Windows password theft

When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits.

One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows.

This memory dump contains NTLM hashes of the Windows credentials of users who had logged into the computer; these can be brute-forced into clear-text passwords or used in Pass-the-Hash attacks to log in to other devices. While Microsoft Defender blocks programs like Mimikatz, an LSASS memory dump can still be transferred to a remote computer and have its credentials extracted there without fear of being blocked.

To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process.

One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it.

However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it.
As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default.

The rule, ‘Block credential stealing from the Windows local security authority subsystem,’ prevents processes from opening the LSASS process and dumping its memory, even if the requesting process has administrative privileges.

While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means.

This is because the full Attack Surface Reduction (ASR) feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. (However, early tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients.)

So what’s the upshot for you? Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the Windows device. So the choice is yours. Go with Windows Defender and get this added protection, or move to another AV that kills it off. Hmmnnn…
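Once the rule is on, the useful question for a defender is whether it is actually stopping anything, and whether it is running in block mode or merely auditing. Defender writes ASR hits to its Operational event log as event 1121 (rule fired in block mode) and 1122 (rule fired in audit mode), each carrying the rule’s GUID; the LSASS rule’s published id is 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. The script below is an added example, not Microsoft’s code: it summarises a few constructed, simplified event records (the field names `event_id`, `rule_id`, `process`, `target` and `user` are this example’s flattening of the event data, not the log’s XML schema) and flags the case where the rule saw an LSASS access but only audited it.

```python
# Added example: summarise Defender ASR events for the LSASS rule.
# Event records are constructed and simplified for the example.
import json
from collections import Counter

LSASS_RULE_ID = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"  # published id of the LSASS ASR rule
ASR_BLOCK = 1121   # Defender Operational log: ASR rule fired in block mode
ASR_AUDIT = 1122   # Defender Operational log: ASR rule fired in audit mode

SAMPLE_EVENTS = r"""
{"event_id": 1121, "rule_id": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "process": "C:\\Temp\\dumper.exe", "target": "C:\\Windows\\System32\\lsass.exe", "user": "CORP\\alice"}
{"event_id": 1121, "rule_id": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "process": "C:\\Temp\\dumper.exe", "target": "C:\\Windows\\System32\\lsass.exe", "user": "CORP\\alice"}
{"event_id": 1122, "rule_id": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "process": "C:\\Tools\\agent-helper.exe", "target": "C:\\Windows\\System32\\lsass.exe", "user": "CORP\\bob"}
{"event_id": 1121, "rule_id": "00000000-0000-0000-0000-000000000000", "process": "C:\\Users\\carol\\doc.exe", "target": "C:\\Users\\carol\\macro.docm", "user": "CORP\\carol"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line, as an export or SIEM forwarder might emit."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def lsass_rule_summary(events: list) -> dict:
    """Count block/audit hits of the LSASS rule only, and who triggered them."""
    summary = {"blocked": 0, "audited": 0, "by_process": Counter(), "by_user": Counter()}
    for ev in events:
        if ev.get("rule_id", "").lower() != LSASS_RULE_ID:
            continue                       # some other ASR rule; out of scope here
        if ev.get("event_id") == ASR_BLOCK:
            summary["blocked"] += 1
        elif ev.get("event_id") == ASR_AUDIT:
            summary["audited"] += 1
        else:
            continue
        summary["by_process"][ev["process"]] += 1
        summary["by_user"][ev["user"]] += 1
    return summary


def enforcement_gap(summary: dict) -> bool:
    """True when the rule observed an LSASS access but did not stop it.
    Audit hits are the signal that the rule is configured for audit, not block."""
    return summary["audited"] > 0


if __name__ == "__main__":
    s = lsass_rule_summary(parse_events(SAMPLE_EVENTS))
    print(f"blocked={s['blocked']} audited={s['audited']}")
    for proc, n in s["by_process"].most_common():
        print(f"  {n:3}  {proc}")
    if enforcement_gap(s):
        print("LSASS rule is auditing, not blocking: enforcement gap")
```

Two things fall out of the summary that the raw log does not show at a glance: repeat offenders by process (the same dumper run twice by one user is a different conversation from one-off noise from a legitimate agent), and the audit-versus-block distinction, which is the first thing to check when the rule has been “enabled” but credentials still leak.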

US: Does a $3.6B Bitcoin Seizure Prove How Hard It Is to Launder Crypto?


What’s the lesson after $3.6 billion in stolen bitcoin was seized by America’s Justice Department from the couple accused of laundering it?

In the hours since, the cybersecurity world has ruthlessly mocked their operational security screwups: Lichtenstein allegedly stored many of the private keys controlling those funds in a cloud-storage wallet that made them easy to seize, and Morgan flaunted her “self-made” wealth in a series of cringe-inducing rap videos on YouTube and Forbes columns. But those gaffes have obscured the remarkable number of multi-layered technical measures that prosecutors say the couple did use to try to dead-end the trail for anyone following their money.

Even more remarkable, perhaps, is that federal agents, led by IRS Criminal Investigations, managed to defeat those alleged attempts at financial anonymity on the way to recouping $3.6 billion of stolen cryptocurrency.

In doing so, they demonstrated just how advanced cryptocurrency tracing has become — potentially even for coins once believed to be practically untraceable.

Ari Redbord, the head of legal and government affairs for TRM Labs, a cryptocurrency tracing and forensics firm…points to the couple’s alleged use of “chain-hopping” — transferring funds from one cryptocurrency to another to make them more difficult to follow — including exchanging bitcoins for “privacy coins” like monero and dash, both designed to foil blockchain analysis.

Court documents say the couple also allegedly moved their money through the Alphabay dark web market — the biggest of its kind at the time — in an attempt to stymie detectives…Lichtenstein and Morgan appear to have intended to use Alphabay as a “mixer” or “tumbler,” a cryptocurrency service that takes in a user’s coins and returns different ones to prevent blockchain tracing…

In July 2017, however — six months after the IRS says Lichtenstein moved a portion of the Bitfinex coins into AlphaBay wallets — the FBI, DEA, and Thai police arrested AlphaBay’s administrator and seized its server in a data center in Lithuania.

That server seizure isn’t mentioned in the IRS’s statement of facts. But the data on that server likely would have allowed investigators to reconstruct the movement of funds through AlphaBay’s wallets and identify Lichtenstein’s withdrawals to pick up their trail again, says Tom Robinson, a co-founder of the cryptocurrency tracing firm Elliptic.

The arrests and “largest financial seizure ever” show that cryptocurrency is “not a safe haven for criminals…It may take a while, but thanks to the meticulous work of law enforcement the department once again showed how it can and will follow the money, no matter what form it takes.”

So what’s the upshot for you? The message to the Lichtensteins and Morgans of the world: even if your rap videos and sloppy cloud storage accounts don’t get you caught, your clever laundering tricks may still not save you from the ever-evolving sophistication of law enforcement’s crypto-tracers.

Global: "Facebook said it would be different this time."

To test Meta’s Horizon World (their new social VR platform), BuzzFeed News created an area that was “filled with content banned from Facebook and Instagram.”

“Content moderators said the world was fine — until we told Meta’s PR team about it.”

Meta has kept secret much of how it plans to enforce its safety protocols in VR, declining to answer detailed questions about them…

Instead, Meta spokesperson Johanna Peace provided BuzzFeed News a short statement: “We’re focused on giving people more control over their VR experiences through safety tools like the ability to report and block others. We’re also providing developers with further tools to moderate the experiences they create, and we’re still exploring the best use of AI for moderation in VR. We remain guided by our Responsible Innovation Principles to ensure privacy, security, and safety are built into these experiences from the start…”

We went back and asked again for Meta to consider our questions. The company declined.

So, to find out what we could on our own, we strapped on some Oculus headsets, opened Horizon Worlds, and ran a rudimentary experiment.

In a matter of hours, we built a private Horizon World festooned with massive misinformation slogans… We called the world “The Qniverse,” and we gave it a soundtrack: an endless loop of Infowars founder Alex Jones calling Joe Biden a pedophile and claiming the election was rigged by reptilian overlords.

We filled the skies with words and phrases that Meta has explicitly promised to remove from Facebook and Instagram… Time and time again, Meta has removed and taken action on pages and groups, even private ones, that use these phrases…

We kept the world “unpublished” — i.e., invitation only — to prevent unsuspecting users from happening upon it, and to mimic the way some Meta users seeking to share misinformation might actually do so: in private, invitation-only spaces.

The purpose of our test was to assess whether the content moderation systems that operate on Facebook and Instagram also operate on Horizon.

At least in our case, it appears they did not…

Using Horizon’s user reporting function, a BuzzFeed News employee with access to the world used his own name and a linked Facebook account to flag the world to Meta. After more than 48 hours and no action, the employee reported the world again, followed quickly by another report from a different BuzzFeed News user with access to the world who also used her real name, which was linked to her Facebook and Oculus profiles.

Roughly four hours after the third report was filed, the employee who submitted it received a response from Meta: “Our trained safety specialist reviewed your report and determined that the content in the Qniverse doesn’t violate our Content in VR Policy.”

Six hours after that, the original reporter received the same message…

We went to Meta’s comms department, a channel not available to ordinary people.

We asked about its content moderators’ decisions: How could a world that shares misinformation that Meta has removed from its other platforms, under the same Community Guidelines, not violate Horizon’s policies?

The following afternoon, the experimental world disappeared. The company had reversed its original ruling…

The article pinpoints the dilemma Meta is facing at this virtual crossroads. If users congregate to share harmful misinformation, “Without recording everything users say in VR, how can Meta know whether such a situation is happening? But recording everything users say and do, even in private groups, raises stark privacy questions.” Yet the article also remembers what Mark Zuckerberg promised the day he’d announced the company’s rebranding to Meta.

“Facebook said it would be different this time.”

So what’s the upshot for you? “If we’re trying to make a metaverse for all people, we’d better be ready for all types of people.”

CA: “Freedom Convoy” sensitive donor information is still up for grabs.

GiveSendGo, the donation service being used by the Canadian trucker protest known as the “Freedom Convoy,” is still leaking sensitive user data despite allegedly fixing the issue earlier this week.

Now, the journalistic collective DDoSecrets says it’s obtained files the site failed to secure, even after being alerted to the problem.

Last week TechCrunch reported that a security researcher had discovered an unsecured Amazon S3 bucket containing over 50 gigabytes of data. Files in the data cache included everything from scans of passports to drivers’ licenses.

The Freedom Convoy had recently begun using GiveSendGo after its GoFundMe account was shut down in response to allegations that members were engaging in violence and harassment on the streets of Canada.

Given the sensitivity of the data, DDoSecrets announced that it would only provide access to journalists and researchers. DDoSecrets said it was provided with at least 1,000 images it deemed to contain sensitive information.

So what’s the upshot for you? A security researcher had previously left a note in the company’s S3 bucket back in late 2018 in an attempt to alert the company to its security woes and poor configuration of its S3 bucket.

The Daily Dot reached out to GiveSendGo to inquire about the security issue and was told that previous reporting on the issue was “fake news.”

RU: Russian Cybercriminals Drive Significant Ransomware and Cryptocurrency-based Money Laundering Activity

Overall, roughly 74% of ransomware revenue in 2021 — over $400 million worth of cryptocurrency — went to strains we can say are highly likely to be affiliated with Russia in some way.

Blockchain analysis combined with web traffic data also tells us that after ransomware attacks take place, most of the extorted funds are laundered through services primarily catering to Russian users.

Russia is home to several cryptocurrency businesses that have processed substantial transaction volume from illicit addresses.

Interestingly, over half of the businesses have reportedly operated in the same Moscow City skyscraper: Federation Tower.

So what’s the upshot for you? Russian cybercriminal organizations are some of the biggest perpetrators of cryptocurrency-based crime — especially ransomware — and local cryptocurrency businesses provide money laundering services that enable this activity.

2021 saw positive momentum against this trend, from the seizure of funds from ransomware organization DarkSide to the sanctioning of Suex and Chatex. Let’s hope it continues.

Global: Member of ISOC? Oops!

The Internet Society (ISOC) is one of the oldest and most important international non-profit organizations related to the internet, but, despite its prestigious reputation, the personal details of its members were found to have been exposed in a recent data security breach.

“The open and unprotected Microsoft Azure blob repository contained personal and login details belonging to tens of thousands of ISOC members and potentially putting their privacy at risk.”

The blob container named “ISOC” contained millions of JSON files that were structured to include the following: login, password hash, isActive / Visible flags, accountID, social media tokens (if used to log in): LinkedIn/Google/Facebook/Twitter, join date, preferredLanguage, email, address (with zip and coordinates), gender, full name, total donation account (amount).

So what’s the upshot for you? They notified all members who had been affected and had the firm that had performed the misconfiguration do the remediation, but the negative reputational and financial impact still lies with the ISOC.
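The GiveSendGo story above and this ISOC one are the same mistake on two clouds: a storage container reachable without any credentials. The check that catches both is a review of the container’s access settings, which is cheap to automate. The script below is an added example, not GiveSendGo’s, ISOC’s, AWS’s or Microsoft’s code; it evaluates constructed bucket settings offline (the S3 ACL, bucket-policy and Public Access Block shapes mirror what the AWS API returns, and the Azure container’s `public_access` value is the `None`/`"blob"`/`"container"` setting, simplified to a plain dict) and reports every way anonymous users could read the data.

```python
# Added example: detect anonymous-read exposure on S3 and Azure Blob containers.
# All settings below are constructed sample data, not real buckets.
from typing import List

# Grantee URIs that mean "anyone" (AuthenticatedUsers = anyone with ANY AWS account).
PUBLIC_S3_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def s3_acl_findings(grants: list) -> List[str]:
    out = []
    for g in grants:
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_S3_GRANTEES:
            out.append(f"ACL grants {g['Permission']} to {uri.rsplit('/', 1)[1]}")
    return out


def _principal_is_everyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def s3_policy_findings(policy: dict) -> List[str]:
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        note = " (has Condition: review it)" if st.get("Condition") else ""
        out.append(f"policy allows {', '.join(actions)} to everyone{note}")
    return out


def s3_public_access_block_findings(pab: dict) -> List[str]:
    """Public Access Block is the account/bucket-level override; any False flag
    means the ACL and policy findings above are live rather than neutralised."""
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    return [f"Public Access Block not enforcing: {', '.join(missing)}"] if missing else []


def assess_s3_bucket(acl_grants: list, policy: dict, pab: dict) -> List[str]:
    return (s3_acl_findings(acl_grants)
            + s3_policy_findings(policy)
            + s3_public_access_block_findings(pab))


def assess_azure_container(container: dict) -> List[str]:
    """public_access: None (private), "blob" (anonymous read by URL) or
    "container" (anonymous read AND listing, which is how a whole archive walks out)."""
    level = container.get("public_access")
    if level == "container":
        return ["anonymous users can list and read every blob"]
    if level == "blob":
        return ["anonymous users can read any blob whose URL they know"]
    return []


# Constructed sample settings: a leaky bucket next to a hardened one.
LEAKY_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-donor-uploads/*"}]}
PAB_OFF = {flag: False for flag in PAB_FLAGS}

OWNER_ONLY_ACL = [LEAKY_ACL[0]]
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
PAB_ON = {flag: True for flag in PAB_FLAGS}

LEAKY_CONTAINER = {"name": "members-export-placeholder", "public_access": "container"}

if __name__ == "__main__":
    for f in assess_s3_bucket(LEAKY_ACL, LEAKY_POLICY, PAB_OFF):
        print("S3:   ", f)
    for f in assess_azure_container(LEAKY_CONTAINER):
        print("Azure:", f)
    print("hardened S3 findings:", assess_s3_bucket(OWNER_ONLY_ACL, EMPTY_POLICY, PAB_ON))
```

Feeding real settings in is a matter of pulling the ACL, policy and Public Access Block for each bucket (or the container properties for each Azure storage account) and passing them through; the point of keeping the evaluation separate from the API calls is that it can run in CI against exported configuration before anything is deployed.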

Global: Hackers Rigged Hundreds of Ecommerce Sites to Steal Payment Info

The attackers exploited a known vulnerability and installed credit card skimmers on more than 500 websites.

Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com. Attackers abused a (known) leak in the Quickview plugin. While this is typically abused to inject rogue Magento admin users, in this case, the attacker used the flaw to run code directly on the server.

“The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form,” firm researchers wrote on Twitter. “Payments are sent to https://naturalfreshmall[.]com/payment/Payment.php.”

The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable content management system that allowed the site to be hacked in the first place.

The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plug-in known as Quickview. The exploits allowed the attackers to execute malicious code directly on the webserver.

Magecart definition
Magecart is a type of fraud where transaction data is intercepted during the checkout of an online store. Magecart is also known as digital skimming, e-skimming, or form jacking.
Magecart does not refer to a particular criminal organization, as some media suggest. There simply isn’t a single actor or group responsible for this fraud.

How does Magecart work?
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.

In short: hackers gain access to a store’s source code using unpatched software flaws in various popular e-commerce software. Once a store is under the control of a perpetrator, a wiretap or keylogger is installed that funnels live payment data to a collection server. This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for $5 to $30 each.

So what’s the upshot for you? Note: While the Magento 1 platform has been declared End-Of-Life by Adobe, thousands of professional merchants are still using it. Adobe does not provide security patches anymore so monitoring for malware is vital. Also, there are community-provided patches available for Magento 1. Either open-source via “OpenMage” or with commercial support via “Mage-One”.
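Every Magecart variant described above ends the same way: the checkout page loads code from, or sends data to, a host the merchant never chose. That is something a merchant can check for from the outside without touching the server. The script below is an added example, not Sansec’s code: it parses a constructed checkout page and reports every script source, form action, iframe and inline-script URL whose host is outside a trusted allowlist. The sample page uses the skimmer host reported on this page as the off-site reference; the store hosts (`shop.example`, `cdn.shop.example`) are constructed.

```python
# Added example: flag off-site code and data destinations on a checkout page.
# Sample HTML and trusted hosts are constructed for the example.
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class CheckoutRefCollector(HTMLParser):
    """Collect every place the page can load code from or send data to."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.refs.append(("script-src", a["src"]))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form-action", a["action"]))
        elif tag == "iframe" and a.get("src"):
            self.refs.append(("iframe-src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                     # URLs baked into inline JavaScript
            for url in URL_RE.findall(data):
                self.refs.append(("inline-script-url", url))


def audit_checkout_page(html: str, trusted_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (kind, host) for every reference to a host outside the allowlist.
    Relative URLs resolve to the store's own origin and are not reported."""
    parser = CheckoutRefCollector()
    parser.feed(html)
    findings = []
    for kind, url in parser.refs:
        host = urlparse(url).hostname
        if host is None or host in trusted_hosts:
            continue
        findings.append((kind, host))
    return findings


# Constructed checkout page: a legitimate CDN next to an injected off-site script
# and an inline reference to the collection endpoint named in the report.
SAMPLE_PAGE = """
<html><body>
<form id="checkout" action="/checkout/submit" method="post"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://naturalfreshmall.com/js/quickview.js"></script>
<script>
  var paymentEndpoint = "https://naturalfreshmall.com/payment/Payment.php";
</script>
</body></html>
"""
TRUSTED_HOSTS = {"shop.example", "cdn.shop.example"}

if __name__ == "__main__":
    for kind, host in audit_checkout_page(SAMPLE_PAGE, TRUSTED_HOSTS):
        print(f"{kind:18} {host}")
```

Run against the live checkout page on a schedule, the allowlist is the merchant’s own content-security policy written as a test: anything that shows up in the findings is either a new legitimate vendor to add, or exactly the kind of injection this story describes. It will not see a skimmer that is assembled at runtime from obfuscated strings, which is why a `script-src` CSP on the checkout page, enforced by the browser rather than checked after the fact, is the complementary control.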

Global: YouTube’s Olympics Highlights Are Riddled With Propaganda

Sports fans who tuned in to watch the Beijing Winter Olympics on YouTube are instead being served propaganda videos.

An analysis of YouTube search results by WIRED found that people who typed “Beijing,” “Beijing 2022,” “Olympics,” or “Olympics 2022” were shown pro-China and anti-China propaganda videos in the top results.

Five of the most prominent propaganda videos, which often appear above actual Olympics highlights, have amassed almost 900,000 views.

This flurry of propaganda videos was first spotted earlier this month by John Scott-Railton, a researcher at the University of Toronto’s research laboratory, Citizen Lab.

On February 5, Scott-Railton found that after he’d watched skating and curling videos, YouTube automatically played a video by a pro-China YouTube account.

One YouTuber thinks it’s keywords that start a video trending: “The reason that my video is showing up frequently is because ‘Eileen Gu’ is a trending topic. One of the key things about being a YouTuber is to find popular topics and publish the videos just as people start going to Google and type in that interesting topic.”

So what’s the upshot for you? If you were wondering why this week’s Podcast is called Eileen Gu and the Privacy and Security Weekly Update, it’s because we thought we’d test out that theory!

That’s enough Gu for this week.


Stay safe, stay secure, try to land in an upright position, and remember that even maintaining privacy and security takes practice (and that the fails can be epic).

Watch for us on the podcast podium and see you in se7en!