Fines, Miracles and the IT Privacy and Security Weekly Update for the Week ending September 20th 2022


This week we start out fine but falter somewhat when we hear how many healthcare facilities have been breached in the first six months of 2022.

Spirits lift with an Uber joke and the reassurance that if you lose your phone but are one of ten thousand lucky travelers across, around, and near, US borders each year, Uncle Sam might just have a full backup of it.

We hear how one guy who ran a farm has become a victim of hackers, and this time we hope he suffers a good crop rotation.

There is a new data protection bill from the world’s fourth largest country… And we’re betting you can’t guess its name.

Finally, we end up asleep. Dare we say that for new parents this calculated bit of privacy might just be the best algorithm we’ve ever shared?

Keep it on the down low, but “Ooooh Baby” have we got an IT Privacy and Security Weekly Update for you!

EU: Google loses appeal against record $4 billion EU fine

Google (GOOGL) suffered one of its biggest setbacks on Wednesday when a top European court upheld a 4.125 billion euro ($4.13 billion) antitrust fine for using its Android mobile operating system to thwart rivals, offering a precedent for other regulators to ratchet up the pressure.

“The General Court largely confirms the Commission’s decision that Google imposed unlawful restrictions on manufacturers of Android mobile devices and mobile network operators in order to consolidate the dominant position of its search engine,” the court said.

So what’s the upshot for you? The Commission in its 2018 decision said Google used Android to cement its dominance in general internet search through payments to, and restrictions on, large manufacturers and mobile network operators, and in the Commission’s view that is anti-competitive.

Global: Uber apparently hacked by teen, employees thought it was a joke

Uber is currently responding to what could be one of the worst breaches in the company’s history — all because of a few text messages.

Why it matters: The hacker who has claimed responsibility for the ongoing Uber breach is believed to have access to the company’s source code, email, and other internal systems — leaving employee, contractor, and customer data at risk.

The breach also comes as Uber’s former security chief stands trial for charges related to his handling of a 2016 data breach affecting 57 million Uber riders and drivers.

Uber employees on Thursday discovered that huge swaths of their internal network had been accessed by someone who announced the feat on the company Slack channel. The intruder, who sent screenshots documenting the breach to The New York Times and security researchers, claimed to be 18 years old and was unusually forthcoming about how it occurred and just how far it reached, according to the news outlet, which broke the story.

It didn’t take long for independent researchers, including Bill Demirkapi of Microsoft, to confirm The New York Times coverage and conclude that the intruder likely gained initial access by contacting an Uber employee over WhatsApp.

After obtaining the employee’s account password, the hacker tricked the employee into approving a push notification for multifactor authentication (a “push fatigue” attack: the prompts keep coming until one is accepted). The intruder then uncovered administrative credentials that gave access to some of Uber’s crown-jewel network resources. Uber responded by shutting down parts of its internal network while it investigates the extent of the breach.
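The chain described above (a password obtained by social engineering, then an MFA push the victim is talked into approving) leaves a recognizable trace in identity-provider logs: a burst of denied or timed-out push prompts for one account, followed by an approval. The script below is an added example, not Uber’s code or any vendor’s detection rule; the log format and the sample lines are constructed for the illustration, so adapt the regex to your IdP’s export.

```python
"""Detect MFA push-fatigue ("push bombing") in authentication logs.

Added example, not Uber's or any IdP vendor's code. The log format below is
invented for the illustration; adapt LINE_RE to your identity provider's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: repeated push prompts to one user, then an approval.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:01:41Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T22:02:15Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:03:02Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:09:30Z user=alice event=mfa_push result=approved src=203.0.113.7
2022-09-15T22:10:05Z user=bob event=mfa_push result=approved src=198.51.100.2
2022-09-15T23:40:00Z user=carol event=mfa_push result=denied src=192.0.2.9
2022-09-15T23:41:00Z user=carol event=mfa_push result=approved src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into (timestamp, user, result, source-ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated event types are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events


def find_push_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Return one alert per approval that was preceded, within `window`, by at
    least `min_prompts` denied or timed-out push prompts for the same user."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, result, src) in enumerate(evs):
            if result != "approved":
                continue
            earlier = [e for e in evs[:i]
                       if e[2] in ("denied", "timeout") and ts - e[0] <= window]
            if len(earlier) >= min_prompts:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "prior_prompts": len(earlier), "src": src})
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are assumptions to tune. An attacker who paces prompts slowly stays under the window, so treat this as a complement to number-matching or phishing-resistant (FIDO2) MFA, not a substitute for it.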

It’s not yet clear precisely what data the hacker had access to or what other actions the hacker took. Uber stores a dizzying array of data on its users, so it’s possible private addresses and the hourly comings and goings of hundreds of millions of people were accessible or accessed.

So what’s the upshot for you? A hacker first gained access to Uber’s systems on Thursday after sending a text message to an employee claiming to be an IT person and asking for their login credentials.

Securing an employee’s phone is hard when most people use the same device for personal and work purposes, and a personal messaging app like WhatsApp sits outside whatever filtering protects corporate email.

Targeting employees through phone-based phishing campaigns suggests hackers have found a good way to breach large organizations with layered and sophisticated cybersecurity practices.

Uber believes the attacker is affiliated with the Lapsus$ group, infamous for targeting Microsoft, Cisco, Samsung, Nvidia, Okta, and, just recently, Rockstar Games.

US: U.S. Health Sector Suffered 337 Healthcare Data Breaches in First Half of Year

The Healthcare Sector suffered at least 337 breaches in the first half of 2022 alone, impacting roughly 19 million records.

A majority of these breaches originated from third-party vendors, indicating that threat actors are shifting their tactics and finding success by targeting vendors rather than large healthcare systems directly.

The FBI also indicated that it received multiple reports of threat actors increasingly targeting healthcare payment processors to redirect victim payments.

Threat actors were observed compromising user login credentials of healthcare payment processors and diverting payments to accounts controlled by cybercriminals.

So what’s the upshot for you? Current reporting indicates that threat actors will continue targeting healthcare payment processors through a variety of techniques, from phishing campaigns and social engineering to spoofing support centers to obtain user access.

US: Customs officials have copied Americans’ phone data at Massive Scale

U.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database they’ve compiled from cellphones, iPads, and computers seized from travelers at the country’s airports, seaports, and border crossings, leaders of Customs and Border Protection told congressional staff in a briefing this summer.

The rapid expansion of the database and the ability of 2,700 CBP officers to access it without a warrant — two details not previously known about the database — have raised alarms in Congress about what use the government has made of the information, much of which is captured from people not suspected of any crime.

CBP officials told congressional staff the data is maintained for 15 years.

CBP’s inspection of people’s phones, laptops, tablets, and other electronic devices as they enter the country has long been a controversial practice that the agency has defended as a low-impact way to pursue possible security threats and determine an individual’s “intentions upon entry” into the U.S.

But the revelation that thousands of agents have access to a searchable database without public oversight is a new development in what privacy advocates and some lawmakers warn could be an infringement of Americans’ Fourth Amendment rights against unreasonable searches and seizures.

The database, known as the Automated Targeting System, is used “to further review, analyze, and assess information CBP obtained from electronic devices associated with individuals who are of a significant law enforcement, counterterrorism” or national security concern, the agency said.

Law enforcement agencies must show probable cause and persuade a judge to approve a search warrant before searching Americans’ phones. But courts have long granted an exception to border authorities, allowing them to search people’s devices without a warrant or suspicion of a crime.

So what’s the upshot for you? “It’s not just what you say or do that’s of interest to DHS, it’s what everybody you know says and does.

You may become suspicious just because someone you’re only tangentially related to says something on your timeline or is on your call log. …

And when you have 2,700 people with access, you have very little control over the uses to which they put this information.”

Global: Microsoft Teams has been storing authentication tokens in plaintext

Microsoft Teams stores authentication tokens in plaintext on disk, allowing an attacker who can read the user’s files to take over that user’s communications within an organization, according to the security firm Vectra.

The flaw affects the desktop app for Windows, Mac and Linux, which is built on the Electron framework.

Microsoft is aware of the issue but said it has no plans for a fix anytime soon, since exploiting it would first require an attacker to gain access to the target network and the user’s machine.

Vectra wrote: “This enables attackers to modify SharePoint files, Outlook mail, and calendars, and Teams chat files. Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.”
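As an added illustration (not Vectra’s tooling or Microsoft’s code), here is a small hunt script that walks a directory and flags JWT-shaped bearer tokens, decoding their claims so you can see which audience each one grants and whether it has expired. The directory it scans is a constructed temporary one; on a test machine, point scan_for_tokens at the Teams profile directory instead (the exact location differs per platform and is an assumption to verify).

```python
"""Hunt for bearer tokens left in plaintext on disk.

Added example, not from Vectra or Microsoft. The directory scanned below is a
constructed temporary one; the real Teams (Electron) storage location is not
hard-coded here, pass the path you want to audit to scan_for_tokens().
"""
import base64
import json
import re
import tempfile
import time
from pathlib import Path

# A JWT is three base64url segments joined by dots; the header segment always
# starts with "eyJ" because that is how '{"' encodes.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment):
    """base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def make_token(payload):
    """Build a syntactically valid, unsigned JWT for the demo (constructed)."""
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": "none", "typ": "JWT"}).encode()).rstrip(b"=")
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    return header + b"." + body + b".signaturesignature"


def scan_for_tokens(root, now=None):
    """Walk `root` and return every JWT-looking blob with its audience and
    whether it had already expired at `now` (epoch seconds)."""
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()  # leveldb/cookie files are binary, so work on bytes
        for m in JWT_RE.finditer(data):
            try:
                claims = json.loads(_b64url_decode(m.group().split(b".")[1]))
            except (ValueError, UnicodeDecodeError):
                continue  # base64-looking noise, not a JWT payload
            exp = claims.get("exp")
            findings.append({
                "file": path.name,
                "aud": claims.get("aud"),
                "expired": exp is not None and exp < now,
            })
    return findings


def build_demo_dir():
    """Create a throwaway directory mimicking an Electron app's storage files
    (constructed data: one live token, one stale token, one decoy file)."""
    root = Path(tempfile.mkdtemp(prefix="token-hunt-"))
    live = make_token({"aud": "https://graph.microsoft.com", "exp": 4102444800})
    stale = make_token({"aud": "https://api.spaces.skype.com", "exp": 1000000000})
    (root / "000005.ldb").write_bytes(b"\x00junk\x00" + live + b"\x00more junk")
    (root / "Cookies").write_bytes(b"authtoken=Bearer " + stale + b";")
    (root / "notes.txt").write_bytes(b"nothing to see here")
    return root


if __name__ == "__main__":
    for finding in scan_for_tokens(build_demo_dir()):
        print(finding)
```

Vectra reported the tokens in the Teams app’s cookie store and Local Storage leveldb files under the user’s profile; a hit there on a machine you suspect is compromised means the sessions should be revoked, not just the malware removed, because a copied token keeps working until it expires.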

So what’s the upshot for you? The issue for a lot of companies is that in the event of an endpoint compromise, a copied token lets the attacker act as that user without re-triggering MFA, which provides a secondary means for “lateral movement”. Come on Microsoft!

Global: Microsoft Edge, Google Chrome Enhanced Spellcheck Feature Exposes Passwords

Recent research from the otto-js Research Team has uncovered that text checked by Microsoft Editor (a browser extension) and by the Enhanced Spellcheck setting in Google Chrome is sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything typed into a text box that these features check.

As an additional note, even passwords can be sent by these features, but only when a ‘Show Password’ button is pressed: that toggle turns the password field into visible text, which the spellchecker then reads.

The key issue revolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.

Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update.

The issue has already been dubbed ‘spell-jacking’.

What’s most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realizing it.

So what’s the upshot for you? The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft.

At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved. That is: turn off Chrome’s Enhanced Spellcheck and the Microsoft Editor extension on any browser you use for work (the basic, local spellchecker is not the problem), and if you build web apps, mark sensitive fields spellcheck="false" so the browser never hands their contents to a cloud checker.
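AWS and LastPass mitigated this on their own pages by marking sensitive fields spellcheck="false", the attribute that tells the browser not to run the spellchecker over a field at all. The audit below is an added example, not otto-js’s test harness; it walks an HTML template with the standard library parser and reports typed fields that look sensitive but lack the attribute. The sample form and the keyword list are constructed, and the list is a starting point rather than an exhaustive one.

```python
"""Audit HTML templates for form fields a cloud spellchecker could read.

Added example, not otto-js's tooling. The sample page is constructed; the
sensitive-field keyword list is a starting point, not an exhaustive one.
"""
from html.parser import HTMLParser

SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_HINTS = ("pass", "ssn", "social", "dob", "birth", "card", "cvv",
                   "secret", "token", "user", "login", "account")
NOT_TYPED = {"hidden", "submit", "button", "checkbox", "radio"}


class SpellcheckAuditor(HTMLParser):
    """Collects <input>/<textarea> elements that look sensitive but are not
    marked spellcheck="false"."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        field_type = a.get("type", "text").lower()
        if field_type in NOT_TYPED:
            return  # nobody types into these, so nothing to spellcheck
        name_ish = " ".join((a.get("name", ""), a.get("id", ""),
                             a.get("autocomplete", ""))).lower()
        sensitive = (field_type in SENSITIVE_TYPES
                     or any(hint in name_ish for hint in SENSITIVE_HINTS))
        if not sensitive:
            return
        # type="password" alone is not enough: a show-password toggle flips the
        # field to type="text", so the attribute must be an explicit "false".
        if a.get("spellcheck", "").lower() != "false":
            self.findings.append({
                "tag": tag,
                "name": a.get("name") or a.get("id"),
                "type": field_type,
                "line": self.getpos()[0],
            })


def audit(html):
    """Return the list of sensitive fields in `html` lacking spellcheck="false"."""
    parser = SpellcheckAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample template: two fields should be flagged, the rest pass.
SAMPLE_PAGE = """\
<form>
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="new_password" spellcheck="false">
  <input type="text" name="ssn" spellcheck="false">
  <textarea name="notes"></textarea>
  <input type="hidden" name="csrf_token" value="...">
  <input type="submit" value="Go">
</form>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE):
        print(finding)
```

Run it over your templates in CI and fail the build on any finding; the point of the show-password caveat is that the fix belongs on the element, not on its current type.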

Global: Kiwi Farms gets hacked.

Further to our September 6th update, where Cloudflare had stopped providing its services to Kiwi Farms: the head of Kiwi Farms, the Internet forum best known for organizing harassment campaigns against trans and non-binary people, said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users.

On the site, creator Joshua Moon wrote:

The forum was hacked.
You should assume the following.

  • Assume your password for the Kiwi Farms has been stolen.
  • Assume your email has been leaked.
  • Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.

So what’s the upshot for you? Kiwi Farms launched in its current form in 2013 and quickly became a hub for online harassment campaigns.

At least three suicides have been tied to harassment stemming from the Kiwi Farms community.

Forum participants often openly admit their goal is to drive their targets to take their own lives.

Trans and non-binary people, members of the LGBTQ community, and women are frequent targets.

Moon didn’t respond to an email seeking comment and additional details about the breach.

On Sunday, he attempted to cast himself as the victim with no indication of irony as he explained the work that would be required to get the site running again.

Global: Still using Last Pass?

LastPass says the attacker behind the August security breach had internal access to the company’s systems for four days until they were detected and evicted.

In an update to the security incident notification published last month, LastPass CEO Karim Toubba also said that the company’s investigation (carried out in partnership with cybersecurity firm Mandiant) found no evidence the threat actor accessed customer data or encrypted password vaults.

“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults,” Toubba said.

While the method through which the attacker was able to compromise a LastPass developer’s endpoint to access the Development environment remains unclear, the investigation found that the threat actor was able to impersonate the developer after he “had successfully authenticated using multi-factor authentication.”

After analyzing source code and production builds, the company has also not found evidence that the attacker tried to inject malicious code.

This is likely because only the Build Release team can push code from Development into Production, and even then, Toubba said the process involves code review, testing, and validation stages.

Additionally, he added that the LastPass Development environment is “physically separated from, and has no direct connectivity to” Lastpass’ Production environment.

So what’s the upshot for you? The company says it has since “deployed enhanced security controls including additional endpoint security controls and monitoring,” as well as additional threat intelligence capabilities and enhanced detection and prevention technologies in both Development and Production environments.

So comforting. But we’d still be very tempted to change all our passwords…

CN: TikTok won’t commit to stopping US data flows to China

TikTok repeatedly declined to commit to US lawmakers on Wednesday that the short-form video app will cut off flows of US user data to China, instead promising that the outcome of its negotiations with the US government “will satisfy all national security concerns.”

TikTok Chief Operating Officer Vanessa Pappas affirmed in Wednesday’s hearing that the company has said, on record, that its Chinese employees do have access to US user data.

She also reiterated that TikTok has said it would “under no circumstances … give that data to China” and denied that TikTok is in any way influenced by China.

However, she avoided saying whether ByteDance would keep US user data from the Chinese government or whether ByteDance may be influenced by China.

So what’s the upshot for you? Time to rethink TikTok?

CN: Record Chinese Cyber Breach Spurs Eruption in Data for Sale

Since the data of about 1 billion Chinese citizens appeared for sale on a popular dark web forum in June, researchers have observed a surge in other kinds of personal records from China appearing on cybercriminal marketplaces.

In the aftermath of that record leak, an estimated 290 million records about people in China surfaced on an underground bazaar known as Breach Forums in July, according to Group-IB, a cybersecurity firm based in Singapore.

In August, one seller hawked personal information belonging to nearly 50 million users of Shanghai’s mandatory health code system, used to enforce quarantine and testing orders. The alleged hoard included names, phone numbers, IDs and their Covid status – for the price of $4,000.

“The forum has never seen such an influx of Chinese users and interest in Chinese data,” said Feixiang He, a researcher at Group-IB.

“The number of attacks on Chinese users may grow in the near future.”

So what’s the upshot for you? Bloomberg was unable to confirm the authenticity of the datasets for sale on Breach Forums.

The website, like other markets where illicit goods are sold, has been home to false advertisements meant to generate attention, as well as legitimate data apparently stolen in security incidents, including an instance where users marketed user information taken from Twitter.

ID: Indonesia Parliament Passes Long-Awaited Data Protection Bill

Indonesia’s parliament passed into law on Tuesday a personal data protection bill that includes corporate fines and up to six years imprisonment for those found to have mishandled data in the world’s fourth most populous country.

The bill’s passage comes after a series of data leaks and probes into alleged breaches at government firms and institutions in Indonesia, from a state insurer, telecoms company and public utility to a contact-tracing COVID-19 app that revealed President Joko Widodo’s vaccine records.

Lawmakers overwhelmingly approved the bill, which authorizes the president to form an oversight body to fine data handlers for breaching rules on distributing or gathering personal data.

So what’s the upshot for you? The biggest fine is 2% of a corporation’s annual revenue, and violators could also see their assets confiscated or auctioned off.

The law includes a two-year “adjustment” period but does not specify how violations would be addressed during that phase.

The legislation stipulates individuals can be jailed for up to six years for falsifying personal data for personal gain or up to five years for gathering personal data illegally.

JP: A team led by Japanese researchers reveals the best way to put a crying baby to sleep

Japanese researchers have discovered the perfect way to put a baby to sleep.

The algorithm is: walk with them for five minutes, sit and wait with them for five to eight minutes, and only then lay them down in bed.

The trick is the second step: going straight from walking to the crib tends to wake them up.

So what’s the upshot for you? If you don’t have a baby in your life dictating when and how little you will sleep, this story will have no meaning, but if you do, you may now be one of the happiest people you know.

And our quote of the week: “The only way to maintain privacy on the internet is to not be on the internet.” - Abhijit Naskar

That’s it for this week. Stay safe, stay secure, don’t wake the baby, and see you in fourt33n.
