Free Running across the IT Privacy and Security Weekly Update for January 4th 2022



Daml’ers,

In true year-end, year-start style we wall-run over some of the top hacks of 2021 before turn-vaulting with a 2022 resolution to get fit that has no security or privacy involved except that the whole story should probably be secured and kept private.

We backflip onto the LastPass fiasco, corkscrew through a few stories on Apple (is it any wonder they are a $3 trillion company if we cover them?), punch into a fresh duck story and triple front somersault into the differences between Misinformation, Dis-information, and Mal-information.

As we stop, drop, and roll, this just might be the best new year IT Privacy and Security weekly update yet!

So let’s load up those Parkour kit bags and J-step into our first adventure for 2022!


Global: Looking back over the worst hacks of 2021

In early May, ransomware hit Colonial Pipeline, which operates a 5,500-mile pipeline that carries nearly half of the East Coast’s fuel—gasoline, diesel, and natural gas—from Texas all the way to New Jersey. As a result of the attack, the company shut down portions of the pipeline both to contain the malware and because the attack knocked its billing systems offline. As lines grew at gas stations through the southeastern US, the Department of Transportation released an emergency order to allow expanded fuel distribution by truck. The FBI also named the notorious Russia-linked ransomware gang DarkSide as the perpetrator of the attack.

At the beginning of July, hackers associated with the Russia-based ransomware gang REvil exploited a flaw in Kaseya’s Virtual System Administrator tool. VSA is popular among managed service providers, companies that run IT infrastructure for organizations that don’t want to do it themselves. As a result of this interdependent ecosystem, attackers were able to exploit the flaw in VSA to infect as many as 1,500 organizations around the world with ransomware. At the beginning of November, the US Justice Department announced that it had arrested one of the key alleged perpetrators of the Kaseya attack, a Ukrainian national who was apprehended in October and is currently awaiting extradition from Poland.

The live-streaming service Twitch, which is owned by Amazon, confirmed that it had been breached in October after an unknown entity released a 128 GB trove of proprietary data stolen from the company. The breach included Twitch’s complete source code.

In the wake of Russia’s SolarWinds digital espionage spree, the Chinese state-backed hacking group known as Hafnium went on a tear. By exploiting a group of vulnerabilities in Microsoft’s Exchange Server software, they compromised targets’ email inboxes and their organizations more broadly. The attacks impacted tens of thousands of entities across the United States beginning in January and with particular intensity in the first days of March.

The communications platform WhatsApp sued NSO in 2019 and Apple followed suit this year in November, after a string of revelations that NSO created tools to infect iOS targets with its flagship Pegasus spyware by exploiting flaws in Apple’s iMessage communication platform. In July, an international group of researchers and journalists from Amnesty International, Forbidden Stories, and more than a dozen other organizations published forensic evidence that a number of governments worldwide—including Hungary, India, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates—might be NSO customers.

JBS SA, the world’s largest meat processing company, suffered a major ransomware attack at the end of May. Its subsidiary JBS USA said in a statement at the beginning of June that “it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” JBS is headquartered in Brazil and has roughly a quarter-million employees around the world. The incident came just a couple of weeks after the Colonial Pipeline attack.

Firewall vendor Accellion released a patch in late December, and then more fixes in January, to address a group of vulnerabilities in one of its network equipment offerings. The patches didn’t come or get installed quickly enough for dozens of organizations worldwide, though. Many suffered data breaches and faced extortion attempts as a result of the vulnerabilities.

Wireless carrier T-Mobile admitted in August that data from more than 48 million people had been compromised in a breach that month. Of those, more than 40 million victims weren’t even current T-Mobile subscribers, but rather former or prospective customers who had applied for credit with the company. The rest were mostly active “postpaid” customers who get billed at the end of each cycle instead of the beginning. Victims had their names, dates of birth, social security numbers, and driver’s license details stolen.

So what’s the upshot for you? That is your top 8 to ring out 2021 with. Will 2022 be any better? We’ll let you know… week by week!


Global: LastPass users warned their master passwords are compromised, just before being thrown into total confusion.

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

The email notifications also mention that the login attempts have been blocked because they were made from unfamiliar locations worldwide.

“Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” the login alerts warn.

Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.

To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report receiving “Something went wrong: A” errors after clicking the “Delete” button.

Someone tried my @LastPass master password earlier yesterday and then someone just tried it again a few hours ago after I changed it. What the hell is going on?

— Valcrist (@Valcristerra) December 28, 2021

So what’s the upshot for you? LastPass users are advised to enable multifactor authentication to protect their accounts and perhaps have a second option with an open-source tool like Bitwarden. Note that they can both be run concurrently but have independent log-ins.


CA: Apple AirTags are Being Used to Stalk People and Steal Cars, Say Researchers

According to the researchers, Apple’s AirTags equipped with Bluetooth technology could be revealing a “widespread problem of tech-enabled tracking,” something which privacy groups had predicted could happen when Apple introduced the devices earlier this year.

Unlike similar tracking products, such as Tile, the AirTags present a “uniquely harmful” threat because “the ubiquity of Apple’s products allows for more exact monitoring of people’s movements,” said Eva Galperin, a cybersecurity director at the Electronic Frontier Foundation.

“Apple automatically turned every iOS device into part of the network that AirTags use to report the location of an AirTag,” Ms. Galperin said. “The network that Apple has access to is larger and more powerful than that used by the other trackers. It’s more powerful for tracking and more dangerous for stalking.”

So what’s the upshot for you? Until this is resolved it unquestionably makes not carrying an iPhone (where you would get notice of unauthorized tags) a liability. We are surprised the matter has gotten so little attention from the press and politicians.


Global: Did you get an iPhone or Android for the holidays? Like used cars, you may find phone depreciation needs to be built into your next letter to Santa.

The Pixel 6, Google’s latest flagship smartphone, launched just two months after Apple’s ‌iPhone 13‌ lineup. Despite being touted as a leading Android competitor to the iPhone, the Pixel 6 suffers from considerably worse depreciation.

In the first month after launch, all of the ‌iPhone 13‌ models depreciated by 24.9 percent on average. The Pixel 6 models, on the other hand, lost 42.6 percent of their value on average.

Since then, the ‌iPhone 13‌ has regained some of its value, with a recovery of 3.1 percent of its value since the first month.

Overall, the ‌iPhone 13‌ models are holding their value significantly better, leading to minimized losses for customers looking to sell their new device.

So what’s the upshot for you? Although we do find Apple bias creeping into this report, Apple laptops and phones do generally do better than their Windows or Android equivalents in the resale market.


Global: Apple’s wearable gadget business grew like gangbusters over the holidays

Apple sold 27 million pairs of its newest AirPods model over the holidays, according to top Apple analyst Ming-Chi Kuo of TFI Asset Management Limited.

Kuo expects 20% year-over-year growth for Apple’s wearables business for the holiday quarter.

So what’s the upshot for you? This year is expected to be a big one for Apple’s wearables business thanks to the impending launch of its augmented reality headset. We just hope that their carry case doesn’t end up looking like an AirPods Max bra. Apple's AirPods Max Carrying Case Draws Comparisons to a Purse or Bra


Global: HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks

https://trevorspiniolas.com/doorlock/doorlock.html

The flaw, dubbed doorLock, was reported to Apple on August 10 by Trevor Spiniolas, who decided to disclose his findings on January 1. The researcher said the tech giant had initially planned on rolling out a fix by the end of the year, but in December that deadline changed to “early 2022.”

The vulnerability is related to HomeKit, the software framework provided by Apple for configuring and controlling smart home appliances from iPhones and iPads.

The security bug is related to the name assigned to a HomeKit device. If the name is a large string — 500,000 characters were used in the tests conducted by Spiniolas — the device that loads the string significantly slows down or becomes unresponsive. The victim will not be able to access data stored on the phone or tablet and the problem persists across a device reboot or update.

The vulnerability can be triggered by a malicious application, by manually renaming a device, or by sending out an invitation with a specially crafted device name to the targeted user.

While Apple has introduced a limit on the name length in iOS 15, devices running this version of the operating system can still be attacked by sending them an invitation containing the specially crafted device name.

So what’s the upshot for you? Nothing like a little publicity to shake the patch tree. (and this is nothing like a “little” publicity!)


US: Online privacy: DuckDuckGo just finished a banner year and looks for an even better 2022

It’s unclear how many people deeply care about their online data. After all, Facebook (hardly a paragon of protecting privacy) boasts 2.89 billion daily active users. And Facebook isn’t alone in this – it just happens to be above average in the scale and scope of how it leverages personal data to sell ads/drive engagement.

And yet, DuckDuckGo. The privacy-oriented search engine netted more than 35 billion search queries in 2021, a 46.4% jump over 2020 (23.6 billion). That’s big. Even so, the company, which bills itself as the “Internet privacy company,” offering a search engine and other products designed to “empower you to seamlessly take control of your personal information online without any tradeoffs,” remains a rounding error compared to Google in search dollar volumes.

Our personal data is not actually worth much … to others. “Your own data is worthless — it only has value in the aggregate of millions,” analyst Benedict Evans said.

Still, while it’s not worth much to others, it’s worthwhile to us to keep things private.

DuckDuckGo’s rising success suggests that plenty of people agree and are actually doing something about it.

So what’s the upshot for you? Because of this growing reputation for protecting privacy, DuckDuckGo is now the most downloaded browsing app on Android in its major markets like the U.S., and second only to Chrome on iOS.


US: Misinformation, Disinformation, and Mal-information

A holiday conversation about the differences in molecular structure between glucose and fructose, and how the body handles each, drifted into lobbying and special interest groups, and from there to the following:

Data alone means nothing. For example, a date is just a series of numbers until it’s tied to a specific action or event. Context is what gives data value — it’s what turns data into its more useful counterpart: information. The same goes for misinformation.

“From a misinformation perspective, context is key. Often, misinformation is the twisting of context.”

Twisting the context has led to information pollution, which, in turn, has led to what the Council of Europe calls “information disorder” — a state that breaks down into three separate categories: misinformation, disinformation, and mal-information.

Misinformation is something inaccurate or purposefully misleading. This could range from rumors to misleading advertising or even satire taken the wrong way. So, misinformation is not intended to be harmful, but it can do damage.

Where misinformation is meant to make people think twice about what they see or read, disinformation is designed to be deliberately wrong, sharing outright false information as truth. It is designed to cause harm.

Mal-information, or malicious information, is false information that is intended to do grievous harm to an individual or organization. This is a process of deliberately changing content for malicious intent.

So what’s the upshot for you? Always consider the context in which you gather the information. Consider the source. Consider how it stands among the other information you have. And then, when a survey states that HFCS does not contribute to the occurrence of the NAFLD that afflicts 30% of the global adult population, check to see if the American Beverage Association is sponsoring it!


Global: "Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email worldwide"

Microsoft has released a fix for a harebrained Exchange Server bug that shut down on-premises mail delivery around the world just as clocks were chiming in the new year.

The mass disruption stemmed from a date check failure in Exchange Server 2016 and 2019 that made it impossible for servers to accommodate the year 2022, prompting some to call it the Y2K22 bug. The mail programs stored dates and times as signed 32-bit integers, which max out at 2147483647, or 2^31 - 1. Microsoft uses the first two digits of an update version to denote the year it was released. As long as the year was 2021 or earlier, everything worked fine.

So what’s the upshot for you? The date and time check was performed when Exchange checked the version of the FIP-FS, a scanning engine that’s part of Exchange antimalware protections. Once FIP-FS versions began with the numbers 22, the check was unable to complete, and mail delivery was abruptly halted.

Apparently, the bug has been present since Exchange Server 2016.
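To make the overflow concrete, here is a small Python illustration added by the editor (not code from the original post or from Microsoft). It assumes a ten-digit YYMMDDnnnn version string, and the two version values are constructed samples, not actual FIP-FS engine versions.

```python
import struct
from typing import Tuple

INT32_MAX = 2**31 - 1  # 2147483647: the largest value a signed 32-bit integer holds

# Constructed sample versions in the assumed YYMMDDnnnn layout: the last
# update of 2021 and the first update of 2022 (not real engine versions).
LAST_2021_VERSION = "2112310001"
FIRST_2022_VERSION = "2201010001"


def fits_int32(version: str) -> bool:
    """True if the version digits, read as one decimal number, fit a signed int32."""
    try:
        struct.pack(">i", int(version))  # raises struct.error above INT32_MAX
        return True
    except struct.error:
        return False


def wrapped_int32(version: str) -> int:
    """Value a parser would see if it stuffed the digits into an int32 and let
    them wrap around (two's complement) instead of rejecting them."""
    low_bits = int(version) & 0xFFFFFFFF
    return struct.unpack(">i", struct.pack(">I", low_bits))[0]


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split YYMMDDnnnn into (year, month, day, build).

    Comparing the fields as a tuple never depends on the whole string fitting
    in a machine word, so the year rolling over to 22 is harmless.
    """
    if len(version) != 10 or not version.isdigit():
        raise ValueError(f"unexpected version format: {version!r}")
    year = 2000 + int(version[0:2])
    return year, int(version[2:4]), int(version[4:6]), int(version[6:10])


def is_newer(candidate: str, current: str) -> bool:
    """Field-wise comparison that works for 2022 and beyond."""
    return parse_version(candidate) > parse_version(current)


if __name__ == "__main__":
    for v in (LAST_2021_VERSION, FIRST_2022_VERSION):
        print(v, "fits int32:", fits_int32(v), "wrapped value:", wrapped_int32(v))
    print("2022 build newer than 2021 build:", is_newer(FIRST_2022_VERSION, LAST_2021_VERSION))
```

The 2022 value wraps to a negative number, which is why a check that expects a positive, increasing version fails the moment the first two digits become 22.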


Global: Wait What? HTTP/3?!!

A Brief History of HTTP: The first official version of HTTP (Hypertext Transfer Protocol 1.0) was finalized in 1996. There were some practical issues and parts of the standard that needed updating, so HTTP/1.1 was released a year later in 1997.

It would be 18 more years before a new version of HTTP was released. In 2015, and with much fanfare, RFC 7540 would standardize HTTP/2 as the next major version of the protocol.

But a problem still remained: If a web page requires 10 javascript files, the web browser needs to retrieve those 10 files before the page can finish loading. In HTTP/1.1-land, the web browser can only download a single file at a time over a TCP connection with the server. This means the files are downloaded sequentially, and any delay in one file would block everything else behind it. This is called Head-of-line Blocking and it’s not good for performance.

To work around this, browsers can open multiple TCP connections to the server to parallelize the data retrieval. But this approach is resource-intensive. Each new TCP connection requires client and server resources, and when you add TLS in the mix there’s plenty of SSL negotiation happening too. A better way was needed.

Enter HTTP/3. The major difference between HTTP/2 and HTTP/3 is which transport protocol they use. Instead of TCP, HTTP/3 uses a new protocol called QUIC. QUIC is a general-purpose transport protocol meant to address the head-of-line blocking issues HTTP/2 has with TCP. It allows you to create a series of stateful streams (similar to TCP) over UDP.

The QUIC transport protocol incorporates stream multiplexing and per-stream flow control, similar to that provided by the HTTP/2 framing layer. By providing reliability at the stream level and congestion control across the entire connection, QUIC has the capability to improve the performance of HTTP compared to a TCP mapping.

Testing:

London, England: HTTP/3 vs HTTP/2 and HTTP/1.1. HTTP/3 is hands-down the fastest protocol. The speed increase is even more pronounced when greater distances over the network are in play. HTTP/3 is:

  • 600ms faster for a Small Site (3x the speedup compared with New York)
  • 1200ms faster for a Content Site (over 3.5x the speedup compared with New York)
  • 1000ms faster for a Single Page Application (over 3x the speedup compared with New York)

Bangalore, India: The performance improvement with HTTP/3 is extremely pronounced when loading pages from a server in India. We didn’t even run an HTTP/1.1 test because it was so slow.

HTTP/3 continues to pull ahead of HTTP/2 when larger geographies and more network hops are involved. What’s perhaps more striking is just how tightly grouped the response times are for HTTP/3. QUIC is having a big impact when packets are traveling thousands of miles. In every case, HTTP/3 was faster than its predecessor!

Why is HTTP/3 so Much Faster?

  • Real Multiplexing: The true multiplexed nature of HTTP/3 means that there is no Head-of-line blocking happening anywhere on the stack. When requesting resources from further away, geographically, there is a much higher chance of packet loss and the need for TCP to re-transmit those packets.

  • 0-RTT Is a Game Changer: Additionally, HTTP/3 supports 0-RTT QUIC connections, which lowers the number of round trips required to establish a secure TLS connection with the server. The 0-RTT feature in QUIC allows a client to send application data before the handshake is complete. This is made possible by reusing negotiated parameters from a previous connection. To enable this, 0-RTT depends on the client remembering critical parameters and providing the server with a TLS session ticket that allows the server to recover the same information.

Security concerns?

  • 0-RTT should not be blindly enabled. There may be some security concerns depending on your threat model. The security properties for 0-RTT data are weaker than those for other kinds of TLS data. Specifically:
      • This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.
      • There are no guarantees of non-replay between connections.
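As an added illustration of the replay caveat (editor's example, not code from the original post or from any HTTP/3 implementation), the Python sketch below shows the server-side policy RFC 8470 describes for requests that arrive as early data. It assumes the TLS-terminating front end marks such requests with an `Early-Data: 1` header; the ticket identifier and request contents are constructed samples.

```python
import hashlib
import time
from typing import Dict, Mapping, Optional, Tuple

# Methods RFC 7231 defines as safe, and therefore tolerable if a replayed
# copy of the request reaches the application.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Constructed sample: a session-ticket identifier as the TLS terminator
# might expose it to the application. Not a real ticket.
SAMPLE_TICKET_ID = b"ticket-0001"


class EarlyDataGuard:
    """Application-side policy for 0-RTT early data.

    Assumes (as RFC 8470 describes) that the front end adds 'Early-Data: 1'
    to requests received before the handshake completed. Non-idempotent
    methods are refused with 425 Too Early, and a short-lived cache of
    (ticket, request) fingerprints refuses a verbatim replay of the same
    early data within `window` seconds.
    """

    def __init__(self, window: float = 10.0) -> None:
        self.window = window
        self._seen: Dict[str, float] = {}

    @staticmethod
    def _fingerprint(ticket_id: bytes, method: str, path: str, body: bytes) -> str:
        h = hashlib.sha256()
        for part in (ticket_id, method.encode(), path.encode(), body):
            h.update(len(part).to_bytes(4, "big"))  # length-prefix each field
            h.update(part)
        return h.hexdigest()

    def _expire(self, now: float) -> None:
        stale = [fp for fp, seen_at in self._seen.items() if now - seen_at > self.window]
        for fp in stale:
            del self._seen[fp]

    def decide(self, method: str, path: str, headers: Mapping[str, str],
               body: bytes, ticket_id: bytes, now: Optional[float] = None) -> Tuple[int, str]:
        """Return (HTTP status, reason) for one incoming request."""
        now = time.monotonic() if now is None else now
        if headers.get("Early-Data") != "1":
            return 200, "received after the handshake: process normally"
        if method.upper() not in SAFE_METHODS:
            # RFC 8470: the client retries once the handshake has completed.
            return 425, "Too Early: non-idempotent request sent as 0-RTT data"
        self._expire(now)
        fp = self._fingerprint(ticket_id, method.upper(), path, body)
        if fp in self._seen:
            return 425, "Too Early: identical early data already seen for this ticket"
        self._seen[fp] = now
        return 200, "safe request in early data: process"


if __name__ == "__main__":
    guard = EarlyDataGuard()
    early = {"Early-Data": "1"}
    print(guard.decide("POST", "/transfer", early, b"amount=100", SAMPLE_TICKET_ID))
    print(guard.decide("GET", "/balance", early, b"", SAMPLE_TICKET_ID))
    print(guard.decide("GET", "/balance", early, b"", SAMPLE_TICKET_ID))  # replay
```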

So what’s the upshot for you? Can you use HTTP/3 today? Maybe. While the protocol is currently in Internet-Draft status, there are plenty of existing implementations.

The big tech players like Google and Facebook are serving their traffic over HTTP/3 already. Google.com is entirely served over HTTP/3 for modern browsers. NGINX also has experimental support and is working towards an official HTTP/3 release in the near future.

Ultimately it seems that HTTP/3 could present big speed benefits to your website, but those have to be balanced against the ostensibly weaker security.


US: CES 2022: Oral-B Unveils Three New smartphone-connected iO Smart Toothbrushes

“A key new feature of the iO10 is real-time oral health coaching built directly into the toothbrush’s charging base, allowing you to monitor your brushing time, pressure, and coverage without needing to take your phone into the bathroom. Your brushing data then syncs to the Oral-B app for greater insights into your brushing habits.

The rechargeable electric toothbrush features seven different cleaning modes for a personalized clean, including Daily Clean, Sensitive, Super-Sensitive, Intense, Whiten, Gum Care, and Tongue Clean. A built-in pressure sensor helps keep your gums healthy and protected by displaying a red light when you are brushing too hard and a green light when you are brushing just right, according to Oral-B.

Oral-B did not reveal pricing or a release date for the iO10, but customers can sign up on a waitlist to be notified when the toothbrush becomes available.”

So what’s the upshot for you? Sit down, stand up, no, sit down first. Still no pricing details available, but the last version of the toothbrush went for $299. And just imagine, if the Procter & Gamble Elasticsearch database was ever left unsecured, the whole world would finally know the secret behind your pearly white smile!


DE: New year’s resolution to get fit?

Keep it secure and keep it private, but this Grandmum and her workouts are taking TikTok by storm.

So what’s the upshot for you? Wait! A couple of questions first:

  • Do they wear Lederhosen to work out in Deutschland?
  • And ParKour with your dog?

Perhaps following the logic “If she can do it, then so can I,” Erika can keep you motivated straight through to fitness. If not, well, there are always next year’s resolutions.


That’s it from the first few days of 2022. Expect a lot in the areas of IT Privacy and Security in 2022 and expect us to keep bringing you the best of it all!

Be kind, stay safe, stay secure, we made it through 2021! Woo Woo 2022! See you in se7en!
