From Missiles to Monk Seals with the IT Privacy and Security Weekly Update for February 8th, 2022


This week we discover where stolen crypto and discarded fishing nets end up and we’re pretty sure you will be surprised by both.

We then swim from vigilantes, newspapers, washed NFTs, and crypto-mining before landing on a pile of VB scripts.

So put your Astro-boy boots on, grab those speedos and let’s rocket!

KP: North Korea: Missile program funded through stolen crypto, UN report says

Between 2020 and mid-2021 cyber-attackers stole more than $50m (£37m) of digital assets, investigators found. Such attacks are an “important revenue source” for Pyongyang’s nuclear and ballistic missile program. The cyber-attacks targeted at least three cryptocurrency exchanges in North America, Europe, and Asia.

North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400 million worth of digital assets last year. These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses.

Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out.

In 2019, the UN reported that North Korea had accumulated an estimated $2bn for its weapons of mass destruction programs by using sophisticated cyber-attacks.

North Korea - formally known as the Democratic People’s Republic of Korea (DPRK) - carried out nine missile tests last month alone.

More than 65% of DPRK’s stolen funds were laundered through mixers this year, up from 42% in 2020 and 21% in 2019, suggesting that these threat actors have taken a more cautious approach with each passing year.

Why mixers? DPRK is a systematic money launderer, and its use of multiple mixers—software tools that pool and scramble cryptocurrencies from thousands of addresses—is a calculated attempt to obscure the origins of its ill-gotten cryptocurrencies while off-ramping into fiat.

Why DeFi? DeFi platforms like DEXs provide liquidity for a wide range of ERC-20 tokens and altcoins that may not otherwise be convertible into cash. When DPRK swaps these coins for ETH or BTC they become much more liquid, and a larger variety of mixers and exchanges become usable. What’s more, DeFi platforms don’t take custody of user funds and many do not collect know-your-customer (KYC) information, meaning that cybercriminals can use these platforms without having their assets frozen or their identities exposed.

So what’s the upshot for you? This is the downside of the anonymity associated with crypto and certainly serves as a good warning sign for why you may want to proceed with caution when approaching this asset class.

KP: North Korea Hacked Him. So He Took Down Its Internet

For the past two weeks, observers of North Korea’s strange and tightly restricted corner of the internet began to notice that the country seemed to be dealing with some serious connectivity problems. On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un’s government. At least one of the central routers that allow access to the country’s networks appeared at one point to be paralyzed, crippling the Hermit Kingdom’s digital connections to the outside world.

But responsibility for North Korea’s ongoing internet outages doesn’t lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.

Just over a year ago, an independent hacker who goes by the handle P4x was himself hacked by North Korean spies. P4x was just one victim of a hacking campaign that targeted Western security researchers with the apparent aim of stealing their hacking tools and details about software vulnerabilities. He says he managed to prevent those hackers from swiping anything of value from him. But he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.

After his experience as a target of state-sponsored cyberespionage, P4x spent much of the next year on other projects. But after a year had passed, still without public or private statements from the federal government about the targeting of security researchers and no offer of support from any US agency, P4x says he decided it was time to make his own statement to both the North Korean and American governments.

So after a year of letting his resentment simmer, P4x has taken matters into his own hands. “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming. I want them to understand that if you come at us, it means some of your infrastructure is going down.”

P4x says he’s found numerous known but unpatched vulnerabilities in North Korean systems that have allowed him to singlehandedly launch “denial-of-service” attacks on the servers and routers the country’s few internet-connected networks depend on.

So what’s the upshot for you? …And what’s the final goal of his cyberattacks on that totalitarian government’s internet infrastructure? “I just want to prove a point. I want that point to be very squarely proven before I stop.”

US/CN: Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others

A cyberattack discovered on Jan. 20 accessed emails and documents of some employees at News Corp. business units, including The Wall Street Journal and its parent Dow Jones; the New York Post; the company’s U.K. news operation; and News Corp headquarters, according to an email the company sent to staff Friday.

News Corp. notified law enforcement and hired Mandiant for incident response, according to the report. “Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” said David Wong, vice president of incident response at Mandiant, the newspaper said.

The investigation detected that the intrusion appeared to date to at least February 2020, according to people briefed on the matter, and scores of employees were impacted. The hackers were able to access reporters’ emails and Google Docs, including drafts of articles, the people said. News Corp was still trying to determine the full extent of emails and documents that were accessed, the people said.

The attackers appeared to be interested in a range of topics, including issues of importance to Beijing such as Taiwan and China’s Uyghur ethnic group, according to other people briefed on the matter and a review of some of the document target lists. Other areas of interest included draft Journal articles and notes about U.S. military troop activity, U.S. technology regulation related to China, and articles about President Joe Biden, Vice President Kamala Harris, and senior White House officials.

Law-enforcement officials and cybersecurity experts say that journalists are often high-priority targets for hackers seeking to gain intelligence on behalf of foreign governments because they speak to sources who might have valuable or sensitive information. Powerful surveillance tools have been used against journalists and human-rights activists.

So what’s the upshot for you? China has denied all allegations.

EU: Europe’s Move Against Google Analytics Is Just the Beginning

The Austrian website of medical news company NetDoktor works like millions of others. Load it up and a cookie from Google Analytics is placed on your device and tracks what you do during your visit. This tracking can include the pages you read, how long you are on the website, and information about your device—with Google also assigning an identification number to your browser that can be linked to other data.

NetDoktor can use this analytics data to see how many readers it has and what they’re interested in—the website picks what it collects. But by using Google Analytics, the tech giant’s traffic monitoring service, all this data passes through Google’s servers and ends up in the United States. For data regulators in Europe, the shipping of personal data across the Atlantic remains problematic. And now a small Austrian medical website finds itself at the center of an almighty tussle between US laws and Europe’s powerful privacy regulations.

On December 22, the Austrian data regulator, Datenschutzbehörde, said the use of Google Analytics on NetDoktor breached the European Union’s General Data Protection Regulation (GDPR). The data being sent to the US wasn’t being properly protected against potential access by US intelligence agencies, the regulator said in a decision that was published last week. Days earlier it was revealed that European Parliament’s Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe, according to a decision from the European Data Protection Supervisor (EDPS).

NetDoktor isn’t unique—but it is the clearest hint yet that European regulators still don’t like the way US tech companies send data across the Atlantic. Current US surveillance laws, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, don’t protect data held on people living outside the US as well as they do those living inside it. In short: It’s theoretically possible for US surveillance agencies to collect huge amounts of data that’s moved to the country.

So what’s the upshot for you? The Dutch data protection authority, Autoriteit Persoonsgegevens, says it is finalizing its investigation and hasn’t ruled out the possibility that the use of Google Analytics in its current form will be banned. In Germany, where data issues are regulated by region, Hamburg’s data protection authority received two complaints from noyb and says in one case the website has removed Google Analytics, so it “does not plan to issue any orders or a fine” in this case. It is still investigating the other case.

US: Mark Zuckerberg and team consider shutting down Facebook and Instagram in Europe if Meta can not process Europeans’ data on US servers

If Meta is not given the option to transfer, store and process data from its European users on US-based servers, Facebook and Instagram may be shut down across Europe, the social media giants’ owner reportedly warned in its annual report.

The key issue for Meta is transatlantic data transfers, regulated via the so-called Privacy Shield and other model agreements that Meta uses or used to store data from European users on American servers. The current agreements to enable data transfers are currently under heavy scrutiny in the EU. In its annual report to the U.S. Securities and Exchange Commission, Meta warns that if a new framework is not adopted and the company is no longer allowed to use the current model agreements “or alternatives,” the company will “probably” no longer be able to offer many of its “most significant products and services,” including Facebook and Instagram, in the EU, according to various media reports, including in iTWire, The Guardian newspaper and Side-Line Magazine.

So what’s the upshot for you? Facebook used to use Privacy Shield as the legal basis for its data transfers to the US (it provided assurance that the data would be handled with the same protection in the US as in Europe).

However, this treaty was annulled by the European Court of Justice in July 2020, because of data protection violations. Since then, the EU and the US have not agreed on a new or updated version of the treaty.

In addition to the Privacy Shield, Meta also uses so-called model agreements, or Standard Contractual Clauses, as the primary legal basis for processing data from European users on American servers.

These model agreements too are under scrutiny in Brussels and other parts of the EU.

DE/FR: We’re Fine Without Facebook, German and French Ministers Say

Meta Platforms Inc.’s veiled threat to quit Europe because of blocked talks over privacy rules was more like music to the ears of two top German and French politicians.

“After being hacked I’ve lived without Facebook and Twitter for four years and life has been fantastic,” German Economy Minister Robert Habeck told reporters at an event alongside French Finance Minister Bruno Le Maire in Paris on Monday.

“I can confirm that life is very good without Facebook and that we would live very well without Facebook,” Le Maire added. “Digital giants must understand that the European continent will resist and affirm its sovereignty.”

So what’s the upshot for you? The pair were responding to comments in Meta’s annual report published Thursday, warning that if it couldn’t rely on new or existing agreements to shift data, then it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”

Global: Washing NFTs

The NFT marketplace is rife with people buying their own NFTs in order to drive up prices, according to a report released this week by blockchain data firm Chainalysis.

Known as “wash trading”, the act of buying and selling a security to fool the market was once commonplace on Wall Street and has been illegal for nearly a century. But the vast, unregulated NFT marketplace has proven to be a golden opportunity for scammers.

The report tracked instances of the same traders selling the same NFTs back and forth at least 25 times, a likely incident of wash trading. It identified a group of 110 alleged NFT wash traders who have made roughly $8.9 million in profit from this practice. Researchers also discovered significant evidence of money laundering in the NFT marketplace in the last half of 2021.

So what’s the upshot for you? Some have asked just what they are getting when they purchase an NFT. It’s different in every case and now with a little light shown on how pricing is established, you may want to stick with the “authentic, bona fide, certifiable, certified, dinkum [Australian & New Zealand], echt, genuine, honest, pukka (also pucka), right, sure-enough, true” … thing for a while longer.
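The report above flags traders who sell the same NFT back and forth at least 25 times. The following is an added example, not code from the newsletter or from Chainalysis, of that heuristic applied to a constructed sale history: it counts sales of one token between the same unordered pair of addresses and only flags pairs that traded in both directions, so a one-way flipper is not mistaken for a wash trader.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed sale records (not real on-chain data): each sale moves one
# token id from a seller address to a buyer address for a price in ETH.
class Sale(NamedTuple):
    token_id: str
    seller: str
    buyer: str
    price_eth: float

# Threshold taken from the report described above: the same token bouncing
# between the same traders at least 25 times.
WASH_THRESHOLD = 25

def _pair_key(a: str, b: str) -> tuple:
    """Unordered, case-insensitive address pair."""
    return tuple(sorted((a.lower(), b.lower())))

def find_wash_pairs(sales, threshold=WASH_THRESHOLD):
    """Return {(token_id, (addr_a, addr_b)): sale_count} for every address
    pair that traded the same token at least `threshold` times in total,
    with at least one sale in each direction."""
    counts = defaultdict(lambda: {"ab": 0, "ba": 0})
    for s in sales:
        pair = _pair_key(s.seller, s.buyer)
        direction = "ab" if s.seller.lower() == pair[0] else "ba"
        counts[(s.token_id, pair)][direction] += 1
    flagged = {}
    for key, d in counts.items():
        total = d["ab"] + d["ba"]
        if d["ab"] > 0 and d["ba"] > 0 and total >= threshold:
            flagged[key] = total
    return flagged

def build_sample():
    """Constructed history: token 'punk-1' ping-pongs between A and B
    30 times at a rising price; token 'ape-7' is sold once, normally."""
    a, b, c = "0xAAA", "0xBBB", "0xCCC"
    sales = []
    for i in range(30):
        seller, buyer = (a, b) if i % 2 == 0 else (b, a)
        sales.append(Sale("punk-1", seller, buyer, 1.0 + 0.1 * i))
    sales.append(Sale("ape-7", a, c, 2.5))
    return sales

if __name__ == "__main__":
    for (tok, pair), n in find_wash_pairs(build_sample()).items():
        print(f"{tok}: {n} sales between {pair[0]} and {pair[1]}")
```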

US: IRS To Ditch Biometric Requirement for Online Access

The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency’s website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one’s identity with the U.S. government online.

Late last year, the login page for the IRS was updated with text advising that by the summer of 2022, the only way for taxpayers to access their records at irs(dot)gov will be through ID(dot)me, an online identity verification service that collects biometric data — such as live facial scans using a mobile device or webcam.

The IRS first announced its partnership with ID(dot)me in November, but the press release received virtually no attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID(dot)me. That story immediately went viral, bringing this site an almost unprecedented amount of traffic. A tweet about it quickly garnered more than two million impressions.

It was clear most readers had no idea these new and more invasive requirements were being put in place at the IRS and other federal agencies (the Social Security Administration also is steering new signups to ID(dot)me).

So what’s the upshot for you? Many were aghast that the IRS would ask people to hand over their biometric and personal data to a private company that began in 2010 as a way to help veterans, teachers, and other public servants qualify for retail discounts.

Who has (or will have) access to this data? Why should it be stored indefinitely (post-verification)? What happens if ID(dot)me gets breached?

IL: Israel To Probe If Notorious Spyware Used Illicitly at Home

Israel will investigate allegations that police illicitly used homegrown spyware that’s gained notoriety abroad against its own citizens.

The government will form a committee to look into a series of reports by Calcalist, a Hebrew business daily, that law enforcement officials used NSO Group’s Pegasus software without a court order to tap into the phones of citizens both prominent and obscure, including a key prosecution witness in former Prime Minister Benjamin Netanyahu’s corruption trial.

Others allegedly targeted include an anti-Netanyahu protester, the former Israeli leader’s son, high-ranking officials, and the heads of some of the country’s biggest companies. Israeli officials, including the minister in charge of police, initially denied any impropriety. But the police later backtracked, citing “additional findings,” and on Monday, Public Security Minister Omer Bar-Lev ordered the investigation. “The reports about Pegasus, if they are true, are very serious,” Prime Minister Naftali Bennett said in a statement on Monday. “This tool (Pegasus) and similar tools, are important tools in the fight against terrorism and severe crime, but they were not intended to be used in phishing campaigns targeting the Israeli public or officials – which is why we need to understand exactly what happened.”

So what’s the upshot for you? Yet another “interesting” story surrounding the NSO Group.

Global: Google Cloud Adds New Cryptomining Threat Detection Capability

Google has launched today a new security feature for Google Cloud tenants that is meant to detect and block crypto mining operations that may be taking place behind the owners’ backs.

Named Virtual Machine Threat Detection (VMTD), Google said this new feature is an agentless system that continually scans the memory of virtual machines deployed in Google Cloud environments for tell-tale signs of increased CPU or GPU usage—specific to crypto-mining operations.

To avoid false-positive detections, the feature has been left disabled by default; however, any customer can enable it for their GCP VMs. They can do this by going to the Settings page of their Security Command Center and looking under the Manage Settings section.

So what’s the upshot for you? In a report published last year, the Google Cloud team said that after analyzing 50 recently compromised GCP instances, 86% were infected with crypto-mining payloads that hijack tenants’ resources such as the CPU or RAM to mine cryptocurrency for the attacker.

Global: Microsoft to block internet macros by default in five Office applications

Starting in early April 2022, Access, Excel, PowerPoint, Visio, and Word users will not be able to enable macro scripts inside untrusted documents that they downloaded from the internet.

The change, which security researchers have been requesting for years, is expected to put a serious roadblock in front of malware gangs, which have relied on tricking users into enabling the execution of a macro script as a way to install malware on their systems.

In these attacks, users typically receive a document via email, or are instructed to download one from a website. When they open the file, they find a message left by the attacker instructing them to enable the execution of the macro script.

While users with some technical and cybersecurity knowledge may be able to recognize this as a lure to get infected with malware, many day-to-day Office users are still unaware of this tec

So what’s the upshot for you? Microsoft said the decision to block VBA macros by default only affects Access, Excel, PowerPoint, Visio, and Word on Windows. Documents that contain VBA macros that have been created and obtained from inside an organization’s trusted network will still be allowed to execute.

“The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022,” Microsoft said yesterday.
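The block described above applies to documents that carry VBA macros. As an added example (not Microsoft's code and not from the newsletter), here is a triage check a mail gateway or help desk could run on an attachment: modern Office files (docx, xlsm, pptm) are zip archives, and a VBA project is stored as a `vbaProject.bin` part declared in `[Content_Types].xml`, so the presence of either is a reliable signal that the document would be subject to the new block. The sample archives are constructed inline; legacy binary .doc/.xls files are a different format and are deliberately reported as macro-free by this check.

```python
import io
import zipfile

# Content type that OOXML manifests assign to a VBA project part.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def find_vba_parts(data: bytes) -> list:
    """Return the archive paths of VBA project parts in an OOXML file.
    Returns [] when the file has no macros or is not a zip at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # Also trust the manifest: a declared VBA content type with the
            # part renamed or missing is still worth flagging for review.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml")
                if VBA_CONTENT_TYPE in manifest and not parts:
                    parts.append("<declared in [Content_Types].xml only>")
            return parts
    except zipfile.BadZipFile:
        return []

def has_vba_macros(data: bytes) -> bool:
    return bool(find_vba_parts(data))

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped archive for this example; it is not a
    document Word would fully render, but it has the parts the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = (b'<Types xmlns="http://schemas.openxmlformats.org/'
                  b'package/2006/content-types">'
                  b'<Override PartName="/word/document.xml" ContentType='
                  b'"application/vnd.openxmlformats-officedocument.'
                  b'wordprocessingml.document.main+xml"/>')
        if with_macro:
            ctypes += (b'<Override PartName="/word/vbaProject.bin" '
                       b'ContentType="' + VBA_CONTENT_TYPE + b'"/>')
        ctypes += b"</Types>"
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real compound-file VBA blob.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for label, macro in (("clean.docx", False), ("invoice.docm", True)):
        parts = find_vba_parts(build_sample(macro))
        print(f"{label}: {'MACROS ' + str(parts) if parts else 'no macros'}")
```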

US: Breach of state database may expose personal information

SEATTLE (AP) — The Washington State Department of Licensing said the personal information of potentially millions of licensed professionals may have been exposed after it detected suspicious activity on its online licensing system.

The agency licenses about 40 categories of businesses and professionals, from auctioneers to real estate agents, and it shut down its online platform temporarily after learning of the activity in January, agency spokesperson Christine Anthony said Friday. Data stored on the system, which is called POLARIS, could include Social Security numbers, birth dates, and driver’s licenses.

The agency doesn’t yet know whether such data was actually accessed or how many individuals may have been affected, Anthony said. In the meantime, POLARIS has been shut down.

The size of the breach remains unclear. Data from 23 professions and business types licensed by the state is processed via POLARIS, Anthony said.

Within those 23 categories, which also include bail bonds agents, funeral directors, home inspectors, and notaries, the agency has around 257,000 active licenses in its system, Anthony said, adding that “there are likely more records that may be identified while conducting our investigation.”

So what’s the upshot for you? If you are house hunting in that area, you may be out of luck. The disruption comes at a busy time for real estate agents, appraisers and home inspectors as the state’s real estate market begins to pick up after its typical winter slowdown.

KR: How your next phone might reduce ghost fishing

This last story contains only a little security and very little privacy, but it does contain something we think you will be happy to hear about.

When Samsung announces its 2022 Galaxy S lineup on February 9th, the phones it reveals will be partly made from a new, more sustainable material.

On Sunday, the company said it has started using ocean-bound plastic made from discarded fishing nets in its latest devices. Samsung said it would incorporate the material first into the products it announces next week before it eventually begins utilizing it throughout its entire device lineup.

As Samsung notes, we tend to think of plastic bottles and grocery bags as the main culprits of ocean debris like the Great Pacific Garbage Patch, but it’s microplastics and discarded nets that marine biologists are most worried about.

Derelict fishing gear leads to ghost fishing, a phenomenon where those tools continue to trap and kill marine life, including endangered species like the Hawaiian monk seal.

With more than 640,000 tons of fishing nets discarded every year, it’s a problem that’s only getting worse.

So what’s the upshot for you? We think they could be on to something big here.

That’s it for this week.

Stay safe, stay secure, leave the boots by the door… and we’ll see you in se7en,

Excellent newsletter. The deficiencies in DeFi et al are becoming obvious and impactful. I for one do not advocate private citizen action (Generally) against Nation States for any reason. However one of the stated goals of Government for which they are well authorised & funded … is to protect infrastructure, and by extension, the People. This is the much spouted ‘social contract’.

If They (Government) do not do, or are seen to not be doing what they should, expect more of this. Food supply degradation, public disorder, internet security etc are all issues that matter to us (People) directly :person_shrugging:t2:

Have to admire his commitment.

Thanks for the comments Ben. I have to say I begrudgingly admire this guy. It may be wrong and it may be naive, but at least he’s not rolling over. And in the meantime, were the officials he elected to protect him offering that protection?
