From Peking... to Duck: The IT Privacy and Security Update for April 6th, 2021

Hello Daml’ers!

This week we go from Peking to Duck (literally), and we are sure you’re going to find the tastiest treats anywhere.

We take you crashing down a staircase with a wireless data communication company, add more evidence for spellchecking your child’s tweets, and offer an idea of why this team won’t be looking like Tony Stark (Iron Man) any time soon.

We give you a light pole update. Yes, we got that right, a light pole update. And what college students should do quickly if the school they are going to, or even applied to, is one of those caught up in the Accellion file transfer software compromise.

We finish with something that we thought was pretty cool… It’s almost the gamification of tracker blocking. We loved it for Android and iOS and we think you will too.

OK dinner guests. Adjust your place settings, tuck in your napkins and let’s give a toast to the best IT Privacy and Security menu yet!

CN: Cops Take Down the ‘World’s Biggest’ Video Game Cheat Ring

An organization called “Chicken Drumstick” had allegedly taken in $76 million in revenue for its subscription video game cheat service before law enforcement broke them up this week. The group had charged $10 a month for cheats to games like Overwatch and Call of Duty Mobile. In addition to confiscating $46 million in assets—which included no small number of luxury cars—police say they destroyed 17 cheats and arrested 10 people in the takedown. Chinese tech titan Tencent, which has a stake in several major gaming companies, collaborated with authorities in the operation.

So what’s the upshot for you? North Korean hackers are turning up everywhere and becoming quite brazen about it. Now they go after the gamers, but not without some pushback from an area of the world formerly known as Peking.

KP: North Korean Hackers Are Targeting Security Researchers … Again…

In January, Google reported that North Korea’s Lazarus Group hackers had spent a considerable amount of energy attempting to dupe security researchers, and had even had some success in doing so. This week, the search giant’s Threat Analysis Group followed up, saying that the North Korean campaign continued apace, this time armed with a fake website and bogus social media profiles. In an inspired bit of trolling, one of the Twitter puppets was named Sebastian Lazarescue (one of the fake researchers working for the fake company SecuriElite; “Lazarus” is a nod to the name US authorities had given the North Korean hacker group).
The attacker’s latest batch of social media profiles continues the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, Google identified two accounts impersonating recruiters for antivirus and security companies. They have reported all identified social media profiles to the platforms to allow them to take appropriate action.

So what’s the upshot for you? Trolling the security researchers is so ex-presidential.
LinkedIn is where the business world goes to reaffirm references and contacts, so we’d like to see them step up with some sort of credentialing system to validate people are who they say they are. Until then, you can report fictitious profiles as Google did, but don’t expect fast action, or any action if our experience is anything to go by… Although the Piper Webster in the blog post now seems to have become female.

Global: 533 Million Facebook Users’ Phone Numbers and Personal Data Leaked Online

Personal information associated with approximately 533 million Facebook users worldwide has been leaked on a popular cybercrime forum for free. The data was harvested by hackers in 2019 using a Facebook vulnerability.
The leaked data includes full names, Facebook IDs, mobile numbers, locations, email addresses, gender, occupation, city, country, marital status, account creation date, and other profile details, broken down by country, with over 32 million records belonging to users in the U.S., 11 million users in the U.K., and six million users in India, among others.
In total, the data being offered includes user information from 106 countries. The data appears to have been obtained by exploiting a vulnerability that enabled automated scripts to scrape Facebook users’ public profiles and associated private phone numbers en masse.

The flaw has since been fixed by Facebook.

So what’s the upshot for you? The Facebook leak has been added to the data breach website HaveIBeenPwned. This website is owned by Microsoft regional director and MVP Troy Hunt, a respected member of the security community, so you can trust his site with your details. Go to the site, enter the e-mail address you want to check, and the database will return all the breaches it was associated with. Then go to those websites and make sure your password has been changed. (Note that even after the change your e-mail will still show as being associated with that site’s breach… that is part of history, so you cannot change its presence, but you have made it safe.)

UK: The UK Is Trying to Stop Facebook’s End-to-End Encryption

Home Secretary Priti Patel is planning to deliver a keynote speech at a child protection charity’s event focused on exposing the perceived ills of end-to-end encryption and asking for stricter regulation of the technology. At the same time, a new report will say that technology companies need to do more to protect children online.

Patel will headline an April 19 roundtable organized by the National Society for the Prevention of Cruelty to Children (NSPCC), according to a draft invitation seen by WIRED. The event is set to be deeply critical of the encryption standard, which makes it harder for investigators and technology companies to monitor communications between people and detect child grooming or illicit content, including terror or child abuse imagery.

End-to-end encryption works by securing communications between those involved in them—only the sender and receiver of messages can see what they say and platforms providing the technology cannot access the content of messages. The tech has been increasingly made standard in recent years with WhatsApp and Signal using end-to-end encryption by default to protect people’s privacy.

So what’s the upshot for you? Destroying everyone’s privacy in the guise of protecting children from being exploited in child porn is not an effective solution. Maybe our friends in the middle east have the best idea with the public removal of the body parts of the adults involved. Do it in a few high-profile cases and that might prove the most effective deterrent of all.

Global: Ubiquiti Downplayed a ‘Catastrophic’ Breach

A whistleblower tells independent security journalist Brian Krebs that a recent breach of networking equipment company Ubiquiti was much worse than initially reported. The source said that hackers “obtained full read/write access to Ubiquiti databases at Amazon Web Services,” as well as root administrator access to Ubiquiti’s AWS accounts. That’s basically the keys to the kingdom. Ubiquiti has said in response that it has no indication that user data was accessed or stolen, although Krebs’s source says the company doesn’t keep logs that would give them that information in the first place. Anyways, it’s a mess!
The warning from Ubiquiti carries particular significance because the company has made it fairly difficult for customers using the latest Ubiquiti firmware to interact with their devices without first authenticating through the company’s cloud-based systems.

So what’s the upshot for you? Forcing users to log on to a cloud-based UI to configure their local equipment means you have to keep their account data safe. This is like watching someone fall down a flight of stairs in slow motion. It’s just… one thing… after… another…

Global: Hey @Ubiquiti, why are you pushing ads on the management interface for hardware I bought outright?

First it was a breach that they claimed didn’t happen, now you get ads in the UI on hardware you purchased. Ubiquiti can do no right.
“Right. Them taking out 30% of the usable screen space on the management UI is not ads. It’s a “new look”. What the actual FCK? To make matters worse, the markup has randomly generated class names, so it’s not like you can even use an ad blocker for this.”
So what’s the upshot for you? You’d be a little peeved if the networking equipment you paid for forced you to log on through a service that had been breached and then found the UI suddenly used 30% of the screen real estate to load up ads for things not even related to your networking.

Please expect more outrage to follow.

US: The US CISA Is Running on Fumes

It’s safe to say that many, many people are feeling pandemic burnout these days. But consider the men and women of the US Cybersecurity and Infrastructure Security Agency. After its widely respected leader Chris Krebs was fired by presidential tweet last fall, CISA has had to grapple with the fallout of SolarWinds and Hafnium, two of the biggest hacking campaigns to hit the US in recent history. Politico reports that the agency’s 2,000 workers are stretched dangerously thin, which could leave the United States ill-prepared to deal with the next attack.

So what’s the upshot for you? “Morale is generally really high,” the second employee said because even though many people feel overworked, they still love CISA’s mission and “are excited about the political appointees.” This will get them through the short term.

Let’s hope there is some staffing relief for the longer term.

US: The agency that controls U.S. nukes had its Twitter account accessed by a child

An unintelligible tweet made by U.S. Strategic Command (USSTRATCOM) on Sunday was produced by a small child, the Daily Dot has learned.

USSTRATCOM, which is responsible for the U.S. nuclear arsenal, stirred confusion after releasing a tweet that appeared to be gibberish: “;l;;gmlxzssaw.”

The tweet was deleted shortly after. USSTRATCOM issued an apology in a follow-up tweet and asked users to “disregard” the previous post.

Given USSTRATCOM’s role, Twitter users began joking that the agency had inadvertently sent out a nuclear launch code. The tweet was even used by followers of QAnon to further their conspiracy theory.

But it turns out the tweet was just an accident. The Daily Dot filed a Freedom of Information Act (FOIA) request with USSTRATCOM and learned that a small child had produced the tweet.

USSTRATCOM’s FOIA officer stated that the tweet had been made when the agency’s Twitter manager momentarily left his computer unattended.

“The Command’s Twitter manager, while in a telework status, momentarily left the Command’s Twitter account open and unattended,” the response reads. “His very young child took advantage of the situation and started playing with the keys and unfortunately, and unknowingly, posted the tweet.”

USSTRATCOM further stressed that the tweet was not the result of a hacking incident.

“Absolutely nothing nefarious occurred, i.e., no hacking of our Twitter account,” the response added, “The post was discovered and notice to delete it occurred telephonically.”

So what’s the upshot for you? If the fate of one of the world’s largest nations is in your hands and you are working from home, the least you could do is check your child’s spelling.

Global: iOS 14.5: 2 Game-Changing New iPhone Features Coming Any Minute Now

Here are the two game-changing updates coming with iOS 14.5.
iOS 14.5’s App Tracking Transparency
The App Tracking Transparency feature that will hurt the likes of Facebook was actually due when iOS 14 launched last year. However, Apple delayed the major new privacy update to give app developers more time to adjust to the shake-up ATT would cause to the advertising industry.

If you haven’t heard of it yet, ATT effectively does away with the so-called identifier for advertisers (IDFA), a means of helping advertisers to assess how well their campaigns are doing.

Facebook argues that this will impact the ability to offer personalized advertising, but Apple quite rightly points out that iPhone users have a right to know they are being tracked and to opt-out of this if they wish.

iOS 14.5: Open your phone using your Apple Watch
The second feature which I’m sure many iPhone users will be excited about is pandemic related. For a year now, it’s been an absolute pain to open your iPhone while out and about wearing a mask. Apple did make an adjustment that makes your passcode come up when it detects a mask, but this can be time-consuming.

In iOS 14.5, Apple will allow you to use your Apple Watch to open your phone. It’s not as secure as Face ID, and it’s not the Touch ID

So what’s the upshot for you? Patience is a virtue, and we have been looking forward to this for a long time, but do we really have to buy a watch … to unlock our phones?

US: Hackers Demand $40M in Ransom From Florida School District

Hackers left district leaders stunned when they broke into systems belonging to Broward County Public Schools and encrypted district data in a recent ransomware attack.

The criminals attempted to collect a $40 million ransom and threatened to erase files and post students’ and employees’ personal information online if the money was not paid.

Officials with Broward County Public, one of the nation’s largest school districts, said in a statement that initial investigations find no indication that any personal information was stolen.

During several days of communications a district official tried to negotiate a lower price for the ransom and explained that the district did not have access to enough funds to pay the exorbitant fee requested by the attackers. The district offered to pay $500,000, but negotiations broke down soon after.

Other public school districts have also been victims of ransomware attacks in recent years. Districts in Baltimore County, Md.; Fairfax County, Va.; Hartford, Conn.; and Fort Worth, Texas, all reported being hit in the last year.

So what’s the upshot for you? Don’t know if the hackers have any idea what school teachers get paid in the US, but globally, school budgets are pretty low.

US$40M sounds like the hackers need to go back to school for a lesson or two in finance.

US: Accellion file transfer service yields a massive security breach at US universities

A massive data breach has hit US Universities including Stanford University, University of California, University of Miami, University of Colorado Boulder, Yeshiva University, Syracuse University, and University of Maryland, Baltimore. Hackers have stolen terabytes of student, prospective student, and employee personal information including transcripts, financial info, mailing addresses, phone numbers, usernames, passwords and Social Security Numbers.

These breaches are part of the larger Accellion FTA leak which has affected ~50 organizations.

Students who applied to these colleges (or even have an account in the case of UC) are at risk of having their personal and financial information leaked publicly online including their Social Security Numbers. The hackers have sent emails to some victims. If you receive one of these emails, do not click the attached link unless you understand how to use Tor. The hackers are holding the universities at ransom. Unless the universities pay the ransom, the hackers will continue publishing student information.

So what’s the upshot for you? Steps to take if you have been affected

1. Change all of your passwords
While passwords are usually stored as hashes, it is still important to change your passwords after a data breach, because poor hashing practices (such as unsalted hashes) can allow your password to be recovered from its hash using a rainbow table.

2. Enable two-factor authentication
If you want to stay super-safe, you can enable two-factor authentication on your accounts. Two-factor authentication secures your account by requiring a second form of authentication, for example a phone app that generates a temporary security code that resets every 30 seconds, or a smart card.

3. Check your bank statements
Check your bank statements to make sure that no unauthorized payments have been made. If you believe your card number has been exposed, ask your bank for a new card number.

4. Check your credit report
If you believe that your Social Security Number has been compromised, you can get a free credit report from each of the three credit bureaus (Equifax, Experian, and TransUnion).

5. Freeze your credit
To prevent identity fraud, you can freeze your credit. Freezing your credit prevents anyone from opening new credit (e.g. a credit card) in your name. You must freeze your credit with all three credit bureaus. Freezing your credit on one will not freeze your credit on the other two.
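Why step 1 matters even though passwords are stored as hashes: the short Python demonstration below (added here, not part of the original post or any of the affected universities’ systems) compares a bare unsalted hash with a salted, iterated one. The five-word password list and the “leaked” hashes are constructed for the demo; a real precomputed table covers billions of candidates, which is why a breached unsalted hash should be treated as an exposed password.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for a precomputed (rainbow-style) table's input: a tiny
# list of common passwords. Real tables are built from billions of candidates.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]


def unsalted_hash(password: str) -> str:
    """The weak practice: a bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """hash -> password for every candidate. Computed once, reused against any
    breach that stored unsalted hashes, which is the point of a rainbow table."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """The sound practice: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes every user's hash unique, so no table built in advance matches."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def lookup(table: Dict[str, str], leaked_hash: str) -> Optional[str]:
    """Instant recovery if the leaked hash was unsalted and the password is in the table."""
    return table.get(leaked_hash)


def demo() -> tuple:
    """Returns (result for an unsalted leak, result for a salted leak) of the same password."""
    table = build_precomputed_table(COMMON_PASSWORDS)
    leaked_unsalted = unsalted_hash("letmein")          # what a DB of bare hashes exposes
    leaked_salted = salted_hash("letmein", os.urandom(16))  # same password, salted + iterated
    return lookup(table, leaked_unsalted), lookup(table, leaked_salted)


if __name__ == "__main__":
    weak, sound = demo()
    print("unsalted hash recovered as:", weak)   # letmein
    print("salted hash recovered as:  ", sound)  # None
```

The takeaway for a breach victim is that you cannot know which practice the breached site used, so the password has to be changed everywhere it was reused.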


US: The U.S. Unemployment System Is Plagued by $63 Billion in Fraud and Dysfunction

Americans have lost $63 billion nationwide of unemployment funds during the pandemic to improper payments and fraud (mostly the latter), according to February 2021 data from a watchdog for the U.S. Department of Labor.

This March, the Federal Trade Commission warned of this new development in a press release. “At a time when many people left jobless by the pandemic are struggling to get by, scammers reportedly are using websites that mimic government unemployment insurance benefits websites,” said Seena Gressin, an attorney in the FTC’s Division of Consumer & Business Education. “These sites trick people into thinking they’re applying for UI benefits, and they wind up giving the scammers their personal information.”
And in case you’re wondering how jobless Americans run across these fake websites in the first place, both Sadler and Gressin put the blame on spam ‘phishing’ emails and texts.

“The Department of Justice’s National Unemployment Insurance Fraud Task Force reports that scammers lure people to their fake websites by sending spam text messages and emails,” Gressin said. “The messages look like they’re from a state workforce agency [SWA] and give people links to these fake sites. When people enter their sensitive personal information on the fake sites, the scammers can use the information for identity theft.”

So what’s the upshot for you? The scammers are getting so quick, pretty soon they will pre-empt the benefits.
Remember to always take your time with these applications, think them through, and if you are not 100% certain about the look or feel of the website you are visiting, back up and start again. Losing a few moments is better than trying to recover a stolen identity or having the onus of trying to prove someone else got your bennies.

KR: Seoul does a light pole update

Seoul Metropolitan Government (SMG) is installing new ‘smart poles’ which act as streetlights, traffic lights, environmental sensors, footfall counters, smartphone chargers, Wi-Fi access points, CCTV and more.

Twenty-six smart poles have already been installed in six areas of the city. SMG plans to continue rolling the poles out as well as piloting a version of the infrastructure which can also charge drones and electric vehicles, and detect parking violations.

The city plans to use drones to “monitor potential disasters and emergency rescue efforts”, and from later this year, drones will be able to recharge from the upper part of the poles while sending data back to SMG.

So what’s the upshot for you? We probably shouldn’t expect adoption of these poles in the US without a ballistics component.

US: US Army AR headsets going for only US$182,333.00 apiece

If you want a cool heads-up helmet like Tony Stark in Ironman (just the helmet) it might be better to wait to buy it secondhand.

Microsoft announced that it has received a contract to outfit the United States Army with tens of thousands of augmented reality (AR) headsets based on the company’s HoloLens tech. This contract could be worth as much as $21.88 billion over 10 years. Microsoft will be fulfilling an order for 120,000 AR headsets for the Army based on their Integrated Visual Augmentation System (IVAS) design. The modified design upgrades the capabilities of the HoloLens 2 for the needs of soldiers in the field.
Microsoft says this announcement marks the transition from prototyping these designs to producing and rolling them out in the field.

So what’s the upshot for you? Many of the industry’s biggest players in augmented reality have been reluctant or outspoken in their avoidance of military contracts but Microsoft has remained undeterred in competing for these contracts and at US$183K per hat, now we know why!

Global: And Finally… If you are looking for a privacy-centric browser for your phone may we suggest…

“DuckDuckGo Privacy Browser has been the second most downloaded mobile browser in the US (after Chrome).”
Why? We think the chart they posted on Twitter showing what is collected in an un-anonymized fashion might be a clue.

So what’s the upshot for you? Well, we tested the DuckDuckGo browser on an Android phone and we can safely say that it elevates tracker blocking to almost a gamification level… It did crash a couple of times (well, it’s new… they will eventually get that right), but we like it. Let’s see how it goes over time.

And that is it for this week! We hope you liked the stories we cooked up for you and look forward to seeing you back here with a healthy appetite in se7en!

Find this blog post as a podcast along with dozens more on Spotify
