From Sausage Rolls to the IT Privacy and Security Weekly Update for January 25th, 2022



Daml’ers,

We start this week’s update in Wyoming and end in the empty arms of the lovelorn.

As we go rolling about between those two endpoints we chance upon gammy QR codes, supercomputers, schoolkids, high anxiety, and a couple of phone apps you won’t want to be installing this season.

So let’s jump into the overalls, don our builder’s boots, and put on those safety glasses, as we deconstruct this week’s, and might we add, the best IT Privacy and Security Weekly Update yet!


US: People Building ‘Blockchain City’ in Wyoming Scammed by Hackers

A week or two back, CityDAO—the group that bought 40 acres of Wyoming in hopes of “building a city on the Ethereum blockchain”—announced that its Discord server was hacked and members’ funds were successfully stolen as a result.

“EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. THERE IS NO LAND DROP. DO NOT CONNECT YOUR WALLET,” the project’s Twitter account declared.

So what’s the upshot for you? We built this city on sausage rolls.


US: Cybercriminals Tampering with QR Codes to Steal Victim Funds

https://www.ic3.gov/Media/Y2022/PSA220118

The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.

A QR code is a square barcode that a smartphone camera can scan and read to provide quick access to a website, to prompt the download of an application, and to direct payment to an intended recipient. Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.

Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.

Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

So what’s the upshot for you? It took some time for the US to catch up to Europe, but it has reached parity now. “While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code.”


Global: Facebook Trumpets Massive New Supercomputer

Facebook’s parent company Meta announced on Monday it was launching one of the world’s most powerful supercomputers to boost its capacity to process data, despite persistent disputes over privacy and disinformation.

The US tech giant said the array of machines could process images and video up to 20 times faster than their current systems. Meta said the machine, known as AI Research SuperCluster (RSC), was already in the top five fastest supercomputers and would become the fastest AI machine in the world when fully built in the next few months.

Platforms like Facebook and Google have long been criticized for the way they process and utilize the data they take from their users. “Nothing good can come from all of that computer power in the hands of such a tech superpower,” Diego Naranjo, the group’s head of policy, told Agence France-Presse.

So what’s the upshot for you? It’s like giving a hand grenade to a 5-year-old and having them reassure us they won’t pull the pin. We believe Zuck will treat this responsibly, after all, look what he’s done for Privacy and Security so far…what could possibly go wrong?


US: US Data Breaches Surge 68% to All-Time High

The volume of publicly reported data compromises in the US soared 68% year-on-year to a record high of one thousand eight hundred and sixty two, according to new data from the Identity Theft Resource Center (ITRC).

The non-profit said the figure was 23% higher than the previous record, set in 2017.

So what’s the upshot for you? “The number of breaches in 2021 was alarming. Many of the cyber-attacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”


US: The education sector was hounded by cyberattacks in 2021

Education and research were the top targets for cyberattackers in 2021, with an average of 1605 attacks per organization per week, a 75% increase from 2020, according to research by Check Point Software Technologies.

So what’s the upshot for you? Understand that schools never end up with an IT budget after the pay and perks that the teachers receive, but no one hesitates to pay the ransom. Bad planning? Any school kid can tell you that is bad planning.


RU: High anxiety spreads among Russian criminal groups in wake of REvil raid

“In the past, cybercriminals felt very safe in Russia. As long as they didn’t attack local targets, they felt they’d be fine. Russian cybercriminals had been arrested traveling outside the country, but this time they were arrested in Russian cities. That was a shocking moment.”

So what’s the upshot for you? They (the FSB) needed to sacrifice a few expendables to stall more serious geopolitical pressure. “In three months, if there isn’t another major arrest, it’s safe to assume no real change has happened with Russia’s approach.”


EU: European Regulators Hand Out €1.1bn in GDPR Fines

Europe’s data protection regulators issued over €1bn ($1.1bn) in GDPR fines since January 2021, a massive 594% year-on-year increase, according to international law firm DLA Piper.

According to DLA Piper, organizations risk suspension orders, fines, claims for compensation and service disruption if they export data to third countries outside the remit of the GDPR without first carrying out detailed assessments. These are required to ascertain the risk of interception of EU citizens’ data by public authorities such as local police and intelligence services in those countries.

So what’s the upshot for you? This ball has only started rolling.


BY: Belarusian hacktivist group attacks Belarusian Railways as military frictions mount

A group of Belarusian hackers claims to have encrypted the servers, databases, and workstations of Belarusian Railways with the aim of slowing down Russian troop movements as tensions continue to mount toward a potential Russian invasion of Ukraine.

The Belarus Cyber Partisans are a group of pro-democracy hacktivists who have been targeting the Russia-friendly Belarusian government with a series of hack-and-leak operations aimed at exposing government corruption.

So what’s the upshot for you? “It’s fascinating to see ransomware being used to benefit the underdog in what’s ostensibly a revolutionary struggle. That’s a nuance that we seldom deal with as we think primarily of targeted ransomware as an enterprise or financial concern.”


US: A white supremacist website got hacked, airing all its dirty laundry

Chat messages, images, and videos leaked from the server of a white supremacist group called Patriot Front purport to show its leader and rank-and-file members conspiring in hate crimes, despite their claims that they are a legitimate political organization.

Patriot Front, or PF, formed in the aftermath of the 2017 Unite the Right rally in Charlottesville, Virginia, in which one attendee rammed his car into a crowd of counterprotesters, killing one and injuring 35 others.

Friday’s published report said that the leak comprised about 400GB of data and came from a self-hosted instance of RocketChat, an open-source chat server that’s similar to Slack and Discord. It’s only the latest example of a hate group being hacked and its private discussions being dumped online.

So what’s the upshot for you? Patriot Front has aimed to terrorize non-white and pro-racial justice communities around the U.S. by trying to damage and deface murals and Black Lives Matter art by placing racist messages and other actions at the direction of its national leadership and regional Network Directors.
Members are required to submit proof of weekly ‘activism’ tasks and are criticized, scolded, and punished when they fail to meet their expected quotas.
Exposing this sort of detail is a positive step in throttling these activities. They can’t argue against the evidence presented.


CN: Mandatory Chinese Olympics App Has ‘Devastating’ Encryption Flaw

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The “simple but devastating flaw” in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists, and other attendees of the games in China’s capital, could allow health information, voice messages, and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app’s access to parts of their phones and that assessments from two unnamed cyber security organizations “confirmed that there are no critical vulnerabilities. The user is in control over what the… app can access on their device,” the committee told AFP, adding that installing it on cellphones isn’t required “as accredited personnel can log on to the health monitoring system on the web page instead.” The committee said it had asked Citizen Lab for its report “to understand their concerns better.”

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

“China has a history of undermining encryption technology to perform political censorship and surveillance,” Knockel wrote. “As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence,” he continued, adding that “the case for the Chinese government sabotaging MY2022’s encryption is problematic.”

The United States Olympic and Paralympic Committee is telling athletes to ditch their personal phones for burners ahead of next month’s Winter Olympics in China, according to a report from the Wall Street Journal. The advisory was reportedly sent out twice last year to warn athletes about the possibility of digital surveillance while in China. “Every device, communication, transaction, and online activity may be monitored,” the bulletin states. “Your device(s) may also be compromised with malicious software, which could negatively impact future use.” As noted by the WSJ, Great Britain, Canada, and the Netherlands have also cautioned athletes against bringing their personal electronics into the country.

So what’s the upshot for you? The Committee’s fears aren’t unfounded. In 2019, China was caught secretly installing spyware on the phones of tourists who entered from the Xinjiang region.


IL: Israeli Police Allegedly Used NSO Spyware Against Citizens

The Israeli business and technology news site Calcalist published an investigation this week alleging that Israeli law enforcement used NSO Group’s Pegasus spyware to surveil citizens including prominent members of a protest movement opposed to former Israeli Prime Minister Benjamin Netanyahu, former government employees, and mayors. The police broadly denied the report, but on Thursday, Israeli attorney general Avichai Mandelblit told the chief of police that he is launching an investigation into the claims. “It is difficult to overstate the severity of the alleged harm to basic rights” if Calcalist’s conclusions are found to be true, Mandelblit wrote to Israel Police Commissioner Kobi Shabtai.

Israel Police: “The claims included in your request are untrue. Israel Police acts according to the authority granted to it by law and when necessary according to court orders and within the rules and regulations set by the responsible bodies. Naturally, the police don’t intend to comment on the tools they use. Nevertheless, we will continue to act in a determined manner with all the means at our disposal, in the physical and online spaces, to fight crime in general, and organized crime in particular, to protect the safety and property of the public.”

So what’s the upshot for you? Oops


UK: Romance scammer who targeted 670 women gets 28 months in jail

A UK-based scammer who preyed on nearly 700 women and conned nine of them out of £20,000 (about $27,000), has been sent to prison.

A London resident pleaded guilty to charges of fraud and money laundering, including scamming £9500 out of one victim in the course of a fake 10-month online relationship.

According to the UK National Crime Agency (NCA), the scammer spun a hard-luck story about how he’d run short of money after paying for the funerals of a group of people who died in a tragic industrial accident. He needed the money for drilling equipment he was hiring for a business venture overseas.

As Dominic Mugan, a manager at the NCA, explains: “He had no regard for these women. He went to great lengths to gain their trust, fabricating stories to exploit them out of thousands.”

This is a typical pattern of romance fraudsters: they work to build rapport before making such requests. Romance fraud is a crime that affects victims emotionally and financially, and in some cases impacts their families.

So what’s the upshot for you? In the run-up to Valentine’s Day, we want to encourage all those who think they’ve been a victim of romance fraud to not feel embarrassed or ashamed but rather report it.


And that’s it for this week. Just leave those muddy boots by the door so they’ll be dried off in time for next week’s romp.

Until then stay safe, stay secure, avoid building on sausage rolls, and we’ll see you in seven!




This from a listener in London:

“Heard your podcast today. I installed this but not used it yet, but apparently is a good way to protect yourself against qr hijacking”

QR Scanner-Safe QR Code Reader - Apps on Google Play

Scan QR codes free from worry of scams, malicious, or dangerous websites, No Ads