Daml’ers,
This week we zoom from your face to space, dodging flying objects as we go.
We learn a bit more about Putin’s pre-war prep and its effect on Google and Apple. We discover a new website that helps us deliver a text to one of the millions of Russian citizens who may not have access to different perspectives on the Ukraine invasion.
We see an amazing data collection mapped to within 150 meters of where it happened, the issuance of new DNS certs and the quick sprint of the ruble into crypto.
We discover a new computer virus and get rid of an old computer anti-virus.
Then we get yet another lesson on why password hygiene is so important from one of the most unlikely sources yet.
This is definitely the best IT Privacy and Security Weekly update yet, so grab your butterfly nets and let’s see what we can clear out of low Earth orbit.
Global: Online Sleuths Are Using Face Recognition to ID Russian Soldiers
On March 1, Chechnya’s leader, Ramzan Kadyrov, posted a short video on Telegram in which a cheery bearded soldier stood before a line of tanks clanking down a road under an overcast sky. In an accompanying post, Kadyrov assured Ukrainians that the Russian army doesn’t hurt civilians and that Vladimir Putin wants their country to determine its own fate.
In France, the CEO of a law enforcement and military training company called Tactical Systems took a screenshot of the soldier’s face and got to work. Within about an hour, using face recognition services available to anyone online, he identified that the soldier was likely Hussein Mezhidov, a Chechen commander close to Kadyrov involved in Russia’s assault on Ukraine, and found his Instagram account.
Not long ago, a commander or prisoner of war pictured in a news report might be recognizable only to military and intelligence analysts or the individual’s own colleagues, friends, and family. Today a stranger on the other side of the globe can use a screenshot of a person’s face to track down their name and family photos—or those of a look-alike.
This Bellincat article steps you through the process, and results of several identification attempts. “The Russian website SearchFace has been taken offline and replaced with FindClone, a far easier tool to use than SearchFace was. You need to use a mobile telephone number to create an account for FindClone, which then gives you 20 or so searches over a set number of days to run your searches (unless you register for a relatively low fee). I personally used a “burner phone” (pre-paid phone not tied to my real number) for this, and I am not aware if there are any dangers to your privacy in using your “real” phone number. Additionally, the new FindClone(dot)ru site will directly link you to the profile that matches the face you search. The facial recognition algorithms are outstanding, and we at Bellingcat have used this site quite a bit and broken a long-dormant investigation wide open by identifying a few individuals whom we never previously thought we could confidently identify.”
That power to identify people from afar could bring new accountability to armed conflict but also open new avenues for digital attack. Identifying—or misidentifying—people in videos or photos said to be from the front lines could expose them or their families to online harassment or worse.
Face algorithms can be wrong, and errors are more common on photos without a clear view of a person’s face, as is often the case for wartime images.
So what’s the upshot for you? While Google lets you put in a name and search for a face, it hasn’t switched on facial recognition for searches so that you can perform the inverse. The Russian website Yandex has.
RU: How Putin’s Pre-War Moves Against Google and Apple Prepared His Clampdown on Free Speech
The Washington Post shares a story that hasn’t been previously disclosed. “Russian agents came to the home of Google’s top executive in Moscow to deliver a frightening ultimatum last September: take down an app that had drawn the ire of Russian President Vladimir Putin within 24 hours or be taken to prison.”
Google quickly moved the woman to a hotel where she checked in under an assumed name and might be protected by the presence of other guests and hotel security, according to people with knowledge of the matter.
The same agents — believed by company officials to be from Russia’s FSB, a successor to the KGB intelligence service — then showed up at her room a short while later to tell her the clock was still ticking.
Within hours, an app designed to help Russians register protest votes against Putin could no longer be downloaded from Google or Apple, (whose main representative in Moscow faced a similarly harrowing sequence…)
The unnerving encounters, which have not previously been disclosed, were part of a broader campaign that Putin intensified last year to erode sources of internal opposition — moves now helping him maintain his hold on power amid a global backlash over the invasion of Ukraine. In a single year, Putin had his political nemesis Alexei Navalny imprisoned after a poisoning attempt failed to kill him; pushed independent news outlets to the brink of extinction; orchestrated a Kremlin-controlled takeover of Russia’s Facebook equivalent; and issued “liquidation” orders against human rights organizations.
Amid this internal offensive, Putin also moved to bring foreign technology companies to heel. Moscow deployed new devices that let it degrade or even block Russians’ access to Facebook and Twitter, imposed fines totaling $120 million on firms accused of defying Kremlin censors, and ordered 13 of the world’s largest technology companies to keep employees in Russia and thus exposed to potential arrest or other punishment for their employers’ actions — a measure that U.S. executives refer to as the “hostage law.”
On their own, these moves were seen as disparate signs of Russia’s descent into authoritarianism. But they also laid the groundwork for the Soviet-style suppression of free expression now underway in Russia, much as the months-long military buildup set the stage for the invasion of Ukraine.
The article also notes "preliminary evidence” that the suppression strategy is working.
“Polls, whose reliability is always uncertain in Russia, show that a majority of Russians support the war. In interviews with Western journalists that have gone viral online, Russians who rely on state-controlled media have consistently echoed Kremlin falsehoods about eradicating alleged Nazism in Ukraine while seeming to be genuinely oblivious to the war’s carnage.”
The article also notes how Apple is responding to Ukraine’s crisis — but also includes this anecdote:
Apple has similarly kept employees in Russia and taken other steps to placate the Kremlin. The company last year began configuring iPhones sold in Russia to promote Kremlin-backed social media companies, enabling users to activate them with a single click. It is an accommodation Apple has rarely made elsewhere and advances Putin’s goal of migrating Russian people to platforms controlled by the government, according to Russian analysts.
So what’s the upshot for you? These activities by the Kremlin were building toward an end goal. Now that the intent has been fully revealed, our only thought is to why we are just learning of them, what with the West’s free press and all…
Global: How To Text Random Russians The Truth About Putin’s War In Ukraine
https://1920.in/
To the average Russian, Vladimir Putin’s war in Ukraine might be just a “special military operation” designed to liberate an oppressed Russian minority from evil Ukrainian Nazis.
And thanks to Russia’s recently beefed-up censorship, a new law with a 15-year jail term against contradicting official stories about the war, and another new Russian Internet Law designed to help Russia disconnect from the wider global internet, who’s to tell them differently?
You.
It’s called 1920.in, after a World War II unit of Polish pilots who joined Britain’s Royal Air Force to continue the fight against Hitler even after their country was conquered. And here’s how to use it:
Go to 1920.in.
Wait while Cloudflare passes you through anti -DDOS (distributed denial of service) protection. This is necessary since Russian hackers may try to flood the website with traffic, making it inaccessible.
Enter the number you see at the top of your screen into your texting app. (Note: this is easier if you’ve enabled text on your computer, in which case you can simply click to copy the phone number and paste it in your computer’s messaging app.)
Click the Copy Text button to copy the already translated-into-Russian message you’re going to send. Open a new browser window, navigate to translate.google.com, and paste it in. Read the English translation and ensure you’re in agreement with the message. (This is optional, but I always would like to know what I’m going to send someone.)
Now, if you’re on your laptop, paste the Russian-language message into your messaging app, and hit Send. If you’re not, use AirDrop (on iPhone/Mac) or Android Nearby Share on Android to send the message to your phone. (You could also email it.)
This works because Squad303, the group of programmers behind the project, “obtained some 20 million cellphone numbers and close to 140 million email addresses owned by Russian individuals and companies,” according to the Wall Street Journal.
Now you can send individual, personal messages to Russians who are behind a re-emerging and newly digitalized Iron Curtain.
Suggestion: keep them positive and pleasant. Be prepared for some angry responses from people who have bought the official Russian government’s story hook, line, and sinker. (In this case, you can simply block the number in your messaging settings.)
But also be ready for real, honest, and worthwhile interactions with average Russians, many of whom do not share their government’s or Vladimir Putin’s motivations in pursuing this war against Ukraine.
So what’s the upshot for you? This is an amazing opportunity to share perspective with a Russian citizen. There may be pushback, but be patient, be kind and be persistent. You may come away amazed at the changes you help create.
RU/UA: The Russia-Ukraine Monitor Map
The Russia-Ukraine Monitor Map is a crowdsourced effort by Centre for Information Resilience (https://twitter.com/Cen4infoRes), Bellingcat, Conflict Intelligence Team, and the wider open source community to map, document, and verify significant incidents during the conflict in Ukraine.
“The aim of our work is to provide reliable information to the world.”
The content is logged in a central database where the material is archived for future use by researchers, reporters as well as justice and accountability bodies.
For more information on this effort, please visit: Follow the Russia-Ukraine Monitor Map - bellingcat
WHAT THIS MAP IS: The pins on this map represent incidents or events depicted through video, photo, or satellite imagery and have undergone verification to identify where and when it was taken.
Content has also been marked with a violence level to indicate the level of graphic content that is seen in the links – please keep this in mind when viewing the content.
Some of the pins on this map may have randomized locations within 150meters to maintain the safety of those who produced the content.
So what’s the upshot for you? This is an important piece of work that must be seen to be believed.
RU: Moscow to issue HTTPS certs to Russian websites
https://www.gosuslugi(dot)ru/tls
Moscow has set up its own certificate authority to issue TLS certs to Russians affected by sanctions or otherwise punished for president Putin’s invasion of Ukraine.
A notice on the government’s unified public service portal states that the certificates will be made available to Russian websites unable to renew or obtain security certificates.
The portal is silent on which browsers will accept the certs. This is a critical matter because if browsers don’t recognize or trust the certificate authority that issued a cert, a secure connection isn’t generally possible.
So what’s the upshot for you? If these certs were made to function, it’s a bonus for Putin, because it’s easy for the Kremlin to intercept, decrypt, and eavesdrop on connections encrypted using certificates issued by the government. The more websites using Moscow-issued certs, the more connections Putin’s agents can quietly monitor.
We certainly can’t imagine that any of the mainstream browser devs. will rush to make these Russian certs work in their applications.
RU/UAE: Russians Liquidating Crypto in the UAE To Seek Safe Havens
Crypto firms in the United Arab Emirates (UAE) are being deluged with requests to liquidate billions of dollars of virtual currency as Russians seek a safe haven for their fortunes, Reuters is reporting, citing company executives and financial sources.
Some clients are using cryptocurrency to invest in real estate in the UAE, while others want to use firms there to turn their virtual money into hard currency and stash it elsewhere, the sources said one crypto firm has received lots of queries in the past 10 days from Swiss brokers asking to liquidate billions of dollars of bitcoin because their clients are afraid Switzerland will freeze their assets, one executive said, adding that none of the requests had been for less than $2 billion.
So what’s the upshot for you? “We’ve seen a lot of Russians hedging their bets against the devaluation of the rouble by moving a lot of assets into crypto. And the UAE is relatively loose in terms of its regulation and authorities over transferring crypto here.”
DE: Hackers Hit Rosneft
According to a report by Stuttgarter Nachrichten, Rosneft reported the cyber-attack to the Berlin State Criminal Police Office on Saturday.
Although Rosneft’s systems have been impacted by the attack neither the company’s business nor its ability to supply energy had been disrupted.
Security sources cited by the newspaper suspected the hacking collective “Anonymous” of being behind the attack after the group declared its intention to hit Russian targets in response to Russia’s invasion of Ukraine.
Anonymous has published a statement on social media claiming responsibility for the attack. The group wrote: “Anonymous has attacked the energy company Rosneft. It is confirmed to have caused extensive damage. The attack captured a total of 20TB of data.”
So what’s the upshot for you? Here’s the problem: The Rosneft hackers that are part of the Anonymous collective, could be German, American, or from any Nato country. What if Russia interprets that as an act of war?
This is the real danger of a global cyber civil war that has no controls in place.
DE: Germany Warns Kaspersky Software Risks Being Exploited by Russia
Germany warned against using anti-virus software from Moscow-based Kaspersky Lab due to risks it could be exploited by Russia for a cyber attack.
The Federal Office for Information Security, or BSI, issued the warning on Tuesday, saying that companies and authorities with special security status and operators of critical infrastructure could be “, particularly at risk.”
The danger has increased since Russia’s invasion of Ukraine, the Bonn-based agency said in a press release, citing threats made by Moscow against NATO, the European Union, and Germany.
In 2017, the U.S. government banned all use of Kaspersky Lab software in federal information systems, citing concerns about the firm’s links to the Russian government and espionage.
The company denied any wrongdoing in that case and pushed back against Germany’s move now.
So what’s the upshot for you? The BSI announcement prompted soccer club Eintracht Frankfurt, which plays in Germany’s top division, to end its sponsorship deal with Kaspersky.
“We have notified Kaspersky management that we are terminating the sponsorship agreement effective immediately,” club spokesman Axel Hellmann said in a press release. “We very much regret the development.”
UA: New CaddyWiper Data Wiping Malware Hits Ukrainian Networks
Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks.
“This new malware erases user data and partition information from attached drives,” ESET Research Labs explained. “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.”
While designed to wipe data across Windows domains it’s deployed on, CaddyWiper will use the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller.
If so, the data on the domain controller will not be deleted. This is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit while still heavily disturbing operations by wiping other critical devices.
While analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it was also discovered that the malware was deployed in attacks the same day it was compiled.
"CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us.
The sample we analyzed was not digitally signed," ESET added. “Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”
So what’s the upshot for you? The point that the miscreants already had access to the Ukrainian networks to push a quick refresh should not be missed.
Global: iPhone iOS 15.4 updates enhance security
Face ID to open your iPhone while wearing a mask …now that you are probably not wearing one.
Apple’s iOS 15.4 allows you to open your iPhone while wearing a mask, without the need for your Apple watch to lend an extra hand.
It’ll do so by scanning the area around your eyes.
Granted, this iOS 15.4 feature won’t be as secure as full Face ID, and it’s really two years too late—but it’ll be super-handy when you are out and about in stores, wearing a mask and need to pay for something, or if there is another variant.
Updates to the Apple Keychain password manager: The Keychain password manager is an alternative to “full service” options such as Bitwarden, LastPass, and 1Password, if you are new to password managers or only use Apple devices.
One of the biggest problems with the Keychain is that it lacks the features of its non-Apple competitors. But the iOS 15.4 upgrade aims to change that because it comes with the ability to add notes to your passwords such as PIN codes and security questions—a very useful addition.
iOS 15.4 arrives with security updates: These features boost your iPhone’s security, and iOS 15.4 comes with fixes for vulnerabilities too.
So what’s the upshot for you? Apple is no longer pushing out important security patches to phones on iOS 14 either. For this reason, it’s actually important to look out for the iOS 15.4 upgrade available from today. Beware, it’s a bigg’un.
IL: Israeli Government Sites Crash in Cyberattack
A number of Israeli government websites went down on Monday in what may be the largest-ever cyberattack carried out against the country.
The Israeli cyber authority confirmed the attack was a DDos (Digital-denial of service) attack that had blocked access to government websites, and that all websites were back online.
The websites of the interior, health, justice, and welfare ministries had been taken offline, as was that of the Prime Minister’s Office. A defense establishment source claims that this was the largest-ever cyberattack carried out against Israel.
They believe that a state actor or large organization carried out the attack, but cannot yet determine who is behind it.
The defense establishment and the National Cyber Directorate declared a state of emergency in order to study the extent of the damage, while checking strategic Israeli websites and government infrastructure, such as Israel’s electric and water companies, to see whether they were also attacked.
So what’s the upshot for you? As of now, all of the websites are operational.
US: Nvidia leak shows weak passwords in use
Last month, the LAPSUS$ hacking group stole up to one terabyte of internal data from graphics card maker NVIDIA.
An analysis by Specops Software of 30,000 of the leaked passwords found that these were the top 10 base words:
- nvidia
- nvidia3d
- mellanox
- ready2wrk
- welcome
- password
- mynvidia3d
- nvda
- qwerty
- September
So what’s the upshot for you? Nearly 48% of employees have to remember more than 11 passwords just in their work lives. With that mental burden, it is understandable that employees would rely on simpler passwords, or reusing passwords which is why we advocate two-factor authentication (or 2fa) on every site that accepts it, and use of a password manager.
US: Regular visitor to South Denver Cardiology Associates? You and 287K others now have another heart-stopping problem
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
In a recent privacy incident notice issued to its patients, South Denver Cardiology Associates (SDCA) disclosed that its network had been breached in January 2022.
The unknown perpetrator(s) gained access to files containing information on 287,652 patients during the attack.
SDCA said: “On January 4, 2022, we identified unusual activity within our computer network. We immediately initiated our incident response process, which included taking steps to secure the network and shutting off select computer systems.
“We also began an investigation with the assistance of a computer forensic firm and notified law enforcement.”
Investigators determined that the files accessed in the attack contained patient information, which may have included patients’ names, dates of birth, Social Security numbers and/or drivers’ license numbers, patient account numbers, health insurance information, and clinical information, such as physician names, dates and types of service and diagnoses.
So what’s the upshot for you? In truth, SDCA is still trying to figure out the extent of the intrusion and theft.
Space: Just Hanging out
The US astronaut Mark Vande Hei has made it through nearly a year in space but now faces what could be his trickiest assignment: riding a Russian capsule back to Earth in the midst of deepening tension between the two countries.
Nasa insists Vande Hei’s homecoming at the end of the month remains unchanged, even as Russia’s invasion of Ukraine has resulted in canceled launches, broken contracts, and an escalating war of words from Dmitry Rogozin the leader of the Russian Space Agency.
Many worry Rogozin is putting decades of peaceful partnership at risk, most notably at the International Space Station (ISS).
Vande Hei, who on Tuesday will break the US single spaceflight record of 340 days, is due to leave with two Russians aboard a Soyuz capsule for a touchdown in Kazakhstan on 30 March. He will have logged 355 days in space.
So what’s the upshot for you? All this comes on top of a 4-month delay so a Russian film crew could film at the Space station, and a Russian anti-satellite missile test in November that added junk to debris encircling Earth putting all crew members on high alert for days.
Note that debris is already a significant problem in critical Earth orbits, including low Earth orbit. More than 23,000 orbital debris objects larger than 10 centimeters (about 4 inches) in diameter exist alongside thousands of untracked smaller fragments; these objects travel at immense speeds, averaging 7–8 kilometers (over 6 miles) per second.
Space debris can cause serious structural damage—including catastrophic damage—to satellites.
Intentional debris-creating actions like direct-ascent anti-satellite ASAT tests are particularly egregious sources of orbital pollution and Russia’s ASAT test has significantly contributed to a degraded environment in low Earth orbit.
That’s it for this week. Stay safe, stay, secure, please leave your butterfly net with the armed guard at the door… and we’ll see you in se7en,