General IT Security related News for week ending 2020 05 12


Clearview AI won’t sell vast faceprint collection to private companies

Clearview AI – the web-scraping, faceprint-amassing biometrics company that’s being sued over collecting biometrics without informed consent – says it’s no longer going to sell access to its program to a) private entities or b) any entity whatsoever that’s located in Illinois.

Clearview’s artificial intelligence (AI) program can identify someone by matching photos of unknown people to their online photos and the sites where they were posted. Clearview AI founder and CEO Hoan Ton-That has claimed that the results are 99.6% accurate.

The company’s change of heart was revealed in court documents submitted during the course of a class-action suit against Clearview that was filed in Illinois in January. It’s just one of multiple suits: Clearview’s also up against similar lawsuits in Vermont, New York and California.

The Illinois suit charges the company with breaking the nation’s strictest biometrics privacy law – Illinois’s Biometric Information Privacy Act (BIPA) – by scraping some 3 billion faceprints from the web to sell to law enforcement and to what’s turned out to be a motley collection of private entities, including Macy’s, Walmart, Bank of America, Target, and Major League Baseball team The Chicago Cubs.

From a court declaration by their legal counsel last Wednesday: “Clearview is in the process of canceling the accounts of every remaining user who was not either a law enforcement body or other federal, state, or local government department, office or agency. At the same time, Clearview is in the process of canceling all user accounts belonging to any entity located in Illinois.”

However, that statement doesn’t quite mesh with reports that Clearview had been aggressively pursuing clients outside of law enforcement, including in law, retail, banking, and gaming, and that the company had been trying to gain traction outside of the US and Canada by pushing into Europe, South America, Asia Pacific, and the Middle East.


Texas courts hit by a ransomware attack

Charlie Osborne: The attack took place overnight last Thursday and was discovered on Friday morning according to the agency responsible for providing IT services to the Texan court system. The malware made its way through the Office of Court Administration (OCA)'s branch network. As soon as the ransomware was spotted, linked servers and websites were disabled in an attempt at damage limitation. “OCA was able to catch the ransomware and limit its impact, and will not pay any ransom,” the agency added. “Work continues to bring all judicial resources and entities back online.”


Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases

More than 4,000 Android apps that use Google’s cloud-hosted Firebase databases are ‘unknowingly’ leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data. “4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication.”

Purchased by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.

Perhaps there needs to be a little more instruction on securing the databases (or flashing lights on the instructions that are provided)!
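As an added illustration (not from the report above or from Google), here is the shape of the misconfiguration in Firebase Realtime Database security rules, beside a corrected, default-deny rule set. The `users` and `chats` paths and their fields are assumed for the example; the open rules left in the comment are what lets unauthenticated clients read an entire database through the REST API.

```json
{
  "rules": {
    // The open configuration behind the leaks: every path is readable and
    // writable by anyone who knows the database URL, no sign-in required.
    // ".read": true,
    // ".write": true,

    // Corrected: with no top-level rule, access is denied by default and must
    // be granted per path. Assumed layout: /users/{uid} and /chats/{chatId}.
    "users": {
      "$uid": {
        // Only the signed-in owner of this profile can read or write it.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        },
        // Refuse to store a password or raw access token under a readable path.
        "password": { ".validate": false },
        "access_token": { ".validate": false }
      }
    },
    "chats": {
      "$chatId": {
        // A chat is visible only to users listed in its members map.
        ".read": "auth != null && data.child('members').child(auth.uid).exists()",
        ".write": "auth != null && data.child('members').child(auth.uid).exists()",
        "messages": {
          "$msgId": {
            // A message must be attributed to the user writing it.
            ".validate": "newData.child('from').val() == auth.uid && newData.child('text').isString()"
          }
        }
      }
    }
  }
}
```

The corrected rules can be exercised in the Firebase console's Rules Playground before being deployed with `firebase deploy --only database`. They cover only the Realtime Database; Cloud Firestore and Cloud Storage carry their own rule sets, which need the same default-deny review.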


Forget Apple And Google—Contact-Tracing Apps Just Dealt Serious New Blow - reality

A month ago, Apple and Google stepped in to bring technical rigor and privacy safeguards to the wave of contact-tracing apps now under development. Apple and Google’s joint initiative will not develop apps. Instead, their operating system updates will make the tech work more efficiently in the background. The price those apps will have to pay for this convenience is adhering to strict privacy rules. That has itself caused issues—Apple and Google want all data to be held only on devices, with no central data repositories or tools. Health services in the U.K., France, and elsewhere claim this prevents the analysis of infection hotspots and rates. The tech giants have also banned location pings to be recorded by these apps.

Data modelers have said that effectiveness needs as many as 80% of smartphone owners in any country to install the app and adhere to its instructions. This take-up and adherence need to run for many months. Singapore started the push towards these types of Bluetooth apps with TraceTogether and has only reached around 20-25% of its population. Others are seeing the same.

And so there’s a serious irony to the latest news to come from Singapore. Hit by a second wave of infections and with the take-up of its TraceTogether app hovering at too low a level to make enough of a difference, the city-state has moved to the next level, launching a new contact-tracing surveillance program called SafeEntry that will strike fear into privacy groups campaigning against the use of these technologies.

But let’s step back and get an opinion on contact tracing apps from a fellow who should know. “My problem with contact tracing apps is that they have absolutely no value,” Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. “I’m not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? … This is just something governments want to do for the hell of it. To me, it’s just techies doing techie things because they don’t know what else to do.”


Iran reports failed cyber-attack on Strait of Hormuz port

Iranian officials said on Sunday that hackers damaged a small number of computers in a failed cyber-attack against the port of Bandar Abbas, the country’s largest port in the Strait of Hormuz. When the attack took place, local officials from the Ports and Maritime Organization (PMO) in the state of Hormozgan denied that anything had gone wrong, but central government officials eventually admitted the cyber-attack on Sunday under media pressure following an unrelated incident, also in the Strait of Hormuz, in which Iranian soldiers fired on one of their own ships, killing 19 soldiers and injuring 15 others.


US Says Chinese are Hacking Vaccine Research

The FBI and Department of Homeland Security are planning to release a warning about the Chinese hacking as governments and private firms race to develop a vaccine for COVID-19, the Wall Street Journal and New York Times reported. The hackers are also targeting information and intellectual property on treatments and testing for COVID-19. US officials alleged that the hackers are linked to the Chinese government.


Celebrity data taken in ransomware attack on legal firm

Variety.com: Law firm Grubman Shire Meiselas & Sacks, or just gsmlaw.com for short, has experienced a ransomware attack that apparently involved the appropriately named REvil malware. Rather than simply knocking the law firm out of action temporarily, the ransomware crooks are said to have stolen personal data from a laundry list of celebrity clients, allegedly more than 750GB in total including contracts, contact information and personal correspondence. “Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC. Facebook also is on the hackers’ hit list.”


UK: The 5G Coronavirus Conspiracy Theory Has Taken a Dark Turn

Wired UK: Though social networks have pledged to take more concerted action against it, the theory has continued to spread, inspiring a surge of attacks.

Mobile phone masts in the UK are still being attacked by arsonists on a daily basis because of a conspiracy theory linking 5G to the spread of coronavirus. New data seen by WIRED UK reveals that dozens of attacks have taken place in the last fortnight, with conspiracy theorists targeting both infrastructure and key workers in the misguided belief that they are somehow spreading coronavirus. In one incident, a broadband engineer was spat at in the face by an enraged member of the public. The engineer is now ill with suspected coronavirus.

Since March 30, there have been 77 arson attacks on mobile phone masts across the UK, with staff working on mobile infrastructure also reporting 180 incidents of abuse. There have been 13 additional incidents of sabotage reported, ranging from failed arson attacks to attempts to damage mobile network infrastructure in other ways. From April 20 through May 5, more than a week after the supposed peak of attacks in early April, there were 16 arson or sabotage attacks on mobile phone masts. When failed or attempted attacks are added to the tally, that number increases to 74.

The figures from the mobile phone sector are mirrored by Openreach, which is responsible for maintaining much of the UK’s broadband infrastructure. The company has recorded 63 incidents of abuse directed towards its staff while out working since April 1, with conspiracy theorists often filming such encounters while shouting and swearing at terrified key workers. Footage of these confrontations is then shared on social media. In the last two weeks of April, Openreach recorded 20 incidents of this nature.

The worry for industry figures is that despite a widespread and concerted effort to debunk the dangerous 5G coronavirus conspiracy theory, it continues to thrive both online and in the real world. “It’s deeply frustrating and saddening that our engineers are facing abuse of this kind,” says Catherine Colloms, managing director of corporate affairs and brand at Openreach. “We’ve seen a worrying surge in incidents where our engineers are being subjected to mindless verbal abuse or intimidation linked to the bogus 5G theory. It really needs to stop.”


One malicious MMS is all it takes to pwn a Samsung smartphone

Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices.

It appears no user interaction is required: if Samsung’s messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even opens it. This will trigger a vulnerability in the Skia graphics library, used by the app to decode the message’s embedded Qmage image. The end result is code execution on the device, allowing the miscreant who sent it to potentially snoop on their victim and come up with other mischief.

The remote-code execution flaw, labeled SVE-2020-16747, was discovered and reported by Google Project Zero’s Mateusz Jurczyk. Those with supported Google-branded devices should get the May fixes directly from Google, while other Android devices should see the fixes come from their respective vendors and carriers. This can happen anywhere from immediately to several weeks from now, to never, depending on the supplier.


US Marshals Service exposed prisoner details in security breach

According to breach notification letters sent this month, the USMS said the incident came to light on December 30, 2019, when the USMS Information Technology Division (ITD) received an alert from the Department of Justice Security Operations Center (JSOC) about a breach of a public-facing USMS server.

The USMS said the hacked server housed information on current and former USMS prisoners, including data such as names, dates of birth, social security numbers, and home addresses. The leak has exposed the personal details not only of US citizens arrested for serious crimes who are now serving long prison sentences, but also of Americans detained for short periods of time without a case being brought against them.


More Chrome Extensions Removed by Google

Danny Bradbury: Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.

Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store. Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive.

How do you keep yourself safe?

  • Install as few extensions as possible and, despite the above, only from official web stores.

  • Check the reviews and feedback from others who’ve installed the extension.

  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.

  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.


Black Hat USA and DEF CON Cancelled Due to #COVID19

Black Hat USA and DEF CON have become the latest victims of the COVID-19 pandemic, after organizers announced plans to cancel the cybersecurity conferences and replace them with virtual events. For DEF CON, the decision has turned a long-running joke on its head. For the past few years mischief-makers have taken to the internet to spread fake news about the event being canceled. “The #DEFCONiscanceled meme has crossed over into real life, courtesy of #COVID19,” wrote the organizers on Twitter on Friday. “In early March we had hopes that things would be stable by August. That is no longer realistic.”

DEF CON 28 Safe Mode will now run online from August 7-9, with 101 orientation Thursday. “Expect events like a new on-line Mystery Challenge, a DEF CON is Canceled music album, remote CTFs like Hack-a-Sat, Villages like the Packet Hacking Village, contests like the TeleChallenge, Ham Exams, and more. We are also planning a remote movie night and drink-up.”


Google Authenticator 2SV codes transferable across Android devices

In celebration of World Password Day (7 May), Google updated its Authenticator app to make it easier to transfer 2-Step Verification (2SV) codes from one Android device to another. Touting it as “one of the most anticipated features”, the Chocolate Factory said the ability to port “2SV secrets, the data used to generate 2SV codes across devices” would be particularly useful “when upgrading from an old phone to a new phone”… but only if your new phone is an Android too. The feature is available in v5.10 of Google Authenticator.


Dating site news:


MobiFriends data on 3.6 million users available for download online

Teri Robinson: The leaked personal data of more than 3.6 million users registered on dating site MobiFriends was made all the more vulnerable because the site used the notoriously weak MD5 hashing. The information posted online – including mobile numbers, usernames, birthdates and app activity – was taken during a January 2019 breach.


Hacking group puts millions of Zoosk dating profiles up for sale

If you have been trying to find love on the Zoosk app we’ve got some bad news for you.

Hackers are offering for sale what they claim is the stolen account information of millions of online daters who have used the popular Zoosk app.


Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks

The new attack method, dubbed Thunderspy, was discovered by Björn Ruytenberg of the Eindhoven University of Technology in the Netherlands. The researcher has discovered a total of 7 vulnerabilities related to improper firmware verification, weak device authentication, the use of unauthenticated device metadata, downgrade attacks, unauthenticated controller configurations, SPI flash interface issues, and the lack of Thunderbolt security when using Boot Camp, the tool that allows users to install Windows on Apple computers. Thunderbolt is the hardware interface created by Intel and Apple for connecting peripheral devices to a computer. Millions of laptops and desktop computers with a Thunderbolt port could be vulnerable to Thunderspy attacks.

Having watched the full proof of concept, we’d say there is relatively little immediate risk of this exploit due to the complexity of the kit needed to set it up. However, it’s one to watch out for especially when entering a country on the DA nation-state watchlist if your laptop has been away from you for any period of time.


Shuttered restaurants, bars, hotels speed up TV cord-cutting even more

WSJ: Residential customers have been cutting the cord for years, but now commercial subscribers to pay-TV companies have started jumping into the cancellation heap. Restaurants, bars, hotels, and airlines aren’t continuing to pay for pricey channel bundles when nobody is coming in, and even if they could, those viewers would have nothing to watch.

Cable operators continue to charge fees for sports programming that currently doesn’t exist thanks to a fairly tangled web of rights and contracts. And while some customers could receive rebates down the line, managing cash flow today may be easier if you just cancel the package altogether.

One bar and grill in Arizona told the WSJ cutting off its cable plan is saving the business $1,600 per month. Although the restaurant does anticipate opening for in-person dining in the next few weeks, tables will be spaced farther apart, capacity will be limited and the screens dark, as there are no professional or college sports to show.


NBA star loses Twitter account to rude hackers

Without any games to play, pro athletes are just as bored as the rest of us, and as they spend more time on social media, they are also more prone to having their accounts hijacked. Such was the case with NBA star Giannis Antetokounmpo, whose account was taken over and used to make a series of profane and insulting tweets about, among other people, the late Kobe Bryant and his daughter. “With these kinds of attacks, it is often less of a typical compromise and more of a drive-by graffiti of these accounts.”


Nintendo console details leak

Shaun Nichols: Fans of Nintendo were treated this week to a rare look at the most basic workings of some of the gaming giant’s best-known consoles. An anonymous hacker leaked some 2TB worth of source code related to the Nintendo Wii, GameCube, and Nintendo 64 designs. This cache includes Verilog code for the hardware – essentially the coded blueprints for the various chips.


Malware miscreants hit German medical group

European hospital operator Fresenius has become the latest organization to fall victim to ransomware. The German company, said to be one of the largest operators of private hospitals in the region, is reportedly dealing with an infection from the Snake ransomware, a relatively new malware group that exclusively targets large businesses.


Cognizant counts cost of malware attack

IT services company Cognizant has put an eye-watering price tag on the damage from its April ransomware ordeal. CEO Brian Humphries told analysts tuned into the company’s quarterly earnings call that the clean-up from the infection would be as high as $70m.


Digital Ocean Inadvertently Exposed Customer Data

Last week, the company started alerting customers that some of their data might have been accessed by third parties after a document from 2018 was unintentionally made available via a public link. “This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018.” The email alert also informed customers that the document had been accessed at least 15 times before the leak was noticed and plugged.


UK: Cyber-Attacks on Orgs Up 30% in Q1 2020

Michael Hill: New research from business ISP specialist Beaming has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020. Beaming analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute. This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.


Microsoft, Intel Introduce ‘STAMINA’ Approach to Malware Detection

We couldn’t resist, in part due to the fascination as to why acronyms are so important to some elements of business and military: Referred to as STAtic Malware-as-Image Network Analysis (STAMINA), the research leverages Intel’s previous work on static malware classification through deep transfer learning and applies it to a real-world dataset from Microsoft to determine its practical value.

The approach is based on the inspection of malware binaries plotted as grayscale images, which has revealed that there are textural and structural similarities between binaries from the same malware families, and differences between different families or between malware and benign software.

The technique is promising but so far only seems to work on small-scale models; however, the researchers have plans to increase their stamina (sampling). Sorry, we could not resist.


“Eurovision Song Contest” song written with AI has some off-key lyrics

Nic Fildes, FT.com: A team of Dutch academics named “Can AI Kick It” used AI techniques to generate a hit predictor based on the melodies and rhythms of more than 200 classics from the Eurovision Song Contest, an annual celebration of pop music and kitsch. These included Abba’s “Waterloo” (Sweden’s 1974 winner) and Loreen’s “Euphoria” (2012, also Sweden). But to generate the lyrics for the song “Abuss”, which the team members hoped to enter in the inaugural AI Song Contest, organized by Dutch broadcaster VPRO, they also mixed in a separate AI system—one based on the social media platform Reddit.

OK, now cast your mind back to the notorious Tay chatbot developed by Microsoft in 2016 that started spewing racist and sexist sentiments after being trained on Twitter and you can imagine you might end up with a song that crescendos as a robotic voice urges listeners to “kill the government, kill the system”.

“We do not condone these lyrics!” stresses Janne Spijkervet, a student who worked with Can AI Kick It and ran the lyric generator.

Although we could not hear the koalas, DA’s tip for the top of this new Eurovision-type song contest category is an Australian entry from “Team Uncanny Valley” called “Beautiful the World” that has the same sheen of a chart-topping dance hit but with a distorted AI-generated chorus of koalas, kookaburras, and Tasmanian devils.

Voting is now closed but results will be released later today by VPRO.

We hope to hear this as a selection in an upcoming DA-Radio slot.