Get fit with the IT Privacy and Security Weekly Update for March 2nd 2021

How are you feeling today Daml’ers?

Good, we hope! We are starting this week’s update with healthcare and ending with an insurance story in a journey that blows right past the doctors’ office.

In between buildings, your coveted iPhone 12 gets a lesson in how to improve battery life and then gets hacked.

We have great gossip about the Gab hack and one more amazing story about SolarWinds that will raise your heart rate and make you blush.

This really is the best IT Privacy and Security Weekly Update ever, so limber up with a couple of toe touches, chug those vitamins and let’s get that Zimmerframe going!

US: Just how Sick United Health Services was last autumn

Referring to it as an “information technology security incident,” UHS officials said the ransomware/cyberattack forced the organization to suspend user access to several information technology applications in the US during the attack.

No evidence of unauthorized access, copying or misuse of any patient or employee data was identified to date, according to UHS, one of the largest hospital and healthcare services providers in the US.
The disruption caused by the attack prompted UHS staff to divert ambulance traffic and elective/scheduled procedures at UHS acute care hospitals to competitor facilities during the recovery time, which UHS said affected its finances.

So what’s the upshot for you? How sick did they get? Well, one estimate was US$67M in pre-tax losses. Don’t know about you, but that would make us pretty ill.

IN: China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions

A detailed Technical report said that 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centers (RLDC) responsible for the operation of the power grid through balancing electricity supply and demand, had been identified as targets in a concerted campaign against India’s critical infrastructure.

Other targets identified included 2 Indian seaports.

So what’s the upshot for you? It’s like watching someone with absurdly large muscles, flexing at the gym just before they walk over to you and punch you in the head. You certainly feel threatened, and you know why, but there is not much you can do about it without a crazy amount of defense work.

US: Just another cost of doing business for Facebook

The settlement class included approximately 6.9 million Facebook users whose face templates were created and stored by the social media company after June 7, 2011.
The 1.6 million claim forms filed by the deadline represented only about 22% of eligible Facebook users in Illinois.
The substantial settlement was approved Friday, February 26, by a California federal judge, James Donato, who described it as “a major win for consumers in the hotly contested area of digital privacy.”
That works out to about $345 for each person in the class action suit and US$98,000,000 for the lawyers.
So what’s the upshot for you? You should have studied law.

US: Verizon tells users to disable 5G to preserve battery, then deletes the tweet

Verizon has reluctantly agreed to stop running ads that falsely imply the carrier’s 5G mobile service is available throughout the United States.
Verizon 5G makes heavy use of millimeter-wave signals that don’t travel far and are easily blocked by walls and other obstacles.
On top of that, 5G is generally only available in small areas instead of throughout entire cities. Yet Verizon has been running a commercial that “falsely implies that Verizon 5G service is broadly available nationally,” the National Advertising Division (NAD) of the BBB National Programs organization said yesterday.
The NAD recommended that Verizon discontinue two TV commercials and refrain from making the same claims in future ads.
Verizon has spent years hyping 5G despite it bringing just a minor speed upgrade outside the limited areas where millimeter-wave spectrum has been deployed, but the carrier’s support team advised users yesterday to shut 5G off if their phones are suffering from poor battery life.
“At this time, the 5G networks are only used for data connections, and are not yet capable of carrying phone calls and messages. Your phone will need to maintain a connection to the 3G or LTE network in addition to the 5G network so that phone calls, text messages, and data will be delivered consistently.
Because your phone is connected to multiple networks simultaneously, the battery will drain faster than one would typically expect, and the phone may get warmer than when solely on 3G or LTE.
As the 5G networks grow in capacity and capability, they will be able to handle more of your phone’s functions with less battery drain.”

So what’s the upshot for you? Two things related to 5g that shorten your phones battery life:
The 5G components are first gen. and probably a little larger in this iteration. They had to go somewhere and the easiest thing to reduce is the size of the battery.
The 5G infrastructure (in the US at least) is only starting to go into place in the most densely populated areas. This means that if you don’t have it available in your area, your phone will still try to search for it, which consumes extra power.
Most people will find that they get better battery life by turning off 5G for the next couple years.

Global:New Jailbreak Tool Works on Most iPhones

Unc0ver, a team of hackers behind the jailbreak tool, released a new tool that works on nearly every iPhone model and exploits a flaw that Apple reported was under active attack last month.
The group says its new tool works on iOS 11 to iOS 14.3, which was rolled out in December 2020.

It reportedly includes an exploit for CVE-2021-1782, an iOS vulnerability in the kernel that allows an attacker to gain privilege escalation and affects devices including the iPhone 6 and later; iPad Air 2 and later; iPad mini 4 and later, and the 7th-generation iPad touch. In a tweet, a hacker with the Unc0ver team says the group wrote its own exploit for the vulnerability.

The flaw was under active attack at the time Apple deployed a patch in iOS 14.4 earlier this year, along with fixes for two other iOS zero-days. It did not provide details on attacks using the flaw. At the time, it gave “an anonymous researcher” credit for reporting each of the vulnerabilities.

So what’s the upshot for you? This is why you patch your personal phone and your PC as expediently as possible.

Global: Passwords, Private Posts Exposed in Hack of Gab Social Network

Distributed Denial of Secrets (DDoSecrets), a self-proclaimed “transparency collective,” claim they have received more than 70 gigabytes of data exfiltrated from social media network Gab.

Gab, which touts itself as “a social network that champions free speech, individual liberty and the free flow of information online” has drawn in various alt-right and far-right users. A hacker was reportedly able to obtain the exposed data through an SQL injection vulnerability in the site, DDoSecrets claims.

Wired, which said they viewed a sample of the data, said that the data appears to include both individual and group profiles for Gab users, as well as hashed account passwords and 40 million public and private posts. These profiles include users’ descriptions and privacy settings, they said.

So what’s the upshot for you? If you are going to climb onto a soapbox to speak freely, make sure you don’t fall off.

US: Rookie coding mistake prior to Gab hack came from Gab’s own CTO

Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab’s open-source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company’s chief technology officer.
The change, which in the parlance of software development is known as a “git commit,” was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website.
Gab had long provided commits at Then, on Monday, the site suddenly removed all commits—including the ones that created and then fixed the critical SQL injection vulnerability. In their place, Gab provided source code in the form of a Zip archive file that was protected by the password “JesusChristIsKingTrumpWonTheElection”.

Besides the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing the commits from its website. Critics say the move violates the terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open-source software package for hosting social networking platforms.

So what’s the upshot for you? You couldn’t make this up. And, yes, Donald J. Trump’s account was also compromised in this one.

US: Aspirational billing scheme crashes on United Airlines.

Between 2012 and 2015, United engaged in a scheme to defraud the United States Postal Service (USPS) by submitting false delivery-scan data that made it appear as though mail was being delivered to meet the full payment requirements of the contract.

However, the airline submitted automated scan data that was not tethered to the actual delivery of the mail but was based merely on aspirational delivery times.

Through this data automation scheme, United secured millions of dollars in payments from the USPS that the airline was not entitled to under the terms of the contracts.

So what’s the upshot for you? Our biggest question is why the US government entered into a non-prosecutional agreement with United. United is paying criminal penalties and false claims act settlements. They are admitting they cheated, so why not toss a couple of people in jail to disincentivize others?

Global: Shedding new light on the risks associated with browser extensions.

Many browser extensions have garnered hundreds of thousands or even millions of users.
But here’s the problem: As an extension’s user base grows, maintaining them with software updates and responding to user support requests tends to take up an inordinate amount of the author’s time.
Yet extension authors have few options for earning financial compensation for their work.
In fact last year, Google announced it was shutting down paid Chrome extensions offered on its Chrome Web Store.
Infatica[dot]io is part of a growing industry of shadowy firms trying to woo developers who maintain popular browser extensions.
Infatica seeks out authors with extensions that have at least 50,000 users. An extension maker who agrees to incorporate Infatica’s computer code can earn anywhere from $15 to $45 each month for every 1,000 active users.
Infatica’s code then uses the browser of anyone who has that extension installed to route Web traffic for the company’s customers, including marketers or anyone able to afford its hefty monthly subscription charges. Yes, you become a proxy for some else’s web traffic.
Developers found that their users “didn’t like that the extension might be using their browser as a proxy for going to not so good places like porn sites.”

“It’s a really tough marketplace for extension developers to be able to monetize and get rewarded for maintaining their extensions,” he said. “There are tons of small developers who haven’t been able to do anything with their extensions. That’s why some of them will go into integration with companies like Infatica or sell the extension for some money and just be done with it.”
So what’s the upshot for you? Sometimes it’s best to seek out paid services. It stops developers from having to find alternate means to scrape together a living which might mean they end up with a company like Infatica hijacking your internet connection for things you might never have considered.

Global: Intern caused ‘solarwinds123’ password leak, former SolarWinds CEO says

Top executives of the software firm SolarWinds blamed an intern for having used a weak password for several years, exposing the company to the world’s largest hack… ever.
Top executives of the SolarWinds firm believe that the root cause of the recently disclosed supply chain attack is an intern that has used a weak password for several years.
Initial investigation suggested that the password “solarwinds123” was publicly accessible via a misconfigured GitHub repository since June 17, 2018.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”

“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” CEO Sudhakar Ramakrishna said in response to Porter.

Former SolarWinds CEO Kevin Thompson declared that the password issue was “a mistake that an intern made. They violated our password policies and they posted that password on an internal Github site, and then externally through their own private Github account,” Thompson explained.

So what’s the upshot for you? …I actually blushed writing up this story.
This one just gets more unbelievable by the day. Does this demonstrate that SolarWinds had no security or risk management program? You decide.
As you do your own corporate risk reviews, it is important to understand, completely, what the independent audit covers. It might also seem important that your VP of security holds 18 patents, but that doesn’t help if he lets interns have the SolarWinds123 admin password!

Global: Google teams up with cyber insurers

Cyber insurance providers, Allianz Global Corporate and Specialty (AGCS), Munich Re, and Google have gotten together to create the “Risk Protection Program” for Google Cloud/Google Cloud Platform (GCP).
The program introduces a new Google Cloud security tool called Risk Manager, which gives businesses the ability to measure and manage their risk via Google Cloud and receive reports on their security posture, officials explain.
Organizations can work with their insurance broker to use Risk Manager to send reports to AGCS and Munich Re. In turn, the insurers can use these reports to evaluate a business’s security and eligibility for Cloud Protection +, a cyber-insurance policy created for Google Cloud users.
“Our confidence in Google Cloud’s overall security level and improved data insights provided through the Risk Manager tool reports allowed us to create the Cloud Protection + policy. A specialized cover that provides Google Cloud customers an enhanced cyber coverage and a streamlined application process, tied directly to the implementation of security measures shown in the Risk Manager report.
By “seamlessly” combining Google’s cutting edge cloud technology with our best in class risk transfer expertise, Munich Re and AGCS are now positioned to offer a superior solution to our clients.” - Robert Parisi, Head of Cyber Solutions-North America, Munich Re.

So what’s the upshot for you? We like this idea. Why not? Offer known controls. Clear those with the insurers and then use that tangible control framework to measure risk. Now, while we applaud the initiative, we will wait to see how this all pans out, because, as they say, “the proof is in the pudding!”

and that’s it for this week. We hope your blood pressure has settled after reading this. Dump the Zimmer, put on those track spikes, and we’ll look forward to seeing you next week for another superfit edition!

Stay safe, stay secure, and see you in se7en!


How many years do you have to put in as an Intern at Solarwinds before they take you on as an employee ??