Getting Hatty in the IT Privacy and Security Weekly Update for the Week ending August 9th, 2022


From outer space to time travel: this week it’s “All systems go!”

We find ourselves in the cow flower and then get “compromised by” Twitter, Slack, and Twilio.

We find the legal detail in the class action lawsuit behind the company which must have one of the worst ads on US television right now.

We discover a couple of new players in the phone security arena and perhaps come away with some ideas for holiday gifts (they say you can’t start too soon).

White Hat Up

This week’s update is unquestionably the best one yet so grab that hat and let’s go!

Outer Space: Russian Military Satellite Appears To Be Stalking A New U.S. Spy Satellite

When a U.S. satellite passed over Russia’s Plesetsk Cosmodrome, a Russian satellite was launched close behind it “with capabilities unknown, getting suspiciously close…”

Russia has launched satellite 14F150 Nivelir into orbit under a mission dubbed Kosmos-2558, and its current orbital path could soon place it in close proximity to what is reported to be the spy satellite designated USA-326.

Unconfirmed rumors that the asset will serve as an ‘inspector’ satellite to covertly spy on nearby spacecraft have begun to circulate online following the launch and would line up with Russia’s known on-orbit anti-satellite weapons capabilities and developments.

Its exact purpose is unknown at present, but it has been described as an “inspector” satellite, a term that is often associated with so-called “killer satellites…” Jonathan McDowell, an astronomer at the Center for Astrophysics, has noted that Kosmos-2558’s current orbital path will place it within 80 km of what is believed to be the USA-326 satellite.

For reference, the Center for Astrophysics is a collaborative effort run jointly by the Smithsonian Astrophysical Observatory and Harvard College Observatory…

USA-326 was launched in February of this year on a SpaceX Falcon 9 rocket out of Vandenberg Space Force Base. Its mission, designated NROL-87, is a classified national security operation led by the National Reconnaissance Office (NRO) in partnership with SpaceX.

A press release shared by the NRO following the initial launch claimed that NROL-87 was designed, built, and now operated by the NRO to support its “overhead reconnaissance mission,” which is largely centered around protecting national security through the exploitation of space-based intelligence, surveillance, and reconnaissance.

So what’s the upshot for you? We don’t think there was a collision between the two satellites (they came within 80 km of each other last Thursday), but even if there was, it’d probably be classified information.

CN: Cow Flower to you

Cisco Talos has discovered a relatively new attack framework being used in the wild, called “Manjusaka” (which translates as “cow flower” from Simplified Chinese) by its authors.

“Manjusaka” has the potential to become prevalent across the threat landscape.

This framework is advertised as an imitation of the Cobalt Strike framework.

The implants for the new malware family are written in the Rust language for Windows and Linux.

A fully functional version of the command and control (a.k.a. C2) server, written in Go with a user interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.

Talos recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province.

These maldocs (documents that carry malware) ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.

Talos has observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

So what’s the upshot for you? Right now, not a huge threat, but expect to see a lot more about Manjusaka (or cow flower) in the months to come.

Global: Twitter confirms zero-day was used to expose data of 5.4 million accounts

Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users’ accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.

This vulnerability allowed anyone to submit an email address or phone number, learn whether it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account. This is a classic account-enumeration oracle: the identifier-to-account lookup answered differently for known and unknown identifiers, and nothing stopped the same client from asking millions of times.
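To make the pattern concrete, here is an added example (not Twitter’s code; the account table, identifiers and rate-limit policy are all constructed for illustration). The leaky version answers “exists / account ID” per identifier, so an attacker loop harvests linkages; the hardened version gives one uniform answer regardless of whether the identifier is registered, never echoes the account ID, and throttles repeated probing per client. Timing side channels are out of scope here.

```python
from __future__ import annotations

# Constructed sample accounts: identifier -> account ID (not real data).
ACCOUNTS = {
    "alice@example.org": 1001,
    "+15550000001": 1002,
    "bob@example.org": 1003,
}

# Constructed attacker wordlist mixing registered and unregistered identifiers.
CANDIDATES = [
    "alice@example.org", "carol@example.org", "+15550000001",
    "+15550000002", "bob@example.org", "dave@example.org",
    "erin@example.org", "+15550000003",
]


def lookup_vulnerable(identifier: str, client: str, now: float) -> dict:
    """Leaky lookup: the response reveals whether the identifier is linked to
    an account and, if so, returns the account ID. client/now are ignored,
    i.e. no throttling at all."""
    account_id = ACCOUNTS.get(identifier)
    if account_id is None:
        return {"exists": False}
    return {"exists": True, "account_id": account_id}


class RateLimiter:
    """Per-client sliding window: at most max_calls per window_s seconds.
    (Assumed policy for the example; a real service would key on more than
    a client string.)"""

    def __init__(self, max_calls: int, window_s: float):
        self.max_calls = max_calls
        self.window_s = window_s
        self.calls: dict[str, list[float]] = {}

    def allow(self, client: str, now: float) -> bool:
        recent = [t for t in self.calls.get(client, []) if now - t < self.window_s]
        if len(recent) >= self.max_calls:
            self.calls[client] = recent
            return False
        recent.append(now)
        self.calls[client] = recent
        return True


LIMITER = RateLimiter(max_calls=5, window_s=3600)


def lookup_hardened(identifier: str, client: str, now: float) -> dict:
    """Non-enumerating lookup: identical response for known and unknown
    identifiers, no account ID in the reply, and per-client throttling.
    Whatever the lookup is for (e.g. a reset message) happens out of band,
    only if the identifier really is linked."""
    if not LIMITER.allow(client, now):
        return {"status": "rate_limited"}
    _ = ACCOUNTS.get(identifier)  # used server-side only; never echoed back
    return {"status": "ok",
            "message": "If this identifier is registered, we sent a message."}


def enumerate_accounts(lookup, candidates, client="probe", start=0.0) -> dict:
    """Attacker loop: probe each candidate and keep whatever the server leaks."""
    linked = {}
    for i, cand in enumerate(candidates):
        resp = lookup(cand, client, start + i)
        if resp.get("exists") and "account_id" in resp:
            linked[cand] = resp["account_id"]
    return linked


if __name__ == "__main__":
    print(enumerate_accounts(lookup_vulnerable, CANDIDATES))   # three linkages
    print(enumerate_accounts(lookup_hardened, CANDIDATES))     # {}
```

Against the leaky lookup the loop recovers every registered identifier and its account ID; against the hardened one it learns nothing and is cut off after five probes per hour.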

So what’s the upshot for you? At this time, Twitter tells us that they cannot determine the exact number of people impacted by the breach. However, the threat actor claims to have used the flaw to gather the data of 5,485,636 Twitter users.

While no passwords were exposed in this breach, Twitter is encouraging users to enable 2-factor authentication on their accounts to prevent unauthorized logins as a security measure.

Global: Slack admits to leaking hashed passwords for five years

Popular collaboration tool Slack (not to be confused with the nickname of the world’s longest-running Linux distro, Slackware) has just owned up to a long-running cybersecurity SNAFU.

According to a news bulletin entitled Notice about Slack password resets, the company admitted that it had inadvertently been oversharing personal data “when users created or revoked a shared invitation link for their workspace.”

From 2017-04-17 to 2022-07-17 (we assume both dates are inclusive), Slack said that the data sent to the recipients of such invitations included……wait for it……the sender’s hashed password.

Slack’s security advisory doesn’t explain the breach very clearly, saying merely that “[t]his hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.”

We’re guessing that this translates as follows:

“Most recipients wouldn’t have noticed that the data they received included any hashed password information, because that information, although included in the network packets sent, was never deliberately displayed to them. And because the data was sent over a TLS connection, eavesdroppers wouldn’t have been able to sniff it out along the way, because it wouldn’t get decrypted until it reached the other end of the connection.” In other words, TLS protected the data in transit, but the server was serializing a field that had no business leaving the server at all.
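The underlying bug class is a server emitting a whole internal record when the event only needed two fields. The added example below is ours, not Slack’s code: it shows the oversharing pattern (serialize the entire user object), the deny-by-default fix (an explicit allowlist of fields), and an egress check that walks any outbound JSON for sensitive keys so the mistake is caught in tests or a response filter. The user record, event names and field list are constructed for illustration.

```python
from __future__ import annotations

import json
from dataclasses import asdict, dataclass

# Keys that must never appear in anything sent to a client (assumed policy).
SENSITIVE_FIELDS = {"password_hash", "password", "api_token", "session_token"}


@dataclass
class User:
    id: str
    name: str
    email: str
    password_hash: str  # constructed value; a hash is still secret material


def invite_event_vulnerable(sender: User, link: str) -> str:
    """Oversharing pattern: the entire user record rides along with the event.
    TLS hides it from the network, not from whoever receives the response."""
    return json.dumps({"event": "shared_invite_created",
                       "link": link,
                       "sender": asdict(sender)})


# Deny by default: the only sender fields an invite recipient needs.
USER_PUBLIC_FIELDS = ("id", "name")


def invite_event_hardened(sender: User, link: str) -> str:
    """Allowlist serialization: fields are opted in, so a new column added to
    User later does not silently start leaking."""
    sender_view = {f: getattr(sender, f) for f in USER_PUBLIC_FIELDS}
    return json.dumps({"event": "shared_invite_created",
                       "link": link,
                       "sender": sender_view})


def leaked_fields(payload: str) -> set[str]:
    """Egress check: report any sensitive key at any nesting depth of an
    outbound JSON payload. Usable as a unit-test helper or in a response
    filter that rejects the payload instead of sending it."""
    found: set[str] = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(payload))
    return found


# Constructed sender; the hash is a placeholder, not a real credential.
SENDER = User(id="U123", name="Ada", email="ada@example.org",
              password_hash="$2b$12$placeholderplaceholderplaceholde")

if __name__ == "__main__":
    link = "https://example.invalid/join/abc"
    print(leaked_fields(invite_event_vulnerable(SENDER, link)))  # {'password_hash'}
    print(leaked_fields(invite_event_hardened(SENDER, link)))    # set()
```

The allowlist also keeps the email address out of the invite, which the recipient has no need for either; the egress check is the safety net for the day someone adds a new field to the record.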

So what’s the upshot for you? Slack says that about 1 in 200 of its users (0.5%, presumably based on records of how many shared invitation links were generated in the danger period) were affected, and that it will be forcing those users to reset their passwords.

Global: Twilio Incident Report: Employee and Customer Account Compromise - August 4, 2022

Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials.

The San Francisco-based company, which allows users to build voice and SMS capabilities – such as two-factor authentication (2FA) – into applications, said in a blog post published Monday that it became aware that someone gained “unauthorized access” to information related to some Twilio customer accounts on August 4.

Twilio has more than 150,000 customers, including Facebook and Uber.

According to the company, the as-yet-unidentified threat actor convinced multiple Twilio employees to hand over their credentials, which allowed access to the company’s internal systems.

The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controls.

So what’s the upshot for you? Smishing is a form of phishing that uses mobile phones as the attack platform.

The criminal executes the attack with the intent to gather credentials or personal information, such as social insurance or credit card numbers.

Because the lure is delivered by SMS text message, the attack is called “SMiShing”: SMS phishing. The Twilio lure worked because the message looked like an internal IT notice and the spoofed login page looked like the real one; a phishing-resistant second factor (hardware keys) rather than a one-time code is what stops a captured password from being useful.

US: Class Action Lawsuit Targets Experian Over Account Security

A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts.

The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.

The lawsuit, filed July 28, 2022, in California Central District Court, argues that Experian’s documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.

Most lenders rely on the big-three consumer credit reporting bureaus, Equifax, Experian, and TransUnion, to determine everyone’s credit score, fluctuations in which can make or break one’s application for a loan or job.

Last week, The Wall Street Journal broke a story saying Equifax sent lenders incorrect credit scores for millions of consumers this spring.

Meanwhile, the credit bureaus keep enjoying record earnings. For its part, Equifax reported a record fourth quarter 2021 revenue of $1.3 billion. Much of that revenue came from its Workforce Solutions business, which sells information about consumer salary histories to a variety of customers.

So what’s the upshot for you? Isn’t Experian the company that is running the moronic TV ads pushing their phone app in the US right now?

We think so. We also think these idiots have more capability to wreck people’s lives than just about any other type of company in the US, and that they should pay huge fines to anyone who wants them.

US/EU: A Phone Carrier That Doesn’t Track Your Browsing or Location

As marketers, data brokers, and tech giants endlessly expand their access to individuals’ data and movements across the web, tools like VPNs or cookie blockers can feel increasingly feeble and futile.

Short of going totally off the grid forever, there are few options for the average person to meaningfully resist tracking online.

Even after coming up with a technical solution last year for how phone carriers could stop automatically collecting users’ locations, researchers Barath Raghavan and Paul Schmitt knew it would be challenging to convince telecoms to implement the change.

So they decided to be the carrier they wanted to see in the world.

The result is a new company, dubbed Invisv, that offers mobile data designed to separate users from specific identifiers so the company can’t access or track customers’ metadata, location information, or mobile browsing.

Launching in beta last week for Android, the company’s Pretty Good Phone Privacy or PGPP service will replace the mechanism carriers normally use to turn cell phone tower connection data into a trove of information about users’ movements.

And it will also offer a Relay service that disassociates a user’s IP address from their web browsing.

PGPP’s ability to mask your phone’s identity from cell towers comes from a revelation about why cell towers collect the unique identifiers known as IMSI numbers, which can be tracked by both telecoms and other entities that deploy devices known as IMSI catchers, often called stingrays, which mimic a cell tower for surveillance purposes.

Raghavan and Schmitt realized that at its core, the only reason carriers need to track IMSI numbers before allowing devices to connect to cell towers for service is so they can run billing checks and confirm that a given SIM card and device are paid up with their carrier.

By acting as a carrier themselves, Invisv can implement their PGPP technology that simply generates a “yes” or “no” about whether a device should get service.

On the PGPP “Mobile Pro” plan, which costs $90 per month, users get unlimited mobile data in the US and, at launch, unlimited international data in most European Union countries.

Users also get 30 random IMSI number changes per month, and the changes can happen automatically (essentially one per day) or on-demand whenever the customer wants them.

The system is designed to be blinded so that neither Invisv nor the cell towers you connect to know which IMSI is yours at any given time.

There’s also a “Mobile Core” plan for $40 per month that offers eight IMSI number changes per month and 9 GB of high-speed data per month.

Both of these plans also include PGPP’s Relay service.

Similar to Apple’s iCloud Private Relay, PGPP’s Relay is a method for blocking everyone, from your internet provider or carrier to the websites you visit, from knowing both who you are and what you’re looking at online at the same time.

Such relays send your browsing data through two-way stations that allow you to browse the web like normal while shielding your information from the world.

When you navigate to a website, your IP address is visible to the first relay – in this case, Invisv – but the information about the page you’re trying to load is encrypted.

Then the second relay generates and connects an alternate IP address to your request, at which point it is able to decrypt and view the website you’re trying to load.

The content delivery network Fastly is working with Invisv to provide this second relay.

Fastly is also one of the third-party providers for iCloud Private Relay.

In this way, each relay knows only part of the picture: the first knows who you are (your IP address) but not where you are going, and the second sees the sites you connect to but only the first relay’s address, not yours. The privacy property holds only as long as the two relays are run by separate parties that do not pool their logs.
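The split-knowledge property is easiest to see by simulating it. The following is an added example, not Invisv’s or Fastly’s code: the client wraps the destination for the second hop, then wraps that for the first hop; each hop records what it could log, and the logs show that hop 1 holds the client IP but only ciphertext, while hop 2 holds the hostname but only hop 1’s address. The keys are assumed pre-shared (real relays negotiate them), the stream cipher is a dependency-free toy built on HMAC-SHA256, and all addresses and hostnames are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    Symmetric, so the same call encrypts and decrypts. For illustration
    only; use a real AEAD in anything that ships."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Relay:
    name: str
    key: bytes                      # assumed pre-shared with the client
    seen: list[dict] = field(default_factory=list)  # everything this hop can log


@dataclass
class Client:
    ip: str
    hop1_key: bytes
    hop2_key: bytes

    def build_request(self, host: str, path: str) -> tuple[bytes, bytes]:
        """Onion-wrap: encrypt the destination for hop 2, then encrypt that
        blob for hop 1, so hop 1 can never read the hostname."""
        nonce = os.urandom(16)
        inner = keystream_xor(self.hop2_key, nonce, f"{host} {path}".encode())
        outer = keystream_xor(self.hop1_key, nonce, inner)
        return nonce, outer


def hop1_forward(relay: Relay, client_ip: str, nonce: bytes,
                 outer: bytes) -> tuple[str, bytes, bytes]:
    """Ingress relay: sees the client IP, peels one layer, forwards the still
    encrypted inner blob from its own egress address."""
    inner = keystream_xor(relay.key, nonce, outer)
    relay.seen.append({"src_ip": client_ip, "payload_hex": inner.hex()})
    return "relay1.example.invalid", nonce, inner


def hop2_fetch(relay: Relay, upstream_ip: str, nonce: bytes, inner: bytes) -> str:
    """Egress relay: decrypts the destination and fetches it; the only source
    address it ever sees is the ingress relay's."""
    host, path = keystream_xor(relay.key, nonce, inner).decode().split(" ", 1)
    relay.seen.append({"src_ip": upstream_ip, "host": host})
    return f"GET {path} from {host}"   # stand-in for the real fetch


def run_relay_session(host: str = "news.example.org",
                      path: str = "/story") -> tuple[Relay, Relay, str]:
    """Constructed end-to-end session: returns both hops' logs and the
    request the egress hop actually made."""
    hop1 = Relay("ingress", os.urandom(32))
    hop2 = Relay("egress", os.urandom(32))
    client = Client("203.0.113.7", hop1.key, hop2.key)   # constructed client IP
    nonce, outer = client.build_request(host, path)
    egress_ip, nonce, inner = hop1_forward(hop1, client.ip, nonce, outer)
    result = hop2_fetch(hop2, egress_ip, nonce, inner)
    return hop1, hop2, result


if __name__ == "__main__":
    h1, h2, r = run_relay_session()
    print(r)
    print("hop1 log:", h1.seen)   # client IP + opaque hex, no hostname
    print("hop2 log:", h2.seen)   # hostname + relay1 address, no client IP
```

What the example does not model is just as important: if one operator runs both hops, or the two share logs, the two halves join back up, and even honest separate operators can be correlated by traffic timing and volume. That is why Invisv pairing with a different company for the second hop matters.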

In addition to being included in the two PGPP data plans, customers can also purchase the Relay service on its own for $5 per month and turn it on while connected to mobile data or Wi-Fi.

The carrier is still working to bring its services to Apple’s iOS.

It’s also worth noting that Invisv only offers mobile data; there are no voice calling services.

So what’s the upshot for you? We downloaded the app on an Android device, and with three price tiers providing data-only anonymity you have options for pricing and security levels. (Plain voice calling is notoriously insecure anyway.) Time will tell, but we are betting on this being a success.

US: Not too early to give to the Girl who has everything: Purism’s Librem 5 Smartphone

Good news for those who’d like privacy and the convenience of a PC in their pocket: Purism posted an announcement Thursday about their privacy-focused “Librem 5 USA” smartphones.

“New orders placed today will ship within our standard 10-business-day window.”

The Librem 5 USA now joins the Librem Mini and Librem 14 as a post-Just In Time product, one where instead of relying on Just In Time supply chains to manufacture a product just as we need it, we have invested in maintaining much larger inventories so that we can better absorb future supply chain issues that may come our way.

“For anyone who is new to the product, the Librem 5 USA is our premium phone that shares the same hardware design and features as our mass-produced Librem 5, but with electronics we make in the USA using a separate electronics supply chain that sources from US suppliers whenever possible.

This results in a tighter, more secure supply chain for the Librem 5 USA.”

The Librem 5 USA uses the same PureOS as our other computers and so it runs the same desktop Linux applications you might be used to, just on a small screen.

PureOS on the Librem 5 USA demonstrates real convergence, where the device becomes more than just a phone, it becomes a full-featured pocket-sized computer that can act like a desktop when connected to a monitor, keyboard, and mouse, or even a laptop (or tablet!) when connected to a laptop docking station.

All of your files and all of your software remains the same and follows you where you go.

Applications just morph from the smaller screen to the larger screen when docked, just like connecting an external monitor to a laptop.

Everyone who has backed the Librem 5 and Librem 5 USA projects hasn’t just supported the production of the hardware itself; they have also supported a massive, multi-year software development effort to bring the traditional Linux desktop to a phone form-factor.

Projects such as Phosh (the GUI), Phoc (the Compositor), Squeekboard (the Keyboard), Calls (for calling), Chats (for texting and messaging), and libhandy/libadwaita (libraries to make GTK applications adaptive) all required massive investment and many of these projects have already been moved to the GNOME infrastructure to better share our effort with a larger community.

We are delighted to see that many other mobile projects have recognized the quality of our efforts and adopted our software into their projects…

The Librem 5 USA was designed for longevity and because we support the right to repair, we also offer many spare parts in our shop, including replacement modems so you can make sure you support all the cellular bands in a particular continent, replacement batteries for when you ultimately wear out your existing battery, and plenty of other spare parts that haven’t had sufficient demand to post formally on our shop (yet). If you need a spare part that isn’t yet in the shop, just ask.

So what’s the upshot for you? We love the idea of privacy and the pocket computer, and that takes us right back to the days of the Psion 3, but at $1300 for the Chinese-sourced Librem 5 and $2000 for the US variant, perhaps we’ll just dig out the old Psion 3.

Global: DuckDuckGo browser’s stricter privacy protection will also apply to Microsoft scripts now

DuckDuckGo’s browser had third-party tracker loading protection by default that already blocked scripts embedded on websites from Facebook, Google, and others, but until now Microsoft’s scripts from the Bing and LinkedIn domains (but not its third-party cookies) had a pass.

A security researcher named Zach Edwards pointed out the exclusion that he uncovered while auditing the browser’s privacy claims, and noted it is especially curious because Microsoft is the partner that delivers ads in DDG’s search engine (while promising not to use that data to create a monitored profile of users to target ads, instead relying on context to decide which ones it should show).

DuckDuckGo CEO Gabe Weinberg said at the time that the reason for it was a search syndication agreement with Microsoft and that more updates on third-party tracker preventions were coming.

A backlash ensued, with some seizing on DuckDuckGo’s own words that “tracking is tracking,” a phrase the company used against Google’s cookie-replacing “privacy sandbox” ad technology.

Now Weinberg writes in a blog post, “I’ve heard from several users and understand that we didn’t meet their expectations around one of our browser’s web tracking protections.”

DuckDuckGo is vowing to be more transparent about what trackers its browser and extensions are protecting users from, making its tracker blocklists available and offering users more information on how its tracking protections work via a new help page.

So what’s the upshot for you? We understand you have to buy your search capabilities from someone (Google or Microsoft), but the whole idea of letting Microsoft tracking scripts run was contrary to everything DuckDuckGo stood for.

This is the right decision.

UK: Nevil Maskelyne. Possibly the first White Hat Hacker

First things first: A white hat hacker – or ethical hacker – is an individual who uses hacking skills to identify security vulnerabilities in hardware, software, or networks.

Time of Hack: Springtime 1903.

Imagining a hacker in 1903 generates at first sight too many contradictions: computing didn’t even exist at that time. So, what could be hacked by the first hacker of all time?

To understand the story of Nevil Maskelyne we have to go back to the end of the 19th century, with the discovery of electromagnetic waves: the wireless telegraph would be developed based on this finding and Guglielmo Marconi would be in the right place to become the commercial bastion of one of the century’s inventions.

Who is who in this story:

Although many scientists researched the nature of these waves and their possible applications, it was Guglielmo Marconi (1874-1937) who used them to transmit what is now considered the first wireless telegraphic message in history.

In 1895, he used electromagnetic waves to represent the dashes and dots of Morse code and managed to send signals over several kilometers: wireless telegraphy was born.

Nevil Maskelyne (1863-1924) is far less well known. The descendant of a family of illusionists and inventors, this British magician became interested in wireless technology at the same time as Marconi.

Marconi boasted publicly that the messages sent via his wireless telegraph were totally safe and could be transmitted privately, as he did in an article in the London newspaper St James’s Gazette in February 1903, promising to deliver “confidential channels”.

Maskelyne developed the technology needed to intercept the signal: it wasn’t so complicated.

With a rudimentary 50-meter radio antenna he managed to intercept the message that Marconi’s company was then sending to different ships at sea, without raising suspicion.

At an exhibition of this technology at the Royal Institution, an expectant audience was waiting for the demonstrator to set up his equipment in the lecture theatre when the apparatus suddenly began to tap out a message.

To the audience, it sounded just like a rhythmic tapping noise but to the man overseeing the demonstration and his assistant it was a clear message and not the one they were expecting:

At first, the message spelled out just one word repeated over and over ‘Rats, Rats, Rats’.

Then it changed to a poem accusing Marconi of "diddling the public” - “there was a young fellow of Italy, who diddled the public quite prettily”… (further lines followed).

It was obvious that the demonstration had been hacked.

The mysterious message stopped shortly before Marconi’s own signal from Cornwall arrived; however, the damage was done.

If someone could interrupt the inventor of the apparatus while he was showcasing it to the public then no message could be safe.

Desperate to know how and what had happened, the demonstrator appealed to the readers of the London Times to unmask the culprit.

This proved unnecessary as Maskelyne was quite happy to reveal his part in his own letter to the Times four days later, justifying his actions because the public needed to know that there were flaws to this secure system.

According to the magician, it had been for the common good.

So what’s the upshot for you? And there you have it: the first white hat hacker, 119 years ago!

And our quote of the week: “Very smart people are often tricked by hackers, by phishing. It’s about being smarter than a hacker. Not about being smart.” - Harper Reed

White Hat down

That’s it for this week. Stay safe, stay secure, don’t forget your hat, and see you in se7en.