Greetings "citizens of the world" and Welcome to the IT Privacy and Security Update for June 8th, 2021



This week we start with the Danish spying on the Germans. The Germans hacking .PDFs. The Cook keeping things private. The Tag"ee" smashing things with hammers.
You… now with 8.5 billion reasons to use 2-factor authentication for your logins … and a very special article just for teens. Aw.

Then, a story about how the coppers recover loads of Bitcoin from the Colonial Pipeline ransomware attack, but they still need Elon Musk to up-tweet Bitcoin or they’ll be out 20%!

Finally, we finish with an Anonymous video to Elon Musk that has viewers asking for more!

It’s all here in an entertaining, fun, thrilling, mix of the best stories for all “citizens of the world”, so let’s get this party started!


DK: Danish Secret Service Helped NSA Spy On European Politicians

Using the telephone numbers of politicians as search parameters, the report alleged that the NSA “intercepted everything from text messages to phone calls that passed through the cables on their way to and from the phones of politicians and officials.”

The spying operation involved deploying specialized software called XKeyscore in a data center located at Sandagergårdan in the city of Dragør to search and analyze data streams flowing in and out of the internet cables.

XKeyscore is a data-retrieval system that enables unlimited surveillance of people anywhere in the world, allowing the intelligence agency to track individuals, read emails, and listen in on their telephone calls and browsing histories.

German Chancellor Angela Merkel, the then-German Foreign Minister Frank-Walter Steinmeier, and the opposition leader at the time, Peer Steinbrück, are said to have been targeted through the Danish-American pact.

So what’s the upshot for you? The Danish police spying on politicians? Just be careful you don’t upset your neighbors to the south!


DE: Researchers disclosed two attack techniques that allow modifying visible content on certified PDF documents

https://pdf-insecurity.org/signature/certification.html

Researchers from Ruhr-University Bochum, in the western portion of Germany, have disclosed two new attack techniques, dubbed “Evil Annotation” and “Sneaky Signature” attacks, on certified PDF documents that could potentially allow attackers to modify visible content without invalidating their digital signature.

“By inserting a signature field, the signer can define the exact position of the field, and additionally its appearance and content. This flexibility is necessary since each new signature could contain the signer’s information.

The information can be a graphic, a text, or a combination of both. Nevertheless, the attacker can misuse the flexibility to stealthily manipulate the document and insert new content.” continues the post. “The attacker modifies a certified document by including a signature field with the malicious content at a position of attacker’s choice.

The attacker then needs to sign the document, but he does not need to possess a trusted key. A self-signed certificate for SSA is sufficient. The only restriction is that the attacker needs to sign the document to insert the malicious signature field.”

So what’s the upshot for you? Ouch! Although unlikely to be exploited by private parties, the whole point of this format was to have trusted content.
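
A defender's view of the two attacks, as an added example that is not from the researchers or the original article: a Python heuristic that finds where the first signature's coverage ends and flags signature fields or annotations appended after it. The sample documents are constructed byte strings rather than real PDFs, and treating the first signature as the certifying one is an assumption.

```python
import re

# /ByteRange [a b c d]: the signature covers bytes [a, a+b) and [c, c+d).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SIG_FIELD = re.compile(rb"/FT\s*/Sig\b")        # a signature form field
ANNOTATION = re.compile(rb"/Type\s*/Annot\b")   # any annotation object


def signed_ends(data):
    """End offset (c + d) of every signed revision, smallest first."""
    return sorted(int(m.group(3)) + int(m.group(4))
                  for m in BYTE_RANGE.finditer(data))


def audit(data):
    """Report what was appended after the first (assumed certifying) signature."""
    ends = signed_ends(data)
    if not ends:
        return {"certified": False, "appended_bytes": 0, "findings": []}
    cert_end = ends[0]
    appended = data[cert_end:]
    findings = []
    if SIG_FIELD.search(appended):
        findings.append("signature field added after certification")
    if ANNOTATION.search(appended):
        findings.append("annotation added after certification")
    if len(ends) > 1:
        findings.append("additional signature applied after certification")
    return {
        # Heuristic: a certifying signature references the DocMDP transform.
        "certified": b"/DocMDP" in data[:cert_end],
        "appended_bytes": len(appended),
        "findings": findings,
    }


def signed_revision(prefix, objects):
    """Constructed sample data, not a real PDF: append `objects` plus a dummy
    signature dictionary whose ByteRange reaches the end of the new revision."""
    head = prefix + objects + b"<< /Type /Sig /ByteRange ["
    mid = b"] /Contents <"
    tail = b" >>\n%%EOF\n"
    gap_start = len(head) + 34 + len(mid) - 1   # offset of '<'; 34 = width of the numbers
    after_gap = gap_start + 1 + 32 + 1          # '<' + 32 hex digits + '>'
    total = after_gap + len(tail)
    numbers = b"0 %010d %010d %010d" % (gap_start, after_gap, total - after_gap)
    return head + numbers + mid + b"00" * 16 + b">" + tail


# Constructed samples.
CERTIFIED = signed_revision(
    b"%PDF-1.7\n",
    b"1 0 obj << /TransformMethod /DocMDP >> endobj\n"
    b"2 0 obj << /FT /Sig /T (Certification) >> endobj\n",
)
# Incremental update that adds a new signature field and signs the result.
SIGNED_UPDATE = signed_revision(
    CERTIFIED, b"9 0 obj << /FT /Sig /T (Extra) /Rect [0 0 600 800] >> endobj\n"
)
# Incremental update that adds an annotation without a new signature.
ANNOTATED = CERTIFIED + b"7 0 obj << /Type /Annot /Subtype /FreeText >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in [("certified", CERTIFIED), ("signed update", SIGNED_UPDATE),
                      ("annotated", ANNOTATED)]:
        print(name, audit(doc))
```

A finding is a prompt to review the document, not proof of tampering: whether such additions are allowed depends on the permissions the certifier set.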


Global: Yesterday Apple Sells you its position on Privacy

A year after angering software developers with new privacy features aimed at making it harder to track iPhone users’ digital footprints, Apple Inc. yesterday doubled down with even more changes that will roil the digital advertising industry.

The year of discontent began at last year’s worldwide developer conference or WWDC, when Apple said it planned to introduce new privacy tools, including one dubbed App Tracking Transparency, or ATT, in its iOS 14 mobile operating system.

Developers, including Facebook, complained that ATT would disrupt their ad businesses. In-app ads are often targeted at users based upon data about their activity online, which is collected by apps. Developers spent months puzzling out new strategies to deal with Apple’s privacy-policy changes, which now require users to agree to be tracked.

Mr. Cook has forcefully defended the change to protect users’ privacy and help them control how their data is used. But, in January, Mr. Zuckerberg said Apple had every incentive to “use their dominant platform position to interfere with how our apps and other apps work.”

Ben Wood, an analyst at CCS Insight, said in an email about Monday’s changes: “Hiding information such as IP addresses, location and whether users have opened or read emails could severely limit the way many companies track and monetize users but will be welcomed by consumers who are becoming increasingly aware of how much data is being captured.”

What did Apple say? Well, remember this is their sales speech, but key statements follow:

"Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.

  • Your data. Your choice. App Tracking Transparency lets you control which apps are allowed to track your activity across other companies’ apps and websites.
  • Safari throws trackers off your trail. Intelligent Tracking Prevention helps stop advertisers that follow you from site to site.
  • Maps make your location history, history. The Maps app doesn’t associate your data with your Apple ID, and Apple doesn’t keep a history of where you’ve been.
  • Photos protects your images from unwanted exposure. The Photos app uses machine learning to organize photos right on your device. So you don’t need to share them with Apple or anyone else.
  • Messages are only seen by who you send them to. Apple can’t read your iMessages while they’re being sent between you and the person you’re texting.
  • Siri learns what you need. Not who you are. Your Apple ID isn’t connected to Siri, and your requests are associated with a random identifier. Not you.
  • Apple News delivers content based on your interests, but it isn’t connected to your identity. So Apple doesn’t know what you’ve read.
  • Wallet and Apple Pay help hide what you buy. Your credit and debit card numbers are hidden from Apple, and Apple doesn’t keep transaction information that can be tied back to you.
  • Health keeps your records under wraps. You control which information goes into the Health app and who you share it with.
  • App Store shows you what’s in store for your data. Privacy labels on the App Store help you choose apps based on how they use your data and whether they track you."

So what’s the upshot for you? As privacy becomes more of a concern, Apple slips right in with a nice sales differentiator. Overall though, it’s a good direction to be moving in.


Global: How to disable a suspicious AirTag and prevent it from tracking you

Apple designed AirTag with privacy in mind. If you find an AirTag that was suspiciously placed (i.e., it looks as though someone is attempting to track you or your property), you can easily disable the AirTag.

If an AirTag is found moving with you that isn’t your AirTag, your iPhone will receive an AirTag Found Moving With You message on your Lock Screen–tapping this message will allow you to play a sound on the AirTag in question.

But remember, this only works if you have an iPhone.

If the AirTag is on an item you’re borrowing, you can pause this safety alert for up to one day at a time. If the AirTag is on an item that belongs to a Family Sharing group you’re a part of, you may be able to turn off this safety alert indefinitely.

If the AirTag is suspicious and you feel you’re in danger of the AirTag being with you and reporting your location to an unknown owner, Apple has a way to easily disable the AirTag indefinitely.

Follow these steps:

  • Locate the AirTag you wish to disable.
  • Push down and twist counterclockwise on the back of the AirTag.
  • Take the cover off and remove the battery.

After you do this, even if you replace the battery, the AirTag will no longer allow the user to track it. However, if the owner placed the AirTag in Lost Mode, it can only ever be re-registered with Find My by the original owner, because an AirTag placed into Lost Mode is locked using Activation Lock, similar to iOS.

So what’s the upshot for you? If you are sure you don’t know the tag’s source, have already tried to return it and been unsuccessful, or simply use an Android phone, then as a second option you could also just place the tag on the ground and swiftly hit it with a hammer.

Always remember to be kind to the environment and recycle the remains.


Global: Cyber-Insurance Premiums Surged by Up to 30% in 2020

Although not named in the update, ransomware is a key factor driving these trends. According to insurer Coalition, it was the biggest source of insurance claims in the first half of 2020.

Many have argued that insurers’ continued coverage perpetuates the ransomware problem as it encourages more threat actors to target organizations, knowing that the ransom will be reimbursed by providers.

So what’s the upshot for you? We think cyber insurance will continue to skyrocket in 2021.

The US gov. has put together a little fact sheet for those who want to learn more: https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf


Global: Today is the Tuesday that Sidewalk gets turned on!

Today, Amazon turned on Sidewalk to extend internet service between Amazon devices like Echo smart speakers and Ring cameras. Unless you opt out, your Amazon devices will automatically start participating.

From the white paper, we see a very low transmission, pulse-based, triply encrypted protocol that creates a mesh network and appears very safe.

“The issue is not today’s use, but how that interconnectedness might expose us or be used in the future that poses concerns.”

Even if you’re comfortable with Sidewalk using up to 500MB of your data each month to help your neighbor set kitchen timers, you need to consider also how a network like this might evolve.

Especially given the cozy relationship between law enforcement and Amazon’s Ring devices.

So what’s the upshot for you? Well, you can turn Sidewalk off! For the Echo family of speakers:

  • open the Alexa mobile app and
  • go to More,
  • Settings,
  • Account Settings,
  • Amazon Sidewalk and
  • choose Disable.

In the Ring app:

  • go to the Control Center,
  • Amazon Sidewalk,
  • click Disable,
  • and then Confirm.

Note that there doesn’t appear to be any way to opt-out of Sidewalk from a browser (yet).


Global: RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries

https://cybernews.com/security/rockyou2021-alltime-largest-password-compilation-leaked/

What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.

According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed.

The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries.

So what’s the upshot for you? Why is this important to you? It means that hackers using a brute force application, one where your account details are attempted with password after password, from one or multiple machines, could have an easier time getting into your account.

We always suggest turning on 2FA (2-factor authentication), where you are texted a code or you generate one from an authenticator application on your phone or PC.


Global: 5 common scams targeting teens – and how to stay safe

  1. Social media scams
    With social media being the digital playground for most teenagers, it’s only natural that enterprising fraudsters will try to target them where they spend most of their time. Social media scams take on a variety of shapes and sizes, so there isn’t a one-size-fits-all. Some of the more common ones pose as links to tabloid articles with shocking headlines about celebrities; however, once you click on such a link, you’ll be rerouted to a malicious website.
    Alternatively, scammers may contact their victims directly through messages with offers of partaking in competitions or sweepstakes, but again, the shared link will almost certainly redirect the teenager to a fraudulent website that will either infect their devices with malware or try to wrangle their sensitive information from them.

  2. Discounted luxury goods
    Another common scam that proliferates online, including through fake advertisements posted on social media, involves offers for luxury goods at ridiculously low prices. To make their offers attractive to teens, scammers try to offer brands and goods that would appeal to them, like limited edition sneakers that are too expensive, clothes from brands that are usually too pricey to afford on a normal allowance or part-time job, or bogus Ray-Ban online stores.
    The ruse consists of creating a fake retail website that offers a wide assortment of these goods; however, once you go through with the purchase, you’ll either receive a knock-off product, or nothing at all. And in the worst-case scenario, if you shared your credit card information, the cybercriminals will rack up charges on it and clean out your bank account.

  3. Scholarship scams
    As graduation from high school nears, teenagers start looking towards their next step in life; often that entails pursuing a degree at a university. But, depending on where you are attending college, it can turn out to be quite expensive, which leads to a search for a scholarship that would, at least in part, cover tuition fees. Scammers prey on students looking for financial aid by creating fraudulent scholarships, which take various forms.
    For example, these faux scholarship programs will often require the applicant to pay a “registration fee”; however, there is no scholarship to be had and the fraudster will pocket the fee.
    Alternatively, the scam can take the form of a scholarship raffle, which will require the participant to pay either a “processing fee” or a “disbursement fee” citing tax costs, but ultimately the result is the same.

  4. Employment scams
    Being a teenager with a varied set of interests ranging from going to concerts and traveling to being a sneakerhead or fashionista isn’t easy, especially since you can’t cover it all with your allowance. So naturally, you’d want to look for a part-time job to cover your expenses.
    To target young jobseekers, cybercriminals create fraudulent employment offers that usually sound too good to be true. The fraudsters will post fake job openings on legitimate job boards and will usually offer positions that allow you to work from home and earn a hefty paycheck.
    However, the ultimate goal is to farm their targets for their personal information that will then be used in various illicit activities, such as opening bank accounts in their victims’ names or using their identities to forge documents.

  5. Catfishing scams
    As with a lot of things in the digital age, searching for romance has also transitioned online, and online dating platforms have become rewarding hunting grounds for romance scammers. These fraudsters, however, don’t just stick to dating sites – they often scour social media for their marks and contact them via private messages.
    The ruse often consists of impersonating a person that their target will find attractive. The scammer will then proceed to woo them until they achieve their ultimate goal – scam them out of money.
    Unfortunately, in some cases, the cyber criminals opt for abhorrent tactics, such as manipulating their marks into sharing risqué photos and then proceeding to blackmail them into paying money, threatening to release the incriminating photos to their loved ones and the public if they don’t pay.

So what’s the upshot for you? If you stumble upon a job offer that sounds enticing but you’re in doubt about it, run a quick web search on the company to see if anything suspicious comes up. Also, remember that you provide personal information for salary purposes only after you’re hired.
Similar advice applies in the case of scholarships – if you’re on the hunt for one, be sure to check whether the organization offering the scholarship is legitimate by conducting a web search and even contacting their offices directly. And never wire any kind of “processing” or “advance” fee.
One of the golden rules of the internet is: “if it seems too good to be true, then it probably is”. So, if you stumble upon a ridiculously priced pair of limited-edition Jordans, it’s most assuredly a scam. If you’re still intrigued, do your due diligence on the vendor and research them to see if something comes up.
If you receive an unsolicited message from someone you don’t know, you should remain vigilant, especially if it contains a dubious offer or a link. In any case, the best course of action is to ignore the message, and you shouldn’t ever click on a link from someone you don’t know.
In case a stranger is trying to initiate contact and within a few messages starts professing their undying love for you, it should set your spidey sense tingling. A quick reverse image search should uncover whether they are impersonating someone.


US: Feds recover $2.3 million in cryptocurrency paid by Colonial Pipeline in ransomware attack

https://www.techrepublic.com/article/feds-recover-2-3-million-in-cryptocurrency-paid-by-colonial-pipeline-in-ransomware-attack/#ftag=RSS56d97e7

On Monday, the U.S. Department of Justice revealed that it had managed to recover part of the ransom paid by Colonial Pipeline to its DarkSide attackers.

The DOJ said it seized 63.7 bitcoins currently valued at $2.3 million, representing around half of the $4.4 million that Colonial Pipeline CEO Joseph Blount told The Wall Street Journal that he had authorized following the attack.

The pipeline operator actually paid 75 bitcoins at the time, but the value of the cryptocurrency has fallen since the attack occurred a month ago.

So what’s the upshot for you? If they could only get Elon to talk up Bitcoin, Colonial might end up making a profit on this attack. More on that with our last story!


AU: Criminal networks smashed after using “secure” chat app secretly run by cops

The Australian Federal Police (AFP) has revealed that it was able to decrypt and snoop on the private messages sent via a supposedly secure messaging app used by criminals… because the app was actually the brainchild of the FBI.

At a press conference, AFP commissioner Reece Kershaw described how the idea of “AN0M” – a back-doored messaging app – was dreamt up by members of the FBI and AFP over a few beers after the shutdown in 2018 of “Phantom Secure,” an encrypted phone network used by criminals and drug cartels.

Keen to fill the vacuum left by the dismantlement of “Phantom Secure,” the FBI secretly ran the “AN0M” service, sharing criminals’ supposedly secret communications in real-time with AFP officers, and other law enforcement agencies around the world.

224 people have been arrested in Australia in what has been dubbed “Operation Ironside,” and 3.7 tonnes of drugs, 104 weapons, AU $44.9 million (US $34.75 million) in cash, as well as millions of dollars of other assets such as luxury cars, have been seized.

In addition, Australian police say that they have acted on 20 threats to kill.

AN0M ran on modified smartphones sold on the black market, stripped of normal functions like email or the ability to even make a phone call, and which required owners to pay a subscription.

Ironically, those subscription fees were actually destined to go into the coffers of the police force that would ultimately arrest those using the devices.

Sneakily, police encouraged informants to seed the app into the criminal underworld, before it was adopted by drug lords who unwittingly acted as “influencers,” giving the app legitimacy and encouraging other criminals to adopt it for communications.

Rather than promoting its secretly-backdoored app, the AN0M website now declares that it has been seized by the authorities and invites users to enter their contact details if they think their account might be linked to an ongoing investigation!

So what’s the upshot for you? Full marks for creativity! And… something to remember the next time you use a “secure end to end messaging app”.

By the way, we will continue to recommend Signal for confidential messaging … well at least until we hear the faintest trace evidence that might change that opinion.


Global: Fastly outage brings down major websites around the world

Large parts of the internet were temporarily offline today, including Amazon, Reddit, and Twitch, it has been reported.

Other significant organizations whose websites were affected by the incident included media outlets the Financial Times, The Guardian and New York Times, and the UK’s Gov.UK. When users attempted to enter these websites, they were met with messages like “Error 503 Service Unavailable” and “connection failure.”

Experts have traced the issue to a failure at Fastly, a content delivery network (CDN) that underpins many major websites. Fastly is a cloud computing services provider that runs an “edge cloud” designed to speed up loading times for websites, protect them from denial-of-service attacks, and help them deal with bursts of traffic.

The Guardian reported that the outage started at around 11 am BST, lasting for approximately 30 minutes.

While the failure brought some websites down entirely, specific sections of other services were also damaged. These include the servers on Twitter that host the social network’s emojis.

Other sites affected included news outlets The Guardian, Financial Times, Independent, New York Times, Evening Standard, Bloomberg, and Le Monde, as well as the self-proclaimed front page of the internet Reddit, shopping site eBay, and streaming platform Twitch.

So what’s the upshot for you? “The exact nature of this ‘issue’ is unclear, but given how vast the impact appears to be, it looks to have transcended any failover or redundancies that were in place.”

Apparently, the Fastly status page confirmed that this was a global disruption to CDN services, and as of 7:00 a.m. (ET), it stated: “The issue has been identified and a fix has been applied. Customers may experience increased origin load as global services return.”

But at 10am we read this on the Fastly status page: “Fastly’s network has built-in redundancies and automatic failover routing to ensure optimal performance and uptime. But when a network issue does arise, we think our customers deserve clear, transparent communication so they can maintain trust in our service and our team.” and not a single reference to the outage … even after significant digging.

So we call “BS” on Fastly.

This action should simultaneously affect their reputation and stock price. Keep an eye on both.

Doh! We just checked Fastly’s share price and it’s up for the day!


Global: Tired of Elon’s Trolling? You might not be alone

A threatening YouTube video targeting Elon Musk, posted on 5 June, has garnered 2,359,687 views.

The main thrust of the video rant warns Musk about his viral Twitter posts concerning Bitcoin.

“Greetings citizens of the World, this is a message from Anonymous, for Elon Musk”, the three-minute, 47-second diatribe begins, quickly attacking the billionaire for being “another narcissistic rich dude who is desperate for attention.”
“It seems that the games you have played with the crypto markets have destroyed lives,” and “show a clear disregard for the average working person.”

So what’s the upshot for you? Here’s the thing… the most popular Twitter Anonymous account, YourAnonNews, with some 6.7 million followers, has already denied being behind the video. When asked if they could confirm the video was published by them, the tweeted response was “Again, all the best - but no.”

So who created the video? Does it matter? Our favorite comment: “DS DS: They should upload daily, love the content!”


And that’s it for this week “citizens of the world”. Be kind, stay safe, stay secure, and see you in se7en!!


