Hang up the Phone with the IT Privacy and Security Weekly update for December 28th 2021



Daml’ers,

We start with exactly what happened to your 2022 fridge calendar and end in wet cat food.

In between, we get frauded, threatened, discharged, breached, dropped, and schooled.

Before you call us on what?

For the last pod of 2021, we’ve got you covered with what’s trending in IT Privacy and Security way into 2022.

We may stroll out of 2021, but we hit 2022 in a full sprint!


Cloud: Shutterfly hit by Ransomware attack just before the holidays

If you, like us, found your Shutterfly gifts arriving a little late this holiday season, there was good reason:

“Photography and personalized photo giant Shutterfly has suffered a Conti ransomware attack that allegedly encrypted thousands of devices and stole corporate data.

On Friday, a source told BleepingComputer that Shutterfly suffered a ransomware attack approximately two weeks ago by the Conti gang, who claims to have encrypted over 4,000 devices and 120 VMware ESXi servers.”

And the ransomware gang is demanding millions of dollars.

Conti has created a private Shutterfly data leak page containing screenshots of files allegedly stolen during the ransomware attack, as part of this “double-extortion” tactic. The attackers threaten to make this page public if a ransom is not paid.

While Shutterfly states that no financial information was disclosed, one of the screenshots contains the last four digits of credit cards, so it is unclear if there was further, and more concerning, information stolen during the attack.

So what’s the upshot for you? Shutterfly made no mention of missing the holidays completely, but the personalized calendars made it out in time for the new year, and for some, that’s the important part.


US: What is Synthetic Identity Fraud?

How bad is it? “By our estimates, synthetic identity fraud is the fastest-growing type of financial crime in the United States, accounting for ten to fifteen percent of charge-offs in a typical unsecured lending portfolio.”

What happens? Cybercriminals use synthetic identities to create a typical usage pattern and repayment history — and then “max out the loan or card with no intention of paying the bill.”

Why is it gaining in popularity? "Access to compromised networks is cheap, thanks to the availability of initial-access brokers and RaaS tools that can turn everyday petty crooks into full-blown cybercriminals in an afternoon.

This trend is most prevalent in the United States because of the emphasis on static PII to verify identity." Also, the popularity of social media is another reason for the increase in synthetic identity fraud. People are more comfortable putting personal information on the internet. What appear to be benign questions, such as place of birth, first car, or first boyfriend or girlfriend, are details that can be used as identity confirmations.

In Summary, what is Synthetic identity fraud? It melds factual information with fake information to create a unique identity that cybercriminals can exploit.

An example of factual information commonly used by digital fraudsters would be Social Security numbers (SSNs) — especially SSNs of young children and deceased adults, due to a lack of activity and monitoring of those accounts. False information tends to include fake addresses, social media profiles, or any required information to complete the targeted financial application. “Together, this creates an entirely new identity through which fraudulent and illicit activity can go unchecked.”

So what’s the upshot for you? Minimize the personal detail you share publicly through social media: Facebook, Google, or even LinkedIn. Then freeze your credit. Have your parents freeze their credit too (and remind them to keep safe the PIN needed to unlock the freeze), and finally, if your state allows it, freeze your children’s credit. There are many stories about huge six-figure bank loans that kids find attached to their Social Security numbers when they go to enquire about credit for university.
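The mechanism described above (a real SSN, often a child's, combined with a fabricated name and address) leaves a footprint a lender can screen for. The following is an added example, not code from the newsletter or from any of the reports it quotes; the applications and the rule thresholds are constructed, and SSNs beginning with 000 are used because that prefix is never issued.

```python
"""Rule-based screening for synthetic-identity signals in credit applications.

Added example (not from the newsletter). Records below are constructed;
000-prefixed SSNs are never issued, so they are safe placeholders.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: one credit application per record, as a lender would log it.
APPLICATIONS = [
    {"app_id": 1, "ssn": "000-00-0001", "name": "Ana Reyes", "dob": date(1985, 3, 2), "address": "12 Oak St"},
    {"app_id": 2, "ssn": "000-00-0001", "name": "Ana Reyes", "dob": date(1985, 3, 2), "address": "12 Oak St"},
    # Same SSN re-used under a different name and birth date: the synthetic pattern.
    {"app_id": 3, "ssn": "000-00-0002", "name": "Liam Ortiz", "dob": date(1979, 7, 9), "address": "8 Elm Ave"},
    {"app_id": 4, "ssn": "000-00-0002", "name": "Mark Dune", "dob": date(1990, 1, 1), "address": "99 Pine Rd"},
    # Claimed date of birth makes the applicant a minor: children's SSNs are a favourite target.
    {"app_id": 5, "ssn": "000-00-0003", "name": "Sam Green", "dob": date(2014, 5, 5), "address": "7 Birch Ln"},
]


def _age_on(dob, today):
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def screen(applications, today=date(2021, 12, 28), min_age=18):
    """Return {app_id: [reasons]} for every application that trips a rule.

    Rule 1: one SSN tied to more than one distinct (name, DOB) pair across the portfolio.
    Rule 2: the applicant's claimed DOB makes them younger than min_age.
    """
    identities = defaultdict(set)  # ssn -> set of (name, dob) combinations seen with it
    for app in applications:
        identities[app["ssn"]].add((app["name"].lower(), app["dob"]))

    flags = defaultdict(list)
    for app in applications:
        if len(identities[app["ssn"]]) > 1:
            flags[app["app_id"]].append("ssn_shared_across_identities")
        if _age_on(app["dob"], today) < min_age:
            flags[app["app_id"]].append("applicant_is_minor")
    return dict(flags)


if __name__ == "__main__":
    for app_id, reasons in sorted(screen(APPLICATIONS).items()):
        print(app_id, reasons)
```

Applications 1 and 2 are the same person re-applying and stay clean; 3 and 4 share an SSN under two identities and are flagged together; 5 is flagged on age alone. In practice the SSN-to-identity map would be built from the whole portfolio (or a bureau feed), not from the batch being screened.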


Global: Global Cyberattacks from Nation-State Actors Posing Greater Threats

Attackers don’t seem to care about getting caught anymore. We have seen an increase in the temerity of attacks by nation-states, such as the Russian attack on SolarWinds, and seen their attack tactics shift from targeted, stealthy operations into opportunistic hacks for potential future use, such as the attacks attributed to Hafnium.

Such a brazen approach hasn’t been a common tactic of nation-states in the past but now seems to be the status quo. In part, this trend may also be due to a destabilization of the international relations climate stemming from COVID-19, as well as work-from-home forcing core business services out onto the internet to facilitate employee access.

Broadly speaking, we should see China as a rising cybersecurity threat on the international stage. That has been the case for some time in terms of their economic, defense, and military posture, but 2021 has quite clearly demonstrated that the relationship has deteriorated into a sort of Cold War, with espionage playing out in the cyber-domain.

So what’s the upshot for you? When you see nation-states testing the ring-fencing of Internet access for the whole country, as Russia did a year ago, doesn’t that make you think that something is afoot?


Global: First the Petrol pumps and now the EV charging stations: New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking

Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.

The company noted that exploitation of the vulnerabilities requires physical access to the system’s internal communication port, but admitted that attacks can also be launched from the local network and even the internet if the charging station is accessible from the web.

Based on internet searches conducted with services such as Shodan and Censys, there are thousands of home-based internet-exposed systems.

“It should be noted that this amount greatly increases when discussing EVlink charging stations that are not currently Internet-facing but yet are network-configured and can still be attacked locally by exploiting the aforementioned vulnerabilities through specific vectors on LAN for instance,” the researcher noted.

So what’s the upshot for you? This doesn’t sound like much of a reason not to charge at a public charger, and certainly we can expect patches for the home units, but the rest is down to your home networking configuration. In the meantime, “go forth and charge!!”


Global: Why WINCE? Norman tells us

This story should make you laugh as Norman gives us the lowdown on how Win CE got its name.

The project to develop Windows for handheld systems had been operating under its code name of Pegasus when one of the project managers was given the task of picking a public product name.

He took this job seriously, trying hard to avoid a name of the form Windows + two-letter acronym since the sting of “Windows NT = Windows Nice Try” was still fresh. He asked the product team members for suggestions. He hired a marketing firm to come up with names. He ran focus groups with users to see which names resonated best with them. He exercised the due diligence you would expect to make sure the name carried the desired connotations while being resistant to ridicule and avoiding being unintentionally salacious or offensive.

However, the executive in charge of approving the name insisted on the name Windows CE, for no reason other than “it sounded good.”

When asked what the letters CE stood for, the answer was that they didn’t stand for anything, although they hinted at Consumer Edition or Compact Edition.

And then somebody abbreviated the product name to WinCE, or wince.

So what’s the upshot for you? His lesson from this entire experience: Do everything you can to prevent upper management from naming your product.


US: Congress Calls Out Amazon for Careless Data Security

After an investigation last month by Reveal from the Center for Investigative Reporting, lawmakers have called for both a Federal Trade Commission investigation of Amazon’s shoddy data protection and for a federal privacy law.

Reveal’s report showed that Amazon had let many internal employees look up customer orders at will and that a data company in China likely obtained access to the personal data of millions of customers, among other lapses.

Amazon has said that those incidents don’t reflect current practices.

But senators Ron Wyden (D-Oregon) and Jon Tester (D-Montana), along with several representatives, have pointed to the series of failures as proof that US companies need to do more to protect their customers’ data.

So what’s the upshot for you? Although the United States lacks a federal data privacy law, the European Union passed a far-reaching one, called the General Data Protection Regulation, or GDPR, which went into effect in 2018 and limited how companies could use customer data. At the time, Amazon didn’t have adequate controls for how sensitive personal data was used internally, according to a former Amazon lawyer who worked on preparing the company for GDPR: “User personal data flowed like a river.”

Amazon is already fighting an $883 million GDPR fine by authorities in Luxembourg, where Amazon has its European headquarters. There could be more trouble ahead.


Global: Messy NFT drop angers infosec pioneers with unauthorized portraits

An unauthorized NFT drop celebrating infosec pioneers has collapsed into a mess of conflicting takedowns and piracy.

Released on Christmas Day by a group called “ItsBlockchain,” the “Cipher Punks” NFT package included portraits of 46 distinct figures, with ten copies of each token. Taken at their opening price, the full value of the drop was roughly $4,000. But almost immediately, the infosec community began to raise objections — including some from the portrait subjects themselves.

The portrait images misspelled several names — including EFF speech activist Jillian York and OpenPGP creator Jon Callas — and based at least one drawing on a copyright-protected photograph.

More controversially, the list included some figures who have been ostracized for harmful personal behavior, including Jacob Appelbaum and Richard Stallman.

So what’s the upshot for you? Tuesday morning, the ItsBlockchain team announced in a Medium post that it would be “shutting down” the collection in response to the backlash, offering full refunds to any purchasers and covering any gas fees involved in the transfer.

“We were not aware of the likeness laws in NFTs as the market is not regulated,” the post reads. “It’s our mistake. We have to own up to it.”

In the wake of the post, OpenSea appears to have taken central action to remove the collection, which is no longer visible on the platform.


US: 6 Security Tech Trends for 2022

The Rise of Privacy-Enhancing Computation
Privacy-enhancing computation is a growing body of encryption, data obfuscation, and privacy technologies meant to help secure data as it’s being crunched and handle particularly tricky situations, such as when data is shared within digital ecosystems across geographic boundaries, brand lines, or different corporate entities. Technologies like homomorphic encryption, differential privacy, and trusted execution environments make it possible for various entities to combine and analyze data sets without sharing the data they own in the clear. This will be key for getting the most out of digital transformation while remaining compliant and keeping the trust of customers and partners. Gartner says that by 2025, half of all large organizations will utilize privacy-enhancing computation, and 2022 is likely to be a big year for building that momentum.
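Differential privacy is the one of those technologies that fits in a few lines, so here is an added example (not from the newsletter or from Gartner) of why a noised statistic can be shared when the raw one cannot. The records are constructed; the mechanism is the standard Laplace mechanism for a counting query, and the "differencing" check shows a single person being singled out from two raw counts and then hidden once noise is added.

```python
"""Differential privacy on a shared statistic: the Laplace mechanism.

Added example (not from the newsletter). Records are constructed.
"""
import math
import random


def laplace_noise(scale, rng):
    """One sample from Laplace(0, scale) via the inverse CDF; rng is a random.Random."""
    u = rng.random() - 0.5            # uniform on [-0.5, 0.5)
    if u == -0.5:                     # rng.random() returned exactly 0.0; avoid log(0)
        u = -0.5 + 1e-12
    return -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))


def private_count(records, predicate, epsilon, rng):
    """Count records matching predicate, plus Laplace(1/epsilon) noise.

    A count changes by at most 1 when one person is added or removed
    (sensitivity 1), so scale = 1/epsilon gives epsilon-differential privacy.
    """
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def differencing_check(records, target_index, predicate, query):
    """Difference of the query with and without one person.

    On raw counts this is exactly the target's attribute (0 or 1): the data
    set leaks one individual even though only aggregates were released.
    """
    without = records[:target_index] + records[target_index + 1:]
    return query(records, predicate) - query(without, predicate)


def demo(seed=7, epsilon=0.5):
    """Return (raw_leak, noisy_leak) for one constructed data set."""
    rng = random.Random(seed)
    # Constructed sample: (person_id, has_condition); every third person is positive.
    records = [(i, i % 3 == 0) for i in range(30)]
    target = 9                                   # 9 % 3 == 0, so the true value is 1
    has_condition = lambda r: r[1]
    raw_query = lambda recs, pred: sum(1 for r in recs if pred(r))
    noisy_query = lambda recs, pred: private_count(recs, pred, epsilon, rng)
    raw_leak = differencing_check(records, target, has_condition, raw_query)
    noisy_leak = differencing_check(records, target, has_condition, noisy_query)
    return raw_leak, noisy_leak


def noise_stats(n=20000, scale=1.0, seed=1):
    """Empirical (mean, mean |x|) of n samples; Laplace has E[X]=0 and E|X|=scale."""
    rng = random.Random(seed)
    samples = [laplace_noise(scale, rng) for _ in range(n)]
    return sum(samples) / n, sum(abs(s) for s in samples) / n


if __name__ == "__main__":
    raw, noisy = demo()
    print("raw differencing result:", raw)       # exactly 1: person 9 is exposed
    print("noised differencing result:", noisy)  # 1 plus the difference of two noise draws
```

The noised difference is the true value plus the difference of two independent Laplace draws, each with scale 1/epsilon, so at epsilon = 0.5 the noise typically swamps the signal; raising epsilon buys accuracy at the cost of privacy, which is the trade-off each party in a shared data set has to agree on.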

More Robust API Security Options
The latest studies show a whopping 97% of organizations have experienced delays in releasing new applications and software features due to their concerns about API security. The struggle is real, as business needs dictate better integration of applications — both inside and outside organizational boundaries — but security and compliance demands require it to be done securely. API security solutions are starting to grow more mature, and the venture funding in this niche over the past year points to more innovation inbound on this front in 2022.

Better Discipline in AI Hardening
As enterprises increasingly depend on AI modeling for everything from predicting supply chain needs to fraud prevention, the confidentiality, integrity, and availability of AI technology will continue to grow in importance in 2022. Security leaders are increasingly getting their arms around the idea that AI models and AI data have the potential to become the next battlefield of cybersecurity. Fortunately, researchers and innovators are working on bringing some discipline to the field of AI hardening. Earlier in 2021, Microsoft released a new AI security risk assessment framework designed to help improve AI security, which is a solid follow-up to ongoing work by MITRE on a collaborative project called the Adversarial ML Threat Matrix. All signs point to more work in this field unfolding over the next 12 months as practitioners and researchers alike innovate to secure the next generation of enterprise AI tooling.

Security Applications of Siamese Neural Networks
Major challenges in applying machine learning and AI to cybersecurity include the typical necessity of large training data sets, as well as constant retraining in the face of changing conditions to make the models perform well. Security researchers are trying to get over the hump of these limitations by using siamese neural networks (SNNs) — a type of model that uses a smaller sampling of data for better predictions — to make usable predictions.

All Things Identity
It’s been at least a decade now since the cybersecurity pundits first declared identity as the new perimeter, but it has taken a while for innovators and practitioners to catch up to this idea in the real world. Now, though? Identity innovation is red-hot, as evidenced by the latest numbers from Omdia, which show that the identity, authentication, and access market grew 13.4% in 2021 to reach $28.9 billion, with lots more runway to go in 2022 and beyond.

That bucket includes everything from maturing privileged access management (PAM) and identity-as-a-service (IDaaS) to increasingly viable-looking passwordless authentication technologies.

Improved Cloud Workload Security
The explosion in containerization, microservices, and cloud prevalence across the enterprise has stimulated a huge need for improved cloud workload security. Not only are the major cloud and security providers working on folding these protections in their native stacks, but the market is seeing a big influx of new and newly funded startups seeking to bring their cloud workload protection innovations to the market.

So what’s the upshot for you? They are safe bets, but with so much else flying around us, we’re not laying money on anything.


US: Study finds “serious security risks” in K-12 School Apps

https://me2ba.org/spotlight-report-4-me2b-alliance-product-testing-report-deeper-look-at-k-12-school-utility-apps-uncovers-global-advertising-company-from-cbs-viacom-unexpected-security-risks/

Many apps used by schools contain features that can lead to the “unregulated and out of control” sharing of student data to advertising companies and other security issues, according to a report published Monday by the nonprofit Me2B Alliance.

The report follows up on research published by the group in May, which audited 73 apps used by 38 schools to find that 60% of them were sending student data to a variety of third parties. Roughly half of them were sending student data to Google, while 14% were sending data to Facebook.

The report offers several recommendations to mitigate security risks highlighted in the report, including training for app administrators, creating processes at schools for keeping track of expiring URLs, requiring schools to report lost or dangling domains within a specific time, and launching a “privacy bounty program” at the US Department of Education to audit school apps.

However, the fastest way to reduce these risks would be to alter the way the apps work. “Apple and Google can change rules for in-app WebView links to ensure app developers can’t overrule a local device browser preference."

So what’s the upshot for you? As far as children are concerned, this is simply unacceptable. This needs to be tidied up, and quickly.
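Two of the report's recommendations (tracking expiring URLs and reporting lost or dangling domains) come down to keeping an inventory and checking it on a schedule. Here is an added example of that check, not code from Me2B or the newsletter. The inventory, the dates, and the resolver are all constructed so it runs offline; against live data the stand-in resolver would be replaced by a real DNS lookup.

```python
"""Inventory audit for domains a school app links to: flag expiring and dangling ones.

Added example (not from the Me2B report or the newsletter). Everything below is
constructed; example-school.org and example-ads.net are placeholder names.
"""
from datetime import date

# Constructed inventory: the registration expiry the school has on record, or None if unknown.
INVENTORY = [
    {"domain": "portal.example-school.org", "expires": date(2022, 6, 30)},
    {"domain": "lunchmenu.example-school.org", "expires": date(2022, 1, 10)},
    {"domain": "old-calendar.example-school.org", "expires": date(2020, 9, 1)},
    {"domain": "signup.example-school.org", "expires": date(2021, 3, 1)},
    {"domain": "cdn.example-ads.net", "expires": None},
]

# Constructed stand-in for DNS: which names currently resolve.
RESOLVES = {
    "portal.example-school.org": True,
    "lunchmenu.example-school.org": True,
    "old-calendar.example-school.org": False,
    "signup.example-school.org": True,
    "cdn.example-ads.net": True,
}


def fake_resolver(domain):
    """Offline resolver stand-in; swap for a real lookup (socket.gethostbyname in try/except)."""
    return RESOLVES.get(domain, False)


def audit(inventory, resolves, today, warn_days=30):
    """Return {domain: [issues]} for every inventory entry that needs attention."""
    report = {}
    for item in inventory:
        issues = []
        expires = item["expires"]
        still_resolves = resolves(item["domain"])
        if expires is None:
            issues.append("no_expiry_on_record")          # usually a third party nobody owns
        elif expires < today:
            issues.append("registration_lapsed")
            if still_resolves:
                # Lapsed on our records but still answering: someone else may hold it now.
                issues.append("lapsed_but_resolving")
        elif (expires - today).days <= warn_days:
            issues.append("expires_within_%d_days" % warn_days)
        if not still_resolves:
            issues.append("does_not_resolve")             # app links to a dead name
        if issues:
            report[item["domain"]] = issues
    return report


if __name__ == "__main__":
    for domain, issues in audit(INVENTORY, fake_resolver, date(2021, 12, 28)).items():
        print(domain, issues)
```

The most urgent line in the output is the lapsed-but-resolving one: a name the app still opens, whose registration the school no longer holds, yet which answers. That is exactly the dangling-domain case the report wants schools to report within a fixed time.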


US: You are ringing me on what?

Many adults found it charming when Mattel upgraded its classic Fisher-Price Chatter telephone for its 60th anniversary in October with actual Bluetooth capabilities, so grownups, too, can use it — and for actual mobile phone calls.

But flaws in the way the toy pairs with Bluetooth mean that other people with bad intent can listen in on private conversations.

A team at Pen Test Partners revealed earlier this month that the implementation of Bluetooth used in the device has no secure pairing process, allowing for audio bugging by anyone nearby when someone is using Chatter to talk on the phone.

So what’s the upshot for you? The moral of this story? Stay away from your kids’ toys for business calls.


US: Top (and bottom) delivery items according to Instacart for 2021

…just add in your US city zip code to find out what’s trending in your area.

So what’s the upshot for you? For our neighborhood, one of the top three groceries trending upward was wet cat food. We can almost guess from that that 2022 has got to be better.



That’s it for this week Damlers!
With the holidays over.
And the parties behind,
It’s time for the diets,
And the mid-Winter grind.
From the treadmills and gym,
And the yoga at home,
Resolutions to reach out,
To those all alone.
Just make us a promise,
This one you can own,
Call us on anything
but your kid’s Fisher-Price phone!


Be kind, stay safe, stay secure, Happy New Year, and see you in se7en!


