Hanging on the phone for the IT Privacy and Security Weekly update: March 23rd 2021



This week we invite you to join us as we make a bunch of long-distance calls, starting with India, moving across the world, and finally ending up in Egypt.

During our phone-dialing journeys we find over five hundred and sixty-seven thousand good reasons not to be vengeful, we tell you how the FBI tried to make friends with us and failed on the first click, and we share the EU’s new strategy that has us stopping at the start.

We redefine Sassy and give you yet another example of why using SMS for authentication is just … not that good.

We finish with a story about an Egyptian TikTok user after he filed a vulnerability report that had him dancing around his phone.

Daml’ers, It’s all here, you just have to answer the call!

And now on to our first story…


IN: That fake call centre that kept calling your grandmother, just got busted with 34 arrested.

http://www.uniindia.com/~/fake-call-centre-busted-34-arrested-for-duping-foreign-nationals/India/news/2349680.html

UniIndia: New Delhi, Mar 21 (UNI) Delhi Police Cyber Crime Unit has busted a fake call center and arrested 34 people for allegedly duping foreign nationals in the name of Apple and McAfee technical support.
Police said the accused own two call centers in Uttam Nagar and cheated more than 7,000-8,000 US and Canadian nationals of US$1.5M over the last three years.
“They would call foreign nationals and tell them their bank accounts were used in illegal transactions made to drug cartels in Mexico and they would be arrested. Fearing arrest, the victims would put their money into Bitcoin or Google gift cards. This was done on the instructions of the accused. The money was then transferred to other accounts,” DCP (Cyber Crime Unit) Anyesh Roy said.
The accused also sent ad pop-ups to people and told them their devices were hacked, and they would pose as officials from McAfee or Apple technical support. “They would talk to the victims and convince them that their devices are hacked or their data has been compromised. The victims were then induced to pay to clean their device or pay for tech support,” said DCP Roy. The Special Cell had received information about two illegal call centers in Dwarka and conducted raids. Police have arrested 34 persons in total, 18 from one center and 16 from the other. Kshitiz Bali (32) was running one center on the third floor, and his associate Dhananjay Negi (28) was running another center on the fourth floor of the same building.

So what’s the upshot for you? Add this to the 54 people arrested in a different part of India last December and it may be time for your grandmother to breathe a little easier before taking that call.


IN: 2 years for the disgruntled IT contractor

Indian national Deepanshu Kher was hired by an American IT consulting firm in 2017. The firm sent Kher to the headquarters of a company in Carlsbad, California, to assist the business with its migration to a Microsoft Office 365 (MS O365) environment.
According to court documents, Kher was employed by an information technology consulting firm from 2017 through May 2018.
In 2017, the consulting firm was hired by the Carlsbad Company to assist with its migration to a Microsoft Office 365 (MS O365) environment. In response, the consulting firm sent its employee, Kher, to the company’s Carlsbad headquarters to assist with the migration.
The company was dissatisfied with Kher’s work and relayed their dissatisfaction to the consulting firm soon after Kher’s arrival.
In January 2018, the consulting firm pulled Kher from the company’s headquarters. A few months later, on May 4, 2018, the firm fired Kher, and a month after that, in June 2018, Kher returned to Delhi, India.
On August 8, 2018, two months after his return to India, Kher hacked into the Carlsbad Company’s server and deleted over 1,200 of its 1,500 MS O365 user accounts. The attack affected the bulk of the company’s employees and completely shut down the company for two days.
Court documents record the company’s vice president of IT stating: “In my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”
Kher was arrested when he flew to the United States on January 11, 2021. On March 22, the 32-year-old was sentenced to two years in prison and three years supervised release. He was further ordered to pay $567,084 in restitution to the company whose operations he sabotaged.

So what’s the upshot for you? Don’t think you won’t get caught. These types of stories play out badly for the inflicted but even worse for the “inflictee”.


Global: Accellion’s File Transfer Appliance (FTA) file sharing service fallout rolls on and on.

Royal Dutch Shell (Shell) revealed that it too had been breached toward the end of 2020, adding them to the list including U.S.-based grocery and pharmacy chain Kroger, law firm Jones Day, information security and compliance solutions provider Qualys, Australian health and transport agencies, the Office of the Washington State Auditor (SAO), the Reserve Bank of New Zealand, and jet maker Bombardier.
So what’s the upshot for you? That’s 25 of the 300 companies running the software. Let’s see how far this goes.


US: Suffer a cyber attack? The FBI really would like to help.

The FBI are constantly trying to build relationships with businesses in the private sector.
“Any FBI contact can help direct you. But do speak with us as early as possible. If you wait to tell us about an incident that happened six months ago, we may not be able to get all of the evidence we need or to put the steps in place that may have helped you much sooner”
Building rapport and establishing relationships between the private sector and the FBI helps the agency evolve its investigation methods to meet evolving threats, and for that the Office of Private Sector (OPS), part of the FBI’s Intelligence Branch, came into being. The OPS “allows for one ‘FBI voice’ and connects private industry with whom they need to connect with — whatever the concern.” This means you can contact almost anyone in the FBI and that person will see to it that any concern you express gets to the right agents within the FBI. It also means you will have contact with the same FBI agent(s) and not have to talk to different people each time there is a concern or incident.
Also, you might want to ask your attorney to join the meeting with the FBI too.
“Legal counsel is desirable for several reasons. For one, bringing them up to speed afterward on our evidence collection delays progress. It’s better to include legal counsel early on rather than repeat everything again later. But also, given data privacy laws, you may not have the authority to give us consent — and you may not know that, but your lawyer will. It’s imperative that we collect the evidence according to the rules.”
Having legal counsel present isn’t perceived as an obstacle or a confrontation. “I’ve never encountered a situation that legal counsel wasn’t helpful,” said one FBI section-chief.

So what’s the upshot for you? Creating a working relationship with the FBI is not as straightforward as you might imagine. Even for some of the largest financial and healthcare institutions in the US, working with the limited resources of the FBI will always present a challenge. And even now, when we clicked on the OPS fact sheet, we got a 404, or “page not found”.
So, while an ongoing relationship ahead of problems is ideal, it might not provide the highest return on investment: however, when you need them, you can still reach out to the local FBI field office, file a report online at ic3.gov, or simply call 1-800-CALL-FBI (1-800-225-5324).


EU: Yesterday the EU announced a strategy for CyberSecurity!

https://data.consilium.europa.eu/doc/document/ST-6722-2021-INIT/en/pdf

Actions laid out in the conclusions include:

  • the creation of a network of security operation centers across the Union to improve both threat detection and anticipation and the possible establishment of a cyber-intelligence working group to strengthen the EU Intelligence and Situation Centre (INTCEN).
  • the definition of a joint cyber unit that “would provide clear focus to the EU’s cybersecurity crisis management framework.”
  • the adoption of key internet security standards will require “a joint effort,” described as: “instrumental to increase the overall level of security and openness of the global internet while increasing the competitiveness of the EU industry.”
  • the cybersecurity of connected devices.

and finally the one that had us scratching our heads…

  • “addressing the need to support the development of strong encryption as a means of protecting fundamental rights and digital security” …er… “while simultaneously ensuring that law enforcement agencies and judicial authorities can exercise the offline and online powers that have been granted to them.”

So what’s the upshot for you? We applaud any effort to set standards, share information between relevant agencies and ultimately protect the consumer. The encryption statement has left us a little confused though. If the EU wants backdoors in encryption technologies, they should say that and then prepare for the eventuality that any back door is an “open door”, because secrets can only be kept for so long.


US: The Dept of Energy Needs to Ensure Its Plans Fully Address Risks to Distribution Systems

https://www.gao.gov/assets/gao-21-81.pdf

After conducting semi-structured interviews with 38 key federal and nonfederal entities associated with the cyber-security of grid distribution systems, and reviewing reports from both the Dept. of Energy and the Dept. of Homeland Security (DHS) and other relevant documentation, the U.S. Government Accountability Office (GAO) has concluded that, in its plans to implement the national cyber-security strategy, the Dept. of Energy needs to fully address cyber-risks to the grid’s distribution systems.
“The grid’s distribution systems face significant cyber-security risks—that is, threats, vulnerabilities, and impacts—and are increasingly vulnerable to cyber-attacks. Threat actors are growing more adept at exploiting these vulnerabilities to execute cyber-attacks. However, the scale of the potential impacts of such cyber-attacks on the grid’s distribution systems is unclear,” GAO says.
The growing exposure to cyber-risks, GAO points out, is the result of increased use of monitoring and control technologies within distribution systems, such as remote control capabilities in industrial control systems (ICS), global positioning systems (GPS) for grid operations, and the connecting of networked consumer devices and distributed energy resources to distribution systems networks.
Vulnerabilities related to the increased use of technology advancements are “compounded for distribution systems because the sheer size and dispersed nature of the systems present a large attack surface,” the report reads.
It also states that the Department of Energy’s plans do not address distribution systems’ vulnerabilities related to supply chains.
According to officials, the Department of Energy has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid’s generation and transmission systems. Without doing so, however, the Department of Energy’s plans will likely be of limited use in prioritizing federal support to states and industry to improve grid distribution systems’ cybersecurity.
So what’s the upshot for you? You have to look at all elements of a comprehensive cyber-security plan, not just the ones you oversee. If you are dependent on partners outside your realm of responsibility, they need to be considered for inclusion. The cybersecurity of one or more elements in a complex mesh could severely impact the delivery to all others.


Global: What’s SASE (pronounced Sassy!)?

“Sase” (Sassy) is a term you are going to be hearing a lot more over the next few years, so let’s dive in and figure out what it means. Apparently only defined by the Gartner Group in 2019, SASE is composed of five main technologies:

  • Software-defined wide area network (SD-WAN) - SD-WAN applies software-defined networking (SDN) to a wide area network (WAN). It simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism, and it allows you to use different networking technologies, including MPLS, LTE, and broadband internet services, to connect to resources.
  • Firewall as a service (FWaaS) - protects users and assets located in an office or connected via VPN against a wide range of modern-day threats.
  • Cloud access security broker (CASB) - provides visibility into which SaaS or cloud-based applications are being accessed by users, so security controls may be applied.
  • Secure web gateway - employees browse websites to conduct research and to interact with vendors or customers, but also for reasons completely unrelated to their jobs. The protection of a secure web gateway follows users virtually anywhere they are located, to help ensure that the sites they visit are both safe and appropriate for the workplace.
  • Zero-trust network access (ZTNA) - some of its core tenets are the principle of least privilege and that all traffic, regardless of its origin, be inspected. Legacy access technologies, including VPN, typically gave users access to everything within a network segment, which is often more than needed to complete job duties and may needlessly expose sensitive data. ZTNA enables administrators to grant access to specific applications, by role or by user, oftentimes without having to connect to the network.

Who provides this combination of services in one SASE bundle? Vendors like Cato Networks, Open Systems, Palo Alto Networks, Versa Networks, VMware, and now Cloudflare.

So what’s the upshot for you? The best way to find out about product offerings is often to ask one vendor what makes them better. In this case, we got the strong impression that the solutions to avoid are ones that integrate existing products (potentially) from different vendors, which cuts the field of viable candidates substantially and might make the Cloudflare offering an interesting starting point if you are feeling sassy.


US: A Hacker Got All My Texts for $16

I didn’t expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.
Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.
I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.
A few minutes after they entered my T-Mobile number into Sakari, Lucky225 started receiving text messages that were meant for me. I received no call or text notification from Sakari asking to confirm that my number would be used by their service. I simply stopped getting texts.
As for how Sakari has this capability to transfer phone numbers, Nohl from Security Research Labs said “there is no standardized global protocol for forwarding text messages to third parties, so these attacks would rely on individual agreements with telcos or SMS hubs.”
In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.
Sakari did not send any sort of message to the target number to confirm whether the user consented to the transfer. Bandwidth said it was the responsibility of the retail service provider, which in this case was Sakari, to obtain the consent.

So what’s the upshot for you? It would not be so scary if it weren’t for the fact that it is that simple. Still.


US: Proof

How many messages will you send per month? 500?
Subscription: Starter
$16/month; additional messaging credits: $0.0320

So what’s the upshot for you? We found 4 more companies providing this service with only a LOA (Letter of Authorization).
  • Textedly: Best for Growing Businesses. Textedly offers built-in CTA and mobile carrier compliance. …
  • SimpleTexting: Most Flexible Text Message Marketing Service. …
  • EZ Texting: Best Overall Text Message Marketing Service. …
  • SlickText: Best Low-Cost Text Message Marketing Service.
We expect all the aforementioned to tighten their processes in the aftermath of the Vice exposé.


US: An example of an SMS monitoring service

https://okeymonitor.com/

Out-of-band security gaps exist which allow hackers to virtually steal your phone from anywhere. In today’s world, if they have your personal or business telephone number, they are “Authentically” you.

Okey Systems’ monitoring tool works by creating a fingerprint of a user’s phone number, including the carrier it is connected to and its SMS routes, Tuketu, the company’s CEO, said. The company has also sought access to telecoms’ SIM databases, meaning they could monitor for changes there too.

With these observation points, when something changes, either by a hijack like in this attack or a SIM swap, Okey Systems should be able to detect and warn the user by a text message sent to another number or their email address. Tuketu said the company is also adding support for notifications via Telegram, Keybase, and Signal.

“We didn’t want to disclose it until we had some solutions to address it,” Tuketu said. “We did not want to charge for them, because that just doesn’t seem right. The consumer version of Okey Monitoring is free to use, and the company plans to make money in other ways like corporate partnerships.”
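To make the monitoring idea above concrete, here is an added Python sketch of our own (it is not Okey Systems’ code and says nothing about how their product is built): it snapshots a number’s carrier, the entity registered to receive its SMS, and a reference to the SIM the carrier has bound, then classifies a later snapshot as an SMS reroute, a SIM swap or a port-out and builds the out-of-band alert. The phone number, carrier names, route owners and SIM references are constructed sample values, and the lookups a real monitor would run against carrier or number-registry data are replaced by those hard-coded snapshots.

```python
"""Routing-change monitor sketch (added example; not Okey Systems' code).

A real monitor would look each field up against carrier / number-registry
data; here the snapshots are constructed sample values.
"""
from dataclasses import asdict, dataclass
import hashlib
import json


@dataclass(frozen=True)
class NumberFingerprint:
    number: str      # E.164 form; constructed sample
    carrier: str     # network the number currently resolves to
    sms_route: str   # entity currently registered to receive SMS for the number
    sim_ref: str     # opaque reference to the SIM bound to the number (e.g. a hash of the ICCID)

    def digest(self) -> str:
        """Stable hash of the whole fingerprint, handy for storing the enrolment baseline."""
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def diff_fingerprint(baseline: NumberFingerprint, current: NumberFingerprint):
    """Return [(field, old, new)] for every routing field that changed."""
    if baseline.number != current.number:
        raise ValueError("fingerprints are for different numbers")
    return [
        (field, getattr(baseline, field), getattr(current, field))
        for field in ("carrier", "sms_route", "sim_ref")
        if getattr(baseline, field) != getattr(current, field)
    ]


def classify(changes) -> str:
    """Map the changed fields to the event type the user should be warned about."""
    fields = {field for field, _, _ in changes}
    if not fields:
        return "ok"
    if fields == {"sms_route"}:
        return "sms-reroute"      # texts diverted while the phone still shows service
    if fields == {"sim_ref"}:
        return "sim-swap"         # same carrier, a different SIM now bound to the number
    if "carrier" in fields:
        return "port-out"         # number moved to another network
    return "multiple-changes"


def check_number(baseline: NumberFingerprint, current: NumberFingerprint, notify_to: str) -> dict:
    """Compare two snapshots and build the alert, to be sent to a *different* number or an email."""
    changes = diff_fingerprint(baseline, current)
    verdict = classify(changes)
    if verdict == "ok":
        return {"verdict": verdict, "alert": None}
    detail = "; ".join(f"{field}: {old} -> {new}" for field, old, new in changes)
    return {"verdict": verdict, "alert": f"[{verdict}] {baseline.number}: {detail}. Notify {notify_to}."}


# Constructed samples: the baseline taken at enrolment, then two later re-checks.
BASELINE = NumberFingerprint("+15550100001", "ExampleMobile", "ExampleMobile", "sim-a1b2")
REROUTED = NumberFingerprint("+15550100001", "ExampleMobile", "BulkSMSVendor-LOA", "sim-a1b2")
SWAPPED = NumberFingerprint("+15550100001", "ExampleMobile", "ExampleMobile", "sim-f9e8")

if __name__ == "__main__":
    for snapshot in (BASELINE, REROUTED, SWAPPED):
        print(check_number(BASELINE, snapshot, "backup@example.com"))
```

The point of the `sim_ref` field is that a SIM swap on the same carrier changes neither the carrier nor the SMS route, so a monitor that only watches routing would miss it; the alert goes to a channel other than the monitored number because, in both attack cases, that number is the thing the attacker now controls.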

So what’s the upshot for you? We implore you, where possible, to use an alternative to SMS to authenticate to websites. Google Authenticator, Microsoft Authenticator, Authy, or Duo are all potential options.


US: Unclaimed property? The most recent report from the Cali controller’s office to the attorney general.

https://sco.ca.gov/upd_msg.html

The California State Controller’s Office, an agency responsible for handling more than $100 billion in public funds each year, got hit with a phishing attack last week, according to the data breach notice it filed last Saturday.
The phisher-people had access for more than 24 hours and stole Social Security numbers and sensitive files on thousands of state workers before sending targeted phishing messages to over 9,000 workers and their contacts.
The State Controller’s Office holds an enormous amount of personal and financial information on millions of people and companies that do business with or within California.
WHAT HAPPENED?
An employee of the California State Controller’s Office (SCO) Unclaimed Property Division clicked on a link in an email they received and then entered their user ID and password as prompted, unknowingly providing an unauthorized user with access to their email account. The unauthorized user had access to the account from March 18, 2021 at 1:42 p.m. to March 19, 2021 at 3:19 p.m.

So what’s the upshot for you? Apparently, the State Controller’s Office management set a new requirement late last year that they were to be notified of any random phishing tests sent to all employees as part of the cyber awareness training program. Looks like that might have been a mistake.


EG: Looking for another way to earn money with TikTok?

We confess we are never going to earn a million dollars with cute videos of us flossing or singing in time with Aretha Franklin, but this method of making money through TikTok caught our eye.
In a blog post published on Medium last week, Sayed Abdelhafiz, an 18-year-old researcher from Egypt, disclosed the details of several vulnerabilities he identified late last year and in early 2021 in the TikTok app for Android.

He discovered a couple of cross-site scripting (XSS) vulnerabilities, an issue related to starting arbitrary components, and a so-called Zip Slip archive extraction vulnerability.
Chaining these vulnerabilities could have allowed an attacker to remotely execute arbitrary code on the targeted user’s Android device simply by convincing them to click on a malicious link.
As for what an attacker could have done with this exploit, he said “anything TikTok can do on your device, the exploit can do.”
“If the victim has given the storage permission to the TikTok application, the exploit can access the storage’s files,” he explained. “If bad people exploit this vulnerability, they may chain it with an Android vulnerability to take over the whole device, even if the TikTok app doesn’t have permission to do anything.”
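For readers who have not met Zip Slip before: an archive entry whose name contains `../` segments (or an absolute path) makes a naive extractor write outside the directory it was told to unpack into, and from there an attacker-controlled file can land somewhere the application will later load or run. The defensive check is simple and is shown below in an added Python example of our own (it is not code from Sayed Abdelhafiz’s write-up or from the TikTok app, which is Android/Java): resolve each entry’s final path and refuse anything that does not stay under the destination. The archive is constructed in memory with two benign entries and two escaping ones.

```python
"""Zip Slip audit and safe extraction (added example; not from the TikTok research or app)."""
import io
import os
import zipfile


def resolves_inside(dest_dir: str, member_name: str) -> bool:
    """True if `member_name` would be written under `dest_dir` once the path is normalised.

    Resolving with realpath (rather than grepping for "..") handles "a/../b", absolute
    names and symlinked destination directories uniformly.
    """
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, target]) == dest


def audit_archive(zip_bytes: bytes, dest_dir: str) -> dict:
    """Classify every entry as safe or rejected without writing anything to disk."""
    result = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "safe" if resolves_inside(dest_dir, info.filename) else "rejected"
            result[bucket].append(info.filename)
    return result


def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract only the entries that stay inside dest_dir and report the rest."""
    verdict = audit_archive(zip_bytes, dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in verdict["safe"]:
            zf.extract(name, dest_dir)
    return verdict


def build_demo_archive() -> bytes:
    """Constructed sample archive: two benign entries and two Zip Slip attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "benign")
        zf.writestr("notes/../top.txt", "still inside dest_dir after normalisation")
        zf.writestr("../../escaped.txt", "would land two directories above dest_dir")
        zf.writestr("/etc/cron.d/job", "absolute path, ignores dest_dir entirely")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(build_demo_archive(), "/tmp/zipslip-demo"))
```

Note that the second entry is accepted: `notes/../top.txt` normalises to a path inside the destination, which is why the check resolves the path instead of rejecting any name containing `..`. The same rule applies to whichever archive library an app uses; the bug is in trusting the entry name as a path.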

So what’s the upshot for you? For that little ditty, he got US$ ten grand! Keep dancing Sayed!


That’s all for this week Daml’ers! We hope you enjoyed the call and will join us again in se7en days!



… it would be funny were it not so prevalent. Well-funded, high-profile ‘expert’ entities that cannot/do not even run a regular outward-facing link check or accessibility review. I used to contact Government departments about this, but no more.

This scenario is a valid concern far more than we would think. I live in a rental property, we have 2 keys, the Property Manager has at least 3 keys (I saw them), the previous tenant who now lives 2 doors up the street probably had extra keys cut, as likely did the previous tenants over the past 20 years.

Do I feel totally confident that no-one is going to enter this property without our permission, while we are here or not?

No.


One way to handle your situation is to change the door lock and give the landlord a copy (one) of the key. And I understand this won’t work in certain buildings, as the keys and locks are registered in some cases… and I’ve actually seen this in place in a couple of places when visiting Zurich, Switzerland.

It might cost you a few bucks, but then you would have the assurance of who could access your place using that key. Landlords typically have conditions of notice that they must provide.

This doesn’t work with encryption. If a backdoor is engineered into the code, at some point, someone is going to let that detail loose and then anything that was encrypted with that algorithm is essentially open to anyone with the desire to decrypt it.

Remember Blackberry phones? They were renowned for their security until we found out they had shared keys with half the governments on the planet.

Additionally, it doesn’t stop someone from using a non-backdoored encryption algorithm if they want to stop police examination of their data or messages. That’s the important part. The encryption cat is out of the bag. We can’t reverse that part of history. It’s already written.

Thanks for your response quidagis! We all enjoy your input and participation here!


Thanks for the tip, I just checked our rental agreement, and it is permissible 👍

Indeed, we are now in a digital arms race across many sectors, and it is becoming Government vs Us, or Government/Criminals vs Us. In my naivety I hope that Smart Contracts using Daml will ameliorate some of that risk.
