IT's most Fashionably Private and Secure Weekly Update for October 12th 2021


October is Cyber awareness month; coincidentally it is also the one month in twelve that has the highest number of reported cyber attacks. So how do we acknowledge that? By irreverently engaging drinks, food, and fashion.

While others rush out to the shops to buy everything baggy, those in the know have security tighter than a fresh pair of Burberry leggings.

For our show we have free beers on the far side of the Catwalk, a Twitch portrait of Jeff B’s new look, outfits with chains that are breaking, a company making schoolteachers look bad, and a fantastic new rap artiste to name but a few.

Of course, we can’t give the ending away … before we surface with more snacks… but do watch that you don’t get sensitive data stuck in your teeth.

Whether you are a fashionista or a “securisto” this is the best update yet!

So go grab your Chanel, Stella, and Fendi, let’s jump on a catwalk where IT Privacy and Security are trendy!

UK: “Free Beers!” Wait? Did they just say free beers?

BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers.

Every mobile app user was given the same hard-coded API Bearer Token, rendering request authorization useless.

It was therefore trivial for any user to access any other user’s PII, shareholding, bar discount, and more…

The disclosure was rather fraught. Instead of being ‘cool’ as we had hoped, given their reputation as being a bit counter-culture, BrewDog instead declined to inform their shareholders and asked not to be named. It took 4 failed fixes to properly resolve the problem.

But, best of all, shareholders get a free beer on the 3 days before or after their birthday under the terms of the Equity for Punks scheme. One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!

It’s public knowledge that BrewDog is considering an IPO. We might be concerned for future investors if BrewDog’s wider approach to security and disclosure is this weak.

So what’s the upshot for you? Don’t know about you, but we are parched right now. Sure could use beer.

Global: How The Twitch hack continues to make Jeff Bezos look bad.

More fallout from Twitch hack, Bezos doesn’t look good. The Amazon-owned streaming service Twitch, which admitted to getting its servers snooped last week, may have bigger problems.

Multiple Twitch users reported that on Friday morning something strange was afoot – a rather unflattering picture of former Amazon CEO Jeff Bezos was being posted as a faint background image on the site’s header pages for games. Let’s just say it wasn’t Jeff’s best look.

So what’s the upshot for you? Beauty is in the “eye” of the bevi-holder.

Global: FontOnLake: Previously unknown malware family targeting Linux

ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux.

Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server.

To collect data (for instance ssh credentials) or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries such as cat, kill or sshd are commonly used on Linux systems and can additionally serve as a persistence mechanism.

The nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks. FontOnLake’s currently known components can be divided into three following groups that interact with each other:

  • Trojanized applications – modified legitimate binaries that are adjusted to load further components, collect data, or conduct other malicious activities.
  • Backdoors – user-mode components serving as the main point of communication for its operators.
  • Rootkits – kernel-mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.

So what’s the upshot for you? Thankfully these have turned up in a very limited number of targeted attacks, where the C&C servers are immediately withdrawn after use, but wow! What an arsenal!

Global: Risky Business

Some 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the past year, according to BlueVoyant.

The cybersecurity services company polled 1200 IT and procurement leaders responsible for supply chain and cyber-risk management from global companies with 1,000+ employees to compile its report: Managing Cyber Risk Across the Extended Vendor Ecosystem.

It revealed the average number of breaches experienced in the past 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-on-year increase.

Pain points highlighted by the report include:

  • Managing false positives and large data volumes.
  • Prioritizing risk.
  • Understanding the company’s risk position.

So what’s the upshot for you? Understanding the risks a company face becomes more important to the success of a company with every integrated application and data source. We applaud this initiative to call that out.

UK: Ooh, nasty response, but at least the spelling is OK

An email marketing company with details on a million UK teachers and school admin personnel was exposing those to the public internet thanks to a misconfigured error page on its website.

Not only that, but the Schools Marketing Company (SMC) seemingly dismissed the findings of the infosec company which spotted the flaw when the infosec’ers tried to draw its attention to the problem.

An e-mail to “Pen Test Partners”, described by the firm’s consultant Andrew Tierney as “the most arrogant response I’ve ever had to a disclosure.” The Schools Marketing Company (SMC)'s response surprised Tierney, who said, “We’ve disclosed hundreds of issues over the years, but this ranks as one of the worst responses to date. The most obvious issue – the error page – is easier to fix than sending a nasty response. It’s a bit worrying for a company that claims to hold contact details of over a million school staff.”

Portions of the mail read: “Thank you for your email, and the subsequent one, and the one after that. You mention the word ‘Chasing’, what exactly are you ‘chasing’? You sent us an email, we were not interested in discussing the contents of the email, and as far as we are concerned the matter is closed. Please do not continue to contact us except to acknowledge this email.”

It is unclear for how long the credentials were in the public domain but it was long enough for them to be indexed by the Internet Archive’s Wayback Machine.

So what’s the upshot for you? The UK Information Commissioner has been made aware of the potential breach and confirmed that Schools Marketing Company is a registered data processor. The regulator has the power to investigate and can issue fines if it believes wrongdoing or malpractice was involved in any proven data breach.

Global: Hot patches this week and the new Kanye East Patch Rap

First. The maintainers of LibreOffice and OpenOffice have shipped security updates to their productivity software to remediate multiple vulnerabilities that could be weaponized by malicious actors to alter documents to make them appear as if they are digitally signed by a trusted source.
The weaknesses have been fixed in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 as well as 7.1.2. The Chair for Network and Data Security (NDS) at the Ruhr-University Bochum has been credited with discovering and reporting all three issues.

Next iPhones: The newly released iOS 15 already needs a patch.
Apple on Monday released a security update for iOS and iPad to address a critical vulnerability that could allow an application to execute arbitrary code with kernel privileges… and is being exploited in the wild, making it the 17th zero-day flaw the company has addressed in its products since the start of the year.’ Apple iPhone and iPad users are highly recommended to update to the latest version (iOS 15.0.2 and iPad 15.0.2) to mitigate the security vulnerability.

And lastly …
Apache servers. Only the Apache 2.4.49 and 2.4.50 builds are affected but… “It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.” Patches are now available, so if you run either of those versions of Apache, yes… it’s time for another round of patching.

So what’s the upshot for you? All this calls for a bad rap:

Patch Tuesday, patch Monday,
Wait, which day to patch?
Our phones and our laptops
What version will match?

Patch lightbulbs and TVs
Patch autos and Router
We don’t get the tech
But the icons look cuter.

If you find us missing
There might be a catch,
We’ve paused all our projects,
…We had to go patch.

US: Who has fended off the largest DDoS attack? Now Microsoft enters the ring.

In early August, we shared Azure’s Distributed Denial-of-Service (DDoS) attack trends for the first half of 2021. We reported a 25 percent increase in the number of attacks compared to Q4 of 2020, albeit a decline in maximum attack throughput, from one terabyte per second (Tbps) in Q3 of 2020 to 625 Mbps in the first half of 2021.

The last week of August, we observed a 2.4 Tbps DDoS attack targeting an Azure customer in Europe. This is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.

The attack traffic originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States. The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes.

So what’s the upshot for you? OK AWS it’s your turn.

US: Good news for Insurance companies and Bad News for the Rest of Us.

Wholesale insurance broker Risk Placement Services (RPS) warns that providers have been “battered” by higher-than-anticipated recent losses and are now generally charging much more for less coverage.

Sectors hit hard over the past year, including education, government, healthcare, construction, and manufacturing, have seen premiums increase by 300% or more at renewal time… even if policyholders have the right set of security controls in place.

Multi-factor authentication (MFA) is now described as a “must-have” to even qualify for coverage.

Insurers are finding other ways to reduce their risk of losses, the report said. “Insurance companies are incorporating the same scanning technology used by hackers into their own underwriting process. This allows them to assess an organization’s perimeter security and also develop a metric-based estimate for a potential cyber-attack. These scanning tools can be used to identify unused, vulnerable open ports that could provide a bad actor with a network entry point.”

A Government Accountability Office study last May confirmed that take-up of cyber-specific insurance policies had doubled in 2020 and that successful attacks had led to rising premiums and reduced coverage limits in numbers of cases.

So what’s the upshot for you? If the insurance company can hack you, you may get no coverage at all. Be forewarned!

EU: European Parliament backs ban on remote biometric surveillance

AI-powered remote surveillance technologies such as facial recognition have huge implications for fundamental rights and freedoms like privacy but are already creeping into use in public in Europe.

To respect “privacy and human dignity”, Members of the European Parliament (MEPs) said that EU lawmakers should pass a permanent ban on the automated recognition of individuals in public spaces, saying citizens should only be monitored when suspected of a crime.

The parliament has also called for a ban on the use of private facial recognition databases — such as the controversial AI system created by U.S. startup Clearview (also already in use by some police forces in Europe) — and said predictive policing based on behavioral data should also be outlawed.

MEPs also want to ban social scoring systems that seek to rate the trustworthiness of citizens based on their behavior or personality.
The resolution also takes aim at algorithmic bias, calling for human supervision and strong legal powers to prevent discrimination by AI — especially in law enforcement and the border-crossing context.

Human operators must always make the final decisions, MEPs agreed, saying that subjects monitored by AI-powered systems must have access to remedy.
They also called for public authorities to use open-source software to be more transparent, wherever possible.

So what’s the upshot for you? It’s the bias built into the AI Algorithm that most are concerned with and as long as we have human-trained AI, there will be an inherent bias.

US: FTC nominee’s research shows focus on facial recognition, privacy rights

The nomination of legal scholar Alvaro Bedoya to the Federal Trade Commission signals the potential for the agency to tackle regulations regarding the use of facial recognition technology.

Bedoya’s 2016 paper, “The Perpetual Line-Up: Unregulated Police Face Recognition in America,” outlined several limits that could be placed around the software’s use, including requiring that facial-recognition-powered searches of drivers licenses and ID photos should occur only with a court order. The paper also suggests requiring mug shot databases that use facial recognition technology to exclude people who were ultimately found innocent of an offense or who had charges against them dropped.

Alvaro Bedoya Nominee for a member of the Federal Trade Commission Founding director of the Center on Privacy & Technology at Georgetown Law School, where he is a visiting professor of law Age 39 | Education Bachelor’s degree, Harvard College, 2003; Yale Law School, 2007 Previous roles Bedoya served as the first chief counsel to the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law upon the subcommittee’s creation in 2011. Bedoya has drafted bipartisan legislation to protect victims of sexual assault, conducted oversight hearings of technology companies, and helped negotiate and draft bipartisan legislation to rein in the National Security Agency.

Notable publications “The Perpetual Line-Up: Unregulated Police Face Recognition in America,” written in 2016, and “Privacy as Civil Right” New Mexico Law Review, in 2020

Several states in recent years have enacted their own legislation on facial recognition technology in the absence of a federal standard. Maine passed a facial recognition ban in June that requires law enforcement officials to only use facial recognition technology if they can show probable cause to do so. California in 2019 enacted a law that prohibits law enforcement agencies from using biometric surveillance systems in officer body cameras.

So what’s the upshot for you? This man seems to have a little background in the nuances of facial recognition technology. We hope he is confirmed.

US: Classified Data in That PB&J

Ok, first for those outside the US making lunches for the kids, a PB&J is a peanut butter and jelly (jam) sandwich, a staple of North American lunches.

The U.S. Department of Justice on Saturday unsealed charges against a Navy engineer who allegedly tried passing classified information about nuclear submarines in exchange for a payment.

The engineer is accused of working with his wife to transmit military secrets to a removable memory card, hiding the device in a peanut butter sandwich, and then passing it to an individual they believed was an agent for an unnamed foreign government. In fact, the agent worked for the FBI.

The complaint against the couple, Jonathan and Diana Toebbe, reads like a modern-day spy thriller, complete with details about protected national secrets, cryptocurrency, and the use of encrypted email in an attempt to secure sensitive communications. Like the Russian government’s weaponization of social media to influence American voters, and Chinese spies’ reliance on LinkedIn to recruit sources in the U.S., the case is the latest representation of how traditional espionage tactics — dead drops and undercover identities — are upended by innocuous tools that are part of daily life.

So what’s the upshot for you? Here is an area where facial recognition tools with built-in bias are working. Caucasian males and females in place as spies in foreign territories are getting picked off like flies.
What do we think? Proof that James Bond types also need some diversification. Could AI bias be Bond’s ultimate undoing?

That’s it for this week. If we were in the fashion industry we’d have just made a cut against the bias, but alas, this week we are only middling rappers.

Thanks for joining in the fun. listen_tiny

Stay kind, be safe, stay secure and we will see you in a shapely se7en.