Leaving on a Jet Plane with the IT Privacy and Security Weekly Update for September 7th 2021


We start this week’s journey at the site of the Twin towers in New York before moving to Russia, and then to Germany and then, a little bit late, to the airport before boarding our flight for Australia, Scotland, Pakistan, Ireland, and China.

Then, in the haze of jetlag, the American military finally leaves us with no words.

Grab your go-bag, passport, vaccination certificate, pillow, and let’s do some long-overdue globe-trotting. This week’s travel won’t be drama-free, but it will be Covid free.


US: Frozen in fear


On the eve of the 20th anniversary of the World Trade Center attack in New York City, we’d like to give pause in remembrance to those who lost loved ones, dads, mums, brothers, sisters, and children on that fateful sunny September morning.

From offices above the site where the Twin Towers once stood, we look out across an area that by 9 am on the 11th of September 2001 was shrouded in smoke, and where minutes later the South Tower and then the North Tower fell.

2,977 people from 77 different countries died that morning and a further 25,000 were left injured.

That action led the US into a 20-year war, from which, 12 days before this 20th anniversary, it extricated itself … only, sadly, to return Afghanistan to the control of the Taliban.

So what’s the upshot for you? We’ll never forget.

Global: Microsoft Outlook shows real person’s contact info for IDN phishing emails

If you receive an email from ITPaSWU@DіgіtalAsset.com, is it really from someone at DA? Most definitely not—the domain in that email address is not the same DigitalAsset.com that you know.

The ‘і’ character in there is from the Cyrillic script and not the Latin alphabet. Don’t believe us? Copy and paste the DіgіtalAsset.com from ITPaSWU@DіgіtalAsset.com into Chrome and see what it returns. It should be something like http://dіgіtalasset.com/ and you might get a message like: “This site can’t be reachedxn--dgtalasset-x2ib.com’s server IP address could not be found.”

Now try it with DigitalAsset.com and you will have an opportunity to read a great article about “The Global Economic Network” from CEO Yuval Rooz.

Up until a few years ago, modern browsers did not make any visible distinction when domains containing mixed character sets were typed into the address bar.

And it turns out Microsoft Outlook is no exception, but the problem just got worse: emails originating from a lookalike domain in Outlook would show the contact card of a real person, who is actually registered to the legitimate domain, not the lookalike address.

It wasn’t obvious that Microsoft Outlook for Windows and the Address Book feature would make no distinction when showing the contact details of the person.

“We recently discovered a vulnerability that affects the Address Book component of Microsoft Office for Windows that could allow anyone on the internet to spoof contact details of employees within an organization using an external look-alike Internationalized Domain Name (IDN),” wrote a pentester in a blog post. “This means if a company’s domain is ‘somecompany[.]com’, an attacker that registers an IDN such as ‘ѕomecompany[.]com’ (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within ‘somecompany.com’ that used Microsoft Outlook for Windows.”

Coincidentally, the following day, another report on the topic emerged from Mike Manzotti, a senior consultant at Dionach. For a contact created on Manzotti’s “onmìcrosoft.com” domain (notice the ì), Outlook displayed valid contact details of the person whose email address contained the real “onmicrosoft.com” domain.

It is unclear if Microsoft is inclined to fix the issue in Outlook at this time: “We’ve finished going over your case, but in this instance, it was decided that we will not be fixing this vulnerability in the current version,” a Microsoft staff member told the researcher in an email.

So what’s the upshot for you? More and more people are noticing the time lag between Microsoft receiving notice of vulnerabilities or security issues and their remediation, if at all. It seems like the responsibility is now shifting to the user, almost completely. In which case, you want to confirm communications through a secondary channel be it for opening attachments or clicking on a website link.
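As an added illustration (not from the original post, nor from the researchers quoted above), the script below shows the checks a mail gateway or a cautious recipient could run on a sender's domain: it produces the punycode form that the browser error message above reveals, flags labels that mix Latin and Cyrillic letters, and compares a simplified “skeleton” of the domain against a list of trusted domains. The `trusted_domains` set and the small lookalike table are assumptions constructed for this example.

```python
import unicodedata

# Constructed for this example: a deliberately small table of Cyrillic letters that
# render like Latin ones. The full list lives in Unicode's UTS #39 confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def script_of(ch):
    """Coarse script name taken from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"   # digits, '-' and '.' belong to no script
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_punycode(domain):
    """ASCII-compatible encoding of a domain, i.e. what DNS and the browser error message show."""
    return domain.lower().encode("idna").decode("ascii")


def skeleton(domain):
    """Reduce a domain to the Latin letters it visually imitates: swap known Cyrillic
    lookalikes, then strip accents (so 'onm\u00eccrosoft' becomes 'onmicrosoft')."""
    out = []
    for ch in domain.lower():
        ch = CYRILLIC_LOOKALIKES.get(ch, ch)
        for part in unicodedata.normalize("NFKD", ch):
            if unicodedata.category(part) != "Mn":      # drop combining marks such as a grave accent
                out.append(part)
    return "".join(out)


def check_sender_domain(domain, trusted_domains):
    """Classify the domain part of a sender address against a set of trusted domains.

    Two independent signals are returned: labels that mix scripts (Latin plus Cyrillic),
    and a non-ASCII domain whose skeleton collides with a trusted domain.
    """
    domain = domain.lower()
    mixed = []
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append(label)
    ascii_form = to_punycode(domain)
    looks_like = skeleton(domain)
    impersonates = ascii_form != domain and looks_like in trusted_domains
    return {
        "domain": domain,
        "punycode": ascii_form,
        "mixed_script_labels": mixed,
        "impersonates": looks_like if impersonates else None,
        "suspicious": bool(mixed) or impersonates,
    }


if __name__ == "__main__":
    # Constructed sample senders; the Cyrillic letters are written as escapes so they survive copy-paste.
    trusted = {"digitalasset.com", "somecompany.com", "onmicrosoft.com"}
    for sender in ["ITPaSWU@D\u0456g\u0456talAsset.com",      # Cyrillic i (U+0456) twice
                   "hr@\u0455omecompany.com",                 # Cyrillic dze (U+0455)
                   "it@onm\u00eccrosoft.com",                 # Latin i with grave accent
                   "ceo@DigitalAsset.com"]:                   # the genuine domain
        print(sender, "->", check_sender_domain(sender.split("@", 1)[1], trusted))
```

The accent-stripping step is what catches the “onmìcrosoft.com” case from the Dionach report, which a pure mixed-script check would miss because the accented i is still a Latin letter.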

RU: If you contact the police, we will leak your data – warns Ragnar Locker ransomware gang

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately.”

The Ragnar Locker group, a gang of cybercriminals behind a series of costly ransomware attacks against companies, has warned victims that they should not seek the assistance of law enforcement agencies.

The group, which also tells victims that they should also not work with firms that specialize in helping companies negotiate with cybercriminals in the wake of a ransomware attack, posted a statement on its darknet website saying that it would punish any “clients” by publishing their stolen data immediately.

There’s only one reason why the Ragnar Locker group would be telling its victims not to bring in ransomware recovery firms and the police – it’s worried that it’s hurting business.

Ransomware gangs aren’t keen on anyone successfully managing to skillfully negotiate a smaller ransom payment, or worse yet help a business recover its data without paying any ransom at all – let alone stirring more interest in the group from law enforcement groups such as the FBI.

So what’s the upshot for you? The ransomware gangs would much rather you only spoke to them, and that the police and others were not brought in to assist and …we can’t imagine why……

DE: Germany Protests to Russia Over Pre-Election Cyberattacks


Germany has protested to Russia over attempts to steal data from lawmakers in what it suspects may have been prepared to spread disinformation before the upcoming German election, the Foreign Ministry in Berlin said Monday.

Foreign Ministry spokeswoman Andrea Sasse said that a hacker outfit called Ghostwriter has been “combining conventional cyberattacks with disinformation and influence operations,” and that activities targeting Germany have been observed, “for some time.”

She said that, ahead of Germany’s parliamentary election on Sept. 26, there have been attempts, using phishing emails among other things, to get hold of personal login details of federal and state lawmakers, with the aim of identity theft.

“The German government has reliable information on the basis of which Ghostwriter activities can be attributed to cyber-actors of the Russian state and, specifically, Russia’s GRU military intelligence service,” Sasse said. It “views this unacceptable activity as a danger to the security of the Federal Republic of Germany and for the process of democratic decision-making, and as a severe strain on bilateral relations.”

So what’s the upshot for you? Germany calls on the Russian government to end such activity immediately… and so do another 60 or so countries, where according to Putin, this meddling is not occurring.

Global: Something to remember the next time you borrow a USB type-C cable.

This bugged USB Type-C cable is the latest version of a series of penetration testing tools made by the security researcher known as MG. MG previously demoed an earlier version of the cables for Motherboard at the DEF CON hacking conference in 2019. Shortly after that, MG said he had successfully moved the cables into mass production, and cybersecurity vendor Hak5 started selling the cables.

“There were people who said that Type C cables were safe from this type of implant because there isn’t enough space. So, clearly, I had to prove that wrong. :),” MG told Motherboard in an online chat.

The OMG Cables, as they’re called, work by creating their own Wi-Fi hotspot that a hacker can connect to from their own device. From there, an interface in an ordinary web browser lets the hacker start recording keystrokes. The malicious implant itself takes up around half the length of the plastic shell, MG said.

“We tested this out in downtown Oakland, California and were able to trigger payloads at over 1 mile,” he added.

He said that the Type C cables allow the same sort of attacks to be carried out against smartphones and tablets. Various other improvements include the ability to change keyboard mappings and to forge the identity of specific USB devices, for example pretending to be a device that leverages a particular vulnerability on a system.

So what’s the upshot for you? Ouch! The electronics for these bugged cables are getting incredibly small. Click on the vice.com article for links to videos showing how they look and what they do, and next time you travel, take your own cables with you.

AU: Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server

If you have ever worked at or used a setup that integrated Confluence functionality into Jenkins, you might find this one interesting:

The maintainers of Jenkins—a popular open-source automation server—have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in the Atlassian Confluence service to install a cryptocurrency miner.

The “successful attack,” which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts.

The disclosure comes as the U.S. Cyber Command warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments.

According to cybersecurity firm Censys, a search engine for finding internet devices, around 14,637 exposed and vulnerable Confluence servers were discovered right before details about the flaw became public on August 25, a number that has since dropped to 8,597 as of September 5 as companies continue to apply Atlassian’s patches and pull afflicted servers from being reachable over the internet.

So what’s the upshot for you? Lots of us have worked with one of these integrations at one time or another, so if you know someone who still does, tell them to patch their Confluence server (for those using Atlassian cloud services, these are patched automatically).

UK: Dial-A-Deal is Done

A Glasgow-based company is facing a £150,000 penalty handed down by the UK’s data watchdog for making more than half a million nuisance calls about bogus green energy deals.

The Information Commissioner’s Office (ICO) fined DialADeal Scotland Ltd (DDSL) after an investigation found that it had targeted numbers registered with the Telephone Preference Service (TPS) where people had expressly withdrawn their consent to receive marketing calls.

The unsolicited phone calls were about non-existent “Green Deal energy saving schemes” including boiler and window replacement, loft insulation, and home improvement grants.

So what’s the upshot for you? The ICO has advised that DialADeal has now ceased trading.

PK: “FudCo” Spam Empire Tied to Pakistani Software Firm

“The Manipulaters,” is the name chosen by a prolific cybercrime group based in Pakistan that was very publicly selling spam tools and a range of services for crafting, hosting, and deploying malicious email. A review of the social media postings from this group shows they are prospering, while rather poorly hiding their activities behind a software development firm in Lahore that has secretly enabled an entire generation of spammers and scammers.

The Manipulaters’ core brand in the underground is a shared cybercriminal identity named “Saim Raza,” who for the past decade across dozens of cybercrime sites and forums has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” etc.

The common acronym in nearly all of Saim Raza’s domains over the years — “FUD” — stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

They spoofed some of the world’s top banks and brand names, but particularly Apple and Microsoft. Phishing domain names registered to The Manipulaters included an address in Karachi, with the phone number 923218912562. That same phone number is shared in the WHOIS records for 4,000+ domains registered through domainprovider[.]work, a domain controlled by The Manipulaters that appears to be a reseller of another domain name provider.

This open-source research on The Manipulaters and We Code Solutions is damning enough. But the real icing on the Fud Co cake is that sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations.

That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Whoops.

Scylla co-founder Sasha Angus said the messages that flooded their inbox once they set up an email server on that domain quickly filled in many of the details they didn’t already have about The Manipulaters.

So what’s the upshot for you? One of the things the investigators found challenging about this case was not who did what, but just how much bad stuff they’ve done over the years. “With these guys, you keep going down this rabbit hole that never ends because there’s always more, and it’s fairly astonishing. They are prolific. If they had halfway decent operational security, they could have been really successful. But thankfully, they don’t.”

IE: Boxing clever, Ireland’s Gardai Sucker punches the HSE Cyber-Attackers

Ireland’s national police service, Gardai, has carried out a significant operation targeting the gang behind the ransomware attack on Ireland’s Health Service Executive (HSE) in May, which it believes has prevented other such attacks from taking place globally.

“A process has also commenced between the Garda Siochana and their law enforcement partners at Europol and Interpol to provide the details of the visiting URLs to the member countries to ensure that the infected systems are appropriately decontaminated,” a Garda spokesman said.

“To date, a total of 753 attempts were made by ICT systems across the world to connect to the seized domains.

“In each instance, the seizure of these domains by the investigation team is likely to have prevented a Conti ransomware attack on the connecting ICT system by rendering the initially deployed malware on the victim’s system as ineffective.”

So what’s the upshot for you? We love this story. After the resilience shown by the Irish Health workers dealing with their whole system being offline, the Garda get revenge. We would, however, like to see even more of a happy ending with the Conti gang taken out back and given a good roundhouse…

US: FBI says Chinese authorities are hacking US-based Uyghurs

The FBI has warned that the Chinese government is using both in-person and digital techniques to intimidate, silence, and harass U.S.-based Uyghur Muslims.

In recent months, the Chinese government has become increasingly aggressive in its efforts to shut down foreign critics, including those based in the United States and other Western democracies. These efforts have now caught the attention of the FBI.

In an unclassified bulletin, the FBI warned that officials are using transnational repression — a term that refers to foreign government transgression of national borders through physical and digital means to intimidate or silence members of diaspora and exile communities — in an attempt to compel compliance from U.S.-based Uyghurs and other Chinese refugees and dissidents, including Tibetans, Falun Gong members, and Taiwan and Hong Kong activists. “Threatened consequences for non-compliance routinely include detainment of a U.S.-based person’s family or friends in China, seizure of China-based assets, sustained digital and in-person harassment, Chinese government attempts to force repatriation, computer hacking, and digital attacks, and false representation online.”

“This transnational repression activity violates US laws and individual rights.”

So what’s the upshot for you? If you or someone you know in the US are aware of this type of activity, the FBI would like to know about it. The FBI has urged U.S. law enforcement personnel, as well as members of the public, to report any suspected incidents of Chinese government harassment.

CH: ProtonMail does not log your data, except when it does.

End-to-end encrypted email service provider ProtonMail has drawn criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France.

The Switzerland-based company said it received a “legally binding order from the Swiss Federal Department of Justice” related to a collective called Youth for Climate, which it was “obligated to comply with,” compelling it to hand over the IP address and information related to the type of device used by the group to access the ProtonMail account.

On its website, ProtonMail advertises that: “No personal information is required to create your secure email account. By default, we do not keep any IP logs that can be linked to your anonymous email account. Your privacy comes first.”

But, “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities,” ProtonMail founder and CEO Andy Yen tweeted, adding “By law, [ProtonMail] must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.”

So what’s the upshot for you? This is probably the best balance. No tracking or tracing unless a court of law deems you a criminal, and then all bets are off.

Global: Do you have a Fortress S03 home security system? You are not as secure as you thought.

The Fortress S03 relies on Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to remotely monitor their home from anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

Rapid7 says it found a couple of vulnerabilities that include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said that, given only a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.

An email from Bottone Reiling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not specify which of the claims it considers false…

So what’s the upshot for you? Well, we hope you kept your receipt. We’d definitely recommend returning this setup to the shop where you bought it!

US: The new paradigm in Espionage.

Mike Orlando, the acting director of the National Counterintelligence and Security Center, spoke about the range of foreign espionage threats facing the U.S. from adversaries and challengers like Russia and China.

  • Adversaries are now targeting the private sector: “what we’ve seen over the last 20 years is the shift to private sector intellectual property research and development, particularly by China, who has been the most egregious in stealing those technologies.”
  • Espionage threat from the Chinese government: “We believe that there’s no other country than China that poses the most severe intelligence threat to America. We’re looking at $200 billion to $600 billion dollars a year in losses to intellectual property theft by China. And that’s been going on for the last 20 years. That’s a pretty staggering loss to the U.S. and when you look at China’s national plans, it’s one where it’s to put the U.S. out of business.”
  • “A move to Non-traditional Collectors”: “We’ve seen a pivot to these non-traditional collectors, which are students, researchers, business people, people who have legitimate jobs, who act as proxies or surrogates for the intelligence service.”

So what’s the upshot for you? Ouch! Actually, read his job title: this guy is supposed to say stuff like this. Still, the claims are pretty huge.

CN: In China, Kids Are Limited To Playing Video Games For Only 3 Hours Per Week

It’s getting dangerously close to “game over” for some players in China: If you’re under 18 and a fan of video games, you’re now limited to just three hours of play a week.

Under the new mandates, companies are barred from offering their services to children outside a small window of time: Those under 18 can access online games only on Fridays, Saturdays, and Sundays and only between 8 p.m. and 9 p.m., according to the report.

So what’s the upshot for you? Parents, there goes your quiet time.

CN: China bans men it sees as not masculine enough from TV

Broadcasters must “resolutely put an end to sissy men and other abnormal esthetics,” the TV regulator said, using an insulting slang term for effeminate men — niang pao, or literally, “girlie guns.”

That reflects official concern that Chinese pop stars, influenced by the sleek, girlish look of some South Korean and Japanese singers and actors, are failing to encourage China’s young men to be masculine enough.

Broadcasters should avoid promoting “vulgar internet celebrities” and admiration of wealth and celebrity, the regulator said. Instead, programs should “vigorously promote excellent Chinese traditional culture, revolutionary culture and advanced socialist culture.”

So what’s the upshot for you? Who makes the call on that one?

US: Fired Employee Deletes 21GB of Credit Union Files

Juliana Barile of Brooklyn, a former credit union employee, is currently facing a decade behind bars after pleading guilty to destroying large amounts of corporate data in revenge for being fired. Barile admitted to one count of computer intrusion due to unauthorized access to the data on her former employer’s computer system. Barile allegedly accessed the file server of the New York-based credit union two days after her termination. Barile is said to have opened confidential files and deleted 21.3GB of data, including 3,500 directories and 20,000 files. According to the Department of Justice, the deleted files mainly pertained to mortgage loan applications.

So what’s the upshot for you? Although it’s interesting to see women move into an area that hitherto has been male-dominated, the case highlights the importance of offboarding terminated employees promptly, revoking their access on the day they leave, and the risk of insider threats.

US: A New Navy Weapon Actually Stops You From Talking

The U.S. Navy has successfully invented a special electronic device that is designed to stop people from talking. A form of non-lethal weapon, the new electronic device effectively repeats a speaker’s own voice back at them, and only them, while they attempt to talk.

The main idea of the weapon is to disorientate a target so much that they will be unable to communicate effectively with other people.

Called acoustic hailing and disruption, the weapon is able to record speech and instantly broadcast it at a target in milliseconds. Much like an annoying sibling, this action will disrupt the target’s concentration, and, in theory, discourage them from continuing to speak.

“According to an illustrative embodiment of the present disclosure, a target’s speech is directed back to them twice, once immediately and once after a short delay. This delay creates delayed auditory feedback, which alters the speaker’s normal perception of their own voice. In normal speech, a speaker hears their own words with a slight delay, and the body is accustomed to this feedback. By introducing another audio feedback source with a sufficiently long delay, the speaker’s concentration is disrupted and it becomes difficult to continue speaking.”

So what’s the upshot for you? It is important to note that the device is unlikely to be used on the battlefield anytime soon but may turn up as a form of crowd control. We imagine you could probably think of some innovative uses!

That’s it for this week! As we disembark we wonder when they started charging for putting luggage in the overhead bins.

We’ve got 7 days to get through passport control, clear customs, and find an Uber that we can afford.

Until then, be kind, stay safe, stay secure and see you in se7en!
