Making Waves with Moxie and the IT Privacy and Security Weekly Update for January 11th, 2022


In this week’s update, we take you from lockdown to the end of civilization with the notice that “a smooth sea never made a skilled sailor”.

We move “shipshape and Bristol fashion”, through mines, espionage, and corruption.

Then, we “make up Leeway” with one big name demanding Multi-Factor Authentication (MFA) for everyone, and a black box that just might be a “shot across the bows” of politicians who talk ‘Blah Blah Blah’.

Whether landlubber or salty dog, this vessel delivers the best IT Privacy and Security update yet!

So let’s put on those oilskins, slip on those waders, grab a rope, and hit the high seas!

US: Cyberattack leads to jail lockdown

This latest ransomware attack has limited how much time inmates can spend out of their cells (= zero), and also reduced their access to telephones and tablets, according to the filing. No visitors have been allowed.

The county said in the filing that its inability to access cameras is one of the more concerning aspects of the cyberattack, which has caused the facility to be on “lockdown” since Wednesday.

“This means inmates, even inmates in the general population, are limited to their cells.”

So what’s the upshot for you? We have an idea: When these malware miscreants are apprehended, make sure they end up in this particular prison. We are sure the inmates will appreciate the opportunity to express their thoughts as to the extra time they’ve spent in full lock-down.

Global: 500M Avira Antivirus Users Introduced to Cryptomining

Founded in 2006, Avira Operations GmbH & Co. KG is a German multinational software company best known for its Avira Free Security (a.k.a. Avira Free Antivirus). In January 2021, Avira was acquired by Tempe, Ariz.-based NortonLifeLock Inc., the same company that now owns Norton 360.

Now both Norton 360 and Avira come with a crypto miner built-in.

“Norton should be DETECTING and killing off crypto-mining hijacking, not installing their own,” reads a Dec. 28 thread on Norton’s forum titled “Absolutely furious.”

Others have charged that the crypto offering will end up costing customers more in electricity bills than they can ever hope to gain from letting their antivirus mine ETH. What’s more, there are hefty fees involved in moving any ETH mined by Norton or Avira Crypto to an account that the user can cash out, and many users apparently don’t understand they can’t cash out until they at least earn enough ETH to cover the fees.

In August 2021, NortonLifeLock said it had reached an agreement to acquire Avast, another longtime free antivirus product that also claims to have around 500 million users.

So what’s the upshot for you? You have been warned. Anything that has anything to do with the old Symantec Corporation, should be avoided like… a virus.

EU/US: Apple’s Private Relay Feature is Being Blocked by Some Carriers.

Some European carriers, and T-Mobile/Sprint in the United States, are blocking iCloud Private Relay access when connected to cellular data. As 9to5Mac reports, “This feature is designed to give users an additional layer of privacy by ensuring that no one can view the websites that they visit.”

From the report: Apple says that Private Relay is a feature designed to give users another layer of privacy when browsing the web. The first relay is sent through a server maintained by Apple, and the second is a third-party operator. The feature was announced at the Worldwide Developers Conference last June and initially slated for inclusion in iOS 15. Apple ultimately shipped the feature as a “public beta,” meaning that it is disabled by default in the newest iOS 15 and macOS Monterey releases. You can manually enable it by going to Settings on your iPhone, tapping your name at the top, choosing iCloud, and choosing “Private Relay” if you are paying for the iCloud+ service.

T-Mobile was among the carriers in Europe that signed an open letter expressing concern about the impact of Private Relay. The carriers wrote that the feature cuts off networks and servers from accessing “vital network data and metadata” and could impact the “operator’s ability to efficiently manage telecommunication networks.” In the UK, carriers including T-Mobile, EE, and others have already started blocking Private Relay usage when connected to cellular data. 9to5Mac has also now confirmed that T-Mobile is extending this policy to the United States. This means that T-Mobile and Sprint users in the United States can no longer use the privacy-preserving iCloud Private Relay feature when connected to cellular data.

The letter said that Private Relay cuts off networks and servers from accessing “vital network data and metadata” and will have “significant consequences in terms of undermining European digital sovereignty”. They say it will also impact the “operator’s ability to efficiently manage telecommunication networks”.

It’s unclear why the companies are speaking out against Private Relay when general VPN services have been widely available for years and do much of the same role. Perhaps it is the fact that Private Relay is so easily accessible that they expect a lot of people to use it; the feature is built into iOS 15 and available to any customer with a paid iCloud plan.

So what’s the upshot for you? If carriers can’t see what you’re sending, they can’t upsell internet features based on your phone plan, such as compressing images or restricting HD video streaming to more expensive tiers; that is exactly what Private Relay and other VPN services prevent. The feature is still in beta at Apple and disabled by default. To turn it on you need an iCloud+ account, which starts at $0.99/month, and then you simply enable it in the iCloud settings on your phone… after which it is just a question of whether your carrier supports it.

KP: North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry

A North Korean cyberespionage group named Konni has been linked to a series of targeted attacks aimed at the Russian Federation’s Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware.

The phishing campaign unfolded in three waves:

  • The first commenced on October 19, 2021, to harvest credentials from MID personnel.
  • The second, in November, leveraged COVID-19 themed lures to install a rogue version of the Russian-mandated vaccination registration software that served as a loader for additional payloads.
  • The third began on December 20, 2021, using New Year’s Eve festivities as a spear-phishing theme to trigger a multi-stage infection chain.

So what’s the upshot for you? If we could get the Iranians and the Chinese into this melee, all hacking each other, we’d have some true fireworks to report here.

US/RU: The US warns of Russian state-sponsored attacks on critical infrastructure

Less than one day after Russia and the US held bilateral talks over the deployment of troops near Ukraine, US intelligence and law enforcement agencies issued a warning to critical infrastructure operators about threats from Russian state-sponsored hackers.

The alert, jointly authored by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency, disclosed commonly observed tactics, techniques, and procedures (TTPs) used by the threat actors, as well as guidance on incident response and mitigation.

So what’s the upshot for you? Mark our words. There will be much more as countries leverage cyber warfare for political gain.

Global: Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.

Some wondered whether the NPM libraries had been compromised, but it turns out there’s much more to the story.

The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on ‘colors’ and ‘faker.’

The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it, whereas faker receives over 2.8 million weekly downloads on npm and has over 2,500 dependents.

The reason behind this mischief on the developer’s part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.

In November 2020, Marak had warned that he would no longer be supporting the big corporations with his “free work” and that commercial entities should consider either forking the projects or compensating the dev with a yearly “six-figure” salary.

“Respectfully, I am no longer going to support Fortune 500s with my free work. There isn’t much else to say,” the developer wrote.

Concerns emerged as to how big businesses were used to “exploiting” open-source; by consuming it incessantly but not giving back enough to support the unpaid volunteers who sustain these critical projects by giving up their free time.

Some also criticized the netizens and bug bounty hunters hounding the Log4j maintainers who were already “working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc.”

So what’s the upshot for you? “The responses to the colors.js/faker.js author sabotaging their own packages are really telling about how many corporate developers think they are morally entitled to open source developers’ unpaid labor without contributing anything back,” commented one Twitter user.

In the meantime, users of ‘colors’ and ‘faker’ NPM projects should ensure they are not using an unsafe version. Downgrading to an earlier version of colors (e.g. 1.4.0) and faker (e.g. 5.5.3) is one solution.

Global: My first impressions of web3

Moxie Marlinspike, sailor, cryptographer, creator of both WhatsApp and Signal, and considered one of the brightest minds in the cryptography space, wrote a new blog post a few days ago that’s getting quite a bit of press coverage for his conceptual NFT model. We’re going to let you discover that on your own and summarize some of his statements around Web3:

The premise for web1 was that everyone on the internet would be both a publisher and consumer of content as well as a publisher and consumer of infrastructure. We’d all have our own web server with our own website, our own mail server for our own email, our own finger server for our own status messages, our own chargen server for our own character generation. However – and I don’t think this can be emphasized enough – that is not what people want. People do not want to run their own servers.

Next: A protocol moves much more slowly than a platform. After 30+ years, email is still unencrypted; meanwhile, WhatsApp went from unencrypted to full e2ee in a year. People are still trying to standardize sharing a video reliably over IRC; meanwhile, Slack lets you create custom reaction emoji based on your face.

Given the history of why web1 became web2, what seems strange to me about web3 is that technologies like ethereum have been built with many of the same implicit trappings as web1. To make these technologies usable, the space is consolidating around platforms. Again. People who will run servers for you, and iterate on the new functionality that emerges.

Of interest in the cryptocurrency world is the lack of attention to the client/server interface. When people talk about blockchains, they talk about distributed trust, leaderless consensus, and all the mechanics of how that works, but often gloss over the reality that clients ultimately can’t participate in those mechanics. All the network diagrams are of servers, the trust model is between servers, everything is about servers. Blockchains are designed to be a network of peers, but not designed such that it’s really possible for your mobile device or your browser to be one of those peers.

It seems like we should take notice that from the very beginning, these technologies immediately tended towards centralization through platforms in order for them to be realized.

Looking at web3 I can easily see why so many people find the web3 ecosystem so neat. I don’t think it’s on a trajectory to deliver us from centralized platforms, I don’t think it will fundamentally change our relationship to technology, and I think the privacy story is already below par for the internet (which is a pretty low bar!).

So what’s the upshot for you? We should accept the premise that people will not run their own servers by designing systems that can distribute trust without having to distribute infrastructure. This means architecture that anticipates and accepts the inevitable outcome of relatively centralized client/server relationships but uses cryptography (rather than infrastructure) to distribute trust.

One of the surprising things to me about web3, despite being built on “crypto,” is how little cryptography seems to be involved.

And to that we say, “Hear, Hear!”

Global: Moxie Marlinspike Steps Down as Signal CEO

Celebrated cryptographer Matthew Rosenfeld, a.k.a. Moxie Marlinspike, is stepping down as chief executive at Signal, temporarily turning the reins of the popular encrypted messaging platform over to WhatsApp co-founder Brian Acton.

Marlinspike, who created Signal and led its growth into becoming a must-use encrypted messaging app, said Signal would begin the search for a new chief executive immediately.

He said Acton, the WhatsApp co-founder who helped to bankroll Marlinspike’s Signal Foundation and sits on the non-profit board, has volunteered to serve as interim CEO during the search period.

Marlinspike, who spent a decade working on the secure app, said he is “very comfortable replacing myself as CEO” because of the management team in place and the opportunity to expand the company’s success.

“I’ve been talking with candidates over the last few months, but want to open up the search with this announcement in order to help find the best person for the next decade of Signal,” Marlinspike added.

Back in 2018, Marlinspike and Acton teamed up to launch the Signal Technology Foundation, with Acton investing $50 million in the non-profit.

So what’s the upshot for you? We look forward to “sailing” into the next adventure in this series…

Global: Salesforce to require MFA for all users starting next month. That’s customers, internal staff… Everyone!

At Salesforce, we take the protection of your data very seriously and understand that the confidentiality, integrity, and availability of your data are vital to your business.

In April, we contacted you to reiterate our commitment to providing the highest level of security for your products with technology like multi-factor authentication (MFA).

As your partner in protecting your customer data, we’re announcing that beginning February 1, 2022, Salesforce will begin requiring customers to enable MFA in order to access Salesforce products.

Acceptable types of multifactor authentication:

  • Salesforce Authenticator mobile app (available on the Apple App Store or Google Play Store)
  • Time-based one-time passcode (TOTP) authenticator apps, like Google Authenticator, Microsoft Authenticator, or Authy.
  • Security keys that support WebAuthn or U2F, such as Yubico’s YubiKey or Google’s Titan.
  • Built-in authenticators, such as Apple’s Touch ID and Face ID, or Windows Hello.

So what’s the upshot for you? We’re glad that the security folks at Salesforce listen to our podcast and have taken our advice.

EU: EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity

In the context of its inquiry, the EDPS (the European Data Protection Supervisor, an independent EU supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection) admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights.

While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation.

This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimization and storage limitation, enshrined in the Europol Regulation.

Europol will be allowed to process personal information as part of investigations, but the data on those not linked to crimes must be erased after six months.

“This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline,” the EDPS said in a press release on Monday.

This Decision concludes the EDPS’ inquiry launched in 2019.

So what’s the upshot for you? …and what? No fine?

US: In a First, Man Receives a Heart From a Genetically Altered Pig

A 57-year-old man with life-threatening heart disease has received a heart from a genetically modified pig, a groundbreaking procedure that offers hope to hundreds of thousands of patients with failing organs. It is the first successful transplant of a pig’s heart into a human being.

The eight-hour operation took place in Baltimore on Friday, and the patient, David Bennett Sr. of Maryland, was doing well yesterday, according to surgeons at the University of Maryland Medical Center.

“It creates the pulse, it creates the pressure, it is his heart,” said Dr. Bartley Griffith, the director of the cardiac transplant program at the medical center, who performed the operation. “It’s working and it looks normal. We are thrilled, but we don’t know what tomorrow will bring us. This has never been done before.”

“It was either die or do this transplant,” Mr. Bennett said before the surgery, according to officials at the University of Maryland Medical Center. “I want to live. I know it’s a shot in the dark, but it’s my last choice.”

“We can’t give you a human heart; you don’t qualify. But maybe we can use one from an animal, a pig,” Dr. Griffith recalled. “It’s never been done before, but we think we can do it.”

Two newer technologies — gene editing and cloning — have yielded genetically altered pig organs less likely to be rejected by humans. The pig had 10 genetic modifications.

Four genes were knocked out, or inactivated, including one that encodes a molecule that causes an aggressive human rejection response. A growth gene was also inactivated to prevent the pig’s heart from continuing to grow after it was implanted.

In addition, six human genes were inserted into the genome of the donor pig — modifications designed to make the porcine organs more tolerable to the human immune system.

The team used a new experimental drug to suppress the immune system and prevent rejection. It also used a new machine perfusion device to keep the pig’s heart preserved until surgery. The Food and Drug Administration worked intensely toward the end of the year, finally giving the transplant surgeons an emergency authorization for the operation on New Year’s Eve.

So what’s the upshot for you? This may be the best opportunity yet to see if pigs really can fly.

AU: Earth is getting a black box to record events that lead to the downfall of civilization

An indestructible “black box” is set to be built upon a granite plain on the west coast of Tasmania, Australia, in early 2022. Its mission: Record “every step we take” toward climate catastrophe, providing a record for future civilizations to understand what caused our demise, according to the Australian Broadcasting Corporation.

The project, led by marketing communications company Clemenger BBDO in collaboration with University of Tasmania researchers, is currently in beta and has already begun collecting information at its website.

So what’s the upshot for you? We loved this quote on the Australian Broadcasting Corporation website: “When people know they’re being recorded, it does have an influence on what they do and say,” Mr. Kneebone said.

You Bet! Well, that’s it for this week. “Like Ships that Pass in the Night,” we’re off to the west coast of Tasmania to see if we can find the elusive “Mr. Kneebone” for more choice quotes.

Be kind, stay safe, stay secure and see you in se7en!

Indeed. One can only hope.

Bit of a trip when Bad Actors start on each other. You would have to think there is a real backstory to this, as we all learned young … Don’t poke The Bear :teddy_bear:

Excellent newsletter @rps


Thanks Ben. Could this be the start of the antagonists antagonizing one another?
More to come in next week’s thrilling episode of the IT Privacy and Security Weekly Update!
