Moving through the Reverb with the IT Privacy and Security Weekly Update for April 27th 2021



Daml’ers, this week we start with a uniquely Canadian turn of events that has absolutely nothing whatsoever to do with privacy or security but was essential nonetheless, and end up chasing the cat around the office.

In between we find out why the C-Suite of gaming companies are themselves becoming targets, a newly developing jab / job relationship, just what the new MacOS update stops, what’s behind the Linux fracas, some stats on ransomware and then what’s going on with Reverb.

It’s loud, it’s raucous and it’s just getting started, so turn on the noise cancelling, turn up the volume and let’s get going!


CA: Hundreds lose internet service in northern British Columbia

Internet service was down for about 900 customers in Tumbler Ridge, B.C., after a beaver chewed through a crucial fibre cable, causing “extensive” damage.

In a statement, Telus spokesperson Liz Sauvé wrote that in a “very bizarre and uniquely Canadian turn of events,” crews found that a beaver chewed through the cable at multiple points, causing the internet to go down on Saturday at about 4 a.m.

“Our team located a nearby dam, and it appears the beavers dug underground alongside the creek to reach our cable, which is buried about three feet underground and protected by a 4.5-inch thick conduit. The beavers first chewed through the conduit before chewing through the cable in multiple locations,” the statement said.

Sauvé said that a photo from the site appeared to show the beavers using Telus materials to build their home. She said the image shows fibre marking tape, usually buried underground, on top of their dam.

So what’s the upshot for you? It’s not the place of this podcast to comment about beaver behavior.


Global: Execs are under siege as hackers target the video game industry

BlackCloak conducted independent research and discovered some interesting security-related revelations.

By digging into publicly available information, we were able to discern the corporate email addresses of video game company executives and members of the leadership teams.

This led to the capture of personal email addresses for these same executives. From there, our cybersecurity analysts were able to draw the following conclusions based on a review of 15 of the Top 20 video game companies in the world, which are responsible for 90% of the world’s most famous games.

The gaming industry is not only one of the fastest growing targets for hackers, but also one of the most profitable.

Hackers launched 12 billion credential stuffing attacks on gaming websites during a 17-month period between November 2017 and March 2019. (Compare that against 55 billion attacks launched against all industries combined.)

C-Suite executives were 12 times more likely to be targeted in cyberattacks than other employees in the organization.

The C-Suite cyber attacks were financially motivated, with attackers looking to make money from company or employee data, intellectual property or through ransomware.
…and the report goes on…

So what’s the upshot for you? The key takeaway from the research is that the leadership teams at video game companies are vulnerable to cyberattacks which could potentially put their entire company at risk. Security needs to be extended to home networks, to all devices used by family members on the Wi-Fi network, and to all locations used by the family, including secondary homes.
Why are they vulnerable? That same report says 34% of C-suite execs reuse their passwords, and 83% of those passwords were found for sale on the dark web.
…shame on them!
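What a practitioner should do with that statistic is check their own passwords against a breach corpus without handing the password to anyone. The Python below is an added example, not code from the BlackCloak report or from this newsletter; it implements the k-anonymity range lookup used by "Pwned Passwords"-style services (send only the first five hex characters of the SHA-1, match the 35-character suffix locally) against a constructed, in-memory stand-in for the range service, so it runs offline. The corpus and counts are made up for the demo.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Added example: k-anonymity breach-corpus lookup. The password never leaves the
# client; only the first 5 hex chars of its SHA-1 are sent, and the matching
# suffix is searched for locally in the returned range.

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix to send, 35-char suffix to keep local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, the format a range endpoint returns for one prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 means not seen.
    fetch_range(prefix) performs the (normally HTTPS) range lookup."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# CONSTRUCTED stand-in for a breach corpus; passwords and counts are made up.
LEAKED_CORPUS = {
    "password": 3730471,
    "letmein": 227000,
    "Summer2021!": 12,
}

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range service: returns every corpus suffix
    whose SHA-1 starts with prefix, in 'SUFFIX:COUNT' form."""
    lines = []
    for pw, n in LEAKED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, fake_fetch_range))
```

Swap `fake_fetch_range` for a function that fetches the real range over HTTPS and the rest is unchanged; the service only ever learns five hex characters, which map to hundreds of unrelated hashes.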


US: Want That Job Offer? A Covid-19 Vaccine Is Now Required.

At the New York restaurant Eleven Madison Park, a recent job posting for a sommelier lists a string of necessary skills, including exceptional wine knowledge and an ability to lift 50 pounds. The last requirement on the list: a Covid-19 vaccination.

As the U.S. job market heats up, positions operating machines in Louisville, Ky., working in offices in Houston and waiting on diners in Manhattan now require that candidates be vaccinated—or be willing to get their Covid-19 shot within 30 days of hire.

The Houston Methodist Hospital network is mandating vaccines for both existing employees and new hires, barring an exemption. Those who fail to comply will at first be suspended without pay, and later terminated, a hospital spokeswoman says.

So what’s the upshot for you? We’ve spoken to a surprising number of people who won’t be getting the vaccine and somehow there seems to be a political dividing line. Stay tuned to Fox News for more…


US: DC police department hit by apparent extortion attack

The Washington D.C. police department said Monday that its computer network had been breached, with a Russian-speaking ransomware group claiming to have downloaded more than 250 gigabytes of sensitive data from its servers, adding to the string of cyberattacks that have hit government entities and police departments in the U.S. this year.

Screenshots the Babuk group posted suggested it had data from at least four of the police computers, including intelligence reports, information on gang conflicts, the jail census and other administrative files.

So what’s the upshot for you? So far this year, 26 government agencies in the U.S. have been hit by ransomware, with cybercriminals releasing online data stolen from 16 of them. Time to tighten that blue line.


Global: Shlayer script that walked past macOS defenses, silenced in the 11.3 update.

The core of Mac security rests on three related mechanisms:

1.) File Quarantine flags files downloaded from the Internet and requires explicit user confirmation before one can execute.
2.) Gatekeeper blocks apps from running unless they’re signed by a developer known to Apple.
3.) Mandatory App Notarization permits apps to run only after Apple has scanned them for malware.

Earlier this year, a piece of malware already well known to Mac security experts began exploiting a vulnerability, since assigned CVE-2021-30657, that allowed it to bypass all three mechanisms.

Called Shlayer, it has had an imposing history since it first appeared three years ago.

  • Last September, it managed to pass the security scan that Apple requires for apps to be notarized.
  • Two years ago, it was delivered in a sophisticated campaign that used novel steganography to evade malware detection.
  • And last year, Kaspersky said Shlayer was the most detected Mac malware by the company’s products, with almost 32,000 different variants identified.

Shlayer’s exploitation of the zero-day, which started this past January, was yet another impressive feat.

Normally, an app bundle whose main executable is a script is treated like any other application bundle and is subject to the same requirements as other types of executables.
A simple modification let such a bundle bypass those requirements entirely.
By omitting the Info.plist, the structured text file that describes the bundle and where the files it depends on live, the bundle no longer registered with macOS as an executable bundle at all.
Instead, the file was handled like a PDF or other non-executable document, which isn’t subject to Gatekeeper and the other mechanisms.
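A defender can look for exactly that shape on disk. The Python below is an added example, not code from the original post, from Apple or from any of the researchers involved; it walks a directory tree for `.app` bundles whose main executable is a script (starts with `#!`) and which have no `Contents/Info.plist`, and builds two constructed sample bundles in a temporary directory to exercise the check. The bundle names are made up for the demo.

```python
import os
import tempfile
from typing import List

# Added example: find .app bundles in the shape Shlayer abused, i.e. a script
# as the main executable and no Contents/Info.plist.

def is_script(path: str) -> bool:
    """True if the file starts with a shebang (a script, not a Mach-O binary)."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False

def find_scriptapps_without_plist(root: str) -> List[str]:
    """Return every .app under root whose Contents/MacOS holds a script
    executable and which lacks Contents/Info.plist."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not d.endswith(".app"):
                continue
            app = os.path.join(dirpath, d)
            if os.path.isfile(os.path.join(app, "Contents", "Info.plist")):
                continue  # well-formed bundle, Gatekeeper sees it normally
            macos_dir = os.path.join(app, "Contents", "MacOS")
            if not os.path.isdir(macos_dir):
                continue
            if any(is_script(os.path.join(macos_dir, e)) for e in os.listdir(macos_dir)):
                hits.append(app)
    return sorted(hits)

def make_sample_bundles(root: str) -> None:
    """CONSTRUCTED demo bundles: Good.app is well-formed, Bad.app is in the
    Shlayer shape (script executable, no Info.plist)."""
    script = b"#!/bin/sh\necho hello\n"
    for name, with_plist in (("Good", True), ("Bad", False)):
        macos_dir = os.path.join(root, name + ".app", "Contents", "MacOS")
        os.makedirs(macos_dir)
        with open(os.path.join(macos_dir, name), "wb") as f:
            f.write(script)
        if with_plist:
            plist = os.path.join(root, name + ".app", "Contents", "Info.plist")
            with open(plist, "w") as f:
                f.write('<plist version="1.0"><dict/></plist>\n')

def demo() -> List[str]:
    """Build the samples in a scratch directory and return the flagged bundles
    as paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_bundles(tmp)
        return [os.path.relpath(p, tmp) for p in find_scriptapps_without_plist(tmp)]

if __name__ == "__main__":
    print(demo())
```

On a real Mac the companion checks are `xattr -p com.apple.quarantine <file>` to see whether the download was ever flagged, and `spctl --assess --type execute <app>` to ask Gatekeeper what it would do with the bundle.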

The flaw appears to have existed since the introduction of macOS 10.15 in June 2019, which is when notarization was introduced.

Apple fixed the vulnerability with Monday’s release of macOS 11.3.

So what’s the upshot for you? This sidestep seems trivially easy to pull off because the checks relied on developers “playing fair” and shipping well-formed bundles. See what happens when they don’t? Oh, and if you own or work with a Mac, it might be an idea to install the update ASAP.


Global: Linux kernel security uproar: What some people missed

Recently the Linux kernel community was aflame due to efforts by researchers at the University of Minnesota to intentionally torpedo Linux security by submitting faulty patches. While the University’s Department of Computer Science apologized, the damage was done, and Linux kernel maintainer Greg Kroah-Hartman banned the University from contributing to the kernel.

However you feel about what these researchers did (Chris Gaun, for example, argued, “A researcher showed how vulnerabilities can EASILY make it through [the] approval process”), this isn’t really about Linux, or open source, security. It’s always been the case that it’s possible to get bad code into good open source projects. Open source software isn’t inherently secure. Rather, it’s the open source process that is secure, and while that process kicks in during development, it’s arguably most potent after vulnerabilities are discovered.

It’s important to remember that security is always about process, not the software itself. No developer, no matter how talented, has ever written bug-free software. Bugs, to Abbott’s point above, are a constant because human imperfection is a constant.
We can try to test away as many bugs as possible, but bugs will remain, whether intentionally deposited in a project or unintentionally created.

So true security kicks in once the software is released, and people can either discover the faults before they become serious issues, or they’re reported and acted upon after release.
[In open source] security issues are most often the first to be reported. If security problems aren’t fixed pronto, the open source project will be labeled as lame by users, who will move on to the next option. Also, the openness of vulnerability disclosure means software authors are incented to fix security problems fast. If they don’t respond quickly, they risk others forking the project and taking over from authors who won’t keep up with the market of open source users.

So what’s the upshot for you? The real story is that even had those flaws remained, if ever they became an issue, the process for fixing them would be swift. There would be no waiting on some company to determine the optimal time to inform the world about the issues. Rather, fixes would probably be available almost immediately. That’s the process by which open source becomes, and remains, secure, or that’s the intent, anyway. Now tell us what happened with Heartbleed.


EU: As the EU prepares loads of new legislation covering AI, TikTok Opens a European Transparency and Accountability Centre in Ireland

https://www.usnews.com/news/technology/articles/2021-04-27/tiktok-says-to-address-european-concerns-by-opening-up-about-how-it-works

The aim is to show the public that the company - owned by China’s ByteDance - has nothing to hide… “With more than 100 million people across Europe active on TikTok every month, our teams are focused on maintaining their trust and the trust of policymakers and the broader public,” says Cormac Keenan, head of trust and safety.

TikTok has steadily been increasing its presence in Ireland, with a new data center planned for 2022 and more than 1,000 new staff hired over the last year.

TikTok is also under persistent scrutiny in Europe and the US over data privacy issues. Last week, for example, a class action lawsuit was filed against the company in the UK alleging that it illegally harvested data belonging to millions of European children.

EU lawmakers have recently proposed a swathe of updates to digital legislation that look set to dial up emphasis on the accountability of AI systems — including content recommendation engines.

A draft AI regulation presented by the Commission last week also proposes an outright ban on subliminal uses of AI technology to manipulate people’s behavior in a way that could be harmful to them or others. So content recommender engines that, for example, nudge users into harming themselves by suggestively promoting pro-suicide content or risky challenges may fall under the prohibition. (The draft law suggests fines of up to 6% of global annual turnover for breaching prohibitions.)
Meanwhile, the Irish Data Protection Commissioner is currently investigating whether the app might be sharing user data with China - also a matter of concern in the US.

So what’s the upshot for you? It’s certainly interesting to note TikTok also specifies that its European TAC will offer detailed insight into its recommendation technology. That’s going to be of interest to lots and lots of people!


Global: Ransomware: don’t expect a full recovery, however much you pay

https://www.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf

“The State of Ransomware 2021”, April 2021 results from a global survey of 5,400 IT respondents.
Key findings…

  • 37% of respondents’ organizations were hit by ransomware in the last year (down from 51% the previous year), with larger organizations more likely than small ones to be hit.
  • Extortion-style attacks, where data was not encrypted but the victim was still held to ransom, have more than doubled since last year, up from 3% to 7%.
  • 54% of those hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data.
  • On average, only 65% of the encrypted data was restored after the ransom was paid.
  • 68% of respondents in India had experienced an attack, the highest hit rate, while Poland had the lowest at 13%.
  • The average ransom paid by mid-sized organizations was US$170,404.
  • The average bill for rectifying a ransomware attack, counting downtime, people time, device cost, network cost, lost opportunity, ransom paid etc., was US$1.85 million.

So what’s the upshot for you?

  1. Assume you will be attacked. Be prepared. Have a plan.
  2. Back up your data. It won’t stop an attack, but it will let you recover from one.
  3. Layer on your security. Remember that easier targets tend to be the most popular choices.
  4. Don’t pay. It only encourages the baddies to hit you or someone else.

UK: The UK’s National Cyber Security Centre (NCSC) warns Android users about FluBot

https://www.ncsc.gov.uk/guidance/flubot-guidance-for-text-message-scam

The NCSC is aware that a malicious piece of spyware – known as FluBot – is affecting Android phones and devices across the UK.

The spyware is delivered by a text message asking the victim to install a tracking app because of a ‘missed DHL package delivery’; following the link installs FluBot.
If you have already clicked the link to download the application:
Take the following steps to clean your device, as your passwords and online accounts are now at risk from hackers.
Do not enter your password, or log into any accounts until you have followed the below steps.
To clean your device, you should:

  • Perform a factory reset as soon as possible. The process for doing this will vary based on the device manufacturer and guidance can be found here. Note that if you don’t have backups enabled, you will lose data.
  • When you set up the device after the reset, it may ask you if you want to restore from a backup. You should avoid restoring from any backups created after you downloaded the app, as they will also be infected.
    Footnote - While messages so far have claimed to be from DHL, the scam could change to abuse other company brands.

So what’s the upshot for you?

  • Back up your device to ensure you don’t lose important information like photos and documents. The CyberAware campaign explains how to do this.
  • Only install new apps onto your device from the app store that your manufacturer recommends.
  • For Android devices, make sure that Google’s Play Protect service is enabled if your device supports it.

US: Phishing attacks target Chase Bank customers

The first campaign claimed to include a Chase credit card statement…
The second warned recipients that their Chase account access had been restricted due to unusual activity…
In both cases, the goal was the same: obtain your account credentials.

So what’s the upshot for you? When you get emails purporting to be from your bank or credit card company, remember to look for social engineering clues and ask yourself: “Why is my bank sending emails to my work account?” or perhaps “Why is the URL’s parent domain different from chase.com?”

  1. Use multi-factor authentication on all business and personal accounts wherever you can.
  2. Don’t use the same password across multiple sites or accounts.
  3. Use a password manager, or an old-school password-protected spreadsheet, to handle your passwords (note that free online office suites will not let you password protect spreadsheets).
  4. Don’t use passwords associated with your name, your pet’s name or family members’ names, date of birth, anniversary date or other public information.
  5. If the login wants an e-mail address, create one just for logins, e.g. flumpy2@gmail.com, and add the name of the site as a tag: flumpy2+Macys@gmail.com. Bear in mind that a free webmail provider has full visibility into that mailbox, so factor that into what you sign up for with it.
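The “parent domain” question is worth automating, because the eye is exactly what these emails are built to fool. The Python below is an added example, not from the original post; it compares a link’s registrable domain with the bank’s, which rejects `chase.com.account-verify.example`, `https://chase.com@evil.example/`, lookalike domains and brand-in-the-path links, and it also pulls the site tag back out of a plus-addressed alias so you can tell who leaked your address. The tiny public-suffix table is an assumption for the demo; real code should use the full Public Suffix List. All URLs and addresses here are constructed.

```python
from typing import Optional
from urllib.parse import urlparse

# Added example: decide whether a link in a "bank" email really points at the
# bank by comparing registrable domains, not by searching for the brand name.
# The suffix table is a deliberately small ASSUMPTION for the demo.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

def registrable_domain(host: str) -> str:
    """'secure.chase.com' -> 'chase.com'; 'www.b.co.uk' -> 'b.co.uk';
    literal IP addresses are returned unchanged."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels) or ":" in host:
        return host  # IPv4/IPv6 literal: no registrable domain
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def link_matches_bank(url: str, bank_domain: str = "chase.com") -> bool:
    """True only when the link's registrable domain is exactly the bank's.
    Catches the brand as a subdomain of another site, the brand in the
    userinfo before '@', the brand only in the path, and non-http schemes."""
    parts = urlparse(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return registrable_domain(parts.hostname) == bank_domain.lower()

def alias_tag(address: str) -> Optional[str]:
    """For a plus-addressed alias like flumpy2+Macys@gmail.com return 'Macys',
    i.e. which site this address was handed to; None if there is no tag."""
    local, _, domain = address.partition("@")
    if not domain or "+" not in local:
        return None
    return local.split("+", 1)[1]

if __name__ == "__main__":
    for u in ("https://secure.chase.com/login",
              "https://chase.com.account-verify.example/",
              "https://chase.com@evil.example/",
              "http://192.0.2.1/chase.com/login"):
        print(link_matches_bank(u), u)
    print(alias_tag("flumpy2+Macys@gmail.com"))
```

Note that `urlparse` already strips the `user@` part, so `https://chase.com@evil.example/` resolves to `evil.example` before the comparison, which is the same thing a browser does and the reason the trick works on people.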

Global: when the reverb becomes too much

Reverb.com is an online marketplace for new, used, and vintage music gear, headquartered in Chicago, Illinois.

Founded in 2013 by Chicago Music Exchange owner David Kalt, it has more than 10 million monthly visitors and is the largest online marketplace devoted to selling musical instruments and equipment.

5.6 million records containing full names, email addresses, phone numbers, postal addresses, PayPal email addresses and listing/order information were exposed by an unsecured Elasticsearch server.

Information belonging to Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins, and Alessandro Cortini of Nine Inch Nails was among the data exposed in the security incident at Reverb.com.

Passwords were not exposed.

So what’s the upshot for you? Perhaps “Secure your Elasticsearch server” should be a notification that periodically flashes in the face of admins, because an awful lot of them seem to neglect that part.
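Here is the check that flashing notification would run. The Python below is an added example, not from the original post or from Elastic; it parses the flat `key: value` lines of an `elasticsearch.yml` and flags a node that is bound to a non-loopback address without `xpack.security.enabled: true` (unset is counted as disabled, which was the default before Elasticsearch 8.0 and is an assumption to revisit on newer versions) or without TLS on the HTTP layer. The weak and hardened configs are constructed for the demo and are not any company’s real settings.

```python
from typing import Dict, List

# Added example: flag the elasticsearch.yml settings that turn a node into an
# open database. Unset xpack.security.enabled is treated as disabled, the
# pre-8.0 default (an ASSUMPTION for this demo).
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat 'key: value' lines elasticsearch.yml uses;
    comments are stripped, nested YAML is not supported (demo only)."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg

def is_network_exposed(cfg: Dict[str, str]) -> bool:
    """True if the node binds anything other than loopback (unset = loopback)."""
    host = cfg.get("network.host", "_local_").strip("[]")
    return any(h.strip().strip("'\"") not in LOOPBACK_HOSTS for h in host.split(","))

def is_true(cfg: Dict[str, str], key: str) -> bool:
    return cfg.get(key, "false").lower() == "true"

def config_findings(text: str) -> List[str]:
    """Return one finding per dangerous combination; an empty list means clean."""
    cfg = parse_flat_yaml(text)
    findings: List[str] = []
    if not is_network_exposed(cfg):
        return findings  # loopback only: reachable from the host itself only
    if not is_true(cfg, "xpack.security.enabled"):
        findings.append("reachable from the network with authentication disabled: "
                        "anyone who can reach the HTTP port can read and delete every index")
    if not is_true(cfg, "xpack.security.http.ssl.enabled"):
        findings.append("HTTP layer without TLS: credentials and records cross the wire in clear")
    return findings

# CONSTRUCTED configs for the demo, not any company's real settings.
WEAK_CONFIG = """
cluster.name: demo-cluster
network.host: 0.0.0.0        # listens on every interface...
http.port: 9200
# ...and nothing below turns authentication or TLS on
"""

HARDENED_CONFIG = """
cluster.name: demo-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    print(config_findings(WEAK_CONFIG))      # two findings
    print(config_findings(HARDENED_CONFIG))  # []
```

Even the hardened file still listens on every interface; the remaining step is a host or cloud firewall so that port 9200 is reachable only from the application tier, which is what keeps a mistake in the config from becoming a Bob Diachenko post.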

Thankfully Volodymyr “Bob” Diachenko is a white hat who spends his free time looking for unsecured Elasticsearch databases and then doing the right thing.
Interestingly… he’s now started posting notice of these breaches on LinkedIn before his own website, undoubtedly for the additional promotional benefit this provides. Way to go Bob!


Global: Eight-Year-Old ‘Hacker’ Unlocks Dad’s iPhone After iOS 14.5 Update

Jake Moore, cybersecurity specialist at ESET: “After setting up iOS 14.5, I asked my eight-year-old daughter to test the security on the basis that kids make the best hackers.” She put on a face mask and immediately gained access to the iPhone with an upward swipe. “I was notified on my watch that it was unlocked, and I had the option of locking it, but this could easily be missed and gives threat actors yet another tool in their kit to exploit.”

“Tested again, with the help of my partner, who was masked up in the kitchen with my iPhone. First, I went to the living room at the opposite end of the house, and the iPhone unlocked. Then I tried it while I was upstairs, in my office at the other side of the house to the kitchen, and it worked. I can confirm that my partner looks nothing like me, even with the mask on.”

Indeed, Apple support on the subject states that “the feature doesn’t use Face ID to recognize and authenticate you,” and when you enable the feature, you are reminded it will unlock when “any face with a mask is detected while your watch is unlocked and nearby.”

One thing that is worth pointing out is that if you do use the lock iPhone button on your Apple Watch, this effectively disables the unlock feature until your passcode is entered. This would prevent someone from being able to get access immediately and is a welcome protection.

“The battle between convenience and security is a long-drawn-out battle between users and the security industry,” Moore said.

So what’s the upshot for you? You still need to unlock your iPhone by a more secure means to use Apple Pay, and the unlock doesn’t extend to opening apps that require Face ID or a passcode.

We hope that in the next update Apple will include some sort of distance setting, so that some day, when you are back in the office and you go to your colleagues’ desk three meters away, the phone stays unlocked, but when you disappear to fight with the printer on the other side of the floor, the phone will get locked. Until that point perhaps we can assume that any person with a mask can open an iPhone if the watch wearer is close enough. Hmnnn… but how far can we push this?


And that’s all for this week! We’re off now to test whether we can put a mask on the cat and get it to unlock an iPhone with the new update in place.
And interestingly, there hasn’t been much reverb about the iOS 14.5 privacy changes.

Maybe the cat will notice.

Until then, stay safe, stay secure and see you in se7en!


