On Fire with the IT Privacy and Security Weekly Update for May Eleventh 2021

Howdy Daml’ers!

Through the acrid smell of trouser fires we bring you an incredibly varied line up of stories.

We start with a zero day that burned the world’s most popular .PDF reader, the dirt around the pipeline, a not-nice new activity for Apple Tags and early results of Apple’s app tracking option.

We flame out with proof that you should not trust ransomware developers, another government attempt to get us to believe that 5G doesn’t cause Covid-19, and end with a zero day attack on the Universal Turing Machine.

You are going to love each and every spark of a story; each will fan the flames of your passion for IT Privacy and Security.

So let’s catch our balance, get fired up and go!

Global: Zero day in Adobe Acrobat Reader on both Windows and Mac

When was the last time you did a round of application patching? Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

The under-attack flaw – CVE-2021-28550 – is described as a use-after-free memory corruption issue that was discovered and reported anonymously to Adobe. The company did not provide any additional details on the active exploitation.

The mega-patch release from Adobe documents at least 23 flaws in a range of products, including a pair of security holes in the Adobe Experience Manager, a trio of security flaws in Adobe InDesign and five serious bugs in Adobe Illustrator.

So what’s the upshot for you? Most of us have the Adobe Acrobat reader on a machine somewhere. Take a moment to ensure that you are running the latest version for your OS.

US: Liar Liar Pants on Fire

A database filled with the medical records of nearly 200,000 U.S. military veterans was exposed online by a vendor working for the Veterans Administration.
After disclosing the findings to United Valor, Jeremiah Fowler said he received a reply the next day thanking him and adding,
“We communicated your findings to our contractors, and they shut down this public data access immediately.”
It added…
“According to their monitoring, the data has only been accessed via our internal IP and yours.”

Er… but not so fast… Jeremiah found “The dataset also contained a ransomware message titled “read_me” that claimed all of the records were downloaded and they would be leaked unless 0.15 Bitcoin ($8,148) was paid.”

Neither United Valor nor the Veterans Administration has responded to requests for more detail.

So what’s the upshot for you? “Either the contractors had, or still have, only limited monitoring capabilities; or they (United Valor Solutions) are trying to avoid consequences.” Oooh, we smell burning…

US: Major U.S. Pipeline Crippled in Ransomware Attack

Over the weekend, a cyberattack by the Russia-based ransomware gang DarkSide managed to hamstring America’s largest oil pipeline, Colonial, threatening to choke off significant energy flows to the East Coast.

Founded in 1962 and headquartered in Alpharetta, Georgia, privately-held Colonial Pipeline is one of the largest pipeline operators in the United States and provides roughly 45% of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. The company says that it transports over 100 million gallons of fuel daily across an area spanning Texas to New York.

DarkSide is a Ransomware-as-a-Service (RaaS) group that offers its own brand of malware to customers on a subscription basis. The ransomware is currently in version 2.

According to IBM X-Force, the malware, once deployed, steals data, encrypts systems using Salsa20 and RSA-1024 encryption protocols, and executes an encoded PowerShell command to delete volume shadow copies.
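As an added example (not from the newsletter or the IBM X-Force report), the following Python scans constructed process-creation log lines for the shadow copy deletion step described above, decoding PowerShell `-EncodedCommand` payloads (UTF-16LE, base64) so that the deletion is visible even when the command is encoded. The log lines and helper names are constructed for this example.

```python
import base64
import re
from typing import List, Optional, Tuple

# Common ways volume shadow copies are removed on Windows hosts
# (vssadmin, wmic, and the WMI/CIM PowerShell variants).
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(?:remove-(?:wmiobject|ciminstance)|\.delete\(\))", re.I | re.S),
]

# PowerShell accepts -e, -ec, -enc or -EncodedCommand followed by base64.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_shadow_copy_deletion(text: str) -> bool:
    return any(p.search(text) for p in SHADOW_COPY_DELETION)


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, command, how) for lines that delete shadow copies.

    'how' is "encoded" when the deletion was only visible after decoding the
    -EncodedCommand payload, "plain" when it appeared in the raw command line.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = decode_encoded_command(line)
        if decoded is not None and is_shadow_copy_deletion(decoded):
            hits.append((n, decoded.strip(), "encoded"))
        elif is_shadow_copy_deletion(line):
            hits.append((n, line.strip(), "plain"))
    return hits


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (constructed samples only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation log lines: one benign service, one encoded
# shadow copy deletion, one plain vssadmin deletion, one benign encoded command.
SAMPLE_LOGS = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"),
    "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "powershell.exe -enc " + encode_ps("Get-Date"),
]

if __name__ == "__main__":
    for line_no, command, how in scan(SAMPLE_LOGS):
        print(f"line {line_no} [{how}]: {command}")
```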

Per Bloomberg News, the DarkSide gang pilfered approximately 100GB of data from the company’s IT network in just two hours on Thursday. The attack was part of what is known as a “double extortion scheme,” a tactic used by criminal groups in which they steal and then threaten to leak significant amounts of data from a high-value target in an effort to extort money from the victim.
A coalition of private companies, along with major government agencies like the FBI, the NSA, and CISA, apparently worked together to stop further data theft from occurring.

"We proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” Colonial stated. “Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing.”

So what’s the upshot for you? We checked the Colonial Pipeline status update page this morning and it too was now offline. If you are on the East Coast of the US, fill your car today. We are betting that fuel prices keep rising until this is resolved.
And somehow we almost feel sorry for the Russian DarkSide ransomware gang, who recently posted this statement in somewhat broken English on their website: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment and look for other our motives. Our goal is to make money. and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

We think we might panic too if we found out that the FBI, NSA, CISA and the US president were all getting regular updates on efforts to apprehend us.

Global: Interesting revelations in the Epic Games vs. Apple lawsuit

On the afternoon of September 21, 2015, Apple managers uncovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US. The apps contained code that made iPhones and iPads part of a botnet that stole sensitive user information.

Dale Bagwell from the Customer Experience team discusses the logistics of notifying all 128 million affected users, localizing notifications to each user’s language, and “accurately includ[ing] the names of the apps for each customer.”

Apparently that work was too much. Notification was never sent.

So what’s the upshot for you? We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know that Apple doesn’t either.

Global: Android users beware! Apple Air Tag stalking is now a thing.

Privacy and safety
Apple says that the entire AirTag process is anonymous and end-to-end encrypted, from the AirTag itself to the devices that discover and report its location. Apple further assures users that only they can see any information about their AirTag. None of the data is stored on the AirTag itself, and the Find My network’s Bluetooth signals rotate frequently. For those reasons and others, most users don’t need to be worried about someone using their own AirTag to track them. But there’s another problem that very well could be an important consideration for many people: the potential for someone else to use their AirTag to track and stalk you.
Apple anticipated this concern, and to the company’s credit, it has done far more than any competitor that sells these kinds of trackers to counteract it. But perhaps not quite enough.

Anti-stalker features
If someone places an AirTag on your person or in your possessions, your first line of defense may be a notification to your iPhone that a foreign AirTag is present. Apple designed the iPhone-AirTag connection to do this under two conditions: after the AirTag has stuck with you for a certain “continuous” amount of time that Apple deems sufficient to be considered abnormal, or if you arrive at the location that either your iPhone’s machine learning smarts have identified as home or that you have manually recorded as home.

The length of time doesn’t seem to be consistent, but is in the ballpark of a couple of hours. But there’s a much more critical problem: this feature is only available to people with devices running iOS 14.5 or better.

That leaves users who haven’t updated their iPhones on their own, but—more critically given that most people update their iPhones fairly promptly—it leaves anyone with an Android phone (that is, the significant majority of people) without this line of protection.

OK, so there is one line of defense: the AirTag will start making a noise when it has been separated from its owner’s other devices for a while. Unfortunately, that timeframe is three days—meaning someone who is stalking you has plenty of time to invade your privacy, harm you, or anything else.
This is something that Apple can alter on the back end, and we should probably expect to see that happen rather soon.

So what’s the upshot for you? AirTags:
The good
Ultra-precise and ultra-fast
Easy to set up
High-quality design and materials
Excellent software features in the Find My app
Replaceable battery
Not too pricy
The bad
Gets scratched up easily
Accessories are necessary for some uses and can cost as much as the device itself
Lacks the exciting AR features early reports said were coming
The ugly
Makes tracking and stalking pre 14.5 iPhone users and all Android users very easy

Global: Bet you were wondering… What are the iPhone App tracking opt-in rates?

Flurry Analytics said that its analytics library is used in over 1 million mobile applications and provides “aggregated insights” across 2 billion mobile devices per month (not all of them iOS).

It has been measuring the percentage of iOS 14.5 users who have opted into app tracking, with the current figure 15 per cent worldwide.
That is up from 11 per cent on launch day, with the rate tending to increase over time as more users opt in.

In the US, the figure is just 6 per cent (up from 2 per cent on launch day).

So what’s the upshot for you? Although this story sounds good from a privacy perspective, expect one of two outcomes:
App developers who used to sell your data to pay for their app will now start to charge
A new system of tracking you will be developed that skirts the controls Apple have put in place.

Global: Google releases Cosign for container image verification

Google has released a new open-source tool called cosign that allows users to sign and verify container images. It was developed to make signatures invisible infrastructure.

Google: “To start signing distroless we integrated cosign into the distroless CI system, which builds and pushes images via Cloud Build. Signing every distroless image was as easy as adding an additional Cloud Build step to the Cloud Build job responsible for building and pushing the images. This additional step uses the cosign container image and a key pair stored in GCP KMS to sign every distroless image. With this additional signing step, users can now verify that the distroless image they’re running was built in the correct CI environment.”

Kubernetes is already using the tool to verify images; the project aims to establish a consumable, introspectable, and secure supply chain.

So what’s the upshot for you? This lets administrators sign and verify their container images. Apparently it supports hardware and KMS signing and bring-your-own PKI, and further features will be rolling out over the next 2 months.

IN: It’s Official. There is No link between 5G technology and the spread of COVID-19

Press Information Bureau, Government of India:

“It has come to the notice of the Department of Telecommunications (DoT), Ministry of Communications that several misleading messages are being circulated on various social media platforms claiming that the second wave of coronavirus has been caused by the testing of the 5G mobile towers. As per a press statement issued by DoT these messages are false and absolutely not correct.”
But if that were not enough, the next statement really drives the message home…
“Moreover, it is informed that the testing of the 5G network has not yet started anywhere in India. Hence, the claim that 5G Trials or networks are causing coronavirus in India is baseless and false.”

Back in February 2021, India ordered that certain social media accounts be made unavailable on grounds they were spreading Covid related misinformation. Interestingly, critics said many of the impacted accounts belonged to opposition politicians who criticized the government for its handling of mass protests by farmers angered by new agricultural product distribution laws.

So what’s the upshot for you? Right now our thoughts flow to those in regions of India that are experiencing the most horrific evidence of a pandemic imaginable. That, compounded by the destruction of mobile phone communication equipment makes an unthinkable situation even worse.

FR: AXA to Stop Reimbursing Ransom Payments in France

In an apparent industry first, the global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

The suspension only applies to France and does not affect existing policies, said Christine Weirsky, a spokeswoman for the U.S. AXA subsidiary, a leading underwriter of cyber-insurance in the United States. She said it also does not affect coverage for responding and recovering from ransomware attacks, in which criminals based in safe havens including Russia break into networks, seed malware and cripple them by scrambling data.

Cyber-insurance provider Coalition last year estimated that ransomware accounted for over two-fifths (41%) of claims in North America in the first half of 2020.

The practice of reimbursing corporate policyholders to pay off their extorters has also come in for criticism by lawmakers and police, who see it as perpetuating the problem. As long as policies continue to pay out, victims will be happy to pay up and cyber-criminals will continue to target them.

The insurance industry can use its influence to improve baseline corporate security and therefore make life tougher for the threat actors, by writing rules into policies that stipulate payments will only be made if the customer has followed strict security best practices.

So what’s the upshot for you? We applaud this strategy, but are curious as to why this has not been applied globally. Perhaps if ransomware attacks move out of France it will be used to demonstrate that not paying is the most effective deterrent. On the flip side, however, paying up can sometimes be the only way for a cash-strapped, afflicted business to avoid bankruptcy.

RU: You just cannot trust ransomware baddies to keep their word

The Babuk group said last month that its attack on the Washington DC police department, in which it threatened to release stolen data on officers and informants, would be its last. But then it deleted an online note which claimed that it would be open-sourcing its code for Ransomware-as-a-Service (RaaS) actors to use, and instead attacked the Japanese power tool maker ‘Yamabiko’.

The Russian-speaking threat actors have already released some of the data on their naming-and-shaming site, including personally identifiable information (PII) on employees, product schematics, financial data and more.

The group reportedly claimed to have half a terabyte of Yamabiko’s data.

So what’s the upshot for you? …And as for Babuk’s chances of getting any money from Yamabiko… Japanese companies have established themselves among the most difficult to negotiate with over ransomware.

US: Civil Rights Groups Petition Amazon to stop selling “Rekognition” to the Police

Amazon introduced Rekognition, a cloud-based technology that uses artificial intelligence and machine learning to identify people and objects in photos and video, in 2016. But the technology became a lightning rod for civil rights groups and anti-surveillance advocates after researchers at MIT found it identified gender of certain ethnicities less accurately than similar products made by Microsoft and IBM. (Amazon said the MIT findings were “misleading and drawing on false conclusions” and asserted that its own tests had found no such inaccuracies.)

After national protests that followed the death of George Floyd last year, Amazon followed Microsoft and IBM in stopping the sale of its facial recognition technology to law enforcement. However, unlike IBM, which abandoned its program, and Microsoft, which indefinitely suspended police use of its facial recognition until a federal law is introduced, Amazon opted to impose a one-year ban to “give Congress enough time to implement appropriate rules” to govern the use of the technology.
Amazon has yet to say whether it will continue its moratorium after it expires next month, or lift the ban and sell the technology to law enforcement.

So what’s the upshot for you? Ahead of the company’s annual general meeting on May 26, one shareholder proposal is calling for an independent third-party audit on the risks linked with government use of Rekognition. Another shareholder proposal is calling for an independent report on how Amazon conducts due diligence on its customers, including law enforcement agencies that use Rekognition.
In the meantime no ruling on facial recognition software has been issued by Congress.

SE: Zero Day Arbitrary Code Execution in the Universal Turing Machine

In a paper published on academic repository ArXiv, Pontus Johnson, a professor at the KTH Royal Institute of Technology in Stockholm, Sweden, explained that his findings pertained specifically to the 1967 implementation of the simulated Universal Turing Machine (UTM) designed by the late Marvin Minsky, who co-founded the academic discipline of artificial intelligence.

“The universal Turing machine is generally considered to be the simplest, most abstract model of a computer,” Johnson wrote in his paper.

The Minsky specification describes a tape-based machine that reads and executes very simple programs from a simulated tape. Instructions on the tape move the simulated tape reader head left or right across the “tape” itself, which is represented as a one-line alphanumeric string. While users can make inputs at the start of the tape, in the UTM model they’re not supposed to alter the program that follows. So through exploiting the Minsky-spec UTM’s lack of input validation, Johnson was able to trick it into running a program he had put together.
Question… “If one of the simplest concepts of a computer is vulnerable to user meddling, where in the design process should we start trying to implement security features?”

So what’s the upshot for you? Johnson’s vulnerability (which has been assigned as CVE-2021-32471) seems to raise further questions for hardware and firmware designers. “Some people say that security needs to be built in from the start; you can’t add it later. But in this case, all the mitigations of this that I could think of, they need to be add-ons, you can’t build it into this machine. And if this is the mother of all computers, then it seems to me that you cannot build security in from the start.”

And that’s it for this week. Please check your clothing for burn marks. See you in Se7en.

From an evolutionary perspective that makes sense. Many parasites, in a symbiotic relationship with a host take enough to survive, but not sufficient to kill the host.

Legally, I don’t think that having some sort of ESR statement as a criminal entity abrogates your actions nor mitigates the harm done.

Adaptive thinking though, is always important :+1:t2:

Fair question but I’d expect that it just had to start somewhere, and a highly-advanced business economy full of legacy IS/IT systems makes for juicy targets. The criminals are adaptive (There’s that word again) and eventually will just move to a more RaaS-friendly business domicile.

So the problem will not really get ‘fixed’ but transferred.

Crime like Capital, seeks the locales of greatest profit, least compliance costs and ease of doing business.

and I think there was a certain ease with which some of the French companies were handing the problems over to their insurance companies.


In the US an oil pipeline is considered part of the critical infrastructure. If my experience in being part of two other components considered part of the critical infrastructure are anything to go by, the US team will not be messing around. DarkSide are justified in their fears.


This will not change measurably until the cost of failing to proactively address, implement and sustain systems & business security processes is of an order of at least 10 times higher than business insurance premiums.

Remember the movie ‘Fight Club’, with that excellent explanation of what an auto industry insurance adjuster does? It is just Maths, Profit and Reputation. Until we factor in everything to ESG compliance, it will be BAU.

… from the ‘free market’, maximum profit, rapacious earnings perspective, I am surprised that any industry would allow an emerging threat to reduce longterm profit. Stitch in time, saves nine.

As well they should.

Any threat to the NII/CII/CI requires a swift and harsh response. And any nation(s) that allows these bad actors to flourish and hide is culpable as well.

Good point. Full agreement here.