Picturing the IT Privacy and Security Weekly Update for August 17th 2021

Daml’ers,

If the single most important component of a camera is the twelve inches behind it and the “camera is a license to explore” then let’s hit the motor drive because we’ve got a lot of scenery to cover!

We start with an appetite so large for taking pictures that consumer interest groups are now asking for receipts. We move on to dadada and password reuse, the inflationary pressure on phishing, and a suggestion that T-Mobile might want to be a bit more polished in their breach news releases.

We end up with a demonstration of a solid backup and recovery process and a kid who is going back to church with his camera.

You’re going to love this week’s IT Privacy and Security update … frame, by frame!


"We start with a story about reinvention:

There’s been a lot of press lately about Ransomware as a Service (RaaS) groups disappearing.
The truth is, when you make as much money as they do, it’s hard to just walk away.
So here are this week’s RaaS Renames:

  • Darkside has become BlackMatter
  • DoppelPaymer is now known as Grief and
  • Avaddon shall henceforth be known as Haron

How do we know? Much of the signature software in use by the new gangs is bit-for-bit the same as was used by their earlier alias."


US: The NYPD Had a Secret Fund for Surveillance Tools

New York City police bought a range of surveillance tools—including facial-recognition software, predictive policing software, vans equipped with x-ray machines to detect weapons, and “stingray” cell site simulators—with no public oversight, according to documents released last week.

In all, the documents show that the NYPD spent at least $159 million since 2007 through a little-known “Special Expenses Fund” that did not require approval by the city council or other municipal officials.

Currently, the police are blocking records “needed by the public to understand the way our city is being policed.”

Contracts are heavily redacted, making it difficult to understand how any single tool functions, let alone how they can work together to create a surveillance dragnet over people in New York. The secrecy also inhibits a more complete understanding of the relationship between the NYPD, its vendors, and the public.

  • In 2018 the NYPD awarded $6.8 million to Idemia Solutions, which furnishes biometric tools including facial recognition. The NYPD enters children under 18 into facial recognition databases maintained by the company.
  • A five-year, $800,000 contract with Elbit Systems, Israel’s largest defense contractor, for surveillance tools including cameras and sensors.
  • In 2016 a three-year, $750,000 contract with American Science and Engineering, which furnishes mobile x-ray vans. Originally developed to detect improvised explosive devices in war zones, the vans can scan vehicles for weapons from up to 1,500 feet away. The NYPD has used the vans since at least 2012, but it has successfully fought attempts to disclose where or how often they’re used, citing national security. Health officials have warned that the devices may be a cancer risk because they can expose passersby to unhealthy amounts of radiation.
  • Contracts with KeyW Corporation, which furnished the NYPD with cell-site simulators, known as “stingrays.” These devices mimic cell phone towers, logging the identifying information of any phone that connects to them, allowing police to track people by their phone.

So what’s the upshot for you? Someone has been playing with a lot of new surveillance tech. Times Square at different times of the year has over 1200 cameras, plus drones flying overhead all happily taking your picture. Look up, smile and say “Cheese”!


Global: Survey finds the vast majority of people reusing personal passwords in the workplace, despite security training

In 2012, it became apparent that the passwords for almost 6.5 million LinkedIn accounts had been stolen from the business networking site and posted online.

(That would have been bad enough, but four years later it was revealed that the breach was much worse than previously thought - and had actually exposed over 100 million LinkedIn users’ passwords).

Following the breach, hackers tried to crowbar their way into users’ other accounts by using the passwords that had been used on LinkedIn.

Infamously, one high profile victim was a fellow you may have heard of called Mark Zuckerberg - who had made the elementary mistake of using the same password for his Twitter, Instagram, and Pinterest accounts as his LinkedIn profile.

That password? The hardly complex “dadada”.

According to a survey conducted by Bitdefender, nearly two-thirds (62%) of employees reuse passwords between business and personal accounts. The problem is particularly bad in the healthcare and education sectors, where the survey found particularly high rates of password reuse, at 94% and 91% of employees respectively.

You’re probably imagining that all people need is a little training in password security to fix this problem. Well, think again.

85% of employees who have received security training in the workplace continue to reuse their passwords. Even 78% of those employees who said they had received ‘a lot’ of cybersecurity training were found to still reuse their passwords.

So what’s the upshot for you? That puts everyone - businesses and personal users - at risk, in the office, and at home.


US: AGAIN? — T-Mobile has been hacked yet again—but still doesn’t know what was taken

As reported by Motherboard on Sunday, someone on the dark web claims to have obtained the data of 100 million people from T-Mobile’s servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove, which includes the entire IMEI history database going back to 2004, contains not only IMEI numbers, names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver’s license information, and unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data “contained accurate information on T-Mobile customers.”

T-Mobile said on Monday that hackers breached its internal servers and that company investigators are in the process of determining if the incident involves the theft of sensitive customer data. “We have determined that unauthorized access to some data occurred, however, we have not yet determined that there is any personal customer data involved,” the company said in a statement. “We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed.”

By some counts, T-Mobile has experienced as many as six separate data breaches in recent years. They include a hack in 2018 that gave unauthorized access to customer names, billing ZIP codes, phone numbers, email addresses, and account numbers. In a breach from last year, hackers absconded with data including customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information.

Apparently, the person responsible for the latest T-Mobile hack claimed that they obtained access by exploiting a misconfigured GPRS gateway, which carriers use in 2G or 3G cellular communications.

A lot of that information is already widely available, even the social security numbers, which can be found on any number of public records sites. There’s also the reality that most people’s data has been leaked at some point or another but this would tie it all neatly together.

So what’s the upshot for you? How do you protect yourself if you are a T-Mobile customer?

  • Right now, change your T-Mobile password and security PIN. Switch any of your important accounts from text-based to app-based authentication, if they support it.
  • Check out a site called HaveIBeenPwned, the brainchild of security researcher Troy Hunt, who has made it his mission to collect info from as many breaches as possible; so far it’s logged trillions of accounts.
    HaveIBeenPwned shows you not just if you’ve been impacted, but the specific type of information that may have been exposed. That way you’ll know if it’s time to change your password or cancel your credit cards or both.
  • Oh, and change your T-Mobile password anywhere else you might have reused it. Once more… Don’t reuse passwords. Get a password manager instead.
  • If the breach potentially includes extra-sensitive information, like credit card or Social Security numbers, companies sometimes offer free credit monitoring. Sign up for that now in case someone uses your info to try to open a credit account in your name.

Remember that the threat doesn’t fade after the free monitoring does. Stolen data can float around the dark web for years and Social Security numbers aren’t like passwords; they’re tough to get changed.

  • So keep a close eye on your bank accounts, literally… forever.

Global: Apple drops the intellectual property lawsuit against a maker of security tools

In 2019, Apple sued a company called Corellium over its iOS virtualization software. Corellium’s products are popular among security researchers, who have limited insight into iOS itself; Apple claimed that the software violated the company’s copyright claims.

The retreat comes at a time when Apple has come under fire from privacy advocates over its controversial new steps to find child sexual abuse materials in iCloud that involve iPhones themselves. It needs all the friends in the security community it can get; an unpopular lawsuit against a critical research tool wasn’t going to be the way to make them.

So what’s the upshot for you? When we reported on this a while back, it did seem like Apple was being a bit of a Bully.


Global: A 5G Shortcut Leaves Phones without much of that great 5G Security.

To get 5G out to the masses quickly, most carriers around the world deployed it in something called “non-standalone mode” or “non-standalone architecture.” The approach essentially uses the existing 4G network infrastructure as a jumping-off point to put out 5G data speeds before the separate, “standalone” 5G core is built. It’s like starting your cake-decorating business out of your cousin’s ice cream shop while you renovate a new storefront three blocks away.

You may see where this is going. As long as your 5G connection is in non-standalone mode, a lot of what you’re getting is still actually 4G, complete with security and privacy weaknesses that actual 5G aims to address.

Verizon said it is on track for “full commercialization” of 5G standalone mode by the end of 2021. AT&T says that it began “limited 5G deployments” late last year and that it will scale up “when the ecosystem is ready.”

So what’s the upshot for you? The 5G story sounds more and more like fiction the further you dig into it. Three speeds: slow, medium and fast, but the fast doesn’t work across more than short distances or obstacles and now… the feted 5G security seems still to be years away!


Global: Microsoft Comes up With a Sort-Of Fix for Its Endless Printer Vulnerabilities

Over the last few months, Microsoft has dealt with a plethora of security issues tied to its Windows Print Spooler function, including more than one failed attempt to patch a vulnerability called PrintNightmare. This week, the company finally offered a way to end its printer-related woes, although it’s a bit of a workaround. Now, anyone who wants to use the Windows Point and Print feature to install drivers will need administrative privileges. That should stave off most PrintNightmare attacks—but it has already been demonstrated not to stop all of them.

So what’s the upshot for you? “Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service.”

This change will take effect with the installation of the security updates released on August 10, 2021, for all versions of Windows. Microsoft warns that this change may impact organizations that previously allowed non-elevated users to add or update printer drivers, as they will no longer be able to do so and now the poor support team is going to get a lot more printer driver calls.


Global: How a Valve user turned $1 into $1M

“Firstly you will have to change your steam account email to something like (I will explain why in next steps, amount100 is the important part): YourNameamount100abc@█████,” the researcher wrote.

This allows the attacker to manipulate communications between Valve and Smart2Pay, circumventing the cryptographic hash used to protect transaction data.

“We can’t change parameters as there is Hash field with signature, however signature is generated like that hash (ALL_FIELDS_NAMES_VALUES_CONCATENATED). So with our special email we can move parameters in a way that will change the amount for us.”

Where the Valve parameters might be, “hash(MerchantID1102MerchantTransactionID█████Amount2000……)” the attacker can turn $1 into $100 or $1,000,000 simply by changing the format of the email request.

“So with our special email we can move parameters in a way that will change the amount for us. For example, we can change the original Amount=2000 to Amount2=000 and after concatenating it still will be Amount2000. Then we can change email from CustomerEmail=YourNameamount100abc%40████ to CustomerEmail=YourName&amount=100&ab=c%40█████████ by this we are adding the new field amount with our value.” Cool huh?

Valve first rated the bug as of moderate importance. However, after investigating, it escalated the bug to critical in nature, scoring it “9-10”, with the highest possible rating 10.

So what’s the upshot for you? This is a great example of why there are no shortcuts when it comes to security.
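
The signing weakness in the Valve story, as an added example that is not code from Valve, Smart2Pay or the researcher: field names and values joined without separators produce the same signed bytes for two different sets of fields, while a length-prefixed encoding plus a field allow-list does not. HMAC-SHA256, the key, the `example.test` address and the function names are assumptions for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"          # constructed; not a real merchant key
ALLOWED = ("MerchantID", "Amount", "CustomerEmail")


def sign_concat(fields):
    """Weak scheme: names and values are joined with no separators."""
    blob = "".join(name + value for name, value in fields)
    return hmac.new(SECRET, blob.encode(), hashlib.sha256).hexdigest()


def sign_canonical(fields):
    """Hardened scheme: every name and value is length-prefixed, so the
    field boundaries are part of the signed bytes."""
    mac = hmac.new(SECRET, digestmod=hashlib.sha256)
    for name, value in fields:
        for part in (name.encode(), value.encode()):
            mac.update(len(part).to_bytes(4, "big"))
            mac.update(part)
    return mac.hexdigest()


def verify(fields, signature, signer):
    """Reject unexpected, missing or duplicated fields before comparing."""
    if sorted(name for name, _ in fields) != sorted(ALLOWED):
        return False
    return hmac.compare_digest(signer(fields), signature)


# Constructed request, using the field names and values quoted above.
ORIGINAL = [
    ("MerchantID", "1102"),
    ("Amount", "2000"),
    ("CustomerEmail", "YourNameamount100abc@example.test"),
]
# Same characters in the same order, but different field boundaries.
SHIFTED = [
    ("MerchantID", "1102"),
    ("Amount2", "000"),
    ("CustomerEmail", "YourName"),
    ("amount", "100"),
    ("ab", "c@example.test"),
]

if __name__ == "__main__":
    print("concat signatures equal:   ", sign_concat(ORIGINAL) == sign_concat(SHIFTED))
    print("canonical signatures equal:", sign_canonical(ORIGINAL) == sign_canonical(SHIFTED))
    print("allow-list accepts shifted:", verify(SHIFTED, sign_concat(ORIGINAL), sign_concat))
```

The allow-list check in `verify` matters even with the weak signer: it refuses the shifted request because of its unexpected field names, before any signature comparison happens.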


Global: Last week a Hacker Stole $610 Million in Cryptocurrency, then Gave Most of It Back, but Why?

It’s been quite a roller coaster for Poly Network, a decentralized finance system. A hacker stole over $600 million early in the week, only to begin returning it on Wednesday. By Thursday, they had returned $342 million of the funds, while another $33 million worth of Tether stablecoins had been frozen. The remaining crypto assets have been placed in a wallet that requires keys from both Poly Network and the hacker; their ultimate fate is still in the balance.

But hours after the heist, blockchain security firm Slowmist claimed that they already tracked down the attacker’s IP and email information while the investigation on other ID intel relating to the attacker continued. Slowmist’s Weibo post on Tuesday suggested that the attacker used a little-known Chinese crypto exchange Hoo when putting together the funds for the attack, hinting at how their digital footprint was trailed at the beginning. Other crypto sleuths also found details relating to other exchanges that may help to identify them.

So what’s the upshot for you? They could have been the self-professed scripting angel that just wanted to demonstrate fault in the transaction handling and it took $610 million to get noticed. We’re thinking the fact that they had been identified so early on might also have been highly motivational.


Global: Phishing costs rise almost fourfold since 2015

That’s not in line with the rate of inflation either… The figures come from “The 2021 Cost of Phishing Study Presented by Ponemon Institute: June 2021”.
So what did they learn in the survey across 591 individuals working at US-based companies?

  • The average annual cost of phishing has increased from $3.8 million in 2015 to $14.8 million in 2021.
  • The most time-consuming tasks to resolve attacks are the cleaning and fixing of infected systems and conducting forensic investigations.
  • Documentation and planning represent the least time-consuming tasks.
  • Loss of employee productivity represents a significant component of the cost of phishing.
  • Each employee wastes an average of 7 hours annually due to phishing scams

So what’s the upshot for you? Wouldn’t it be nice to have something more than reassurance it’s just getting worse from one of these surveys?


PK: Looks like the Federal Board of Revenue for Pakistan got hacked on Friday the 13th.

https://www.fbr.gov.pk/pr/fbr-issues-clarification-regarding-service-op/163118

In a very understated notice, the Federal Board of Revenue (FBR) has "issued a clarification regarding in-progress service optimization activities at the FBR House Data Center Islamabad. FBR has explained that the technical team is currently migrating services. The completion of this migration shall result in the increased overall productivity of FBR IT Operations. This migration is necessary to facilitate the up-gradation of the system in order to enhance the best services to our clients.

The stakeholders, who are being provided services from the data center, are informed that there were unforeseen anomalies during the migration process, which has resulted in the unavailability of services since the early hours of the last night. FBR team is ensuring restoration of services as soon as possible to keep the downtime to a minimum. This activity is expected to be completed in the next 48 hours.

FBR regrets and apologizes for any inconvenience this may have caused and appreciates continued cooperation of the stakeholders."

Apparently, they were back and good to go by yesterday.

So what’s the upshot for you? Those unauthorized to say it said: “It was the result of malicious actors cracking the Board’s implementation of Microsoft’s Hyper-V hypervisor.” Still, as the Register.com commented, “the fact that they were offline for only about 48 hours suggests decent disaster recovery infrastructure and processes were in place.”


US/Global: Wait, That’s my Camera.

https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01

https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/

Here’s one that permeates more than 83 million devices, and over a billion connections to the internet each month. A vulnerability in security cameras, DVRs, and even baby monitors could allow an attacker to access live video and audio streams over the internet and even take full control of the gadgets remotely. The unifying feature is they all include software built with the ThroughTek Kalay Software Development Kit (SDK), which provides a plug-and-play system for connecting smart devices with their corresponding mobile apps.

Researchers from the security firm Mandiant discovered the critical bug at the end of 2020, and they are publicly disclosing it today in conjunction with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

“An attacker can connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera or reboot the device. And the user doesn’t know that anything is wrong.”

The flaw is in the registration mechanism between devices and their mobile applications. The researchers found that this most basic connection hinges on each device’s “UID,”

By searching for web vulnerabilities and coupling that with a little knowledge of the Kalay protocol, the baddie can reregister the UID and essentially hijack the connection the next time someone attempts to legitimately access the target device.

So what’s the upshot for you? ThroughTek did issue a patch back in 2018 that had options for stopping these types of attacks, but apparently, it’s not trivial for most users to load onto the device.
Today ThroughTek issued a more strongly worded update that suggested you should patch if your software was built with a pre-3.1.10 version of the SDK (and no detail on how you would determine that), but that you would only get attacked if the hacker had this skillset…
"Required skills for successful exploitation:

  1. A deep knowledge of network security
  2. Knowledge of network sniffer tools
  3. A deep knowledge of encryption algorithm"

US: Teen Finds Entire Leica M Camera Kit at Church Sale for $15

According to his Facebook profile, 16-year-old Tyler B. of Detroit, Michigan is into BMX, snowboarding, and tennis. Soon, he may be very much into photography. And who wouldn’t be, after scoring a complete Leica M outfit, that is considered a dream camera rig, for just $15?

Last Friday, Tyler sauntered around the local church garage sale for about an hour with his friend, casually searching for old watches and cameras.

He spotted a Kodak 35. It was just $3 and Tyler had heard of Kodak before so he bought it. Beside the Kodak was another camera he’d never seen or heard of though. It “looked fancy” but he had to leave for vacation in a few minutes so he passed on it.

Tyler caught up with his friend briefly to show him the Kodak and he mentioned the other camera.

“I would have never had gone back to get the Leica if I hadn’t stopped and talked to my friend who said that it was a very good camera,” Tyler says.
“I have always wanted to get into photography but never had the right camera and I figured I would try to find one at a garage sale”

As it turns out, Tyler is now the proud owner of a chrome 1968/69 Leica M4, complete with 35mm f/2 Summicron, 50mm f/2 Summicron, and 9cm f/4 Elmar lenses, as well as an original Leica ITDOO lens hood, Leica meter, and leather lens and camera cases. The M4 body itself currently sells for as much as about $3,000 on eBay, the 35mm Summicron for $2,500, the 50mm Summicron for $1,500, and about $100 each for the 9cm Elmar and ITDOO hood. Total value: $7,200+.

So what’s the upshot for you? We love the article’s closing statement: “I do think I am going to go back to the church and give them a little bit more money.” the 16-year-old Tyler said.


That’s it for this week. So as not to leave you overexposed, we will give you se7en days to develop before fixing you with another breathtakingly beautiful panoramic view of IT Privacy and Security.


Be kind, stay safe, keep focussed, stay secure and see you in se7en!

