Praɪvəsi ænd Sɪˈkjʊrəti Update for the week ending 2020 12 22


Dear DAML’ers, phonetically speaking, we have the tastiest holiday serving of praɪvəsi ænd sɪˈkjʊrəti on anyone’s holiday menu!

Our entre is confirmation of a hack first reported here months ago, before moving onto the first course of NSO stew, a main of student test taking with a side of Facebook.

For dessert we move outside and with the wind in our hair we end with a story about brushing.

Yes, it’s all here and although we make a real meal of it, we think you will love this holiday feast!

So grab a knife and fork (no spoons in this issue, for that see our December 1st update) and let’s dig in!


Trump’s Twitter account was hacked, Dutch ministry confirms

Dutch prosecutors have confirmed that Donald Trump’s Twitter account was hacked in October despite denials from Washington and the company, but said the “ethical hacker” would not face charges.

The hacker, named as Victor Gevers, broke into Trump’s account @realDonaldTrump on 16 October by guessing the US president’s password, Dutch media reports said.

Both the White House and Twitter strenuously denied reports that the account had been hacked.

Gevers, 44, disclosed the hack immediately, saying the password he guessed was “maga2020!”, referring to the Trump slogan “Make America Great Again”.


CA: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit

In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera news network.
The zero-day exploit in iMessage which worked against at least iOS 13.5.1 on Apple’s then-latest iPhone 11 was apparently deployed in the Autumn of 2019 (so 8-9 months earlier).

Given the global reach of NSO Group’s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit.
Infrastructure used in these attacks included servers in Germany, France, UK, and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.
We have shared our findings with Apple and they have confirmed to us they are looking into the issue.

The attacks infected the targets’ phones with Pegasus, an NSO-made implant for both iOS and Android that has a full range of capabilities, including recording both ambient audio and phone conversations, taking pictures, and accessing passwords and stored credentials. The hacks exploited a critical vulnerability in the iMessage app that Apple researchers weren’t aware of at the time. Apple has since fixed the bug with the rollout of iOS 14.


US: Tech Giants Support Facebook in Case Against Spyware Maker NSO

Microsoft, Google, Cisco and a host of other tech giants have added their names to a legal filing supporting Facebook’s case against controversial spyware developer NSO Group.

The social network took the Israeli firm to court after alleging that the latter exploited a vulnerability in WhatsApp which helped its clients spy on over 1400 users globally. It’s believed that the bug or similar ones may also have been used to help Saudi Arabian officials spy on murdered journalist Jamal Khashoggi and his former boss, Jeff Bezos.

“Reporting shows foreign governments are using those surveillance tools, bought from PSOAs [private sector offensive actors], to spy on human rights defenders, journalists and others, including US citizens,” Microsoft’s Tom Burt said. “These tools allow the user to track someone’s whereabouts, listen in on their conversations, read their texts and emails, look at their photographs, steal their contacts list, download their data, review their internet search history and more.”

The case is now at the Court of Appeals after Facebook won the argument against the NSO Group in the Northern District of California in July.


Facebook: Removing Coordinated Inauthentic Behavior from France and Russia

https://about.fb.com/news/2020/12/removing-coordinated-inauthentic-behavior-france-russia/?

Facebook reports on politically motivated campaigns originating in one country against another: Today we removed three separate networks for violating our policy against foreign or government interference which is coordinated inauthentic behavior (CIB) on behalf of a foreign or government entity. These networks originated in France and Russia and targeted multiple countries in North Africa and the Middle East.

In each case, the people behind this activity coordinated with one another and used fake accounts as a central part of their operations to mislead people about who they are and what they are doing, and that was the basis for our action.

It appears that this Russian network was an attempt to rebuild their operations after our October 2019 takedown, which also coincided with a notable shift in focus of the French campaign to begin to post about Russia’s manipulation campaigns in Africa.

Unlike the operation from France, both Russia-linked networks relied on local nationals in the countries they targeted to generate content and manage their activity across internet services. This is consistent with cases we exposed in the past, including in Ghana and the US, where we saw the Russian campaigns co-opt authentic voices to join their influence operations, likely to avoid detection and help appear more authentic.

What We Found

  1. We removed 84 Facebook accounts, 6 Pages, 9 Groups and 14 Instagram accounts for violating our policy against coordinated inauthentic behavior. This activity originated in France and targeted primarily the Central African Republic and Mali, and to a lesser extent Niger, Burkina Faso, Algeria, Cote d’Ivoire and Chad.

  2. We also removed 63 Facebook accounts, 29 Pages, 7 Groups and 1 Instagram account for coordinated inauthentic behavior. This network originated in Russia and focused primarily on the Central African Republic (CAR), and to a lesser extent on Madagascar, Cameroon, Equatorial Guinea, Mozambique, South Africa and the CAR diaspora in France.

  3. We also removed 211 Facebook accounts, 126 Page, 16 Groups and 17 Instagram accounts for coordinated inauthentic behavior. This network originated in Russia and focused primarily on Libya, Sudan and Syria.


DE: Boom! VPN provider Safe-Inet, favored by cyber criminals taken offline.

Law enforcement observed criminals using Safe-Inet to spy on 250 companies located around the world. Servers used by the 11 year old service were taken down, and its infrastructure seized in France, Germany, the Netherlands, Switzerland, and the United States. Visitors to the Safe-Inet webpage are now greeted by a domain seizure notice.
The operation was led by German Reutlingen Police Headquarters and carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).


UK firm NOW: Pensions tells 1.7 million customers a ‘service partner’ leaked their data all over 'public software forum’

Workplace pension provider NOW: Pensions has emailed its near 1.7 million UK customers to warn about a data leakage caused by contractor error. The email claims a service provider “unintentionally” posted user data to an unnamed “public software forum” for three days: 11-14th December 2020. The records included biographical data (names, email addresses, and dates of birth) as well as National Insurance numbers.


Ledger threat mail continues to be a huge problem.

Let’s start at the beginning. What is a Ledger device? Ledger devices are hardware wallets that keep your secret secured on a physical device that does not expose it to your computer or the internet. It is strongly recommend to use a hardware wallet if you are managing a significant amount of funds.

So what is the backstory? The phone numbers, email and postal addresses of over 270,000 owners of the Ledger cryptocurrency hardware wallet are now freely available from a number hacking forums.

The information, which is accompanied by the email addresses of over one million people who subscribed to the Ledger newsletter, is believed to have originally fallen into the hands of criminals following a security breach at the firm back in June 2020.

According to a Ledger July 2020 blog post: “To be as transparent as possible, we want to explain what happened. An unauthorized third party had access to a portion of our e-commerce and marketing database through an API Key. The API key has been deactivated and is no longer accessible. Contact and order details were involved. This is mostly the email address of our customers, approximately 1M addresses. Further to investigating the situation we have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.”

Did you have a Ledger account or subscribe to their newsletter? Expect even higher volumes of phishing and threat mail. You can report it here:

Ledger have already had 171 websites shut down and detail their work to stop the scammers.

https://www.ledger.com/phishing-campaigns-status?

The most important suggestion? Ledger state “Beware of phishing attacks, Ledger will never ask for the 24 words of your recovery seed. Never share them.”

An additional suggestion, as phone numbers were also released, threat actors could attempt to perform a number transfer, or SIM swap attack, on your mobile account. We suggest contacting your cellular provider to see if they can enable a protection that blocks number transfers (to stop SIM card swapping).


Revealed: China suspected of spying on Americans via Caribbean phone networks

https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks?

China appears to have used mobile phone networks in the Caribbean to surveil US mobile phone subscribers as part of its espionage campaign against Americans, according to a mobile network security expert who has analysed sensitive signals data.

The findings paint an alarming picture of how China has allegedly exploited decades-old vulnerabilities in the global telecommunications network to route “active” surveillance attacks through telecoms operators.

The alleged attacks appear to be enabling China to target, track, and intercept phone communications of US phone subscribers, according to research and analysis by Gary Miller, a Washington state-based former mobile network security executive.

Miller, who has spent years analysing mobile threat intelligence reports and observations of signalling traffic between foreign and US mobile operators, said in some cases China appeared to have used networks in the Caribbean to conduct its surveillance.

At the heart of the allegations are claims that China, using a state-controlled mobile phone operator, is directing signalling messages to US subscribers, usually while they are traveling abroad.

Signaling messages are commands that are sent by a telecoms operators across the global network, unbeknownst to a mobile phone user. They allow operators to locate mobile phones, connect mobile phone users to one another, and assess roaming charges. But some signalling messages can be used for illegitimate purposes, such as tracking, monitoring, or intercepting communications.

Miller focused his research on messages that he said did not appear legitimate, either because they were “unauthorised” by the GSMA, an international standard-setting body for the telecommunications industry, or because the messages were sent from a location that did not match where a user was travelling.

“Government agencies and Congress have been aware of public mobile network vulnerabilities for years,” he said. “Security recommendations made by our government have not been followed and are not sufficient to stop attackers.”

He added: “No one in the industry wants the public to know the severity of ongoing surveillance attacks. I want the public to know about it.”

“Once you get into the tens of thousands, the attacks qualify as mass surveillance, which is primarily for intelligence collection and not necessarily targeting high-profile targets. It might be that there are locations of interest, and these occur primarily while people are abroad,” Miller said. In other words, Miller said he believed the messages were indicative of surveillance of mass movement patterns and communication of US travellers.

Miller also found what he called unique cases in which the same mobile phone users who appear to have been targeted via China Unicom also appear to have been targeted simultaneously through two Caribbean operators: Cable & Wireless Communications (Flow) in Barbados and Bahamas Telecommunications Company (BTC).

“We have an illusion of security when we talk on our mobile phones,” said James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS). “People don’t realise that we are under a sustained espionage attack on anything that connects to a network, and that this is just another example of a really aggressive and pretty sophisticated campaign.”


2000 Parents Call on McGraw-Hill Publishing to End Partnership with Proctorio

Schooling from home comes with its own challenges, some of which have been addressed by algorithmic proctoring software running on the child’s computer, that ID the student, check head and eye movements, check surroundings and then report back a fail if any of the checks come back negative.

Six US Senators recently asked Proctorio and other online proctoring companies to “address the alarmingly long list of equity, accessibility, & privacy issues students are facing on their exam platforms.” Proctorio’s response has been legal action against critics and actions to remove negative comments about them on social networking platforms.

Erik Johnson, a freshman at Ohio’s Miami University, posted his concerns about Proctorio and his analysis of their code online earlier this year, and received intimidating messages from Proctorio’s CEO, among other retaliation.

Writing for the MIT Technology Review, a librarian at UC Denver shared the following story: “A Black woman at my university told me that whenever she used Proctorio’s test proctoring software, it always prompted her to shine more light on her face. The software couldn’t validate her identity and she was denied access to tests so often that she had to go to her professor to make other arrangements. Her white peers never had this problem.”

In an open letter to Simon Allen, CEO of McGraw Hill Publishing, and Terri Walker, head of Inclusion and Diversity at McGraw Hill Publishing from 2000 parents, they quote the McGraw Hill Publishing Inclusion & Diversity statement: "Our focus on inclusion and diversity will ensure that our team members, products, and customer experiences are relevant and represent the diverse population of customers we serve.” The 2000+ parents demanded that McGraw Hill Publishing cease its performative allyship and end its peddling of racially-biased, invasive surveillance technology immediately.


And now a SolarWinds update…

Recall that FireEye was the first to expose the wide-ranging Solar Winds espionage campaign on December 8 after discovering that someone had stolen its arsenal of Red Team penetration testing tools.

Just days before the full SolarWinds hack came to light, the firm’s two biggest investors, Silver Lake and Thoma Bravo, sold more than $280 million in stock to a Canadian public pension fund. The investors said in a statement that they were not aware of the cyberattack when they sold the stock. (It’s worth noting that Equifax also claimed that its executives were not aware of the massive breach suffered by the company in 2017 when they sold stock, but it later turned out that insider trading did take place.)

Security researchers have determined that SolarWinds was likely breached at least one year (October 2019) before the intrusion was discovered.

Microsoft, Cisco, Equifax, General Electric, Intel, NVIDIA, Deloitte, and VMware have confirmed finding compromised Orion software on their systems.

Now it looks like a completely different hacker group may have also breached SolarWinds.

“The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor.”
PaloAlto do a great writeup of this new component dubbed Supernova here: https://unit42.paloaltonetworks.com/solarstorm-supernova/


‘Brushers’ Come Into Focus as Officials Test Packages of Mysterious Seeds

Now that your holiday shopping is, for the most part, over and the plethora of fake reviews are behind you, we thought we would bring up a new scam called “brushing”.

Brushing involves using fake transactions to enhance the reputations of online merchants. It began attracting attention in the U.S. about five years ago and might explain why you got that weird pair of slippers from Amazon or that phone case that fit nothing you have ever owned or even those seeds…

Planting Reviews
High sales volume and good reviews help vendors move up in search results and attract shoppers. Some vendors turn to “brushers” who place fake orders for products.
How brushing works

The vendor

  1. Pays a brusher the cost of the products they’ll be ordering, and a fee

The brusher

  1. Places orders for the vendor’s products

The vendor

  1. Ships parcels that are empty or contain low-value merchandise that may go to strangers overseas

The brusher

  1. Writes good reviews, leading to the vendor’s products being ranked higher

A Wall Street Journal article at the time reported that brushing in China helped vendors artificially increase their sales and boost their standing on online marketplaces, which typically give more prominence to high-volume sellers with good customer reviews.

In a typical brushing scheme, vendors pay fees to operators known as brushers. The brushers order products, and vendors ship packages, sometimes to people uninvolved in the scheme, that are empty or filled with trinkets to create the illusion of a real transaction. Some brushers post glowing reviews.

Considered a form of false advertising, such schemes are prohibited in the U.S. and China.

Why would brushers ship packages to strangers overseas? Ron Schlecht Jr., a managing partner at BTB Security, a cybersecurity consulting firm in Philadelphia, said auditors at e-commerce platforms may examine every part of a transaction to make sure it looks legitimate. Sending a bunch of items to just a few addresses wouldn’t look right.

“People go to those lengths so that it looks from one end to the other like a true transaction,” Mr. Schlecht said.

A 2015 study by Haitao Xu of the College of William and Mary and others, focused more attention on a problem then believed to be confined mostly to Chinese online marketplaces.

Dr. Xu, who earned a Ph.D. in computer science in 2015, explored an underground market in what he called seller-reputation escalation. Some of his insights came from an internship he had at China’s Alibaba Group Holding Ltd. , where he focused on fraud protection. His 2015 study found that vendors using brushing services could boost their online reputations at least 10 times faster than legitimate sellers.

Without fake transactions, a vendor of hair clips and costume jewelry told the Journal, “your product will end up at the very back of the search results, and people will never be able to find it.”


And that’s your holiday feast for this week DAML’ers! We hope you finished the meal happy and full! Have the best holidays ever, and we will see you right here in se7en days time as we prepare for the new year festivities!



1 Like