Privacy and Security related news for the week ending 2020 07 07

This week starts off with a tongue-in-cheek report on the perils of TikTok from Fox News, moves through Instagram to email and then to Google Play.

We cover a police commissioner’s personal rationale for not using facial recognition software and a Google Exec’s logic as to why a MITM attack should actually be called a PITM attack, before … finishing with a flash.

U.S. ‘Looking At’ Banning TikTok And Other Chinese Apps—Pompeo

The pressure on Chinese social media app TikTok has ratcheted up, with Secretary of State Mike Pompeo confirming in a FOX TV news interview that the administration is “looking at” a potential ban of the app in the U.S. This follows TikTok’s ban in India last week, and reports suggesting Australia may be looking at similar measures.

The scrutiny on TikTok has scaled with its growth—it now genuinely competes with U.S. platforms such as YouTube and Instagram for installs and users, and the platform has been one of the soaraway successes of the lockdown. But serious security and data privacy concerns have clouded TikTok for more than a year.

“Would you recommend people to download [TikTok] onto their phones?” Laura Ingraham pressed Pompeo during a Fox News interview late on Monday, July 6. “Only if you want your private information in the hands of the Chinese Communist Party,” the Secretary of State replied.

HK: Tech Giants Suspend Hong Kong Co-Operation Following Security Law

Phil Muncaster: A slew of technology providers have temporarily suspended any co-operation with Hong Kong police following the introduction of a regressive national security law.

WhatsApp, Telegram, Facebook, Twitter, LinkedIn and Zoom have all announced a pause on the processing of data requests from the Special Administrative Region (SAR) of China until an international consensus is formed on how to react.

Widely criticized by governments around the world, the legislation was secretly drafted in Beijing in blatant violation of the “one country two systems” agreement signed between China and Britain which enabled the former colony to retain a semi-autonomous criminal justice and political system following the 1997 handover.

The law will now give the Chinese authorities the power to punish acts of “terrorist activities,” “secession,” “subversion” and “collusion with a foreign country” with life imprisonment or even death.

NG/UAE/US: “Hushpuppi”, the Instagram star with 2.5 million followers, faces business email compromise (BEC) charges

A social media star known for his ostentatious displays of wealth is set to be charged in the US with conspiracy to launder hundreds of millions of dollars from BEC and other fraud schemes.

The Nigerian man, Ramon Olorunwa Abbas, 37, who is also known as “Ray Hushpuppi” and “Hush,” is accused of targeting multiple organizations, including a U.S. law firm, a foreign bank and an English Premier League soccer club, to perform BEC fraud.

Abbas was arrested last month by UAE authorities and the FBI brought him to the U.S. to face charges, after taking custody of him last week. A criminal complaint against him was filed on June 25 in Los Angeles.

RU: First-Ever Russian BEC Gang, Cosmic Lynx, Uncovered

Researchers say they have discovered the first-ever reported Russian business email compromise (BEC) cybercriminal ring, showing that sophisticated attackers beyond the usual Nigerian scammers are setting their sights on the email-based attack vector.

The BEC gang is called Cosmic Lynx, and has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July. The threat group sets itself apart from other run-of-the-mill BEC scams in that it uses extremely well-written emails, targets victims without DMARC policies and leverages a fake “merger-and-acquisition” scenario that allows it to steal larger sums of money from victims.
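Cosmic Lynx picks targets that publish no DMARC policy, so the obvious defensive check is to audit your own domains for that gap. The script below is an added example (not from the original article): it parses a `_dmarc` TXT record and reports the weaknesses a spoofer would look for (no record, `p=none`, a lax `sp=`, or a `pct` below 100); the record strings it evaluates are constructed.

```python
"""Audit a DMARC TXT record for the gaps BEC crews look for.  Added example,
not from the original article; record strings are constructed.  A real audit
fetches the TXT record at _dmarc.<domain> and passes it to parse_dmarc()."""
from dataclasses import dataclass, field
from typing import List, Optional

ENFORCING = {"quarantine", "reject"}

@dataclass
class DmarcVerdict:
    present: bool
    policy: Optional[str]            # p= tag: none / quarantine / reject
    subdomain_policy: Optional[str]  # sp= tag, defaults to p=
    pct: int                         # share of failing mail the policy covers
    reporting: bool                  # rua= aggregate-report address present
    weak: bool                       # spoofed mail could still reach inboxes
    reasons: List[str] = field(default_factory=list)

def parse_dmarc(record: Optional[str]) -> DmarcVerdict:
    """Parse a _dmarc TXT record and flag the gaps a spoofer could use."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return DmarcVerdict(False, None, None, 0, False, True,
                            ["no DMARC record published: spoofed mail is not policed"])
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower() or None
    sub_policy = tags.get("sp", "").lower() or policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC 7489 default when the tag is malformed
    reasons = []
    if policy not in ENFORCING:
        reasons.append(f"p={policy} does not reject or quarantine failing mail")
    if sub_policy not in ENFORCING:
        reasons.append(f"sp={sub_policy} leaves subdomains spoofable")
    if pct < 100:
        reasons.append(f"pct={pct} leaves {100 - pct}% of failing mail unpoliced")
    return DmarcVerdict(True, policy, sub_policy, pct, "rua" in tags,
                        weak=bool(reasons), reasons=reasons)

if __name__ == "__main__":
    # Constructed sample records: enforcing, monitor-only, and absent.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; sp=none; pct=50", None):
        print(repr(rec), "->", parse_dmarc(rec).reasons or ["OK"])
```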

Cerberus banking Trojan infiltrates Google Play

Charlie Osborne: Security researchers have discovered the Cerberus banking Trojan disguised as a legitimate currency app on Google Play (downloaded 10,000 times). The malicious currency calculator app, “Calculadora de Moneda” bypassed Google’s security barriers by posing and acting as a legitimate app for the first few weeks after being accepted into Google Play. It appears that as users began to download the app in March, the software, at first, did not cause any harm and actually acted as a legitimate – and useful – utility.

However, after instilling trust in the growing user base, the app then triggered dormant code that became a dropper for the Cerberus Trojan, a relatively new Trojan that has been in circulation since June 2019.

The malware creates an overlay across existing banking and financial apps. Cerberus lurks in the background, waiting for a user to input their account credentials, which are then stolen and sent to the attacker’s C2 server.

By yesterday evening, the C2 server had vanished and Cerberus disappeared from the currency conversion app. This does not mean, however, that the app should not still be considered malicious – and treated as a threat.

Introducing Project Freta

Project Freta is a free, cloud-based offering from the NExT Security Ventures (NSV) team at Microsoft Research that provides automated full-system volatile memory inspection of Linux systems.

The initiative is aimed at uncovering forensic evidence of sabotage on Linux systems, including rootkits and intrusive malware. Freta is a snapshot-based memory forensic mechanism that inspects the full volatile memory of virtual machine (VM) snapshots, with capabilities to spot malicious software, kernel rootkits, and other stealthy malware techniques such as process hiding.

The project is named after Warsaw’s Freta Street, the birthplace of Marie Curie, the famous French-Polish physicist who brought X-ray medical imaging to the battlefield during World War I.

Microsoft said it focused on Linux due to the need for fingerprinting operating systems in the cloud in a platform-agnostic manner from a scrambled memory image. It also cited the increased complexity of the project, given the large number of publicly available kernels for Linux.

This initial release version of Project Freta supports over 4,000 Linux kernels, with Windows support in the pipeline.

Google VP Withdraws from Black Hat 2020 Over its Name

A Google VP has ignited a fierce debate in the cybersecurity industry over the use of potentially discriminatory language after withdrawing from the upcoming Black Hat USA virtual event in protest.

David Kleidermacher, who is VP of Android security and privacy, thanked the organizers of the long-running security conference but said it was time to change.

“Black hat and white hat are terms that need to change. This has nothing to do with their original meaning, and it’s not about race alone – we also need sensible gender-neutral changes like PITM (Person in the Middle) versus MITM (Man in the Middle),” he argued on Twitter. “These changes remove harmful associations, promote inclusion and help us break down walls of unconscious bias.”

Others reflected: “The companies at the forefront of changing these tech terminologies hardly have black and women professionals at the decision table and their top leadership, that’s the change we ask, not sidelining us by making a lingua change no reasonable person asked for.”

US: EARN IT passes Senate Judiciary, stokes concerns over erosion of end-to-end encryption

Teri Robinson: Proponents of the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT) might tout its tough stance on online child sexual abuse material, but privacy and digital rights advocates contend the bill, just passed by the Senate Judiciary Committee, will erode end-to-end encryption.

EARN IT revokes Section 230 protection for internet intermediaries for what is seen as an overly broad array of state and civil claims concerning child sexual abuse material.

“The EARN IT Act sets the stage for judges across the country to apply scores of different legal standards to intermediaries’ content moderation and security practices,” Emma Llansó, director of the Center of Democracy and Technology’s Free Expression Project, said in a statement. “We know from decades of experience that threats of litigation lead website operators and other intermediaries to censor speech and shutter services. The EARN IT Act vastly amplifies those threats.”

Ahead of last week’s markup, the ACLU petitioned the committee to vote down the bill, explaining in a letter that the legislation “would harm the privacy and online speech rights of every person in this country” and would jeopardize “essential encryption services.”

Even an amendment offered up by Sen. Patrick Leahy, D-Ill., during markup isn’t enough to assuage those concerns. “While the Leahy amendment correctly seeks to shield services from liability arising from their use of encryption, services will still face endless litigation concerning whether the shield applies,” Greg Nojeim, director of CDT’s Freedom, Security, and Technology Project, said.

Nojeim pointed out that the CSAM Commission created by the bill is to be chaired by Attorney General William Barr, who he called “the Darth Vader of encryption policy.”

Misconfigured AWS S3 bucket at V Shred exposed more than one million files, including PII on 99,000 people associated with the fitness brand’s customers

Researchers at vpnMentor led by Noam Rotem and Ran Locar discovered the open server and alerted the company, which apparently removed the file containing the most PII, but kept the bucket itself open. The AWS bucket, whose URL contained “vshred,” and which contained files with the company’s logo and other identifiers “was completely opened to the public.”
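The V Shred bucket was “completely opened to the public”, which is the condition a bucket-policy audit should catch before researchers do. The check below is an added example (not from the vpnMentor report or any AWS tooling): it walks a bucket policy document and reports every `Allow` statement that lets an anonymous principal read objects or list the bucket; the two policy documents it evaluates are constructed, and ACLs and Public Access Block settings are out of its scope.

```python
"""Flag S3 bucket policy statements that grant anonymous read access.
Added example, not from the original report; the policy documents below are
constructed.  A real audit pulls each bucket's policy with
s3.get_bucket_policy(Bucket=name)["Policy"] and also reviews ACLs and the
account's Public Access Block settings, which this check does not cover."""
import fnmatch
import json
from typing import Any, List

READ_TARGETS = ("s3:getobject", "s3:listbucket")

def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal: Any) -> bool:
    # Anonymous principals appear as "*" or {"AWS": "*"} (possibly in a list).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def _grants_read(actions: Any) -> bool:
    # Action strings may be globbed (s3:Get*, s3:*, *); match case-insensitively.
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatch(target, pat)
               for pat in patterns for target in READ_TARGETS)

def public_read_statements(policy_json: str) -> List[str]:
    """Return the Sid (or index) of every Allow statement that lets anyone read.
    Statements with a Condition block are still reported: conditions such as
    aws:SourceIp may narrow them, so they need a human look rather than a pass."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if (st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
                and _grants_read(st.get("Action", []))):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings

# Constructed policies: one world-readable, one scoped to a single IAM role.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Running `public_read_statements(OPEN_POLICY)` returns `["PublicRead"]`, while the role-scoped policy returns an empty list.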

Google buys augmented reality (AR) smart-glasses company North.

Google announced it purchased smart-glasses company “North” and still plans to enhance our vision with its helpfulness. From the announcement, posted by Rick Osterloh, Senior Vice President, Devices & Services:
“From 10 blue links on a PC, to Maps on your mobile phone, to Google Nest Hub sharing a recipe in the kitchen, Google has always strived to be helpful to people in their daily lives. We’re building towards a future where helpfulness is all around you, where all your devices just work together and technology fades into the background. We call this ambient computing.”

KP: Follow up: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea.

By Eduard Kovacs: Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire’s and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday. The hackers targeted Claire’s, photography and imaging retailer Focus Camera, and stationery and gift retailer Paper Source, all based in the United States. The attack on Claire’s was disclosed in mid-June, but the fake domain used by the attackers was set up in March, shortly after the company announced closing its physical stores due to the coronavirus pandemic.
The link between these Magecart attacks and North Korean hackers? Sansec has identified the use of several domains that were previously linked to North Korean campaigns by other cybersecurity companies.

ZA: VaultAge Solutions CEO goes into hiding to avoid cryptocurrency investors allegedly scammed out of $13 million.

News24: While VaultAge Solutions described itself as a media and events entity, the company also offered a platform for traders to invest in Bitcoin (BTC) and alternative cryptocurrencies.
Willie Breedt, the founder of VaultAge Solutions, was declared bankrupt last week and investors are now faced with the loss of 227 million South African rand ($13.3 million). Several weeks ago, Breedt went into hiding after some investors called for debt collectors to find the executive and recover their funds. Before vanishing, Breedt informed local police that he was being intimidated.
One of the investors in the now-defunct company reportedly handed over 7.5 million rand ($440,000) to Breedt, but when growth failed to materialize and investment pledges were not honored, the investor filed a complaint with the Gauteng High Court in Pretoria.
Approximately 2,000 investors invested in the company, which promised to act as a “digital vault growing wealth over time,” to “alleviate financial strains from individuals, entrepreneurs, investors, and communities.”

Three UK: We’re sending you this SMS to warn you not to pay attention to unsolicited texts!

Gareth Corfield: A subset of Three UK users have received an SMS message warning them about text message-based spam – complete with a short link and textual urgings to click it and learn more.
“They send an unsolicited out-of-the-blue SMS which asks you to ‘click’ (not tap) on a link. When checked out in a sandboxed environment this goes to an insecure http-only page which warns of suspicious text messages and a video telling recipients not to tap on any links. Awesome!”

US: Boston City Council bans government use of facial recognition.

Boston Police Department (BPD) Commissioner William Gross said that high error rates for Native American, black, Asian and female faces make Boston’s recently enacted ban on facial recognition use by city government common sense.
“Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.”
Thus, with “Docket #0683, ordinance banning facial recognition technology in Boston”, the city became the second-largest in the world, after San Francisco, to ban use of the currently error-prone technology.

The rise and fall of Adobe Flash, or, "What? It’s still supported?"

Few technologies have yielded such controversial and widespread passion as Flash. Many gush over its versatility and ease of use as a creative platform or its critical role in the rise of web video. Others abhor Flash-based advertising and Web design, or they despised the resource-intensiveness of the Flash Player plugin in its later years.

But now, after roughly 25 years, Flash is finally nearing its end. In less than six months—December 2020—Adobe will officially end support and distribution of Flash Player, the browser plugin we all associate most strongly with the technology. And already, months ahead of this end-of-life switch, Flash has been disabled in most Web browsers (often flagged as a security risk should you choose to override the default settings). Even Google Chrome, long the browser of choice for Flash content, will soon remove Flash Player.