Privacy and Security related news for the week ending 2020 07 21


This week we have stories about a couple of telecom companies, one in France and another in Argentina, that have fallen foul of ransomware.

We have an interesting leak of log data from some VPN providers who aren’t even supposed to be logging.

We might have found the perfect gift for that special someone who has everything.

There’s even a story about how your USB charger might be hacked to destroy the thing it’s charging, and we finish with why the Internet went down last Friday.


SIGRed: What You Should Know About the Windows DNS Server Bug

“This is a vulnerability that’s serious enough to give somebody access to the host that’s actually running the Microsoft DNS Server,” says Cricket Liu, chief DNS architect at Infoblox. This host is often the domain controller, he says. If attackers gain access to a domain controller and a target organization has an extensive DNS infrastructure based on Windows DNS Server, they could potentially propagate from the initial host to all internal domain controllers.

Last week Microsoft patched SIGRed, a critical and wormable vulnerability in the Windows DNS Server that affects Windows Server versions 2013 to 2019. CVE-2020-1350, which has a CVSS base score of 10.0, should be a top priority for any environment running Windows DNS Server.


Crooks have acquired proprietary Diebold software to “jackpot” ATMs

Dan Goodin for ars technica: Diebold Nixdorf, which made $3.3 billion from ATM sales and service last year, is warning stores, banks, and other customers of a new hardware-based form of “jackpotting,” the industry term for attacks that thieves use to quickly empty ATMs.

The new variation uses a device that runs parts of the company’s proprietary software stack. Attackers then connect the device to the ATM internals and issue commands. Successful attacks can result in a stream of cash, sometimes dispensed as fast as 40 bills every 23 seconds. The devices are attached either by gaining access to a key that unlocks the ATM chassis or by drilling holes or otherwise breaking the physical locks to gain access to the machine internals.

The new attack variation described by Diebold is both good and bad news for consumers. On the one hand, there’s no indication thieves are using their recently acquired software stack to steal card data. The bad news is that attackers appear to have their hands on proprietary software that makes attacks more effective. The recent increase in successful jackpotting ultimately results in higher fees, as financial institutions pass on the costs caused by the losses. Diebold has issued a variety of defenses that ATM owners can take to protect against the attacks.


Family Tree Maker Software Exposes Data on 60,000 Users

One more unsecured Elasticsearch server, this time leaking 25GB of data linked to users of the Family Tree Maker software. Among the details leaked to the public-facing internet were email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.


Coinbase blocks $280,000 in Bitcoin theft

On July 15, Twitter accounts belonging to well-known figures and celebrities including Barack Obama, Joe Biden, Elon Musk, and Bill Gates were compromised to promote cryptocurrency scams. In total, the cyberattackers manipulated 130 accounts – 45 of which were used to urge unwitting members of the public to send them BTC. Data belonging to eight accounts was also downloaded and stolen; however, Twitter does not believe the hackers were able to access cleartext passwords and so mass password resets are not required.
In an attempt to contain the incident, Twitter temporarily stopped verified accounts from sending out any messages that appeared to contain Bitcoin wallet addresses. At the same time, cryptocurrency exchanges, too, took action. During the attack, the scammers managed to steal close to $120,000 in BTC. However, if Coinbase had not blacklisted the wallet address within minutes of the scam beginning, this could have been far worse.


The perfect gift for your techie?

After WWII Churchill ordered all the Enigma machines destroyed, so it’s news when one of the rarest of Enigma machines, with fewer than 100 in existence, is sold in an online auction by Christie’s for $440,000 (£347,250).

On December 19, 2019, Sotheby’s sold another Enigma M4 for a world record price of $800,000 (£630,000).

What is an Enigma machine? A cipher device that enabled Nazi forces to communicate in what was thought to be perfect secrecy.


UK ‘Confident’ Moscow Helped Hackers Target Virus Vaccine

By AFP: British Foreign Secretary Dominic Raab said on Sunday he was “absolutely confident” in allegations by the UK and its allies that Russia targeted labs conducting coronavirus research, branding the behaviour “outrageous and reprehensible”.

Britain, the United States and Canada on Thursday accused a hacking group called APT29 of spearheading the online attacks on various organisations involved in COVID-19 vaccine development.

They said the collective is “almost certainly” linked to Russian intelligence, and intended to steal information and intellectual property.

Moscow quickly rejected the accusations as “groundless”, and its ambassador to London said in a British television interview Sunday the claims made “no sense”.
Russia and Britain have been at loggerheads since Moscow was accused of trying to kill double agent Sergei Skripal with a powerful military-grade nerve agent in 2018.

“We still don’t understand why some spy story should disrupt this important business relationship,” Andrei Kelin, who was appointed Moscow’s top envoy in Britain last November, added. “We are prepared to turn the page and we are prepared to do business with Britain.”


UK Weak Gadget Passwords Could Be Illegal In 2021, Says U.K. Government

Davey Winder: In his foreword to a newly published policy paper on regulating consumer smart-product cybersecurity, the U.K. Minister for Digital Information, Matt Warman MP, has said that his is an “unashamedly pro-tech government.” Warman stated that the Department for Digital, Culture, Media and Sport has been working with the National Cyber Security Centre (NCSC) to “urgently address” the problem of poor Internet of Things (IoT) device security.

The ‘Proposals for regulating consumer smart product cyber security - call for views’ policy paper, published on July 16, sets out an overview of the proposed password legislation and seeks to get further external feedback from interested parties before moving forward.

Under proposals for a new law to protect consumers from the insecure IoT device threat, the U.K. government has recommended that single, universal passwords for devices should be banned.

The government also wants to move towards the use of “alternative authentication mechanisms” that do not use passwords. What’s more, the policy paper reveals that there is an intent to ban those passwords which are unique to every device but are still easily guessable. “Where pre-installed and unique per device passwords are used, they cannot be generated by a mechanism that doesn’t take into account the minimization of automated attacks.”

That password generation mechanism must not, the paper suggests, allow a password to be derived solely from knowledge of another password, or from information that can be determined by communicating with the device over the network. Well done! Now move that into law!
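As an added illustration of the generation rule described above (this is not code from the policy paper or from any device vendor), here is the kind of weak per-device default the proposal rules out beside a compliant one, plus a factory-test check a manufacturer could run. The MAC address and serial number are constructed sample values.

```python
import secrets
import string
from typing import Iterable

# Constructed sample identifiers of the kind a device reveals on the network:
# the MAC address appears in Wi-Fi and ARP frames, and a serial number is often
# printed on the label or returned by a discovery protocol.
SAMPLE_MAC = "a4:5e:60:1b:9c:3f"
SAMPLE_SERIAL = "SN-2020-000123"

ALPHABET = string.ascii_letters + string.digits


def weak_default_password(mac: str) -> str:
    """Pattern seen on many consumer devices: the default password is the last
    six hex digits of the MAC address. Anyone who can observe the device on the
    network can reconstruct it, which is exactly what the proposal forbids."""
    return mac.replace(":", "")[-6:].upper()


def compliant_default_password(length: int = 12) -> str:
    """Per-device password drawn from the OS CSPRNG at manufacturing time.
    Each draw is independent, so it is unique, not derivable from any
    identifier, and not derivable from another device's password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalise(value: str) -> str:
    # Strip the usual separators so "1b:9c:3f" and "1B9C3F" compare equal.
    return value.replace(":", "").replace("-", "").lower()


def derived_from_identifiers(password: str, identifiers: Iterable[str],
                             min_run: int = 5) -> bool:
    """Factory-test heuristic: flag a password if any run of min_run characters
    from it appears inside a network-observable identifier. This catches the
    MAC-suffix and serial-suffix schemes; it is a screening check, not a proof
    that the password is independent of the identifiers."""
    ids = [_normalise(i) for i in identifiers]
    pw = _normalise(password)
    windows = (pw[i:i + min_run] for i in range(len(pw) - min_run + 1))
    return any(w in ident for w in windows for ident in ids)


def passwords_independent(pw_a: str, pw_b: str) -> bool:
    """Two devices' defaults must not share a pattern that lets one be guessed
    from the other; here, no common run of five or more characters."""
    return not derived_from_identifiers(pw_a, [pw_b])
```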


iOS 13.6

Apple has released a hefty list of 29 security vulnerabilities that it has fixed in the latest version of the software. Apple doesn’t give much detail about iOS security issues while people are still on vulnerable versions, to avoid hackers taking advantage. However, in a support document detailing the security content of iOS 13.6, Apple lists the 29 issues affecting areas including Audio, Bluetooth, Kernel, Mail, Messages, Safari Login AutoFill, and WebKit.

The worst of the vulnerabilities patched in iOS 13.6 could allow for arbitrary code execution—an attacker could obtain the same privileges as someone who’s logged on, or bypass security restrictions and execute remote code on the impacted system.


More on TikTok in the US

FT: A U.S. ban on TikTok could now come “within weeks,” and it is much clearer how it would work. There will not be some form of website block or internet censorship; instead TikTok will likely be added to the same entity list that Washington has used against Huawei. This threatened TikTok ban, which started as an opportunistic political point, has now gathered serious momentum. Tens of millions of American users might be about to lose their daily TikTok fix.

Adding TikTok to a Commerce Department entity list would prevent access to U.S. tech. If TikTok is not available on app stores and cannot be updated, then how does it reach its users? What about any U.S. hardware used in the background and U.S. cloud service providers used for storage and processing? According to the FT, any such entity list decision might come within the next month, and would “send a very strong message to China who currently ban US apps Twitter and Facebook.”


"No logging" VPNs leak serious volumes of log data.

Last week 1.2TB of data was found sitting out in the open on an unsecured Elasticsearch cluster. The data contains a total of 1,083,997,361 log entries, many containing highly sensitive information. The VPN logs were from “zero logging” VPN providers: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all based in Hong Kong. This exposed cluster contained records of websites visited, connection logs, people’s names, subscribers’ email and home addresses, plain-text passwords, Bitcoin and PayPal payment information, messages to support desks, device specifications, and account info. Ouch!


Uber Drivers in GDPR Fight to Reveal Algorithms

Two Uber drivers are taking the platform to court, arguing that it has failed to meet its GDPR obligations to reveal detailed profiling data about them and how it is used, according to reports.

The case was launched yesterday by the UK-based App Drivers and Couriers Union in the district court in Amsterdam, where the ride-hailing giant’s European operations are headquartered.

The drivers, also based in the UK, want to know how the data and algorithms are used by the firm to make silent automated decisions about their jobs.

It is argued that only with greater transparency can gig economy workers like these challenge potential workplace discrimination and unfair treatment, and exercise important powers of collective bargaining over work and pay.

The kind of data they’re after includes information on any inappropriate driver behavior, late arrivals or missed ETAs, driver cancellations and other info on reliability, behavior and location, according to The Guardian.


Hey there, want to break into computers like an Iranian hacker crew? IBM finds 40GB of videos that include how-tos

Shaun Nichols for The Register: The crew at IBM X-Force has uncovered a massive cache of files, including about five hours of training videos intended for a select crew of hackers in Iran known as ITG18.

Big Blue said the videos range from two minutes to two hours and mainly cover techniques for compromising popular webmail services. They also include videos of hackers combing through data in compromised email accounts from Google, AOL, Hotmail, and Yahoo!, including those of a member of the United States Navy, as well as an officer in the Hellenic naval forces.

It’s not all success: the videos also show failed phishing attempts. But learning from failure is a key part of IT training too.

“Rarely are there opportunities to understand how the operator behaves behind the keyboard, and even rarer still are there recordings the operator self-produced showing their operations,” said researchers Allison Wikoff and Richard Emerson.


FR: Orange suffers ransomware attack

French telecoms giant Orange has confirmed that its enterprise services arm was the victim of a ransomware infection in which information of around 20 of its customers was stolen and leaked.

The Orange Business Services outfit was said to have fallen victim to the Nefilim ransomware crew, who posted an archive of the pilfered data onto its leaks site. The stolen data is believed to have been lifted from customers who were using Orange’s virtualization service.

“This attack seems to have allowed hackers to access the data of around 20 PRO / SME customers hosted on the platform,” Orange said. “Affected customers have already been informed by Orange teams and Orange continues to monitor and investigate this breach.”


Telecom Argentina Has Tuesday Deadline to Pay $7.5m Ransom

Phil Muncaster: The firm’s official website is currently down and local reports suggested that employees started having trouble accessing internal VPNs and databases as early as last Wednesday. If Telecom Argentina has not paid the ransom by the end of today, the attackers are threatening to double it (it must be paid in Monero).

Founded in 1990, the Buenos Aires-headquartered firm has over 16,000 employees and owns one of only three mobile phone operators in the country.


USB chargers hacked to destroy devices.

Zak Doffman: Not all cyber attacks focus on data theft. Sometimes the intent is “to achieve destruction of the physical world through digital means,” Chinese tech giant Tencent warns. The company’s researchers have just disclosed a serious new vulnerability in many of the mass-market fast chargers now used around the world.

When you connect your device to a fast charger with a USB cable, there is a negotiation between the two, establishing the most powerful charge the device can safely handle. This negotiation is managed between the firmware on the device and the firmware on the charger, and assumes both will play nicely with one another.

But Tencent’s researchers have now proven that a compromised charger can override this negotiation, pushing more power down the cable than the device can safely handle, likely destroying the device and potentially even setting it on fire.

Because the fast charger is essentially a smart device in its own right, it is open to a malicious compromise. An attack is very simple. With malware loaded onto a smartphone, an attacker connects to the charger, overwriting its firmware and essentially arming it as a weapon for whatever plugs into it next.

The interesting twist here is that the malware might even be on the target device. An attacker pushes that malicious code to your phone. The first time you connect to a vulnerable fast charger, the phone overwrites the charger’s firmware. The next time you connect to that same charger to recharge your device, your phone will be overloaded.


One Million Online Student Records Exposed by E-Learning Sites

Nearly one million records containing the personal information of online students have been leaked after cloud misconfigurations by five e-learning platforms, according to WizCase.

The VPN comparison site found four misconfigured and unencrypted AWS S3 buckets and one unsecured Elasticsearch server, compromising the details of countless e-learners, including many children, as well as their parents and teachers.

The personally identifiable information (PII) exposed included full names, home and email addresses, ID numbers, phone numbers, dates of birth and course/school information.

WizCase warned users of potential follow-on identity fraud, phishing attacks, stalking and blackmail.

“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” it added.

“However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”

The affected companies include Escola Digital, a Brazilian site that leaked 15MB of data, amounting to 75,000 records, although many came from 2016 and 2017.

South African site MyTopDog exposed over 800,000 records via a misconfigured S3 bucket, including documents related to business partner Vodacom School.

Kazakhstan-based Okoo leaked 7200 records via an Elasticsearch server, while US sites Square Panda (15,000) and Playground Sessions (4100) round out the affected platforms.


UK.gov admits it has not performed legally required data protection checks for COVID-19 tracing system

Lindsay Clark: The UK government has admitted it deployed the COVID-19 Test and Trace program without a Data Protection Impact Assessment (DPIA) required by law, according to privacy campaigners the Open Rights Group (ORG).

The ORG said the Department of Health and Social Care (DHSC) had confirmed in writing that the impact assessment had not been carried out following its legal complaint to data protection watchdog the Information Commissioner’s Office (ICO).

The failure to meet the legal requirement means the government’s “entire test and trace program has been operating unlawfully since its launch on 28th May 2020,” the ORG said.

On 1 June, Public Health England, which runs the program, issued a statement saying it was “currently working to complete the DPIA for NHS Test and Trace and has committed to provide this document to the ICO next week”.


UK Consumers Targeted by Tesco 4K TV Phishing Scam

Michael Hill: The fraud began via an official-looking but fake Facebook page entitled ‘Tesco UK’ which shared images purporting to be from a Tesco warehouse, displaying packed boxes of HD TVs.

According to litigation firm Griffin Law, the accompanying message said: “We have around 500 TVs in our warehouse that are about to be binned as they have slight damage and can’t be sold. However, all of them are in fully working condition, we thought instead of binning them we’d give them away free to 500 people who have shared and commented on this post by July 18.”

Unsuspecting users who then enthusiastically shared the post helped it to spread before receiving an email offering them the chance to ‘claim their prize.’ A button in the message linked victims to a landing page to enter their name, home address, telephone number and bank account details.

Griffin Law stated that at least 100 consumers have reacted to the Facebook page or received an email. The original fake Tesco Facebook page is now listed as ‘content unavailable.’


Much Of The Internet Went Down Friday: Here’s Why.

The outage started at 9:12 p.m. UTC and was caused by human error. In a July 18 blog entry, Cloudflare CTO John Graham-Cumming said that the cause of the 50% drop in traffic across the network, and the subsequent internet outages, was “a configuration error in our backbone network.”

The Cloudflare engineering team were working on an issue with a segment of the network backbone and updated a router configuration in Atlanta to alleviate congestion.

“This configuration contained an error that caused all traffic across our backbone to be sent to Atlanta,” Graham-Cumming said. “This quickly overwhelmed the Atlanta router and caused Cloudflare network locations connected to the backbone to fail.”

Connections in 20 locations across the world were impacted: San Jose, Dallas, Seattle, Los Angeles, Chicago, Washington, DC, Richmond, Newark, Atlanta, London, Amsterdam, Frankfurt, Paris, Stockholm, Moscow, St. Petersburg, São Paulo, Curitiba, and Porto Alegre.

The outage itself lasted only 27 minutes, an eternity to the average internet user, but the resulting core network congestion meant that disruption to services continued for almost an hour in total.