Privacy and Security related news for the week ending 2020 08 18

This week we step you through what a business email compromise (BEC) attack is and what to do if you have your suspicions. Our privacy and security stories share detail ranging from North Korea to Australia and points between. We hope you find them all of interest.

We end this week’s coverage with a second story about Alice Springs Australia in almost as many weeks, although to be frank there is not a jot of privacy or security involved, we think you will also find it entertaining.

Amazon Alexa security bug allowed access to voice history

BBC: The hack “required just one click on an Amazon link” purposely crafted by the attacker, Check Point Research says. The attackers would have been able to see Alexa’s voice history - a record of conversations between the user and device.

Check Point said the hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user. Once they clicked the link, the attacker could get a list of all installed Alexa “skills” - or apps - and steal a token allowing them add or remove skills. “This could lead to exposure of personal information, such as banking data history.” So the firm told Amazon about the flaw, and it’s now been fixed.

Amazon said: “There are hundreds of millions of Alexa devices in the world. The security of those devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us.”

US/UK/NL: Bletchley Park Trust hit in Blackbaud security breach.

BBC: Data exposed to the hackers included names, dates of birth, email addresses, donation history and details of event attendance – but not credit and debit card details or bank account information.

US-based Blackbaud is a major supplier of fundraising and financial management software to clients around the world. In July, it revealed that it had fallen victim to a ransomware attack in May. The company decided to pay an undisclosed sum to the attackers who then promised to destroy any stolen data and hand back control of Blackbaud’s systems.

Other clients slowly being revealed included Harvard University (US), Utrecht and TU Delft Universities (Netherlands).

US/RU: NSA and FBI Expose a Russian Hacking Tool

From Wired: The National Security Agency is not known for being especially chatty. But it has made some useful public overtures of late; last week it offered tips to limit location tracking on your smartphone, and this week it followed up by going public with new Russian malware it discovered alongside the FBI.

The announcement links the so-called Drovorub malware to Fancy Bear, the elite hacking group behind the hack of the Democratic National Committee in 2016 and more.

Russia allegedly used Drovorub to plant backdoors; the versatile malware consisted of an implant, kernel module rootkit, file transfer and port forwarding tool, and command and control server. By shining a light on the malware, the US agencies hope to better enable potential targets to defend themselves.

CN/US: TikTok Dodged Google’s Rules to Track Android Users

The Wall Street Journal: Reported that TikTok used a banned method to track users for advertising purposes until last November. TikTok collected so-called MAC addresses using a security loophole that let it circumvent measures Android has in place to prevent that behavior. A MAC address is significant because it can be used to track a user even if they uninstall an app and reinstall it later.

Perhaps more significant, though, is a line in the Journal report that TikTok sent those MAC addresses and other data back to ByteDance, the app’s Chinese parent company. TikTok has repeatedly insisted that it does not, has not, and will not share user data with ByteDance. President Donald Trump has ordered ByteDance to sell TikTok by September 15, or the administration will take steps to shut down the app in the US.

The ReVoLTE Attack Requires Just $7,000 of Equipment to Eavesdrop on Calls

In the era of 4G, many mobile phone conversations happen over Voice over LTE. Not only does VoLTE offer more bandwidth than the 3G calls of yesteryear, it also has a built-in layer of encryption that protects your calls from eavesdropping.

A team of researchers has figured out how to undermine that security, using radio equipment that costs about $7,000 to capture that encrypted data as it heads to a cell tower and unscramble it. The attack has some important limitations, but it’s a good reminder that modern telephony still has more than its share of security holes—and 5G isn’t looking that much better.

RU: Baddies Use ‘Russian SIMs’ to Outfox Law Enforcement

Motherboard this week took a deep dive down the rabbit hole of Russian SIMs, also known as white SIMs, that let criminals spoof phone numbers at will, or in some cases allow for real-time voice manipulation.

While not illegal in and of themselves, the SIMs are a boon to phishing scams and other social engineering attacks.

UK: Leaky Tea at the Ritz

The Ritz London, one of the world’s best-known luxury hotels, said that a cyberattack had affected its food and beverage reservation system, which may have compromised visitors’ personal data, as it noted via tweet: “We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information.” — The Ritz London (@theritzlondon) August 15, 2020

AU: Google says Australian law would put search and YouTube at risk

Over the past few months, the Australian government has been preparing legislation which will make Google and Facebook pay local publishers for their content. Google has said it will fight the regulation which the government says is designed to create “a level playing field” for news outlets.

In an open letter to Australians Google said, "Google Search and YouTube services would be “dramatically worse” and the new regulation “could lead to your data being handed over to big news businesses.”

Rod Sims, Australian Competition and Consumer Commission chairman responded in a statement, “Google will not be required to charge Australians for the use of its free services such as Google Search and YouTube, unless it chooses to do so. Google will not be required to share any additional user data with Australian news businesses unless it chooses to do so.” He added that the new regulations would “address a significant bargaining power imbalance” between Australian news media and internet organisations. A healthy news media sector is essential to a well-functioning democracy."

This on the heels of the May 2020 announcement that Rupert Murdoch was closing 112 Australian print papers.

Business Email Compromise BEC attacks.

BEC attacks are different because they do not have attachments carrying malware, often they don’t even contain URLs leading to malicious websites. The content of the email is generally simple, and the attacks are customized for each individual target.

As a result, BEC losses continue to grow, in spite of employees’ email-security awareness. BEC attacks, referred to as “payload-less,” still only represent a small portion of total email attacks at only 5 percent. But according to the FBI’s Internet Crime Complaint Center (IC3), they have accounted for $26 billion in losses over the last three years.

Common attack types are urgent requests for money wire transfers, threats with a demand to send bitcoin to an account address or a link to reactivate a password.

Blocking BEC attacks is difficult as the sender address can be spoofed, and a mail gateway block on certain combinations of words, could prevent legitimate mail getting through.

Please Expect to see more BEC scams over the coming months and be extra vigilant. If the request seems unusual, even if it is from a familiar source, stop and approach a different source for confirmation. You should always double check an unexpected request asking you to do something, especially if you’ve never seen that type of request before, or it appears out of the ordinary.

UK/US: Carnival files notice of a Ransomware Attack on Its Systems

British-American cruise operator Carnival Corporation & plc filing submitted to the U.S. Securities and Exchange Commission (SEC), Carnival revealed that it had detected a ransomware attack on August 15.

“We expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies. Although we believe that no other information technology systems of the other Company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other Company’s brands will not be adversely affected.”

The investigation is ongoing.

Apple threatens to boot Epic—including Unreal Engine—off Mac and iOS

KATE COX: The new legal battle between game developer Epic and iPhone-maker Apple continues to heat up, as Epic says Apple will be cutting it off from the developer platform for Mac and iOS before the end of this month.

Epic wrote in a court filing that Apple said its membership in the Developer Program will be terminated as of August 28. According to Epic, Apple’s move threatens not only Fortnite but also every game that uses Unreal Engine: “By August 28, Apple will cut off Epic’s access to all development tools necessary to create software for Apple’s platforms—including for the Unreal Engine Epic offers to third-party developers, which Apple has never claimed violated any Apple policy,” Epic said.

“Apple has become what it once railed against: the behemoth seeking to control markets, block competition, and stifle innovation,” Epic alleged in its suit. “Apple is bigger, more powerful, more entrenched, and more pernicious than the monopolists of yesteryear. At a market cap of nearly $2 trillion, Apple’s size and reach far exceeds that of any technology monopolist in history.”

US: University Covid-19 tracking app comes with hard coded AWS credentials.

Thomas Claburn: Albion College has a plan for students to return safely to campus this fall amid the COVID-19 coronavirus pandemic. It involves being tracked by an app that, at least until a few days ago, appears to have been insecure.

The Michigan institution announced its plan on July 28, which called for testing coordinated by Testing Centers of America and the use of a health monitoring app called Aura Sequential Testing.

“All students will utilize Aura, an app developed by Nucleus Healthcare, that organizes the College’s COVID-19 testing and public health approach,” Albion said in a statement.

Perhaps more concerning is that the Amazon Web Services access keys for the backend servers of the Android version of Aura were accessible within the app’s code. The credentials were found by an Albion College student, who asked to be identified by her Twitter handle Q3w3e3. The keys could be used to access the app’s backend data and virtual machines in the Amazon-hosted US-West-2 region, including people’s COVID-19 test results and medical insurance information.

Q3w3e3 found the hardcoded AWS credentials stored within the Android app. She said it’s quite possible the stored data has already been compromised because there are bots that regularly scrape the App Store and Google Play for apps with hardcoded credentials to exploit.

Q3w3e3 expressed doubts about the company’s ability to keep user data private, noting that the corporate entity named in the privacy policy, Nucleus Careers, LLC, is a recruiting company focused on machine learning and AI.

Recently the College issued an updated version of the app. along with a message to reassure its community that the app is safe. Albion College did not respond to a request for comment.

#COVID19 Threatens ISO Re-Certification Audits

ISO27001, the bellwether of Information security management systems is in danger of having thousands of companies lapse due to pandemic isolation requirements.

Re-certification audits must be undertaken within six months of the anniversary of an ISO certificate being issued or else it should be suspended and a new assessment required. However, auditors usually have to visit premises in person, especially if organizations are still using manual spreadsheet-based processes for compliance. Auditors argue that this approach requires face-to-face explanation and cross-referencing.

As of 2018, around 1.3 million ISO certificates were granted to global organizations. If no special dispensation is granted due to COVID-19, these ISO-holders may find themselves being forced to pay as much as three-times their anticipated outlay this year on restoring certifications for complete recertification if their current certifications lapse. In the meantime, they would be forced to remove any ISO accreditation messaging from marketing materials. That’s not a good situation for anyone.

US Army report says many North Korean hackers operate outside the country

Summary by Catalin Cimpanu: North Korea has at least 6,000 hackers and electronic warfare specialists working in its ranks, with many operating abroad in countries such as Belarus, China, India, Malaysia, and Russia, the US Army said in their 332 page “North Korean Tactics” report published last month.

The report contains a wealth of detail about the Korean People’s Army (KPA), such as military tactics, weapons arsenal, leadership structure, troop types, logistics, and electronic warfare capabilities. Also detailed is the 6000 strong Electronics and cyber Warfare guidance Unit a.k.a Bureau 121. Within that unit are subunits focussing on Advanced Persistent threats (APT) and network vulnerabilities, Financial cybercrime, generic hacking and electronic Warfare Jammming.

So why do so many of Bureau 21’s constituents work from outside North Korea? Apparently Pyongyang use its hackers to set up shell companies to serve both as cover when setting up foreign-based server infrastructure, band also as intermediary entities in money laundering operations.

While the US Army report acknowledges that North Korean hackers have been involved in financial cybercrime, Army officials go even further and describe the entire North Korean government as a criminal network, with the Kim regime being involved in a wide range of activities that also included drug trading, counterfeiting, and human trafficking.

EU/US: Companies left hanging until the US and the EU work out data protection differences.

Teri Robinson: The now-defunct Privacy Shield, detailed data protection requirements when transferring personal data from the European Union and Switzerland to the United States, took months of negotiations before it was ultimately approved in July 2016. But the framework caved in its first legal test, after Austrian privacy advocate Max Schrems claimed that the privacy pact didn’t protect EU citizens from being spied on by the government. In July, the European Court of Justice (ECJ) decision in the Schrems II case left companies with very little protection beyond the standard contractual clauses for data transfers between EU and non-EU countries.

Without Privacy Shield for protection companies face a risky position that can be challenged at any time by the courts. U.S. tech companies, in particular, could find themselves in a precarious position.

It isn’t inconceivable that the courts could test the validity of the standard contractual clauses by taking on one of the U.S. tech giants, particularly in light of both Congress and the world’s recent focus on data privacy and the EU court’s position that U.S. surveillance laws run afoul of GDPR principles."

Expect to see EU-only solutions targeted at European customers to hold their data over European territory in the cloud, as this reflects an acceleration of a trend that’s spun out over the last few years.

Negotiators are likely to run into the same issues that sank the first Privacy Shield and the Safe Harbor act before it – U.S. surveillance laws that don’t meet the standard of protection that EU laws provide.

“Without drastic reform to data privacy standards in the U.S., and the reach of agencies like the NSA, any potential new Privacy Shield agreements will most likely be swiftly shut down by the same court in the EU.”

AU: A couple weeks back we mentioned Alice Springs in relation to compromised IoT devices. This week’s story is something related to storage, and completely unrelated to Security or privacy.

Ashley Nunes: "In the heart of Australian outback lies Alice Springs. The town – colloquially known as Alice – is the site of indigenous human presence dating back nearly 30,000 years. More recently, however, a new (and admittedly very different) type of settler has descended upon Alice. Since April, four Airbus A380s have made their way to the small town. The 500-plus-tonne behemoths belong to Singapore Airlines which, like many other carriers, has grounded almost its entire fleet.

The reason is Covid-19. The spread of the novel coronavirus has caused passenger demand to collapse, forcing airlines to park, rather than fly, their planes. Alice offers conditions ideal to do just that. The local airport has a runway long enough to land commercial airplanes and the climate is dry, which means aircraft parts corrode far slower than in the sweltering heat and humidity of SouthEast Asia."

That’s it for this week. Stay safe, stay secure and have a great week!