Privacy and Security related news for the week ending 2020 09 01


This week we start with a lucky escape for Elon Musk and his team over at Tesla, and we end with a story about why online students might actually need to update the tried and true “The dog ate my homework” excuse for anything that had to be handed in first thing Monday morning.

In between we have the other side of the story on Ring doorbells and why police might not like them as much as they once did, Apple accidentally notarizing malware, the struggles for SendGrid customers, a sad story for Facebook and how that “How to secure your printer” guide ended up … on your printer…


US: Tesla Employee Thwarted an Alleged Ransomware Plot

Andy Greenberg: In August, according to a recently unsealed criminal complaint, a 27-year-old Russian man named Egor Igorevich Kriuchkov met an old associate who now worked at Tesla at a bar in Reno. At some point in the evening, the FBI says, Kriuchkov took the person’s phone, put it on top of his own, and placed both devices at arm’s length—the universal sign that he was about to say something for their ears only. He then invited the Tesla employee to collaborate with a “group” that carries out “special projects.” More specifically, he offered the staffer $500,000 to install malware on his employer’s network that would be used to ransom its data for millions of dollars.

Just a few weeks after that Reno meeting, FBI agents arrested Kriuchkov in Los Angeles as he was trying to flee the country.

Sometime after that first meeting, the Tesla staffer alerted his employer, and the FBI began surveilling and recording the subsequent meetings with Kriuchkov. Throughout August, Kriuchkov allegedly attempted to persuade the Tesla staffer by upping the bribe to $1 million, and by arguing that the malware would be encrypted such that it couldn’t be traced to the staffer who installed it. Moreover, to distract Tesla’s security staff during the ransomware installation, the gang would carry out a distributed denial of service attack, bombarding Tesla’s servers with junk traffic.

In fact, Kriuchkov allegedly claimed that another insider they had used at a different company still hadn’t been caught after three and a half years. Prosecutors say Kriuchkov even went so far as to suggest they could frame another employee of the Tesla staffer’s choice for the hack … someone he or she wanted to “teach a lesson.”

On Thursday night, Tesla founder Elon Musk confirmed the attempted attack, in typical offhand style, on Twitter. “Much appreciated,” Musk wrote in response to a report on Tesla news site Teslarati that named Tesla as the attempted ransomware strike’s target. “This was a serious attack.”

This is what happens when you hand billions to ransomware groups. If they can’t access a network via their usual methods, they can afford to simply buy their way in. Or try to. Tesla got lucky. The outcome could have been very different.


FBI warns that Ring doorbell surveillance can also be used against police officers

By Charlie Osborne: Smart doorbells can provide the police with valuable intelligence – but the network can also be turned against them. “Most IoT devices contain sensors and cameras, which generate an alert or can be remotely accessed by the owner to identify activity in and around an owner’s property,” the FBI bulletin reads. “If used during the execution of a search, potential subjects can also learn of police presence nearby, and officers or agents could have their images captured, thereby presenting risk to their present and future safety.”

In “standoff” situations, too, IoT devices containing motion sensors could alert suspects to the position of police officers around or in a property. Another challenge posed by IoT devices is when users pull the footage and post suspected criminal activity across social media, tipping off the baddies before the police can even investigate, a trend that you can often see in local Facebook groups.


Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today

The Hacker News: Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, from the previous maximum certificate lifetime of 27 months (825 days).

In a move that’s meant to boost security, Apple, Google, and Mozilla are set to reject publicly rooted digital certificates in their respective web browsers that expire more than 13 months (or 398 days) from their creation date.

Although the proposal to reduce certificate lifetimes to one year was rejected in a ballot last September, the measure has been overwhelmingly supported by the browser makers such as Apple, Google, Microsoft, Mozilla, and Opera.

Then in February this year, Apple became the first company to announce that it intends to reject new TLS certificates issued on or after September 1 that have a validity of more than 398 days. Since then, both Google and Mozilla have followed suit to enforce similar 398-day limits.

Certificates issued before the enforcement date won’t be impacted, nor will those issued from user-added or administrator-added Root certificate authorities (CAs).

“Connections to TLS servers violating these new requirements will fail,” Apple explained in a support document. “This might cause network and app failures and prevent websites from loading.” To avoid unintended consequences, Apple recommends that certificates be issued with a maximum validity of 397 days.

Why Shorten the Certificate Lifespan?

Capping certificate lifetimes improves website security because it reduces the period in which compromised or bogus certificates can be exploited to mount phishing and malware attacks.

That’s not all. Mobile versions of Chrome and Firefox do not proactively check for certificate status due to performance constraints, causing websites with revoked certificates to load without giving any warning to the user.

For developers and site owners, the development is a good time to implement certificate automation using tools such as Let’s Encrypt and EFF’s Certbot, which offer an easy way to set up, issue, renew, and replace SSL certificates without manual intervention.
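The 398-day rule above is easy to check before a certificate ever reaches production. The following is an added example for this roundup, not code from The Hacker News or from any browser vendor: it walks just enough of a DER-encoded certificate's structure, using only the Python standard library, to read notBefore and notAfter and compare the lifetime against the cap. It assumes DER input (convert PEM with ssl.PEM_cert_to_DER_cert), and the certificate produced by build_sample_cert is a constructed skeleton for the demo, not a real signed certificate.

```python
"""Check an X.509 certificate's validity period against the 398-day cap.

Added example for this roundup, not code from any of the cited articles.
Parses only the DER structure needed to reach the Validity field, so it
runs with the standard library alone. Assumption: input is DER (use
ssl.PEM_cert_to_DER_cert for PEM). The sample certificate built below is a
constructed skeleton for the demo, not a real, signed certificate.
"""
import datetime as dt

MAX_LIFETIME_DAYS = 398  # cap enforced by Apple, Google and Mozilla from 2020-09-01
RECOMMENDED_DAYS = 397   # Apple's recommended issuance maximum


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime: YYMMDDHHMMSSZ (RFC 5280 4.1.2.5.1)
        t = dt.datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:                      # GeneralizedTime: YYYYMMDDHHMMSSZ
        t = dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return t.replace(tzinfo=dt.timezone.utc)


def validity_period(der):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    tag, vs, ve = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_vs, tbs_ve = _read_tlv(der, vs)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    vtag, vvs, vve = fields[3]
    if vtag != 0x30:
        raise ValueError("Validity is not a SEQUENCE")
    times = [(t, der[s:e]) for t, s, e in _children(der, vvs, vve)]
    return _parse_time(*times[0]), _parse_time(*times[1])


def lifetime_days(der):
    not_before, not_after = validity_period(der)
    return (not_after - not_before).total_seconds() / 86400


def exceeds_cap(der, max_days=MAX_LIFETIME_DAYS):
    """True if a browser applying the 398-day rule would reject this certificate."""
    return lifetime_days(der) > max_days


# --- constructed sample input (not a real certificate) ---------------------

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(not_before, not_after):
    """Minimal DER skeleton with the fields up to Validity; unsigned, demo only."""
    utc = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                   # version v3
           + _tlv(0x02, b"\x01")                                              # serialNumber 1
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
           + _tlv(0x30, b"")                                                  # issuer: empty Name
           + _tlv(0x30, utc(not_before) + utc(not_after)))                    # validity
    return _tlv(0x30, _tlv(0x30, tbs))


def sample_cert_days(days, issued=dt.datetime(2020, 9, 1, tzinfo=dt.timezone.utc)):
    """Constructed certificate issued on the enforcement date with the given lifetime."""
    return build_sample_cert(issued, issued + dt.timedelta(days=days))


if __name__ == "__main__":
    for days in (825, 398, 397):
        print(days, "days ->", "REJECT" if exceeds_cap(sample_cert_days(days)) else "ok")
```

To check a live server, fetch its certificate with ssl.get_server_certificate(("host", 443)), convert it with ssl.PEM_cert_to_DER_cert, and pass the bytes to exceeds_cap. The cap only applies to certificates issued on or after September 1, 2020, so when triaging an existing estate pair the lifetime check with the notBefore date that validity_period returns.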


Apple Accidentally Notarizes Shlayer Malware Used in Adware Campaign

Lindsey O’Donnell: Apple accidentally approved one of the most popular Mac malware threats – OSX.Shlayer – as part of its security notarization process.

The Apple notary service is an automated system on recent macOS versions that scans software (macOS apps, kernel extensions, disk images and installer packages) for malicious content and checks for code-signing issues. Then, when a macOS user installs the software, Apple’s Gatekeeper security feature notifies them about whether any malicious code was detected before they open it.

Security researchers Peter Dantini and Patrick Wardle recently discovered that Apple inadvertently notarized malicious payloads that were utilized in a recent adware campaign. On Friday, Dantini noticed that a website (homebrew[.]sh) was actively hosting an adware campaign. The website is likely spoofing the legitimate Homebrew site (hosted at brew.sh), a free and open-source software package management system that simplifies the installation of software on macOS.

The adware payloads were fully notarized in this campaign, meaning the malicious payloads were submitted to Apple prior to distribution. They were scanned by the mobile giant and no malicious code was detected by Apple’s automated system. After running the payloads in an instrumented virtual machine and capturing their activity, Wardle was able to observe the execution of various shell commands. These commands change file modes, execute and delete files, and more.

Shlayer is one of the most common threats for Macs — in fact, last year it made up 29 percent of all attacks on macOS devices in Kaspersky’s telemetry for 2019, making it the No. 1 Mac malware threat for the year.

After the malicious payloads were spotted, Wardle notified Apple, which revoked their certificates on Aug. 28. Yet by Aug. 30 (Sunday), the adware campaign was still live and serving up new notarized payloads.

“Both the old and ‘new’ payload(s) appears to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware,” said Wardle. “However the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never-ending cat and mouse game between the attackers and Apple, the attackers are currently (still) winning.”


Sendgrid Under Siege from Hacked Accounts

Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid’s parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime.

When a Sendgrid customer account gets hacked and used to send malware or phishing scams, the threat is particularly acute because a large number of organizations allow email from Sendgrid’s systems unfiltered access through their spam-filtering systems.

To make matters worse, links included in emails sent through Sendgrid are obfuscated (mainly for tracking deliverability and other metrics), so it is not immediately clear to recipients where on the Internet they will be taken when they click.

According to multiple emails from readers, recent threads on several anti-spam discussion lists, and interviews with people in the anti-spam community, over the past few months there has been a marked increase in malicious, phishous and outright spammy email being blasted out via Sendgrid’s servers.


A New Botnet Is Covertly Targeting Millions of Servers

Ars Technica: FritzFrog has been used to try and infiltrate government agencies, banks, telecom companies, and universities across the US and Europe. Researchers have unearthed what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world.

The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported last Wednesday. Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are much harder to spot and more difficult to shut down.

“What was intriguing about this campaign was that, at first sight, there was no apparent command-and-control (CNC) server being connected to.” The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:

  • In-memory payloads that never touch the disks of infected servers

  • At least 20 versions of the software binary since the start of this year

  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines

  • The ability to backdoor infected servers

  • A list of login credential combinations, used to find weak passwords, that is more comprehensive than those in previously seen botnets

Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that’s effective, difficult to detect, and resilient to takedowns. The new code base—combined with rapidly evolving versions and payloads that run only in memory—makes it hard for antivirus and other endpoint protection to detect the malware.

The peer-to-peer design makes it difficult for researchers or law enforcement to shut down the operation. The typical means of takedown is to seize control of the command-and-control server. With servers infected with FritzFrog exercising decentralized control of each other, this traditional measure doesn’t work. Peer-to-peer also makes it impossible to sift through control servers and domains for clues about the attackers.

Guardicore said that company researchers first stumbled on the botnet in January. Since then it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecom companies, and universities. The botnet has so far succeeded in infecting 500 servers belonging to “well-known universities in the US and Europe, and a railway company.”

Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server.”

To infiltrate and analyze the botnet, the researchers developed a program that exchanged encryption keys the botnet used to send commands and receive data. “This program allowed us to investigate the nature and scope of the network. Using this program we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic.”

Before infected machines reboot, FritzFrog installs a public encryption key to the server’s “authorized_keys” file. The certificate acts as a backdoor in the event the weak password gets changed.

The takeaway from last week’s findings is that administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect. The report has a link to indicators of compromise and a program that can spot infected machines.
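The persistence step described above, an extra entry in authorized_keys that survives a password change, is something an administrator can look for directly. The following is an added example for this roundup, not Guardicore's detection script and not code from the report: it parses authorized_keys (including lines with an options prefix), computes the SHA256 fingerprint that ssh-keygen -lf would print, and reports entries absent from an allowlist or whose declared key type disagrees with the type encoded inside the blob. The file contents and key blobs are constructed for the demo; the 32-byte key material is filler, not a real key pair, and the allowlist is assumed to come from configuration management.

```python
"""Audit an authorized_keys file for keys that are not on an approved list.

Added example for this roundup, not Guardicore's tool or the page's own code.
Assumption: the defender keeps an allowlist of SHA256 fingerprints (the form
ssh-keygen -lf prints). The sample file and key blobs below are constructed
for the demo; the 32-byte "public keys" are filler, not real key pairs.
"""
import base64
import hashlib
import struct


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_blob(keytype, material):
    """Encode an OpenSSH public-key blob (used here only to build test data)."""
    return base64.b64encode(_ssh_string(keytype.encode()) + _ssh_string(material)).decode()


def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_keytype(blob_b64):
    """Key type stored inside the blob; should equal the declared type on the line."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def _split_fields(line):
    """Whitespace split that keeps quoted option values (command="a b") together."""
    fields, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        fields.append(cur)
    return fields


KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text):
    """Return one dict per key line: line number, options, type, blob, comment."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        has_options = not fields[0].startswith(KEY_PREFIXES)  # options precede the key type
        i = 1 if has_options else 0
        entries.append({
            "line": lineno,
            "options": fields[0] if has_options else "",
            "type": fields[i],
            "blob": fields[i + 1],
            "comment": " ".join(fields[i + 2:]),
        })
    return entries


def audit(text, allowed_fingerprints):
    """Findings for keys that are unknown to the allowlist or internally inconsistent."""
    findings = []
    for e in parse_authorized_keys(text):
        fp = fingerprint(e["blob"])
        if fp not in allowed_fingerprints:
            findings.append((e["line"], "unknown key", fp, e["comment"]))
        if embedded_keytype(e["blob"]) != e["type"]:
            findings.append((e["line"], "type mismatch", fp, e["comment"]))
    return findings


# --- constructed sample: two approved keys, then two that should not be there
ADMIN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
BACKUP_BLOB = make_blob("ssh-ed25519", bytes(range(32, 64)))
ROGUE_BLOB = make_blob("ssh-ed25519", b"\x41" * 32)
ODD_BLOB = make_blob("ssh-ed25519", b"\x42" * 32)

SAMPLE_AUTHORIZED_KEYS = f"""# managed by configuration management
ssh-ed25519 {ADMIN_BLOB} admin@bastion
restrict,command="/usr/local/bin/backup --pull" ssh-ed25519 {BACKUP_BLOB} backup@nas
ssh-ed25519 {ROGUE_BLOB} x
ssh-rsa {ODD_BLOB} mismatched
"""

ALLOWED = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}

if __name__ == "__main__":
    for line, kind, fp, comment in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"line {line}: {kind} {fp} ({comment!r})")
```

Run it against every user's authorized_keys and any extra AuthorizedKeysFile locations in sshd_config, not just root's. A key with a terse or missing comment on a host whose keys are only ever pushed by configuration management is exactly the kind of anomaly the persistence step above would leave behind, and turning PasswordAuthentication off in sshd_config removes the weak-password entry point the botnet relies on in the first place.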


Firefox Launched a New Android App to Lure Users From Chrome

Matt Burgess: Google Chrome has never been so dominant—the web browser is used by 69 percent of all desktop users and 64 percent of mobile users. Every time you visit a website or conduct a search, again probably using Google, the information you send is fed back to the company’s infrastructure… And that’s on top of advertising trackers from Google and Facebook following you around the web.

One of the big differentiators between Firefox on Android and its rivals is that it runs Geckoview, Mozilla’s browser rendering engine. “We are the only independent web engine browser available on Android,” says Dave Camp, the vice president of Firefox.

Browser engines are key pieces of infrastructure that lie at the heart of every web browser. They run the core functions of a browser needed for navigating the internet. However, there are only three main ones available for developers to use. These are Blink, which belongs to Google, Apple’s WebKit, and Mozilla’s Geckoview.

Using Geckoview allows Firefox to also make speed improvements on Android that it first introduced on desktop in November 2017. Camp says that because Firefox is relying on Mozilla’s browser engine, it’s able to use its Enhanced Tracking Protection tool, which is turned on by default and blocks third-party tracking cookies that follow people around the web. Mozilla first turned on Enhanced Tracking Protection by default in September 2019 and says it has blocked 3.4 trillion tracking cookies since then. The trackers that are blocked are all defined by a list compiled by privacy company Disconnect.

“The Enhanced Tracking Protection Standard is a technology that knows what the trackers are, knows what they are doing, and deploys a set of mitigations that prevent them from actually tracking you.”

However, Mozilla itself has struggled during the pandemic. Earlier in August, the nonprofit organization announced it was making 250 people redundant—around a quarter of its total workforce. CEO Mitchell Baker told staff that its operations in Taipei, Taiwan, would cease, while the number of workers in the US, Canada, Europe, and rest of the world would be reduced because the pandemic “significantly impacted our revenue”.

This will impact the development of the Firefox browser in the future. “In order to refocus the Firefox organization on core browser growth through differentiated user experiences, we are reducing investment in some areas such as developer tools, internal tooling, and platform feature development, and transitioning adjacent security/privacy products to our New Products and Operations team.”

As a crazy side note: While Mozilla may be creating tools to limit web tracking and online surveillance, it is still reliant on Google. A large part of its income comes from a deal with Google that ensures its search is the default option inside Firefox. Mozilla and Google recently extended their current deal until 2023. It’s expected the deal could be worth as much as $400 million and help contribute to Mozilla’s ongoing survival… but it’s important to remember that anything you search for using Google will be tracked and recorded, so consider setting your default search engine to something like “DuckDuckGo”.


iOS 14: Facebook’s Apple Nightmare Keeps Getting Worse

Kate O’Flaherty: Soon-to-launch iOS 14 is a momentous leap for iPhone privacy, but this week Facebook confirmed its Apple nightmare was even worse than previously thought.

In a blog titled “preparing our partners for iOS 14” Facebook admitted that Apple’s new privacy features would impact itself and its partners heavily. The problems for Facebook and its advertisers stem from the fact that iOS 14 signals the end of collecting iPhone “Identifiers For Advertisers” (IDFA), due to Apple’s strong measures to prevent services from tracking you across apps.

From iOS 14, Apple requires people to actively opt in to ad tracking. Before being tracked you will receive a notification saying, “x would like permission to track you across apps and websites owned by other companies. Your data will be used to deliver personalized ads to you.”

Apple will allow you to choose between “Allow Tracking” or “Ask App Not To Track.”

Facebook says this will have a negative impact on businesses’ ability to market themselves and monetize through ads. In response, it announced it will no longer collect the Identifier for Advertisers (IDFA) on its own apps on iOS 14 devices.

These iOS 14 changes affect Facebook’s Audience Network—its in-app advertising network for mobile apps. In a scathing attack on rival Apple, Facebook says: “Ultimately, despite our best efforts, Apple’s updates may render Audience Network so ineffective on iOS 14 that it may not make sense to offer it on iOS 14.”

Apple and Facebook’s relationship has gone from bad to worse. “Indirectly, Apple has dramatically shaken up Facebook’s business model with a new focus on privacy. It has created a knock on effect to Facebook and other businesses around the world who rely on collecting and sharing data—often unbeknownst to the users.”

However, iOS 14 is “likely to force people into thinking more about the risks in sharing their own data, and in time, help to protect them.”


Stolen Fortnite Accounts Earn Hackers Millions Per Year

Lindsey O’Donnell: More than 2 billion breached Fortnite accounts have gone up for sale in underground forums so far in 2020 alone.

Hackers are scoring more than a million dollars annually selling compromised accounts for the popular Fortnite video game in underground forums.

With Fortnite’s immense popularity skyrocketing over the past few years – it currently has more than 350 million global players – the game is a lucrative target for cybercriminals. So lucrative, in fact, that 2 billion breached accounts have gone up for sale in underground forums so far in 2020 alone, according to a new report.

After tallying the auction sales for several high-end and low-end Fortnite account sellers over a three month period, researchers found that on the high end, sellers averaged $25,000 per week in account sales — roughly $1.2 million per year.

Fortnite accounts are initially hacked via simple brute force and password cracking: Username-and-password combinations can be extracted from data breaches of other companies, and checked against Fortnite accounts, as many people reuse passwords.

Cybercriminals have tools that can make these types of techniques even easier. One well-known password cracker in underground hacking circles (known as “DonJuji”) says high-end Fortnite cracking tools can average between 15 and 25 thousand checks per minute (roughly 500 account checks per second), according to the report.

Epic Games does limit the number of logins allowed per IP in an attempt to limit password cracking attempts. However, cybercriminals bypass this by utilizing automatic proxy rotation, which creates a new IP for each request. One popular Fortnite account checker called Axenta (costing $15 per month), for instance, provides automatic proxy rotation, as well as a number of other different built-in tools allowing password checking and automatic password-changing.

Cybercriminals then create “logs” of these varying compromised accounts and sell them. These collections, which contain a few thousand stolen accounts, are auctioned in private Telegram channels for anywhere between $10,000 and $50,000. From there, accounts are then extracted from the log and individually posted for sale.

Marketplaces are highly organized, even containing customer service and return policies. One site is overseen by a system called “Community Checkup,” made up of a group of five “judges,” which keeps track of scammers, and of sellers and buyers who break community bylaws.

According to the report, video games in general are extremely profitable for cybercriminals, with Roblox, Runescape, and Minecraft also proving to be popular on underground forums.

Our advice is to use long unique passwords or passphrases for each login.
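The per-IP login limit the excerpt describes is defeated by proxy rotation because the attacker never spends more than an attempt or two on any one address. The following is an added example for this roundup, not Epic Games' code and not from the cited report: it runs a per-IP counter (the control being evaded) and a second detector over the same constructed login log, flagging a window in which failures arrive almost one-per-IP and one-per-username, which is the shape credential stuffing takes through a rotating proxy pool. The thresholds and the log line format are assumptions for the demo; the log lines are generated inside the block and use documentation address ranges.

```python
"""Spot credential stuffing that rotates proxies to dodge per-IP login limits.

Added example for this roundup; not Epic Games' code and not from the cited
report. A per-IP counter is the control the report says attackers bypass, so a
second rule keys on the shape of the traffic instead: many failures in a short
window, each from a first-seen IP, each against a different username.
Log format, thresholds and the log lines themselves are constructed for the demo.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

PER_IP_LIMIT = 10                 # assumed per-IP failure threshold per window
WINDOW = timedelta(minutes=5)     # assumed sliding window
MIN_FAILURES = 30                 # assumed volume before the stuffing rule may fire
FRESH_IP_RATIO = 0.9              # share of failures that come from an IP seen only once


def parse_line(line):
    """'2020-08-30T10:00:01Z auth fail user=alice ip=203.0.113.5' -> dict"""
    ts, _, result, user, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ok": result == "ok",
        "user": user.split("=", 1)[1],
        "ip": ip.split("=", 1)[1],
    }


def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """IPs that exceed the per-IP failure limit (the control a proxy pool evades)."""
    counts = Counter(e["ip"] for e in events if not e["ok"])
    return {ip for ip, n in counts.items() if n > limit}


def stuffing_signal(events, window=WINDOW, min_failures=MIN_FAILURES, ratio=FRESH_IP_RATIO):
    """True when some window holds many failures spread one-per-IP and one-per-user."""
    fails = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    start = 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:   # slide the window
            start += 1
        win = fails[start:end + 1]
        if len(win) < min_failures:
            continue
        ips = Counter(e["ip"] for e in win)
        users = Counter(e["user"] for e in win)
        fresh = sum(1 for n in ips.values() if n == 1) / len(win)
        if fresh >= ratio and len(users) >= ratio * len(win):
            return True
    return False


def analyse(log_text):
    """Run both detectors over a block of log lines."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"per_ip": per_ip_offenders(events), "stuffing": stuffing_signal(events)}


def constructed_log(rotating):
    """Constructed sample: 40 failures, then one success, within two minutes."""
    t0 = datetime(2020, 8, 30, 10, 0, 0)
    stamp = lambda i: (t0 + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    for i in range(40):
        if rotating:   # fresh proxy IP and fresh username on every attempt
            lines.append(f"{stamp(i)} auth fail user=player{i:03d} ip=203.0.113.{i + 1}")
        else:          # one address hammering one account
            lines.append(f"{stamp(i)} auth fail user=player001 ip=198.51.100.7")
    lines.append(f"{stamp(40)} auth ok user=legit ip=192.0.2.10")
    return "\n".join(lines)


if __name__ == "__main__":
    print("rotating proxies:", analyse(constructed_log(rotating=True)))
    print("single-IP brute force:", analyse(constructed_log(rotating=False)))
```

The second rule is a heuristic and needs tuning against real traffic: carrier-grade NAT produces many usernames from few IPs, the reverse pattern, so it is the one-failure-per-IP ratio that carries the signal, not the username count alone. Rate limiting per username and requiring a second factor for logins from new devices attack the same problem from the account side, which is the advice above in operational form.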


Nearly A Million Printers At Risk Of Attack, Thousands Hacked To Prove It

Lee Mathews: Roughly 28,000 printers recently gave their owners an unexpected lesson in cybersecurity. Seemingly unprompted, the printers whirred to life and produced a 5-step guide to keeping hackers at bay.

“This printer has been hacked,” the message began ominously. Fortunately for the “victims” it was a group of ethical hackers behind the attack. Then the team scoured the globe for printers that were vulnerable. They found more than 800,000 in total using a search engine called Shodan.

Shodan is a tool that’s leaned on by both security researchers and cyber criminals. In the past it’s been used to identify thousands of at-risk surveillance cameras, security alarm systems and hundreds of wind turbines and solar devices.

And yes, Shodan has also been used to pinpoint tens of thousands of vulnerable networked printers. In 2018 someone hijacked around 50,000 printers and forced them to print documents voicing support for controversial YouTuber PewDiePie.

This time the team created a “custom script that was specifically designed to only target the printing process, without gaining access to any other features or data stored on the printers.” Across the entire list of 800,000-plus vulnerable devices located by Shodan, that works out to around 447,000 that could have been successfully hijacked.


No, A Massive Cyber-Attack Didn’t Take Down The Internet Sunday: Here’s What Happened

Davey Winder: August 30 was not your typical day for millions of people who took to the internet as usual on a Sunday morning. What awaited them was cyber-chaos as they discovered many of the world’s largest internet services were either down or disrupted to the point of being unusable.

As the sheer scale of the internet-down event started to reveal itself, with a 3.5% drop in global traffic, speculation mounted as to whether a cyber-attack was to blame.

Which online services were hit by the internet outage?

The list of online services that were either inaccessible or severely disrupted on Sunday reads like a who’s who of the internet age. Amazon, bet365, Blizzard, Cloudflare, Discord, eBay, Garmin, Hulu, PlayStation Network, Reddit, Roblox, Starbucks, Steam, Twitter and Xbox Live were among their number.

What caused so much of the internet to go down on Sunday?

At first, it looked like there was a connection to a secure domain name system (DNS) and denial of service protection provider, Cloudflare. Back in July it was a Cloudflare technical issue that led to sites like Deliveroo, Discord, Feedly, GitLab, Medium, Patreon, Politico and Shopify either going down or being disrupted.

But Cloudflare quickly responded to those concerns on Twitter, suggesting that a “third-party transit provider” had suffered an “incident,” which was to blame. Cloudflare was just another victim this time around, albeit one that had a knock-on effect in disrupting other services.

CenturyLink takes the blame

The third-party transit provider turned out to be CenturyLink, a Fortune 500 Louisiana based telecommunication company providing connectivity, cloud and security solutions. CenturyLink is, indeed, one of the biggest internet service providers in the U.S.

At around the same time as the Cloudflare tweet, CenturyLink posted to confirm that technicians were working to resolve an IP outage. “We’ve pulled in every resource available to resolve the outage as soon as we are able,” the company said.

Border Gateway Protocol (BGP), which is how internet routers talk to each other about the traffic they should receive, could be to blame. More precisely, a “bad Flowspec rule.” Flowspec, a BGP extension, is used to distribute firewall rules across and between networks.

If such a rule was misconfigured, or sent out by mistake, it could prevent BGP announcements.

The good news comes on two fronts: this wasn’t a cyber-attack, and the internet was back to normal within half a day. The bad news is that half a day is an awfully long time to be without the internet, and this event shows how devastating the impact would be if a cyber-attack on providers such as Cloudflare or CenturyLink were to take place successfully.



The internet is held together with string, duct tape and goodwill.

At some point we’re going to have to find an alternative to (or an evolution of) BGP that doesn’t let one ISP take down the Internet.

Agreed. BGP in this day and age doesn’t make sense, but like caution signs at road crossings, it seems like you have to wait for loss of life before anything happens. I remember reading somewhere a few years ago where the author stated, “We will look fondly back at the days before massive Internet outages were a common occurrence.”
