Privacy and Security related news for the week ending 2020 09 15

Dear DAML’ers,

Sometimes the Privacy and Security information that we share with you is so racy we feel like purveyors of some slightly tawdry, hot-mess, gossip magazine, except that … this stuff is all true.

We have updates on cyber-security firms’ messy housekeeping, a tawdry breach of dating sites of the Atlantic, gossipy US elections, more nation state pushing and shoving and what you really want… an update on TikTok.

In between the cheap thrills are serious details on vulnerabilities and vulnerability reporting, and what has been described as an “insane” Windows bug.

Read the article or download the podcast.

…And now our first story:

EU: Europe Tests Gateway for COVID-19 Tracing Apps to Work Across Borders

AP: Six European Union countries and the bloc’s executive Commission have begun testing a virtual “gateway” to ensure national coronavirus tracing apps can work across borders.

The trial starting Monday will allow national computer systems that run tracing apps in the Czech Republic, Denmark, Germany, Ireland, Italy and Latvia to communicate with each other via a central hub.

If the tests succeed, travelers from each of the six countries will be able to use their own apps while abroad in the other five to ensure they’re notified if they have been in close contact to another user who tests positive.

Tracing apps were touted as a potentially game-changing tool to reduce the spread of COVID-19, but most have been beset with privacy concerns, technical problems or users’ apathy.

Among the most popular apps is the one developed in Germany, which has been downloaded 18 million times in a country of 83 million. So far an estimated 3,700 people in Germany have confirmed in the app that they tested positive, alerting other users they were in close contact with over the previous fortnight that they might have been exposed.

Getting apps to work across borders has posed a headache because of differing national data protection rules and tracing systems in place. But officials say that the large number of people traveling across the EU for work and leisure makes communication across national apps essential.

Operators hope the gateway, consisting of a server located in Luxembourg, will be fully functional next month.

Other countries that use the same decentralized system for their apps — designed to ensure maximum user privacy — will be able to join later. France, which has opted for a system where data is stored centrally, will likely not become part of the network.

UK: Here it comes, that dry cough… Over 18K COVID-19 Patients’ Data Mistakenly Exposed by NHS Trust

Yesterday, September 14, Public Health Wales announced in a web statement that a data breach had occurred on August 30, 2020.

The notice explained that the personal information of 18,105 Welsh residents who had tested positive for COVID-19 had ended up on a public server as the result of human error.

The incident exposed only the initials, date of birth, geographical area and sex of the individuals, the statement explained.

Report: 97% of Cybersecurity Companies Have Leaked Data on the Dark Web

These stats are provided by ImmuniWeb and focus on 398 of the leading cybersecurity companies across 26 countries, you know, the ones that are supposed to help keep us safe. Key findings:

  • 97% of companies have data leaks and other security incidents exposed on the Dark Web.
  • 631,512 verified security incidents were found, with over 25% (or 160,529) of those classed as high or critical risk, containing highly sensitive information such as plaintext credentials or PII, including financial or similar data. Hence, on average, there are 1,586 stolen credentials and other sensitive data exposed per cybersecurity company. Over 1 million unverified incidents (1,027,395) were also discovered during ImmuniWeb’s research, and only 159,462 were estimated as low risk.
  • 29% of stolen passwords are weak, and employees from 162 companies reuse their passwords. The research revealed that 29% of stolen passwords are weak, with fewer than eight characters or without uppercase letters, numbers or other special characters, and that employees from 162 companies (around 40%) reuse identical passwords on different breached systems. This boosts the risk of password re-use attacks by cybercriminals.
  • Professional emails from those cybersecurity companies were used on porn and adult dating sites. Third-party breaches represented a considerable number of the incidents, as ImmuniWeb’s research found 5,121 credentials that had been stolen from hacked porn or adult dating websites.
  • 63% of websites of the cybersecurity companies do not comply with PCI DSS requirements - which means that they use vulnerable or outdated software (including JS libraries and frameworks) or have no Web Application Firewall (WAF) in blocking mode.
  • 48% of the cybersecurity firms’ websites do not comply with GDPR requirements – due to vulnerable software, the absence of a conspicuously visible privacy policy, or a missing cookie disclaimer when cookies contain PII or traceable identifiers.
  • 91 companies themselves had exploitable website security vulnerabilities, 26% of which are still unpatched – this finding came from ImmuniWeb referring to openly available data on the Open Bug Bounty project.

The research was derived using ImmuniWeb’s online Domain Security Test, which combines proprietary OSINT technology enhanced with Machine Learning, to discover and classify Dark Web exposure.
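The two findings above that an organisation can check for itself are the weak-password criteria (fewer than eight characters, or no uppercase letter, digit or special character) and password reuse across different breached sources. The program below is an added example, not ImmuniWeb’s tooling, that applies those criteria to a constructed credential dump and groups the results by company mail domain; the record layout and the sample rows are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// Credential is one exposed record: the corporate e-mail it belongs to, the
// third-party site it leaked from, and the plaintext password.
type Credential struct {
	Email    string
	Source   string
	Password string
}

// Findings summarises exposure for one company, keyed by e-mail domain.
type Findings struct {
	Total          int      // exposed credentials seen for the domain
	Weak           int      // passwords failing the report's strength criteria
	ReusedAccounts []string // accounts using one password on more than one breached source
}

// isWeak applies the criteria quoted in the report: fewer than eight
// characters, or no uppercase letter, digit, or special character.
func isWeak(pw string) bool {
	if len([]rune(pw)) < 8 {
		return true
	}
	var upper, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		case !unicode.IsLetter(r):
			special = true
		}
	}
	return !(upper && digit && special)
}

// domainOf extracts the lower-cased company domain from an e-mail address.
func domainOf(email string) string {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(email[at+1:])
}

// analyse groups credentials by company domain, counts weak passwords and
// flags accounts whose identical password appears in more than one breached
// source (the same password leaking twice from one site is not reuse).
func analyse(creds []Credential) map[string]*Findings {
	out := map[string]*Findings{}
	seen := map[string]map[string]map[string]bool{} // account -> password -> sources
	for _, c := range creds {
		d := domainOf(c.Email)
		if d == "" {
			continue
		}
		if out[d] == nil {
			out[d] = &Findings{}
		}
		out[d].Total++
		if isWeak(c.Password) {
			out[d].Weak++
		}
		acct := strings.ToLower(c.Email)
		if seen[acct] == nil {
			seen[acct] = map[string]map[string]bool{}
		}
		if seen[acct][c.Password] == nil {
			seen[acct][c.Password] = map[string]bool{}
		}
		seen[acct][c.Password][c.Source] = true
	}
	for acct, pws := range seen {
		for _, sources := range pws {
			if len(sources) > 1 {
				f := out[domainOf(acct)]
				f.ReusedAccounts = append(f.ReusedAccounts, acct)
				break
			}
		}
	}
	for _, f := range out {
		sort.Strings(f.ReusedAccounts)
	}
	return out
}

// sampleDump is constructed test data for this example, not from the report.
var sampleDump = []Credential{
	{"alice@acme.example", "dating-site-a", "Winter2020!"},
	{"alice@acme.example", "forum-b", "Winter2020!"},
	{"bob@acme.example", "forum-b", "password"},
	{"carol@globex.example", "shop-c", "Tr0ub4dor&3"},
	{"carol@globex.example", "shop-c", "Tr0ub4dor&3"},
	{"dave@globex.example", "shop-c", "Ab1!"},
}

func main() {
	for d, f := range analyse(sampleDump) {
		fmt.Printf("%s: %d exposed, %d weak, reuse: %v\n", d, f.Total, f.Weak, f.ReusedAccounts)
	}
}
```

On the sample data acme.example shows one weak password and one reused account (alice, same password leaked from two sources), while globex.example shows one weak password and no reuse, because carol’s duplicate rows come from a single source.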

FBI and CISA on vulnerability exploitation

FBI and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday shared detail of vulnerability exploitation for the following:

  • Microsoft Exchange Server (CVE-2020-0688)
  • the F5 Big-IP remote takeover vulnerability (CVE-2020-5902)
  • Pulse Secure’s VPN’s remote code flaw (CVE-2019-11510)
  • the Citrix VPN directory traversal hole (CVE-2019-19781).

All have patches but not all publicly facing implementations have been patched.

Examination of network probing …points to nation states looking for corporate points of entry. Hackers “frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft.”

The advice given is again, to keep the patching up to date!

UK: Vulnerability discovery and remediation is coming into sharper focus with the UK’s National Cyber Security Centre releasing a Vulnerability Reporting Toolkit to help.

“The toolkit is deliberately easy to implement, so you can adopt it at short notice. Even if you already have a process in place, please take a look at the toolkit as it may help you to improve on what you’ve already set up.”

As the first edition of the toolkit, the current iteration is designed to cover just the basics and is distributed as a .pdf. However, over time it will be adapted to include details on how to build an internal process that can triage and fully manage a vulnerability disclosure. Well done!

US: Veterans Affairs Office discloses a breach containing data of 46K veterans.

According to this press release, the VA’s Financial Services Center (FSC) discovered that unauthorized actors had accessed one of its online applications for the purpose of diverting payments to community providers of health care services for veterans.

Upon discovery, the FSC took its application offline and notified the VA’s Privacy Office about the security incident.

The Privacy Office subsequently launched an investigation into the data breach. This effort revealed that those unauthorized actors had acquired access to the FSC’s online application by using social engineering techniques and by exploiting authentication protocols.

VA officials noted that they would not restore system access until the Office of Information Technology had completed a review of the Department’s security measures, and that they would begin notifying victims immediately.

Largest Ever Magecart Campaign Hits 2,000 E-Stores

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming. Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”

Sansec’s Threat Research Team warned that the 1904 Magecart attacks it detected targeted e-stores running the now out-of-date Magento version 1. A total of 10 stores were infected on Friday, followed by 1058 on Saturday, 603 on Sunday and 233 on Monday, it said.

The security firm estimates that tens of thousands of customers unwittingly had their payment details stolen over the weekend in the attacks.

Sansec suggested that, as many of the sites had no previous history of security incidents, the attackers may have found a new way to compromise their servers — potentially exploiting a zero-day in Magento 1 that was advertised online.

The firm warned that, if this is the case, 95,000 stores could also be exposed to the exploit, as they’re running Magento 1 and no more patches are being produced by developer Adobe.

Chinese Open Source Data Collection, Big Data, And Private Enterprise Work For State Intelligence and Security: The Case of Shenzhen Zhenhua

Christopher Balding and Robert Potter: In a paper published Sunday, an associate professor from the Fulbright University Vietnam reveals the discovery of a 2.4-million-person database maintained by Shenzhen Zhenhua, where 10 to 20% of the data does not appear to have come from public sources. The authors make no claims as to how this data was collected but do state “A fundamental purpose appears to be information warfare.”

They also state that the collected and very detailed information is from individuals “around the world from sectors China deems as targets for a variety of purposes ranging from political influence to intellectual property targeting. The data appears used to support Chinese intelligence, military, security, and state operations in information warfare and influence targeting. The data covers a broad array of public and non-public data with classifications and rankings on individuals and institutions designed to assist Chinese analysts. The company also provides big data analytics as well as other functionality to support Chinese military and intelligence analysts. Individuals and institutions in open liberal democracies need greater understanding and privacy rights based upon the asymmetric information warfare being undertaken by the Chinese Communist Party and state security intelligence.”

Let the games begin.

New Windows Exploit: An “insane” bug with “huge impact”.

Dan Goodin: This one hit the press big time yesterday. Called CVE-2020-1472, it carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System (the highest you can get). “The attack basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log in to a network. People with no authentication can use the exploit to gain domain administrative credentials, as long as the attackers have the ability to establish TCP connections with a vulnerable domain controller.

The vulnerability stems from the Windows implementation of AES-CFB8, that is, the AES block cipher used in 8-bit cipher feedback mode to encrypt and validate authentication messages as they traverse the internal network.

For AES-CFB8 to work properly, so-called initialization vectors must be unique and randomly generated with each message. Windows failed to observe this requirement. Zerologon exploits this omission by sending Netlogon messages that include zeros in various carefully chosen fields.

Apparently Microsoft patched this vulnerability in August, but the deployment of those patches has been slow…
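To show why the missing IV requirement matters, the following is an added example written for this digest, not code from Microsoft, Secura or Ars Technica. It implements AES-CFB8 on top of Go’s standard library and measures what the text describes: with an all-zero IV, an all-zero plaintext encrypts to an all-zero ciphertext for roughly one key in 256, whatever the key, because the first byte of AES_k(0) is 0 with that probability and a zero ciphertext byte leaves the shift register all zeros. The function names and the sample message are this example’s own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

const blockSize = 16 // AES block size in bytes

// cfb8Encrypt is AES in 8-bit cipher feedback mode: each plaintext byte is
// XORed with the first byte of AES_k(register), and the resulting ciphertext
// byte is shifted into the 16-byte register from the right. The register
// starts as the IV, which is why a fixed all-zero IV is dangerous.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	return cfb8(key, iv, plaintext, true)
}

// cfb8Decrypt is the inverse; the register is fed ciphertext bytes.
func cfb8Decrypt(key, iv, ciphertext []byte) ([]byte, error) {
	return cfb8(key, iv, ciphertext, false)
}

func cfb8(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != blockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", blockSize, len(iv))
	}
	reg := make([]byte, blockSize)
	copy(reg, iv)
	ks := make([]byte, blockSize)
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(ks, reg)
		out[i] = ks[0] ^ b
		copy(reg, reg[1:]) // shift the register one byte to the left
		if encrypt {
			reg[blockSize-1] = out[i] // feed back the ciphertext byte
		} else {
			reg[blockSize-1] = b // the input already is the ciphertext byte
		}
	}
	return out, nil
}

// firstKeystreamByteIsZero reports whether AES_k(0^16)[0] == 0. With an
// all-zero IV and all-zero plaintext this is exactly the condition for an
// all-zero ciphertext: the first ciphertext byte is then 0, the register is
// still all zeros after the shift, and every later byte repeats the same step.
func firstKeystreamByteIsZero(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ks := make([]byte, blockSize)
	block.Encrypt(ks, make([]byte, blockSize))
	return ks[0] == 0, nil
}

// zeroIVZeroCiphertext encrypts n zero bytes under an all-zero IV and reports
// whether the ciphertext comes out as all zeros.
func zeroIVZeroCiphertext(key []byte, n int) (bool, error) {
	ct, err := cfb8Encrypt(key, make([]byte, blockSize), make([]byte, n))
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct, make([]byte, n)), nil
}

// randomBytes draws n bytes from the OS CSPRNG. randomIV is the fresh
// per-message IV that CFB8 requires and that the text says Windows omitted.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

func randomIV() ([]byte, error) { return randomBytes(blockSize) }

// countZeroCiphertextKeys draws random AES-128 keys and counts how many map an
// all-zero plaintext to an all-zero ciphertext under a zero IV. For a good
// block cipher that is about 1 key in 256, so expect roughly trials/256.
func countZeroCiphertextKeys(trials int) (int, error) {
	hits := 0
	for i := 0; i < trials; i++ {
		key, err := randomBytes(16)
		if err != nil {
			return 0, err
		}
		hit, err := zeroIVZeroCiphertext(key, 8)
		if err != nil {
			return 0, err
		}
		if hit {
			hits++
		}
	}
	return hits, nil
}

func main() {
	hits, err := countZeroCiphertextKeys(25600)
	if err != nil {
		panic(err)
	}
	fmt.Printf("zero IV + zero plaintext gave zero ciphertext for %d of 25600 keys (expect about 100)\n", hits)
}
```

The defensive point is that the count is not a property of any particular key: with a fixed IV an attacker who controls the plaintext can aim for a fixed ciphertext and simply retry, while with a fresh random IV per message (randomIV above) the outcome of each attempt depends on a value the attacker neither chooses nor sees.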

Android 11 system update from Google adds privacy controls

By Leo Kelion: New privacy controls and a screen-recording tool are among features being added to Android phones in the latest major update to Google’s mobile operating system (OS).

Android 11 also makes it easier to keep track of chat messages across multiple apps, and control smart home gadgets.

Google has made efforts to encourage third-party device manufacturers to roll out its system updates more quickly than they used to.

But some brands lag behind others.

The tech giant has said that in addition to its own Pixel brand, the following firms would be the first to offer downloads of Android 11:

  1. OnePlus
  2. Xiaomi
  3. Oppo
  4. RealMe
    (Nokia has also tended to be an early adopter, while Samsung, Huawei and LG typically take a little longer to adapt new features to their own user interfaces.)

In any case, one expert said the fact that Google had detached app and security updates from its major system releases a while back meant delays were now less of an issue than they had once been.

“There’s a lot of features that drip into Android phones across the year via app updates, which happen independently of the manufacturers,” explained Chris Hall from the tech review site Pocket-lint.

“That contrasts with Apple’s iOS, where iPhone users wait for a big dump of features to happen all at once.”

Users can now control smart home gadgets from different brands via a single screen rather than multiple apps. Even so, Mr Hall acknowledged that some of the privacy changes could prove timely. They include:

  • the ability to give apps single-use - rather than perpetual - access to a device’s microphones, cameras and location
  • a permissions auto-reset function that retracts apps’ access to such functions if they have not been launched for a few months
  • limiting apps to launching the phone’s built-in camera app rather than a third-party alternative. This has been done to close a loophole that allowed some developers to harvest location data without the user’s say-so.

“People often grant permissions without realizing what they are doing as they just click on an option to accept all features, allowing an app to go off and do what it wants,” commented Mr Hall. “So building in one-time permissions is actually quite a big deal, especially after some high-profile cases of microphones and cameras being accessed without users realizing what was going on.”

And, lastly, the update should also allow all smartphones running it to connect via wi-fi to car entertainment systems powered by Android Auto.

Until now only Pixel and Samsung phones could do this, meaning users of other brands had needed to resort to a USB cable if they wanted to stream music, have chat messages read aloud via the vehicle’s speakers or get real-time alerts on their navigation display.

US: TikTok Rejects Microsoft Offer, Oracle Sole Remaining Bidder

The Wall Street Journal and The New York Times report that Oracle has won the bidding war, citing people familiar with the deal, although the company did not immediately confirm that to AFP.

But two Chinese state media outlets – CGTN and China News Service – said Monday that ByteDance will not sell TikTok to Oracle either, citing unnamed sources.

Microsoft had indicated at the beginning of August that it was interested in acquiring TikTok’s US operations, but announced Sunday that bid had been rejected.

“ByteDance let us know today they would not be selling TikTok’s US operations to Microsoft,” it said in a statement.

A deal with Microsoft could also have included Walmart, which joined forces with the tech giant during negotiations.

Ives said that even with Microsoft out of the picture, “while Oracle is technically the remaining bidder, without a willingness to sell its core algorithm we see no TikTok sale on the horizon.”

“Given the need now to get a green light from Beijing after its export rules were changed a few weeks ago, TikTok’s days in the US likely are numbered with a shutdown now the next step.”

Warning issued about dangerous new TikTok Pro app

Don’t install it.

Security researchers have now issued a warning about a dangerous new TikTok Pro app that is targeting Android users.

TikTok Pro is a fake app with highly malicious intent: it can capture photos, read and send text messages, make calls and even steal passwords.

Misconfigured Database Leaks 370 Million Dating Site Records

With dating site use skyrocketing during the pandemic it’s only to be expected that someone would set the database to open, light it up on a public facing interface, and walk away.

So it was that vpnMentor stumbled across Mailfire’s 882 GB Elasticsearch database, comprising data from over 70 dating websites. Although the DB held only 4 days of records, they included full names, ages and dates of birth, gender, email addresses, locations, IP addresses and profile pics, as well as potentially embarrassing conversations between dating site users in 100 countries.

Reading through some of the data, a large number of the dating websites appeared to themselves be scams, with false photos and misleading billing statements.

Love is never easy.

US: As Election Day Nears, Kremlin Leans on Hackers-for-Hire

Jack Monahan: Beyond the “big four” (Russia, China, Iran, North Korea), nations in the Middle East, Asia and South America are showing evidence that hacker-for-hire groups are on the rise.

With a little over fifty days until election day, the U.S. Department of Justice (DOJ) on Thursday charged Artem Mikhaylovich Lifshits, a Russian national, for his alleged role in a conspiracy to use the stolen identities of U.S. persons to open fraudulent accounts at banking and cryptocurrency exchanges.

US: Why online voting is harder than online banking

Tim Lee: Every electronic transaction in the conventional banking system is tied to a specific sender and recipient who can confirm that a transaction is valid or raise the alarm if it isn’t. Banks count on customers to periodically review their transactions—either online or in paper statements—and notify the bank if fraudulent transactions occur.

By contrast, elections are supposed to be secret. In-person elections don’t just allow voters to cast a secret ballot, they typically require them to do so. Mandatory secrecy insulates voters from coercion.

Banks’ security efforts are also aided by the fact that people hacking financial networks are typically trying to divert stolen funds to themselves. Often banks can “follow the money” to figure out who was responsible for a particular hack, recovering the stolen funds and deterring others from trying a similar attack. Bank hacking is also of little interest to foreign governments, most of which have plenty of money.

Election hacking is different. We talk metaphorically about people “stealing” votes, but someone hacking an election isn’t trying to directly profit from their hack. This means that the authorities can’t follow the money to identify suspects.

When fraudulent transactions are flagged after the fact, banks automatically credit lost funds back to customers. They try to identify the culprits and make them pay, but if that’s not possible, banks absorb the losses themselves.

This approach is totally unworkable for voting. Voting officials can’t issue voters after-the-fact credits for their stolen votes the way banks do for stolen funds. An election needs to produce a definitive result that is quickly and widely accepted as legitimate. Even a small number of fraudulent votes could flip the results of an election and destroy public confidence in the voting process. Major elections, including the US presidency, have been decided by a few hundred votes out of millions cast.

So a voting infrastructure needs to be a lot more secure than our online banking infrastructure.

Researcher kept a major Bitcoin bug secret for two years to prevent attacks

Catalin Cimpanu for Zero Day: In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.

INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server’s memory resources, which would eventually crash impacted systems.

“At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges,” Fuller said in a paper [PDF] published on Wednesday.

Furthermore, INVDoS affected more than just nodes (servers) running the Bitcoin Core software: Bitcoin nodes running Bcoin and Btcd were hit by the same bug.

Other cryptocurrencies that were built on the original Bitcoin protocol were also impacted, such as Litecoin and Namecoin.

The INVDoS bug was reported to all the responsible parties and patched, at the time, under the generic identifier of CVE-2018-17145, which didn’t include that many details, so as not to tip off attackers.

Full details about the entire INVDoS vulnerability were published last week, so other cryptocurrencies that forked older versions of the Bitcoin protocols should check and see if they were impacted as well.

“There has not been a known exploitation of this vulnerability in the wild. Well, not as far as we know.”

Eterbase admits its systems were compromised with funds said to be worth $5.4m taken by hackers.

“We want to inform our users that we have enough capital to meet all our obligations. At the same time, we want to reassure everyone that this event won’t stop our journey. After the security audit of renowned global companies, our operations will continue. We will announce the date of the re-opening of the ETERBASE Exchange platform as soon as possible.
Best regards, ETERBASE Team”

SC: Development Bank of Seychelles Hit by Ransomware

Established in 1977, Development Bank of Seychelles is majority owned by the government of Seychelles, but it does not depend on the state budget and operates on a commercial basis.

“Since September 9 2020, Central Bank of Seychelles has been engaging with Development Bank of Seychelles to establish the exact nature and circumstances of the ransomware incident and closely monitor the developments, including the possible impact on the Development Bank of Seychelles’ operations,” the bank said in a Friday announcement.

The bank has yet to reveal whether customer data was compromised in the incident.

Many of the ransomware attacks over the past couple of years, however, did result in sensitive data being stolen, to entice victim companies into paying the ransom.

US: School’s out for ransomware

Iain Thomson for The Register: Students in Hartford, Connecticut, got an extra day of holiday after the school system was taken down by ransomware.

The malware borked key logistics systems on Tuesday in the US city. Hartford Mayor Luke Bronin said the infection was “significantly limited” due to computer security systems installed last year. Schools were back up and running the following day, though we’re sure students appreciated their digital snow day.

UK: Travel Sites Riddled with Hundreds of Vulnerabilities

Phil Muncaster: UK-based consumer rights group Which? and tech consultancy 6point6 studied 98 travel sector companies, probing websites, subdomains, employee portals and other web properties with lawful online tools.

They found Marriott-owned websites were riddled with 497 bugs including over 100 assessed to be “high” (96) or “critical” (18). Some of these could have allowed an attacker to target users and their data, Which? said.

“We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had ‘no reason to believe’ that its customer systems or data had been compromised,” Which? explained.

Marriott is facing a large fine from regulator the Information Commissioner’s Office (ICO) after last year revealing a historic breach of 339 million customers’ data.

Airline easyJet, which this year revealed a breach affecting nine million customers, was found to have 222 vulnerabilities across nine web domains, including one critical bug that could allow an attacker to hijack users’ browsing sessions.

The firm apparently took three domains offline and remediated the disclosed vulnerabilities on the other six sites.

British Airways was found to have 115 vulnerabilities on its websites including 12 judged to be critical. Although most of the issues identified were thought to be related to running old versions of software, the carrier gave no indication in its response to Which? that they would be updated.

BA famously exposed the details of around 500,000 customers to Magecart attackers last year, in an incident which could also land it a major fine from the ICO.

Elsewhere there were 291 potential vulnerabilities found at American Airlines, and a critical vulnerability at Lastminute(dot)com which could allow attackers to create fake log-in accounts.

“Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cyber-criminals,” argued Which? Travel editor, Rory Boland.

Stay updated, stay patched, stay safe and secure and we’ll be back with more next week!
