Privacy and Security related news for the week ending 2020 09 22

DAML’ers, this week we start underground in a Tesla and end with a boat crash, but what you find in between those two modes of transport is crazy interesting.

We have a cautionary tale involving an Australian Prime minister, Fuzzing as a Service, a leaky elastic Microsoft Bing search server, a snowflake, a credit card, and Russia putting the clamp on secure protocols.

There’s no better way to get your Privacy and Security updates than here with your fellow DAML’ers, so have a seat, buckle up and enjoy the journey!

Read the article or download the podcast

…and now our first story:

US: Elon Musk’s Tunnel Under Las Vegas for Self-Driving Cars Is Almost Complete

By Sissi Cao: For most of 2020, Elon Musk has dominated news headlines for SpaceX rocket launches and Tesla’s wild stock movements, so much so that it’s easy to forget that another Musk-owned transportation venture, The Boring Company, has also been making rapid progress.

On Tuesday, Musk announced on Twitter that, after a full year in the making, The Boring Company’s first operational “loop tunnel” in Las Vegas is “almost done.”

The young company operated as a subsidiary of SpaceX in its early days and had a hard time attracting venture capital. Not long ago, it was trying to raise money by selling baseball caps and $500 flamethrowers.

“Tunnels under cities with self-driving electric cars will feel like warp drive,” the entrepreneur described the future in a tweet.

The Boring Company built a test tunnel in 2018 near its headquarters in Hawthorne, California. A year later, it landed a commercial contract in Las Vegas to build a loop tunnel system for public use. According to The Boring Company’s proposal, the final system will be able to shuttle passengers in self-driving Tesla cars between any two destinations in Sin City within minutes.

Security? Elon tweeted last week that the Vegas tunnel “Doubles as an underground nuclear shelter.”

AU: Do not get arrested challenge 2020: When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number.

tl;dr
Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online; keep it as secret as your passport.

Alex Hope: The boarding pass photo. This particular former PM had just posted a picture of his boarding pass on Instagram. Yes, pictures of boarding passes can indeed be used for crimes. The part you wanna be looking at for all your criming needs is the barcode, because it’s got the “Booking Reference” (e.g. H8JA2A) in it.

Why do you want the booking reference? It’s one of the two things you need to log in to the airline website to manage your flight.

The second one is your… last name. I was really hoping the second one would be like a password or something. But, no, it’s the booking reference the airline emails you and prints on your boarding pass. And it also lets you log in to the airline website. Oh and the Booking Reference is just… printed on the baggage receipt.

I went to, and clicked “Manage Booking”. In case you don’t know it because you live in a country with fast internet, Qantas is the main airline here in Australia. By right clicking and selecting “Inspect Element” I could see the former PM’s passport number. Further I could read Qantas flight staff talking to each other via this passenger information field. Why do they send these messages, and your passport number to you when you log in to their website?

Additionally you may find these codes, with corresponding detail:

  • RFTV Reason for Travel
  • UMNR Unaccompanied minor
  • PDCO Carbon Offset (chargeable)
  • WEAP Weapon
  • DEPA Deportee—accompanied by an escort
  • ESAN Passenger with Emotional Support Animal in Cabin
  • CTCM Passenger’s telephone number.

What have I done? I’d now found Tony Abbott’s: passport details, phone number, Qantas staff comments. (At this point the author is terrified.)

Part 2: The author did publish the post, and did not get arrested, but only after approaching countless legal aid offices, filing a report with the ASD (Australian Signals Directorate), notifying Qantas (who replied five months later), and trying to tell Tony Abbott’s staff that perhaps a new passport number was in order.

Part 3: Tony Abbott rings Alex up. “He wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about ‘the IT’.”

Then he said it:

“You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”

When I asked Tony Abbott for permission to publish the post, he said “well look Alex, I don’t have a problem with it, you’ve alerted me to something I probably should have known about, so if you wanna do that, go for it”.

At the end of the call, he said “If there’s ever anything you think I need to know, give us a shout”.

Look you gotta hand it to him. That’s exactly the right way to respond when someone tells you about a security problem.

In closing. Why is it bad for someone else to have your passport number?
A passport is a government-issued ID. It’s how you prove you are you. With your passport number, someone could:

  • Book an international flight as you.
  • Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check
  • Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)
  • Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)
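To see how little a boarding pass barcode actually hides, here is an added example (mine, not code from Alex Hope’s post, Qantas or any airline) that decodes the fixed-width header of an IATA Bar Coded Boarding Pass (BCBP) payload, the format behind the 2D barcode on most boarding passes. The layout follows IATA’s published BCBP field widths; the sample payload is constructed for a fictitious passenger and reuses the example reference H8JA2A quoted above. There is no key and no secret anywhere in the barcode: surname and booking reference, the two things the airline’s Manage Booking page asks for, are sitting in it in plain text.

```python
from typing import Dict, List, Tuple

# Fixed-width fields of the mandatory BCBP header for the first flight leg
# (layout per IATA Resolution 792 / BCBP implementation guide). Widths in characters.
BCBP_FIELDS: List[Tuple[str, int]] = [
    ("format_code", 1),        # "M"
    ("legs", 1),               # number of legs encoded
    ("passenger_name", 20),    # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),  # "E"
    ("pnr", 7),                # booking reference (record locator)
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),        # day of year
    ("compartment", 1),
    ("seat", 4),
    ("sequence", 5),           # check-in sequence number
    ("passenger_status", 1),
    ("conditional_size", 2),   # hex length of the variable block that follows
]
HEADER_LEN = sum(width for _, width in BCBP_FIELDS)   # 60


def build_bcbp(values: Dict[str, str]) -> str:
    """Space-pad each field to its width; used only to construct the sample below."""
    out = []
    for name, width in BCBP_FIELDS:
        v = values.get(name, "")
        if len(v) > width:
            raise ValueError(f"{name} longer than {width} characters")
        out.append(v.ljust(width))
    return "".join(out)


def parse_bcbp(payload: str) -> Dict[str, str]:
    """Decode the header exactly as any barcode scanner app would: no key, no secret."""
    if len(payload) < HEADER_LEN or payload[0] != "M":
        raise ValueError("not a BCBP payload")
    rec, pos = {}, 0
    for name, width in BCBP_FIELDS:
        rec[name] = payload[pos:pos + width].strip()
        pos += width
    cond_len = int(rec["conditional_size"] or "0", 16)
    rec["conditional_data"] = payload[pos:pos + cond_len]
    return rec


def manage_booking_credentials(payload: str) -> Tuple[str, str]:
    """The two things the airline site asks for: surname and booking reference."""
    rec = parse_bcbp(payload)
    surname = rec["passenger_name"].split("/", 1)[0]
    return surname, rec["pnr"]


# Constructed sample: fictitious passenger; H8JA2A is the example reference quoted above.
SAMPLE_BCBP = build_bcbp({
    "format_code": "M", "legs": "1", "passenger_name": "CITIZEN/JANE",
    "eticket_indicator": "E", "pnr": "H8JA2A", "from_airport": "SYD",
    "to_airport": "MEL", "carrier": "QF", "flight_number": "0401",
    "julian_date": "265", "compartment": "Y", "seat": "012C",
    "sequence": "0015", "passenger_status": "1", "conditional_size": "00",
})

if __name__ == "__main__":
    print(SAMPLE_BCBP)
    print(manage_booking_credentials(SAMPLE_BCBP))
```

Point a phone barcode app at a real boarding pass and you get the same string; the passport number in the story came not from the barcode but from what the airline’s website then handed back to anyone holding that surname and reference.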

OneFuzz FaaS (Fuzzing as a Service)

Project OneFuzz enables continuous developer-driven fuzzing to proactively harden software prior to release.

With a single command, which can be baked into CI/CD, developers can launch fuzz jobs on anything from a few virtual machines to thousands of cores.

A new initiative from Microsoft; more detail can be found at github.com/microsoft/onefuzz.

Unsecured Microsoft Bing Server Exposed Users’ Search Queries and Location

Ravie Lakshmanan for the Hacker News: A back-end server associated with Microsoft Bing exposed sensitive data of the search engine’s mobile application users, including search queries, device details, and GPS coordinates, among others.

The data leak, discovered by Ata Hakcil of WizCase on September 12, is a massive 6.5TB cache of log files that was left for anyone to access without any password, potentially allowing cybercriminals to leverage the information for carrying out extortion and phishing scams.

“We saw records of people searching from more than 70 countries.” Aside from device and location details, the data also included the exact time each search was performed from the mobile app, a partial list of the URLs the user visited from the search results, and three unique identifiers: ADID (a numeric ID assigned by Microsoft Advertising to an ad), “deviceID” and “devicehash”. Although the logging database holds no names or addresses, it would be easy enough to work out a person’s identity from the other details exposed.

The misconfiguration was addressed by Microsoft on 16 September 2020.
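The usual way a log store ends up as a public download is two lines in its configuration: the service bound to every interface, and authentication left off. As an added example (mine, not Microsoft’s or WizCase’s, and not any real server’s configuration), the script below audits an elasticsearch.yml for exactly that pair and shows the weak file beside a corrected one. It assumes the file is flat `key: value` lines (real deployments may need a proper YAML parser), that an unset `network.host` means loopback only (`_local_`, the Elasticsearch default), and that an unset `xpack.security.enabled` means off, which was the default on a basic licence before Elasticsearch 8.0.

```python
from typing import Dict, List

LOOPBACK_HOSTS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read 'key: value' lines; elasticsearch.yml is normally flat enough for this.
    Assumption: no nested blocks or lists (a real audit would use a YAML parser)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch_config(text: str) -> List[str]:
    """Findings for the two mistakes that turn a log cluster into a public download."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    host = s.get("network.host", "_local_")           # unset binds loopback only
    exposed = host not in LOOPBACK_HOSTS
    # Before Elasticsearch 8.0 xpack.security.enabled defaulted to false on a basic
    # licence, so a missing line means "no authentication at all".
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if exposed and not auth_on:
        findings.append(
            f"network.host={host} with xpack.security.enabled=false: every index "
            "(logs included) is readable by anyone who can reach port 9200")
    if exposed and auth_on and not tls_on:
        findings.append(
            "authentication enabled but HTTP TLS off: credentials and data travel in clear")
    return findings


# Constructed sample configurations, weak and corrected.
WEAK_CONFIG = """
cluster.name: search-logs
network.host: 0.0.0.0           # listen on every interface
http.port: 9200
xpack.security.enabled: false   # the line that makes the cluster a public download
"""

HARDENED_CONFIG = """
cluster.name: search-logs
network.host: 10.0.0.12          # internal interface only; still firewall it
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch_config(cfg) or ["no findings"])
```

A config check like this catches the misconfiguration before deployment; it says nothing about what is in the indices. A 6.5 TB cache of search queries with GPS coordinates is also a retention problem: data that is never kept cannot leak.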

Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI

By Catalin Cimpanu for Zero Day: The Russian government is working on updating its technology laws so it can ban the use of modern internet protocols that can hinder its surveillance and censorship capabilities.

According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI.

Moscow officials aren’t looking to ban HTTPS and encrypted communications as a whole, as these are essential to modern-day financial transactions, communications, military, and critical infrastructure.

Instead, the government wants to ban the use of internet protocols that hide “the name (identifier) of a web page” inside HTTPS traffic.

With TLS 1.3, DoH, DoT and ESNI gaining adoption, Russia’s current surveillance and censorship tools would be blinded, because they rely on website identifiers that leak from otherwise encrypted traffic: the plaintext DNS lookup, the cleartext server name (SNI) in the TLS ClientHello and, in TLS 1.2, the server certificate sent in the clear. DoH and DoT encrypt the DNS lookup, TLS 1.3 encrypts the certificate, and ESNI hides the SNI.

And just like China, Russia is cracking down on these new technologies. According to the proposed law amendment, any company or website that uses technology to hide its website identifier in encrypted traffic will be banned inside Russia after a one-day warning.
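To make “the name (identifier) of a web page inside HTTPS traffic” concrete: the hostname travels in the server_name extension of the TLS ClientHello, which is plaintext in TLS 1.2 and TLS 1.3 alike, and ESNI (since reworked as Encrypted Client Hello) is what takes it out of the clear. The added example below is mine, not code from the article or any censorship system. It builds a minimal TLS 1.3 ClientHello and then extracts the SNI the way a passive inspection box would. Assumptions: the ESNI variant simply omits server_name and carries placeholder bytes under the draft’s provisional extension number 0xffce (the real extension carries a key share, cipher suite and ciphertext); cipher suite and extension lists are cut down to the minimum.

```python
import os
import struct
from typing import List, Optional, Tuple

SERVER_NAME_EXT = 0x0000          # server_name, RFC 6066
SUPPORTED_VERSIONS_EXT = 0x002b   # supported_versions, RFC 8446
ESNI_DRAFT_EXT = 0xffce           # encrypted_server_name, draft-ietf-tls-esni (pre-ECH)


def build_client_hello(hostname: Optional[str], esni_blob: Optional[bytes] = None) -> bytes:
    """Minimal TLS 1.3 ClientHello inside a TLS record; only what a DPI box looks at."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list
    if esni_blob is not None:
        # Placeholder payload: a real ESNI extension is key share + suite + ciphertext.
        exts += struct.pack("!HH", ESNI_DRAFT_EXT, len(esni_blob)) + esni_blob
    versions = b"\x02\x03\x04"                                        # one entry: TLS 1.3
    exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(versions)) + versions
    body = (b"\x03\x03" + os.urandom(32)             # legacy_version, random
            + b"\x00"                                 # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                             # legacy_compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Tuple[Optional[str], List[int]]:
    """What a passive observer recovers from the first bytes of a TLS connection:
    the hostname (if server_name is present) and the list of extension types."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hs = record[5:]
    pos = 4 + 2 + 32                                  # handshake header, version, random
    pos += 1 + hs[pos]                                # legacy_session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                # legacy_compression_methods
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    hostname, seen = None, []
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        seen.append(etype)
        if etype == SERVER_NAME_EXT:
            q = 2                                     # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:                        # host_name
                    hostname = data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
    return hostname, seen


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))
    print(extract_sni(build_client_hello(None, esni_blob=bytes(16))))
```

The first call returns the hostname from a TLS 1.3 handshake, which is why TLS 1.3 alone does not defeat SNI-based filtering; the second returns no hostname and an unknown extension type, which is precisely the condition the proposed amendment would treat as a banned “hidden identifier”.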

HackerOne Paid Out Over $107 Million in Bug Bounties

Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million.

Based in San Francisco, the company started paying hackers in October 2013, and has received reports for over 181,000 valid vulnerabilities to date. Last year alone, the platform says 37,259 vulnerability reports were resolved.

HackerOne says it currently has more than 830,000 registered vulnerability hunters from 226 countries and territories, and that nine of them have earned more than $1 million on the platform.

A Billion Devices Are Vulnerable to Yet Another Bluetooth Flaw

Wired: Researchers have disclosed what they call a Bluetooth Low Energy Spoofing Attack (BLESA), which targets the protocol’s reconnection process rather than the more commonly studied pairing vulnerabilities.

With BLESA, the Purdue University team found that it could send spoofed data to a vulnerable device, causing various shenanigans. Windows devices aren’t affected, and Apple has patched the flaw, but the researchers said that Android and many IoT devices were still susceptible as of June.

Given the prevalence of Bluetooth Low Energy devices, the researchers estimate that billions may be impacted. It’s yet another security concern for Bluetooth, whose complexity has made it increasingly harder to secure.

And in case you missed it. GitHub to replace ‘master’ with ‘main’ starting next month

All new Git repositories on GitHub will be named “main” instead of “master” starting October 1, 2020.

Existing repositories that have “master” set as the default branch will be left as is.

“For existing repositories, renaming the default branch today causes a set of challenges,” GitHub explained in a support page published earlier this month, such as having to edit settings for pull requests and modifying security policies.

“By the end of the year, we’ll make it seamless for existing repositories to rename their default branch,” GitHub said.

The company’s move is part of a bigger trend in the tech community.

After the brutal death of George Floyd and the Black Lives Matter protests earlier this year, tech companies wanted to show their support for the black community by abandoning non-inclusive terms such as master, slave, blacklist, and whitelist.

Companies and major open source projects like Microsoft, IBM, Twitter, Red Hat, MySQL, the Linux kernel, and OpenBSD have agreed to make changes to their technical jargon.

US: Study: Credit Card Fraud Up by 104% Over 2019

Greg Mahnken for LegalReader: According to the FTC’s annual Consumer Sentinel Network report, credit card fraud is one of the fastest-growing types of identity theft.

From Q1 2019 to Q1 2020, reports of credit card fraud rose by a staggering 104%. To put that spike in perspective, from 2017 to 2019 reports grew by only 27%.

New Concept? X1 Card is a credit card based on your income, not your credit score

Romain Dillet for TechCrunch: “The consumer credit card industry has been almost untouched by tech and has relied on the archaic credit score system. Max [Levchin], David [Sacks] and I have similar scores — that makes no sense!” co-founder Deepak Rao told me. “We reimagined the credit card from the ground up to have smarter limits, intelligent features, modern rewards and a new look.”

The card is a stainless steel Visa card that works with Apple Pay and Google Pay. It helps you track your subscriptions in different ways. First, you can cancel your subscription payments from the app. If you’re trying out a new service and they require you to enter your credit card information to start a free trial, you can also generate an auto-expiring virtual credit card.

If you get a refund, X1 Card sends you a notification. You can also attach receipts to your transaction in the app. Which can help with the bookkeeping at the end of the year.

Depending on your creditworthiness, you may get a variable APR of 12.9 to 19.9% and a balance transfer fee of 2%. There’s no annual fee, and X1 Card doesn’t charge any late fee or foreign transaction fee.

Behind the scenes, X1 Card is built by Thrive, the company that created ThriveCash, a loan platform that lets you get a credit line based on offer letters for an upcoming summer internship or your first full-time job after college.

So is this the first real disruptor to the current credit scoring system? Time will tell, but unlike so many cards that have dropped the option of virtual credit card numbers, these guys still support it. And did we mention it is stainless steel?

It’s Official: Snowflake is largest software IPO (Initial Public Offering) ever

Snowflake, a Silicon Valley cloud data warehousing company, raised US$3.4B last Tuesday, in the largest software IPO ever.

Snowflake loses money, but got a big credibility boost when Warren Buffett’s Berkshire Hathaway agreed to invest $500 million concurrent with the IPO. Buffett typically stays well clear of IPOs.

Initially valued at US$44B (or about $120/share), the shares opened at $245 each or more than double the IPO valuation. A large number of tech stocks fell as investors sold off other tech names in the rush to buy Snowflake!

US: DoJ Unseals a Flurry of Indictments Against Iranian Hackers

Wired: The Department of Justice this week released not one, not two, but three indictments against alleged Iranian hackers.

The actual activity detailed in the charges doesn’t come as much of a surprise; it’s a lot of the usual spear-phishing and intelligence gathering, with some website defacement thrown in for good measure.

The suspects haven’t been apprehended, and may not ever be given that they’re in Iran. But the DoJ has filed charges with increasing frequency in recent years, hoping to deter them by limiting their travel and exposing their techniques.

DE: Maze suspected in German ransomware attack that caused woman’s death

AP: The woman sought treatment for a life-threatening condition, but could not be treated because the ransomware attack meant the hospital could not operate normally.

She was forced to go to another hospital about 20 miles away, and the one-hour delay in treatment is believed to have cost her her life.

According to AP, a report from the justice minister of North Rhine-Westphalia state said about 30 servers in the hospital were hit in the attack. A message was left for Heinrich Heine University, to which the hospital is affiliated, telling it to make contact with the criminals behind the attack.

Police managed to contact the attackers and informed them that the attack had affected a hospital. The attackers then provided a decryption key, after which they could not be contacted.

Security sources said the attackers were reported to have used CVE-2019-19781, a path traversal flaw in the Citrix Application Delivery Controller (ADC), to gain access, adding that this particular vulnerability was commonly used by four ransomware groups: Ragnar Locker, Nefilim, REvil and Maze.
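CVE-2019-19781 had a public patch and a vendor mitigation for most of 2020 before this attack, so the detection question is whether anyone looked at the ADC’s access logs. As an added example (mine, not from AP, Citrix or any incident report), the script below runs the obvious signature over constructed access-log lines: a request path that climbs out of /vpn/ with /../ into /vpns/, the same two substrings Citrix’s interim responder-policy mitigation matched on after URL decoding. Sample lines use documentation IP ranges and a combined-log layout; a real deployment would read the appliance’s own log format.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Apache/NGINX "combined"-style access log line (constructed format for the sample below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def looks_like_cve_2019_19781(path: str) -> bool:
    """Traversal from /vpn/ into /vpns/. Citrix's interim mitigation matched the same
    two substrings after decoding, so this mirrors the vendor's own signature."""
    decoded = unquote(unquote(path)).lower()          # twice, to catch %252e%252e
    return "/vpns/" in decoded and "/../" in decoded


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, raw path, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and looks_like_cve_2019_19781(m["path"]):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


def likely_compromised(hits: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """A 200 on a traversal path means the appliance served the request:
    treat it as an incident, not a probe. A 403 is the mitigation doing its job."""
    return [h for h in hits if h[2] == "200"]


# Constructed sample log; addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2020:03:12:44 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2020:03:12:45 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Sep/2020:03:13:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048',
    '203.0.113.9 - - [11/Sep/2020:09:00:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    print("suspicious:", hits)
    print("served (investigate):", likely_compromised(hits))
```

Two things the example deliberately does: it decodes the path before matching, because scanners vary the encoding of the dots, and it separates blocked probes from served ones, because after January 2020 nearly every internet-facing ADC was being probed daily and only the 200s tell you whether the box was still vulnerable when the probe arrived.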

That Chinese database of 2.4 million personal details again. Experts call it “frightening”.

In further developments it appears the database was stolen and leaked to the Five Eyes intelligence network by an anti-China activist. It was put together by Zhenhua Data, a Shenzhen-based private firm that lists the People’s Liberation Army and the Chinese Communist Party among its main clients.

The 2.4 million people include 35,000 Australians, 40,000 Britons, and a vast number of high-profile figures such as senior politicians, members of the royal family, religious leaders and military officers.

Details include dates of birth, addresses, marital status, relatives, political associations and social media IDs. And while a lot of the data has been “scraped” from social media and other publicly available material some also appears to have been sourced from confidential bank records, job applications and psychological profiles, and the dark web.

According to the Australian Broadcasting Corporation, one intelligence analyst described the giant global database as “Cambridge Analytica on steroids”.

Further to last week’s comments from Professor Christopher Balding and his colleague Robert Potter, Balding describes the database as “something akin to the Holy Grail. The information warfare being touted by Zhenhua targets key institutions in democracies such as the children of politicians, universities, and key industrial sectors. These flow into information transmission and policy formation.”

On advice, Balding has returned to the US from his university position in Vietnam.

US: $100,000 in bribes helped fraudulent Amazon sellers earn $100 million, DOJ says.

Jon Brodkin for Ars Technica: Six people were indicted on allegations of paying over $100,000 in bribes to Amazon employees and contractors as part of a scheme to give third-party sellers unfair advantages on the Amazon marketplace. Among other things, the indictment says that Amazon workers who accepted bribes reinstated sellers whose accounts had been suspended for offering dangerous products, and these workers suspended the seller accounts of the fraudulent sellers’ competitors.

In exchange for bribes, Amazon workers “baselessly and fraudulently conferred tens of millions of dollars of competitive benefits upon hundreds of [third-party] seller accounts that the Defendants purported to represent,” the indictment said. The DOJ said that workers “helped reinstate products and merchant accounts that Amazon had suspended or blocked entirely from doing business on the Amazon Marketplace” and that “the fraudulently reinstated products included dietary supplements that had been suspended because of customer-safety complaints, household electronics that had been flagged as flammable, consumer goods that had been flagged for intellectual-property violations, and other goods.” These fraudulently reinstated seller accounts included ones Amazon had “suspended for manipulating product reviews to deceive consumers, making improper contact with consumers, and other violations of Amazon’s seller policies and codes of conduct,” the DOJ said.

The previously suspended merchants made over $100 million from Amazon sales after their “baseless and fraudulent reinstatement,” the indictment said. The scheme started no later than July 2017 and continued until September 2020, the US Department of Justice indictment said.

Scary new project on Github: Darkshot.

Darkshot is a scraper tool on steroids, built to analyse the more than 2 billion pictures publicly available on Lightshot. It uses OCR to analyse pictures and auto-categorise them using keywords and detection functions.

“You can find pretty much everything : credentials, personal information (emails, phone numbers, addresses, ID cards, passports), banking information, etc.
Since it’s modulable, you can make your own detection function and use it as a monitoring tool.”

Disclaimer from the author mxrch: “This tool is intended for an education usage only, I am not responsible of a possible bad usage for it. Its main goal is to demonstrate the danger of storing user data with incremental/guessable links, and I wanted to push the thing to the max.”
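The author’s stated point, “the danger of storing user data with incremental/guessable links”, is worth putting numbers on. The added example below is mine, not Darkshot’s code and not a description of Lightshot’s real URL scheme: it assumes a hypothetical six-character base-36 identifier handed out sequentially, shows how one public link lets a scraper walk to its neighbours, and compares the expected guessing work against a random 128-bit token. The figure of 2 billion live objects is taken from the Darkshot description above.

```python
import secrets
import string
from typing import List

ALPHABET = string.digits + string.ascii_lowercase   # base-36 alphabet (assumed scheme)
ID_WIDTH = 6                                        # hypothetical 6-character short links


def encode_id(n: int, width: int = ID_WIDTH) -> str:
    """Counter value -> zero-padded base-36 identifier."""
    digits: List[str] = []
    while n:
        n, r = divmod(n, len(ALPHABET))
        digits.append(ALPHABET[r])
    return "".join(reversed(digits)).rjust(width, ALPHABET[0])


def decode_id(s: str) -> int:
    """Base-36 identifier -> counter value."""
    n = 0
    for ch in s:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n


def neighbouring_ids(seen: str, count: int) -> List[str]:
    """What a scraper does with a sequential scheme: take one public link, walk forward.
    Every result is a valid identifier, and with a full ID space almost every one is live."""
    base = decode_id(seen)
    return [encode_id(base + i) for i in range(1, count + 1)]


def guesses_per_hit(id_space: int, live_objects: int) -> float:
    """Expected number of random guesses before one lands on an existing object."""
    return id_space / live_objects


def random_link_id(nbytes: int = 16) -> str:
    """Unguessable identifier: 128 bits from the OS CSPRNG, URL-safe base64."""
    return secrets.token_urlsafe(nbytes)


SEQUENTIAL_SPACE = len(ALPHABET) ** ID_WIDTH   # 36**6, about 2.18e9 identifiers
RANDOM_SPACE = 2 ** 128
LIVE_OBJECTS = 2_000_000_000                   # "more than 2 billion pictures" above

if __name__ == "__main__":
    print(neighbouring_ids("00000z", 3))
    print("sequential: %.2f guesses per hit" % guesses_per_hit(SEQUENTIAL_SPACE, LIVE_OBJECTS))
    print("random 128-bit: %.1e guesses per hit" % guesses_per_hit(RANDOM_SPACE, LIVE_OBJECTS))
    print("example random id:", random_link_id())
```

With the assumed scheme the identifier space is only about 31 bits, so once two billion objects exist nearly every guess is a hit and the scraper does not even need to guess, it just counts. With a 128-bit random token the expected work per hit is on the order of 2^97 requests, and the “public” link is effectively a capability: unguessable, but still only as private as everyone it has been shared with.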

UK: World’s largest ever DNA sequencing of Viking skeletons reveals they weren’t all Scandinavian

St John’s College, University of Cambridge: Now cutting-edge DNA sequencing of more than 400 Viking skeletons from archaeological sites scattered across Europe and Greenland will rewrite the history books because (make sure you are sitting down):

  • Many Vikings actually had brown hair not blonde hair.
  • Viking identity was not limited to people with Scandinavian genetic ancestry. The study shows the genetic history of Scandinavia was influenced by foreign genes from Asia and Southern Europe before the Viking Age.
  • The genetic legacy in the UK has left the population with up to six per cent Viking DNA.

And all this without one consent form being signed… which only goes to show that your privacy can even be compromised a thousand years after your boat crashes.

That’s it for this week’s updates DAML’ers. Stay safe, stay secure and see you next time!


This was a great podcast @rps, thanks for doing this!