Privacy and Security related news for the week ending 2020 09 29

Good day DAML’ers! We’ve certainly got a roundup of WILD stories for you this week, from the FBI playing Roxy Music’s Manifesto to the DAML’ers cycling group’s contribution to the development of city centers, it’s all here.

Fed up with your Android location-based unlock? We can help you fix it for a while. We cover the curious outage of a large swathe of the US’s 911 emergency services (the equivalent of 999 in the UK… or is it “0118 999 881 999 119 725 3”?) and even a coffee maker hit with ransomware.

We hope you enjoy this week’s privacy and security related news stories, and that they help you stay on point, on guard and informed.

Read the article or download the podcast

…and now our first story:

False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections

During the 2020 election season, foreign actors and cyber criminals are spreading false and inconsistent information through various online platforms in an attempt to manipulate public opinion, sow discord, discredit the electoral process, and undermine confidence in U.S. democratic institutions. These malicious actors could also use these forums to spread disinformation suggesting successful cyber operations have compromised election infrastructure and facilitated the “hacking” and “leaking” of U.S. voter registration data.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) recommendations:

  • Seek out information from trustworthy sources, verify who produced the content, and consider their intent.
  • Rely on state and local election officials for information about voter registration databases and voting systems.
  • View early, unverified claims with a healthy dose of skepticism.
  • Verify through multiple reliable sources any reports about compromises of voter information or voting systems, and consider searching for other reliable sources before sharing such information via social media or other avenues.

We are not passing judgement, but it does sound an awful lot like the lyrics to an old Roxy Music song:

Hold out when you’re in doubt
Question what you see
And when you find an answer
Bring it home to me.

US: SEC Charges Amazon Finance Manager and Family With US$1.4M Insider Trading

Washington D.C., Sept. 28, 2020: The Securities and Exchange Commission today charged a former finance manager at Amazon(.)com Inc. and two family members with insider trading in advance of Amazon earnings announcements between January 2016 and July 2018.

According to the SEC’s complaint, Laksha Bohra worked as a senior manager in Amazon’s tax department, where she prepared and reviewed calculations used to finalize numbers included in Amazon’s quarterly and annual earnings that were filed with the SEC. Beginning in January 2016 and continuing through July 2018, Laksha Bohra allegedly acquired, and tipped her husband Viky Bohra with, highly confidential information about Amazon’s financial performance. The complaint alleges that Viky Bohra and his father, Gotham Bohra, traded on this confidential information in 11 separate accounts maintained by different members of the Bohra family.

US: McAfee Corp seeking listing on Nasdaq

The filing says McAfee plans to issue $100m of shares. “you won’t just be buying into a trusted name that’s proven it can grow, you’ll be buying into an industry with a $30.4 billion addressable market projected to grow at a four-year compound annual growth rate of 7.9 percent.”

Sounds great right? But they do temper that with a cautious statement: “large cloud platforms, such as Amazon Web Services, Google Cloud and Microsoft Azure, may expand or commence providing native cyber-security functionality directly on the platform such that our current and potential customers forego purchasing cybersecurity solutions from us.”

Certain members of this security team spent months reviewing McAfee products a couple of years back and suggest that other companies might offer a lower risk-to-return ratio (at least for now).

US: 911 services down in multiple states

Emergency services across at least 14 US states reported outages of their 911 lines on Monday. Intrado routing issues were reported by police departments in counties across Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, and Washington. The outage impacted all emergency services simultaneously, and 911 services were restored within 30 to 60 minutes for most affected counties.

Intrado and TCS reroute and interconnect emergency 911 calls, so they act as a chokepoint if one of them goes down (as appears to be the case with Intrado).

TunnelBear VPN Survey

44% of the 5,500 people aged 18-65 surveyed in the UK, US, Canada, Australia and Russia felt they were subjected to some form of Internet censorship. This is especially concerning given the higher reliance on the Internet during the COVID-19 lockdown restrictions. (The results should not be surprising in the context of TunnelBear’s censorship-free focus, but they are of interest nonetheless.)

“Some search engines and social media platforms promote what they consider to be ‘authoritative sources’ and may suppress or remove other results. Is that good practice? It really depends on how reliable the censorship decisions are – but what has been evident in many cases is that the sources that have been marginalized turned out to be correct – and the supposedly authoritative sources have sometimes turned out to be the misinformation.”

“Two of the most prominent examples of information misuse have been online product reviews besieged by fake reviews and how the term fake news – once used just to label news that was probably incorrect – is now regularly misapplied to discredit or question real news more often than it is to label genuine fake news.”

FR: Another shipping giant confirms ransomware attack

Lloydslist: The French carrier CMA CGM was asked by hackers using the Ragnar Locker ransomware to contact them within two days ‘via live chat and pay for the special decryption key’. No ransom price has been named yet.

After initially claiming the company’s booking system was disabled by ‘an internal IT infrastructure issue’, CMA CGM has now confirmed it was hit with a ransomware attack. Several of its Chinese offices were affected, but the container line says it has shut down its network to prevent the spread of malware.

CMA CGM initially denied it had been hit by a cyber attack. However, vice-president Joël Gentil has now confirmed a security breach.

“The CMA CGM group, excluding CEVA Logistics, is currently dealing with a cyber attack on peripheral servers,” he said. “Now that we have identified this problem, we have interrupted the access to our system to prevent the malware from spreading. Now our information system is resuming.”

  • The Ragnar Locker attack would make CMA CGM the fourth major container shipping carrier known to have fallen victim to such a major cyber incident.

  • In July 2018, Chinese giant Cosco Shipping was hit by a cyber attack that disabled its IT systems in the US.

  • Maersk Line sustained a severe blow from a ransomware attack in 2017, which cost the Danish carrier up to $300m.

  • Mediterranean Shipping Co suffered a shutdown from a cyber attack earlier this year.

CA: KPMG Survey: Canadians would shift companies after a data breach.

Ninety percent of the 2000 Canadians surveyed by KPMG earlier this month reported they would not trust PII to a company after it had been breached.

Other interesting stats out of that survey:

  • 54% of the 18-44 demographic said they do more online shopping than pre-Covid-19.
  • The same number said they are being extra careful when shopping online.
  • Over half of the respondents said they got way more phishing e-mails.

US: Nevada school district refused to pay the ransomware demand… and all the kids’ PII was released onto the web.

More and more ransomware is following a new path: exfiltrate the sensitive data first, encrypt everything left behind, then demand a ransom, with the stolen data published if the victim refuses.

Clark County, Nevada schools just had that happen, as first reported by the Associated Press at the beginning of this month. Although all affected individuals were notified prior to the data breach, it’s still sad to see something like this happen.

Identity theft can wreck lives, so it’s especially sad to see children’s PII exposed in this manner.

Google removes 17 Android apps designed to deploy Joker malware
Viral Gandhi: In a blog post published on Thursday, security firm Zscaler explained that it discovered and identified the 17 apps (uploaded this month) and alerted Google, which then removed the offending programs. In total, there were around 120,000 downloads.

Joker spyware captures SMS messages, contact lists, and device information in addition to silently enrolling the victim in premium wireless application protocol (WAP) services. Joker has been a tough contender for Google in large part because the criminals behind it keep modifying the code, the execution process, and the tactics for delivering the payload.

The 17 apps embedded the command-and-control (C&C) stager payload URL directly in their code, using encryption to disguise it. The final-stage payload then executed the Joker malware on the user’s endpoint.

“We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps.”

How to fix Android’s Smart Lock Trusted Places feature

JR Raphael: Smart Lock has been around since Android 5 (2014), but it has spent most of that time breaking. For whatever reason, when you set “home” and “work” as trusted places so you get unfettered access to your phone there, you still have to unlock it.

Here is a way to fix that (if not permanently, at least for a few months, until it breaks again).
  1. Open up the Google Maps app on your phone.
  2. Tap your profile picture in the app’s upper-right corner, then select “Settings” followed by “Edit home or work.”
  3. Tap the three-dot icon next to the line labeled “Home,” “Work,” or whatever location is giving you trouble, and then select the “Edit” option (“Edit home,” “Edit work,” etc.) from the menu that comes up.
  4. On the map that appears next, use your finger to drag the pin representing your location ever so slightly — enough that the address at the top of the screen changes (even if it changes to something that’s no longer the exact correct address). Tap the Save button at the bottom of the screen.
  5. Repeat steps 3 and 4, but this time, drag the pin back to your location’s correct address. Be sure to tap the Save button again when you’re done.

UK: Hacking Prosecutions Drop by 12% in 2019

James Coker Reporting: Hacking prosecutions fell by 12% to 57 in 2019 compared to the previous year in the UK, according to an analysis by the law firm RPC. This meant that just 0.33% of the 17,600 hacking offences reported in the UK in 2019 resulted in a prosecution under the Computer Misuse Act.

RPC believes lack of resources being provided to the police to investigate such cases is the biggest factor in prosecutions being so low. It added that the UK government typically focuses its resources on targeting cyber-criminals involved in attempts to compromise national security.

In addition, it is often very difficult to identify and pursue attackers, as the majority of offences reported in the UK are likely to be carried out from abroad. The primary reason for this, according to RPC, is that attackers are more likely to route attacks through countries which do not necessarily have a co-operative law enforcement relationship with UK authorities.

Coffee Machine "Hit By Ransomware Attack"

As hacked by Martin Hron: With the name Smarter, you might expect a network-connected kitchen appliance maker to be, well, smarter than companies selling conventional appliances. But in the case of Smarter’s Internet-of-things coffee maker, you’d be wrong.

Upon switching on the coffee machine in question, I discovered that it acted as a Wi-Fi access point, establishing an unencrypted, unsecured connection to a companion app. This enabled me to start investigating the firmware update mechanism employed. Unsurprisingly, perhaps, the updates were also unencrypted, without any authentication or code-signing involved.

So I did what any good hacker would do and proceeded to reverse-engineer the firmware stored within the Android app. To get it all right, I needed to see what was running the code.

I took the coffee machine apart and had a look at the components, eventually acquiring enough information to write a Python script that mimicked the update process.

Initially, I wanted to turn the device into a cryptocurrency mining machine rather than one that churned out coffee. It was possible, but I discovered it would be rather pointless given the speed of the CPU.

Instead, I managed to produce a working ransomware attack that was both persistent and hard to ignore. The trigger for the attack was the command that connects the machine to the network, and the payload some malicious code that “renders the coffee maker unusable and asks for a ransom.”

But I didn’t stop there; I also got that triggered code to permanently turn on the hotbed and water heater as well as the coffee grinder. The only way to silence the now manic machine was to pay the supposed ransom or, of course, pull the plug from the mains. Plug it back in, however, and the onslaught continues anew.

Smarter wants you to know that the version that was hacked is an older model; the newer model updates a number of components, which prevents this particular hack.

The biggest question out of this experiment revolves around the lifespan of the item. How long do you think the manufacturer will support the product with updates?
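The weak point in the account above is an update channel with no authentication or code signing. As an added example (not Smarter’s firmware format or Avast’s code; the image layout, field names and sample payload are constructed for illustration), here is what a signed-update check on the device side looks like, using Ed25519 so that only the vendor’s public key needs to live on the appliance:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a real vendor format):
//   "FWUP" | version uint32 BE | payload length uint32 BE | payload | 64-byte Ed25519 signature
// The signature covers everything before it, so the version field cannot be swapped either.
const headerLen = 4 + 4 + 4

var (
	ErrTruncated = errors.New("image too short")
	ErrMagic     = errors.New("bad magic")
	ErrLength    = errors.New("payload length does not match image size")
	ErrSignature = errors.New("signature does not verify against vendor key")
	ErrRollback  = errors.New("version is not newer than installed firmware")
)

// BuildImage is the vendor side: it signs header and payload with a private key
// that never leaves the build system. Only the public key is baked into the device.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("FWUP")
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device side: it rejects truncated, tampered, unsigned and
// rolled-back images before a single payload byte is flashed.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if string(img[:4]) != "FWUP" {
		return 0, nil, ErrMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-headerLen-ed25519.SignatureSize {
		return 0, nil, ErrLength
	}
	signed, sig := img[:headerLen+n], img[headerLen+n:]
	// Verify the signature before trusting any field, including the version.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, img[headerLen : headerLen+n], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 2, []byte("brew: 92C, grind: medium")) // constructed payload
	if v, _, err := VerifyImage(pub, 1, img); err == nil {
		fmt.Println("accepted version", v)
	}
	img[headerLen] ^= 0xff // flip one payload byte, as a tampered download would
	_, _, err := VerifyImage(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```

The version check matters as much as the signature: without it, a correctly signed but older, vulnerable image can be replayed onto the device.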

Privacy: Amazon

Last week, Amazon not only launched the indoor flying Ring camera drone, but confirmed new Alexa privacy controls.

Now you can configure Alexa so that no voice recordings are saved.

This is a significant advance because before, you could only opt for such auto-deletion after 3 or 18 months. You can find this setting in the Alexa app under More|Settings|Alexa Privacy|Manage Your Alexa Data|Automatically delete recordings.

You get a warning that deleting recordings “May degrade Alexa’s ability to understand and respond,” but you probably didn’t notice any difference if you switched this to three months some time ago, and you probably won’t with this change either. Oh, and as long as you have “Enable deletion by voice” toggled on from the same page, you will also soon be able just to tell Alexa to “delete everything I’ve said.”

Trying that, it didn’t work, but Alexa did respond that it was “coming soon”.

AU: Google Maps asked to stop users ‘walking’ on Uluru through street view function

George Roberts for ABC News: Parks Australia has asked Google to remove images of the top of the sacred Indigenous site, Uluru, which allow users to walk on its summit.

Traditional owners have banned visitors from the top of the rock, which has spiritual significance to Anangu, Uluru’s traditional owners.

Google Maps’ street view function allows people to move around environments as part of a virtual walking tour.

It contains 360-degree images of the summit of Uluru, allowing users to effectively defy the visitors’ ban.

A spokesperson for Parks Australia said it had, “alerted Google Australia to the user-generated images from the Uluru summit that have been posted on their mapping platform”.

Google Australia told the ABC that it was working on having all the images removed, including the user-generated content that allowed the walk-through.

But it added that the changes may take up to 24 hours to come into effect.

Privacy: Hiding your home on Google Street View

Last week, as I was hanging off a ladder fighting to remove some old wood on my front porch, the Google Street View car went by. No pre-warning like “stand up straight”, “hold your shoulders up” or “strike a happy pose”, just a blaze of white with Google logos and a strange spherical object on top of the car, and it was gone.

I wasn’t sure I wanted that, especially as I was currently in a fight with the local township over building permits and inspections. So I wondered, is it possible to get the complete history of the world according to building frontage removed, and I found out you could!

Here’s what you do. Open Google Maps and search for your address. Then drag the little yellow Street View snooper onto the map, somewhere near your house. You’ll jump into the real-world viewer. Move the snooper along the inlaid 2D map until you have your house in view. Then select “report a problem” from the menu bar. This gives you the option to correctly position a red square over your house and explain the issue. You can just say it’s your home, by way of explanation, adding that you have concerns about security.

US: ATM Skimming Group Arrested On Federal Charges

The Department of Justice has indicted nine people it says were operating a string of ATM skimmer operations netting more than $100,000 in theft.

The crew, it is said, placed “skimmer” devices over the card readers of ATMs and collected the card information of people who used the kiosks. They would then yank the skimmers and encode the data onto blank cards which they could use or sell to others.

This was done between March of 2019 and June of 2020 across a string of states in the southeastern US: Florida, Louisiana, Georgia, and Mississippi, as well as in New York state.

Each of the nine has now been indicted on one federal count of conspiracy to commit device fraud. Police have also reportedly arrested other suspected members of the gang.

An indictment is merely a formal charge that a defendant has committed one or more violations of federal criminal law, and every defendant is presumed innocent unless, and until, proven guilty.

Teen hacker nets US$25K for Instagram bug

A 14 year-old Brazilian developer got a nice payday from Facebook, thanks to a critical bug find in Instagram.

Andres Alonso says that he happened on the cross-site scripting flaw by accident while he was working on his own mobile app.

While working through some integration code with Instagram’s AR filter creator, he figured out that someone could redirect the URL a filter links to without the user getting any notification. At the time, though, he couldn’t quite get a working proof-of-concept that showed it was a complete XSS vulnerability.

Still, Alonso reported the issue to Facebook, whose security team confirmed that it was indeed a bug that would allow for dangerous cross-site scripting and decided to award the teen a tidy $25,000 bounty. Facebook’s crew confirmed the dodgy code could be used in an XSS attack against Instagram but said it hadn’t been used in the wild.

“I have to thank Facebook for making a little push in my report escalating to an XSS,” he said.

TikTok Gets Reprieve as Judge Halts Trump Download Ban

TikTok won a last-minute reprieve late Sunday as a US federal judge halted enforcement of a politically charged ban ordered by the Trump administration on downloads of the popular video app, hours before it was set to take effect.

District Judge Carl Nichols issued a temporary injunction at the request of TikTok, which the White House has called a national security threat stemming from its Chinese parent firm’s links to the Beijing government.

An amicus brief filed by Netchoice, a lobby/trade group which includes Google, Facebook and Twitter, said a ban could have important implications for the global internet. “The government’s actions are unprecedented in scope,” the group said in its filing.

A ban would “also create a dangerous precedent” for the open internet, the brief said.

RU: Putin to Trump: Let’s collude to stop election hacking

Simon Sharwood: Russia has taken the unusual step of posting a proposal for a new information security collaboration with the United States of America, including a no-hack pact applied to electoral affairs.

The document, titled “Statement by President of Russia Vladimir Putin on a comprehensive program of measures for restoring the Russia – US cooperation in the filed [sic] of international information security”, opens by saying “one of today’s major strategic challenges is the risk of a large-scale confrontation in the digital field” before adding: “A special responsibility for its prevention lies on the key players in the field of ensuring international information security (IIS).”

Russia stands accused of interfering in the 2016 US presidential election with widespread use of fake social media accounts. On 17 September FBI director Christopher Wray testified before the House Homeland Security Committee and named Russia as a nation already interfering in this year’s elections.

Just so You Know… DAML cycling Group: Strava to sell your data to city planners

Simon Sharwood: Exercise-tracking app Strava, notorious for inadvertently revealing the location of military bases, will share a four-billion-record-strong dataset generated by its users in the name of assisting cities to plan for expected post-pandemic bicycle and walking booms.

An email sent to users over the weekend reminded users that Strava doesn’t just let them record their bike rides and track personal best efforts, but also sells the resulting data to urban planners as a product called “Metro” that’s touted as just the thing to inform development decisions about cycling and pedestrian infrastructure.

“The vast majority of cities are experiencing a boom in human-powered transportation. Vehicle traffic has plummeted, while bike sales have soared.”

Strava points out that users can opt out of having their data collected for the ever-growing Metro dataset. However, collection for Metro appears to be on by default in the Strava app and the opt-out feature is a couple of layers below the everyday UI.

Fashion Retailer BrandBQ Exposes Seven Million Customer Records

The Krakow-based retailer operates online and physical stores across Eastern Europe, in: Poland, Romania, Hungary, Bulgaria, Slovakia, Ukraine and the Czech Republic. Its main brands are Answear and WearMedicine(.)com.

Among the one billion entries in the exposed database, 6.7 million records related to online customers, with each entry featuring personally identifiable information (PII) including full names, email and home addresses, dates of birth, phone numbers and payment records (although not card details).

An additional 50,000 records relating to local contractors in certain jurisdictions included further information such as VAT numbers and purchase info. The database also contained logs of API calls from Answear’s mobile app, exposing PII on 500,000 users of the Android app and an unknown number who have downloaded the iOS version.

Too many company accounts are over-privileged.

In a survey carried out by the US Ponemon Institute of just under 900 IT professionals, 40 per cent of commercial sector respondents and 36 per cent working in the public sector said they had privileged access to sensitive data through work.

Worryingly, of that number, over a third (38 per cent public sector and 36 per cent private) said they had access privileges despite not needing them.

The Missing CryptoQueen
If you have any serious commuting time coming up, we have a hearty recommendation for a thoroughly engaging podcast series (nine episodes in total). This one is from the BBC and follows the search for OneCoin’s missing Dr Ruja Ignatova. The podcast moves from intrigue to heartbreak. Stick with it. You will love it.

That’s it for this week DAML’ers! Stay safe and secure!
