Privacy and Security related news for the week ending 2020 10 13

OK DAML’ers this week we start with an Orca reporting on a bunch of appliances and we end with a story about birds. In between the two extremes we have cars, drive-bys, cruises, trickbots, bricked phones and backdoors. Truly colorful content.

We help you stay safe with tips on everything from shopping to conferencing and while the tone is light, the results are serious.

Have a great read or check out the podcast here.

Orca security report: 4500K vulns on 2200 virtual appliances.

The company, Orca, scanned a total of more than 2,200 virtual appliances from 540 vendors in marketplaces associated with cloud platforms such as AWS, VMware, Google Cloud Platform, and Microsoft Azure in April and May, and identified over 400,000 vulnerabilities.

Before the report was published, they contacted the vendors (less than 14% responded) and they addressed only about 37K of the 400K vulnerabilities. Some said it was up to customers to ensure that their virtual appliances are patched, while others refused to take any action, arguing that the identified vulnerabilities were not exploitable. Unsurprisingly, some vendors threatened to take legal action.

How to cook up a solution to stay ahead of vulnerabilities? Orca recommends inventorying the virtual appliances in use, adding in vulnerability management tools that can discover weaknesses, and baking in a vulnerability management process that prioritizes the most serious issues.

UK: Hackney council subject of cyber attack

“Hackney Council has been the target of a serious cyberattack, which is affecting many of our services and IT systems…This investigation is at an early stage, and limited information is currently available. We will continue to provide updates as our investigation progresses. In the meantime, some Council services may be unavailable or slower than normal, and our call centre is extremely busy. Philip Glanville, Mayor of Hackney”

US: CBP Spent $2 Million On Google Maps For A Massive Surveillance Tool

Thomas Brewster for Forbes: For every person who enters America, a profile is drawn up and a determination made on their risk to national security. Run by Customs and Border Protection, it’s been controversial since the mid-2000s when the U.S. Department of Homeland Security (DHS) pivoted its use from just targeting cargo to tracking people.
Though it’s primarily engineered by lesser-known tech contractors, one of the technologies the ATS uses is Google Maps.

“The Automated Targeting System (ATS) is sort of this terrifying master database of vast quantities of personally identifiable information that’s being funnelled in from dozens of different law enforcement and other databases,” said John Davidson, lead counsel at the Electronic Privacy Information Center (EPIC), who said the use of Google tech in ATS was potentially “alarming.”

The revelation that CBP is using Google tech, through intermediary First Source Partners (FS Partners), as part of a surveillance technology also comes at an awkward time for the Mountain View giant. Sundar Pichai, CEO of Google’s parent company Alphabet, has been vocal in his criticism of the Trump administration’s clamp down on immigration, saying he was “disappointed” in the Trump administration’s executive order suspending foreign worker visas in July. Besides being used on the border, ATS is also used to vet nonimmigrant and immigrant visa applications.

Watch out for Amazon Prime day Scammers

Amazon claim it is bigger than Black Friday and cyber Monday combined (they would).

October 13-14th is also the day to be very careful that you end up on a real Amazon site and not a look alike, that you forgo Amazon surveys that offer iPhone 11s for completing an Amazon survey, and are very careful making your way through the expected barrage of phishing scams.

US: Lawfirm Seyfarth Shaw LLP shut down after ransomware attack.

On October 10, 2020, Seyfarth was the victim of a sophisticated and aggressive malware attack. At this time, our email system remains down. Our phone system is still functioning but if you are unable to reach your contact at the firm, please fill out this Contact Form."

Syfarth Shaw LLP have 17 offices with 900 lawyers across the US and serves 300 of the 500 Fortune 500 companies.

FBI ‘Drive-By’ Hacking Threat Just Got Real: Here’s Why You Should Be Concerned

Zak Doffman: Last December, the FBI warned

that the perilous state of IoT security means that “hackers can use an innocent device to do a virtual drive-by of your digital life.” A week earlier, that same FBI office had cautioned on the danger that smart TVs can allow “manufacturers, streaming services, and even hackers an open door into your home.”

“We were able to listen to conversations happening in a house from about 65 feet away,” Guadicore claims. “The attack did not require physical contact with the targeted remote or any interaction from the victim… We were able to hear a person talking 15 feet away from the remote, almost word-for-word… we could have stretched that distance out, too.”

The specifics in this instance are actually less important than the theory proven out. The team at Guardicore set about attacking Comcast set-top boxes, running the theory that this commonplace appliance may be exploitable. Probing weaknesses, the team moved over to its XR11 voice-remote, “one of the most common household devices you can find,” which in this instance can be found in some 18 million U.S. homes.

Under normal circumstances, the remote control unit checks with the cable box for new firmware just once every 24 hours. After hijacking this process, the attack intercepts those same firmware check processes to trigger each on-demand eavesdropping attack. To make this more practical, the malicious firmware increases those outgoing requests to once per minute. Intercepting a request allows the attacker to start recording.

Although the comms between the box and the remote was encrypted, it had a weakness, a signature, which was all the team needed open a door through which to return a malicious firmware load. “Normally, the box would respond to this request by saying that no new firmware is available. However… we could have told the remote that there is, in fact, a new firmware image available.” This firmware was then carefully uploaded. To prevent the cable box ending the attack, the team also “found a way to temporarily crash [its own] software.”

Again, the issue here is not a specific (now-fixed) Comcast issue, it’s a timely warning into the myriad camera and microphone equipped IoT devices we surround ourselves with. We have now seen multiple reports into smart speakers recording our conversations for training and other purposes, this simply manipulates that risk. “Most consumers have at least some idea of the risks in having a WiFi-connected baby monitor or voice-controlled smart speaker in their homes. Few people think of their television remote controls as ‘connected devices’… The recent development of RF-based communication and voice control makes this threat real.”

And so while this issue has been fixed, you can assume that there will be countless other vulnerabilities not yet researched, discovered and disclosed. “Capabilities like these used to be the closely-guarded secrets of sophisticated, nation-state actors,” the team says—and they’re right. Only this one was executed with nothing more than some cheap electronics that any one of us could purchase online. Comcast acted quickly and did the right thing—not all IoT vendors would have done the same, most such devices do not come from large U.S. corporations.

The key takeaway here is that researchers focused on a popular device, probing until they found its weakness. The device had all the component parts needed for a malicious task. Where once such a listening device would have been planted in the dead of night by covert method of entry professionals, now we’re doing that all by ourselves.

Microsoft Uses Trademark Law to Disrupt Trickbot Botnet

Brian Krebs. Microsoft: “We disrupted the Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Tom Burt, corporate vice president of customer security and trust at Microsoft, in a blog post this morning about the legal maneuver. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks. However, it appears the operation has not completely disabled the botnet.

However great the concept the baddies seem to already have a work around…according to real-time information posted by Feodo Tracker, a Swiss security site that tracks Internet servers used as controllers for Trickbot and other botnets, nearly two dozen Trickbot control servers — some of which first went active at beginning of this month — are still live and responding.


You may have first heard of the white supremacy group “Proud Boys” after Donald Trump told them to “stand down and stand by” during his first presidential debate. Now Google have given them the boot.

“Google’s recent actions to block the Proud Boys website and online store is a welcome response to persistent demands from Color Of Change and our allies. Following years of pressure, the company successfully got a Google Cloud Services customer hosting the Proud Boys’ website to remove the violent hate group’s online pages. This progress is important, but now we call on Google’s peers to follow suit, and Google must remain vigilant as Proud Boys moves to other website hosts.”

Proud boys are now hosted by the German web hosting provider 1&1 IONOS.

Ransomware Attackers can now Buy Network Access

Ever wonder why some companies get attacked again and again in high profile cases?

Well it seems that we now have a new service offering: NAaaS or Network Access as a Service.

Depending on the size of the company, you can pay between US $300 and $10,000 for credentials that will allow you to infiltrate pre-compromised corporate or government networks.

Advertisers list their Dark Web offering with the access type: RDP, VPN or Citrix, what country the network is in, number of Endpoints, employees, and turnover.

Typically this access is as a result of unpatched machines or a zero day and whereas the malfeasants used to just sell the zero day exploits, but now they use it to gain entry to networks and then sell the accessible network details, netting much higher returns.

US: Carnival cruises give up PII in Ransomware Attack.

Carnival Corp confirmed in a Q-10 form (pp33 & 48) filed with the Securities and Exchange Commission last week, the exfiltration of employee, crew and passenger PII from a mid-August 2020 attack.

Generally that Q10 is pretty ugly reading, but such is the state of the cruise industry right now.

FI: NordVPN finally go live.

Back in 2018 03 someone managed to gain remote access to one of NordVPNs exit node servers, lifting software, cryptography keys and their TLS cert. Because NordVPN doesn’t log user access, they could not tell how long and how many of their 13M clients were compromised.

Large blush.

Well that server was in a rented datacenter at Creanova data center in Finland and the compromise was down to unauthorized access to the remote management software used by the servers owner. Creanova bosses say, however that Nord VPN used the software and should have locked it down.

Fingers pointing.

Nord VPN decided to rent space in a CoLo and take care of all access element themselves. The Finnish CoLo datacenter has just gone live and NordVPN will soon begin replicating the setup throughout the world.

Five Eyes for Encryption Backdoors

Ok 5 eyes plus 2: UK, US, Australia, New Zealand and Canada with India and Japan have called on tech firms to engineer backdoors into encryption. "we challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity.”
They believe that the tech community just isn’t trying hard enough to come up with a solution.
We don’t get this. With all the breaches that have occurred, it must be completely evident secrets worth having cannot be kept, and what’s to stop someone trying to have a secret conversation switching to an un-back-doored encryption algorithm. What are we missing?

DE: Software-AG hit by Malware.

Last week Software-AG (IoT Specialist) appeared to have been hit and downed by the Clopp malware variant… “Software AG has obtained first evidence that data was downloaded from Software AG’s servers and employee notebooks… Software AG is further investigating the incident and is doing everything in its power to contain the data leak and to resolve the ongoing disruption of its internal systems, in particular to restart its internal systems as soon as possible which had been shut down for security reasons.”

Rumors have it that almost a terabyte of data has been stolen with a ransom of about Euros 18M

US: Twitter adds fact check warning to President Trumps tweet claiming coronavirus immunity

Sunday Trump tweeted: “A total and complete sign off from White House Doctors yesterday. That means I can’t get it (immune), and can’t give it. Very nice to know!!!”
To which Twitter added: “This Tweet violated the Twitter Rules about spreading misleading and potentially harmful information related to COVID-19.”

IL: Phantom images and the Tesla Autopilot.

Researchers at Ben Gurion University of the Negev discovery that just a subliminal showing of a stop sign during and animated roadside presentation could bring a Tesla to a screeching halt. “The driver doesn’t even notice, but suddenly the car reacts and the driver can’t figure out why!”
With a $300 projector they projected speed limits into trees and flashed pedestrians b the roadside causing cars to slow and alter course.
Now imagine a little projector in a Drone flying around causing havoc and you can see the concern.
Tesla in its defense does state that Autopilot is only intended for use with a fully attentive driver, and the experiments were carried out on the Mobileye 630 Pro Driver Assist System which is already one rev back.

Microsoft Blogging about malware bricking Android phones?

"The mobile ransomware, detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B, is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.

this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to devices by displaying a screen that appears over every other window, such that the user can’t do anything else. The said screen is the ransom note, which contains threats and instructions to pay the ransom.

A new platform is calling: Signal Desktop

The latest beta release of secure Signal Desktop includes preliminary support for one-to-one voice and video calls. Call your friends and family on macOS, Windows, and Linux; see their smiles on a larger screen; hear their laughter through the big speakers on your desk; and help us test the next generation of calling on Signal.

Beta users get an early chance to evaluate call quality and performance while we continue to improve the interface and work on upcoming features.

BTW the Signal protocol is the one What’sApp is built on, so this comes without Facebook acting as an end point.

Be careful where you fly your drone.

You might expect this to be a cautionary privacy or security tale about drone flying near airports or outside the kitchen window of that attractive individual down the street, but this story takes us to Scotland for a commercial roof survey. Apparently a the DJI Phantom 4 was spotted by a Scottish black-headed gull and violently taken out of commission. No mean feat when you consider the drone weighed over 6.14kg.

This follows a similar story from a coastal mapping mission last summer over the US waters of Lake Michigan when an eagle made a similar hit on another DJI Phantom 4, 7 minutes in.

It would seem that birds are so effective against drone attacks that police in Holland created an “anti drone Eagle squad” a few years back.

What happened?
Well apparently the first hits went as expected, but on the second or third drone sighting, the birds thought better of further assaults on the 6kg, whizzing, whirring craft entering their airspace, so the Dutch had to drop the project.

That’s all for this week DAML’ers. Hope you liked the new format and look forward to seeing you next week!



thank you. You guys on are great.

1 Like

I really enjoy the podcast version @rps :wave:

Thanks from the bottom to the tops of our microphones! We love your comments and will keep trying to make it the “best podcast ever”!

1 Like