Privacy and Security related news for the week ending 2020 10 20

DAML’ers we have the most entertaining round up of privacy and security stories making this the best week yet! From a rapper scamming the system to an alarming number of stories covering the security, a ransomware gang giving back to charity, to a final word from POTUS that has roughly half of the population up in arms.

In between we share US election communications that you will want to avoid, a RAT infested travel app that you’ll never need to download and how to make your phone a little bit safer.

Enjoy this week’s roundup of stories!

Have a great read or check out the podcast.


Don’t rap about scamming the system

Rapper Fontrell Antonio Baines AKA Nuke Bizzle is being accused of alleged to have stolen $1.2 million in Unemployment benefits through the COVID-19 Jobless relief program and then singing about it.

Not sure if the prosecutors need any more evidence than what they find in that video. Fontrell could do up to 22 years behind bars.


Call the exterminator the Rat is back

Rat = Remote Access Trojan. This one, called GravityRat was first used to target the Indian Armed Forces.

First seen on Windows, MacOS and Android versions have now been seen on VirusTotal. The code was written to an app called TravelMate, with the new version renamed TravelMatePro. The cybercriminals have started using digital signatures to make the apps look more legitimate and distribute primarily through links on Facebook as a “secure messenger application”.

Malware retrieves device information, contact lists, call logs, email addresses, and SMS messages, and even finds and exfiltrates files based on extensions: .docx, .doc, .ppt, .pptx, .txt, .pdf, .xml, .jpg, .jpeg, .log, .png, .xls, .xlsx, and .opus.


US: Scammers Seize on the US Election, But It’s Not Votes They Want

American voters face an especially pivotal, polarized election this year, and scammers here and abroad are taking notice. The Federal Bureau of Investigation, the Better Business Bureau and cybersecurity experts have recently warned of new and increasingly sophisticated online fraud schemes that use the election as an entry, reflecting both the proliferation of political misinformation and intense interest in this year’s presidential and Senate races.

“Every election is heated, but this one is very much so,” Paula Fleming, a chief marketing officer for the Better Business Bureau, said. “People are more trusting when they see it’s a political party or a candidate they like emailing them.”

“It is tricky because there are legitimate organizations out there that are trying to help people register to vote,” said Eva Velasquez, a former financial crimes investigator who now runs the Identity Theft Resource Center, based in San Diego. “But you don’t have to act in the moment. Take a few minutes and do a little homework.” Check the links before clicking on them or providing any detail.


Mississippi Schools Cyber-Attack Costs $300,000

“Last week, the Yazoo County School District detected a potential cyber event impacting certain devices on our network. We took our IT systems offline to investigate and address. National cyber-security firms were engaged to assist. We also reported this to federal law enforcement,” according to a statement issued by the school Superintendent Dr. Ken Barron

The school board voted to pay a company $300,000 to recover the data that was encrypted by malware.


Number 4. Delete some apps from your phone. Use a browser instead.

Matt Mitchell is a tech fellow at the Ford Foundation, and the founder of CryptoHarlem, an organization that teaches people to protect their privacy, including from surveillance.

Apps can learn a lot about you due to all the different types of data they can access via your phone. Seemingly harmless apps – like say, a flashlight app — could be selling the data they gather from you.

That’s why Mitchell recommends “Marie Kondo-ing” your apps: Take a look at your smartphone and delete all the apps you don’t really need. For many tasks, you can use a browser on your phone instead of an app.

Privacy-wise, browsers are preferable, because they can’t access as much of your information as an app can.


UK Says Russia Launched Cyberattacks Against 2020 Olympic, Paralympic Games

On Monday, the UK officially accused the GRU of launching malicious cyber-operations targeting the Olympic and Paralympic Games, including the now-postponed 2020 Summer Olympics and the 2018 Winter Olympic and Paralympic Games in Pyeongchang, South Korea.

“The National Cyber Security Centre (NCSC) assesses with high confidence that these attacks were carried out by the GRU’s Main Centre for Specialist Technologies (GTsST)

The same day the U.S. Department of Justice on Monday announced charges against six Russian intelligence officers for their alleged role in several major cyberattacks conducted over the past years.

U.S. authorities have credited several companies in the private sector for their assistance in the Sandworm investigation, including Google, Cisco Talos, Facebook and Twitter.


The Cybersecurity Visuals Challenge

The Hewlett Foundation: Let’s reimagine the visual language of cybersecurity by elevating more representative imagery. (i.e. how to get more people interested in cyber-security).

Judge for the results for yourself.

Bruce Schneier liked the idea but found the artwork underwhelming.


Google’s Waze Can Allow Hackers to Identify and Track Users

What I found is that I can ask Waze API for data on a location by sending my latitude and longitude coordinates. In addition to the essential traffic information, Waze also sends me coordinates of other drivers who are nearby. What caught my eye was that identification numbers (ID) associated with the icons were not changing over time. I decided to track one driver and after some time she really appeared in a different place on the same road.

I found out that if user acknowledged any road obstacle or reported police patrol, the user ID together with the username is returned by the Waze API to any Wazer driving through the place. The application usually doesn’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event and even a time when it was acknowledged.


From the archives: Unique in the Crowd: The privacy bounds of human mobility

https://www.nature.com/articles/srep01376

We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.

A simply anonymized dataset does not contain name, home address, phone number or other obvious identifier. Yet, if individual’s patterns are unique enough, outside information can be used to link the data back to an individual. For instance, in one study, a medical database was successfully combined with a voters list to extract the health record of the governor of Massachusetts. In another, mobile phone data have been re-identified using users’ top locations. Finally, part of the Netflix challenge dataset was re-identified using outside information from The Internet Movie Database.

…So we are not as anonymous as we thought.


Forum Data Breach - Please Change Your Password

Message from Albion to its users:
“Dear Albion Community, Unfortunately, we have become aware of a data breach in one of our systems, in which a malicious actor gained access to parts of our forum’s user database.”

What happened?
The intruder gained access to our systems and was able to access forum user profiles, which include the e-mail addresses connected to those forum accounts.


Barnes & Noble warns customers it has been hacked, customer data may have been accessed

A day after Barnes & Noble solved its Nook outage, the bookstore revealed a far more serious problem: A massive cybersecurity attack breached the company’s data, exposing information about customers, including email addresses and other personal information including customers’ email addresses, billing and shipping addresses, and telephone numbers.

In addition, Barnes & Noble stores details of customers’ past transactions, revealing a history of books and other products that have been purchased from the retailer in the past. Depending on your literary tastes, that clearly could prove embarrassing.

The data breach comes at a time when bookstores are relying on online sales and competing with Amazon.


800,000 SonicWall VPNs vulnerable to new remote code execution bug

Tripwire vulnerability and Exposure Research Team (VERT) has identified a stack-based buffer overflow in SonicWall Network Security Appliance (NSA). The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet. As of the date of discovery, a Shodan search for the affected HTTP server banner indicated 795,357 hosts.

Remediation? Disconnect and patch the affected SSL VPN portal.

As at October 16th SonicWall was not aware of a vulnerability that had been exploited or impact to any customer.


Clear Conquered U.S. Airports. Now It Wants to Own Your Entire Digital Identity.

https://onezero.medium.com/clear-conquered-u-s-airports-now-it-wants-to-own-your-entire-digital-identity-15d61076e44d

Dave Gershgorn: In March, the air travel industry ground to a halt. Some airplanes were turned around in midair and sent back to where they’d come from. Clear’s revenue from some of the airports where the company operates more than halved during the month of April.

The company has already amassed troves of personal data on its customers, especially for Clear customers who use the service to buy concessions and enter sports stadiums. The company has even explored sharing that data with partners for marketing purposes. In return for cutting to the front of the line unimpeded, customers handing over vast swaths of biometric and travel data.

Clear plans to be the company that verifies your identity every time you would have swiped a credit card, shown your ID at a door, or handed over a health insurance card. “Enroll once at the airport: now you can use it at Hertz, now you can use it at the sports stadium, now you can use it at the Seahawks to buy a beer. That is the power of a platform. Now you think about adding hotels, now you think about ride-share… You are your credit card when you enroll.”

To that end, Clear announced a new product called Health Pass in May. It takes Clear’s main identity verification service and attaches a person’s health information to their profile. Through self-administered health quizzes and integrations with Covid testing labs, Clear’s app would allow companies to monitor the health of staff and patrons of office buildings, hotels, restaurants, hospitals, sporting events, and of course, airports. Only those who are able to prove good health would gain access to these realms of public life, with Clear’s app as the arbiter.

At its peak in 2008, Verified Identity Pass (VIP) operated in more than 20 airports. But that year, the company stumbled. An unencrypted company laptop containing the personal information of 33,000 members was stolen, and the TSA suspended the company’s ability to register new customers in airports for about two weeks. (Seidman-Becker now says this episode is an “urban myth” and that there wasn’t any personal information on the laptop.)
Brill left the company in March 2009, and by the end of the year, Verified Identity Pass had filed for bankruptcy.

Months later, two former billion-dollar hedge fund managers, having closed their fund in the wake of the recession, bought VIP for just $6 million with a novel idea: rehabilitating the service as a luxury tech brand. The Clear program would no longer just save you time — now, it would unlock a lifestyle. Caryn Seidman-Becker and Ken Cornick, now the company’s CEO and president, respectively, changed the name of the company to Clear, and registered it under a parent company called Alclear.

Today, Clear operates in 35 airports in the U.S. Clear offers airports a cut of the revenue earned when a traveler signs up for a subscription. These deals typically range from 10% to 12% of Clear’s revenue at the airport, and include Clear sign-ups outside of the airport’s doors within a specific geographic zone.

In a 2015 presentation to LAX, Clear showed off all the data that it collected on customers who enter stadiums, with the title “Identity Dashboard — Valuable Marketing Data.” That data includes favorite foods and beverages at sports stadiums, when they arrive at games, what kind of credit card they have, whom they attend games with, and how often they fly first class.

In a 2018 partnership with concession stands at the Seattle Mariners’ T-Mobile stadium, Clear users could verify they’re over 21 and pay for a beer with their fingerprint, as long as the card and fingerprint had been previously registered with Clear.

The company’s terms of service say, “the company would never sell or rent any user information, or send information to partners, without asking users permission”, but does say the company can use your personal data to market products to you that they think you might like. This is similar to the way that Facebook doesn’t sell data, but instead offers access to its users via ads, and tailors which users see those ads based on its own internal system.

Last year, at a U.S. Chamber of Commerce event, Seidman-Becker announced that the company had even partnered with Budweiser to make a “Bud Now” machine. “Fingerprints down, checks you are you, you are over 21, and you have an authenticated payment, and it delivers you your beer, all in less than 20 seconds,” she said.

“Just like screening was forever changed post-9/11, in a post-Covid environment you’re going to see screening and public safety significantly shift,” Seidman-Becker said on CNBC in June. “But this time it’s beyond airports. It’s sports stadiums, it’s retail, it’s office buildings, it’s restaurants.” Clear is pitching a world in which Health Pass could be installed in hotels, hospitals, or any business or location that wants to keep track of the health of its customers, employees, or residents.

Clear is signaling that it intends to be part of the fabric of Americans’ daily life, and the coronavirus pandemic’s creation of a “new normal” has, for the company, a silver lining.


Toddlers Are Being Scooped Up in Buenos Aires’ Live Facial Recognition Dragnet

More than 160 children, some as young as one year old, were placed on Argentina’s national criminal database in the last three years, according to a new report from Human Rights Watch (HRW), and their faces were uploaded into Buenos Aires’ city live facial recognition database.
Buenos Aires’ facial recognition has a history of failures. The new report suggests that even toddlers could be found on the publicly listed database, listed as wanted criminals. The inclusion of children in this criminal database violates international law protecting the privacy of children.

Under international human rights law, every child alleged to have committed a crime is guaranteed to have their privacy fully respected at all stages of the proceedings. May 17 2019 the UN warned the Argentinian Government that the use of the database known as the National Register of Fugitives and Arrests (Consulta Nacional de Rebeldías y Capturas, CONARC) for capturing children’s data was illegal.

Human Rights Watch reviewed 28 versions of the database published between May 2017 and May 2020, as archived by the Internet Wayback Machine, and found that over this three-year period, at least 166 children have been added to CONARC.

The database contains obvious errors and discrepancies. Some children appear multiple times. There are blatant typographical errors, conflicting details, and multiple national ID numbers assigned to single individuals, raising the risk of mistaken matches. In one example, a 3-year-old is listed as being wanted for aggravated robbery. These persistent errors in CONARC, which is updated every morning at 7 a.m., indicate that the system lacks basic safeguards to minimize data entry errors, which can have serious consequences for a child’s reputation and safety.

Since April 24, 2019, the Buenos Aires city government has fed this data into its facial recognition system, the Facial Recognition System for Fugitives (Sistema de Reconocimiento Facial de Prófugos, SRFP). The facial recognition component of this system is reported as having been developed by the Russian company NtechLab, which specializes in facial recognition technology. Facial recognition technology has considerably higher error rates for children, in part because most algorithms have been trained, tested, and tuned only on adult faces.


Ransomware Gang Donated Part of Ransom Demands to Charities

On October 13, the Darkside ransomware group announced donations in a blog post on its dark web portal.: As we said in the first press release – we are targeting only large profitable corporations. We think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.
The ransomware gang specifically made donations of 0.88 BTC (worth approximately $10,000) to two charities: Children International, a global non-profit organization dedicated to helping children in poverty, and The Water Project, an organization which works to provide clean water to villages in sub-Saharan Africa.

The move is being seen as a strange and troubling development, both morally and legally.

A Children International spokesperson told the BBC: “If the donation is linked to a hacker, we have no intention of keeping it”.

The Water Project, which works to improve access to clean water in sub-Saharan Africa, has not responded to requests for comment.


US: "Nobody gets hacked."

Donald J Trump: “To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password.”

This comment has outraged female hackers, “He seems to be inferring cyberattacks can only be carried out by males…”

It also seems he has forgotten his hotel chain was hacked twice: once from 2014 to 2015 and again from 2016 to 2017.


Well that’s it for this week DAML’ers! Stay tuned to stay safe and secure!


2 Likes

Thanks for a great post, @rps!

I agree with Schneier that the Cybersecurity Visuals winners are pretty underwhelming. But this one of a cuckoo grenade did make me laugh, so I guess I’m still in favor. :grin:

1 Like

Aw cute. And if that creates a greater affinity to the topic of Cyber-Security it has certainly fulfilled its remit! I think that anything that raises a laugh is a good thing, so I was dancing about last night to Nuke Bizzle Ft. Fat Wizza while wondering what new statement the president would drop today that would have us all grinning.

Thanks for your note Samir!

2 Likes