Privacy and Security related News for the week ending 2020 11 03

We have the best mix of stories yet, from across the world… to outer space.

We start with why you might do better smashing your old thumb drives, then patching, a really laughable acronym, guarding against malicious Google Forms, how long were you on that phone?, why naming bugs is such a bitch, and a first review of Elon Musk’s SpaceX Starlink.

You will love every single word and you’ll be better informed and safer for each!

Listen to, or read our first story…

UK: Look What Was Left On USB Drives Sold On eBay

Two thirds of USB drives bought off eBay contain some kind of retrievable personal data, according to a study conducted by British academics.

The study, which saw Abertay University researchers examine the contents of 100 drives bought off the auction site, revealed files such as bank statements, health records, tax returns and CVs had not been fully wiped from the drives. Files named “passwords” were also among those recovered by the researchers, who were using publicly available tools.

Of the 100 USB thumb drives bought during the study, only 32 had been “properly wiped”. Partial file recovery was possible from 26 of the drives, while the researchers were able to fully recover every file from 42 drives.

The researchers recommended smashing the USB drive with a hammer if you are not selling it on; if you are, use a tool like the free Mini partition manager to wipe it first.

We love the "dripping in sarcasm" tone of this next article from the Register:

Oracle patches severe flaw in WebLogic Server that could be exploited ‘without the need for a username and password’

Oracle has released an emergency patch after a security vulnerability was revealed in its WebLogic middleware last week.

The security alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server.

The patch is designed to address the flaw revealed last week by Johannes Ullrich, dean of research at the SANS Technology Institute. He spotted a massive spike in traffic on research “honeypot” systems as somebody tried to identify public-facing WebLogic servers that weren’t patched against CVE-2020-14882. The flaw, with a CVSS score of 9.8, is an “easily exploitable vulnerability” in the application’s console that can be targeted over HTTP without user interaction to execute code remotely.

“If you find a vulnerable server in your network, assume it has been compromised,” Ullrich said.

“It affects the Weblogic server where the admin console is on the open internet which is extremely bad practice. [If you did that] you’d expose managed servers, not just the admin server on the open internet.”

He advised users not to allow WebLogic Console access from the open internet, and instead to use a proxy server as a gateway between the WLS server and the internet, configuring WebLogic connection filters to accept connections from trusted hosts only.

Still, it will be an embarrassment for Oracle to have to issue the patch after its mega quarterly update, which issued 402 fixes.

Whoops. Seems like you missed one, Larry.

Worst acronym of the week? The Control System Cyber Security Association International or (CS)2AI

Anyway, (CS)2AI & KPMG released a preview of a report compiled last year at a conference of their members (16,000), in which 600 participated.

Of the incidents observed by respondents in the year prior to taking part in the survey:

  • a majority involved an email-based attack vector (32%) or infected removable media (35%).

Nearly 46% of attacks have been attributed to negligent insiders (i.e. individuals with trusted access who unwittingly facilitate or cause a breach), but some were also attributed to:

  • scammers (16%),
  • cybercriminals (14%),
  • nation-state actors (12%) and
  • malicious insiders (11%).

Google Forms Used in Huge Password-Stealing Trick

Security firm Zimperium published a report which reveals how cybercriminals used a total of 265 Google Forms, part of Google Docs, while impersonating more than 25 brands, companies and government agencies. This, in itself, is hardly surprising: not only are Google Forms very easy to produce, but they also come with the trust-building advantage of being hosted under the domain. “Being hosted under a Google domain avoids the detection of reputation-based phishing detectors.”

Researchers found Google Forms purporting to be connected to various brands, including AT&T, BT Group, Capital One, Citibank, the IRS, OneDrive, Outlook, Office 365, Swisscom, T-Mobile, Wells Fargo and Yahoo.

How to protect yourself from this attack method?

  1. “When in doubt, navigate directly to the site the email is claiming to be from, logging into your account, and check for notifications.”
  2. Enable two-factor authentication (2FA) and use a password manager to minimize the likelihood of password reuse.
  3. Also “match the source website with the brand on the website, URL, logo and process.” The chances of a well-known brand serving you up a login screen from a address are virtually nil.

Adobe gets a new CSO

Former Blizzard Entertainment chief security officer (CSO) Mark Adams replaces former Adobe CSO, Brad Arkin, who joined Cisco as its new chief security and trust officer recently.

Adams joins Adobe at an exciting time for the firm, with its venerable but notoriously buggy Flash product about to be retired.

After December 31 2020, Adobe will no longer be providing updates for Flash Player, with support already removed from all major browsers.

Can we all give a Woop Woop???

AU: Media Comms Giant Says Ransomware Hit Will Cost Millions

Media communications giant Isentia is reporting that its coffers will be emptied of as much as $6 million ($8.5 million AUS) in the wake of a ransomware attack last week.

The company is a media-intelligence and data-analytics firm headquartered in Australia, with a presence throughout Southeast Asia. It’s known for its Mediaportal platform, which aggregates news about customers’ brands and is used by public relations and marketing teams globally. According to its website, customers include a variety of major clients, including the Australian government, Singtel, Samsung and the Walt Disney Corp.

Isentia said that remediation costs and lost business stemming from its systems being locked up by the attack will create a big hit to its bottom line for fiscal year 2021, with an estimate that this will total $7 million to $8.5 million AUS.

And this one sent in from Andrae Muys:

Google patches second Chrome zero-day in two weeks

This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks. Identified as CVE-2020-16009, the zero-day was discovered by Google’s Threat Analysis Group (TAG), a security team at Google tasked with tracking threat actors and their ongoing operations.

In typical Google fashion, details about the zero-day and the group exploiting the bug have not been made public — as a way to allow Chrome users more time to install the updates and prevent other threat actors from developing their own exploits for the same zero-day.

We have suggested previously that it’s important to secure our phones. Now a new survey shows us why.

According to a new survey published by satellite broadband provider Viasat, the typical American now spends 2-3 months per year on their phone.

For the survey, the researchers asked 1,000 Americans to estimate their smartphone use. They then compared these figures to actual reports produced by the phones themselves (using Screen Time reports for Apple phones, and Digital Wellbeing reports for Android phones). The data was collected during the summer of 2020, during the height of the coronavirus pandemic.

Three months per year on average
The survey found that “the average American is projected to spend 3 months on their phone by the end of 2020, with 30% spending 4-6 hours a day on their phone.”

  • GenZ respondents (born since 1997) used their phones 6-8 hours per day,
  • Millennials (1981 – 1996) and GenX’ers (1965 – 1980) 4-6 hours per day,
  • Boomers (1946 – 1964) 0-2 hours per day.

And 15% of respondents use their phones ten or more hours per day — equivalent to five months per year.

Broken out by sex:

  • Men use their phones more on Sundays,
  • Women on Mondays.

By App: Respondents aged 25-34 were the most likely to have Facebook as the most-used app on their phones, while those aged 16-24 were the least likely to do so.

The most-used app among 26 to 28-year-olds was Slack!

And finally, if you got paid $7.25/hr for using your phone 4-6 hours per day, you would have made between US$10-16K/yr!

Marriott fined £18.4 million by UK watchdog over customer data breach

At the time, threat actors were able to infiltrate Starwood systems and execute malware via a web shell, including remote access tools and credential harvesting software.

The attackers were then able to enter databases used to store guest reservation data including names, email addresses, phone numbers, passport numbers, travel details, and loyalty program information.

The compromise continued until 2018, and over the course of four years, information belonging to roughly 339 million guests was stolen. In total, seven million records relating to UK guests were exposed.

The Information Commissioner’s Office (ICO) says the company failed to meet the security standards required by GDPR due to failures to “put appropriate technical or organizational measures in place” when processing data, and as such, the company contravened data protection requirements now enforced through 2018 GDPR regulations.

The original notice of intent to fine, issued in July 2019, was set at £99,200,396 for GDPR violations. However, the ICO says that talks with Marriott, security improvements, and the economic damage caused by COVID-19 have led to the revised figure of £18.4 million.

US: And these days even naming your bugs can become politicized, so the CERT/CC has launched a Twitter bot to give security bugs random names.

For decades, all major security flaws have been assigned a CVE identifier by the MITRE Corporation. This ID is usually in the format of CVE-[YEAR]-[NUMBER], such as CVE-2019-0708.

These CVE IDs are usually used by security software to identify, track, and monitor bugs for statistical or reporting purposes; they are rarely used by humans in any meaningful way.

Over the years, some security firms and security researchers realized that their work in identifying important bugs could easily get lost in a constant stream of CVE numbers that almost everyone has a hard time remembering.

Companies and researchers realized that the bugs they discovered had more chances to stand out if the bug had a cool-sounding name.

And so the practice of “bug naming” came to be, with the best-known examples being Spectre, Meltdown, Dirty Cow, Zerologon, Heartbleed, BlueKeep, BLESA, SIGRed, BLURTooth, DejaBlue, or Stagefright.

Things reached a ridiculous level last year when a Cisco bug was named using three cat emojis, pronounced Thrangrycat (aka “three angry cats”).

As a result, security experts started to react with derision every time a newly disclosed security bug was given a name.

But … naming CVEs does have a place and it does work, so in a blog post on Friday the US CERT/CC team decided to put forward a solution to bring some order to vulnerability naming.

Their answer is the Vulnonym bot, which will assign a two-word codename in the format adjective-noun to every newly assigned CVE ID.

Testing it on Twitter, their Vulnonym bot has come up with some interesting combos: Ludicrous Beauty, Exhaustive Phalarope, Printable Nutria, Crouched Buzzard and, to end with, Skewed Bassoon.

Secure End-to-End Encryption (E2EE) on Zoom

Let’s start by saying Zoom meetings are encrypted by default. They’re likely safe enough for most people most of the time. And remember, encryption isn’t magic; the people that you’re talking to could still share whatever you say. Also if any of your devices are compromised, well, you’re out of luck.

Turning on end-to-end encryption comes with various inconveniences. When you have it enabled, all call participants need to call in from either the Zoom desktop or mobile apps—not a browser—or a Zoom Room. (That also means no telephone participants.) Features like cloud recording, live transcription, breakout rooms, polling, one-on-one chat, and meeting reactions aren’t compatible with end-to-end encryption, and no one can join the meeting before the host does.

You need a Zoom account to enable it, and free accounts need a valid phone number and billing option to take advantage, which Zoom has said helps prevent abuse of the feature.

For individual users, sign into your account on the Zoom web portal. Click Settings in the navigation panel, then Meeting.

Under Security, toggle Allow use of end-to-end encryption to on. It’ll ask you to verify your choice; click Turn On when it does.
Then back under Security you can choose your default encryption level. What Zoom calls Enhanced Encryption is fine in most cases—you’ll still be able to make specific calls end-to-end encrypted—but go with End-to-end Encryption if you’re especially scared of eavesdroppers.

You can confirm that you’re locked in by looking for a green shield in the upper-left corner of the screen.

Another told you so?? The Majority of Microsoft 365 Admins Don’t Enable MFA

A recent report by CoreView Research also found that 97 percent of all total Microsoft 365 users do not use MFA. “This is a huge security risk – particularly during a time where the majority of employees are remote…”

And while no one has looked up the stats for G-Suite, we are sure they are pretty similar. Always use 2FA!

And more calming reassuring privacy news…

Eagle Eye Networks, a cloud video surveillance company, raised $40 million in Series E funding from Accel to advance its platform.

The company’s video management system integrates with other application programming interfaces to provide recording, security and encryption, as well as broad analog and digital camera support. “It also works with industry cameras so customers don’t have to rip out and replace their existing cameras,” said Dean Drako, founder and CEO of Austin, Texas-based Eagle Eye Networks.

This new funding will be used to expand sales and marketing and invest in AI, particularly for new projects such as license plate recognition and elevated temperature screening. “We have just scratched the surface,” he added. “There are literally hundreds of millions of cameras in the world.”

Securing your home network:

  • Log in to your router, check for firmware updates, and upgrade if one is available. Set up a monthly task, maybe alongside bill paying, as a reminder to log in to see whether any new versions are available.
  • Verify that “Remote Administration” or “Administration from WAN/Internet” are disabled. If enabled, they allow access to the management UI from the Internet.
  • Review firewall settings for any open or proxied ports. If you’re unsure of the origin of a particular entry, disable it.
  • Check Wi-Fi network settings, if applicable, and verify you’re using the WPA3 Wi-Fi security standard – if your devices support it – or, at least, WPA2.
  • Make sure your network password is complex and not related to the network name.
  • Review your attached devices list for anything suspicious, and verify the identity of unknown hosts.

As Businesses Go Remote, Hackers Find New Security Gaps

The increase in server-side request forgery (SSRF) vulnerabilities is a trend HackerOne noticed last year and one that has since grown, Rice says. It is somewhat related to the pandemic but more broadly driven by the wholesale migration to cloud environments.

“These vulnerabilities aren’t very exploitable in on-prem or local environments but have massive impacts when redeployed to shared multi-tenant cloud environments. … We’re seeing the impact of them spike pretty dramatically,” he says.

UK: Was Hunter Biden’s laptop password really “Hunter02”?

The headline (which in Daily Mail tradition is typically wordy) reads:

“EXCLUSIVE: National security nightmare of Hunter Biden’s abandoned laptop containing phone numbers for the Clintons, Secret Service officers and most of the Obama cabinet plus his sex and drug addictions – all secured by the password Hunter02”

It’s the bit about the password which interests me the most. Obviously, if true, “Hunter02” is a very poor choice of password. Particularly for somebody called Hunter.

But what’s bizarre is that there has been a meme all about having “hunter2” as a password, for the best part of 20 years.

Is it possible that somebody is having a joke at the media’s expense, and has duped some non-tech savvy journalists into believing that the son of US Presidential candidate Joe Biden might have used a joke password like “hunter02”?

And if that password makes us raise a doubtful eyebrow, might we be wise to be similarly cautious about other claims made in the article – especially with a contentious US election due to take place today?

We loved this write in comment about Graham Cluley’s article:

“I would be cautious about anything in the Daily Mail. They told us Eric Idle would be the new Doctor Who.”

U.S. Says Iranian Hackers Accessed Voter Information

“CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election,” the alert reads.

Between September 29 and October 17, the adversary launched attacks on U.S. state websites, including election websites, to access voter information, CISA and the FBI say.

Observed activity includes exploitation of known vulnerabilities, the use of web shells, and the abuse of web application bugs.

“CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records,” CISA and the FBI say.
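Detection logic for the scripted record-walk CISA describes above, as an added example that is not from the alert or the article: it parses a few constructed combined-format web access log lines and flags a client that fetched many consecutive record IDs in a short window, noting whether it announced itself as a command-line tool. The endpoint path /records?id=, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format); not real data.
# One client walks /records?id=N sequentially with a curl User-Agent,
# another browses two records minutes apart with an ordinary browser UA.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2020:14:02:01 +0000] "GET /records?id=1001 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2020:14:02:01 +0000] "GET /records?id=1002 HTTP/1.1" 200 509 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2020:14:02:02 +0000] "GET /records?id=1003 HTTP/1.1" 200 515 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2020:14:02:02 +0000] "GET /records?id=1004 HTTP/1.1" 200 511 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2020:14:02:03 +0000] "GET /records?id=1005 HTTP/1.1" 200 508 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2020:14:02:03 +0000] "GET /records?id=1006 HTTP/1.1" 200 513 "-" "curl/7.68.0"
198.51.100.4 - - [10/Oct/2020:14:02:05 +0000] "GET /records?id=2210 HTTP/1.1" 200 520 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:14:09:40 +0000] "GET /records?id=2211 HTTP/1.1" 200 518 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed record endpoint; adapt the pattern to the site's real URL scheme.
ID_RE = re.compile(r'^/records\?id=(\d+)$')
SCRIPT_UAS = ('curl', 'wget', 'python')


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    idm = ID_RE.match(m['path'])
    rid = int(idm.group(1)) if idm else None
    return {'ip': m['ip'], 'ts': ts, 'status': int(m['status']),
            'ua': m['ua'], 'rid': rid}


def find_enumerators(log_text, min_hits=5, window_s=60):
    """Map client IP -> details for clients that successfully fetched at least
    min_hits distinct record ids within window_s seconds, where at least 80%
    of the ids are consecutive (the signature of a scripted walk)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['rid'] is not None and rec['status'] == 200:
            by_ip[rec['ip']].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        for i in range(len(recs)):
            start = recs[i]['ts']
            win = [r for r in recs[i:] if (r['ts'] - start).total_seconds() <= window_s]
            ids = sorted({r['rid'] for r in win})
            if len(ids) < min_hits:
                continue
            consecutive = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if consecutive >= (len(ids) - 1) * 0.8:
                flagged[ip] = {
                    'records': len(ids),
                    'span_s': (win[-1]['ts'] - start).total_seconds(),
                    'scripted_ua': any(r['ua'].lower().startswith(SCRIPT_UAS) for r in win),
                }
                break  # one finding per client is enough for an alert
    return flagged
```

Run over real logs, a hit should trigger rate limiting on the endpoint and a review of the access control that let unauthenticated requests read records by id in the first place.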

JM Bullion Discloses Months-Long Payment Card Breach

Texas-based precious metals dealer JM Bullion has informed some customers that their payment card information may have been stolen by cybercriminals, but the disclosure came months after the breach was discovered.

The investigation found that someone hacked into JM Bullion’s website and planted malicious code that was present on the site between February 18 and July 17, 2020. The malicious code was apparently designed to harvest customer information entered on the website — this is known as a skimming or Magecart attack.

Some customers who discussed the incident on Reddit seem disappointed that it took the company five months to discover the breach and another three months to alert impacted individuals. Others expressed concern that the exposure of physical addresses is serious as someone could use the information to target the homes of people who acquired precious metals.

And our penultimate story only bumps up against privacy if this company’s drones bump up against your kitchen window…

CA: Startup news: Canadian drone reforestation company

Flash Forest is Canada’s first-to-market and largest drone reforestation company that uses UAV hardware, aerial mapping software, automation, and biological seed-pod technology to reforest areas at a rapid pace.

When it begins work at a site, the startup first sends mapping drones to survey the area, using software to identify the best places to plant based on the soil and existing plants. Next, a swarm of drones begins precisely dropping seed pods, packed in a proprietary mix that the company says encourages the seeds to germinate weeks before they otherwise would have. The seed pods are also designed to store moisture, so the seedlings can survive even with months of drought. In some areas, such as hilly terrain or in mangrove forests, the drones use a pneumatic firing device that shoots seed pods deeper into the soil. “It allows you to get into trickier areas that human planters can’t.”

After the current planting near Toronto and another in British Columbia, the company will begin a restoration project in Hawaii later in the year, with plans to plant 300,000 trees there. It’s also planning tree-planting pilots in Australia, Colombia, and Malaysia. In some cases, funding comes from forestry companies, government contracts, or mining companies that are required to replant trees; in other cases, the startup plants trees for companies that offer tree-planting as a donation with the sale of products, or for landowners who can get a tax break, in some areas, for planting trees. “There’s a lot of philanthropy around it, and then also just a solid business model with a desperate need and demand to plant trees.”

To quickly plant around a trillion trees—a goal that some researchers have estimated could store more than 200 gigatons of carbon—Flash Forest argues that new technology is needed. In North America, trees need to grow 10-20 years before they efficiently store carbon, so to address climate change by midcentury, trees need to begin growing as quickly as possible now. “I think that drones are absolutely necessary to hit the kind of targets that we’re saying are necessary to achieve some of our carbon sequestration goals as a global society,” she says. “When you look at the potential for drones, we plant 10 times faster than humans.”

So our last story has to be from outer space.

SpaceX Starlink users provide first impressions and unboxing pictures "It feels like it’s from the future… I am amazed at how well it works."

SpaceX Starlink beta users are starting to share their experiences, and confirm that sometimes the satellite service can provide fast broadband speeds and low latencies in remote areas.

With a user terminal/satellite dish placed on the ground in a relatively open part of the forest (Northern Idaho), a speed test measured downloads of 120Mbps, uploads of 12Mbps, and latency of 37ms. Results in a different, more heavily forested location with the dish closer to the trees were worse, because Starlink needs a clear line of sight to SpaceX satellites. “It didn’t work well with a heavy tree canopy/trees directly in the line of sight, you would be connected only for about 5 seconds at a time. Make sure you have as clear a view of the sky as possible!”

That principle applied to my hard wired cable connection and its constant flakiness… perhaps we just have to run the cable over the tops of the trees. OK then!

That’s all for this week, DAML’ers. If you are in the US, go vote! If you are not, encourage someone who is!



Great as always!