Privacy and Security related news for the week ending 2020 11 10

Dear DAML’ers,

After what some may have found a nerve-wracking week across the globe awaiting the results of the US elections (absolutely validating the value of immutable transactions), the dust is settling a little. While US authorities pat themselves on the back, we look into just how precarious some of the security surrounding voting was, from voter-data websites that leaked to ballot boxes that could be opened in seconds; you may come away a little shaken.

We have a story of how the father of the Internet wants to bring privacy back, the results from both the Pwn2Own and the Tianfu Cup and an early Black Friday sale that could land you behind bars.

*Finally, we end with a story that might put a little more sting in your Campari and soda.*

This is the best round up yet! We hope you enjoy this week’s privacy and security update.

Read on or listen up!

US: 2020 Is An Election Security Success Story (So Far)

After voting concluded, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, released a statement, saying that “after millions of Americans voted, we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies.” Krebs pledged to “remain vigilant for any attempts by foreign actors to target or disrupt the ongoing vote counting and final certification of results,” and no reports have emerged of threats to tabulation and certification processes.

Certainly credit goes to CISA’s impressive work in defending and securing election infrastructure more broadly and to U.S. Cyber Command’s strategy of defending forward. But will we learn enough in the coming months to draw specific conclusions? Was the Trickbot takedown a sufficient warning shot to discourage ransomware? Did sanctions imposed after 2016 effectively deter foreign actors? Did the political circumstances diminish the incentives to engage in malicious conduct?

Of course, coordinated foreign disinformation wasn’t the whole story in 2016 and it wasn’t here either. This election season saw plenty of domestic disinformation attempts. The Trump campaign official account, the White House social media director, Trump surrogates and the second-highest ranking Republican in the House all tweeted manipulated pictures or videos.

Somehow the US seems to have pulled off a free and fair election without significant cyber disruptions, foreign influence or unchecked disinformation, all during a pandemic and in the face of active efforts by the president to undermine both the administration of and confidence in the election.

But the real winner on US election night? The Calm App.

Running ads between the nerve-racking election coverage that said, "Do nothing for 15 seconds” to the sound of rain falling on leaves, the meditation app is now counting upwards of 50 million users on its platform.

Trump Site Alleging Arizona Election Fraud Itself Leaks Voter Data

The Trump campaign hastily set up a website to support its lawsuit claiming voters were duped into having their ballots rejected. Unfortunately, the “Name” field reveals lists of voter names and addresses as you type.

We ran a script to test out how easy it would be to pull the data and change the parameters to start with the letter “A” and to stop at the first 5000 entries and “Bam”, the first 5000 names and addresses.

Someone else used a SQL injection to pull Names, Addresses, DOBs and last 4 of SSNs.

The original Reddit post writer had contacted the Arizona Board of Elections, Maricopa County Recorder, and Amazon AWS (the website is registered through them). There is no contact information on the website except for the disclosure that the website is financed by the RNC and authorized by Trump’s campaign.
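The two failures described above, an autocomplete that enumerates the whole table from a single keystroke and a query that splices user text straight into SQL, shown beside a hardened version of the same feature. This is an added example over a constructed in-memory SQLite table, not code from the site in the story; the column names, the prefix minimum and the result cap are assumptions.

```python
import sqlite3

# Constructed voter table; every name, address and date below is made up.
SAMPLE_ROWS = [
    ("Alice Adams", "1 Example St", "1970-01-01"),
    ("Aaron Abbott", "3 Example St", "1990-03-03"),
    ("O'Brien Alan", "2 Example St", "1980-02-02"),
    ("Bob Baker", "4 Example St", "1965-04-04"),
]
MIN_PREFIX = 3    # shortest prefix the endpoint will answer (assumed policy)
MAX_RESULTS = 10  # hard cap on rows per request (assumed policy)

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (name TEXT, address TEXT, dob TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_unsafe(conn, prefix):
    """The pattern behind the leak: user text spliced into SQL, every column
    returned, no row limit. A lone '%' dumps the table, and an apostrophe in a
    legitimate name (O'Brien) breaks the statement, the same flaw injection abuses."""
    sql = f"SELECT name, address, dob FROM voters WHERE name LIKE '{prefix}%'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, prefix):
    """Same feature with the three controls the original site lacked."""
    # 1. Refuse very short prefixes so one keystroke cannot enumerate the table.
    if len(prefix) < MIN_PREFIX:
        return []
    # 2. Neutralise LIKE wildcards, then bind the value instead of splicing it.
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    # 3. Return only the column the UI needs (never address or DOB) and cap rows.
    rows = conn.execute(
        "SELECT name FROM voters WHERE name LIKE ? ESCAPE '\\' LIMIT ?",
        (escaped + "%", MAX_RESULTS),
    ).fetchall()
    return [r[0] for r in rows]

def unsafe_rejects_apostrophe(conn):
    """True if the naive query fails on a legitimate name such as O'Brien."""
    try:
        lookup_unsafe(conn, "O'B")
        return False
    except sqlite3.OperationalError:
        return True
```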

US: Physical Privacy. Test of US Voter Ballot Collection Box Locks: All Opened With a Straight Metal Shim in Less Than 30 Seconds.

In some US counties with over a million voters, only a few ballot collection boxes were provided. This was said to provide a political advantage. At a cost of US$3,800 each, you would expect something solid to collect ballots in.

Apparently, though the boxes themselves were solid, at least one established manufacturer shipped them with a 1999 vending machine lock that retailed for US$17. These are wafer-type locks that can easily be manipulated into opening by jiggling them up and down.

It appears there is currently no minimum standard specification for ballot collection boxes (or their locking mechanisms) in the US. With the razor thin margins between candidates over the last two US elections, it might be worth considering.

iPods, coffee pods, Kubernetes pods and now Tim Berners-Lee introduces “Privacy Pods” for a More Secure Internet.

In a world where everyone seems to have access to and control of your personal data except you, Sir Tim and a number of heavy hitters in the cyber security space are trying a fresh approach: storing sensitive info like your health data in a “pod” that lets you decide who gets read, write, append or control access to it.

Great concept, but there are a few hurdles first. The infrastructure has to be agreed on by all companies that generate and consume that data.

Users will need to understand their own control over private data and how to provide access to it, or be provided a means of access that abstracts them from difficult decision processes. (Remember these are the same users that value the free use of Google maps more highly than the company collecting and holding their location data for the last 5 years.)

Finally, someone has to have a way to monetize it to cover costs.

Sir Tim’s proposal: “…a technology for organizing data, applications, and identities on the web. Solid enables richer choices for people, organizations and app developers by building on existing web standards.”

We are encouraged to see the UK’s National Health Service testing it out currently, but wonder if cash starved health providers generally are going to provide the “oomph” to get a project like this across the line.

Sir Tim is credited with inventing the World Wide Web 30 years ago, when many considered heterogeneous interoperability impossible. From our perspective, any idea that competes to return control of personally identifiable information (PII) and personal health information (PHI) to the hands of the data subject is worthy of consideration.

For now Inrupt, the company behind Solid, appears heavy on concept and light on detail, but watch this space … every great idea starts somewhere and Sir Tim has a good track record.

Don’t give in to temptation.

A fake Facebook Group is using the lure of a free hamper of Cadbury chocolate to trick social media users into divulging their personal and financial details. The campaign appears to have been launched over the weekend and already has hundreds of comments and nearly 2000 likes.

The campaign is based around “Cadbury Rewards,” which has been set up with official logos to spoof a legitimate group on the social media site.

Various posts from the group claim that the chocolate-maker, now owned by multinational Mondelēz, is sending a hamper to everyone who replies before midnight, as part of a celebration of its 126 years in business. In reality, the company is 196 years old, having been founded in 1824.

“If someone is asking for your credit card details, on social media or over email, always look closely at why they would need that information. If someone is offering you free products, but requesting you provide your card details, alarm bells should start to ring.”

US: Zoom Lied to Users About End-to-End Encryption for Years, Federal Trade Commission Says

The Federal Trade Commission today announced a settlement with Zoom Video Communications, Inc. that will require the company to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.

Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.

In its complaint, the FTC alleged that, since at least 2016, Zoom misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content.

In reality, the FTC alleges, Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised. Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

Under the settlement, “Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false.”

Zoom is separately facing lawsuits from investors and consumers that could eventually lead to financial settlements.

Npm package caught stealing sensitive Discord and browser files

Named discord.dll, the malicious JavaScript library was until recently available via npm, a web portal, command-line utility, and package manager for JavaScript programmers.

Developers use npm to load and then update libraries (npm packages) inside their JavaScript projects — websites, desktop apps, or server applications.

Once installed, discord.dll will run malicious code to search a developer’s computer for certain applications and then retrieve their internal LevelDB databases.

Targeted apps include browsers like Google Chrome, Brave, Opera, and the Yandex Browser, but also the Discord instant messaging app.

The malware retrieves LevelDB databases, which apps use to store information such as browsing histories and various access tokens.

discord.dll would read the files and attempt to post their contents to a Discord channel via a Discord webhook.
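A defender-side triage script for the behaviour described in this story: it walks an installed node_modules tree and flags packages that declare npm lifecycle scripts, reference a Discord webhook URL, or reference browser LevelDB storage paths. This is an added example run over a constructed sample tree, not the malicious package's code or any npm tooling, and the indicator patterns are assumptions drawn from the story's description.

```python
import json, os, re, tempfile

# Indicators drawn from the story: a package that walks browser/Discord profile
# directories for LevelDB stores and posts what it finds to a Discord webhook.
WEBHOOK_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
LEVELDB_RE = re.compile(r"Local Storage[\\/]+leveldb", re.I)
LIFECYCLE = ("preinstall", "install", "postinstall")

def scan_package(pkg_dir):
    """Return (indicator, path) findings for one installed package."""
    findings = []
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
        # Lifecycle hooks run automatically on `npm install`, so they deserve a look.
        findings += [(f"lifecycle script: {h}", manifest) for h in LIFECYCLE if h in scripts]
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs", ".json")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if WEBHOOK_RE.search(text):
                findings.append(("discord webhook url", path))
            if LEVELDB_RE.search(text):
                findings.append(("leveldb path reference", path))
    return findings

def scan_node_modules(node_modules):
    """Scan every package directory; returns {package_name: findings} for hits only."""
    report = {}
    for entry in sorted(os.listdir(node_modules)):
        pkg_dir = os.path.join(node_modules, entry)
        hits = scan_package(pkg_dir) if os.path.isdir(pkg_dir) else []
        if hits:
            report[entry] = hits
    return report

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def build_sample_tree():
    """Constructed node_modules: one benign package, one showing all three indicators."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    _write(os.path.join(nm, "pad-left", "package.json"), json.dumps({"name": "pad-left"}))
    _write(os.path.join(nm, "sample-suspicious", "package.json"),
           json.dumps({"name": "sample-suspicious", "scripts": {"postinstall": "node index.js"}}))
    _write(os.path.join(nm, "sample-suspicious", "index.js"),
           "const hook = 'https://discord.com/api/webhooks/000/PLACEHOLDER';\n"
           "const store = 'Local Storage/leveldb';  // constructed indicator string\n")
    return nm
```

Pointing scan_node_modules at a real project's node_modules gives a shortlist to review by hand; a lifecycle script alone is common and benign, so it is the combination of indicators that matters.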

US: Former Microsoft Worker Gets 9 Years in $10M Fraud Scheme

Volodymyr Kvashuk, a 26-year-old Ukrainian citizen living in Renton, Washington, was responsible for helping test Microsoft’s online retail sales platform.

Prosecutors said he stole digital currency such as gift cards or codes that could be redeemed for Microsoft products or gaming subscriptions, then resold them on the internet.

A federal jury convicted Kvashuk in February of tax, money laundering and fraud charges. U.S. District Judge James Robart sentenced him Monday and ordered him to pay more than $8.3 million in restitution.

Kvashuk bought a US$160K Tesla and a US$1.7M lakefront house with some of the proceeds. Nothing like keeping a low profile. He faces deportation following his prison term.

Let’s Encrypt Warns Some Android Users of Compatibility Issues

Let’s Encrypt, which earlier this year announced releasing over one billion certificates since its launch in 2015, initially relied on a cross-signature from IdenTrust. It can take a certificate authority (CA) years to get a new root certificate accepted by browsers and operating systems, and in order to be able to immediately start issuing certificates that are trusted by devices, a CA can get a cross-signature from a trusted CA.

Let’s Encrypt’s own root certificate is now mature, and the cross-signed certificate, which is set to expire on September 1, 2021, is no longer needed. While this will not impact most users, software that has not been updated since September 2016 and does not trust Let’s Encrypt’s own root certificate will likely run into problems.

The CA believes one of the products most impacted by this will be Android, prior to version 7.1.1. The organization estimates that roughly one-third of Android devices are still running these older versions, which means their users will start getting certificate errors once the cross-signed certificate expires. Major integrators indicated that these users account for roughly 1-5% of their traffic.

While the situation might improve by next year when the certificate expires, Let’s Encrypt believes there will still be many impacted devices and so is trying to raise awareness (and we are happy to help).

Hacked In 300 Seconds: iOS 14, Samsung Galaxy S20, Windows 10

The annual Tianfu Cup is in its third year. Populated by teams from China that used to dominate the Pwn2Own leaderboard until they stopped taking part, supposedly in response to a government directive banning them from doing so, it saw some big names in hardware and software fall this year. And fall quickly: each of the 15 teams was allowed three attempts to show its exploits in a five-minute timeframe.

11 targets were successfully exploited by the Chinese hackers. These included: an iPhone 11 Pro running iOS 14, Windows 10 (v2004 April 2020), the Samsung Galaxy S20, Chrome, Firefox, Safari and Adobe PDF Reader.

The precise details of the vulnerabilities that the hackers managed to exploit are not known; the Tianfu Cup follows the lead of Pwn2Own and doesn’t disclose these details until after the vendors have had the chance to fix them.

Prize money awarded was somewhere around US$1.2M.

Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020

Organizers offered a wide range of mobile and IoT devices, but participants focused on routers, NAS products and TVs.

In total, participants were awarded $136,000 for 23 unique vulnerabilities across six different devices. Impacted vendors have been given 120 days to release patches before details are made public.

Black Friday sales? Hackers selling network access to 7500 educational establishments have dropped their asking price.

The threat actor offering the details reduced the asking price to BTC 10 (USD 155,300) from BTC 25 (USD 387,000) on November 4.

“Educational establishments could be a particularly tantalizing target for research and intellectual property theft, especially if linked to COVID-19 research. Cyber-criminals are economically rational in their behavior and will price their ‘offer’ of credentials to maximize returns, in the shortest time, for the smallest of efforts.”

Hotel Booking Firm Leaks Data on Millions of Guests

The Prestige Software hotel reservation platform has been exposing highly sensitive data from millions of hotel guests worldwide, dating as far back as 2013 and including credit card details for hundreds of thousands of people.

Based in Madrid and Barcelona, Prestige Software sells a channel management platform called Cloud Hospitality to hotels that automates their availability on online booking websites like Expedia and Booking(dot)com.

The company was storing years of credit card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks.

Size: 24.4 GB, totaling 10,000,000+ exposed files
Data Storage Format: Misconfigured AWS S3 bucket
Countries Affected: Worldwide

Customer data exposed:
PII data: Full names, email addresses, national ID numbers, and phone numbers of hotel guests
Credit card details: card number, cardholder’s name, CVV, and expiration date
Payment details: total cost of hotel reservations
Reservation details: Reservation number, dates of a stay, the price paid per night, any additional requests made by guests, number of people, guest names, and much more.

Mashable Customer Data Leaked Online

“This past Wednesday evening, November 4th, we learned that a hacker known for targeting websites and apps had posted a copy of a Mashable database to the internet,” said Mashable.

“Based on our review, the database related to a feature that, in the past, had allowed readers to use their social media account sign-in (such as Facebook or Twitter) to make sharing content from Mashable easier.”

Information leaked included first and last names, location data, email addresses, gender, date of registration, IP addresses, links to social media profiles, expired OAuth tokens, and the days and months on which users’ birthdays fall.

IT: Campari Gulps and Staggers after Ransomware Attack

“Campari Group Press Release. Malware attack: update on IT systems recovery
Milan, November 9th, 2020 - Following the previous communications on the malware attack, Campari Group informs that, in the context of its IT systems recovery plan, selected services have been progressively resumed following their successful sanitization and the installation of extra security measures.”

Campari was targeted by hackers using the Ragnar Locker ransomware. According to some reports, the malware attack managed to encrypt data on 24 of the company’s servers around the world, and the hackers responsible have demanded a cryptocurrency ransom worth $15 million.

In its ransom note, the group claimed it had stolen 2TB worth of files from Campari’s servers, including sensitive information such as bank statements, social security numbers, tax forms, contracts, and even passport details.

The company has made no statement about whether it would be prepared to pay the ransom or not, but for now it certainly sounds as if it has chosen to attempt to rebuild its services on multiple sites, adding additional security measures in a bid to prevent reinfection.

As to the data that was stolen… That’s another story.

That’s it for this week DAML’ers! Stay safe, stay secure and see you next week!