Same as it Ever Was with the IT Privacy and Security Weekly Update for December 7th 2021


As we come to the end of another tough year with… how many new Covid variants? It’s important to remind ourselves that the holidays are peak feeding season for the hack, crack and malware miscreant community.

So no, there are no “surprise” Amazon gift cards coming to you and… that attachment is only going to blow up on the Windows machine and steal your secrets.

Remember to initiate all outbound connections where you enter a username and password and if it’s worth keeping safe, it’s worth turning on 2FA (two-factor authentication).

For this week’s journey, we start with a SIM card, end with an Onion and circle the globe in-between.

We learn about naughty telecoms carriers, a frozen health department, and Microsoft taking down some bad actors acting badly.

We discover why secret agents in the cinema use Nokia phones, why Elon is the only one flying for NASA, and some interesting new features being rushed to Instagram the day before the Senate hearings.

This is without a shadow of a doubt the best IT Privacy and Security Weekly update yet, so grab your boots and your overcoat, and let’s get to swashbuckling “same as we ever did”!

MZ: Maybe some action in the US on SIM swap attacks?

SIM-swap attacks, in which someone ports your phone number to their device in order to get past two-factor authentication on your most sensitive accounts, have been a scourge for years. They’ve resulted in cryptocurrency theft, bank accounts being drained, and social media account takeovers. And while there’s no simple way to stop them, there are certainly approaches that the US hasn’t yet tried.

Which is why it’s heartening that the FCC finally appears to be paying attention to them; this week the agency said it was planning to push carriers to implement more secure authentication before transferring numbers to a new device. It won’t solve the problem entirely—especially since phone company employees have at times actively enabled the attacks—but it’s a long-overdue start.

AROUND A YEAR ago, André Tenreiro was called into a meeting between the chief technology officer of the phone carrier he worked for—one of the largest in Mozambique—and an executive of the country’s largest bank. The latter had seen an escalating pattern of fraud based on so-called SIM swap attacks, where hackers trick or bribe a phone company employee into switching the SIM card associated with a victim’s phone number. The attackers then use that hijacked number to take over banking or other online accounts. According to Tenreiro, the bank had seen more than 17 SIM swap frauds every month. The problem was only getting worse.

“The gentleman from the bank, I could see by his face he was desperate. As mobile operators, we also had a responsibility to fight this fraud.”

SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim’s banking credentials, or by using the phone number as a password reset fallback.

So the phone company, Tenreiro says, offered a straightforward fix: The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time lets them report the crime before fraudsters could take advantage.

By August of 2018, Mozambique’s largest bank was performing SIM swap checks with all the major carriers. “It reduced their SIM swap fraud to nearly zero overnight.”

So what’s the upshot for you? Why has this not caught on in the US? Some security firms and banking executives point to US carriers as the main hurdle. They simply don’t make real-time SIM swap data available for the kind of security checks other countries’ banks have implemented. In fact, security company Telesign has sought to offer SIM swap fraud-checking to US banks but has found that most US phone companies aren’t willing to work with them.
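The Mozambique check described above, as an added example (not the bank's or carrier's own system): a bank-side decision that blocks a transfer when the carrier reports a SIM change inside a cooling-off window. The carrier lookup is simulated with a constructed in-memory table, and the three-day window is the article's "say, two or three days".

```python
"""Bank-side SIM-swap check before a money transfer (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample of carrier records: phone number -> time of last SIM change (UTC).
# A number absent from the table has no SIM change on record. Numbers are made up.
CARRIER_SIM_CHANGES = {
    "+258841000001": datetime(2021, 12, 6, 9, 30, tzinfo=timezone.utc),  # swapped yesterday
    "+258841000002": datetime(2021, 11, 1, 12, 0, tzinfo=timezone.utc),  # swapped weeks ago
}


def last_sim_change(phone: str) -> Optional[datetime]:
    """Stand-in for the carrier's query API: most recent SIM change, or None."""
    return CARRIER_SIM_CHANGES.get(phone)


@dataclass
class Decision:
    allow: bool
    reason: str


def check_transfer(phone: str, now: datetime,
                   window: timedelta = timedelta(days=3)) -> Decision:
    """Block the transfer if the account's number had a SIM change within `window`.

    The window gives the victim, who usually notices a dead phone within minutes,
    time to report the swap before the hijacked number can receive OTPs.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware to compare with carrier timestamps")
    changed = last_sim_change(phone)
    if changed is None:
        return Decision(True, "no SIM change on record")
    age = now - changed
    if age < timedelta(0):
        # Clock skew or a bad record: a future-dated swap is suspicious, not benign.
        return Decision(False, "SIM change timestamp is in the future; manual review")
    if age <= window:
        return Decision(False, f"SIM changed {age} ago, inside the {window} window")
    return Decision(True, f"last SIM change {age} ago, outside the window")


def run_samples(now: datetime = datetime(2021, 12, 7, 10, 0, tzinfo=timezone.utc)
                ) -> Dict[str, bool]:
    """Decisions for the constructed records plus an unknown number."""
    phones = ["+258841000001", "+258841000002", "+258841000009"]
    return {p: check_transfer(p, now).allow for p in phones}


if __name__ == "__main__":
    for phone, allowed in run_samples().items():
        print(phone, "ALLOW" if allowed else "BLOCK")
```

A real deployment would also log the reason string for fraud analysts and fall back to manual review rather than silently allowing when the carrier query times out.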

FI: Agent Nomi uses Nokia 8.2 (8.3) 5G, Nokia 7.2 & 3310 in the Bond movie “No time to die”

00 agent “Agent Nomi” variously carries a Nokia 3310, Nokia 7.2, and Nokia 8.3 5G.

You may be wondering why a vendor like Nokia, with 0.7% of the smartphone market, appears with three different models in the latest Bond film.

They paid for the opportunity.

“There are some people who believe using ‘dumb phones’—pre-smartphone devices less reliant on software—keep them safer.”

The fact is, and we checked this with our NSO buddies, that “no” phone is the safest, most private, most secure phone to carry.

So what’s the upshot for you? What about an iPhone, isn’t that supposed to be secure and private?

Apparently, an iPhone would not be a good option for 007. “Untraceable phones with anti-surveillance, anti-interception, and location-spoofing functionality are a must for James Bond. An iPhone, however formatted, just wouldn’t be able to offer this ability to ensure tracking isn’t an option. The security of an iPhone is impressive enough for the normal user, but with threats such as Pegasus around periodically, it makes it difficult for a spy to use one securely and confidently.”

…and there you have it.

US: Verizon overrides users’ opt-out preferences in push to collect browsing history

Verizon is automatically enrolling customers in a new version of a program that scans mobile users’ browser histories—even when those same users previously opted out of the program when it had a different name.

The carrier announced changes to its “Verizon Selects” program along with a new name a few days ago. “Verizon Custom Experience Plus is the new name of our Verizon Selects program,” Verizon said in an FAQ.

Verizon is ignoring the previous opt-out preferences for at least some customers by enrolling them in “Custom Experience,” which collects browser and app-usage history.

Verizon says it does not sell the information collected, but does share the data with “service providers who work for us” and says it uses the data to “personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services, and offers that are more appealing to you. For example, if we think you like music, we could present you with a Verizon offer that includes music content or provide you with a choice related to a concert in our Verizon Up reward program.”

Er, what???!!

Verizon shares your data with vendors, but it says it tries to avoid collecting sensitive browsing and location information: “We make efforts to eliminate the use of websites that may be sensitive in nature; for example, we employ filters that are designed to exclude websites related to adult content, health conditions, sexual orientation and others. We also make efforts to eliminate the use of location information about sensitive points of interest in these same areas.”
The “make efforts” phrasing suggests that these filters will fail to prevent the collection of sensitive data in some cases.

Verizon customers have good reason to be wary of the carrier’s privacy practices. The Federal Communications Commission last year found that “Verizon apparently disclosed its customers’ location information, without their consent, to a third party who was not authorized to receive it.” The commission proposed a fine of $48 million.

In 2016, Verizon agreed to pay a $1.35 million fine for inserting “supercookie” identifiers into customers’ mobile Internet traffic without users’ knowledge or consent.

So what’s the upshot for you? We tried updating the Verizon privacy settings. Verizon doesn’t make it easy. If you select the option to delete the information they are gathering on you, then before they will let you tell them to stop collecting it, they send you an email with a code that has to be copied back into the confirmation page. That mail took a number of minutes to arrive in our tests. Just enough hoops to jump through to make it difficult enough that most people won’t bother.

You have been warned.

UK: Researchers find Apple Pay, Visa contactless hack

Large unauthorized contactless payments can be made on locked iPhones by exploiting how an Apple Pay feature designed to help commuters pay quickly at ticket barriers works with Visa.

The attack works like this:

  • a small commercially available piece of radio equipment is placed near the iPhone, which tricks it into believing it is dealing with a ticket barrier
  • at the same time, an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal - this could be in a shop or one under the criminal’s control
  • because the iPhone thinks it is paying a ticket barrier, it doesn’t need to be unlocked
  • meanwhile, the iPhone’s communications with the payment terminal are modified to fool it into thinking the iPhone has been unlocked and a payment authorized - allowing high-value transactions to be made without entering a PIN, fingerprint or using Face ID

In a demonstration video seen by the BBC, researchers were able to make a Visa payment of £1,000 (approx. US$1,300) without unlocking the phone or authorizing the payment.

The researchers say the Android phone and payment terminal used don’t need to be near the victim’s iPhone.

So what’s the upshot for you? Visa’s view was that this type of attack was “impractical”. We say, check your credit card statements carefully if you have set up your iPhone for these types of transactions.

Outer Space: After a “thorough review,” NASA awards additional astronaut flights to SpaceX

The announcement, posted on the space agency’s website late on Friday afternoon, follows a “request for information” issued by NASA in October seeking the additional transportation to keep “uninterrupted” US access to the space station.

The blog post contained the following rationale for selecting SpaceX to provide these three crewed flights while not selecting the other potential provider, Boeing’s Starliner spacecraft:

“After a thorough review of the near-term certified capabilities and responses from American industry, NASA’s assessment is that the SpaceX crew transportation system is the only one certified to meet NASA’s safety requirements to transport crew to the space station and to maintain the agency’s obligation to its international partners in the needed timeframe,” the agency said.

Boeing has yet to safely complete an uncrewed demonstration test. Following a December 2019 test flight plagued by software problems, Boeing’s effort to fly a second uncrewed demonstration had to be scrubbed this summer due to leaky oxidizer valves. Now, this “Orbital Flight Test-2” mission is unlikely to occur before mid-2022.

In its original procurements seven years ago, NASA agreed to purchase six of these “operational” missions each from SpaceX and Boeing. Because it has been the sole provider of operational missions, SpaceX may run through the end of its original contract by the spring of 2023. As NASA wants to fly crew missions every six months, and it has no guarantee that Boeing would be ready by 2023, it took the step of extending SpaceX’s contract now.

So what’s the upshot for you? Last week, we specifically called out the relationship of SpaceX to these new initiatives. We wanted to provide a little more context.

Global/CN: Court hands Microsoft control of websites linked to spying by Chinese hackers

Microsoft obtained a court order to seize websites from a Chinese government-linked espionage group that was using the sites to attack government agencies, think tanks, and human rights organizations in 29 countries, the company said Monday.

The legal move is aimed at a hacking outfit that Microsoft calls Nickel, which is also known as APT15 or Vixen Panda. It’s been around since at least 2010 and frequently spies on foreign affairs of interest to China.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” wrote Tom Burt, Microsoft’s corporate vice president for customer security and trust. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

So what’s the upshot for you?
Last month, the United States and the European Union joined the Paris Call for Trust and Security in Cyberspace, the world’s largest multistakeholder confirmation of core cybersecurity principles with more than 1,200 endorsers.

Meanwhile, the Oxford Process has brought together some of the best legal minds to evaluate the application of international law to cyberspace.

And the United Nations has taken critical steps to advance dialogue across stakeholders. It is our responsibility, and that of every entity with the relevant expertise and resources, to do whatever we can to help bolster trust in technology and protect the digital ecosystem.

RU: Cybersecurity CEO Arrested in Russia on Treason Charges

Russia has continued to crack down on every facet of technology in the country, which this week took a troubling turn. Law enforcement in the country has reportedly arrested Ilya Sachkov, founder and CEO of the international cybersecurity firm Group-IB.
He’s accused of working with “foreign intelligence services” to undermine Russia’s national interests; the company has said he is innocent of all charges. Sachkov faces up to 20 years in prison if found guilty.

So what’s the upshot for you? We could not make this up. Good luck to Ilya in the meantime.

US: Cyberattack freezes Maryland health department

The Maryland Department of Health over the weekend took many of its IT systems offline, including its main website, in response to a cyberattack, the agency said Sunday night.

“The Maryland Security Operations Center is investigating a network security incident involving the Maryland Department of Health,” the MDH spokesperson, Andy Owen, said in an emailed statement. “The Maryland Department of Information Technology, the Maryland Department of Health, and the Maryland Department of Emergency Management are working closely with federal and state law enforcement partners to address the incident and to gather additional information. Certain systems have been taken offline out of an abundance of caution and other precautions have and will be taken.”

So what’s the upshot for you? The Maryland Department of Health’s website was restored Monday evening, though officials said the “incident appears to have affected some of our partners,” including local health agencies.

US/RU: Mandiant Provides an update on what the “SolarWinds” Hackers are up to Now.

As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant “remains committed to tracking one of the toughest actors we have encountered.” These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead.

We continue to track multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. Based on our assessment of these activities, we have identified two distinct clusters of activity, UNC3004 and UNC2652. We associate both groups with UNC2452, also referred to as Nobelium by Microsoft.

In most instances, post-compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.

So what’s the upshot for you? “same as it ever was”

US: Instagram announces changes ahead of political grilling

Instagram suddenly announces new features it says will help teenagers and parents manage time spent on the app.

Parents will be able to see how much time their children spend on Instagram and set time limits, while teens will get reminders to take a break.

“If someone has been scrolling for a certain amount of time, we’ll ask them to take a break from Instagram and suggest that they set reminders to take more breaks in the future.”

It comes a day before Instagram chief Adam Mosseri is due to appear before US Senators investigating online safety.

So what’s the upshot for you? It will be launched today in the UK, Ireland, United States, Canada, Australia, and New Zealand.

We hope Adam gets to take a break during the Senate grilling tomorrow, somehow we doubt it.

US: Data Leak confirms predictive crime prevention targets the same areas of society previously targeted.

For our analysis, we obtained a trove of PredPol crime prediction data that has never before been released by PredPol for unaffiliated academic or journalistic analysis. Gizmodo found it exposed on the open web (the portal is now secured) and downloaded more than 7 million PredPol crime predictions for dozens of American cities and some overseas locations between 2018 and 2021.

This makes our investigation the first independent effort to examine actual PredPol crime predictions in cities around the country, bringing quantitative facts to the debate about predictive policing and whether it eliminates or perpetuates racial and ethnic bias.

We examined predictions in 38 cities and counties crisscrossing the country, from Fresno, California, to Niles, Illinois, to Orange County, Florida, to Piscataway, New Jersey. We supplemented our inquiry with Census data, including racial and ethnic identities and household incomes of people living in each jurisdiction—both in areas that the algorithm targeted for enforcement and those it did not target.

Overall, we found that PredPol’s algorithm relentlessly targeted the Census block groups in each jurisdiction that were the most heavily populated by people of color and the poor, particularly those containing public and subsidized housing. The algorithm generated far fewer predictions for block groups with more White residents.

We found that PredPol’s algorithm as used by dozens of law enforcement agencies disproportionately targeted vulnerable populations, including low-income communities and residents of public housing. We also found that its predictions disproportionately targeted neighborhoods with proportionately more Black and Latino residents.

So what’s the upshot for you? Garbage in, garbage out.

Cloud: Virtual-Network Vulnerability Found in AWS, Other Clouds

Vulnerabilities in Eltima’s software development kit (SDK) for virtual networking — which is used by a variety of cloud-based virtualization services, including Amazon’s WorkSpaces agent, its Nimble Studio AMI, and Eltima’s USB Network Gate — could allow an attacker to execute code in the kernel through a buffer overflow to gain higher privileges.

The ability to elevate privileges to kernel or root would allow malicious software to turn off security products and gain access to sensitive information that would otherwise be protected.

“We have listed different software and cloud products that we are aware of that rely on the Eltima SDK and the respective vendors have done their best to mitigate the issue. We encourage enterprise defenders and end-users to make sure the relevant products are patched and up-to-date. Furthermore, software developers that rely on the Eltima SDK for their solutions need to make sure that they’re using the latest version and to provide updates downstream as needed.”

So what’s the upshot for you? So far, there has been no evidence that the vulnerabilities have been exploited in the wild.

Global: A Mysterious Threat Actor Is Running Hundreds of Malicious Tor Relays

Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users.

Tracked as KAX17, the threat actor at its peak ran more than 900 malicious servers that were part of the Tor network, which typically hovers around a daily total of 9,000-10,000 relays. Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network.

Their role is to encrypt and anonymize user traffic as it enters and leaves the Tor network, creating a giant mesh of proxy servers that bounce connections between each other and provide the much-needed privacy that Tor users come for.

Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report.

However, despite this rule, servers with no contact information are often added to the Tor network, which is not strictly policed, mainly to ensure there’s always a sufficiently large number of nodes to bounce and hide user traffic.

But a security researcher and Tor node operator going by Nusenu told The Record this week that he observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and eventually traced back as far as 2017. Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.

The actor’s servers are typically located in data centers spread all over the world and are typically configured as entry and middle points primarily, although KAX17 also operates a small number of exit points. Nusenu said this is strange as most threat actors operating malicious Tor relays tend to focus on running exit points, which allows them to modify the user’s traffic.

KAX17’s focus on Tor entry and middle relays led Nusenu to believe that the group, which he described as “non-amateur level and persistent,” is trying to collect information on users connecting to the Tor network and attempting to map their routes inside it. In research published this week and shared with The Record, Nusenu said that at one point, there was a 16% chance that a Tor user would connect to the Tor network through one of KAX17’s servers, a 35% chance they would pass through one of its middle relays, and up to a 5% chance of exiting through one.

So what’s the upshot for you? This could be the work of anyone, but the breadth and depth seem to indicate a nation-state player.
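To make the relay-without-contact-info pattern and the 16% / 35% / 5% figures concrete, here is an added example (not Nusenu's tooling or Tor Project code) that measures what share of guard, middle and exit weight a cluster of contact-less relays holds in a constructed relay list, and turns per-position shares into circuit exposure. It assumes, as a simplification the article does not make, that the three positions are chosen independently.

```python
"""Share of Tor capacity held by contact-less relays, and resulting circuit exposure.

Added illustration on constructed data; real analysis runs over the consensus.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Relay:
    fingerprint: str      # constructed placeholder, not a real relay fingerprint
    flags: List[str]      # consensus flags such as Guard, Exit, Running
    weight: int           # consensus bandwidth weight
    contact: str = ""     # empty string models a missing ContactInfo line


# Constructed sample; the real network has roughly 9,000-10,000 relays.
SAMPLE_RELAYS = [
    Relay("A" * 8, ["Guard", "Running"], 400, "op@example.org"),
    Relay("B" * 8, ["Guard", "Running"], 100),               # no contact
    Relay("C" * 8, ["Running"], 300, "relay@example.net"),   # middle only
    Relay("D" * 8, ["Running"], 200),                        # no contact
    Relay("E" * 8, ["Exit", "Running"], 475, "exit@example.com"),
    Relay("F" * 8, ["Exit", "Running"], 25),                 # no contact
    Relay("G" * 8, ["Guard"], 999),                          # not Running: ignored
]


def position(relay: Relay) -> str:
    """Classify a relay by the position it can serve; Exit takes precedence."""
    if "Exit" in relay.flags:
        return "exit"
    if "Guard" in relay.flags:
        return "guard"
    return "middle"


def no_contact(relay: Relay) -> bool:
    return not relay.contact.strip()


def suspicious_share(relays: List[Relay],
                     is_suspicious: Callable[[Relay], bool] = no_contact
                     ) -> Dict[str, float]:
    """Fraction of running weight per position held by relays matching is_suspicious."""
    total = {"guard": 0, "middle": 0, "exit": 0}
    bad = {"guard": 0, "middle": 0, "exit": 0}
    for r in relays:
        if "Running" not in r.flags:
            continue
        p = position(r)
        total[p] += r.weight
        if is_suspicious(r):
            bad[p] += r.weight
    return {p: (bad[p] / total[p] if total[p] else 0.0) for p in total}


def circuit_exposure(share: Dict[str, float]) -> Dict[str, float]:
    """Probabilities for one circuit, assuming independent position choice."""
    g, m, e = share["guard"], share["middle"], share["exit"]
    return {
        "any_hop": 1 - (1 - g) * (1 - m) * (1 - e),
        "guard_and_exit": g * e,   # both ends observed: the deanonymisation case
    }


if __name__ == "__main__":
    print(suspicious_share(SAMPLE_RELAYS))
    print(circuit_exposure({"guard": 0.16, "middle": 0.35, "exit": 0.05}))  # article's figures
```

With the article's figures the independence model gives about a 48% chance that some hop of a circuit touches the cluster, but under 1% that both the guard and the exit do; the entry-plus-middle focus the researcher describes fits a mapping goal rather than end-to-end traffic confirmation.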

That’s it for this week Damlers! We’ll be taking off our boots now. You’ll find us tiptoeing around e-mails with attachments and hopping over any links unless we initialized a search for them and sought them out (same as it ever was).

Be kind, stay safe, stay secure, keep those toes warm, and see you in se7en!


Thanks Quidagis! Much appreciated.