Serving up the IT Privacy and Security weekly update with a slice of cake on May 6th, 2022


This week we start with flying bananas(?), before traveling through Spain, China, Russia, Nigeria, and Austria to get a visual carbohydrate count.

We consider the secure tweet, break and break into more phones, set new attack records, and nick a few scientists.

We find China hacking Europe, the US and UK hacking Russia, Russia hacking Ukraine, and someone hacking Spain.

…then we end with a quote of the week that only a mother could love.

This is the BITPASWU (Best Information Technology Privacy and Security Weekly Update) yet, so grab your friends and let’s FAF (Focus, Act, and Follow-Through)!

Global: Wait! A banana-colored drone just landed on that guy’s hand.

More than five years after it released Spectacles, Snap is back with a second hardware product. And this time it flies.

Yes, Snap made a drone. Called Pixy, the small yellow puck takes off from your hand, follows you around, and captures video that can be sent back to Snapchat.

It’s Snap’s attempt at making a drone that’s friendlier and more approachable than other products on the market — and it may hint at the more advanced, AR-powered future Snap is building toward.

Pixy is available online for $230 in the US and France starting Thursday. Unlike most existing drones, it’s small and light enough to fit in a pant pocket.

There isn’t a controller; it takes off from and lands on an outstretched palm, and it uses six pre-programmed flight patterns that are accessible through a dial on the top of the device.

The Pixy weighs just 101 grams with its swappable battery inserted. Snap says a full charge will get you five to eight flights, which can range from roughly 10 to 20 seconds — a short flight even by tiny drone standards.

Thanks to a bottom-facing camera, the Pixy’s main trick is taking off and landing in your hand.

Its front-facing camera needs to be lined up roughly at eye level as it takes off, and then it automatically tracks you as you move around. When you’re ready to end the flight, simply outstretch your hand to the Pixy, and it returns to your palm.

During both outdoor and indoor tests, I found this to be the most impressive part of using the drone; it just works and induces a rare “wow” moment the first time it happens.

Pixy may be a Trojan horse for a bigger idea. Snap recently bought a French startup called NextMind that made a headband for controlling computers with your thoughts. Imagine controlling your banana-colored drone just with your thoughts.

So what’s the upshot for you? Relaying your thoughts to Snap to control your drone. No privacy issues there. (loud coughing)

Global: Elon has built better rockets, cars, and solar panels. Can he do the same for security?

“Twitter DMs should have end-to-end encryption like Signal,” Elon Musk tweeted Wednesday to his 89 million followers, “so no one can spy on or hack your messages.”

And on Monday, Musk also announced hopes to “authenticate all humans.”

But now SecurityWeek is wondering if Musk’s acquisition of Twitter will ultimately mean not just better security at Twitter but also innovation for the entire cybersecurity industry:
Twitter has struggled with consistent security leadership, hiring and firing multiple CISOs even as nation-state adversaries target Twitter’s massive user base with computer-generated disinformation campaigns…“Even if you don’t like the guy, you have to root for Twitter to beat the bots,” said one prominent CISO interviewed by SecurityWeek on Tuesday. “I think we will all benefit from any security features they [Twitter] can create.”

Jamie Moles, a senior technical manager at ExtraHop, said the bot-elimination mission could have spinoff benefits for the entire industry. “While this seems like a Sisyphean task if he’s successful, the methods used by Twitter to eliminate bots from the platform may generate new techniques that improve the detection and identification of spam emails, spam posts, and other malicious intrusion attempts. If Musk and his team can train AI to be more effective in combating this, it may well be a boon to security practitioners everywhere.”

"Identity is one area I expect to see movement. In addition to just detecting bots and spam better, I think we will see Twitter do a better job of verifying humans. There are a lot of things to fix there," said one CISO who requested anonymity because his company does security-related business with Twitter. Industry watchers also expect to see the company improve the multi-factor authentication (MFA) adoption numbers among its massive user base…A transparency report released by Twitter in January this year showed that barely 2.3 percent of all active Twitter accounts had enabled at least one method of two-factor authentication.

If Twitter can build a reliably secure platform with a new approach to distinguishing between human and bot traffic and fresh flavors of MFA and encryption, this could be a big win for the entire industry and users around the world.

So what’s the upshot for you? Elon’s got a pretty good track record so far. We wouldn’t bet against him.

ES: Spanish Prime Minister’s Mobile Phone Infected By Pegasus Spyware

Spanish authorities have detected “Pegasus” spyware in the mobile phones of Prime Minister Pedro Sanchez and Defense Minister Margarita Robles, the government minister for the presidency, Felix Bolanos, said on Monday.

Bolanos told a news conference Sanchez’s phone was infected in May 2021 and at least one data leak occurred then.

“The interventions were illicit and external. External means carried out by non-official bodies and without state authorization,” he said, adding that the infections had been reported to the justice ministry, and the High Court would be in charge of the case.

The announcement followed intense pressure on the leftist coalition government to explain itself after Canada’s digital rights group Citizen Lab said more than 60 people linked to the Catalan separatist movement had been targets of “Pegasus” spyware made by Israel’s NSO Group.

The European Union’s data watchdog has called for a ban on Pegasus over allegations it has been abused by client governments to spy on rights activists, journalists, and politicians.

So what’s the upshot for you? Now the question is who is putting the Pegasus software on all these top politicians’ phones.

Global: Cloudflare Thwarts Record DDoS Attack Peaking at 15 Million Requests Per Second

Cloudflare last Wednesday disclosed that it acted to mitigate a 15.3 million request-per-second (RPS) distributed denial-of-service (DDoS) attack.

The web infrastructure and website security company called it one of the “largest HTTPS DDoS attacks on record.”

Cloudflare said the latest attack was launched from a botnet consisting of roughly 6,000 unique compromised devices, with 15% of the attack traffic emanating from Indonesia, followed by Russia, Brazil, India, Colombia, and the U.S.

“What’s interesting is that the attack mostly came from data centers. We’re seeing a big move from residential network Internet Service Providers (ISPs) to cloud compute ISPs.”
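The kind of check a defender runs against their own edge logs when a flood like this lands. This is an added example, not Cloudflare's code or data: it parses constructed combined-format access-log lines, computes each source's peak one-second request rate, flags sources above a threshold, and splits the flagged traffic into datacenter versus residential origin using a made-up prefix table that stands in for an ASN lookup. The log lines, the RFC 5737 documentation addresses and the NETWORK_TYPES map are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network


def _make_lines():
    """Constructed sample: combined-log-format lines as a reverse proxy writes them.
    Three sources flood 40 requests each in one second; five ordinary clients make
    two requests each, a few seconds apart. Nothing here is real traffic."""
    def line(ip, second, path):
        return (f'{ip} - - [06/May/2022:10:00:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines = []
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        lines += [line(ip, 0, "/") for _ in range(40)]
    for i in range(5):
        lines += [line(f"198.51.100.{i + 1}", s, "/index.html") for s in (0, 3)]
    return lines


LOG_LINES = _make_lines()

# Constructed classification of source networks; a real deployment would look the
# source up by ASN instead of hard-coding prefixes.
NETWORK_TYPES = {
    ip_network("203.0.113.0/24"): "datacenter",
    ip_network("198.51.100.0/24"): "residential",
}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def parse_line(line):
    """Return (source_ip, timestamp, request_line), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)


def per_source_peak_rps(lines):
    """Peak requests per second observed for each source IP (1-second buckets)."""
    buckets = Counter()
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ip, ts, _ = parsed
        buckets[(ip, ts)] += 1
    peak = defaultdict(int)
    for (ip, _), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def peak_total_rps(lines):
    """Highest number of requests seen in any single second across all sources."""
    buckets = Counter()
    for parsed in map(parse_line, lines):
        if parsed is not None:
            buckets[parsed[1]] += 1
    return max(buckets.values(), default=0)


def flag_flood_sources(lines, threshold_rps=20):
    """Sources whose peak one-second rate exceeds the threshold."""
    return {ip for ip, rps in per_source_peak_rps(lines).items() if rps > threshold_rps}


def network_type(ip):
    addr = ip_address(ip)
    for net, kind in NETWORK_TYPES.items():
        if addr in net:
            return kind
    return "unknown"


def origin_breakdown(lines, flagged):
    """Share of the flagged requests by network type, the datacenter-versus-residential
    split Cloudflare's write-up mentions."""
    counts = Counter()
    for parsed in map(parse_line, lines):
        if parsed is not None and parsed[0] in flagged:
            counts[network_type(parsed[0])] += 1
    total = sum(counts.values())
    return {kind: n / total for kind, n in counts.items()} if total else {}


if __name__ == "__main__":
    flagged = flag_flood_sources(LOG_LINES)
    print("peak total rps:", peak_total_rps(LOG_LINES))
    print("flagged sources:", sorted(flagged))
    print("origin of flagged traffic:", origin_breakdown(LOG_LINES, flagged))
```

A per-source threshold works for the attack described here because roughly 6,000 devices producing 15.3 million requests per second means thousands of requests per second from each one. A wider and slower botnet needs the aggregate rate (peak_total_rps) and per-path rates as well, and at these volumes the counting has to happen in the edge proxy or a stream processor, not in a Python script reading finished logs.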

So what’s the upshot for you? Last week’s attack was huge and they only seem to be growing larger.

US: Google Makes $100,000 Worth of Tech Training Free To Every US Business

Alphabet’s Google will provide any U.S. business with over $100,000 worth of online courses in data analytics, design, and other tech skills for their workers free of charge, the search company said on Monday.

The offer marks a big expansion of Google’s Career Certificates, a program the company launched in 2018 to help people globally boost their resumes by learning new tools at their own pace.

Over 70,000 people in the United States and 205,000 globally have earned at least one certificate, and 75% receive a benefit such as a new job or higher pay within six months, according to Google.

The courses, designed by Google and sold through the online education service Coursera, each typically cost students about $39 a month and take three to six months to finish.

Google will now cover costs for up to 500 workers at any U.S. business, and it valued the grants at $100,000 because people usually take up to six months to finish.

Lisa Gevelber, founder of Grow with Google, the company unit overseeing certificates, said course completion rates are higher when people pay out of pocket but that the new offer was still worthwhile if it could help some businesses gain digital-savvy.

Certificates also are available in IT support, project management, e-commerce and digital marketing. They cover popular software in each of the fields, including Google advertising services.

So what’s the upshot for you? We have no insight yet on whether this offering will go global, but if you are interested, check back. If the response in the US is good, it just might.

CN: Research points to a Chinese hacking effort targeting a Russian border unit

The Chinese government hacking group seen targeting European governments and non-governmental organizations in early March may have also been going after Russian government targets as well, researchers with Secureworks Counter Threat Unit reported Wednesday.

The findings add new details to multiple threat intelligence reports in early March highlighting the concerted efforts of Chinese-linked hacking groups to target European diplomatic entities and NGOs, particularly with respect to refugee and migrant services.

At the time researchers with Google’s Threat Analysis Group and cybersecurity firm Proofpoint noted the activity and associated it with Mustang Panda, a Chinese-government-linked hacking group. The two teams’ assessments differed slightly on whether it reflected longstanding targeting or a shift based on new intelligence needs related to Russia’s invasion of Ukraine.

“The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations,” the researchers wrote.

“This desire for situational awareness often extends to collecting intelligence from allies and friends, which could explain why researchers detected what appears to be an attempt by China to deploy advanced malware to computer systems of Russian officials.”

So what’s the upshot for you? Researchers found that the malware, embedded in a malicious file, opened a decoy document in English discussing refugee and migrant pressures on countries bordering Belarus and European Union sanctions against Belarus, dated early March 2022.

Global: Mental Health Apps Have Terrible Privacy Protections, Report Finds

“The vast majority of mental health and prayer apps are exceptionally creepy,” Jen Caltrider, the Mozilla *Privacy Not Included guide lead, said in a statement. “They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data.”

In the latest iteration of the guide, the team analyzed 32 mental health and prayer apps.

Of those apps, 29 were given a “privacy not included” warning label, indicating that the team had concerns about how the app managed user data.

The apps are designed for sensitive issues like mental health conditions, yet collect large amounts of personal data under vague privacy policies, the team said in the statement.

Most apps also had poor security practices, letting users create accounts with weak passwords despite containing deeply personal information.

So what’s the upshot for you? Wow. Take one of the most vulnerable segments of society and completely exploit them. If things are getting you down, you may be better off talking to your plants. At least you won’t have privacy concerns.

RU/UA: A chilling Russian cyber aim in Ukraine: Digital dossiers

If Russia is successful at taking control of more of eastern Ukraine, stolen personal data will be an asset. Russian occupiers have already collected passport information, a top Ukrainian presidential adviser tweeted recently, that could help organize separatist referendums.

Ukrainian agencies breached on the eve of the Feb. 24 invasion include the Ministry of Internal Affairs, which oversees the police, national guard, and border patrol. A month earlier, a national database of automobile insurance policies was raided during a diversionary cyberattack that defaced Ukrainian websites.

The hacks, paired with prewar data theft, likely armed Russia with extensive details on much of Ukraine’s population, cybersecurity, and military intelligence analysts say. It’s information Russia can use to identify and locate Ukrainians most likely to resist an occupation, and potentially target them for internment or worse.
“The idea was to kill or imprison these people at the early stages of occupation,” Victor Zhora, a senior Ukrainian cyber defense official, alleged.

Ukraine, for its part, appears to have done significant data collection — quietly assisted by the U.S., the U.K., and other partners — targeting Russian soldiers, spies, and police, including rich geolocation data.

Demediuk, the top security official, said the country knows “exactly where and when a particular serviceman crossed the border with Ukraine, in which occupied settlement he stopped, in which building he spent the night, stole and committed crimes on our land.”

“We know their cell phone numbers, the names of their parents, wives, children, their home addresses, who their neighbors are, where they went to school and the names of their teachers," he said.

So what’s the upshot for you? To drive the point home, follow the link to hear Ukrainian authorities inform a Russian soldier’s wife that the package she received from her husband was full of artifacts he stole from civilians he murdered.

US/RU: State Department announces $10M bounty for Russian intelligence hackers behind NotPetya

The State Department announced Tuesday that it is offering a reward of up to $10 million for information leading to six Russian intelligence hackers responsible for the infamous 2017 NotPetya malware.

That malware knocked out Chornobyl’s radiation monitoring system and did more than $1 billion in damage to a number of U.S. organizations, according to a federal indictment.

It noted that the malware damaged the computers of hospitals and other medical facilities in western Pennsylvania, a large U.S. pharmaceutical manufacturer, and other U.S. private sector entities.

The State Department identified the suspects as six GRU officers: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, calling them “members of a conspiracy that deployed destructive malware and took other disruptive actions for the strategic benefit of Russia through unauthorized access to victim computers.”

The men operated inside the Sandworm unit of Russian intelligence, known as an unusually skilled hacking collective.

So what’s the upshot for you? Anyone with information on the suspects can report it via the State Department’s Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion. A Tor browser is required. Just remember if you get the reward you’re also getting the first two rounds of beer.

US/RU: The US Seeks to Poach Putin’s Top Scientists by reducing their Visa Requirements

“The Biden administration has a plan to rob Vladimir Putin of some of his best innovators,” reports Bloomberg, “by waiving some visa requirements for highly educated Russians who want to come to the U.S., according to people familiar with the strategy.”

One proposal, which the White House included in its latest supplemental request to Congress, is to drop the rule that Russian professionals applying for an employment-based visa must have a current employer.

It would apply to Russian citizens who have earned masters or doctoral degrees in science, technology, engineering, or mathematics in the U.S. or abroad, the proposal states.

A spokesman for the National Security Council confirmed that the effort is meant to weaken Putin’s high-tech resources in the near term and undercut Russia’s innovation base over the long run — as well as benefit the U.S. economy and national security.

Specifically, the Biden administration wants to make it easier for top-tier Russians with experience with semiconductors, space technology, cybersecurity, advanced manufacturing, advanced computing, nuclear engineering, artificial intelligence, missile propulsion technologies, and other specialized scientific areas to move to the U.S.

So what’s the upshot for you? Biden administration officials have said they’ve seen significant numbers of high-skilled technology workers flee Russia because of limited financial opportunities from the sanctions the U.S. and allies have imposed after Putin’s invasion of Ukraine.

These relaxed visa requirements would be in place for four years.

US: Why the heck are SSNs still treated as passwords in the US?

The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax.

Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft.

When I moved to the U.S. a couple of years ago, my friends made sure that I knew I had to keep my Social Security number (SSN) secret and hidden.

When I started opening a bank account and set up a cell phone plan, it became obvious why: All sorts of institutions that really should know better are treating this string of numbers as a password.

There’s a huge, glaring problem with that.

I maintain that Equifax should receive the corporate equivalent of capital punishment for allowing this to happen, but the fact that 145 million Social Security numbers were stolen by hackers means that the Social Security numbers — yes, the same numbers that are being treated as “passwords” — for about half the U.S. adult population are in the wind.

We’ve gotten used to passwords by now, but at least, in most cases, passwords can be changed when they are hacked.

Your social security number? Not so much. If your SSN leaks just once, you’re stuffed.
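Why an SSN cannot serve as a password even when a service hashes it before storing it, which goes one step past the article's point about leaks. This is an added example, not from the original post: it sizes the SSN keyspace, contrasts it with a random password, and recovers a constructed SSN from its unsalted SHA-256 once the area and group digits are known. EXAMPLE_SSN is made up, the hashing rate in seconds_to_exhaust is an assumption, and the "area and group are known" premise is the attacker-friendly case, not a universal one.

```python
import hashlib
from typing import Optional

# Constructed example number in the SSA's AAA-GG-SSSS layout; it belongs to nobody.
EXAMPLE_SSN = "123-45-6789"


def ssn_sha256(ssn: str) -> str:
    """The 'protection' a careless service might apply before storing an SSN:
    a plain, unsalted SHA-256 of the digits."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def ssn_keyspace() -> int:
    """Upper bound on the number of distinct SSNs: nine decimal digits, minus the
    values the SSA never issues (area 000, 666 and 900-999; group 00; serial 0000)."""
    areas = 1000 - 1 - 1 - 100   # 898 usable area prefixes
    groups = 99
    serials = 9999
    return areas * groups * serials   # 888,931,098, below 2**30


def password_keyspace(length: int = 16, alphabet_size: int = 62) -> int:
    """Number of random alphanumeric passwords of the given length, for comparison."""
    return alphabet_size ** length


def crack_serial(digest: str, area: str, group: str) -> Optional[str]:
    """Recover the 4-digit serial by hashing all 10,000 candidates. Area and group
    are treated as known: for numbers issued before 2011 they were assigned by state
    and in a predictable order, and a prior breach or data broker often exposes them."""
    for serial in range(10000):
        candidate = f"{area}-{group}-{serial:04d}"
        if ssn_sha256(candidate) == digest:
            return candidate
    return None


def seconds_to_exhaust(hashes_per_second: float = 1e9) -> float:
    """Wall-clock time to hash every possible SSN at the given rate. The default of
    1e9 SHA-256/s is an assumption; a single consumer GPU exceeds it by a wide margin,
    so the entire keyspace falls in about a second even with a per-record salt."""
    return ssn_keyspace() / hashes_per_second


if __name__ == "__main__":
    stored = ssn_sha256(EXAMPLE_SSN)
    print("keyspace:", ssn_keyspace())
    print("random 16-char password keyspace:", password_keyspace())
    print("recovered:", crack_serial(stored, "123", "45"))
    print("seconds to try every SSN at 1e9/s:", seconds_to_exhaust())
```

Salting stops precomputed tables but not this search, because the work per salt is under a billion hashes; a slow KDF such as Argon2 raises the cost per guess but still leaves a nine-digit secret that the victim can never change. The only sound use of an SSN is as an identifier looked up in a record, with authentication done by something the user can rotate.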

So what’s the upshot for you? Five years after the Equifax breach we are still being asked to use our SSNs to sign up for car insurance, open credit cards, and identify ourselves to our banks. That’s insane. Let’s make some noise.

NG: Nigeria Blocks 73 Million Mobile Phones in Security Clampdown

Constance Chioma calls her son every morning to check that he is safe while studying in northeast Nigeria, a region plagued by deadly attacks by Islamist insurgents and armed kidnappings.

Earlier this month, she could not get through. She later realized her SIM card was one of about 73 million - more than a third of the 198 million in Nigeria - which have been barred from making outgoing calls because they have not been registered in the national digital identity database.

Nigeria is among dozens of African countries, including Ghana, Egypt, and Kenya, with SIM registration laws that authorities say are necessary for security purposes but that digital rights experts say increase surveillance and hurt privacy.

Nigeria has been rolling out 11-digit electronic national identity cards for almost a decade, which record an individual’s personal and biometric data, including fingerprints and photo.

The National Identity Number (NIN) is required to open a bank account, apply for a driver’s license, vote, get health insurance, and file tax returns.

In 2020, Nigeria’s telecommunications regulator said every active mobile phone number must be linked to the user’s NIN. It repeatedly extended the deadline until March 31 this year.

The government said outgoing calls were being barred from April 4 from any mobile phone numbers that had not complied.

The barring of mobile phones has especially hurt women in rural areas. Charity Elem, a street food vendor in Awara village in southwest Imo state, said she could not afford to travel to the registration center in Owerri city about 60 kilometers (37 miles) away.

Following complaints from the public and telecom companies about the short notice, authorities have once again extended the deadline for registration.

So what’s the upshot for you? Back in Nigeria, Chioma has until October 15 to find another solution to keep in touch with her son.

AT: Privacy, What Privacy? Or, How I put my whole life into a single database (and shared it with the world).

Felix Krause: "Back in 2019, I started collecting all kinds of metrics about my life. Every single day for the last 2.5 years I tracked over 100 different data types - ranging from fitness & nutrition to social life, computer usage, and weather.

The goal of this project was to answer questions about my life, like
How does living in different cities affect other factors like fitness, productivity, and happiness?
How does sleep affect my day, my fitness level, and my happiness?
How do the weather, and the different seasons affect my life?
Are there any trends over the last few years?
How do computer time, work, and hours in meetings affect my personal life?

Since the start of this project, I collected a total of more than 380,000 data points.

Naturally, after I started collecting this data, I wanted to visualize what I was learning, so I created Initially, the domain started as a joke to respond to friends asking when I’d be back in NYC or San Francisco.

Rather than send them my schedule, I’d point them to this domain. However, now it’s more than my location: it’s all of me.

Rules I set up for the project:

Use a single database, owned and hosted by me, with all the data I’ve collected over the years
Be able to easily add and remove questions on the fly, as I learn what’s beneficial to track
Maintain full control of how the data is visualized
Works well for frequent flyers with mixed time zones
100% fully open source, MIT licensed, and self-hosted"

So what’s the upshot for you? Felix has an impressive body of work and data. If you ever decide that this type of “sharing is caring” then there are two ways to go about achieving similar results. Use Felix’s setup, which he cheerfully reveals, or you could start dating him, in which we are sure you’d skew his results!
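A minimal version of the rules Felix lists (one self-hosted database, questions added and retired on the fly, entries from mixed time zones), as an added example built on Python's standard sqlite3 module. It is not code from his project: the table layout, the function names and the stored offset-minutes convention are my own choices. Values are stored as JSON so a new kind of question needs no schema change, and every timestamp is normalised to UTC with the local offset kept beside it so answers can be regrouped by the calendar day they were actually entered on.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Two tables: the questions currently (or formerly) asked, and every answer ever
# given. Retiring a question flips `active` rather than deleting history.
SCHEMA = """
CREATE TABLE IF NOT EXISTS questions (
    key    TEXT PRIMARY KEY,
    kind   TEXT NOT NULL CHECK (kind IN ('number', 'text', 'bool')),
    active INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE IF NOT EXISTS answers (
    id               INTEGER PRIMARY KEY,
    question_key     TEXT NOT NULL REFERENCES questions(key),
    recorded_utc     TEXT NOT NULL,
    local_offset_min INTEGER NOT NULL,
    value            TEXT NOT NULL
);
"""


def open_db(path=":memory:"):
    """Open (or create) the single database file; ':memory:' gives a scratch copy."""
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def add_question(db, key, kind):
    """Register a question, or reactivate one that was retired earlier."""
    db.execute("INSERT OR IGNORE INTO questions (key, kind) VALUES (?, ?)", (key, kind))
    db.execute("UPDATE questions SET kind = ?, active = 1 WHERE key = ?", (kind, key))
    db.commit()


def retire_question(db, key):
    """Stop asking a question without deleting the answers it already produced."""
    db.execute("UPDATE questions SET active = 0 WHERE key = ?", (key,))
    db.commit()


def active_questions(db):
    return [row[0] for row in db.execute(
        "SELECT key FROM questions WHERE active = 1 ORDER BY key")]


def record(db, key, value, when=None):
    """Store an answer. `when` is a timezone-aware datetime or an ISO-8601 string with
    an offset; it is normalised to UTC and the offset kept for local-day grouping."""
    if when is None:
        when = datetime.now().astimezone()
    elif isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.utcoffset() is None:
        raise ValueError("timestamps must carry a UTC offset")
    offset_min = int(when.utcoffset().total_seconds() // 60)
    db.execute(
        "INSERT INTO answers (question_key, recorded_utc, local_offset_min, value) "
        "VALUES (?, ?, ?, ?)",
        (key, when.astimezone(timezone.utc).isoformat(), offset_min, json.dumps(value)))
    db.commit()


def daily_values(db, key):
    """Answers grouped by the local calendar day they were entered on, so a night
    logged at 20:00 in San Francisco stays on that day instead of the next UTC day."""
    out = {}
    rows = db.execute(
        "SELECT recorded_utc, local_offset_min, value FROM answers "
        "WHERE question_key = ? ORDER BY recorded_utc", (key,))
    for utc_str, offset_min, value in rows:
        local = datetime.fromisoformat(utc_str) + timedelta(minutes=offset_min)
        out.setdefault(local.date().isoformat(), []).append(json.loads(value))
    return out


if __name__ == "__main__":
    db = open_db()
    add_question(db, "sleep_hours", "number")
    record(db, "sleep_hours", 7.5, "2022-05-05T20:00:00-07:00")   # evening in SF
    record(db, "sleep_hours", 6, "2022-05-06T08:00:00+02:00")     # morning in Vienna
    print(daily_values(db, "sleep_hours"))
```

Keeping the file on a machine you own is what makes the "shared with the world" part a choice rather than a default: the visualisation layer reads from this database, and nothing here phones home.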

And finally, the quote of the week comes to us from an unknown source, and innocently asks a simple question:

“Will my smart fridge tell my mother about my chocolate cake addiction?”

That’s it for this week. Stay safe, stay secure, leave us a slice, and we’ll see you in se7en.