SPY: Security & Privacy Yarns for the week ending 2020 12 15

DAML’ers,

This week reads or sounds like a https://www.007.com/ movie (we like the “How To Drive Like James Bond… That is, if you have £3M to spare” section). From across the world: nation state spies are revealed; a huge hacking campaign that provided access into 80% of the US Fortune 500 comes to light; insecure kit at the doctor’s office is exposed; and schools are found hacking students’ phones with hardware that was, and probably should still be, in the domain of the spies.

Yes, despite the meteor showers overhead, we stay with our feet planted firmly on terra firma with this update, and we think you will love the detail.

And finally this yarn ends by knitting in an opportunity for you to play phisherman/phisherwoman, engaging in some role playing/threat modelling around how you might compromise someone through email, in order to understand the small changes in your own behaviour that will keep you much safer.

It’s all here so let’s get cracking!


Chinese Communist party leaders exposed.

An unprecedented data leak (from a server in April 2016) that is only now being shared reveals how alleged Chinese Communist Party members have embedded themselves inside some of the world’s biggest companies, including defense contractors, banks and pharmaceutical giants manufacturing coronavirus vaccines.

The Australian newspaper has obtained the leaked database of almost two million CCP members – including their party position, birthdate, national ID number and ethnicity – and 79,000 branches, many of them inside companies, universities and even government agencies.

Among the companies identified as having CCP members in their employ are manufacturers like Boeing and Volkswagen, drug giants Pfizer and AstraZeneca, and financial institutions including ANZ and HSBC, according to the reports.

“It is believed to be the first leak of its kind in the world,” The Australian journalist and Sky News host Sharri Markson said.

“What’s amazing about this database is not just that it exposes people who are members of the Communist Party, and who are now living and working all over the world, from Australia to the US to the UK.”

Markson said CCP branches had been set up inside western companies where members, “if called on, are answerable directly to the Communist Party” and President Xi himself. “It is also going to embarrass some global companies who appear to have no plan in place to protect their intellectual property from theft, from economic espionage.”


US: Hackers Broke Into Federal Agencies.

In one of the most sophisticated and perhaps largest hacks in more than five years, email systems were breached at the Treasury and Commerce Departments. Other breaches are under investigation.

The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.

Officials said a hunt was on to determine if other parts of the government had been affected by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal systems in the past five years. Several said national security-related agencies were also targeted, though it was not clear whether the systems contained highly classified material.

The Trump administration said little in public about the hack, which suggested that while the government was worried about Russian intervention in the 2020 election, key agencies working for the administration — and unrelated to the election — were actually the subject of a sophisticated attack that they were unaware of until recent weeks.

“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement. The Department of Homeland Security’s cybersecurity agency, whose leader was fired by President Trump last month for declaring that there had been no widespread election fraud, said in a statement that it had been called in as well.

The Commerce Department acknowledged that one of its agencies had been affected, without naming it. But it appeared to be the National Telecommunications and Information Administration, which helps determine policy for internet-related issues, including setting standards and blocking imports and exports of technology that is considered a national security risk.

It was a measure of the sudden panic sweeping federal offices that the Department of Homeland Security ordered all agencies late Sunday night to shut down any use of a complex piece of network management software made by a company called SolarWinds and installed on networks belonging to government agencies and American corporations.


and in a related update…


More detail on last week’s FireEye/Mandiant attack

The attack that impacted FireEye involved hackers compromising the infrastructure of SolarWinds, a company that produces a network and applications monitoring platform called Orion. The attackers then used that access to produce and distribute trojanized updates to the software’s users. SolarWinds customers include 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide.

“After an initial dormant period of up to two weeks, the trojan retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” the FireEye analysts said. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

The backdoor was used to deliver a lightweight malware dropper that has never been seen before and which FireEye has dubbed TEARDROP. This dropper loads directly in memory and does not leave traces on the disk.

SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the team deploying it to freely root around victims’ systems.


U.S. Schools Are Buying the same Phone-Hacking Tech That the FBI Uses to Investigate Terrorists

https://gizmodo.com/u-s-schools-are-buying-phone-hacking-tech-that-the-fbi-1845862393

In May 2016, a student enrolled in a high-school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other, “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child.

“Every teenager is going to have something vaguely incriminating on their phone. That’s just part of being a teenager. We’re concerned about the teachers, you know, just kind of pulling out students they don’t like and deciding to run their phones to look for reasons to take them out of class…”

While companies like Cellebrite have partnered with federal and local police for years, that the controversial equipment is also available for school district employees to search students’ personal devices has gone relatively unnoticed—and serves as a frightening reminder of how technology originally developed for use by the military or intelligence services, ranging from blast-armored trucks designed for use in war zones to invasive surveillance tools, keeps trickling down to domestic police and even the institutions where our kids go to learn.


Spam calls grew 18% this year despite the global pandemic

Despite several efforts from carriers, telecom regulators, mobile operating system developers, smartphone makers and a global pandemic, spam calls continued to pester and scam people around the globe this year — and they only got worse.

Users worldwide received 31.3 billion spam calls between January and October this year, up from 26 billion during the same period last year, and 17.7 billion the year prior, according to Stockholm-headquartered firm Truecaller.

The firm, best known for its caller ID app, estimated that an average American received 28.4 spam calls a month this year, up from 18.2 last year. Brazil, with 49.9 spam calls per user a month, up from an already alarming 45.6 last year, remained the nation worst impacted by spam calls, the firm said in its yearly report on the subject.

If this type of call seems hard to get rid of, note that about 9% of all spam calls that people received in the U.S. were dialled by the telecom networks themselves, the report said.


GitHub rolls out dependency review, vulnerability alerts for pull requests

The open source development platform said last week at the GitHub Universe conference that dependency review is a system designed to help “reviewers and contributors understand dependency changes and their security impact at every pull request” and has been developed to try and prevent vulnerable code from merging with new or updated dependencies by accident.

Added to the GitHub roadmap this year, the new tool will give developers an overview of which dependencies are added or removed from a project, when they were updated, how many other projects lean on a dependency, and any vulnerability information associated with them.

The new functionality should be available globally by the end of the year.


Millions of IoT devices vulnerable to 33 connectivity flaws.

Several sets of internet communication protocols used by major vendors of connected products have vulnerabilities that could affect millions of devices, researchers revealed last week.

Four of the vulnerabilities are critical, meaning attackers could use them to remotely take over devices ranging from a “smart” refrigerator to an industrial networking switch in the electrical grid, according to the security vendor Forescout. The flaws exist in information technology, operational technology and so-called internet of things products.

The Forescout study, dubbed AMNESIA:33, focuses on 33 vulnerabilities in four open-source TCP/IP stacks (uIP, FNET, picoTCP and Nut/Net), which collectively serve as the foundational components of millions of connected devices worldwide. These vulnerabilities primarily cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service attacks and steal sensitive information.

And the fact of the matter is that most of the current IoT devices are not made to be updated…


Going to the Doctor? Accounts with default credentials found on over 100 GE medical device models

Secret (well, up to now) accounts, hidden from end-users, are included in the device firmware and are used by GE Healthcare servers to connect to on-premises devices and perform maintenance operations, run system health checks, obtain logs, run updates, and other actions.

CyberMDX, the security firm that “outed” the problem, says the issue with these accounts is that they all use the same default credentials, and that those credentials are public and can be found online by threat actors, who can then abuse them to gain access to hospital imaging systems and harvest patient personal data.

Affected devices include CT scanners, X-Ray machines, and MRI imaging systems, with the hidden accounts providing access to FTP, SSH, Telnet and REXEC services and features. In most cases, the exposed systems are limited to internal hospital networks, but even access to those is becoming more common.

GE is aware that it has a huge problem and has begun working with healthcare providers: “We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall.”


Cyber security startup provides perimeter monitoring as a differentiator.

The cyber insurance industry is growing exponentially, driven by IoT devices and growing regulatory oversight.

By offering perimeter monitoring, At-Bay has been able to reduce payments by an average of 50% compared to traditional corporate models (Local Area Network based).

They might be worth keeping an eye on as they have recently completed series C funding, raising US$34 million. Could they be a serious disruptor?


The detail behind the Spotify Password Reset

From a data breach notification sent to the California attorney general “On Thursday November 12th, Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify. Spotify did not make this information publicly accessible. We estimate that this vulnerability existed as of April 9, 2020 until we discovered it on November 12, 2020, when we took immediate steps to correct it.”

Meanwhile Spotify has reported the breach, is conducting an internal investigation, and has reset all user passwords.


Avoiding phishing e-mails by thinking like the Phisher-person.

Let’s play a game.

Imagine you are going to compromise a business or a person by crafting a phishing e-mail. How would you do it?

You hate unsolicited mails, so you might embed the malware link in the “unsubscribe” link at the bottom of the mail. To prompt the user to click on it, you might include offers to donate to one or another political party fund. Yuck.

You might buy some domain names that look like the domain you intend to phish and sit on them for a couple of months (newer domains are typically flagged), or you might buy domain names with grandiose names like “FischerPaythePrice(.)com”, promising amazing investment strategies in return for downloading one or another piece of malware.

You might tie a mail into a recent wide-ranging event. You know that Twitter, Zoom and Spotify are likely to continue to have security issues. Think forward and set up so that you are ready to leverage an event when it occurs (you might buy the domain SpotifySecurity(.)com, for example).

You also know that most phishing emails try to create a sense of urgency, so you’d expect the effectiveness of that to be diminished now. Instead you could pretend to be a recruiter with a fabulous job offer. Or you could even try the lost kitten/puppy available for adoption emotional approach. Some would never let a cute animal go unclicked on. Remember, it’s a game of numbers and you only need a small percentage to click on a link…

(It’s with constant amazement that recruiters who have no previous relationship with an individual send unsolicited .PDFs describing jobs.)

Most importantly, make it personal. Learn about the person you are attempting to compromise. Facebook, LinkedIn and Google are good places to start. Especially if they are posting content to those sites. People love to be complimented. Make it more real by calling out specifics and you are more apt to get a hit.

Hopefully that exercise scared you just a little bit.

As you thought through how you would compromise someone else, we hope the role playing helped you think through where your own weaknesses might lie. Tighten those areas up. Hover over links to validate anything before you even consider clicking on them. If you get a communication about something urgent, open a different browser and navigate to the thing that is being mentioned. Follow the rule of initiating something yourself. Rather than clicking on a link, search for it in DuckDuckGo, navigate to it and make your decision based on what you find once you initiate the session yourself.
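The “hover over links to validate” habit can be turned into a mail-triage check. The script below is an added example, not part of this newsletter; it pulls every link out of an HTML mail body and flags the three lures played out above: a look-alike domain carrying a brand name (SpotifySecurity(.)com), displayed text that shows one address while the href goes elsewhere, and links (such as a bogus “unsubscribe”) that point off the sender’s domain. The brand list, the two-label domain heuristic and the sample mail are all assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the newsletter names as likely lures, mapped to their real registrable
# domains (assumed list for the example; extend for your own environment).
KNOWN_BRANDS = {"spotify": "spotify.com", "zoom": "zoom.us", "twitter": "twitter.com"}


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host: a crude stand-in for a public-suffix lookup (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(text, href, sender_domain):
    """Return the reasons a link looks like a lure; an empty list means no finding."""
    url = urlparse(href)
    host = url.hostname or ""
    domain = registrable_domain(host)
    reasons = []
    if domain != sender_domain:                       # bogus "unsubscribe" style link
        reasons.append(f"points off the sender's domain ({host})")
    for brand, real in KNOWN_BRANDS.items():          # SpotifySecurity(.)com style look-alike
        if brand in host and domain != real:
            reasons.append(f"brand '{brand}' in look-alike domain {host}")
    shown = re.search(r"https?://\S+", text)          # what the reader sees vs. where it goes
    if shown and registrable_domain(urlparse(shown.group()).hostname or "") != domain:
        reasons.append(f"displays {shown.group()} but points to {host}")
    if url.scheme != "https":
        reasons.append(f"scheme is '{url.scheme}', not https")
    return reasons


def triage_mail(html_body, sender_domain):
    """Map every href in the body to its list of findings."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return {href: check_link(text, href, sender_domain) for text, href in collector.links}


# Constructed sample: a password-reset lure riding on the Spotify story, From: spotify.com.
SAMPLE_MAIL = """<p>Your Spotify password was reset. Confirm your account now:</p>
<a href="http://spotifysecurity.com/reset">https://www.spotify.com/account</a>
<p>Not interested? <a href="https://fischerpaytheprice.com/unsub">Unsubscribe</a></p>
<a href="https://www.spotify.com/legal">Terms of use</a>"""

if __name__ == "__main__":
    for href, findings in triage_mail(SAMPLE_MAIL, "spotify.com").items():
        print(href, "->", findings or "no findings")
```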


That’s all for this Week DAML’ers! Stay safe and secure and see you in se7en!


Found this today in a UK paper. A link to 20 James Bond films free with ads on YouTube. Good for holiday spy bingeing (after you read this week’s update): https://www.youtube.com/playlist?list=PLwwhtOnMyjuyEeWvv6UX11aw3jFLFAxU1