The "Beautiful Game" of the IT Privacy and Security Weekly update for October 26th 2021


Damlers,

Like watching Lionel Messi score his 100th goal, some of the stories we cover here seem almost un-be-lieva-ble!

We jump in the game in Argentina and finish in South Korea. Scoring heavily we witness an own-goal, a red-card in the UK, travel to the top and bottom of the league tables, get punched in the mouth, breached, hacked, cracked, arrested, and then, then in what may be the worst fate of all… someone scuffs our white Vans slip-ons.

This is, with no hesitation, the greatest update to date, so don your tracksuits, sort out those shoes and let’s get in on the game!


AR: Hacker steals government ID database for Argentina’s entire population!

A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.

The hack, which took place last month, targeted RENAPER, A.K.A. the National Registry of Persons.

The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizens’ personal information.

The first evidence that someone breached RENAPER surfaced earlier this month on Twitter when a newly registered account named @AnibalLeaks published ID card photos and personal details for 44 Argentinian celebrities. This included details for the country’s president Alberto Fernández, multiple journalists and political figures, and even data for soccer superstars Lionel Messi and Sergio Aguero.

Faced with the media fallout following the Twitter leaks, the Argentinian government confirmed a security breach three days later.

This is the third breach of PII that the Argentinian government has suffered in the last few years.

So what’s the upshot for you? Hack me once, shame on you. Hack me twice, shame on me. Hack me three times … and it’s plain you don’t listen to our podcast.


UK: British regulator fines Facebook $70 million

The UK’s Competition and Markets Authority (CMA) issued a red card and fined Facebook almost $70 million for breaking an order imposed by the CMA during its investigation into Facebook’s purchase of Giphy.

CMA said Facebook had failed to provide full updates about its compliance with requirements to continue to compete with Giphy and not integrate its operations with Giphy’s while its investigation was ongoing.

Given the fact that Facebook did not provide the required updates despite multiple warnings, CMA considers this failure deliberate and issued a £50.5 million (approx. $70 million) fine for what it called a “major breach, which fundamentally undermined its ability to prevent, monitor and put right any issues.”

So what’s the upshot for you? Did anyone overhear the Facebook accountants at the watercooler say this fine was the equivalent of a rounding error?


Global: The 14th Annual Verizon Data Breach investigations report findings

There are some interesting differences in cyberattacks in different regions of the world.

For instance, in the Asia Pacific region, most breaches were financially motivated phishing attacks, with stolen credentials then used to access things like email accounts and web applications.

In Europe, attacks tended to focus more heavily on system intrusion and basic web application attacks. Indeed, basic web application attacks were found to make up 54% of all breaches in Europe.

And in the US the focus really seemed to be on network access and Malware.

The most popular attack type was DDoS (Distributed Denial of Service), and although 2021 recorded some of the highest attack numbers yet … the median bits per second (bps) of 1.3 Gbps may be only fractionally higher than your home internet connection.
Ninety-five percent of all DDoS incidents fell between 13 Mbps and 99 Gbps, an easily mitigatable range (according to the authors).

So what’s the upshot for you? We learned a couple of important lessons from this report. Hackers look for low-hanging fruit and will often pivot to take advantage of that fruit, and if you are going to run DDoS attacks, it’s best not to attempt them through a dial-up connection.


Global: Top 10 best and worst countries in the world for Cyber security

#1 for best cybersecurity (lowest risk) is… wait for it… Denmark, followed by Germany and the US! (What?!!) The UK came in at 5 with Australia at #8, NZ at #13, Israel at #14, and India at #61.

The worst for Cybercrime (Highest risk)? Myanmar, Cambodia, and Honduras in that order.

The most common types of cybercrime in the US were phishing and pharming, which accounted for 32.96% of all reported cybercrime in the country in 2020 with a victim count of 241,342.

Phishing and pharming refer to the fraudulent practice of luring people into revealing personal information, such as passwords, login details, and credit card numbers.

When carried out via email this practice is referred to as phishing, with it being referred to as pharming when the victim is directed to a fake website disguised as a legitimate one.

What we found interesting is that the numbers stopped growing exponentially in 2021. This means that either companies are not reporting as much of the cybercrime as they were, or that a little organization and legislation do make a difference.

So what’s the upshot for you? “Give someone a fish and you feed them for a day, teach them how to phish, and you get them locked away.”


Global: Urgency, Mail Relay Serve Phishers Well on Craigslist

Craigslist, that old-fashioned website people still use to find things locally — and urgently — has become the latest phishing vector. In addition to the inherent time pressure of its marketplace, a feature on the site that appeals to phishers is the mail relay function.

In the service of safety and anonymity, Craigslist lets people seeking or offering things send an email through the system to anyone else. What the recipient sees for a sender’s address is a “long hex string @ subdomain[.]craigslist[.]org”.

Craigslist knows the identities of everyone, but unless a correspondent discloses details, they are perfectly anonymous to others on the system. This situation suits phishers just fine. They can shoot at you from behind a local mail proxy.

Type: phishing

Vector: fake notifications sent from Craigslist

Made to look like a Craigslist violation statement, however, if a recipient tried to rectify this supposed problem by clicking on the big purple button, they were taken to a customized document uploaded to Microsoft OneDrive. It appears as if bad actors were able to manipulate the email’s HTML to create that button and link it to OneDrive. Recipients were then instructed to use the “Download” link on OneDrive to fill out the form and return it to violations@craiglist[.]org.

Hovering over the link, however, reveals a Russian domain (myjino[.]ru).
Clicking on the link automatically downloaded a zip file named “form_1484004552-10012021.zip.”

Uncompressing the file revealed a macro-enabled spreadsheet named “form_1484004552-10012021.xls,” a document that had already been flagged by security vendors. Clicking on it allows the exfiltration of saved login credentials from a browser; or the installation of a keylogger.
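Two of the indicators in this story can be checked mechanically: a button whose visible text names craigslist.org but whose real link goes to an unrelated domain, and a zip attachment that wraps a macro-capable Office file. The following is an added example, not code from the original post; the e-mail body and the in-memory zip are constructed for illustration, and only the domains and the file name come from the story. The allowed-domain set is an assumption for the example.

```python
"""Flag a link/destination mismatch and a macro-capable document inside a zip,
the two indicators described in the Craigslist phishing story above.

Added example, not code from the original post. The e-mail body and the zip
are constructed here for illustration; only the domains and file name are
taken from the story.
"""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: legitimate notifications only link here.
ALLOWED_LINK_DOMAINS = {"craigslist.org"}

# Office formats that can carry VBA macros (legacy binary and *m variants).
MACRO_DOC_EXTENSIONS = (".xls", ".xlsm", ".doc", ".docm", ".ppt", ".pptm")

# Constructed sample body modelled on the story (myjino.ru is the domain it names).
SAMPLE_EMAIL_HTML = """
<p>Your posting violated the Craigslist terms of use.</p>
<a href="https://files.myjino.ru/violation/form.php" style="background:purple">
  Resolve this on craigslist.org
</a>
<a href="https://post.craigslist.org/manage">Manage your postings</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels: fine for .org/.ru/.com, not for ccSLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Links whose real destination lies outside ALLOWED_LINK_DOMAINS."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = registrable_domain(host)
        if domain not in ALLOWED_LINK_DOMAINS:
            findings.append({"text": text, "href": href, "domain": domain})
    return findings


def build_zip(members):
    """Constructed in-memory archive: {name: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def macro_documents_in_zip(zip_bytes):
    """Names of archive members that are macro-capable Office documents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(MACRO_DOC_EXTENSIONS)]


# Member name as reported in the story; the content is dummy bytes.
SAMPLE_ZIP = build_zip({"form_1484004552-10012021.xls": b"\xd0\xcf\x11\xe0 dummy"})

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"link text {f['text']!r} actually points at {f['domain']}")
    print("macro documents in attachment:", macro_documents_in_zip(SAMPLE_ZIP))
```

Both checks are cheap enough to run in a mail gateway rule: the first catches the "purple button" trick regardless of how the HTML was styled, and the second flags the archive before anyone opens it, which is where the credential theft and keylogger installation in the story begin.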

So what’s the upshot for you? A red flag ought to go up right away if a violation notice comes in that doesn’t correspond to any recent recipient behavior on the platform in question. Also, remember, It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive.


US: We just don’t Talk Anymore.

The sophistication of cyber-attacks has improved. The attackers are very good at sharing information about their targets and about their victims.

On the good guy side, we’re much less willing and much less sophisticated at sharing information about what we’re seeing in the threat landscape.

The collaboration is happening on the dark side. It’s not happening as effectively on the good side.

So what should we do if we are on the good side? "Consider having a well-thought-out, practiced response process as to how you’re going to handle an attack. Who you’re going to notify in terms of breach notification, if it’s your customers, you have to notify or law enforcement, if you have to go that route.

Having all of that rehearsed makes it a lot easier to handle it at the moment. The reality of the situation is that this activity always happens on a weekend or a holiday. So, the more you’ve practiced your responses, the more they become second nature. And it’s not as much of an imposition on your colleagues."

So what’s the upshot for you? Remember what Mike Tyson said: “EVERYONE HAS A PLAN UNTIL THEY GET PUNCHED IN THE MOUTH”.


Global: It’s a great time to be in the Insurance Business Unless you have to Pay Out.

The cyber insurance market is booming. Cyber insurance premiums rose to $2.5 billion last year, a 103% increase compared with 2016, Moody’s said, citing data from U.S. regulators. It is estimated that worldwide premiums total around $10 billion.

The number of policies in force rose to more than 3.6 million in 2019, an increase of about 60% since 2016, the Government Accountability Office (GAO) said, citing an analysis of data from S&P Market Intelligence and the National Association of Insurance Commissioners.

Still, “several industry associations, regulators, and participants said that many entities, particularly smaller businesses, may underestimate their cyber risks and the cyber coverage needed to mitigate those risks,” GAO said.

So what’s the upshot for you? It’s true that many insurers that covered cyber insurance may have taken a huge hit over the past year, but expect the risk tables to be adjusted accordingly … as evidenced in your next bill.


US: Autonomous vehicle program "Super Valuable"

Nearly three months after a suburb of Denver launched one of the largest deployments of autonomous vehicles in the United States, riders are reporting that the self-driving shuttles have been “super valuable,” said Tyler Svitak, the director of the nonprofit Colorado Smart Cities Alliance, the organization behind the vehicles.

The alliance, a group of cities, businesses, and communities promoting connected infrastructure across Colorado, partnered with the City of Golden and the Colorado School of Mines earlier this year to test an autonomous shuttle system serving the school’s 5,000 students.
Students riding the shuttles are “always really excited to talk about the project,” and feel “inspired” to attend a school that’s so involved with emerging technologies like autonomous vehicles.

Half the operational cost of the project is covered by the Colorado School of Mines, while the other half comes from students, who voted to support the pilot into next year.

So what’s the upshot for you? “EasyMile has a number of installations such as the one in Lausanne Switzerland but has never had a fleet the size of this one before (7 busses) — and the operational design domain, which is essentially where it’s operating — is complex… in mixed-traffic, on public roads, roundabouts, and relatively modest daily traffic.”
Residents have voted to continue this project into next year, with an increase in the number of vehicles used.


Global: Macs Still Targeted Mostly With Adware

Apple Macs are not immune to malicious attacks, but outside of some major nation-state efforts, bad actors continue to use adware as the method of choice to make money from infecting the macOS operating system, new research shows.

Jamf, a provider of tools to manage Apple computers and devices, found that two adware programs, Pirrit and Climpli, make up the lion’s share of adware encountered in the last 30 days, while a third program, Shlayer, has dominated over the past year. Often the programs are installed during the installation of legitimate programs as part of an affiliate system, and because they are not outright malicious, they are not always detected by antivirus software.

“Overall, we are seeing a lot of families of adware on macOS. If these adware families are able to make it onto your system with these basic approaches to social engineering, then bigger threat actors are almost guaranteed to not have many problems getting there either.”

So what’s the upshot for you? It’s not as easy to get Malware onto a Mac, due to the additional layered protections, and smaller population of machines compared to Windows, but expect it to happen, especially if the return on investment draws an audience.


CN: A Million People’s Personal Information Leaked by Chinese VPN Application

Quickfox is a free VPN service primarily used to access Chinese sites from outside of mainland China. The leak exposed a variety of personally identifiable information (PII) from users, including names, phone numbers, other software installed on their devices, and more.

“There was no need for a password or login credentials to see this information, and the data was not encrypted. Based on the records exposed, our team estimates that the breach affected at least a million Quickfox users. We reached out to the company, but did not receive a reply so far.”

The leak was caused by incomplete ELK stack security. ELK (Elasticsearch, Logstash, and Kibana) are three open-source programs which streamline searches through large files, such as the logs of an online service like Quickfox.

Quickfox had set up access restrictions from Kibana, but had not set up the same security measures for their Elasticsearch server. That meant that anyone with a browser and an internet connection could access Quickfox logs and extract sensitive information on Quickfox users.

The leak exposed around 500 million records totaling over 100GB of data. The information contained mainly two types of data.

  • The first type was the personal information of approximately 1 million users.
  • The second type was about the software located on the devices of over 300K users.

All the documents found were dated between June 2021 and September 2021. Based on IP addresses found in the leak, it primarily affected users located in the USA, Japan, Indonesia, and Kazakhstan.

The PII found in this leak included customers’ emails, phone numbers, device type, user’s original IP address, and MD5 hashed passwords. While the passwords were hashed, MD5 is an archaic hashing technique that leaves user passwords vulnerable to modern password cracking techniques.
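To see why an unsalted MD5 digest protects a weak password about as well as plaintext, and what a sound scheme looks like, here is an added example that is not code from the original post or from Quickfox. The accounts, passwords, "leaked" digests and the small word list are all constructed for illustration; the scrypt parameters are this example's own choice.

```python
"""Unsalted MD5 versus a salted, memory-hard password hash.

Added example, not code from the original post or from Quickfox. The accounts,
passwords and "leaked" digests below are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed leak: unsalted MD5 digests, the format the story describes.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"xK9#vQ2!pL7zR").hexdigest(),
}

# Constructed stand-in for a common-password word list.
COMMON_PASSWORDS = ["123456", "password", "password123", "letmein", "qwerty"]


def recover_with_lookup_table(leaked, candidates):
    """Unsalted, fast hashes let one precomputed table serve every account:
    hash each candidate once, then look up each leaked digest in it."""
    table = {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}
    return {user: table[d] for user, d in leaked.items() if d in table}


def hash_password(password, salt=None):
    """Per-user random salt + memory-hard scrypt (stdlib). Store salt and digest.
    The cost parameters are this example's choice, not a published recommendation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def salted_hashes_differ(password):
    """Two users with the same password get different stored digests, so a
    table built against one account says nothing about any other."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    print("recovered from MD5 leak:", recover_with_lookup_table(LEAKED_MD5, COMMON_PASSWORDS))
    salt, digest = hash_password("letmein")
    print("scrypt verify:", verify_password("letmein", salt, digest))
    print("same password, different digests:", salted_hashes_differ("letmein"))
```

The contrast is the point: with MD5 the two accounts that used a common password fall to a dictionary lookup, while the salted scrypt digests for the same password differ per user and each guess costs a memory-hard computation.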

So what’s the upshot for you? Be sure to research a VPN service before using it. In general, if a VPN is not making a profit through subscription services, then the VPN is making a profit by other means, often by collecting your data. If you choose to use a free VPN, make sure you understand and are comfortable with the information they collect. In addition, only share the information which is necessary to operate the program.


US: US Government may limit the export of PenTest and Hacking Tools

The U.S. Commerce Department wants tighter controls on companies selling hacking tools that could be used for malicious purposes to certain foreign governments without a license from the agency’s Bureau of Industry and Security.

A new, interim rule, which will become effective in 90 days, would establish Commerce’s export governance over cybersecurity items used for national security and anti-terrorism and includes a licensing requirement for sales to certain countries of concern, including China and Russia. In the wrong hands, “these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” the interim rule reads. The control also applies to un-encrypted products. The Bureau of Industry and Security will vet all end-users before granting a license.

The rule’s wording, which has been repeatedly refined since 2015, is still a bit complicated. It will require U.S. companies selling hacking software and equipment to obtain a license from the Bureau of Industry and Security to sell such technologies to countries that raise eyebrows over “national security or weapons of mass destruction” as well as those that could use them for espionage or other malicious purposes. It would also extend to countries under the U.S. arms embargo.

So what’s the upshot for you? This is a tough rule to implement and is probably more of a message to US companies that prosecution could be the costly end result of an investigative process into the sharing of this type of code.


US: A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers

The study signals that telecommunications companies may not escape the Federal Trade Commission’s efforts to establish consumer privacy protections, even as platforms like Facebook and Google dominate the conversation.

The report, which the agency ordered in 2019, looked at six of the largest Internet Service Providers (ISPs) — AT&T Mobility, Verizon Wireless, Charter Communications Operating, Comcast (Xfinity), T-Mobile US, and Google Fiber — covering 98% of the mobile internet market. It also covered three affiliated advertising entities: AT&T’s Xandr, Verizon Online, and Oath Americas (Verizon Media).

“While several ISPs in our study tell consumers they will not sell their data, they fail to reveal to consumers the myriad of ways that their data can be used, transferred, or monetized outside of selling it, often burying such disclosures in the fine print of their privacy policies,” the report concludes. The key takeaways offer a scathing view of the industry’s privacy practices as a whole, Federal Trade Commission members suggested.

Common collection practices across many of the ISPs included gathering data that wasn’t necessary to provide internet services, as well as using web browsing data to serve up specific advertisements. Targeted ad groupings, for instance, included categories such as “Gospel and Grits,” “Hispanic Harmony,” and “Asian Achievers.” (Public reports show that the practice of advertising along the lines of race, gender, economic status, and sexuality can lead to “digital redlining” that violates civil rights laws, such as discrimination in housing and job ads.)

Numerous ISPs also shared real-time location data with third parties, allowing third parties to garner sensitive details about an individual’s life, such as if they visit a rehab or where their children go to daycare. The sharing of such data with third parties was recently tied to the public outing of a Catholic priest.

So what’s the upshot for you? This work will complement the Federal Communications Commission’s own work in this area; the FCC has more authority over the activities of Internet Service Providers.


Global: Fuzz testing. What is Fuzz Testing?

Fuzz testing, or fuzzing, is a dynamic application security testing technique for negative testing. Fuzzing aims to detect known, unknown, and zero-day vulnerabilities. A fuzzing tool can be used to create a test case and send malformed or random inputs to fuzz targets. Their objective is to trigger bad behaviors, such as crashes, infinite loops, and/or memory leaks. These anomalous behaviors are often a sign of an underlying vulnerability.

There are four types of fuzzers:

  1. Random fuzzers send random inputs to an application. There is no systematic method to the generation of these test cases, and they do not resemble a valid input.
  2. Template fuzzers utilize manually supplied custom inputs and modify them to include anomalies. They are more effective than random fuzzers, because they resemble valid inputs.
  3. Generational fuzzers understand the inner workings of their input type. These tests are written to resemble a valid input while evading common error-detection techniques. Protocol-based fuzzers are a common example of generational fuzzers.
  4. Guided fuzzers are intelligent, containing the capability to monitor and leverage the target’s behavior to autonomously generate new, custom test cases on-the fly. These fuzzers have scoring capabilities that measure the effectiveness of the test cases it sends.
    Guided fuzzers do rely on sample inputs, or a corpus, for initial guidance in exploring a program; thereafter, they monitor and leverage the target’s behavioral feedback to generate new, customized test cases on the fly. These newly generated test cases aim to incrementally test new sections of code, checking the security of each new region they successfully reach.
    The speed of guided fuzzers is undeniable. However, they struggle to break through complex conditional clauses within a program, limiting their testing depth. Without guidance, guided fuzzers randomly bounce around a program, struggling to reach deep into the code.
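The difference between a random fuzzer (type 1) and a guided one (type 4) is easiest to see on a tiny target. The following is an added example, not code from the original post: the length-prefixed record parser, its planted defect (a divide-by-zero reachable only through a nested condition), the seed corpus and the mutation operators are all constructed for illustration, and the branch labels the parser returns stand in for the coverage feedback a real guided fuzzer obtains by instrumenting the binary.

```python
"""A minimal guided fuzzer (type 4) beside a random one (type 1).

Added example, not code from the original post. The target parser and its
planted defect are constructed: a [type][length][payload] record where the
branch for type 0x7F with a zero-length payload divides by zero.
"""
import random


def parse_record(data):
    """Toy parser. Returns (fields, branches_hit); the labels in branches_hit
    play the role of the coverage feedback a guided fuzzer consumes."""
    hit = set()
    if len(data) < 2:
        hit.add("short")
        return None, hit
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    hit.add("header")
    if len(payload) != length:
        hit.add("truncated")
        return None, hit
    if rtype == 0x7F:
        hit.add("type_7f")
        if length == 0:
            hit.add("empty_7f")
            checksum = sum(payload) // length  # planted bug: ZeroDivisionError
        else:
            checksum = sum(payload) % length
        return {"type": rtype, "checksum": checksum}, hit
    hit.add("other_type")
    return {"type": rtype, "payload": payload}, hit


INTERESTING = (0x00, 0x01, 0x7F, 0xFF)  # boundary values, as real fuzzers try


def mutate(rng, data):
    """One random edit of a parent input (template/mutation style)."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                 # overwrite a byte with a random value
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:               # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:                       # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                           # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run_case(data):
    """Execute one test case; an exception is the 'bad behaviour' signal."""
    try:
        _, hit = parse_record(data)
        return hit, None
    except Exception as exc:
        return set(), exc


def random_fuzz(iterations, max_len=6, seed=0):
    """Type 1: unstructured random bytes, no feedback from the target."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(max_len + 1)))
        _, exc = run_case(data)
        if exc is not None:
            crashes.append((data, type(exc).__name__))
    return crashes


def guided_fuzz(seed_corpus, iterations, seed=0):
    """Type 4: mutate corpus entries; keep any child that reaches a new branch."""
    rng = random.Random(seed)
    corpus = list(seed_corpus)
    covered = set()
    for entry in corpus:
        covered |= run_case(entry)[0]
    crashes = []
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        hit, exc = run_case(child)
        if exc is not None:
            crashes.append((child, type(exc).__name__))
        elif hit - covered:             # new coverage: keep it as a future parent
            covered |= hit
            corpus.append(child)
    return crashes, covered


SEED_CORPUS = [b"\x01\x03abc", b"\x7f\x02hi"]  # constructed valid records

if __name__ == "__main__":
    crashes, covered = guided_fuzz(SEED_CORPUS, 10000)
    print("guided: branches", sorted(covered), "crashes", len(crashes))
    print("random:", len(random_fuzz(10000)), "crashes in 10000 cases")
```

The guided run keeps the corpus entry that already reaches the `type_7f` branch and mutates from there, so the defect behind the nested `length == 0` condition is found reliably; the random run has to hit two exact bytes by chance, which is the "struggles with complex conditional clauses" limitation above in miniature.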

So what’s the upshot for you? You asked. Wait, you didn’t ask?


IL: Researcher presented with 5000 networks in Tel Aviv managed to crack 70%

The expert gathered 5,000 WiFi network hashes by strolling the streets of Tel Aviv with simple WiFi sniffing equipment composed of an AWUS036ACH ALFA Network card ($50) that can work in monitoring mode and is able to inject packets.

The expert used the open-source packet analyzer Wireshark running on Linux.
The attack technique is clientless: the attacker doesn’t need to carry out the attack in real time; he just needs to capture a single frame, then eliminate wrong passwords and malformed frames that would disturb the cracking process.

The expert first used a “mask attack” as the Hashcat cracking method, combining dictionary + rules with the mask attack, because many Israeli citizens have the bad habit of using their cellphone numbers as WiFi passwords.
Israeli phone numbers have 10 digits and start with 05, so only the remaining 8 digits had to be guessed. Using a standard laptop, the researcher successfully cracked 2,200 passwords at an average speed of nine minutes per password.

In a second phase, the expert used a standard dictionary attack technique leveraging the ‘Rockyou.txt’ dictionary. He cracked another 1,359 passwords using this technique; most of the cracked passwords contained only digits or only lower-case characters.

So what’s the upshot for you?

  • Choose a complex password. A strong password should include at least one lower case character, one upper case character, one symbol, one digit. It should be at least 10 characters long. It should be easily remembered and hard to anticipate. Bad example: Summer$021
  • Change the default username and password of your router.
  • Update your router firmware version.
  • Disable weak encryption protocols (such as WEP or WPA1).
  • Disable WPS.
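A passphrase check that encodes the advice above, together with the patterns the research cracked most easily (phone numbers, digit-only and lowercase-only strings, and a dictionary word with a short suffix such as the “Summer$021” bad example), follows as an added example that is not code from the original post or the research. The word list is a constructed stand-in for a dictionary such as rockyou.txt, and the phone-number shape (10 digits beginning with 05) is the one the story describes.

```python
"""Check a WiFi passphrase against the recommendations above.

Added example, not code from the original post or the research. COMMON_WORDS
is a constructed stand-in for a real dictionary; the phone-number shape is the
one described in the story.
"""
import re
import string

COMMON_WORDS = {"summer", "winter", "password", "welcome", "football", "iloveyou"}
MIN_LENGTH = 10


def looks_like_il_mobile(pw):
    """10 digits beginning with 05, leaving only 8 unknown digits to guess."""
    return re.fullmatch(r"05\d{8}", pw) is not None


def assess_wifi_password(pw):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            findings.append(f"no {name} character")
    # Patterns the research cracked most easily.
    if looks_like_il_mobile(pw):
        findings.append("looks like a mobile phone number (8 unknown digits)")
    elif pw.isdigit():
        findings.append("digits only: a mask attack covers the whole space")
    elif pw.isalpha() and pw.islower():
        findings.append("lowercase letters only")
    # A dictionary word dressed up with a short suffix or prefix still falls to
    # dictionary + rules, even when every character class is present.
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters in COMMON_WORDS and len(pw) - len(letters) <= 4:
        findings.append(f"dictionary word {letters!r} with a short suffix/prefix")
    return findings


if __name__ == "__main__":
    for candidate in ("Summer$021", "0541234567", "sunshineday", "Tq7!vR2#mZ9p"):
        print(candidate, "->", assess_wifi_password(candidate) or "ok")
```

Note that “Summer$021” passes every character-class rule and still gets flagged: that is why the upshot calls it a bad example, and why the word-list check matters more than the class counting.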

US: The FBI Raids Chinese Point-of-Sale Giant

Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale (POS) terminals in use throughout 120 countries. Today, WOKV.com from Jacksonville, Fla. reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.

The FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals. The payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

Two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, as verified by two different sources.

So what’s the upshot for you? We thought this comment was interesting. “It’s an open secret in the payments industry that PAX was started with IP stolen from an American company.”


KR: Hot on the heels of the show: Squid Game-themed Trouble

South Korean Netflix show Squid Game has become a runaway hit, surpassing Bridgerton to become the most-watched Netflix show of all time. With 111 million viewers and counting, scammers have started to smell blood in the water, Kaspersky reports, and Squid Game-themed scams and malware have begun to appear online.

Some of the latest Squid-scams:

  • Online games purporting to be digital versions of Squid Game with a 100 BNB (Binance Coin) prize (approximately $48,000 USD). Signing up means turning over personal data, with the end result being identity theft and a system likely infected with malware that will only collect more personal data if not found and stopped.
  • Fraudulent Squid Game merchandise websites that try to position themselves as an official store have appeared. Those sites are a goldmine for cybercriminals: Not only are victims providing credit card or banking details, but they’re also sharing personal identifying information like email address, a physical address for shipping, the victim’s real name, and more.

So what’s the upshot for you? We encourage you and those around you, to use caution when seeking out anything to do with the latest craze. If you find something too good to be true, like a pair of the rumored-sold-out white Vans slip-ons, at a decent price, it probably is!


That’s it for this week and look, your Vans stayed nice and clean throughout.

Thanks for joining us. Be kind, stay safe, stay secure and we will see you for the next game in a squidley se7en.



Good luck with that.

The actual process to do this, in conjunction with actually being able to locate the correct & updated firmware, makes this a non-trivial task for all but the hardcore geeks.

It is a pity that the OEM Modem/Routers foisted upon us have no upgrade service plan.

That will start to change. My hope is that observations like yours will drag the manufacturers along into the realms of reality. That, or somewhere, someone will create legislation requiring updates that make it cheaper to have a system that gets updated (preferably automatically).
I can already hear the rumbling in the distance…
Thanks quidagis!
