The Fertile Pasturelands of the IT Privacy and Security Weekly update for February 23rd, 2021

G’day Daml’ers!

This week we move from the farm to the hospital, and all hopefully injury-free.

We’ve got another “kikerikii, jippiyayyeyyy, boomchikahwoowoow” from Zoom, stalking Favicons, and why you might not want to do your personal banking during your Zoom calls.

We even have the lowdown on the hot new invite-only app that you… somehow got an invite for… and have been using non-stop for the last couple of weeks.

It’s all here and we know you are going to love jumping up on the combine harvester and taking in the fertile pasturelands of the IT Privacy and Security Weekly Update…

The general consensus from the farming community is that this is the best one yet!

US: Farmers and legislators channel rural frustration as they push for tractor "Right to Repair"

John Deere has long been a focal point of the right to repair movement, given its refusal to let farmers fix their own tractors when high-tech components go down.

In response to the growing backlash, the company promised in 2018 to give its customers the tools they need to be self-sufficient. But an investigation by the nonprofit US Public Interest Research Group found that little if any progress had been made to that effect.

Farmers by and large still don’t have access to the tools and diagnostics that they need to address software malfunctions and other breakdowns associated with John Deere’s proprietary technology. Meanwhile, right to repair legislation has gained momentum across dozens of states. It appears that may be the only way to empower farmers to fix the equipment they own the way they want to.

So what’s the upshot for you? Using tech to force people to service through a particular supply chain is not nice. Momentum is building and if one thing is for certain, it’s that you don’t mess with farmers.

Global: Flaws in Zoom’s Keybase App Kept Chat Images From Being Deleted

The Keybase flaw manifested itself in two ways.

First: images that were copied and pasted into Keybase chats were not reliably deleted from a temporary folder, /uploadtemps, associated with the client application. “In general, when you would copy and paste in a Keybase chat, the folder would appear in (the uploadtemps) folder and then immediately get deleted. But occasionally that wouldn’t happen. Clearly there was some kind of software error – a collision of sorts – where the images were not getting cleared.”

Second: discovering that initial flaw put researchers on the hunt for more and they soon struck pay dirt again when they discovered an unencrypted directory, cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. “The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format.”

In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.”

So what’s the upshot for you? Zoom takes privacy and security “very seriously.”
When you repeat this phrase as often as Zoom has over the last couple years, it becomes pretty obvious that they need Alex Stamos back. (…after Facebook and Zoom, Alex has moved on to oversee the SolarWinds debacle as “temporary cyber security expert in residence”).

US: Tales of F A V I C O N S and Caches: Persistent Tracking in Modern Browsers

Sites Have a New Way to Track You—Even If You Go Incognito or Clear the Cache

The technique works by focusing on favicons, the little icon that your browser displays to represent the site you’re on. Because most browsers store those favicons separately from your browsing history and cookies, traditional means of avoiding tracking like using a private mode or clearing your cache don’t affect them.

According to four researchers at the University of Illinois at Chicago, sites can use a unique series of favicons to identify you and track you across the web no matter what.
Chrome, Safari, and Edge are all currently vulnerable to the attack. Google and Apple have said they’re looking into it.

So what’s the upshot for you? You keep working to maintain your privacy and companies will keep trying to strip you of it. Maybe big fines are the best way to end unauthorized data slurping.

US: Accellion and its 20-year-old file transfer service

The cyber-incident happened in mid-December 2020, when a hacking group that FireEye’s Mandiant security researchers track as UNC2546 exploited an SQL injection flaw in FTA, which allowed it to deploy web shells and access customer data.
A total of four vulnerabilities in FTA were targeted in the attack, all of which have already been patched. Accellion is moving forward with plans to retire the service, which was designed to allow customers to transfer large files.
FTA is over two decades old and will no longer receive support past April 30, 2021.

AU: Australian Health and Transport Agencies compromised in Accellion Hack

Transport for NSW, which is the main transport and roads agency in New South Wales, Australia, and NSW Health, the state’s ministry of health, are the latest confirmed victims of a cyber-attack targeting Accellion’s FTA file transfer service.

US: Ohio Supermarket chain compromised in Accellion Hack

Kroger has confirmed that it was impacted by the data security incident affecting Accellion, Inc.
Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.

So what’s the upshot for you? Administrators have to follow the news. You can’t keep using vulnerable software and think that no one will know. There is such a volume of scanning going on that within 5 minutes of an Internet facing address going live it is scanned. If you are running software with publicly exposed vulnerabilities, it’s like painting a big red X on your t-shirt.

Fix the vulnerability and then take the T-shirt off. In that order.

Global: Don’t bank during your Webex, Teams or Zoom calls.
From the Network and Distributed System Security Symposium

In a joint study recently published by the Universities of Oklahoma and Texas at San Antonio they design and evaluate an attack framework to infer private information from the video stream of a call – keystrokes, i.e., text typed during the call. Thankfully, they also propose and evaluate effective mitigation techniques that can protect users when they type during a video call.
To achieve the compromise, the recorded video is fed into a video-based keystroke inference framework that goes through three stages:

  1. Pre-processing, where the background is removed, the video is converted to grayscale, and the left and right arm regions are segmented with respect to the individual’s face, which is detected via a model dubbed FaceBoxes.
  2. Keystroke detection, which takes the segmented arm frames and computes the structural similarity index measure (SSIM) between consecutive frames in each of the left and right side video segments, quantifying body movement and identifying potential frames where keystrokes happened.
  3. Word prediction, where the keystroke frame segments are used to detect motion features before and after each detected keystroke, and those features are used to infer specific words with a dictionary-based prediction algorithm.

Who did they catch most often? Short sleeved, hunt and peck types on big, loud mechanical keyboards in a quiet room with flat, even lighting.

So what’s the upshot for you? How do you lower the odds from 75%? Wear sleeves or move the camera up so it covers just your head and shoulders, change the lighting during the video call, get one of those solar hula dancers in the window that clicks loudly as it dances, and sit on a chair that rolls around.
Done. Protected!

US: Venture Capital firm Sequoia Capital reports a data breach

Sequoia Capital told its investors on Friday that some of their personal and financial information may have been accessed by a third party, after a Sequoia employee’s email was successfully phished.

"We recently experienced a cybersecurity incident. Our security team responded promptly to investigate, and we contacted law enforcement and engaged leading outside cybersecurity experts to help remediate the issue and maintain the ongoing security of our systems.
We regret that this incident has occurred and have notified affected individuals. We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats."

Sequoia is one of the largest and most successful venture capital firms in the world, with a portfolio of companies like Airbnb, DoorDash, and Robinhood.

So what’s the upshot for you? There is a certain amount of irony here as it has also made big investments in cybersecurity firms like FireEye and Carbon Black.

Global: "In Da club. Bottle full of bubb"

Streaming private clubhouse rooms

The app, currently available only on iPhones, allows users to quickly and easily set up and discover panel-style discussions, with a small group of speakers and potentially thousands of listeners in each room. It has been strictly limited since its launch in April, with users requiring an invitation before they can create an account. It initially gained popularity in the tech and venture capitalist community of the San Francisco Bay area.
Its exclusivity has also encouraged some users to breach the company’s security. On Tuesday, Clubhouse announced it had permanently banned one such user, who had set up a relay that streamed the audio from multiple rooms to a website called OpenClubhouse. That would have helped users without an iPhone or without an invitation to the service to listen in on some of the platform’s elite conversations: tech figures including Mark Zuckerberg, Elon Musk and Marc Andreessen have all appeared in Clubhouse chatrooms.

US: Assume Clubhouse Conversations Are Being Recorded, Researchers Warn

The heart of Clubhouse’s security woes is its backend “real-time voice and video engagement platform” provided by Shanghai-based startup Agora.

Clubhouse web traffic is directed to Agora’s server in China, including personal metadata, without encryption, according to the Stanford Internet Observatory (SIO), which was the first to raise the alarm about Clubhouse’s privacy and security protections on Feb. 12.

Because Agora is based in China and Silicon Valley, it is subject to cybersecurity laws of the People’s Republic of China, which the company acknowledged could require it to assist the government in investigations by providing audio.
Agora is a Shanghai-based start-up, with U.S. headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon.

In other words, it provides the nuts-and-bolts infrastructure so that other apps, like Clubhouse, can focus on interface design, specific functionalities, and the overall user experience. If an app operates on Agora’s infrastructure, the end-user might have no idea.

How do we know it provides back-end support to Clubhouse?

SIO analysts observed Clubhouse’s web traffic using publicly available network analysis tools, such as Wireshark.

Our analysis revealed that outgoing web traffic is directed to servers operated by Agora, including “”
Joining a channel, for instance, generates a packet directed to Agora’s back-end infrastructure. That packet contains metadata about each user, including their unique Clubhouse ID number and the room ID they are joining. That metadata is sent over the internet in plaintext (not encrypted), meaning that any third-party with access to a user’s network traffic can access it.
Analysis of Agora’s platform documentation also reveals that Agora would likely have access to Clubhouse’s raw audio traffic. Barring end-to-end encryption (E2EE), that audio could be intercepted, transcribed, and otherwise stored by Agora. It is exceedingly unlikely that Clubhouse has implemented E2EE encryption.

So what’s the upshot for you? Another social networking app with plumbing through China? Remember that the Chinese government can request any data from any company working within China, and if you add that to all the data they have collected about you from all the breaches over the last few years… well, it could all get embarrassing somewhere down the road…

CN: China Hijacked an NSA Hacking Tool in 2014—and Used It for Years

More than four years after a mysterious group of hackers known as the Shadow Brokers began wantonly leaking secret NSA hacking tools onto the internet, the question that debacle raised—whether any intelligence agency can prevent its “zero-day” stockpile from falling into the wrong hands—still haunts the security community.

That wound has now been reopened, with evidence that Chinese hackers obtained and reused another NSA hacking tool years before the Shadow Brokers brought it to light.

On Monday, the security firm Check Point revealed that it had discovered evidence that a Chinese group known as APT31, also known as Zirconium or Judgment Panda, had somehow gained access to and used a Windows-hacking tool known as EpMe created by the Equation Group, a security industry name for the highly sophisticated hackers widely understood to be a part of the NSA.

According to Check Point, the Chinese group in 2014 built their own hacking tool from EpMe code that dated back to 2013.
The researchers say they made their discovery while digging through older Windows privilege escalation tools to create fingerprints that they could use to attribute those tools to certain groups.

The approach helps better identify the origin of hackers found inside customers’ networks.
At one point Check Point tested one of these fingerprints its researchers had created from the APT31 hacking tool and were surprised to find that it matched not Chinese code, but Equation Group tools from the Shadow Brokers’ leak.

“When we got the results, we were in shock. We saw that this was not only the same exploit, but when we analyzed the binary we found that the Chinese version is a replica of the Equation Group exploit from 2013.”

The vulnerability was patched by Microsoft in May 2017, after the Shadow Brokers’ leak.

So what’s the upshot for you? The downside of backdoors in computer code, or of secret tools that leverage zero-day vulnerabilities, is that if they get away from you, they can end up being more dangerous to you than they were ever useful.

US: Nvidia wants to protect the gameRs from the mineRs

If you have tried to buy a super fast GPU over the last few years you’ve probably been frustrated at the lack of supply. For gamers, the problem has been that crypto mining also works really well on these chips. Well, now Nvidia is stepping into the fray with a profitable solution.

Nvidia says: "Our GeForce RTX GPUs introduce cutting-edge technologies — such as RTX real-time ray-tracing, DLSS AI-accelerated image upscaling technology, Reflex super-fast response rendering for the best system latency, and many more. But they also include drivers that slow down when they determine Ethereum is being mined."

Reports suggest that Nvidia’s anti-crypto drivers work by detecting memory usage that looks like a Dagger-Hashimoto computation, which needs to follow unusual but unavoidable memory access patterns, and cut the speed of ETH hashing in half.

And to address the miners… "we’re announcing the NVIDIA CMP, or, Cryptocurrency Mining Processor, product line for professional mining.

CMP products — which don’t do graphics — are sold through authorized partners and optimized for the best mining performance and efficiency. They don’t meet the specifications required of a GeForce GPU and, thus, don’t impact the availability of GeForce GPUs to gamers.

For instance, CMP lacks display outputs, enabling improved airflow while mining so they can be more densely packed. CMPs also have a lower peak core voltage and frequency, which improves mining power efficiency.
Creating tailored products for customers with specific needs delivers the best value for customers. With CMP, we can help miners build the most efficient data centers while preserving GeForce RTX GPUs for gamers."

So what’s the upshot for you? It won’t stop crypto-mining on your unsecured laptop or server, but taking a product line, splitting it in two, optimizing for subtle differences in each and creating two markets where before you had one? We always clocked Jensen Huang as a smart guy, here’s proof.

US: Now here is a great idea!

Block DNS lookups for bad domains!

“The MDBR service is a no-cost service available from the Center for Internet Security, Inc. (CIS®), in partnership with Akamai, for U.S.-based hospitals and healthcare organizations. MDBR technology prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain.”
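The idea behind a protective DNS service like MDBR is small enough to show in a few lines: normalise the query name, check it and every parent domain against a blocklist, and answer blocked names with NXDOMAIN instead of forwarding them. The Python below is an added illustration, not CIS/Akamai code; the blocklist, the log format and the client addresses are all constructed for the example.

```python
"""Added example of a protective-DNS blocklist check (not MDBR's code).
The query name and each of its parents are checked, so a blocklisted
'bad.example' also blocks 'cdn.bad.example' but not 'notbad.example'.
Blocklist, query log and its format are constructed for this example."""

# Constructed blocklist; a real service loads feeds of known-bad domains.
BLOCKLIST = {"bad.example", "ransom-delivery.test"}


def normalise(name: str) -> str:
    """Lower-case and strip whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parent_domains(name: str):
    """Yield the name, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if the query name or any parent domain is blocklisted."""
    return any(d in blocklist for d in parent_domains(qname))


def resolve_decision(qname: str, blocklist=BLOCKLIST) -> str:
    """What a protective resolver answers: NXDOMAIN for blocked
    names, FORWARD (to the upstream resolver) for everything else."""
    return "NXDOMAIN" if is_blocked(qname, blocklist) else "FORWARD"


# Constructed resolver query log, one "<client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
10.1.2.3 portal.hospital.example. A
10.1.2.7 cdn.bad.example. A
10.1.2.3 BAD.example A
10.1.2.9 notbad.example. AAAA
10.1.2.7 updates.ransom-delivery.test. TXT
"""


def blocked_from_log(log: str, blocklist=BLOCKLIST):
    """Return (client, qname) pairs whose lookups would be blocked."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip malformed lines rather than crash
        client, qname = parts[0], parts[1]
        if is_blocked(qname, blocklist):
            hits.append((client, normalise(qname)))
    return hits


if __name__ == "__main__":
    for client, qname in blocked_from_log(SAMPLE_LOG):
        print(f"blocked {client} -> {qname}")
```

The log walk is the detection side of the same check: clients that repeatedly hit blocked names are the machines worth looking at first.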

So what’s the upshot for you? It’s about time that someone thought about the underfunded hospitals that have their hands tied when it comes to malware. Simple, efficient, effective and cheap! We love it!

And by the way, a big shout-out to all the Doctors, Nurses, teachers, first responders, and essential workers that have kept us healthy, schooled and fed through a full year of global pandemic.

We are awed by you.

Thank you.

Well that’s it for another week Daml’ers! We’ve got fields to plow, code to write and blogs to publish, but we’ll be back in se7en days!
