The Foxy IT Privacy and Security Weekly update for June 21st. 2022



Daml’ers,

This week we chase up stories from ‘round the globe from inner to outer space. We surmise that if some countries’ plans to harvest solar energy are successful it might just induce your rellies to forget about you.

We let you in on a little million-dollar lost wager and a new student movement to get you to log off.

We finish with a sad story about a little fox, that’s getting smaller by the day and our valiant call to re-install.
Fox-Png-Clipart-3

OK, gang, once those downloads are complete, log off, resist the tweet, and we’ll hit the street for our weekly ITP&SWU treat!

IN: Police Linked to Hacking Campaign to Frame Indian Activists

POLICE FORCES AROUND the world have increasingly used hacking tools to identify and track protesters, expose political dissidents’ secrets, and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets’ computers that the same police then used as grounds to arrest and jail them.

More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges.

Researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group.

But only now have SentinelOne’s researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.

Digital forensics firm Arsenal Consulting analysts found that evidence had clearly been fabricated on both machines. In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder of the computer’s hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Indian prime minister Narendra Modi. The letter was, in fact, created with a version of Microsoft Word that Wilson had never used, and that had never even been installed on his computer.

To the researchers’ surprise, that recovery email on all three accounts included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case.

The three hacked accounts have other fingerprints that link them—and thus the Pune police—to the larger Modified Elephant hacking campaign: The email provider found that the hacked accounts were accessed from IP addresses that SentinelOne and Amnesty International had previously identified as those of Modified Elephant.

To further confirm the link between the recovery email and phone number on the hacked accounts and the Pune City Police, WIRED turned to John Scott-Railton, a security researcher at the University of Toronto’s Citizen Lab.

To prove that the Pune City Police controlled the recovery contacts on the hacked accounts, Scott-Railton dug up entries in open source databases of Indian mobile phone numbers and emails for the recovery phone number that linked it to an email address ending in pune@ic.in, a suffix for other email addresses used by police in Pune.

Scott-Railton found that the number is also linked in the database to the recovery email address connected to the hacked accounts for the same Pune police official.

“We’ve known things have been planted, but the police could have always said, ‘we are not involved in all this,’” says Desai. “By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing full well this was false evidence.”

So what’s the upshot for you? The conclusion that Pune police are tied to a hacking campaign presents a disturbing new example of the dangers of hacking tools in the hands of law enforcement—even in an ostensible democracy like India.

And the victims of this police corruption? The victims have remained in jail even as the evidence against them proves to be more conclusive with every passing day.


Global: Cryptographic Submission of War Crimes Evidence

Starling Lab, an academic research center co-founded by Stanford University’s Department of Electrical Engineering and the USC Shoah Foundation, together with social enterprise Hala Systems, announced today they have submitted a novel cryptographic dossier, documenting possible war crimes in Kharkiv, Ukraine, and submitted it to the Office of the Prosecutor of the International Criminal Court.

Amidst escalating attacks against Ukraine’s second-largest city, a global team of experts worked quickly to preserve and authenticate a complex evidence base.

Using photos, video, and web scraping, sourced from social media and messaging platforms, engineers and lawyers worked together to produce an unbroken chain of evidence on the decentralized web. This process establishes the provenance of the data and allows prosecutors to prove it has not been tampered with from the field to the courtroom.

New methods used in the submission describe how decentralized and cryptographic tools can:

  • Establish the authenticity and origin of digital content
  • Protect the identity of the sources and investigators
  • Secure preservation of documents and distributed crowdsourced analysis
  • Create robust chains of custody to help self-authenticate digital content

So what’s the upshot for you? This is a phenomenal new use of blockchain tech.


KP: DPRK hackers are tricking their way into jobs with Western firms.

When businesses unknowingly contract with North Koreans, they are violating government sanctions and face legal risk.

North Korean IT contractors also can use their access to plant malware and facilitate espionage and intellectual property theft.

The US issued an alert recently which lists a number of “red flag indicators” of a North Korean IT worker scam.

Many overlap with general best practices for avoiding online scams, like monitoring for unusual logins or IP addresses and contractors who use suspicious digital accounts to collect payments or require payment in cryptocurrency, submit formulaic job applications and documents rather than personalized ones, and have perfect reviews on hiring websites that were all written within a short time span.

So what’s the upshot for you? KYC (Know your customer) now becomes KYE (know your employee) and with a global marketplace of piecemeal contract work that is going to be harder than we imagine!


Global: A Linux Botnet That Spreads Using Stolen SSH Keys

Linux users need to watch out for a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device’s memory.

The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.

But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency

So what’s the upshot for you? Configuring strong SSH passwords should stop the malware in its tracks since it uses a very basic list of default passwords to spread.

Akami has published indicators of compromise (IOCs), queries, signatures, and scripts that can be used to test for infection.


Global: A New Vulnerability in Intel and AMD CPUs Lets Hackers Steal Encryption Keys

Hardware manufacturers have long known that hackers can extract secret cryptographic data from a chip by measuring the power it consumes while processing those values.

Fortunately, the means for exploiting power-analysis attacks against microprocessors is limited because the threat actor has few viable ways to remotely measure power consumption while processing the secret material.

Now, a team of researchers has figured out how to turn power-analysis attacks into a different class of side-channel exploit that’s considerably less demanding.

The team discovered that dynamic voltage and frequency scaling (DVFS) – a power and thermal management feature added to every modern CPU – allows attackers to deduce the changes in power consumption by monitoring the time it takes for a server to respond to specific carefully made queries.

The discovery greatly reduces what’s required. With an understanding of how the DVFS feature works, power side-channel attacks become much simpler timing attacks that can be done remotely.

The researchers have dubbed their attack Hertzbleed because it uses the insights into DVFS to expose – or bleed out – data that’s expected to remain private.

The researchers have already shown how the exploit technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel.

So what’s the upshot for you? Neither Intel nor AMD are issuing microcode updates to change the behavior of the chips. Instead, they’re endorsing changes Microsoft and Cloudflare made respectively to their PQCrypto-SIDH and CIRCL cryptographic code libraries.


***US: Ex-Amazon Employee Convicted Over Data Breach of 100 Million CapitalOne Customers ***

Paige Thompson, a former Amazon employee accused of stealing the personal information of 100 million customers by breaching banking giant CapitalOne in 2019, has been found guilty by a Seattle jury on charges of wire fraud and computer hacking.

Thompson, 36, was accused of using her knowledge as a software engineer working in the retail giant’s cloud division, Amazon Web Services, to identify cloud storage servers that were allegedly misconfigured to gain access to the cloud-stored data used by CapitalOne.

That included names, dates of birth, Social Security numbers, email addresses, and phone numbers, and other sensitive financial information, such as credit scores, limits, and balances.

Some one million Canadians were also affected by the CapitalOne breach.

Thompson also accessed the cloud-stored data of more than 30 other companies, according to a superseding indictment filed by the Justice Department almost two years after Thompson was first charged, which reportedly included Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation.

So what’s the upshot for you? She receives final sentencing in September.


AU: The right to be forgotten

If you are familiar with GDPR you know about the “right to be forgotten.” Well, this has nothing to do with that.

If you have older grandparents or parents, you might have an opportunity to do them a favor before they forget who you are.

Vitamin D (actually a hormone) is available as a capsule and supposedly helps with cell-level biomechanics in our bodies, boosting mood and cell-level functions.

Researchers at the University of South Australia have uncovered a link between vitamin D deficiency and an increased risk of dementia and stroke. The study found that a decent proportion of cases of dementia may be prevented by boosting levels of the hormone.

Vitamin D plays some important roles in the body, primarily helping with the uptake of calcium and phosphorus. The majority of a person’s vitamin D intake doesn’t come from food but from the Sun, as the skin produces it in response to UV light exposure.

“Our study is the first to examine the effect of very low levels of vitamin D on the risks of dementia and stroke, using robust genetic analyses among a large population,” said Professor Elina Hyppönen, senior investigator of the study.

“In some contexts, where vitamin D deficiency is relatively common, our findings have important implications for dementia risks.

Indeed, in this UK population, we observed that up to 17 percent of dementia cases might have been avoided by boosting vitamin D levels to be within a normal range.”

…and then some research on another disease affecting memory and that same group:

New research published today (June 9, 2022) in the journal Nutrients shows that people with a higher blood DHA level are 49% less likely to develop Alzheimer’s disease vs. those with lower levels, according to the Fatty Acid Research Institute (FARI).

The study, led by Aleix Sala-Vila, Ph.D., suggested that providing extra dietary omega-3 DHA, especially for those carrying the ApoE4 gene (which approximately doubles an individual’s susceptibility to developing AD) might slow the development of the disease.

Such a cost-effective, low-risk dietary intervention like this could potentially save billions in health care costs.

So what’s the upshot for you? While there is some controversy over vitamin (and steroid) supplements, we’d say it might be worthwhile to do a little research on them yourself. It might be all the difference in retaining their fond memories of you.


CN: Solar energy to be beamed back to Earth from space by 2028

China has accelerated its ambitious plans to build the world’s first solar power plant in space, aiming to launch two years ahead of schedule in 2028.

A trial satellite will be sent out to orbit at an altitude of 250 miles which should absorb and beam solar energy back to specific locations on Earth, or to moving satellites.

That energy will have to first be converted into microwaves or lasers, before being sent on to a new destination.

Space-based solar power is expected to be much more efficient, as its location will allow for sunlight to be received at greater intensity compared to solar panels installed on Earth.

Such technology, if scaled up, could become a key tool in helping nations minimize carbon emissions and reach climate change targets.

China’s test station is estimated to generate 10 kilowatts of power – just enough to power a handful of households.

The power plant would need to be expanded to allow for greater absorption and distribution of energy, which could have both military and civilian applications.

So what’s the upshot for you? Can we imagine a day when the skies are so full of solar panels and you won’t need to put on sunblock to go to the beach, because so little of the sun’s rays will actually make it to your beach towel? How will we ever get our “Vitamin D”?


CN: Leaked Audio From 80 Internal TikTok Meetings Shows That US User Data Has Been Repeatedly Accessed From China

For years, TikTok has responded to data privacy concerns by promising that information gathered about users in the United States is stored in the United States, rather than China, where ByteDance, the video platform’s parent company, is located.

According to leaked audio from more than 80 internal TikTok meetings, China-based employees of ByteDance have repeatedly accessed nonpublic data about US TikTok users — exactly the type of behavior that inspired former President Donald Trump to threaten to ban the app in the United States.

Ultimately, the tapes suggest that the company may have misled lawmakers, its users, and the public by downplaying that data stored in the US could still be accessed by employees in China.

When asked for comment, Booz Allen Hamilton spokesperson Jessica Klenk said something about the above information was incorrect, but refused to specify what it was. "…I can tell you that what you’re asserting here is inaccurate.”

“Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.”

TikTok has said in blog posts and public statements that it physically stores all data about its US users in the US, with backups in Singapore.

“Physical location does not matter if the data can still be accessed from China.”

So what’s the upshot for you? If data flows through China, or can even be accessed from China it can be copied there and sequestered by the Chinese government.


CN: Now China wants to censor online comments

On June 17, the internet regulator Cyberspace Administration of China (CAC) published a draft update on the responsibilities of platforms and content creators in managing online comments.

One line stands out: all online comments would have to be pre-reviewed before being published. Users and observers are worried that the move could be used to further tighten freedom of expression in China.

The new changes affect Provisions on the Management of Internet Post Comments Services, a regulation that first came into effect in 2017. Five years later, the Cyberspace Administration wants to bring it up to date.

There’s a need for a stand-alone regulation on comments because the vast number makes them difficult to censor as rigorously as other content, like articles or videos.

Beijing is constantly refining its social media control, mending loopholes, and introducing new restrictions. But the vagueness of the latest revisions makes people worry that the government may ignore practical challenges.

For example, if the new rule about mandating pre-publish reviews is to be strictly enforced—which would require reading billions of public messages posted by Chinese users every day—it will force the platforms to dramatically increase the number of people they employ to carry out censorship.

It’s clear that China is identifying the Great Firewall’s loopholes and updating its regulations to address them.

The most recent changes are “unapologetically part of China’s continued expansion of content regulations beyond mainstream media to now cover user content generated through comments and other interactive features,”

So what’s the upshot for you? “Although China’s internet is one of the most censored in the world, there is still some space for discussing sensitive topics.

People can play a clever cat-and-mouse game with censors and make creative adjustments once posts are censored.

However, the new system could make that next to impossible and tighten the already limited space for freedom of expression on sensitive topics even further.”


DE: German Regulators Open Investigation Into Apple’s App Tracking Transparency

In Germany, big publishing companies like Axel Springer are pushing back against Google’s stated plans to remove third-party cookie support from Chrome.

The notion that if a company has built a business model on top of privacy-invasive surveillance advertising, they have a right to continue doing so, seems to have taken particular root in Germany. It’s like pawn shops suing to keep the police from cracking down on a wave of burglaries…

So what’s the upshot for you? The Bundeskartellamt perspective here completely disregards the idea that surveillance advertising is inherently unethical and Apple has studiously avoided it for that reason, despite the fact that it has proven to be wildly profitable for large platforms.

Apple could have made an enormous amount of money selling privacy-invasive ads on iOS, but opted not to.


DE: Deutsche Bank staff forced to install phone app that tracks messages

Deutsche Bank is installing an app on some of its employees’ phones that lets it monitor their calls, texts, and WhatsApp messages, according to the Financial Times.

The bank has spent the last few weeks installing the app from US firm Movius on work phones so that its compliance teams can keep an eye on communications with clients, says the FT, citing sources. Deutsche Bank has not commented.

The move comes as regulators in the US, UK, and Germany all step up their interest in client communications.

The FT has previously reported that a former executive at Deutsche Bank’s asset management unit has cited WhatsApp use in a whistleblower complaint to Germany’s BaFin, which has recently asked the bank for details on how employees use messaging apps.

So what’s the upshot for you? Apparently, the app has only been mandated on work phones… In the other back pocket is the personal phone.


Global: 24.6 Billion Pairs of Credentials For Sale On Dark Web

More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

Data recorded from last year reflected a 64 percent increase over 2020’s total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020.

Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said.

Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years.

This represents a 34 percent increase from 2020.

Seventy-five percent of the passwords for sale online were not unique.

Proactive account protection, consistent application of good authentication habits, and awareness of one’s organizational digital footprint are necessary to protect against account takeover attacks, the study found.

Individuals, the report said, should “use multi-factor authentication, password managers, and complex, unique passwords.”

So what’s the upshot for you? More data to back up our suggestions that you use 2FA (Two factor Authentication) wherever and whenever you can.


Global: Telegram Founder Pavel Durov Owes Me a Million Dollars

While he couldn’t even ethically accept the million dollars, PC Magazine’s senior security analyst Max Eddy writes that “how this happened in the first place is indicative of some of the information security industry’s worst impulses. It doesn’t have to be this way.”

Back in 2017, Telegram founder Pavel Durov and I had a disagreement… Durov tweeted about how the Signal secure messaging app had received money from the U.S. government. This is true; Signal received funds from the Open Technology Fund (OTF) — a nonprofit that previously was part of the US-backed Radio Free Asia.

According to the OTF’s website, it gave nearly $3 million between 2013 and 2016. It’s entirely legitimate to be suspicious of government funding (even if TOR, OpenVPN, and WireGuard also received OTF money), and even take a moral stand against recipients of money from governments you disagree with.

But Durov went far beyond that. He seemed to think this meant Signal was bought off by the feds and predicted that a backdoor would be found within five years.

It made me mad that companies ostensibly working to better people’s lives by protecting their security and privacy were trying to drag each other down publicly.

This is not new; the VPN industry is full of whisper campaigns and counter-accusations.

I can’t tell you how many conversations I’ve had with VPN vendors that start with “first off, everything you heard is a lie…”

But generally, the message from companies in this industry is one of cooperation and protecting everyone.

It’s a common theme in keynotes at the RSA Conference and Black Hat that the people who work in infosec have a higher calling to protect other people first and do business second.

And then this happened (on Twitter):

Max Eddy: It’s one thing to point out funding and another to say that a “backdoor will be found within five years.”

Pavel Durov: I am certain of what I’m saying and am willing to bet $1M (1:1) on it.

While Eddy didn’t have a million dollars, “I knew there was no way I would lose. This would be the easiest million-dollar bet I ever make.”

I was confident Durov was wrong because Signal, like many companies, has made an effort toward transparency that I can have some confidence in.

Signal has made its code available, has registered as a nonprofit, has a fairly comprehensive privacy policy, and has made abundantly clear that it has no information to provide in response to law enforcement requests.

Signal’s protocol is also used by competitors, such as WhatsApp and Facebook Messenger, which have surely done their homework when selecting a method for encrypting messages.

Most recently, a document revealed that even the FBI has been frustrated in its attempts to get data from Signal.

It’s been five years, and Eddy now writes that Signal “continues to be recommended by advocacy groups of all kinds as a safe and secure way to communicate…”

So what’s the upshot for you? Finally from Max Eddy: "There have been some tense moments over the years when I thought I might be wrong. One I had forgotten about until I started working on this story came shortly after Durov made his proclamation on Twitter.

A claim from Cellebrite—the people the FBI reportedly hired to crack an iPhone.

That company hinted that they were able to break Signal’s encryption, but this also turned out to be untrue.

Signal continues to be recommended by advocacy groups of all kinds as a safe and secure way to communicate."


Global: A New Student Movement Wants You to Log Off

Two years ago a college sophomore started “the Log Off movement.” This week the New York Times explored its progress — starting with how its mission’s been affected by negative news stories about social media.

As members of Gen Z, we understand that there are positive attributes and there are negative attributes to social media, but right now, in its current usage, it can be really harmful.

Q: How does the Log Off Movement address these issues?

What we are asking for teens to do is to be comfortable talking about their experiences so that we can educate legislators to understand a Gen Z perspective, what we need from technology, what privacy concerns we’re having, what mental health concerns we’re having.

We have an advocacy initiative through Tech Politics, which pushes for laws that help ensure teens have a safe online experience, specifically the California Age Appropriate Design Code Bill…

Q: How have you adjusted your own relationship with social media? What methods have worked?

Whenever I go through a stressful period with exams, I delete Instagram. I know that in periods of stress, I’m going to lean towards mindlessly using it as a form of coping. Another thing that’s worked for me is Grayscale, which makes the phone appear only in black and white.

I use Habit Lab for Chrome, which helps you reduce your time online. It creates a level of friction between you and addictive technology.

So what’s the upshot for you? One app they still enjoy is BeReal (which notifies you and your friends to take an unstaged picture of what you’re genuinely doing at one randomly-chosen moment each day).

But the group’s founder still remembers the “horrific loop” of using social media apps six hours a day (starting with Instagram at the age of 12) — and “feeling as though I could not stop scrolling because it has this weird power over me…”


Global: Is Firefox OK?

Across all devices, the browser has slid to less than 4 percent of the market – on mobile it’s a measly half a percent.

“Looking back five years and looking at our market share and our own numbers that we publish, there’s no denying the decline,” says Selena Deckelmann, senior vice president of Firefox.

Mozilla’s own statistics show a drop of around 30 million monthly active users from the start of 2019 to the start of 2022.

“In the last couple of years, what we’ve seen is actually a pretty substantial flattening,” Deckelmann adds.

In the two decades since Firefox launched from the shadows of Netscape, it has been key to shaping the web’s privacy and security, with staff pushing for more openness online and better standards.

But its market share decline was accompanied by two rounds of layoffs at Mozilla in 2020.

Next year, its lucrative search deal with Google – responsible for the vast majority of its revenue – is set to expire.

A spate of privacy-focused browsers now competes on its turf, while new-feature misfires have threatened to alienate its base. All that has left industry analysts and former employees concerned about Firefox’s future.

Its fate also has larger implications for the web as a whole. For years, it was the best contender for keeping Google Chrome in check, offering a privacy-forward alternative to the world’s most dominant browser.

So what’s the upshot for you? Come on team! Let’s support Firefox, which has done more to drive browser privacy than the next 10 browsers combined!
right fox


…and our quote of the week “The three golden rules to ensure computer security are:

  1. do not own a computer;
  2. do not power it on,
  3. and do not use it.” – Robert Morris


That’s it for this week. Stay safe, stay, secure, log-off, but come back in se7en and bring the fox.



1 Like

Hi, I received an e-mail from you that I did not understand correctly.

Hooman

در تاریخ چهارشنبه ۲۲ ژوئن ۲۰۲۲،‏ ۴:۲۵ Rich via Daml Developers Community <notifications@daml.discoursemail.com> نوشت:

same here. How can I help?

Hello, I am an Iranian. If your email is in Iranian Persian, I will be able to reply. Thanks

Hooman

در تاریخ دوشنبه ۲۷ ژوئن ۲۰۲۲،‏ ۱۷:۴۹ Rich via Daml Developers Community <notifications@daml.discoursemail.com> نوشت:

Hi @Hooman_Zirakja,

The email that was sent out was in English, I just checked. It might be something with your email client, that’s my best guess.

Hello, I will answer you with Google Translator, but in order to understand your subject correctly, I need Persian language. I sent a sample of understandable conversation with Persian text (sample) to your service. Thank you very much

باتشکر از زحمات شما نوشتار قابل درک راحت برای اینجانب فارسی ایران است با آرزوی موفقیت برای شما.

Hooman

در تاریخ دوشنبه ۲۷ ژوئن ۲۰۲۲،‏ ۲۰:۵۰ Nemanja via Daml Developers Community <notifications@daml.discoursemail.com> نوشت: