The Full Spectrum of the IT Privacy and Security Weekly Update for September 28th. 2021


From audio to visual we keep the full spectrum of IT Privacy and Security covered in our best update yet!

We start with almost nothing at all and move on to blocks, breaches, bots, and smacks. We cover why it’s more important to tip your Amazon delivery person than ever before. And finally, we round out why you are actually going to want security training before the fourth quarter of this year. Unbelievable …right?

We end, on the brightest story we have ever covered!! listen_tiny

It’s all wrapped in loveliness, so grab your paintbrushes, get your drop cloths in place, and put in on those old overalls because it’s time for the best adventure yet!

UK: Privacy paint?

    Let’s get technical for a minute. Color, as we humans know it, is the result of the way light is reflected off of an object and into our eyes. Different light frequencies translate into different colors. Vantablack isn’t a color, but a material. It’s made of a “forest” of tiny, hollow carbon tubes, each the width of a single atom. According to the Surrey NanoSystems website, “a surface area of [1 centimeter squared] would contain around 1000 million nanotubes.” When light hits the tubes, it’s absorbed and cannot escape—which means that actually, Vantablack is the absence of color.


Because it’s not a pigment or a paint, you can’t just buy a bucket of it and dip a brush in and slather it onto your walls. The nanotubes that make up Vantablack must be grown in the Surrey NanoSystems lab using a complicated (and patented) process involving several machines, a few layers of different substances, and some extreme heat. From start to finish, applying Vantablack to an object can take up to two days, according to Northam. “I had an inquiry yesterday asking how much would it cost for a kilo of Vantablack pigment,” Northam says. “First of all, I can’t sell you a bucket of Vantablack, but if I could, I don’t think there’d be much on the planet that would be more expensive.” He says that ounce for ounce, Vantablack is a lot more expensive than both diamonds and gold.


“One of the things that people often say is ‘Can I touch it?’” Northam says. “They expect it to feel like a warm velvet.” Though Vantablack does have a sort of soft, velvety look to it, Northam says that doesn’t translate to physical sensation. When you touch Vantablack, it just feels like a smooth surface. That’s because the nanotubes are so small and thin, they simply collapse under the weight of human touch. Here’s how Northam describes it: “Imagine you have a field of wheat, and instead of the wheat being 3 or 4 feet high, it’s about 1000 feet tall. That is the equivalent scale that we’re talking about for nanotubes. The reason they work is they’re very, very long compared to their diameter. It will stay upright and not blow away in the wind, but if you then try and land a plane on it, you’ll make a dent.” So, Vantablack is pretty susceptible to damage, which is why it can’t yet be applied to unprotected surfaces like cars or high-end gowns—one brush of a hand and the material would lose its magic.


While Vantablack is sensitive to touch, it’s super robust against other forces, like shock and vibration. This is due to the fact that each carbon nanotube is individual, and has almost no mass at all. Plus, most of the material is air. “If there’s no mass, there’s no force during acceleration,” Northam says. This makes Vantablack ideal for protected objects that might have to endure a bumpy ride, like a space launch, for example.


The material was originally designed for super technical fields, like space equipment, where its ability to limit stray light makes it ideal for the inside of telescopes. But it could be applied in more everyday objects if the conditions are right. Northam says Surrey NanoSystems has already been approached by a handful of luxury watchmakers interested in incorporating Vantablack into their wrist candy, and high-end car manufacturers want to use it in their dashboard displays for stunning visual appearance. Northam says they also have a few smartphone makers knocking on their door.

Artists are also clamoring to get their hands on Vantablack and make some crazy, mind-boggling works of art. But for now, much to the chagrin of thousands of creatives, only one artist is allowed to work with the material, and that’s sculptor Anish Kapoor. Surrey NanoSystems gave Kapoor the exclusive rights to using Vantablack in “creative arts,” which Northam says translates into anything that’s meant to be observed purely as a work of art. He says the company will continuously reassess this agreement, but as Vantablack is still such a new material, it makes sense that they’d want to have some control over how it’s being used. “I do understand that people would wanna get their hands on this stuff,” Northam says. “But I suspect many would not want to pay the prices for it.”


Vantablack could take the “little black dress” to a whole new level if it can successfully be applied to fabric without compromising its physical properties. Northam says the company is working with fabric, but Vantablack’s foray into fashion is probably a long way off. “I wouldn’t be surprised if at some point we see something along the lines of a black dress,” he says, optimistically, “but we won’t see people walking down the street in it any time soon.”
So what’s the upshot for you? Privacy is in the eyes of the beholder.

US: The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous

Lots of people who use ad blockers say they do it to block malicious ads that can sometimes hack their devices or harvest sensitive information on them. It turns out, the NSA, CIA, and other agencies in the U.S. Intelligence Community are also blocking ads potentially for the same sorts of reasons.

The Intelligence community, which also includes the parts of the FBI, DEA, and DHS, and various DoD elements, has deployed ad-blocking technology on a wide scale. "The Intelligence Community has implemented network-based ad-blocking technologies and uses information from several layers, including Domain Name System information, to block unwanted and malicious advertising content,” the Intelligence Community chief information officer wrote in the letter.

You may use an ad blocker to make your browsing experience more pleasant, but the tools also have potential defense benefits. Attackers who try to run malicious ads on unscrupulous ad networks or taint legitimate-looking ads can steal data or sneak malware onto your device if you click, or sometimes by exploiting web vulnerabilities. The fact that the Intelligence Community views ads as an unnecessary risk and even a threat speak to long-standing problems with the industry. The NSA and Cybersecurity and Infrastructure Security Agency have released public guidance in recent years advising the use of ad blockers as security protection, but the Intelligence Community itself wasn’t required to adopt the measure. Its members deployed ad blockers voluntarily.

So what’s the upshot for you? We’ve advocated the use of UBlock origins for years. Still do.

US: Controversial Web Host Epik Confirms Customer Data Exposed in Breach

Controversial web services provider Epik last week confirmed that sensitive information pertaining to its customers was stolen in a data breach.

Epik is known for providing web services to sites hosting extremist content, such as those advocating racism, hate speech, violence, and misinformation, and which have been rejected by other web services providers.

Details from 110,000 people included: Name or another personal identifier in combination with Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password, or PIN for the account)

So what’s the upshot for you? Apparently, the 150 gigabytes of private data allegedly stolen is regarded as a boon for extremist researchers and political opponents.

RU: Russian security firm sinkholes part of the dangerous Meris DDoS botnet

Rostelecom-Solar, the cybersecurity division of Russian telecom giant Rostelecom, said on Monday that it “sinkholed” a part of the Meris DDoS botnet after identifying a mistake from the malware’s creators.

But in research published on Monday, Rostelecom-Solar said that during routine analysis of this new threat, which has also been attacking some of its customers, its engineers found that some infected routers were reaching out and asking for new instructions from an unregistered domain at cosmosentry[.]com.

Seizing the operator’s mistake, Rostelecom-Solar engineers said they registered this domain and converted it into a “sinkhole.”

After days of tracking, researchers said they received pings from around 45,000 infected MikroTik devices, a number estimated to be around a fifth of the botnet’s entire size.

“Unfortunately, we cannot take any active actions with devices under our control (we do not have the authority to do this),” the company said this week.

“At the moment, about 45,000 MikroTik devices turn to us as a sinkhole domain.”First spotted earlier this year, the Meris botnet is currently the largest DDoS botnet on the internet, with an estimated size of around 250,000 infected systems.

For the past few months, the botnet has been abused by a threat actor that has engaged in DDoS extortion attacks against internet service providers and financial entities across several countries, such as Russia, the UK, the US, and New Zealand.

The attacks have been brutal, with companies often going offline overwhelmed by the botnet’s sheer power. As part of this ferocious campaign, Meris broke the record for the largest volumetric DDoS attack twice this year, once in June and then again in September.

Internet infrastructure firms like Cloudflare and Qrator Labs have analyzed the botnet following attacks on their customers and found that the vast majority of infected systems have been MikroTik networking equipment like routers, switches, and access points.
So what’s the upshot for you? Thank heavens for little missteps.

Wait! What is a Botnet?

A botnet (derived from ‘robot network’) is a large group of malware-infected internet-connected devices and computers controlled by a single operator. Attackers use these compromised devices to launch large-scale attacks to disrupt services, steal credentials and gain unauthorized access to critical systems. The botnet command and control model allows the attacker(s) to take over operations of these devices in order to control them remotely. A botnet’s strength is in the number of infected machines it contains. Attackers can control botnets remotely and receive software updates from them, using those updates to quickly shift their behavior.

What Is a Botnet Attack?
A botnet attack is a large-scale cyber attack carried out by malware-infected devices which are controlled remotely. Unlike other malware that replicates itself within a single machine or system, botnets pose a greater threat because they let a threat actor perform a large number of actions at the same time. They are becoming more sophisticated than other malware attack types since they can be scaled up or changed on the fly to inflict even more damage.

How Do I Defend Against a Botnet Attack Before it Happens?
Experts predict IoT device adoption will increase over time, with the total number of connected devices worldwide reaching 43 million by 2023. IoT device configuration is important. Always change default device login credentials. Retiring (removing) older, unused devices from the network also removes them as an attack vector.

You can also prevent a botnet attack by limiting access to suitable host devices. Monitor and restrict access to IoT devices on the network. Segregating or air-gapping IoT devices from other critical systems can help lessen the effects of an attack as well. Enable multi-factor authentication on devices and limit the number of users with access to them.

Global: The Signal App gets smacked by a 4-hour Outage.
Signal was hit by a brief outage late Sunday that interrupted services on the platform at the same time as localized interruptions on other social media services. Signal blamed hosting issues for the disruption, which internet outage monitor DownDetector said began at 11:05 pm Eastern Standard Time (0305 GMT), citing user reports.

The site logged reports of interrupted service in the United States, Europe, Hong Kong, and other parts of the world.

Service had largely returned to normal by 3:00 am (0700 GMT), according to Signal’s developers. “Messaging has recovered for 99% of users, but we’re still working on the remaining 1%,” the company said on Twitter.

“Apologies for the disruption.” The outage coincided with “degraded performance” in a cloud server owned by Amazon Web Services (AWS) in northern Virginia state, the firm said. “We can confirm that the deployed mitigation has worked and we have started to see recovery,” AWS said in a status report on the disruption.

DownDetector users reported simultaneous outages with some other apps, including dating platform Tinder and popular news and discussion website Reddit.

First launched in 2014, Signal saw a surge in downloads earlier this year after Facebook-owned messaging service WhatsApp tweaked its terms of service and sparked privacy concerns. Its profile was boosted by a tweeted recommendation by tech entrepreneur and Tesla founder Elon Musk and the app was downloaded more than 100 million times as of March.

So what’s the upshot for you? We’ve also been advocating the use of Signal for … well, years now.

CA: Huawei CFO Released from Canada After Admitting She Misled Bank

Huawei’s CFO is finally back in China after striking a plea deal with the US authorities in which she admitted playing a pivotal role in a scheme designed to defraud a global financial institution.

Meng Wanzhou, the daughter of Huawei founder Ren Zhengfei, was indicted by the US in 2019 on charges associated with the firm’s alleged breaking of US sanctions on Iran.

“Her admissions in the statement of facts confirm that, while acting as the Chief Financial Officer for Huawei, Meng made multiple material misrepresentations to a senior executive of a financial institution regarding Huawei’s business operations in Iran in an effort to preserve Huawei’s banking relationship with the financial institution,” said acting US attorney Nicole Boeckmann.

“The truth about Huawei’s business in Iran, which Meng concealed, would have been important to the financial institution’s decision to continue its banking relationship with Huawei. Meng’s admissions confirm the crux of the government’s allegations in the prosecution of this financial fraud — that Meng and her fellow Huawei employees engaged in a concerted effort to deceive global financial institutions, the US government, and the public about Huawei’s activities in Iran.”

So what’s the upshot for you? Apparently, another part of the story that was left out, and one of significance, is that the Chinese had arrested two Canadians for alleged “spying” so instead for extraditing her to the US, a swap deal was done… Cue the James bond soundtrack.

Global: Too many privacy notices?

A report released today by identity provider Ping Identity looks at how security and privacy issues can frustrate and turn away people trying to log into and use a website.
Based on a survey of 3,400 consumers across the U.S., U.K., Germany, France, and Australia, the report examined the typical registration and login experience, attitudes toward online privacy, and the willingness of users to share personal information.

More than three-quarters (77%) of the respondents said they’ve abandoned or stopped creating an online account for reasons due to the login or registration process.
40% were frustrated because they were asked to provide too much personal information.
33% left the site because too much time was needed to enter all the required information.
29% said they were saddled with too many security steps.
…and finally, nearly half of consumers in the United States forget the answers to their security questions nearly half the time.

So what’s the upshot for you? Website owners need to test their onboarding process: Time it, refine it and time it again. And remember that sometimes too much, yields … nothing at all.

US: Amazon Delivery Driver Surveillance

In early 2021, Amazon installed AI-powered cameras in the delivery vans at one of its depots in Los Angeles. Derek, a delivery driver at the facility, said the camera in his van started to incorrectly penalize him whenever cars cut him off, an everyday occurrence in Los Angeles traffic. “Every time I need to make a right-hand turn, it inevitably happens. A car cuts me off to move into my lane, and the camera, in this really dystopian dark, robotic voice, shouts at me."

In February, Amazon announced that it would install cameras made by the AI-tech startup Netradyne in its Amazon-branded delivery vans as an “innovation” to “keep drivers safe.” As of this month, Amazon had fitted more than half of its delivery fleet in the US with this technology, an Amazon spokesperson told Motherboard.

“Maintain a safe distance,” the camera installed above his seat would say when a car cut him off. That data would be sent to Amazon and would be used to evaluate his performance that week and determine whether he got a bonus.
The Netradyne camera, which requires Amazon drivers to sign consent forms to release their biometric data, has four lenses that record drivers when they detect “events” such as following another vehicle too closely, stop sign, and street light violations, and distracted driving. For many Amazon drivers, these performance scores determine whether they receive weekly bonuses, prizes, and extra pay. Drivers who contest the results have not met success.

Amazon’s delivery service partner program relies on 2,000 small delivery companies that employ 115,000 drivers in the United States to deliver billions of packages each year. Amazon skirts liability for these drivers through this contract model but requires delivery companies to adhere to a set of rules around hiring, drivers’ appearances and social media activity, pay, routes, and safety mechanisms, including Netradyne cameras.

So what’s the upshot for you? This is a case where “AI threatens not only to disproportionately displace lower-wage earners, but also to reduce wages, job security, and other protections for those who need it most.”

Global: Get ready for a blast of bad email to finish out the year

Tessian, the email security vendor, analyzed four billion messages sent between July 2020 and July 2021 to compile its Spear Phishing Threat Landscape 2021 report.

It found 45% more malicious emails sent in October, November, and December 2020 than in the previous quarter.

The report revealed that malicious emails are typically delivered around 2 pm and 6 pm, perhaps trying to hit inboxes when employees are at their most distracted — just after lunch and at the end of the day.

The most common tactics detected by Tessian were impersonation techniques like display name spoofing (19%), as well as domain impersonation (11%), and account takeover (2%).

The most spoofed brands over the year were Microsoft, ADP, Amazon, Adobe Sign, and Zoom.

2 million emails slipped right past customers’ secure e-mail gateways and native tools.

So what’s the upshot for you? This just says to us, no more “liquid lunches” unless the liquid is a double espresso.

US: …and Now to Cover the Other End of the Spectrum

West Lafayette, IN – Purdue University researchers develop the world’s whitest paint. The paint has earned a Guinness World RecordsTM title. The record appears in the 2022 edition of Guinness World Records.

Breaking a record for the whitest paint wasn’t a goal for the researchers – curbing global warming was.

“When we started this project about seven years ago, we had saving energy and fighting climate change in mind,” said Xiulin Ruan, a professor of mechanical engineering at Purdue, in a podcast episode of “This Is Purdue.”

Ruan invented the paint with his graduate students. The idea was to create a paint that would reflect sunlight away from a building. Making this paint really reflective, however, also made it really white. The formulation that Ruan’s lab-created reflects 98.1% of solar radiation at the same time as emitting infrared heat. Because the paint absorbs less heat from the sun than it emits, a surface coated with this paint is cooled below the surrounding temperature without consuming power.

Typical commercial white paint gets warmer rather than cooler. Paints on the market that are designed to reject heat reflect only 80%-90% of sunlight and can’t make surfaces cooler than their surroundings.

Using this new paint formulation to cover a roof area of about 1,000 square feet could result in a cooling power of 10 kilowatts, Purdue researchers showed in a published paper. “That’s more powerful than the air conditioners used by most houses,” Ruan said.

This white paint is the result of research building on attempts going back to the 1970s to develop radiative cooling paint as a feasible alternative to traditional air conditioners. Ruan’s lab had considered over 100 different materials, narrowed them down to 10, and tested about 50 different formulations for each material.

Two features make this paint ultra-white: a very high concentration of a chemical compound called barium sulfate – also used in photo paper and cosmetics – and different particle sizes of barium sulfate in the paint. What wavelength of sunlight each particle scatters depends on its size, so a wider range of particle sizes allows the paint to scatter more of the light spectrum from the sun.

So what’s the upshot for you? We’ve always wondered why people do their roofs in dark colors. Here’s an argument to keep it bright!

That’s it for this week’s spectrum of stories. We hope you enjoyed the rainbow of coverage and look forward to seeing you in se7en!