The Heart of the IT Privacy and Security Weekly update for the week ending December 27th, 2022


This latest IT Privacy and Security update will keep you right in the heart of things… from airport travel to petrol scams.

There’s a state-of-play update on TikTok, sad Twitter news for Elon, and even sadder Facebook news for the Zuck.

We’ve got a couple of urgent updates for Linux and Windows users sprinkled in amidst new malware that has nothing to do with Al Pacino.

We even have a touching holiday note from Eufy who will assure you that they are still collecting the facts, while the whole west coast is tuned into the feed coming off your “Secure” security camera.

Thanks for joining us for the final edition of the ITP&SWU of our third year.

Happy Holidays, Happy new year and let’s get Go!

Global: If you made it through the year thus far…

Christmas Day sees more cardiac deaths than any other day of the year, researchers found in a study published in Circulation, the American Heart Association’s flagship journal.

The second highest number of cardiac deaths happens on Dec. 26, what the British call Boxing Day, with the third largest tally occurring on New Year’s Day.

There are a number of factors leading to this alarming holiday trend, including more stress around the holidays, overeating, drinking more alcohol, frigid wintry weather, and not sleeping as much amid family gatherings.

So what’s the upshot for you? “Last Christmas we gave you our hearts and the very next day, you gave them away…” Be sure to hold onto yours, at least through New Years’!

NYC: Two Men Accused of Hacking Into JFK Airport Cab Dispatch System

With a flat fee of $70 for trips into Manhattan and a guaranteed stream of passengers, a ride to and from New York’s John F. Kennedy International Airport is one of the more lucrative journeys for the city’s cab drivers.

But federal prosecutors say two 48-year-old Queens men found another way to profit from the crowd of taxis waiting long hours for passengers at the airport, conspiring with Russians to hack the dispatch system and allow drivers to cut ahead in line for a $10 payment.

The two men, Daniel Abayev and Peter Leyman, were arrested Tuesday and charged with conspiracy to commit computer intrusions for hacking into the system from November 2019 to November 2020.

Prosecutors said the pair worked with Russian nationals to access the system through various methods, including bribing someone to insert a flash drive into computers that allowed them to enter the system via Wi-Fi, and stealing tablets connected to the dispatch operation.

They then used their access to move certain taxis to the front of the line for $10 each, allowing drivers to bypass a holding lot that frequently required hours-long waits before they were dispatched to a terminal, and waived the fee for drivers who recruited others, according to prosecutors.

So what’s the upshot for you? Still more expensive than current rates, but let’s add up all the extras…

Flat Fare: $52.00
MTA State Surcharge: $0.50
Improvement Surcharge: $0.30
Rush hour surcharge (4 pm to 8 pm weekdays, excluding legal holidays): $4.50
New York State Congestion Surcharge: $2.50
Tolls (Queens Midtown Tunnel or Triborough/Robert F. Kennedy Bridge): $6.12

For a total of $61.42, or $65.92 between 4 pm and 8 pm on weekdays.

NYC: Face Recognition Tech Gets Girl Scout Mom Booted From Rockettes Show — Due to Where She Works

When Kelly Conlon joined her daughter’s Girl Scout troop for a fun outing to see the Rockettes perform their Christmas Spectacular show at Radio City Music Hall in New York, she had no idea she would end up booted from the show once she entered the building.

Security stopped Conlon, NBC New York reported, because she is a New Jersey lawyer. It seems that Madison Square Garden Entertainment has begun using facial recognition technology to identify any visitor to any of its venues – including Radio City Music Hall – who is involved with any law firm that is actively involved in litigation against MSG Entertainment.

Conlon has never practiced law in New York nor personally been involved in litigation against MSG Entertainment. Instead, she is guilty by association, as an associate for Davis, Saperstein and Solomon, which has spent years tangled up in litigation against a restaurant that NBC reported is “now under the umbrella of MSG Entertainment.”

According to Conlon, she became aware of this supposed conflict of interest when security guards approached her in the Radio City Music Hall lobby just as she passed through the metal detector.

Over the speakers, Conlon heard a warning about a woman in a gray scarf, then security confirmed the warning was about her, telling her, “Our recognition picked you up.”

Despite Conlon assuring security that “I’m not an attorney that works on any cases against MSG,” she was escorted out.

Ars could not immediately reach MSG for comment, but in a statement, MSG said the same thing would’ve happened to any attorney involved in her firm, claiming that her firm had been “notified twice” of MSG’s policy.

“MSG instituted a straightforward policy that precludes attorneys pursuing active litigation against the Company from attending events at our venues until that litigation has been resolved,” the statement provided to NBC said.

“While we understand this policy is disappointing to some, we cannot ignore the fact that litigation creates an inherently adverse environment.”

So what’s the upshot for you? …and so it starts.

Global: LastPass: Hackers Stole Customer Vault Data In Cloud Storage Breach

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.

This follows a previous update issued last month when the company’s CEO, Karim Toubba, only said that the threat actor gained access to “certain elements” of customer information.

Last Thursday, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data.

The attacker gained access to LastPass’ cloud storage using “cloud storage access key and dual storage container decryption keys” stolen from its developer environment.

"The threat actor copied information from a backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password.

According to Toubba, the master password is never known to LastPass, it is not stored on LastPass’ systems, and LastPass does not maintain it.

Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data.

However, this would be very difficult and time-consuming if… you’ve been following password best practices recommended by LastPass.

If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology.

Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture."

So what’s the upshot for you? And if… you weren’t as careful… the hackers have everything.

Global: GodFather Android Malware Targets 400 Banks, Crypto Exchanges

An Android banking malware named ‘Godfather’ has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.

The malware generates login screens overlaid on top of the banking and crypto exchange apps’ login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.

The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses.

ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.

Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play.

So what’s the upshot for you? This Godfather is an offer you should probably refuse.

RU: Kremlin-Backed Hackers Targeted a ‘Large’ Petroleum Refinery In a NATO Nation

One of the Kremlin’s most active hacking groups targeting Ukraine recently tried to hack a large petroleum refining company located in a NATO country.

The attack is a sign that the group is expanding its intelligence gathering as Russia’s invasion of its neighboring country continues.

The group mostly uses emails with Ukrainian-language lures.

More recently, however, some samples show that the group has also begun using English-language lures.

“We assess that these samples indicate that Trident Ursa is attempting to boost their intelligence collection and network access against Ukrainian and NATO allies,” company researchers wrote.

Tuesday’s report didn’t name the targeted petroleum company or the country where the facility was located.

In recent months, Western-aligned officials have issued warnings that the Kremlin has set its sights on energy companies in countries opposing Russia’s war on Ukraine.

Trident Ursa’s hacking techniques are simple but effective.

The group uses multiple ways to conceal the IP addresses and other signatures of its infrastructure, phishing documents with low detection rates among anti-phishing services, and malicious HTML and Word documents.

"Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations.

In most cases, they rely on publicly available tools and scripts as well as routine phishing attempts to successfully execute their operations…" Tuesday’s report provides a list of cryptographic hashes and other indicators organizations can use to determine if Trident Ursa has targeted them.

It also provides suggestions for ways to protect organizations against the group.

So what’s the upshot for you? Let’s hope these actions on the part of the Russians against a NATO member do not lead to escalation.

CN: Anker’s Eufy Gives an update on Security Cam Security

In the last episode of “Will Anker ever tell us what’s actually going on with its security cameras rather than lying and covering its tracks,” we told you how Eufy’s customer support team is now quietly providing some of the answers to the questions that the company had publicly ignored about its smart home camera security.

Now, Anker is finally taking a stab at a public explanation, in a new blog post titled “To our eufy Security Customers and Partners.”

So what’s the upshot for you? Unfortunately, it contains no apology and doesn’t begin to address why anyone would be able to view an unencrypted stream in VLC Media Player on the other side of the country, from a supposedly always-local, always-end-to-end-encrypted camera. Thanks, Eufy!

Global: Okta’s Source Code Stolen After GitHub Repositories Hacked

According to a ‘confidential’ email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta’s source code.

The ‘Confidential’ security incident notification that Okta has been emailing to its ‘security contacts’ was confirmed by multiple sources, including IT admins.

Earlier this month, GitHub alerted Okta of suspicious access to Okta’s code repositories, states the notification.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” writes David Bradbury, the company’s Chief Security Officer (CSO) in the email.

So what’s the upshot for you? Unfortunately for all those businesses that rely on Okta for their security, the effect of this loss is still unknown.

It may amount to nothing at all, but it’s the insecurity of not knowing that is the hardest to bear.

Global: Study Finds AI Assistants Help Developers Produce Code That’s More Likely To Be Buggy

Computer scientists from Stanford University have found that programmers who accept help from AI tools like GitHub Copilot produce less secure code than those who fly solo.

In a paper titled, “Do Users Write More Insecure Code with AI Assistants?”, Stanford researchers Neil Perry, Megha Srivastava, Deepak Kumar, and Dan Boneh answer that question in the affirmative.

Worse still, they found that AI help tends to delude developers about the quality of their output.

“We found that participants with access to an AI assistant often produced more security vulnerabilities than those without access, with particularly significant results for string encryption and SQL injection,” the authors state in their paper.

So what’s the upshot for you? This confirms that there are no shortcuts when writing good code.

EU: More sad Twitter news for Elon: Twitter Probed by Top EU Privacy Watchdog for Pre-Musk Era Leak

Elon Musk’s Twitter Inc. risks massive fines after its top privacy regulator in the European Union opened a probe into reports of a suspected data breach that compromised the personal details of 5.4 million users last year.

Ireland’s Data Protection Commission said in a statement on Friday it decided to start a probe under its own initiative, over reports that one or more datasets of Twitter user personal information “had been made available on the internet.”

So what’s the upshot for you? The Twitter story just keeps on unraveling for Elon.

Let’s hope he can right the ship and bring this one back into port safely.

US: Some Universities Are Now Restricting TikTok Access on Campus

A small but growing number of U.S. universities are now blocking access to TikTok on school-owned devices or WiFi networks, in the latest sign of a widening crackdown on the popular short-form video app.

The University of Oklahoma and Auburn University in Alabama have each said they will restrict student and faculty access to TikTok, in order to comply with recent moves from the governors in their respective states to ban TikTok on government-issued devices.

The school will also require that university-administered TikTok accounts be deleted and “alternate social media platforms utilized in their place.”

The 26 universities and colleges in the University System of Georgia are also reportedly taking a similar step.

So what’s the upshot for you? The TikTok ban quickly starts to pick up steam in the US…

US: TikTok Banned on U.S. Government Devices Under Spending Bill Passed by Congress

Under the bipartisan spending bill that passed both chambers of the U.S. Congress as of Friday, TikTok will be banned from government devices, underscoring the growing concern about the popular video-sharing app owned by China’s ByteDance.

And though Congress made more headway this year than in the past toward a compromise bill on national privacy standards, there remains only a patchwork of state laws determining how consumer data is protected.

Center-left tech industry group Chamber of Progress cheered the exclusion of several antitrust bills that would have targeted its backers, which include Apple, Amazon, Google and Meta.

So what’s the upshot for you? Better late than never.

CN/US: TikTok Spied On Forbes Journalists

ByteDance confirmed it used TikTok to monitor three journalists’ physical location using their IP addresses, reports Forbes, “to unearth the source of leaks inside the company following a drumbeat of stories exposing the company’s ongoing links to China.”

As a result of the investigation into the surveillance tactics, ByteDance fired Chris Lepitak, its chief internal auditor who led the team responsible for them.

The China-based executive Song Ye, who Lepitak reported to and who reports directly to ByteDance CEO Rubo Liang, resigned.

“It is standard practice for companies to have an internal audit group authorized to investigate code of conduct violations,” TikTok General Counsel Erich Andersen wrote in a second internal email shared with Forbes.

“However, in this case, individuals misused their authority to obtain access to TikTok user data…”

“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected,” Senator Mark Warner told Forbes.

ByteDance is not the first tech giant to use an app to monitor specific users. In 2017, the New York Times reported that Uber had identified various local politicians and regulators and served them a separate, misleading version of the Uber app to avoid regulatory penalties.

Both Uber and Facebook also reportedly tracked the location of journalists reporting on their apps.

Ironically, TikTok’s journalist-tracking project involved the company’s Chief Security and Privacy Office, according to Forbes, and targeted three Forbes journalists who had formerly worked at BuzzFeed News.

It was back in October that Forbes first reported ByteDance had discussed tracking journalists.

ByteDance immediately denied the charges on Twitter, saying “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists,” and that “TikTok could not monitor U.S. users in the way the article suggested.”

Forbes also notes that in 2021, TikTok became the most visited website in the world.

So what’s the upshot for you? We told you this could happen. Now you have proof that it has.

US: Facebook Parent Meta To Settle Cambridge Analytica Case For $725 Million

Facebook owner Meta Platforms has agreed to pay $725 million to resolve a class-action lawsuit accusing the social media giant of allowing third parties, including Cambridge Analytica, to access users’ personal information.

The proposed settlement, which was disclosed in a court filing late on Thursday, would resolve a long-running lawsuit prompted by revelations in 2018 that Facebook had allowed the British political consulting firm Cambridge Analytica to access the data of as many as 87 million users.

Lawyers for the plaintiffs called the proposed settlement the largest to ever be achieved in a U.S. data privacy class action and the most that Meta has ever paid to resolve a class action lawsuit.

“This historic settlement will provide meaningful relief to the class in this complex and novel privacy case,” the lead lawyers for the plaintiffs, Derek Loeser and Lesley Weaver, said in a joint statement.

Meta did not admit wrongdoing as part of the settlement, which is subject to the approval of a federal judge in San Francisco.

The company said in a statement settling was “in the best interest of our community and shareholders.”

“Over the last three years we revamped our approach to privacy and implemented a comprehensive privacy program,” Meta said.

So what’s the upshot for you? “You should trust us now,” is what we hear from this…

Global: Linux Kernel Security Bug Allows Remote Code Execution for Authenticated Remote Users

The Zero Day Initiative, a zero-day security research firm, announced a new Linux kernel security bug that allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions.

Originally, the Zero Day Initiative (ZDI) rated it a perfect 10 on the 0-to-10 Common Vulnerability Scoring System (CVSS) scale. Now, the hole’s “only” a 9.6.

The problem lies in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd.

The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands.

The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the kernel context.

This new program, which was introduced to the kernel in 2021, was developed by Samsung.

Its point was to deliver speedy SMB3 file-serving performance.

Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15.

So what’s the upshot for you? How do you know if your build is affected? Just run:

$ uname -r

to see which kernel version you’re running.

Then, if you’re running a susceptible kernel, to see if the vulnerable module is present and active, run:

$ modinfo ksmbd

What you want to see is that the module wasn’t found. If it’s loaded, you’ll want to upgrade to the Linux 5.15.61 kernel.
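An added example, not from the newsletter: a small POSIX shell script that automates the two checks above. It parses the kernel release string, decides whether it falls in the “5.15 and above, fixed in 5.15.61” window the article names, and reads lsmod output to see whether ksmbd is actually loaded (modinfo only tells you the module exists on disk). Treating kernel series newer than 5.15 as “check your distro’s advisory” is this script’s assumption, since the article only names the 5.15.61 fix.

```shell
#!/bin/sh
# Added example (not the newsletter's own code): automate the uname -r and
# ksmbd module checks for the Linux 5.15 ksmbd advisory discussed above.

# Split "5.15.0-56-generic" into "major minor patch", ignoring the distro suffix.
kernel_triplet() {
    kt_base=${1%%-*}                 # "5.15.0"
    kt_major=${kt_base%%.*}
    kt_rest=${kt_base#*.}            # "15.0" (or "15" when there is no patch level)
    kt_minor=${kt_rest%%.*}
    case $kt_rest in
        *.*) kt_patch=${kt_rest#*.} ;;
        *)   kt_patch=0 ;;
    esac
    kt_patch=${kt_patch%%[!0-9]*}    # drop anything after the digits, e.g. "rc1"
    [ -n "$kt_patch" ] || kt_patch=0
    echo "$kt_major $kt_minor $kt_patch"
}

# Exit status: 0 = inside the range the article names (5.15.0 up to 5.15.60),
# 1 = older than 5.15 (no ksmbd in that tree), 2 = 5.15.61 or later in the
# 5.15 series (patched per the article), 3 = a newer series, which this script
# (as an assumption) tells you to confirm against your distro's advisory.
kernel_window() {
    set -- $(kernel_triplet "$1")
    if [ "$1" -lt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -lt 15 ]; }; then
        return 1
    fi
    if [ "$1" -eq 5 ] && [ "$2" -eq 15 ]; then
        if [ "$3" -lt 61 ]; then return 0; else return 2; fi
    fi
    return 3
}

# True when ksmbd appears as a module name (first column) in lsmod output.
ksmbd_loaded() {
    printf '%s\n' "$1" | awk '$1 == "ksmbd" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Combine both checks into one verdict line: "$1" = kernel release, "$2" = lsmod output.
ksmbd_verdict() {
    kv_rel=$1
    kv_window=0
    kernel_window "$kv_rel" || kv_window=$?
    if ksmbd_loaded "$2"; then kv_loaded=yes; else kv_loaded=no; fi
    case "$kv_window/$kv_loaded" in
        0/yes) echo "AFFECTED: $kv_rel with ksmbd loaded; upgrade to 5.15.61 or later" ;;
        0/no)  echo "EXPOSED-IF-ENABLED: $kv_rel is in the vulnerable range but ksmbd is not loaded" ;;
        1/*)   echo "NOT-AFFECTED: $kv_rel predates the in-kernel ksmbd server" ;;
        2/*)   echo "PATCHED: $kv_rel is 5.15.61 or later (ksmbd loaded: $kv_loaded)" ;;
        *)     echo "CHECK-ADVISORY: $kv_rel is a newer series; confirm the fix with your distro (ksmbd loaded: $kv_loaded)" ;;
    esac
}

# Constructed lsmod output for a self-test (not captured from a real system).
SAMPLE_LSMOD_LOADED='Module                  Size  Used by
ksmbd                 446464  0
cifs                 1183744  0'
SAMPLE_LSMOD_CLEAN='Module                  Size  Used by
cifs                 1183744  0'

# Run against the live box with "--live"; otherwise show the constructed cases.
if [ "${1:-}" = "--live" ]; then
    ksmbd_verdict "$(uname -r)" "$(lsmod)"
else
    ksmbd_verdict "5.15.0-56-generic" "$SAMPLE_LSMOD_LOADED"
    ksmbd_verdict "5.15.0-56-generic" "$SAMPLE_LSMOD_CLEAN"
    ksmbd_verdict "5.4.0-135-generic" "$SAMPLE_LSMOD_LOADED"
    ksmbd_verdict "5.15.83-1-lts"     "$SAMPLE_LSMOD_LOADED"
    ksmbd_verdict "6.1.0-rc7"         "$SAMPLE_LSMOD_CLEAN"
fi
```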

Uhmmnnn… one thing though… Many distros, unfortunately, have not moved to this kernel release yet.

Global: Critical Windows code-execution vulnerability went undetected until now

Ars Technica reports on a dangerously “wormable” Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present “in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.”

Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes.

At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information.

As such, Microsoft gave the vulnerability a designation of “important.” In the routine course of analyzing vulnerabilities after they’re patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry].

Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.

One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months.

“While EternalBlue was an 0-Day, luckily this is an N-Day with a 3-month patching lead time,” said Palmiotti.

There’s still some risk, Palmiotti tells Ars Technica. “As we’ve seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether.”

So what’s the upshot for you? This emphasizes the importance of faster patching, which at enterprise scale is only going to add more steam to the IT Operations team pressure cooker.

Global: Google’s management has reportedly issued a ‘code red’ amid the rising popularity of the ChatGPT AI

Google’s management has issued a “code red” amid the launch of ChatGPT — a buzzy conversational-artificial-intelligence chatbot created by OpenAI — as it’s sparked concerns over the future of Google’s search engine, The New York Times reported Wednesday.

Sundar Pichai, the CEO of Google and its parent company, Alphabet, has participated in several meetings around Google’s AI strategy and directed numerous groups in the company to refocus their efforts on addressing the threat that ChatGPT poses to its search-engine business, according to an internal memo and audio recording reviewed by The Times.

Google’s move to build out its AI-product portfolio comes as Google employees and experts alike debate whether ChatGPT — run by Sam Altman, a former Y Combinator president — has the potential to replace the search engine and, in turn, hurt Google’s ad-revenue business model.

But some have been quick to say the bot is often riddled with errors. ChatGPT is unable to fact-check what it says and can’t distinguish between a verified fact and misinformation, AI experts told Insider.

It can also make up answers, a phenomenon that AI researchers call “hallucinations.”

The bot is also capable of generating racist and sexist responses, Bloomberg reported.

Its high margin of error and vulnerability to toxicity are some of the reasons Google is hesitant to release its AI chatbot LaMDA — short for Language Model for Dialogue Applications — to the public, The Times reported.

A recent CNBC report said Google execs were reluctant to release it widely in its current state over concerns over “reputational risk.”

So what’s the upshot for you? We appreciate Google’s rationale for restraint but understand the new impetus to move forward.

HK: Watchdog Says 53 VPN Apps Unavailable in Hong Kong Since Security Law Passed, Urges Apple To State Its Policy

A total of 53 VPN applications have become unavailable in Apple’s Hong Kong App Store since Beijing imposed a national security law (NSL) on the city in June 2020, a report by AppleCensorship has revealed.

The digital freedom watchdog urged the US tech giant to clearly state how it would respond if Hong Kong or Beijing requested that apps be taken down.

In a report released on Thursday entitled “Apps at Risk: Apple’s censorship and compromises in Hong Kong,” AppleCensorship found that more apps were unavailable in Hong Kong than in most of the 173 App Stores it monitored.

So what’s the upshot for you? According to AppleCensorship’s latest statistics from last month, 2,370 or 16 percent of the 14,782 apps it tested were unavailable in Hong Kong’s App Store.

The watchdog said only stores in Russia and China had more unavailable apps than their Hong Kong counterpart – Russia had 2,754 and China had 10,837.

US: Even the FBI Says You Should Use An Ad Blocker

The FBI is recommending the use of ad blockers, warning in an alert this week that cybercriminals are using online ads in search results to steal or extort money from victims.

In a pre-holiday public service announcement, the FBI said that cybercriminals are buying ads to impersonate legitimate brands, like cryptocurrency exchanges.

Ads are often placed at the top of search results but with “minimum distinction” between the ads and the search results, the feds say, which can look identical to the brands that the cybercriminals are impersonating.

Malicious ads are also used to trick victims into installing malware disguised as genuine apps, which can steal passwords and deploy file-encrypting ransomware.

One of the FBI’s recommendations for consumers is to install an ad blocker.

As the name suggests, ad blockers are web browser extensions that broadly block online ads from loading in your browser, including in search results. By blocking ads, would-be victims are not shown any ads at all, making it easier to find and access the websites of legitimate brands.

Ad blockers don’t just remove the enormous bloat from websites, like auto-playing video and splashy ads that take up half the page, which make your computer fans run like jet engines.

Ad blockers are also good for privacy because they prevent the tracking code within ads from loading.

That means that ad companies, like Google and Facebook, cannot track you as you browse the web, learn which websites you visit, or infer what things you might be interested in based on your web history.

“Of course, you can switch your ad blocker off any time you want, and even allow or deny ads for entire websites,” adds the report.

“Ads are still an important part of what keeps the internet largely free and accessible even as subscriptions and paywalls are increasingly becoming the norm.”

So what’s the upshot for you? We applaud TechCrunch for reporting this story, a journalistic source that derives income from ad placement on web pages. As you investigate ad blockers, be sure to add uBlock Origin to your shortlist.

US: Six Arrested After Manipulating Gas Station Pumps To Steal 30,000 Gallons of Gasoline / Benzina / Petrol

Whatever you call it: Gasoline / Benzina / Petrol, this story is sure to hit home during this travel season!

A Valero gas station sells approximately 5,000 gallons of gas a day, one employee estimates.

But local police arrested six men who, in a series of robberies, tricked the pumps out of 30,000 gallons of gasoline, a haul authorities estimated was worth at least $180,000.

Upon further inspection of surveillance video, authorities said, police saw one of the suspects activate a gas-pump computer, allowing another suspect to pump fuel into his vehicle.

An employee from the Valero station, who declined to give their name, called the process the gas thieves used “nearly untraceable.”

“You must have a deep understanding of how the pump system works,” the person said.

"There is a time frame anywhere from 75 seconds to two minutes for the authorization to go through the network [after sliding a credit card into a gas pump].

In this (time period), there’s an opportunity to manipulate the pump … You’re able to manipulate the pump and confuse the programming to an extent that the pump starts dispensing gas…"

In a Facebook post, authorities said the three suspects had been “conspiring together in a sophisticated operation to thwart security devices and pump electronics to steal large amounts of gasoline from the business…”

So what’s the upshot for you? Now there is a quote… “conspiring together in a sophisticated operation to thwart security devices and pump electronics”

Say that 5 times fast!


And our quote of the week: “Let’s have a moment of heartfelt silence for all those ‘get-fitters’ who are stuck in traffic on their way to the gym to ride the stationary bicycle.” - anonymous observer.

That’s it for this week. Stay safe, stay secure, wear your heart on your sleeve, and see you for year four in se7en.