The IT Privacy and Security Wearable Update for September 14th 2021


This week it’s all about wearables. Be they on your nose, wrist, ring finger, back pocket, or further south they are collecting just about all the …er … data you can generate.

We start this week with Facebook “trying it on” before moving one step closer to their metaverse. We hit you with news on the Biggest DDos attack ever, before getting bleary-eyed as we learn what happened to the bride (or groom), and why you’re about as likely not to be able to tell just how late they are.

Finally, after you’ve run on your smart treadmill, ridden your smart bike, and gotten yelled at by your smart mirror, we leave you with a wearable that, thankfully, you don’t have to carry around with you.

It’s all here, (well some anyway), it’s all fresh and it’s all in the best IT Privacy and Security Weekly Update yet. So press “start” on your wearable and let’s get exploring!

Global: Facebook quietly lets 5.8 million politicians and celebrities get special enforcement of its rules, report says

“We are not actually doing what we say we do publicly.”
“Facebook routinely makes exceptions for powerful actors.”
“This problem is pervasive, touching almost every area of the company.”

Mark Zuckerberg has publicly said Facebook Inc. allows its more than three billion users to speak on equal footing with the elites of politics, culture, and journalism, and that its standards of behavior apply to everyone, no matter their status or fame.

In private, the company has built a system that has exempted high-profile users from some or all of its rules, according to company documents reviewed by The Wall Street Journal.

Facebook has a secret internal system called XCheck, that exempts 5.8 million users from having to follow the rules on its platform, according to the Wall Street Journal.

The paper on Monday published an investigation detailing how high-profile users on its services who are “newsworthy,” "influential or popular, or “PR risky” don’t see the same enforcement action as do ordinary users, citing company documents it had viewed.

Most Facebook employees have the power to add users to the XCheck (crosscheck) system for whitelisting status, a term used to describe high-profile accounts that don’t have to follow the rules. But the Journal viewed a 2019 audit that found Facebook doesn’t always keep a record of who it whitelists and why, which poses “numerous legal, compliance, and legitimacy risks for the company and harm to our community.”

Facebook employees, including an executive who led its civic team, expressed disapproval with the company’s practice of doling outs special treatment for some users and said it was not in alignment with Facebook’s values, the paper reported.

So what’s the upshot for you? This system was initially conceived to have a single user check the comments of about 500 people as the risk from AI misinterpreting the comments could have had a high impact. As the numbers included on the “Allow-list” skyrocketed it soon overwhelmed the staff covering it and became ineffective, but it was never closed out and so provides one set of rules for the general populace… and another for VIPs, stars, and politicians.

Global: Has Ray-Ban been Zucked?

Facebook announced its long-awaited foray into the smart glasses space Thursday morning, launching the Ray-Ban Stories smart glasses in partnership with eyewear giant EssilorLuxottica.

Facebook’s first pair of smart glasses don’t feel like much of a Facebook product.

And that might not be a bad thing after Facebook’s dismal “Facebook Portal” sales numbers. From Fast Company: “Supply-chain sources say Facebook Portal sales are ‘very low’. After the company’s many privacy sins, people are apparently hesitant to put a Facebook device with a camera in their living rooms. Imagine that.”

So you won’t find the Facebook logo emblazoned on these glasses or even its name in small print by the serial code. They aren’t “Facebook Stories” or “Ray-Ban’s Facebook Stories” or even “Ray-Ban Stories in collaboration with Facebook.” Unlike other Facebook-designed hardware like the Quest 2 or Portal, the Ray-Ban Stories feel more self-aware and restrained as though the company knew exactly what use cases they needed to hit, and stopped themselves from trying to do much more than that.

The svelte frames are some of the most low-profile yet available to consumers and will allow users to snap photos and videos with the two onboard 5 MP cameras, listen to music with in-frame speakers and take phone calls. The glasses need to be connected to an iOS or Android device for full functionality, though users can take and store hundreds of photos or dozens of videos on the glasses before transferring media to their phones via Facebook’s new View app. The twin cameras will allow users to add 3D effects to their photos and videos once they upload them to the app.

The lightweight glasses weigh less than 50 grams and come with a leather hardshell charging case. The battery life is advertised as “all-day,” which TechCrunch found to be accurate during their review of the frames.

They only do a few things: You can take poor-quality photos and videos; you can take quiet phone calls if the other side doesn’t mind the ambient noise, and you can listen to music. That’s it.

So what’s the upshot for you? As heard around town, Facebook has a “Trust Deficit”. That might be why “Diem” the digital currency and “Novi” the wallet releases have been delayed, why the portal sales are limping and why Zuck’s metaverse might be a little longer in arriving than he intended. Whatever the case, we think it’s the reason these glasses simply say Ray-ban just beside the two honking great camera lenses, but they are a stepping stone to something more. Now if we could just learn to trust Zuck.

RU: Russia’s Yandex says it repelled biggest DDoS attack in history

MOSCOW, Sept 9 (Reuters) - A cyberattack on Russian tech giant Yandex’s servers (YNDX.O) in August and September was the largest known distributed denial-of-service (DDoS) attack in the history of the internet, the company said on Thursday.

The DDoS attack, in which hackers try to flood a network with unusually high volumes of data traffic in order to paralyze it when it can no longer cope with the scale of data requested, began in August and reached a record level on Sept. 5.

“Our experts did manage to repel a record attack of nearly 22 million requests per second (RPS). This is the biggest known attack in the history of the internet,” Yandex said in a statement.

So what’s the upshot for you? DDoS protection firm Qrator Labs identified the culprit — “Meris” — a new monster that first emerged at the end of June 2021. Meris appears to be made up of compromised Internet routers produced by MikroTik. It says the United States is home to the most number of MikroTik routers that are potentially vulnerable to compromise by Meris — with more than 42 percent of the world’s MikroTik systems connected to the Internet (followed by China — 18.9 percent)

U.S. cybersecurity firm Cloudflare (NET), which is widely used by businesses and other organizations to help defend against DDoS attacks, said in August the largest DDoS attack it was aware of was the one that hit it, earlier in June, which reached 17.2 million RPS. Signs point to Meris for both the Yandex and earlier Cloudflare attacks.

RU: Hackers leak passwords for 500,000 Fortinet VPN accounts

A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from almost 13,000 exploitable devices last summer (3000 US-based).

While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid.

This leak is a serious incident as the VPN credentials could further allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.

The list of Fortinet credentials was leaked for free by a threat actor known as ‘Orange,’ who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation.

After disputes occurred between members of the Babuk gang, Orange split off to start RAMP and is now believed to be a representative of the new Groove ransomware operation.

So what’s the upshot for you? If you use a Fortinet VPN, patch it and reset all your passwords. In the meantime, we’ll wait for Orange and Ramp to start exposing what they found while they had all that VPN access.

KR: TrickBot gang member arrested after getting stuck in South Korea due to COVID-19 pandemic

A Russian national thought to work with the notorious malware gang TrickBot was arrested last week at Seoul international airport. Known only as Mr. A in local media, the man was attempting to fly to Russia after spending more than a year and a half in South Korea.

After arriving in February 2020, Mr. A was trapped in Seoul because of international travel restrictions related to the COVID-19 pandemic. During this time his passport expired and Mr. A had to get an apartment in Seoul while working with the Russian embassy on a replacement.

Concurrently, United States law enforcement officials opened an investigation into TrickBot’s activity, particularly related to a botnet the group developed and used to aid a rash of 2020 ransomware attacks.

During the investigation, officials gathered evidence of Mr. A’s alleged work with TrickBot, including the possible 2016 development of a malicious browser tool.

So what’s the upshot for you? South Korean news said the suspect was being held on an international arrest warrant and extradition request to the US.

Mr. A is fighting this extradition. His lawyer claimed that if his client is sent to the US, he “will be subjected to excessive punishment.”

We’d love to be part of that.

UK: Would you like a side of fries with that Account Name and Password?

A bug in the McDonald’s Monopoly VIP game in the United Kingdom caused the login names and passwords for the game’s database to be sent to all winners.

After skipping a year due to COVID-19, McDonald’s UK launched their popular Monopoly VIP game on August 25th, where customers can enter codes found on purchase food items for a chance to win a prize. These prizes include £100,000 in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more.

Unfortunately, the game hit a snag over the weekend after a bug caused the user name and passwords for both the production and staging database servers to be in prize redemption emails sent to prize winners.

So what’s the upshot for you? Hang on! Did we still win?

US/NG: The U.S. Locks Up Key Player in Nigerian Romance Scam. Wait. What?

An Oklahoma man has been sent to prison for his role in an online romance scam that defrauded victims across the United States out of at least US$2.5 million.

The victims – many of whom were elderly – would wire the money to the scammer’s bank account in the belief that they were helping their significant other to complete a business project or to return to the United States.

Afeez Olajide Adebara, 35, pleaded guilty to conspiracy to commit money laundering before U.S. District Court Judge Gregory K. Frizzell. Adebara’s sentencing hearing is set for Feb. 3, 2021.

“Adebara organized and led a money-laundering operation from Oklahoma in order to conceal the proceeds of a Nigerian Romance Scam. He and his co-conspirators defrauded an Oklahoman and two other victims of more than $1.5 million,” said U.S. Attorney Trent Shores. “Romance scams inflict the highest reported financial losses yearly, totaling about $200 million in 2019, when compared to other online scams. Con artists like Adebara have no shame. They care not if their victims are elders, veterans, or hard-working Americans living paycheck to paycheck. I commend the FBI agents and federal prosecutors who took down this international money laundering operation.”

According to court documents, Adebara coordinated with overseas co-conspirators who had assumed false identities on online dating websites and social media platforms with the intent to defraud victims. Adebara opened multiple accounts using fraudulent identities then provided the account and routing numbers to the overseas co-conspirators.

The co-conspirators posed as US residents working or traveling abroad and tricked victims into believing that they had found love online. After manipulating a victim into thinking that they were in a romantic relationship, a scammer would ask for increasingly large sums of money.

As these online “relationships” continued, the overseas co-conspirators’ would request increasingly larger sums of money, claiming that the funds were needed to complete business projects or to return to the United States.

So what’s the upshot for you? Just in case you had been left standing on the alter after forking out to have your fiancé flown in first-class for your wedding…wait, what?

No, we’re just partial to wearing tuxedos and wedding gowns in the office.

Global: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days

Monday Apple rolled out fixes for a pair of iOS and macOS security defects alongside a warning that these issues belong in the “actively exploited” zero-day category.

Apple has released iOS 14.8, an urgent iPhone update that all users should install now. That’s because it comes with a warning—iOS 14.8 is an important security-only upgrade for two vulnerabilities that Apple believes adversaries are already using to attack people’s iPhones.

The first security issue fixed in iOS 14.8 is a vulnerability in Apple’s CoreGraphics framework, where processing a maliciously crafted PDF may allow an attacker to execute code.

The second security hole is in the Apple WebKit browser engine, where processing malicious web content could allow an adversary to execute code.

As is customary, Apple did not provide any additional details on the live attacks beyond crediting Citizen Lab for one of the discoveries, a major clue the patch covers the FORCEDENTRY zero-click malware attacks seen targeting political activists in Bahrain.

Apple believes both vulnerabilities have been exploited by attackers, so it recommends you install iOS 14.8 now.

So what’s the upshot for you? These are being exploited now, so now is a good time to update your iPhone and your Mac.

Global: Apple debuts iPhone 13, updates iPad and Apple Watch

Then on Tuesday Apple introduced the lucky iPhone 13 featuring a smaller “notch” surrounding the front-facing FaceID camera. The iPhone 13 mini keeps the smaller-size model introduced last year in the lineup. Both models feature a new A15 bionic processor as well as optical image stabilization previously found only on the Pro line. A new “cinematic mode” allows for something akin to portrait mode in videos by dramatically shifting the point of focus.

The iPhone 13 Pro line builds on the new chip and design of the iPhone 13 but adds a 3x zoom lens and larger battery, among other features.

  • Debuted Apple Watch Series 7 with larger displays, thinner borders, and more rounded corners.
  • Introduced a new iPad mini with a more powerful processor, a USB-C port, and optional 5G cellular connectivity.

So what’s the upshot for you? Yawn. The one thing we really wanted to see was extended battery life. They did it for the phones, but alas not the watch, so if you wear one you will still be taking it off every 12 hours to charge. At least they don’t look to be suffering from the supply side holdups that are plaguing everyone else.

Global: Over 60 million wearable, fitness tracking records exposed via unsecured database

A research team discovered a non-password-protected database that contained 16.71 GB / Total Records: 61,053,956 belonging to users around the world. The massive amount of exposed records were related to IoT health and fitness tracking devices. Upon further investigation, there were multiple references to “GetHealth”, a New York City-based company that offers a unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.

The most disturbing part of the discovery was that many of the records contained user data that included first and last name, display name, date of birth, weight, height, gender, geolocation, and more. This information was in plain text while there was an ID that appeared to be encrypted. The geolocation was structured as in “America/New_York”, “Europe/Dublin” and revealed that users were located all over the world.

According to GetHealth’s website they can sync data from the following: 23andMe, Daily Mile, FatSecret, Fitbit, GoogleFit, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Microsoft, Misfit, Moves App, PredictBGL, Runkeeper, Sony Lifelog, Strava, VitaDock, Withings, Apple HealthKit, Android Sensor, S Health.

It is unclear how long these records were exposed or who else may have had access to the dataset and thankfully GetHealth took everything offline as soon as it was reported.

So what’s the upshot for you? Health data from wearable devices is a treasure trove of information that will grow as a target for cybercriminals. The health industry experiences more data breaches than any other sector and it can sell for $250 per record on the black market or dark web. Versus $5.40 for credit card detail.

CH: Covid-19 shortages, first toilet paper now Rolex watches.

Yes, you’ve made it, and now you might be thinking to yourself, “It’s time I bought that status symbol that lets everyone else know I’ve made it whenever I walk into a room” — a Rolex.

Well, we’ve got some bad news for - you probably can’t get one.

Semiconductor chips used cars, Rolex watches: One of these things is not like the other.

Yes, people are having a hard time getting their hands on them; and yes, all are more expensive now than they were last year; but unlike the first two, the scarcity of Rolex is strategic.

“Rolex would like to perpetuate the image that there’s a shortage and that there’s such high demand that they can’t produce enough to satisfy the demand, but in reality, it’s just a very controlled release in order to keep that demand super high.”
Another result of this artificially constrained supply of new watches is the absolute explosion of prices on the resale market where some timepieces now command far higher prices used than they do at the retail counter.

For example, a steel Daytona is advertised on the Rolex website for $13,150, but over at Chrono24, the exact same watch is listed for more than $36,000. What other asset appreciates so instantly after purchase?

So what’s the upshot for you? The upside is for one of these things is there is no nightly recharging, and there is no chance of a data leak. The downside is even if you can afford it you won’t wear it for fear of depreciating its value.

Global: Health monitoring that below us moves…

“The future of healthcare, where you’d least expect it.”

We thought we had seen it all, fitness monitors on our wrists, on our fingers, around our chests. Now we have one under our backsides.

The Casana Heart Seat™ unobtrusively gathers health data and analyzes it in context, with the aim of providing unique insights into health and trends over time.

With a long-lasting battery, you simply set and forget.

So what’s the upshot for you? We’re not saying this is a crap idea, but it certainly gives “data leak” new meaning.

And flushed with laughter from that last story, the end of another episode of the IT Privacy and Security Weekly update.

We’ll look forward to seeing you and your Rolex (or not) in a week’s time.

Until then, be kind, stay safe, stay secure and see you in Se7en.

1 Like