Daml’ers,
This week in our smash and grab we go from phones to fake followers and end up with a blog writer in tears.
We gain a little insight into just how relaxed some US Government officials are with the data of private citizens.
Then we wave, we get grabbed, we patch, and we secure.
Why… Heavens to Betsy! This sounds like the makings of the best IT Privacy and Security Weekly update yet!
Let’s pull up our socks, lace our running shoes, and see what we can unravel before we try and find that backdoor!
UK: ‘Crypto Muggings’: Thieves in London Target Digital Investors
Thieves are targeting digital currency investors on the street in a wave of “crypto muggings,” police have warned, with victims reporting that thousands of pounds have been stolen after their mobile phones were seized.
Anonymized crime reports provided to the Guardian by City of London police, as part of a freedom of information request, reveal criminals are combining physical muscle with digital know-how to part people from their cryptocurrency.
One victim reported they had been trying to order an Uber near London’s Liverpool Street station when muggers forced them to hand over their phone. While the gang eventually gave the phone back, the victim later realized that $6,150-worth of Ethereum digital currency was missing from their account with the crypto investing platform Coinbase.
In another case, a man was approached by a group of people offering to sell him cocaine and agreed to go down an alley with them to do the deal. The men offered to type a number into his phone but instead accessed his cryptocurrency account, holding him against a wall and forcing him to unlock a smartphone app with facial verification. They transferred $7,400-worth of ripple, another digital currency, out of his account.
A third victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole $35,300, including cryptocurrency.
So what’s the upshot for you? In every one of these cases the thieves needed nothing more than the unlocked handset and the owner’s face or finger, because the trading app accepted the same biometric the phone did. Could these victims now be considering moving their crypto trading app off their phones???
Global: It’s 2022, phones should be built to last…
Smartphone hardware has hit a plateau.
From mid-range to flagships, hardware is now more than powerful enough to last quite a while without going obsolete.
The days of significant year-on-year improvements are long gone, whether you’re looking at bleeding-edge performance, cameras, or battery life.
This isn’t to say we don’t yearn for those yearly gains, but they no longer suddenly mark older models for obsolescence even if they materialize.
As such, modern smartphones deserve long-term software support above and beyond semi-annual security patches.
So what’s the upshot for you? The harsh reality is that 83% of all e-waste does not end up getting recycled and e-waste comprises precious metals, such as copper and gold, and critical raw materials like cobalt and palladium.
These are expensive and finite resources that are labor-intensive to extract and refine.
More thoughtful design and longer support would help us now and mean that future generations don’t have to figure out how to clean up after us.
US/IL: F.B.I. Told Israel It Wanted Pegasus Hacking Tool for Investigations
The F.B.I. informed the Israeli government in a 2018 letter that it had purchased Pegasus, the notorious hacking tool, to collect data from mobile phones to aid ongoing investigations, the clearest documentary evidence to date that the bureau weighed using the spyware as a tool of law enforcement.
The F.B.I.'s description of its intended use of Pegasus came in a letter from a top F.B.I. official to Israel’s Ministry of Defense that was reviewed by The New York Times.
Pegasus is produced by an Israeli firm, NSO Group, which needs to gain approval from the Israeli government before it can sell the hacking tool to a foreign government.
The 2018 letter, written by an official in the F.B.I.'s operational technology division, stated that the bureau intended to use Pegasus “for the collection of data from mobile devices for the prevention and investigation of crimes and terrorism, in compliance with privacy and national security laws.”
The Times revealed in January that the F.B.I. had purchased Pegasus in 2018 and, over the next two years, tested the spyware at a secret facility in New Jersey.
Since the article’s publication, F.B.I. officials have acknowledged that they considered deploying Pegasus but have emphasized that the bureau bought the spying tool mainly to test and evaluate it – partly to assess how adversaries might use it.
They said the bureau never used the spyware in any operation.
So what’s the upshot for you? We’d be interested to see how many licenses they bought to better understand how large the radius of “testing” was that they were involved in…
US: US secretly issued subpoena to access Guardian reporter’s phone records
The US justice department secretly issued a subpoena to gain access to details of the phone account of a Guardian reporter as part of an aggressive leak investigation into media stories about an official inquiry into the Trump administration’s child separation policy at the southern border.
Leak investigators issued the subpoena to obtain the phone number of Stephanie Kirchgaessner, the Guardian’s investigations correspondent in Washington.
The move was carried out without notifying the newspaper or its reporter, as part of an attempt to ferret out the source of media articles about a review into family separation conducted by the Department of Justice’s inspector general, Michael Horowitz.
It is highly unusual for US government officials to obtain a journalist’s phone details in this way, especially when no national security or classified information is involved.
The move was all the more surprising in that it came from the DoJ’s inspector general’s office – the watchdog responsible for ethical oversight and whistleblower protections.
On 2 September 2020, Kirchgaessner reported that a senior justice department official nominated by Trump to be a federal judge had participated in the removal of a Texas prosecutor who had sounded the alarm over child separation.
So what’s the upshot for you? We saw the Freedom of Information Act request for detail on the subpoenaed phone records… noteworthy only by the absence of any significant detail.
It makes you think that these types of information gathering requests to Google, Apple, Microsoft, Facebook, and others, must be becoming so routine by now that they even have a Pro-forma response page to send out in reply.
US: US Drug Enforcement Administration Investigating Breach of Law Enforcement Data Portal
The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases.
KrebsOnSecurity learned the alleged compromise was tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.
Hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts system managed by the DEA.
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley said, “I don’t think these [people] realize what they got, how much money the cartels would pay for access to this."
It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but we are willing to bet that this portal is not the only offender.
So what’s the upshot for you? When hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found, or bought a username and password — it’s time for a change.
BR: In an effort to keep pace, Mastercard Launches the ‘Wave To Pay’ Program
Retailers that sign up for its pilot scheme can allow customers to pay in-store with a gesture such as a smile or a wave.
The system, which requires customers to enroll first, could also be connected to loyalty programs and purchase history.
“Payments is a wide space, and we are trying to offer what customers want,” Ajay Bhalla, Mastercard’s president of cyber and intelligence, told the Financial Times.
He said that Mastercard could act as the “enabler of the ecosystem,” setting unified privacy and security standards for a technology that has raised the hackles of privacy and data protection campaigners. “It’s important that we make sure that data is handled properly and the transaction is safe,” said Bhalla. “Everything is done with consumer consent.”
The facial recognition software itself will come from companies including Japan’s NEC, Brazil’s Payface, and California-based PopID.
The first pilots are launching this week at five supermarkets run by the St Marche chain in Brazil. The ambition is to eventually allow consumers to use a single enrolment to pay across different stores, says Bhalla, with further pilots planned across regions including Asia, the Middle East, and Europe.
So what’s the upshot for you? That’s it. First, our identification information is hacked, and then our biometrics? Is it really so hard to take a credit card out of your wallet?
Global: Ad-Tech Firms Grab Email Addresses From Forms Before They’re Even Submitted
https://www.usenix.org/conference/usenixsecurity22/presentation/senol
In a research paper scheduled to appear at the Usenix ’22 security conference later this year, the authors describe how they measured data handling in web forms on the top 100,000 websites, as ranked by the Tranco research list.
The researchers created their own software to measure email and password data gathering from web forms – structured web input boxes through which site visitors can enter data and submit it to a local or remote application.
Providing information through a web form by pressing the submit button generally indicates the user has consented to provide that information for a specific purpose.
But web pages, because they run JavaScript code, can be programmed to respond to events prior to a user pressing a form’s submit button. And many companies involved in data gathering and advertising appear to believe that they’re entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed.
“Our analyses show that users’ email addresses are exfiltrated to tracking, marketing, and analytics domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl,” the researchers state in their paper, noting that the addresses may be unencoded, encoded, compressed, or hashed depending on the vendor involved.
Most of the email addresses grabbed were sent to known tracking domains, though the researchers say they identified 41 tracking domains that are not found on any of the popular blocklists. “Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts,” the researchers say.
“On 17 of these, Facebook Pixel’s Automatic Advanced Matching feature was responsible for sending the SHA-256 of the email address in a SubscribedButtonClick event, despite not clicking any submit button,” the report says.
Facebook did not respond to a request for comment.
So what’s the upshot for you? “Based on our findings, users should assume that the personal information they enter into web forms may be collected by trackers – even if the form is never submitted,” the report concludes.
Global: Apple Patches Dozens of Security Flaws With iOS 15.5, Over 50 Fixes For macOS 12.4
Apple shared details for its security fixes in its latest software for iPhone, iPad, Mac, and more on its support page.
For both iOS and Mac, many of the flaws could allow malicious apps to execute arbitrary code with kernel privileges.
Another for iOS says “A remote attacker may be able to cause unexpected application termination or arbitrary code execution.” Specifically on Mac, one of the 50+ flaws fixed was that “Photo location information may persist after it is removed with Preview Inspector.”
Important security updates are also available for macOS Big Sur with 11.6.6, macOS Catalina, Xcode 13.4, and watchOS 8.6.
So what’s the upshot for you? If you own anything Apple, it’s time for another update.
Global: How much will it cost to secure open-source software?
Among the leading open-source organizations are the Linux Foundation and its Open Source Security Foundation (OpenSSF), which has a growing base of users. Last Friday at the Open Source Software Security Summit II in Washington, D.C., OpenSSF announced an ambitious, multipronged plan with 10 key goals to better secure the entire open-source software ecosystem.
While open-source software itself can sometimes be freely available, securing it will have a price. OpenSSF has estimated that its plan will require $147.9 million in funding over a two-year period.
In a press conference held after the summit, Brian Behlendorf, general manager of OpenSSF, said that $30 million has already been pledged by OpenSSF members including Amazon, Intel, VMware, Ericsson, Google, and Microsoft.
“I’ve been working with the source community for almost two decades, and in that period of time we’ve had multiple cases where a vulnerability in an open-source component has posed a dramatic risk to a broad set of society,” Behlendorf said.
So what’s the upshot for you? “Software will never be perfect. The only software that doesn’t have any bugs is the software with no users.”
US: NSA Says ‘No Backdoor’ in a New US Encryption Scheme
The US is readying new encryption standards that will be so ironclad that even the nation’s top code-cracking agency says it won’t be able to bypass them.
The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards.
“There are no backdoors,” said Rob Joyce, the NSA’s director of cybersecurity, in an interview.
A backdoor is a deliberate, hidden flaw that lets whoever knows about it break the encryption. The NSA-designed Dual_EC_DRBG random-number generator was dropped from the federal standard in 2014 amid concerns that it contained one.
The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today’s computers can’t.
So what’s the upshot for you? And after making that announcement, the director left by the back door.
US: Jeffrey Snover Claims Microsoft Demoted Him For Inventing PowerShell
PowerShell inventor Jeffrey Snover has aired some hitherto very private grievances about how his indispensable tool once got him demoted.
The Microsoft Technical Fellow discussed the incident in a weekend Twitter thread that started when controversial investor Peter Thiel discussed the virtues of courage.
“Courage is a key characteristic of future leaders and previous employees,” Snover joked in response to Thiel’s musings. He also asserted that “many people focus on getting their boss to pat them on the head rather than address problems.”
Snover said he was urged by friend Kevin Kean – who served as director of the Microsoft Security Response Center (MSRC) in the mid-2000s – not to reveal PowerShell, as it may not be well received.
When I was doing the prototype for what became PowerShell, a friend cautioned me saying that was the sort of thing that got people fired.
I didn’t get fired.
I got demoted. https://twitter.com/jsnover/status/1523010083189235712
— Jeffrey Snover (@jsnover) May 7, 2022
So what’s the upshot for you? Eventually Jeffrey was awarded the “Distinguished Engineer” title by Microsoft, and PowerShell did become regarded as “indispensable” by Microsofties, demonstrating, obviously, that it may eventually pay to stand your ground when you know you are doing the right thing.
Global: Elon might be right… Twitter Analysis: 19.42% of Active Accounts Are Fake or Spam
This is an interesting tool that checks for patterns in accounts to determine certain characteristics that might expose them as bots.
TL;DR – From May 13-15, 2022, SparkToro and Followerwonk conducted a rigorous, joint analysis of 44,058 public Twitter accounts active in the last 90 days.
These accounts were randomly selected, by machine, from a set of 130+ million public, active profiles.
Our analysis found that 19.42%, nearly four times Twitter’s Q4 2021 estimate, fit a conservative definition of fake or spam accounts (i.e. our analysis likely undercounts).
So what’s the upshot for you? We tried it (OK I tried it) and fully 24% of our (OK my) followers are fake.
Distraught, we are (OK I am) going to tend wounds and recompose for the next 7 days.
Our quote this week from author and think-tank leader Tim Leberecht might just end up as a new buzzphrase for Sin City: “What happens in Vegas ends up on YouTube.”
That’s it for this week. Stay safe, stay secure, pass the tissues, and we’ll see you in se7en.