The IT Privacy and Security Weekly Update and Crop Rotation for the Week ending August 16th, 2022


This week we begin in the underwear drawer and end up on the floor in one of the cutest stories about the effects of honey that we have ever seen.

We learn about a new hack that reveals the deep secrets of Dishy McFlatFace, and why Zoom took you out for your first meeting with your boss yesterday.

There’s an announcement about Amazon’s new comedy show made from Ring doorbell clips, yet nothing about what happened to all the compromising recordings Alexa made of you over the last few years.

We have bans on video players, chips, and even a whole smart city.


Finally, we get to the root of rooting the combine harvester you’ve had sitting out in the barn for the last two seasons because you could not drive it to the service center.

No stone is left unturned, no seed left unplanted, no crop left un-rotated and no mind left unfertilized, with this week’s harvest of stories.

So grab your pitchfork and follow us!

US: Twisted knickers

HanesBrands suffered a ransomware attack which left it partially unable to fulfill customer orders for three weeks, costing the company $100 million in net sales.

HanesBrands, an American multinational clothing company, has released its second-quarter results, which indicate a hit it took as a result of a ransomware attack.

The incident temporarily paralyzed its supply chain system and left the company unable to fulfill customer orders.

The overall losses amount to $100 million in net sales, $35m in adjusted operating profit, and $0.08 in adjusted earnings per share.

So what’s the upshot for you? Apparently now Hanes has things back under control, but this has left some huge holes in their underwear figures.

Global: Another first, the Starlink Terminal hack

Since 2018, Elon Musk’s Starlink has launched more than 3,000 small satellites into orbit.

This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia’s war in Ukraine.

Thousands more satellites are planned for launch as the industry booms.

And now, like any emerging technology, those satellite components are being hacked.

Lennert Wouters, a security researcher at the Belgian university KU Leuven, revealed one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings.

Wouters, who previously created hardware that can unlock a Tesla in 90 seconds, looked at the security of the terminal and its chips. “The user terminal was definitely designed by capable people,” Wouters says.

To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that could be attached to the Starlink dish.

The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25.

Once attached to the Starlink dish, the homemade printed circuit board can launch a fault injection attack: it briefly shorts a power rail on the terminal’s main chip while the secure-boot code is checking the firmware’s signature, so that the check misbehaves and Starlink’s security protections can be bypassed.

This ‘glitch’ allows Wouters to get into previously locked parts of the Starlink system.

The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities.

Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can’t be fixed unless the company creates a new version of the main chip.

All existing user terminals are vulnerable, Wouters says.

Wouters made his hacking tool open source on GitHub.

Starlink says it plans to release a “public update” to address the issue but additional details were not shared.

So what’s the upshot for you? Why haven’t these terminals been hacked already? With one of the Dishy McFlatfaces costing $599 and a $110 monthly subscription fee, you have to have some capital behind you before you even solder on the RP2040-based modchip, oh, and you will want a few of each to practice on…

Global: Windows patch for the DogWalk Zero-Day Exploit

Microsoft had previously said the DogWalk vulnerability did not constitute a security issue; now that attackers are actively exploiting it, the company has released a patch.

The vulnerability, tracked as CVE-2022-34713 and nicknamed DogWalk, is a weakness in the Windows Microsoft Support Diagnostic Tool (MSDT).

By using social engineering or phishing, attackers can trick users into visiting a fake website or opening a malicious document or file, and ultimately gain remote code execution on the compromised system.

DogWalk affects all Windows versions under support, including the latest client and server releases, Windows 11, and Windows Server 2022.

The vulnerability was first reported in January 2020 but at the time, Microsoft said it didn’t consider the exploit to be a security issue.

So what’s the upshot for you? This is the second time in recent months that Microsoft has been forced to change its position on a known exploit, having initially rejected reports that another Windows MSDT zero-day, known as Follina, posed a security threat.

A patch for that exploit was released in June’s Patch Tuesday update.

Global: Update Zoom For Mac Now To Avoid Root-Access Vulnerability

If you’re using Zoom on a Mac and you didn’t have your first session of the week with your boss interrupted by a 10-minute Zoom refresh and a reboot, it’s time for a manual update.

The video conferencing software’s latest update fixes an auto-update vulnerability that could have allowed malicious programs to abuse the updater’s elevated install privileges, gaining escalated privileges and control of the system.

The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit macOS security group.

Wardle detailed in a talk at DEF CON last week how Zoom’s installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn’t need one.

Wardle found that Zoom’s updater is owned by and runs as the root user. It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted.

The problem is that the verification was a substring search over the signature tool’s output, and the package’s file name is part of that output: simply naming the package after the certificate names the check was looking for (“Zoom Video … Certification Authority Apple Root CA.pkg”) bypassed it.

That meant malicious actors could make Zoom downgrade to an older, buggier, less secure version, or hand it an entirely different package that the root-owned updater would install, giving them root access to the system.
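To make the failure concrete, here is an added model of that updater check in Python. It is not Zoom’s code and does not reproduce Wardle’s exploit; the `pkgutil --check-signature` output is constructed inline as an approximation of what the tool prints (its first line echoes the package file name), the Team ID `TEAMID0000` and the “Example Attacker LLC” signer are placeholders, and the daemon-side “stage a copy under a fixed name, then check that copy” step is one hardening of my own choosing.

```python
import re

# Placeholder Apple Team ID for the expected signer (hypothetical, not Zoom's real ID).
EXPECTED_TEAM_ID = "TEAMID0000"

# Name the daemon gives its own copy of the package before checking it
# (assumed hardening: the caller never gets to choose the checked file name).
STAGED_NAME = "staged-update.pkg"

# Strings the vulnerable check looks for anywhere in the tool's output.
EXPECTED_STRINGS = (
    "Developer ID Installer: Zoom Video Communications, Inc.",
    "Developer ID Certification Authority",
    "Apple Root CA",
)

SIGNED_STATUS = "signed by a developer certificate issued by Apple for distribution"


def fake_pkgutil_output(filename, status, chain):
    """Constructed approximation of `pkgutil --check-signature <pkg>` output.
    The first line echoes the package file name verbatim; that echo is what
    lets a chosen file name satisfy a substring check."""
    lines = [f'Package "{filename}":', f"   Status: {status}"]
    if chain:
        lines.append("   Certificate Chain:")
        lines += [f"    {i}. {name}" for i, name in enumerate(chain, 1)]
    return "\n".join(lines) + "\n"


def verify_vulnerable(output):
    """Substring check of the kind Wardle described: every expected certificate
    name must appear somewhere in the output. The file name is in the output,
    so an unsigned package passes if it is named after the certificates."""
    return all(s in output for s in EXPECTED_STRINGS)


def verify_hardened(output):
    """Parse the structured fields of the daemon's own staged copy and pin the
    full chain, so neither the file name nor a different Developer ID signer
    can satisfy the check."""
    lines = output.splitlines()
    # The daemon chose the file name, so the echo line is fully known; this also
    # defeats file names carrying embedded newlines that forge later lines.
    if not lines or lines[0] != f'Package "{STAGED_NAME}":':
        return False
    status = re.search(r"^\s*Status:\s*(.+)$", output, re.M)
    if not status or not status.group(1).startswith(
        "signed by a developer certificate issued by Apple"
    ):
        return False
    chain = re.findall(r"^\s*\d+\.\s+(.+)$", output, re.M)
    expected_chain = [
        f"Developer ID Installer: Zoom Video Communications, Inc. ({EXPECTED_TEAM_ID})",
        "Developer ID Certification Authority",
        "Apple Root CA",
    ]
    return chain == expected_chain


# Constructed cases: label -> (file name handed over by the client, status line, chain)
SAMPLES = {
    "genuine": ("Zoom.pkg", SIGNED_STATUS, [
        f"Developer ID Installer: Zoom Video Communications, Inc. ({EXPECTED_TEAM_ID})",
        "Developer ID Certification Authority",
        "Apple Root CA",
    ]),
    # Unsigned package whose file name contains every string the check wants.
    "unsigned_renamed": (
        "Developer ID Installer: Zoom Video Communications, Inc. "
        "Developer ID Certification Authority Apple Root CA.pkg",
        "no signature", []),
    # Package signed by some other Developer ID, with Zoom's name in the file name.
    "other_signer_renamed": (
        "Developer ID Installer: Zoom Video Communications, Inc. update.pkg",
        SIGNED_STATUS, [
            "Developer ID Installer: Example Attacker LLC (ATTACKER00)",
            "Developer ID Certification Authority",
            "Apple Root CA",
        ]),
}


def run_checks():
    """Return {label: (vulnerable_verdict, hardened_verdict)} for each sample."""
    results = {}
    for label, (filename, status, chain) in SAMPLES.items():
        as_handed_over = fake_pkgutil_output(filename, status, chain)
        after_staging = fake_pkgutil_output(STAGED_NAME, status, chain)
        results[label] = (verify_vulnerable(as_handed_over), verify_hardened(after_staging))
    return results


if __name__ == "__main__":
    for label, (vuln, hard) in run_checks().items():
        print(f"{label:22s} vulnerable: {vuln!s:5}  hardened: {hard}")
```

Both renamed packages pass the substring check and fail the parsed one. Staging the copy first also closes the time-of-check/time-of-use gap between verifying a user-writable file and installing it, and a real fix would additionally refuse any package whose version is lower than the running client’s, which is the downgrade path described above.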

So what’s the upshot for you? Now if Zoom could just figure out a way to handle the updates so that they didn’t have to interrupt their own Zoom meetings, we’d be onto a winner.

US: Amazon Studio Plans Lighthearted Show of Ring Surveillance Footage

For some people, the term “Ring Nation” might evoke a warrantless surveillance dystopia overseen by an omnipotent megacorp.

To Amazon-owned MGM, Ring Nation is a clip show hosted by comedian Wanda Sykes, featuring dancing delivery people and adorable pets.

Deadline reports that the show, due to debut on September 26, is “the latest example of corporate synergy at Amazon.”

Amazon owns household video security brand Ring, Hollywood studio MGM, and Big Fish, the producer of Ring Nation.

Viral videos captured by doorbell cameras have been hot for a while now.

You can catch them on late-night talk shows, the r/CaughtOnRing subreddit, and on millions of TikTok users’ For You page.

Amazon’s media properties, perhaps sensing an opportunity to capitalize and soften Ring’s image, are sallying forth with an officially branded offering.

Ring Nation will feature “neighbors saving neighbors, marriage proposals, military reunions, and silly animals,” Deadline writes.

But Ring Nation might be aiming even higher, according to Ring founder Jamie Siminoff – to something approaching a salve for our deeply divided nation. “Bringing the new community together is core to our mission at Ring, and Ring Nation gives friends and family a fun new way to enjoy time with one another,” Siminoff told Deadline.

“We’re so excited to have Wanda Sykes join Ring Nation to share people’s memorable moments with viewers.”

So what’s the upshot for you? We can’t wait for the announcement of their new audio show “Intimate moments”. Recordings of all the naughty things that Amazon Alexa pretends she doesn’t hear.

Global: Facebook Testing End-to-End Encrypted Chats, Secure Backups

On Thursday Meta published a blog post by its “product management director of Messenger Trust,” who emphasized that the company has begun at least testing end-to-end encryption by default for Messenger chats. Meta also announced plans “to test a new secure storage feature for backups of your end-to-end encrypted chats on Messenger…”

“As with end-to-end encrypted chats, secure storage means that we won’t have access to your messages unless you choose to report them to us.”

CNBC provides a bit of context: The announcement comes after Facebook turned over Messenger chat histories to Nebraska police as part of an investigation into an alleged illegal abortion.

(Meta spokesperson Andy Stone said the feature has been in the works for a while and is not related to the Nebraska case…)

The feature is rolling out on Android and iOS devices this week, but it isn’t yet available on the Messenger website.

The company has been discussing full-scale deployment of end-to-end encryption since 2016, but critics have said the security measure would make it much more difficult for law enforcement to catch child predators…

Meta said in the release that it is making progress toward the global rollout of default end-to-end encryption for personal messages and calls in 2023.

So what’s the upshot for you? With what is going on in the US, Facebook is moving toward a better stance; still, it would be sweet to have some firm “Go-Live” dates for all these changes.

IN: VLC Media Player Banned In India

VLC media player, one of the most popular media players and streaming media servers, developed by the VideoLAN project, is no longer available in India.

VLC Media Player downloads were blocked in India nearly 2 months ago.

Neither the company nor the Indian government has revealed any details about the ban.

Some reports suggest that VLC Media Player was blocked in the country because the China-backed hacking group Cicada had been abusing it in cyber attacks.

Just a few months ago, security researchers found that Cicada was using a legitimate VLC Media Player binary to side-load a malicious loader as part of a long-running cyber attack campaign.

So what’s the upshot for you? “No more bug videos.”

US: The United States Bans the Export of Tech Used In 3nm Chip Production On Security Grounds

The United States is formally banning the export of four technologies tied to semiconductor manufacturing, calling the protection of the items “vital to national security.”

Announced Friday by the US Commerce Department’s Bureau of Industry and Security and enacted today, the rule will ban the export of two ultra-wide bandgap semiconductor materials, as well as some types of electronic computer-aided design technology and pressure gain combustion (PGC) technology.

In particular, the Bureau of Industry and Security said that the semiconductor materials gallium oxide and diamond will be subject to renewed export controls because they can operate under more extreme temperature and voltage conditions.

The Bureau said that capability makes the materials more useful in weapons.

Electronic computer-aided design software, which aids design for a wide range of circuits, comes in specialized forms that support gate-all-around field effect transistors, which are used to scale semiconductors to 3 nanometers and below.

Pressure gain combustion technology also has “extensive potential” for ground and aerospace uses, the Bureau of Industry and Security said.

All items will be classified under Section 1758 of the Export Control Reform Act, which covers the production of advanced semiconductors and gas turbine engines.

Those types of technology are also covered by the Wassenaar Arrangement, a multilateral export-control regime for conventional arms and dual-use goods established in 1996, which today has 42 participating states including the US.

“We are protecting the technologies identified in today’s rule from nefarious end use by applying controls through a multilateral regime,” the Assistant Secretary of Commerce for Export Administration said in a statement.

“This rule demonstrates our continued commitment to imposing export controls together with our international partners.”

The Bureau of Industry and Security statement announcing the export ban made no mention of specific countries, but recent events make it clear the target is China: the other tech export bans (and investment freezes) the US has recently considered all appeared tailored to China.

Analysts in the Middle Kingdom have claimed the ban would have little short-term impact on China’s chipmaking industry as no one in China has yet managed to design chips as advanced as those targeted by the ban.

So what’s the upshot for you? We realized that we made at least a dozen substitutions of acronyms back to their original meaning just to understand this story. In essence it says that two semiconductor materials suited to extreme temperatures and voltages, the design software needed for chips at 3 nanometers and below, and a combustion technology will be banned from export, with China as the evident target, which won’t mind much for now, as nobody there is making anything that small at this point in time.

US: New US Privacy Law May Give Telecoms a Free Pass On $200 Million in Fines

The American Data Privacy and Protection Act, a new federal privacy bill that actually has a chance of becoming law, is designed to introduce new privacy protections for Americans.

But it may also have the side effect of wiping out $200 million worth of fines proposed against some of the country’s biggest telecommunications companies as part of a major location-data selling scandal in which the firms sold customer data that ended up in the hands of bounty hunters and other parties.

The issue centers around the American Data Privacy and Protection Act’s shift of enforcement for privacy-related matters from the Federal Communications Commission (FCC), which proposed the fines, to the Federal Trade Commission (FTC).

The news highlights the complex push and pull involved in developing privacy legislation, and some of the pitfalls along the way.

The FCC proposed the $200 million fines in February 2020.

The fines came after Motherboard revealed that the carriers sold phone location data to a complex supply chain of companies which then provided it to hundreds of bounty hunters and other third parties, including someone that allowed Motherboard to track a phone for just $300.

The fines also came after The New York Times and the office of Sen. Ron Wyden found that the carriers sold location data in a similar method to a company called Securus, which allowed law enforcement officials to track the location of phones without a warrant.

A former sheriff abused the tool to spy on judges and other officials.

The offending telecoms – AT&T, T-Mobile, Sprint, Verizon – said they stopped the sale of location data at varying points in time in response to the investigations.

The FCC then found that the carriers broke the law by selling such data.

FCC Press Secretary Paloma Perez told Motherboard in an emailed statement that "our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection.

That is why the FCC proposed more than $200 million in fines against the nation’s largest wireless carriers for selling their customers’ location data.

Through our continued oversight we have ensured that these carriers are no longer monetizing their consumers’ real-time location in this way, and we are continuing our investigation into these practices and expect to reach a conclusion very soon."

In July FCC Chairwoman Jessica Rosenworcel sent letters to a host of U.S. telecommunications, tech, and retail companies to ask about their use of location data.

So what’s the upshot for you? We hope they do this with our tax bills this year too.

Global: Apple Finds Its Next Big Business: Showing Ads on Your iPhone

“Apple is set to expand ads to new areas of your iPhone and iPad in search of its next big revenue driver”

Apple “could eventually bring ads to more of the apps that come pre-installed on your iPhone and other Apple devices, including Maps, Books, and Podcasts.”

According to a report from Bloomberg’s Mark Gurman, Apple has internally tested search ads in Maps, which could display recommendations when you search for restaurants, stores, or other nearby businesses.

Apple already implements a similar advertising model on the App Store, as developers can pay to have their app promoted on a search page for a particular query, like “puzzle games” or “photo editor.”

As noted by Gurman, ads on Maps could work in the same way, with businesses paying to appear at the top of search results when users enter certain search terms.

Gurman believes that Apple could introduce ads to its native Podcasts and Books apps as well.

This could potentially allow publishers to place ads in areas within each app, or pay to get their content placed higher in search results.

Just like Maps, Podcasts and Books are currently ad-free… Gurman mentions the potential for advertising on Apple TV Plus, too, and says the company could opt to create a lower-priced ad-supported tier, something both Netflix and Disney Plus plan on doing by the end of this year.

Bloomberg points out that Apple is already displaying ads inside its News app — where some of the money actually goes back to news publishers.

And while you can disable ad personalization — which 78% of iOS users have done — Bloomberg notes that "Another ironic detail here is that the company’s advertising system uses data from its other services and your Apple account to decide which ads to serve.

That doesn’t feel like a privacy-first policy."

Bloomberg’s conclusion? “Now the only question is whether the customers of Apple — a champion of privacy and clean interfaces — are ready to live with a lot more ads.”

So what’s the upshot for you? The perfect ad blocker that works on all platforms: just leave your phone in the car until the battery runs out.

US: Right To Repair Battle Heats Up With Rooting of John Deere Equipment

John Deere, the current and historic American producer of farming equipment, has long been maligned for their digital rights management-based lockdowns of said equipment which can make it impossible for farmers to perform their own service. Now a new security bypass has been discovered for some of their equipment, which has revealed that it is in general based on outdated versions of Linux and Windows CE (a.k.a. Windows Embedded Compact).

Carried out by an Australian living in Asia who calls himself “Sick Codes”, the complete attack involves attaching hardware to the printed circuit board inside a touchscreen controller, and ultimately produces a root terminal.

As a result, questions are also being raised about John Deere’s compliance with the GNU General Public License (GPL), which requires anyone distributing GPL-licensed code, modified or not, to make the corresponding source available in return.

Sick Codes isn’t sure how John Deere can eliminate this vulnerability (beyond overhauling designs to add full disk encryption to future models). “At the same time, though, vulnerabilities like the ones that Sick Codes found help farmers do what they need to do with their own equipment.”

So what’s the upshot for you? There has been a bit of an uproar over what John Deere has been doing with its unserviceable tractors over the last few years.

Word has it that pressure from farmers and the US Gov’t may see John Deere making software home diagnostics kits available in the fourth quarter of this year.

CA: Toronto may kill the smart city forever

An unassuming section of Toronto was going to become a hub for an optimized urban experience featuring Robo-taxis, heated sidewalks, autonomous garbage collection, and an extensive digital layer to monitor everything from street crossings to park bench usage.

Had it succeeded, Quayside could have been a proof of concept, establishing a new development model for cities everywhere.

It could have demonstrated that the sensor-laden smart city model embraced in China and the Persian Gulf has a place in more democratic societies.

Instead, Sidewalk Labs’ (a subsidiary of Google’s parent, Alphabet) two-and-a-half-year struggle to build a neighborhood “from the internet up” failed to make the case for why anyone might want to live in it…

The project’s tech-first approach antagonized many; its seeming lack of seriousness about the privacy concerns of Torontonians was likely the main cause of its demise.

There is far less tolerance in Canada than in the U.S. for private-sector control of public streets and transportation, or for companies collecting data on the routine activities of people living their lives.

"Canadians don’t expect the private sector to come in and save us from the government because we have high trust in government."

With its very top-down approach, Sidewalk failed to comprehend Toronto’s civic culture.

Almost every person I spoke with about the project used the word “hubris” or “arrogance” to describe the company’s attitude. Some people used both.

So what’s the upshot for you? In February Toronto announced new plans for the area, with "800 affordable apartments, a two-acre forest, a rooftop farm, a new arts venue focused on indigenous culture, and a pledge to be zero-carbon."

The philosophical shift signaled by the new plan, with its emphasis on wind and rain and birds and bees rather than data and more data, seems like a pragmatic response to the demands of the present moment and the near future.

We like it.

TR: Intoxicated bear rescued after eating hallucinogenic honey in Turkey

The Turkish Ministry of Agriculture and Forestry said the bear was found disoriented in Duzce Province on Thursday and was captured by wildlife officials.

The bear was examined by veterinarians and found to be intoxicated after ingesting a large amount of honey made from the nectar of an indigenous species of rhododendron.

The honey, known as “mad honey,” contains grayanotoxin, a neurotoxin that produces hallucinogenic effects when consumed by mammals.

The ministry said the bear is in good health and will eventually be returned to the wild. It also asked social media users to help come up with a name for the intoxicated bear.

So what’s the upshot for you? No privacy, no security, but probably the cutest accompanying “Buzzed” bear video we have seen in a while, make sure you click on the article link.

And our quote of the week: "They [pets] never talk about themselves but listen to you while you talk about yourself, keep up an appearance of being interested in the conversation, and never gossip."


That’s it for this week. Stay safe, stay secure, pass the honey, please don’t park that thing in front of the office, and we’ll see you in se7en.