The IT Privacy and Security Weekly Update for January 5th. 2021

Dear DAML’ers,

Following on from last year’s collection of the Best IT Privacy and Security stories yet, we up your ROI (return on investment) in this section with what these stories mean to you. There’s no better way to drive a story home than with a message of “what’s in it for me?” and that’s what we deliver.

We start our journey across the world with a criminal complaint and we end at the doctor’s office, in between we have insight from the Netherlands, India, China, the EU and the US. If you use any type of technology there’s a story for you here.

So without further ado we’d like to help you start your great new year off with best wishes and the BEST IT Privacy and Security Weekly Update yet!

Let’s get going! Read on or listen to the podcast here!

US: Need a reason to use two factor authentication? Read this criminal complaint filed December 22nd.

According to the affidavit filed in support of the criminal complaint, in February 2020, Desmond Babloo Singh 19 Yr/old., sent the victim, Jane Doe, an Instagram story, professing his love for her. Jane Doe was a former classmate of Singh’s older sister. Jane Doe rejected Singh’s romantic advances and told him that she was not interested in a relationship with him. Jane Doe, who resides in Maryland when she is not attending college, asked Singh to not contact her any further.

As detailed in the affidavit, from approximately April 18, 2020, through November 24, 2020, Singh allegedly used more than 100 different social media, electronic communication, and phone accounts to send Jane Doe harassing and unsolicited messages. The messages included express and implied threats of death and bodily injury, sexualized violence, and racial slurs. Singh allegedly accessed several of Jane Doe’s electronic accounts without authorization, changing her passwords to lock her out of her accounts and posting offensive images and statements to her accounts without authorization. Singh allegedly obtained personal images that had been privately stored in Jane Doe’s Snapchat account, which he later posted on social media accounts used to harass Jane Doe, and sent via text message to Jane Doe and her family members.

According to the affidavit, Singh publicly posted Jane Doe’s personal information on several occasions and encouraged others to harass the victim. Singh also allegedly posted the personal information of Jane Doe’s family members. Singh allegedly sent harassing messages and posted messages attacking an ex-boyfriend of Jane Doe, who Singh viewed as a romantic rival. In addition, Singh allegedly “swatted” Jane Doe, causing a police response to her Baltimore County residence in response to an e-mailed bomb threat. Further, the affidavit alleges that Singh solicited others online to rape, murder, and decapitate Jane Doe in exchange for Bitcoin.

So what’s the upshot for you?

  • Take dated screenshots (e.g. Facebook threat 2021 01 05) documenting anything maliciously directed at you on line.

  • You can’t stop a crazy, but you can use 2 factor authentication and account specific logons like “YourName”+service.

  • If it’s an e-mail … you can sign up for a no-name gmail account and use the +service addition (everything after the + and before the @ is discarded) to create a unique email.

GLOBAL: Over 100,000 Zyxel firewalls, VPN gateways, and access points are updated with a hardcoded with Admin backdoor.

Dutch security team “Eye Control” report “this is pretty much as bad as it gets”

The 4.60 patch includes an admin account with “zyfwp” as the username and the “PrOw!aN_fXp” for the password.

Security experts warn that anyone ranging from DDoS botnet operators… to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.

TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. It appears that it’s only ver. 4.60 where both the admin account and the password have been retained, so you want the “v4.60Patch1”.

For AP controllers running v6.10, “v6.10Patch1” patches are expected at the end of this week.

So what’s the upshot for you?

  • We always recommend updating anything with a network connection to the latest patch. In this case , Ouch!

  • Patches for all devices should be available at latest by the end of this week, if you have one, put something in your calendar with this link:

IN: Data from August Breach of Amazon Partner Juspay Dumped Online.

Data from a breach that occurred five months ago involving Juspay, which handles payments for Amazon and other online retailers in India, has been dumped online. Rajshekhar Rajaharia discovered data of 35 million Indian credit-card holders from a breach of a Juspay server that occurred on Aug. 18. The data included sensitive information such as the name, mobile number and bank name of customers whose payment info went through the company’s service exposed data included an edited screenshot of some of the data.

Juspay is a Bengaluru, India-based start-up that partners with leading online retailers to make payment transactions—upwards of 650,000 per day–in India. Merchants with payments going through the service include Amazon, Swiggy, MakeMyTrip, Yatra, Freecharge, BookMyShow and Snapdeal.

Juspay responded immediately to the incident and stopped the intrusion, terminated the server used in the attack, and sealed its entry point, according to the statement. “Within the same day, a system audit was done to make sure the entire category of such issues is [sic] prevented," the company said. “Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.”

While the company may have already informed partners, it did not reveal the breach publicly until this week, after Rajaharia’s discovery of the dumped data. Juspay’s delayed approach to revealing the breach has some calling for the company to be investigated by Indian authorities for its lack of immediate disclosure.

So what’s the upshot for you?

  • We say it’s important for customers to know when we have been compromised too!
  • If you have flexibility in who you select for payments, this might be a great time to let your vendor know that you are not happy with Juspay’s sense of transparency.

It’s your data and it’s your right to have it protected.

US: Ticketmaster To Pay $10 Million Fine For Hacking A Rival Company

Ticketmaster has agreed to pay a $10 million fine after being charged with illegally accessing computer systems of a competitor CrowdSurge, repeatedly between 2013 and 2015 in an attempt to “cut [the company] off at the knees.”

“Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers, as if that were an appropriate business tactic.”

The allegations were first reported in 2017 after CrowdSurge sued Live Nation for antitrust violations, accusing Ticketmaster of accessing confidential business plans, contracts, client lists, and credentials of CrowdSurge tools.

In addition to the $10 million fine, Ticketmaster has been slapped with maintaining a compliance and ethics program to detect and prevent such unauthorized acquisition of confidential information belonging to its rivals. The company will be required to make an annual report to the U.S. Attorney’s Office for the next three years to ensure compliance.

So what’s the upshot for you?

  • Consider buying your tickets from another vendor. TicketMaster may then learn that being a good corporate citizen is as important to its customers as it is to the US Government.

T-Mobile suffers its fourth hack in less than three years – still “takes the security of your information very seriously”

We love Graham Cluley’s rant about t-Mobile’s most recent data breach.

In an update on its website the wireless provider has published a “notice of security incident” (don’t you love the way companies try to find words to make their data breach notifications sound as dull as possible?).

1.) In its advisory, T-Mobile says that its security team recently discovered that hackers had managed to access information related to T-Mobile accounts which: “may have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.

They finished by saying… “We take the security of your information very seriously…”

Previous three breaches:

2.) March 2020 – T-Mobile reveals that hackers broke into employees’ email accounts and stole customer account information.

At the time, T-Mobile said: “We take the security of your information very seriously…”

3.) November 2019 – T-Mobile confirmed that more than one million prepaid customers were impacted by a breach which saw hackers access their names, phone numbers, billing addresses, T-Mobile account numbers, and details about rates and plans.

At the time, T-Mobile said: “We take the security of your information very seriously…”

4.) August 2018 – Hackers stole details of two million T-Mobile customers.

At the time, T-Mobile said: “We take the security of your information very seriously…”

Fancy that. It’s almost as if they have a template all ready in case of a breach…

So what’s the upshot for you?

  • If T-Mobile seems to be playing “Free and Easy” with your user data, it might be something to remember if all else is equal when sourcing your next phone service provider.

  • “I take the security of my information very seriously…”

CN: How a new ransomware Attack is linked to a Chinese Advanced Persistent Threat (APT) group.

A report from “Security Joes and Profero” reveals how the vendors uncovered the links after investigating an incident in which ransomware encrypted “several core servers” at an unidentified firm. What was interesting about this backdoor was its utilization of Dropbox as a Command and Control (C2) server.

APT27 is believed to be a state-sponsored Chinese APT group, focused on cyber-espionage and theft of information and data. What stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows. This was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather than use local tools.

The work of attack attribution is fascinating and this report steps through all the discovery components that lead to the conclusion. If you are at all interested in the detective work that goes on to provide examples of ownership and toolset use in the spy/hacker community, this is a great article to review.

So what’s the upshot for you?

  • If you love a good police or detective show cyber security may have more than a few elements that interest you. Following the trail of a hacker can be equivalent to piecing together clues in detective work. In any case this is an eye opening opportunity to see how this particular group was tracked down and identified!

EU: Missing big league Sports? Let’s check the EU GDPR penalty scorecard instead.

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world.
Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018 and each year, as regulators become more familiar with the application of the regulation, you should see fines steadily rising.

In the league tables it seems Italy (EURO 58,161,601), the UK (EURO 43,901,000) and Germany (EURO 37,398,708) are first second and third in terms of the total amounts of GDPR related fines levied.

Spain tops the list with numbers of fines at 128, Italy with 34 and Romania at 26

Clothing retailer H&M got the biggest fine last year (EURO 35 million), followed by Telecom Italia (EURO 28 million) and British Airways (EURO 22 million).

So what’s the upshot for you?

  • It’s the recognition that your information is valuable and needs to be handled and disposed of safely for the time it is required.

  • While you may not be a member of the European Union, similar regulations are being put in place around the world. They all work to protect you and your identity.

GLOBAL: Ransomware Surge Drives 45% Increase in Healthcare Cyber-Attacks

Healthcare: and while the doctors and nurses were busy fighting for their lives (and yours) with Covid-19 in the ER, the IT team were busy with cyber-attacks which increased at double the rate of any other business sector.

There was a 45% increase in attacks on the healthcare sector, versus less than half this figure (22%) for all other verticals. November was particularly bad, with Health Care Organizations suffering 626 weekly attacks on average per organization, compared with 430 in the previous two months.

Although the attacks span a variety of categories — including ransomware, botnets, remote code execution and DDoS — perhaps unsurprisingly, it is ransomware that displayed the largest increase overall and poses the biggest threat to Health Care Organizations.

Ryuk and Sodinokibi (REvil) malware were highlighted as the main culprits.

In fact, financially motivated cyber-criminals have been going after the healthcare sector since the start of the COVID-19 crisis, well aware that hospitals and clinics are distracted with the huge surge in cases coming through their doors.

  • Central Europe experienced the biggest rise in cyber-attacks on its Health Care Organizations during the period (145%), followed by East Asia (137%) and Latin America (112%).
  • Spain saw attacks double and Germany recorded a 220% surge.
  • Although North America (37%) saw the smallest rise regionally, Canada experienced the biggest increase of any country, at 250%.

So what’s the upshot for you?

  • Healthcare organizations are simply getting overwhelmed front, back and sides. There is no good way to frame this story or the outcome. Continue to be vigilant, check your credit rating with the credit bureaus quarterly and now, more than ever, watch the bank, credit card and health statements.

Lastly: Let’s take every opportunity to thank the front line in healthcare near us. This has been a relentless 9 months for them they have literally been impacted physically, emotionally and …digitally.

That’s it for the first IT P&SWU of 2021! We wish you a great start to the year and will be back in se7en days!


This is the first IT Privacy & Security weekly update I have read :+1:t2:

It reminds me of the format that Bruce Schneier uses on his weekly (?) Blog Posts. Very interesting, varied and topical. Any chance of some more Blockchain and/or Smart Contract chicanery, or is it too early for this to be a reportable ‘thing’ yet?

1 Like

We do keep an eye out for those types of stories, so you will see more of them as the ecosystem evolves. To this point in history, most of the stories concerning distributed transactions and blockchain have been exchanges that have had a compromise, but we will keep digging and promise you more relevant content to come!!! We also invite all listeners and readers to share their own stories and experiences and we’ll see how much we can blend in from our global audience!
Thank you for being part of this great community!