The IT Privacy and Security Weekly Update served with a side of Broccoli for the week ending July 5th 2022


This update moves IT Privacy and Security from your next meal to a trip around the salad bar at least a couple of times.

We work our way from an unlikely garden and a Raspberry Robin out to the OpenSea. We discover many unappetizing ways for our data to be lost, stolen, or sold.

Then… sprinkling a little bit of insight into how police use our search data and what is being proposed in the garden state of California that would wipe out any sort of browsing anonymity … completely.

You get some reassurance in your “sage” thoughts about that co-worker you’ve never actually seen or heard from and finally, you see how many people have blossomed since we put this piece together.

There’s plenty of calm in this week’s update, but there is plenty of tossing around too.

Dark Places: Artificial photosynthesis can produce food without sunshine

Photosynthesis has evolved in plants for millions of years to turn water, carbon dioxide, and the energy from sunlight into plant biomass and the foods we eat.

This process, however, is very inefficient, with only about 1% of the energy found in sunlight ending up in the plant.

Scientists at UC Riverside and the University of Delaware have found a way to bypass the need for biological photosynthesis altogether and create food independent of sunlight by using artificial photosynthesis.

Plants are growing in complete darkness in an acetate medium that replaces biological photosynthesis. The research, published in Nature Food, uses a two-step electrocatalytic process to convert carbon dioxide, electricity, and water into acetate, the form of the main component of vinegar.

Food-producing organisms then consume acetate in the dark to grow. Combined with solar panels to generate the electricity to power the electrocatalysis, this hybrid organic-inorganic system could increase the conversion efficiency of sunlight into food, up to 18 times more efficient for some foods.

So what’s the upshot for you? Grow your mixed salad in the front hall closet perhaps, but at least that nosey person at the supermarket checkout won’t be commenting on how much veg you are eating lately.

Global: Microsoft finds Raspberry Robin worm in hundreds of Windows networks

Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.

The malware, dubbed Raspberry Robin, spreads via infected USB devices, and it was first spotted in September 2021.

Raspberry Robin is spreading to new Windows systems via infected USB drives containing a malicious .LNK file.

Once the USB device is attached and the user clicks the link, the worm spawns a msiexec process using cmd.exe to launch a malicious file stored on the infected drive.

It infects new Windows devices, communicates with its command and control servers (C2), and executes malicious payloads using several legitimate Windows utilities.

Although Microsoft observed the malware connecting to addresses on the Tor network, the threat actors are yet to exploit the access they gained to their victims’ networks.

So what’s the upshot for you? Microsoft has tagged this campaign as high-risk, given that the attackers could download and deploy additional malware within the victims’ networks and escalate their privileges at any time.
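A detection check for the launch chain just described, added here as an example and not taken from Microsoft's report or this newsletter: it scans process-creation events for cmd.exe spawning msiexec.exe with a package path on a removable drive. The events, field names (Sysmon Event ID 1 style) and the set of removable drive letters are constructed for the example; on a real host the drive letters would come from the OS.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample process-creation events (Sysmon Event ID 1 style field
# names; the values are made up for this example, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: the chain described in the text: cmd.exe -> msiexec.exe, package on a USB drive
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i E:\setup\update.msi"},
    # 1: benign installer launched from Explorer on the system drive
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec /i "C:\Users\alice\Downloads\tool.msi"'},
    # 2: cmd.exe -> msiexec.exe, but the package lives on the system drive
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\deploy\agent.msi /qn"},
]

# Matches a drive-letter path root such as E:\ anywhere in a command line.
DRIVE_ROOT = re.compile(r"(?<![A-Za-z])([A-Za-z]):\\")


def removable_drives_referenced(command_line: str, removable: Iterable[str]) -> List[str]:
    """Return the removable drive letters (upper-case) used as path roots in command_line."""
    wanted = {d.upper() for d in removable}
    seen = {m.group(1).upper() for m in DRIVE_ROOT.finditer(command_line)}
    return sorted(seen & wanted)


def is_raspberry_robin_chain(event: Dict[str, str], removable: Iterable[str]) -> bool:
    """True when cmd.exe spawned msiexec.exe and the command line points at a removable drive."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not (parent.endswith("\\cmd.exe") and image.endswith("\\msiexec.exe")):
        return False
    return bool(removable_drives_referenced(event.get("CommandLine", ""), removable))


def find_chains(events: List[Dict[str, str]], removable: Iterable[str]) -> List[int]:
    """Indices of events matching the chain. `removable` is the set of drive letters
    the host reports as removable media (supplied by hand in this example)."""
    removable = list(removable)  # materialise so a generator can be reused per event
    return [i for i, e in enumerate(events) if is_raspberry_robin_chain(e, removable)]


if __name__ == "__main__":
    for i in find_chains(SAMPLE_EVENTS, {"E"}):
        print("suspicious msiexec launch:", SAMPLE_EVENTS[i]["CommandLine"])
```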

UA: The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan

Military leaders around the world are closely watching Russia’s invasion of Ukraine, which has just entered its fifth month, but perhaps none more closely than those in China, who are tracking the intricacies of Russia’s cyberattacks designed to further cripple Kyiv.

Some of the possible lessons for a Chinese invasion of Taiwan, then? Strike quickly, pick targets that would cripple the enemy early on, and rely on attack methods that never have been observed in public.

The idea that China is watching what’s happening in the cyberspace element of the conflict between Russia and Ukraine is more than informed speculation. Beijing has long shown a fascination with Russia’s cyberattacks in Ukraine, especially its 2015 attack on the power grid that left hundreds of thousands of citizens without power for hours.

Hegel and others note that China has typically taken a different approach in cyberspace than Russia. China focuses on the covert collection of information, while Russia often uses cyber for disruption, as it did by upending the 2016 U.S. election by hacking into key Democratic organizations.

So what’s the upshot for you? The Chinese military is learning from the Ukraine invasion, and a clearer picture of exactly what Beijing’s generals are tracking is expected to emerge soon.

“Eventually you will see ‘lessons learned’ type articles appear in media intended primarily for internal consumption, and from those, we will be able to get a much clearer picture of what their takeaways were.”

US: HackerOne employee side gig isn’t well received.

On June 22nd, 2022, a customer asked us to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform.

The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer.

Additionally, the submitter’s disclosure was similar to an existing disclosure previously submitted through HackerOne…

The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

We discovered a then-employee had improperly accessed security reports for personal gain.

This is a clear violation of our values, our culture, our policies, and our employment contracts.

We worked quickly to contain the incident by identifying the then-employee and cutting off access to data.

We have since terminated the employee and further bolstered our defenses to avoid similar situations in the future.

Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate.

So what’s the upshot for you? This confirms that HackerOne has a process for vetting new employees that is insufficient to the task. What a dummy.

Global: OpenSea suffers a massive email data breach

An employee of OpenSea’s email delivery vendor exploited their access to download the email addresses of the company’s users and newsletter subscribers and share them with a third party.

The NFT giant claims that all users who have previously shared their email with OpenSea should assume they have been affected.

“We are working with in their ongoing investigation, and we have reported this incident to law enforcement,” OpenSea stated in a press release.

OpenSea is a huge platform with almost 1.9 million active users, according to Dune Analytics.

Now, the company warns users of impersonation attempts and encourages them to stay vigilant in light of the recent breach. Since emails were affected, phishing attacks are to be expected.

“Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain,” OpenSea warns.

So what’s the upshot for you? Rough water ahead for OpenSea.

US: Cryptocurrency Titan Coinbase Providing ‘Geo Tracking Data’ To ICE

Coinbase, the largest cryptocurrency exchange in the United States, is selling Immigration and Customs Enforcement a suite of features used to track and identify cryptocurrency users.

In August 2021, Coinbase sold a single analytics software license to ICE for $29,000, followed by a software purchase potentially worth $1.36 million the next month, but details of exactly what capabilities would be offered to the agency’s controversial Homeland Security Investigations division were unclear.

A new contract document shows ICE now has access to a variety of forensic features provided through Coinbase Tracer, the company’s intelligence-gathering tool (formerly known as Coinbase Analytics).

Coinbase has in recent years made a concerted effort to pitch its intelligence features to U.S. government agencies, including the IRS, Secret Service, and Drug Enforcement Administration.

Earlier this month, Coinbase vice president of global intelligence John Kothanek testified before a congressional panel that his company was eager to aid the cause of Homeland Security. “If you are a cyber criminal and you’re using crypto, you’re going to have a bad day. … We are going to track you down and we’re going to find that finance and we are going to hopefully help the government seize that crypto.”

Coinbase’s government work has proved highly controversial to many crypto fans, owing perhaps to the long-running libertarian streak in that community.

So what’s the upshot for you? Homeland Security Investigations, the division of ICE that purchased the Coinbase tool, is tasked not only with immigration-related matters, aiding migrant raids and deportation operations, but broader transnational crimes as well, including various forms of financial offenses.

The ICE spokesperson did not respond to questions about how precisely it has used Tracer or might in the future, including the use of location data, noting “the agency does not provide specifics on investigative techniques, tools, and/or ongoing investigations or operations.”

Global: A wide range of routers are under attack by new, unusually sophisticated malware

So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek.

Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

ZuoRAT can pivot infections to connected devices using one of two methods:

  • DNS hijacking, in which the malware replaces the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.

  • HTTP hijacking, in which the malware inserts itself into the connection to generate an HTTP 302 redirect that sends the user to a different IP address.

The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

Note: MIPS architecture plays a major role in the embedded processor market and hundreds of manufacturers use it commercially. Common applications are set-top boxes, residential gateways, and routers.

So what’s the upshot for you? Like most router malware, ZuoRAT can’t survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory.

To fully recover, however, infected devices should be factory reset and then have firmware updates reapplied (something that most users are probably never going to do).
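Two checks for the symptoms of the pivot methods described above, added here as an example and not taken from the Black Lotus Labs research or this newsletter: one compares the router’s DNS answers against address ranges obtained from an independent resolver, the other flags plain-HTTP 302 redirects that leave the requested site. All of the DNS answers, expected ranges and HTTP observations are constructed placeholders (documentation IP ranges, not the real ones) that a practitioner would replace with live lookups from the network being checked.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed reference data: ranges each domain is expected to resolve to,
# as obtained from an independent resolver (e.g. DNS over HTTPS) or a known-good
# baseline. These are documentation prefixes, not the services' real addresses.
EXPECTED_RANGES: Dict[str, List[str]] = {
    "www.google.com": ["198.51.100.0/24"],
    "www.facebook.com": ["203.0.113.0/24"],
}

# Constructed answers as handed out by the router's DNS forwarder.
ROUTER_ANSWERS: Dict[str, str] = {
    "www.google.com": "198.51.100.7",   # inside the expected range
    "www.facebook.com": "192.0.2.44",   # outside it: the DNS-hijack symptom
}

# Constructed plain-HTTP observations: (requested URL, status, Location header).
HTTP_OBSERVATIONS: List[Tuple[str, int, Optional[str]]] = [
    ("http://www.google.com/", 302, "https://www.google.com/"),    # normal HTTPS upgrade
    ("http://www.facebook.com/", 302, "http://192.0.2.44/login"),  # 302 to a bare IP elsewhere
    ("http://example.org/", 200, None),
]


def dns_mismatches(router_answers: Dict[str, str],
                   expected: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(domain, answer) pairs whose router-supplied address is outside every expected range."""
    bad = []
    for domain, answer in router_answers.items():
        nets = [ip_network(n) for n in expected.get(domain, [])]
        if nets and not any(ip_address(answer) in n for n in nets):
            bad.append((domain, answer))
    return bad


def _site(url: str) -> str:
    """Collapse a URL's host to a comparable 'site': an IP literal stands alone,
    a name keeps its last two labels (a crude registrable-domain approximation)."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return host
    except ValueError:
        return ".".join(host.split(".")[-2:])


def is_offsite_redirect(requested_url: str, status: int, location: Optional[str]) -> bool:
    """True for a 302 whose Location leaves the requested site (the HTTP-hijack symptom).
    Relative Locations are resolved against the request and so count as same-site."""
    if status != 302 or not location:
        return False
    return _site(urljoin(requested_url, location)) != _site(requested_url)


def http_hijack_suspects(observations: List[Tuple[str, int, Optional[str]]]) -> List[str]:
    """Requested URLs whose response looks like an off-site 302 injection."""
    return [url for url, status, loc in observations if is_offsite_redirect(url, status, loc)]


if __name__ == "__main__":
    print("DNS answers outside reference ranges:", dns_mismatches(ROUTER_ANSWERS, EXPECTED_RANGES))
    print("Off-site 302 redirects:", http_hijack_suspects(HTTP_OBSERVATIONS))
```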

CN/US: TikTok Confirms Some China-Based Employees Can Access US User Data

TikTok, the viral video-sharing app owned by China’s ByteDance Ltd., said certain employees outside the US can access information from American users, stoking further criticism from lawmakers who have raised alarms about the social network’s data-sharing practices.

The company’s admission came in a letter to nine US senators who accused TikTok and its parent of monitoring US citizens and demanded answers on what’s becoming a familiar line of questioning for the company:

  • Do China-based employees have access to US users’ data?
  • What role do those employees play in shaping TikTok’s algorithm?
  • Is any of that information shared with the Chinese government?

So what’s the upshot for you? Just a reminder that if data is managed from outside the country of origin, it can also be reviewed, duplicated, backed up, and restored outside that country of origin too.

CN/US: An FCC regulator wants TikTok removed from app stores.

Last week Brendan Carr, a commissioner on America’s Federal Communications Commission, warned on Twitter that TikTok, owned by China-based company ByteDance, “doesn’t just see its users’ dance videos: It collects search and browsing histories, keystroke patterns, biometric identifiers, draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device’s clipboard. TikTok’s pattern of misrepresentations coupled with its ownership by an entity beholden to the Chinese Communist Party has resulted in U.S. military branches and national security agencies banning it from government devices… The CCP has a track record longer than a CVS receipt of conducting business & industrial espionage as well as other actions contrary to U.S. national security, which is what makes it so troubling that personnel in Beijing are accessing this sensitive and personnel data.”

TikTok is owned by the Beijing-based ByteDance, which means the company is essentially under the control of the Chinese government, said CNN’s chief media correspondent Brian Stelter.

ByteDance has promised to house American data on servers in the United States to quell concerns. But an explosive Buzzfeed News report published two weeks ago revealed that, according to leaked audio from internal meetings, engineers in China were able to repeatedly access US user data.

FCC Commissioner Brendan Carr told Stelter lawmakers had asked TikTok directly if any data is being accessed by Beijing. Instead of being upfront, he said, the company has repeatedly said all US user data is stored in the US.

“And that’s not just a national security problem, but to me, it looks like a violation of the terms of the app store,” Carr said.

He has written a letter to Google and Apple asking them to boot TikTok out of their app stores, giving them until July 8 to respond.

Carr: At the end of the day, it functions as a sophisticated surveillance tool that is harvesting vast amounts of data on U.S. users. And I think TikTok should answer point-blank, has any CCP member obtained non-public user data or viewed it? Not to answer with a dodge, and say they’ve never been asked for it or never received a request. Can they say no, no CCP member has ever seen non-public U.S. user data?

So what’s the upshot for you? This puts creators between a rock and a hard place: On the one hand, you have Mark Zuckerberg’s Reels, a good 'merican company that sells its data all over the world, and on the other, you have TikTok whose users have the Chinese government potentially ingesting their data.

Tough decision either way.

CN: What? The Chinese police get hacked

SHANGHAI (Reuters) – A hacker has claimed to have procured a trove of personal information from the Shanghai police on one billion Chinese citizens, which tech experts say, if true, would be one of the biggest data breaches in history.

The anonymous internet user, identified as “ChinaDan,” posted on the hacker forum Breach Forums last week offering to sell more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000.

“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens,” the post said.

“Databases contain information on 1 Billion Chinese national residents and several billion case records, including name, address, birthplace, national ID number, mobile number, all crime/case details.”

The hashtag “data leak” was blocked on Weibo by Sunday afternoon.

So what’s the upshot for you? The claim of a hack comes as China has vowed to improve the protection of online user data privacy, but it has proven difficult to verify as the Chinese censors are removing references to it as quickly as they appear.

US: Texts and Web Searches Have Been Used to Prosecute Women

Privacy advocates warn internet activity could someday be used to prosecute women who sought abortions. But it’s already happened, reports the Washington Post.

In a handful of cases over the years, “American prosecutors have used text messages and online research as evidence against women facing criminal charges related to the end of their pregnancies.”

Despite mounting concerns that the intricate web of data collected by fertility apps, tech companies, and data brokers might be used to prove a violation of abortion restrictions, in practice, police and prosecutors have turned to more easily accessible data — gleaned from text messages and search history on phones and computers.

These digital records of ordinary lives are sometimes turned over voluntarily or obtained with a warrant and have provided a gold mine for law enforcement.

“The reality is, we do absolutely everything on our phones these days,” said Emma Roth, a staff attorney at the National Advocates for Pregnant Women. “There are many, many ways in which law enforcement can find out about somebody’s journey to seek an abortion through digital surveillance…”

Women have been punished for terminating pregnancy for years.

Between 2000 and 2021, more than 60 cases in the United States involved someone being investigated, arrested, or charged for allegedly ending their own pregnancy or assisting someone else, according to an analysis by If/When/How, a reproductive justice nonprofit. If/When/How estimates the number of cases may be much higher because it is difficult to access court records in many counties throughout the country.

A number of those cases have hinged on text messages, search history, and other forms of digital evidence.

So what’s the upshot for you? Thankfully for the US audience, even President Biden has acknowledged the need for greater privacy protections recently.

US: Police sweep Google searches to find suspects.

A teen charged with setting a fire that killed five members of a Senegalese immigrant family in Denver, Colorado, has become the first person to challenge police use of Google search histories to find someone who might have committed a crime, according to his lawyers.

In documents filed Thursday in Denver District Court, lawyers for the 17-year-old argued that the police violated the Constitution when they got a judge to order Google to check its vast database of internet searches for users who typed in the address of a home before it was set ablaze on Aug. 5, 2020.

That search of Google’s records helped point investigators to the teen and two friends, who were eventually charged in the deadly fire, according to police records. All were juveniles at the time of their arrests.

Two of them, including the 17-year-old, are being tried as adults; they both pleaded not guilty. The defendant in juvenile court has not yet entered a plea.

The 17-year-old’s lawyers say the search, and all evidence that came from it, should be thrown out because it amounted to a blind expedition through billions of Google users’ queries based on a hunch that the killer typed the address into a search bar.

That, the lawyers argued, violated the Fourth Amendment, which protects against unreasonable searches.

“People have a privacy interest in their internet search history, which is really an archive of your personal expression,” said Michael Price, who is lead litigator of the National Association of Criminal Defense Lawyers’ Fourth Amendment Center and one of the 17-year-old’s attorneys.

“Search engines like Google are a gateway to a vast trove of information online and the way most people find what they’re looking for. Every one of those queries reveals something deeply private about a person, things they might not share with friends, family or clergy.”

Price said that allowing the government to sift through Google’s vast trove of searches is akin to allowing the government access to users’ “thoughts, concerns, questions, fears.”

So what’s the upshot for you? Do we think the kid was guilty? Maybe, but do we want the coppers going through all our queries to determine that? No way. The police use starts in justified and innocuous ways that have the potential to go on to become terrifying.

US: California firearms dashboard leaked personal information of 200,000 gun owners

The personal information of every concealed carry weapon holder in California was exposed this week following an update Monday to the state’s firearms data dashboard that was meant to improve transparency and encourage data-sharing.

(It certainly seems to have on both points, we are just not sure they got the audience right).

The California Department of Justice on Wednesday acknowledged the error, which compromised the name, date of birth, gender, race, driver’s license number, address, and criminal history of every registered concealed carry license holder in the state, affecting about 200,000 people.

The department said data dating back a decade across a variety of databases were affected, including its assault weapon registry, handguns certified for sale, dealer record of sale, firearm safety certificate, and gun violence restraining order dashboards.

So what’s the upshot for you? In the first half of this year, there have been an average of 11 mass shootings every week in the US.

US: Will California Eliminate Anonymous Web Browsing?

AB 2273, the Age-Appropriate Design Code Act (AADC), pretextually claims to protect children, but it will change the Internet for everyone.

In order to determine who is a child, websites and apps will have to authenticate the age of all consumers before they can use the website/service.

This bill reaches topics well beyond children’s privacy. Instead, the bill repeatedly implicates general consumer protection concerns and, most troublingly, content moderation topics.

This turns the bill into a trojan horse for comprehensive regulation of Internet services and would turn the privacy-centric California Privacy Protection Agency (CPPA) into the general-purpose Internet regulator.

So what’s the upshot for you? This bill’s protect-the-children framing is designed to mislead everyone about the bill’s scope.

The bill will dramatically degrade the Internet experience for everyone and will empower a new censorship-focused regulator who has no interest or expertise in balancing complex and competing interests.

US/Global: FBI Says People Are Using Deepfakes to Apply to Remote Jobs

The FBI said in an Internet Crime Complaint Center announcement Tuesday that it has received multiple complaints of people using stolen information and deep-faked video and voice to apply to remote tech jobs.

According to the FBI’s announcement, more companies have been reporting people applying to jobs using video, images, or recordings that are manipulated to look and sound like somebody else.

These fakers are also using personally identifiable information from other people—stolen identities—to apply to jobs at IT, programming, database, and software firms. The report noted that many of these open positions had access to sensitive customer or employee data, as well as financial and proprietary company info, implying the imposters could have a desire to steal sensitive information as well as a bent to cash a fraudulent paycheck.

So what’s the upshot for you? If the FBI has gotten around to issuing warnings about this happening, you know it’s actually an issue.

Global: Did you ever wonder how many “real” people share this world with you?

…at the exact moment this story was written there were 7,958,589,149

So what’s the upshot for you? Comforting to know that while a million different species go extinct, so far this year there have been over 71 million babies born…

And our quote of the week: “As a matter of fact, yeah, they were foolproof.
The problem is that you don’t have to protect yourself against fools.
You have to protect yourself against people like me.”
Jeffery Deaver

That’s it for this week. Stay safe, stay secure, eat your greens, and see you in se7en.