The Little Red IT Privacy and Security Update for January 12th 2021

Dear DAML’ers,

This week we start our stories to the background tune of Prince with a story that just keeps getting bigger. We move onto politics and the permanency of the Internet and a do at home project you too can perform if you have the time, the dosh, a few tools, and a supercomputer sitting around.

We have a cautionary tale about a leak and all the data about you, yes you, that was exposed (and thankfully a way to minimize that going forward).

Finally, we finish with a video about how a nice man ended up with a little Red Corvette!

One thing is for sure, this week’s update is the BEST one yet!

Let’s get rolling! (You can also listen here.)

Global: 3rd Malware strain discovered in the SolarWinds Attack.

At this point you might be asking, isn’t it easier to name the Russian hacking teams that have not planted malware in the SolarWinds code? Perhaps. Security firm CrowdStrike has been called in to work with SolarWinds and has identified yet another strain of malware, which it dubs “Sunspot”. Unlike SUNBURST (the backdoor) this one is a build-time implant: it lives on the build server and tampers with the source as it is compiled.

"SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers."

So what’s the upshot for you? This feels like a mosh pit where every Russian hacking team is jumping in. In the US we still have no idea of the extent of the compromise, and each development brings more bad news about the SolarWinds code. If you ship software, the lesson of SUNSPOT is that the build server is part of your attack surface: the bytes the compiler actually reads have to be checked against what was checked out, not just the repository itself. As an individual, keep an eye on your credit reports as a first step in monitoring your identity for compromise.
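The following is an added illustration of the SUNSPOT technique and the check that catches it; it is not SolarWinds’ or CrowdStrike’s code. The tree layout, file names and the “backdoor” text are made up. It also covers the detail from CrowdStrike’s full write-up that SUNSPOT put the original file back after the build finished, which is why the toy “before/after” comparison at the end sees nothing while the read-time check does:

```python
"""Build-input integrity check (added example, not SolarWinds'/CrowdStrike's code).

A build-time implant waits for the compiler, swaps one source file for a backdoored
copy, and restores the original afterwards. Hashing the bytes at the moment the
compiler consumes them catches the swap; hashing the tree before and after does not.
Paths and file contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".cs", ".c", ".cpp", ".h"}


class SourceTampered(Exception):
    """Raised when the bytes handed to the compiler do not match the checked-out tree."""


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every source file under root, keyed by POSIX relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


def verify_tree(root: Path, expected: dict[str, str]) -> dict[str, str]:
    """Compare the tree on disk with the manifest: {path: reason}, empty when clean."""
    actual = build_manifest(root)
    problems = {rel: "missing" for rel in expected if rel not in actual}
    problems.update({rel: "modified" for rel in expected
                     if rel in actual and actual[rel] != expected[rel]})
    problems.update({rel: "unexpected" for rel in actual if rel not in expected})
    return problems


def read_verified(root: Path, rel: str, expected: dict[str, str]) -> bytes:
    """Read a source file and check the bytes actually read, not a copy taken earlier."""
    data = (root / rel).read_bytes()
    if rel not in expected or sha256_bytes(data) != expected[rel]:
        raise SourceTampered(rel)
    return data


def compile_tree(root: Path, expected: dict[str, str]) -> bytes:
    """Stand-in for the compiler: every input goes through read_verified."""
    return b"".join(read_verified(root, rel, expected) for rel in sorted(expected))


def simulate_build(root: Path, expected: dict[str, str], implant_active: bool) -> bytes:
    """Run a build; when implant_active, swap one file for the duration of compilation
    and put the original back afterwards (the SUNSPOT pattern)."""
    target = root / "src" / "Util.cs"
    original = target.read_bytes()
    if implant_active:
        target.write_bytes(original + b"class Backdoor { /* constructed: beacon to C2 */ }\n")
    try:
        return compile_tree(root, expected)
    finally:
        if implant_active:
            target.write_bytes(original)   # restored, so a later tree check finds nothing


def demo() -> dict:
    """Constructed scenario; returns what each defence observed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "Program.cs").write_text("class Program { static void Main() {} }\n")
        (root / "src" / "Util.cs").write_text("static class Util {}\n")
        expected = build_manifest(root)        # taken at checkout, before the build starts

        clean_output = simulate_build(root, expected, implant_active=False)
        try:
            simulate_build(root, expected, implant_active=True)
            caught = None
        except SourceTampered as exc:
            caught = str(exc)
        return {
            "clean_ok": clean_output is not None,
            "caught": caught,                               # 'src/Util.cs'
            "post_build_diff": verify_tree(root, expected),  # {} : original restored
        }


if __name__ == "__main__":
    print(demo())
```

The manifest has to be produced somewhere the build host cannot rewrite it (the VCS commit hash serves, since every tracked file’s digest is bound to it), and a wrapper around the real compiler would do the read-time check on the actual invocation rather than on a Python stand-in.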

US: SolarWinds hire Krebs Stamos Group

On Friday the news surfaced that Chris Krebs, the head of the US government’s Cybersecurity and Infrastructure Security Agency (CISA) until he was fired by presidential tweet for saying the American election was not hacked, has started a security consultancy with former Facebook, Yahoo! and Zoom security chief Alex Stamos. The two say they have already been hired by SolarWinds, and that it’s a long-term contract.

So what’s the upshot for you? Chris Krebs did a great job for the US government until he wouldn’t align his statements with the POTUS. Alex Stamos put Zoom back on track when they could not get their encryption story straight. SolarWinds needs help and this is a good direction for all.

US: Once on the Internet - forever on the Internet…

By now, you may have heard of the hacker who says she scraped 99 percent of posts from Parler, the Twitter-wannabe site used by Trump supporters to help organize last Wednesday’s violent insurrection on Capitol Hill. What you may not know yet is the abysmal coding and security that made the scraping so easy.

To recap, the scraping was pulled off by a hacker who goes by the handle donk_enby. She originally set out to archive content posted to Parler last Wednesday in hopes of preserving self-incriminating material before account holders came to their senses and deleted it. By Sunday, donk_enby said she had collected roughly 80 terabytes of posts, including more than 1 million videos, many of which contained the GPS metadata identifying the exact locations of where the videos were shot.

Parler’s site was a mess. Its public API required no authentication. When users deleted their posts, the site never removed the content; it merely set a delete flag, and the flagged content stayed retrievable. And each post carried a numerical ID incremented from the ID of the most recently published one, so anyone could simply count upwards and fetch every post ever made, “deleted” or not.
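Here is an added toy reproduction of those three mistakes beside a hardened version, with the enumeration loop a scraper would run against each. This is illustration code, not Parler’s or ArchiveTeam’s; the store classes, tokens, user names and post bodies are all made up:

```python
"""Sequential IDs + no auth + soft delete, versus the hardened equivalent.
Added example; none of this is Parler's or ArchiveTeam's code."""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Post:
    post_id: str
    author: str
    body: str
    deleted: bool = False


class LeakyStore:
    """Reads need no authentication, IDs count upwards, and 'delete' only sets a flag
    that the read path ignores."""

    def __init__(self) -> None:
        self._posts: dict[str, Post] = {}
        self._next_id = 1

    def create(self, author: str, body: str) -> str:
        post_id = str(self._next_id)           # predictable: previous ID + 1
        self._next_id += 1
        self._posts[post_id] = Post(post_id, author, body)
        return post_id

    def delete(self, post_id: str) -> None:
        self._posts[post_id].deleted = True    # content stays on disk and on the wire

    def get(self, post_id: str, token: Optional[str] = None) -> Optional[Post]:
        return self._posts.get(post_id)        # token unused, deleted flag unused


class HardenedStore:
    """Opaque random IDs, bearer token required, and a deleted post looks exactly like
    one that never existed (a real system would also purge the row and any media)."""

    def __init__(self) -> None:
        self._posts: dict[str, Post] = {}
        self._tokens: dict[str, str] = {}

    def issue_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def _user(self, token: Optional[str]) -> str:
        if token is None or token not in self._tokens:
            raise PermissionError("authentication required")
        return self._tokens[token]

    def create(self, body: str, token: str) -> str:
        author = self._user(token)
        post_id = secrets.token_urlsafe(16)    # 128 random bits: cannot be enumerated
        self._posts[post_id] = Post(post_id, author, body)
        return post_id

    def delete(self, post_id: str, token: str) -> None:
        user = self._user(token)
        post = self._posts.get(post_id)
        if post is not None and post.author == user:
            post.deleted = True

    def get(self, post_id: str, token: Optional[str] = None) -> Optional[Post]:
        self._user(token)
        post = self._posts.get(post_id)
        if post is None or post.deleted:
            return None                        # same answer either way: no oracle
        return post


def scrape_by_enumeration(get: Callable[..., Optional[Post]], stop: int,
                          token: Optional[str] = None) -> list[Post]:
    """What the Parler scrape boiled down to: count upwards and fetch every ID."""
    found: list[Post] = []
    for n in range(1, stop):
        try:
            post = get(str(n), token)
        except PermissionError:
            break                              # hardened API refuses anonymous reads
        if post is not None:
            found.append(post)
    return found


def demo() -> dict:
    """Constructed scenario: what a scraper recovers from each store."""
    leaky = LeakyStore()
    for i in range(5):
        leaky.create(f"user{i}", f"post {i}")
    leaky.delete("2")
    leaky.delete("4")
    leaked = scrape_by_enumeration(leaky.get, stop=50)

    hard = HardenedStore()
    token = hard.issue_token("alice")
    ids = [hard.create(f"post {i}", token) for i in range(5)]
    hard.delete(ids[2], token)
    return {
        "leaky_total": len(leaked),                       # 5: every post, ever
        "leaky_deleted_served": sum(p.deleted for p in leaked),   # 2: "deleted" ones too
        "hardened_anonymous": len(scrape_by_enumeration(hard.get, stop=50)),
        "hardened_with_token": len(scrape_by_enumeration(hard.get, stop=50, token=token)),
        "hardened_deleted_hidden": hard.get(ids[2], token) is None,
        "hardened_live_visible": hard.get(ids[0], token) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Random IDs stop enumeration but not a logged-in user fetching what they are allowed to see, so authorization on the read path is still the control that matters; the opaque ID just removes the free index into the whole data set.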

Parler’s moderation policies—even more lax than those of Twitter, Facebook, and Youtube—already made the site popular with far-right users looking for a forum to discuss debunked conspiracy theories. With Twitter permanently banning Trump, the president’s supporters embraced the site even more enthusiastically.

Prosecutors are already pursuing more than 150 suspects in Wednesday’s riot. The preservation of some 80TB of Parler posts, including more than 1 million raw video files, may result in more people being charged.

Want to scrape Parler yourself? Here’s the ArchiveTeam script that did the work: parler-grab/parler.lua at d25d252816cf5ee679f23cb3c9403f00d9fa7382 · ArchiveTeam/parler-grab · GitHub

So what’s the upshot for you? Reputations are earned by demonstrating behavior over time. That Parler could not keep its promises should not come as surprising news to anyone who used it (the site is now offline, as Amazon refused to keep hosting it). From Parler’s own privacy statement: “Parler is here to help people with varying life experiences, and from all walks of life communicate on a platform which treats them as equals. […] Parler believes that people are entitled to security, privacy, and freedom of expression. All personal data is kept confidential, and never sold to third parties.” Sigh…

US: Trump sneaks in another agency: Bureau of Cyberspace Security and Emerging Technologies (CSET)

Last week, while your attention was diverted by the insurrection, DJT had Secretary of State Mike Pompeo quickly stand up another unit to meet the cyber challenges to US national security presented by China, Russia, Iran and North Korea.

Apparently creating yet another bureau will allow the State Department to “posture itself appropriately and engage as effectively as possible with partners and allies”. It’s interesting that this is being done in such haste in the last couple of weeks of a four-year term. So your first question might be “Does the US have any partners or allies left?” and your second might be “Why suddenly now?” We don’t have answers.

So what’s the upshot for you? None really, but expect one more committee to be formed: TCOTAOHYTATO or The Committee Overseeing The Awfulness Of Having Your Twitter Account Turned off.

FR: French researchers hack Google Titan security keys.

“This work shows that an attacker can clone a legitimate Google Titan Security Key. Our attack requires physical access to the Google Titan Security Key, expensive equipment, custom software, and technical skills. They used electromagnetic emanations – tiny, stray radio waves emitted by the device as a side-effect of the electrons whizzing around inside it as it operates – to make guesses about the internal state of the Titan processor chip while it was performing cryptographic calculations.”

They first trained on a stand-in: “we had to make a quick stop on Rhea (NXP J3D081 JavaCard smartcard)”. Freely available on the web, that product looks very much like the NXP A700X secure element inside the Titan and uses the same cryptographic library, so the side-channel profile learned on the cheap card carried over to the key.

Then, with physical access to the Google Titan Security Key itself, they collected roughly 6,000 observations of the chip performing authentication operations, enough to recover the private key used in the Elliptic Curve Digital Signature Algorithm (ECDSA) signatures.

Er… to prep your own lab, because of course you are going to want to try this at home, you will need the following:

  1. A Langer ICR HH 500-6 electromagnetic probe
  2. A Thorlabs PT3/M 3-axis (X-Y-Z) manual micro-manipulator …they will set you back about US$10K
  3. A heat gun to soften the plastic on the Titan Key
  4. A scalpel to then cut the key apart
  5. Nitric acid to strip the plastic package from the secure chip so the probe can sit right over the die
  6. …the patience to collect about 6000 digital signature calculations (about 6 hours)
  7. Something to run the statistical calculations on to derive the private key.

Ah, there are a couple of other gotchas. The Fast Identity Online Alliance (FIDO) standard includes a counter: every authentication response a FIDO key creates carries a count of how many responses the key has computed so far, and that count is inside the signed data. A relying party that tracks this value expects each new response to carry a higher count than the last one it saw. So a cloned key has to guess where the real key’s counter stands, add one, and hope the owner hasn’t used the genuine key in between. If the guess is wrong, a service that checks counters rejects the login; if the clone gets in first, the genuine key’s next login is the one that fails, which is also a signal. Either way a counter check turns a silent clone into a noisy one, but only if the service actually checks.

And remember that all of this is in addition to already having the victim’s correct username and password. So, as far as this work goes, it is still safer to use a Google Titan Security Key (or one of the other impacted products) as a FIDO U2F second factor than not to use one at all.

Nevertheless, this work shows that the Google Titan Security Key (and the other impacted products) would not prevent an unnoticed security breach by attackers willing to put enough effort into it. Users who face such a threat should probably switch to other FIDO U2F hardware security keys in which no such vulnerability has yet been discovered.

So if you use Google’s Titan keys instead of YubiKeys, keep using them, but keep them with you. Look for tampering (in this research the Titan key ended up looking like it had been mauled by a Rottweiler puppy). Lastly, ask your security providers whether they track FIDO key counters; often they do not.
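To make the counter point concrete, here is an added example of the relying-party side of the check, written for this update rather than taken from Google, Yubico or the NinjaLab paper. It parses the first five bytes of a U2F authentication response (one user-presence byte, then a 4-byte big-endian counter, both covered by the key’s ECDSA signature) and applies the strictly-increasing rule. Signature verification is assumed to have happened already and is stubbed, since the counter is the point here; credential IDs, counter values and the signature bytes are constructed:

```python
"""FIDO U2F signature-counter check on the server side (added example)."""
import struct


def parse_auth_response(response: bytes) -> tuple[bool, int]:
    """U2F authenticate response: 1 byte user-presence flags, 4-byte big-endian
    counter, then the ECDSA signature. The two leading fields are inside the signed data."""
    if len(response) < 5:
        raise ValueError("U2F response too short")
    flags, counter = struct.unpack(">BI", response[:5])
    return bool(flags & 0x01), counter


class RelyingParty:
    """Remembers the highest counter seen per credential and insists on strict increase."""

    def __init__(self) -> None:
        self.last_counter: dict[str, int] = {}
        self.flagged: set[str] = set()

    def register(self, cred_id: str, counter: int) -> None:
        self.last_counter[cred_id] = counter

    def authenticate(self, cred_id: str, response: bytes) -> bool:
        present, counter = parse_auth_response(response)
        if not present:
            return False
        # Assumed already done: ECDSA verification of
        # app-ID hash || flags || counter || challenge hash against the stored public key.
        if counter <= self.last_counter[cred_id]:
            self.flagged.add(cred_id)          # replay, rolled-back state, or a clone
            return False
        self.last_counter[cred_id] = counter
        return True


class SimulatedKey:
    """A genuine key, or a clone holding the same private key but its own counter."""

    def __init__(self, counter: int) -> None:
        self.counter = counter

    def respond(self) -> bytes:
        self.counter += 1
        # Signature bytes are a constructed placeholder; a real key signs with ECDSA here.
        return struct.pack(">BI", 0x01, self.counter) + b"<ecdsa-signature>"


def _enrolled_party() -> tuple[RelyingParty, SimulatedKey]:
    rp = RelyingParty()
    rp.register("cred-titan", 0)
    genuine = SimulatedKey(0)
    for _ in range(40):                        # owner has logged in 40 times
        rp.authenticate("cred-titan", genuine.respond())
    return rp, genuine


def scenario_clone_used_after_owner() -> dict:
    """Key cloned at counter 40; the owner logs in once more before the attacker tries."""
    rp, genuine = _enrolled_party()
    clone = SimulatedKey(genuine.counter)      # attacker copies key and last-known counter
    owner_ok = rp.authenticate("cred-titan", genuine.respond())   # 41, accepted
    clone_ok = rp.authenticate("cred-titan", clone.respond())     # 41 again, rejected
    return {"owner_ok": owner_ok, "clone_ok": clone_ok, "flagged": "cred-titan" in rp.flagged}


def scenario_clone_used_first() -> dict:
    """Attacker guesses right and logs in before the owner's next use."""
    rp, genuine = _enrolled_party()
    clone = SimulatedKey(genuine.counter)
    clone_ok = rp.authenticate("cred-titan", clone.respond())     # 41, accepted
    owner_ok = rp.authenticate("cred-titan", genuine.respond())   # 41 again, owner rejected
    return {"owner_ok": owner_ok, "clone_ok": clone_ok, "flagged": "cred-titan" in rp.flagged}


if __name__ == "__main__":
    print(scenario_clone_used_after_owner())
    print(scenario_clone_used_first())
```

The second scenario is the one to act on: a genuine user whose key suddenly fails with a counter error should trigger a credential reset and an investigation, not a shrug. WebAuthn carries the same field (signCount) with the same rule.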

So what’s the upshot for you? Google came out of the gate proclaiming the Titan keys to be secure and got dinged, while the long-established YubiKey is still avoiding press like this. One caveat: the weakness is in the NXP secure element and its cryptographic library rather than in anything Google wrote, and the researchers’ list of “other impacted products” covers other keys built on the same chip, so check that list rather than going by brand. If you are looking for a physical security key of this type to add to your two-factor arsenal, consider the reputation and the long-term track record of the vendor.

NZ: Central Bank of New Zealand announces breach.

A third party file sharing service used by the Bank to share and store some sensitive information, has been illegally accessed. “The system has been secured and taken offline until we have completed our initial investigations. It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational.”

So what’s the upshot for you? You rarely hear about banks being breached, since that is seen to diminish client trust and confidence, but the fact is that they are all involved in compromises of one sort or another. In this case the Bank even published contact details for anyone who wishes to learn more. We applaud this transparency from a member of the banking community.

CN: Chinese startup leaked 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users

Rapidly growing Chinese social media management company Socialarks has suffered a huge data leak, exposing over 400GB of personal data, including that of several high-profile celebrities and social media influencers.

The company’s unsecured Elasticsearch database contained personally identifiable information (PII) on at least 214 million social media users from around the world, scraped from popular consumer platforms such as Facebook and Instagram as well as professional networks such as LinkedIn.

Data scraping is the automated extraction of information from a website: fetching pages or API responses far faster than a person would and parsing out the fields of interest.

Aided by the rapid sprawl of interconnected online services and platforms, data scraping has become commonplace, given the value of the information obtained and the fact that the practice is treated as legal when the user has authorized it as part of agreeing to terms of use.

The lack of any access control on the company’s server meant that anyone who found the server’s IP address could read a database containing millions of people’s private information.

The affected database contained a huge volume (408GB) of sensitive personal information and more than 318 million records in total.

Exposed details included:

  • Full name
  • Phone numbers for 6+ million users
  • Email addresses for all 11+ million users
  • Profile link
  • Username
  • Profile picture
  • Profile description
  • Average comment count
  • Number of followers and following count
  • Country of location
  • Specific locality in some cases
  • Frequently used hashtags

Socialarks’ database stored personal data for Instagram and LinkedIn users, such as private phone numbers and email addresses, that those users had not made public on their accounts. How Socialarks could have obtained such data from multiple supposedly secure sources in the first place remains unknown.

Also, the fact that such a large, active and data-rich database was left completely unsecured (probably for a second time) is astonishing.

So what’s the upshot for you? This is another example of data aggregation to build a more complete picture of you than you might ever have imagined. How do you protect your information?

  • Be cautious of what information you give out and to whom
  • Check that the website you are on uses HTTPS (look for https:// and/or a closed lock), bearing in mind that this only means the connection is encrypted, not that the site itself is trustworthy
  • Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
  • Create strong passwords: long, unique to each site, and not just a few letters, numbers and symbols (a password manager makes this practical)
  • Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
  • Double-check your social media accounts (even ones you no longer use) to ensure that your posts and personal details are visible only to people you trust
  • Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks

IN: We said detective work in cyberspace is thrilling; check out this exposé on an Android malware developer.

"We tracked the activity of the threat actor, who goes by the nickname Triangulum, in several Darknet forums.

Nickname: Triangulum™
Skype: triangulum_10 | crook_62
Discord: Triang#9504
Alternate identities: Magicroot
Alleged origin: Indian
Strengths: High level of social skills combined with a math background in trigonometry, integration and differentiation
Age: Approximately 25 years old
Personal details:

  • 190cm tall
  • had two tortoises as home pets back in 2017
  • had a girlfriend back in 2017 (current marital status is unknown)
  • Preferable laptop models: Lenovo, HP, Sony, Dell

In the past few years that Triangulum has been active in the dark corners of the internet, he has shown an impressive learning curve. Over a two-year period, he dedicated most of his time to evaluating the market needs and developing a merch network from scratch by maintaining partnerships, rooting investments and distributing malware to potential buyers.

Triangulum appears to have gotten started at the very beginning of 2017, when he joined the hacking forums on the Darknet.

Triangulum initially exhibited some technical skills by reverse engineering malware, but at that point in time still seemed to be an amateur developer.

Triangulum also communicated with different users, trying to estimate the market value for different kind of malware.

On June 10, 2017, Triangulum provided a first glimpse of a product he developed by himself. This product was a mobile remote access trojan or RAT that targeted Android devices, and was capable of exfiltrating sensitive data to a command and control or C&C server, as well as destroying local data, even deleting the entire OS.

We’ve seen indications that Triangulum is obsessed with his reputation and cares about his popularity with the same level of thoroughness as he does about maximizing his profits.

He fanatically defends his products and tries to crush anyone brave enough to raise uncomfortable questions about or discredit his work.

The malware is pretty sophisticated and builds on or combines other malware feature sets. (Checkpoint took all that apart too)."

So what’s the upshot for you? It’s a great report by Check Point, even down to Triangulum’s personal and pet details; it’s just unfortunate that Check Point ended it with a sales pitch for their product. What you can do: always check an application’s reputation before you install it, and periodically review the apps already on your phone. Not using one? Might be a good time to remove it.

JP: Kawasaki and then Nissan taken out with kung-fu breaches.

Kawasaki first: “On June 11, 2020, an internal system audit revealed a connection to a server in Japan from an overseas office (Thailand) that should not have occurred. Unauthorized accesses to servers in Japan from other overseas sites (Indonesia, the Philippines, and the United States) were subsequently discovered.”

“The unauthorized access in question had been carried out with advanced technology that did not leave a trace.”

JP: Then Nissan…

… when Swiss-based software engineer Tillie Kottmann found loads of data available on one of Nissan’s North American Git servers via username: Admin, password: Admin. The tweet has since been removed and Tillie’s account suspended, but the comments are still available and are pretty funny.


So what’s the upshot for you? Everybody makes mistakes. Think of your house: if the front door is left open but the storm door in front of it is locked, chances are you still won’t get robbed. In security, layers are the best way to mount a defense, and then you check that each layer actually holds, just the way you test the door handle as you pull that front door closed. A Git server reachable from the Internet with a default Admin/Admin login had no layers at all.

Global: Microsoft announces Defender for Endpoint on Linux servers.

The full set of Microsoft Defender for Endpoint (Linux) prevention, detection and response capabilities is supported across the six most common Linux server distributions:

  • RHEL 7.2+
  • CentOS Linux 7.2+
  • Ubuntu 16 LTS, or higher LTS
  • SLES 12+
  • Debian 9+
  • Oracle Linux 7.2+

So what’s the upshot for you? If you run Linux servers, in Azure or anywhere else, and already have Defender for Endpoint licensing, this is good news. Any step you can take to harden or monitor your servers is worth taking, though an EDR agent complements patching, least privilege and logging rather than replacing them.

And finally, a story that has less to do with privacy and security and more to do with doing good…

US: The story of Zip folders, by their creator Dave Plummer

In one of Plummer’s latest installments, you can hear how Dave almost got fired from Microsoft for creating and distributing the Zip shareware that has been part of Windows for about the last 25 years. They finally bought the product off Dave and made it formally a part of Windows, and now file compression/decompression is part of most operating system offerings.

So what’s the upshot for you? Sometimes doing the right thing really does yield rewards. Rumor has it he bought a little red Corvette with the proceeds.

That’s it for this week DAML’ers. See you in se7en!