The Lost and Found of the IT Privacy and Security Weekly Update for October 5th, 2021

Daml’ers,


In this week’s IT Privacy and Security Weekly Update, we journey from the bottle to your heart.

We start with the loss of identity, ethics, freedom, dollars, Bitcoin, and Ethereum before balancing them out with new finds in the cloud, storage, cleaning, and rain.

Finally, we end with a story of synchronicity that will have your heart racing!

It’s all fresh, it’s all relevant, and …you won’t need to carry a metal detector with you on this journey.

So let’s get on those workboots, grab some gloves and check out the “lost and found”!

TK: Turkey: ‘Missing’ man joins search party looking for himself

A missing man in Turkey accidentally joined his own search party for hours before realizing he was the person they were looking for, local media reports.

Beyhan Mutlu had been drinking with friends on Tuesday when he wandered into a forest in Bursa province.

When he failed to return, his wife and friends alerted local authorities and a search party was sent out.

Mr. Mutlu, 50, then stumbled across the search party and decided to join them, NTV reported.

But when members of the search party began calling out his name, he replied: “I am here.”

So what’s the upshot for you? We wouldn’t have high-quality IT privacy stories like this about hundreds of people out in public shouting Personally Identifiable Information… if it were not for alcohol. 😉


EU: Ransomware gang arrested in Ukraine with Europol’s support

On 28 September, a coordinated strike by the French National Gendarmerie, the Ukrainian National Police, and the United States Federal Bureau of Investigation, coordinated by Europol and INTERPOL, led to the arrest in Ukraine of two prolific ransomware operators known for their extortionate ransom demands (between €5 million and €70 million).

Results of the action day:

  • 2 arrests and 7 property searches
  • Seizure of US$375,000 in cash
  • Seizure of two luxury vehicles worth €217,000
  • Freezing of $1.3 million in cryptocurrency assets

The criminals would deploy malware and steal sensitive data from the targeted companies before encrypting their files. They would then offer a decryption key in return for a ransom payment of several million euros, threatening to leak the stolen data on the dark web should their demands not be met.

So what’s the upshot for you? This is a great result from a highly coordinated initiative and we hope it paves the way for more in the future.


US: Whistleblower says Facebook put profit before reining in hate speech

The identity of the Facebook whistleblower who released tens of thousands of pages of internal research and documents — leading to a firestorm for the social media company in recent weeks — was revealed on “60 Minutes” Sunday night as Frances Haugen.

The 37-year-old former Facebook product manager who worked on civic integrity issues at the company says the documents show that Facebook knows its platforms are used to spread hate, violence, and misinformation, and that the company has tried to hide that evidence.

“The thing I saw at Facebook over and over again was there were conflicts of interest between what was good for the public and what was good for Facebook, and Facebook over and over again chose to optimize for its interests, like making more money,” Haugen told “60 Minutes.”

About a month ago, Haugen filed at least eight complaints with the Securities and Exchange Commission alleging that the company is hiding research about its shortcomings from investors and the public. She also shared the documents with the Wall Street Journal, which published a multi-part investigation showing that Facebook was aware of problems with its apps, including the negative effects of misinformation and the harm caused, especially to young girls, by Instagram.

Haugen, who started at Facebook in 2019 after previously working for other tech giants like Google and Pinterest, testified today before the Senate Subcommittee on Consumer Protection, Product Safety, and Data Security.

“I’ve seen a bunch of social networks, and it was substantially worse at Facebook than anything I’ve seen before,” Haugen said. “At some point in 2021, I realized I’m going to have to do this in a systemic way, that I’m going to have to get out enough [documents] that no one can question that this is real.”

“One of the consequences of how Facebook is picking out that content today is that it is optimizing for content that gets engagement, a reaction, but its own research is showing that content that is hateful, that is divisive, that is polarizing, it’s easier to inspire people to anger than it is to other emotions,” she said. She added that the company recognizes that “if they change the algorithm to be safer, people will spend less time on the site, they’ll click on fewer ads, they’ll make less money.”

So what’s the upshot for you? “Facebook makes more money when you consume more content. People enjoy engaging with things that elicit an emotional reaction and the more anger that they get exposed to, the more they interact and the more they consume.” So the problem is not Facebook, the problem is us!


Global: Facebook, Instagram, WhatsApp down and up after global outage

"As explained by Giorgio Bonfiglio, a Principal TAM at Amazon AWS, various Facebook routing prefixes had suddenly disappeared from the Internet’s BGP routing tables, effectively making it impossible to connect to any services hosted on their IP addresses.

A bunch of Facebook networks has just disappeared from the internet: pic.twitter.com/j07LrmAAdW
— Giorgio Bonfiglio (@g_bonfiglio) October 4, 2021

BGP, or the Border Gateway Protocol, is what makes the modern-day Internet work and lets a computer on one side of the world connect to a device on the other. To make it easier to understand, the BGP routing protocol is similar to an Internet “postal system,” facilitating traffic from one (autonomous) system of networks to another. When a network wants to be seen on the Internet, it needs to advertise its routes, or prefixes, to the rest of the world. If those prefixes are removed, no one else on the Internet knows how to connect to its servers.

As Facebook configured its organization to use a domain registrar and DNS servers hosted on its own routing prefixes, when those prefixes were removed, no one could connect to those IP addresses or to the services running on top of them.

Starting at 5 PM EST yesterday, the Facebook routing prefixes began to be seen again in the BGP routing tables of other networks. With those prefixes advertised on the Internet once more, users could connect to Facebook, Instagram, and WhatsApp again."

So what’s the upshot for you? Plenty of people assumed this was tied in with the whistleblower story. Nope: Facebook’s own routing prefixes were withdrawn from BGP, and with them went the DNS servers the rest of the world needed in order to find facebook.com at all. A routing change that might have been better thought through.
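To make the prefix-withdrawal mechanism concrete, here is an added example in Python (ours, not code from the article, from BleepingComputer, or from Facebook): a toy BGP routing table with longest-prefix matching, plus a resolver model that first needs a route to an authoritative nameserver before it can do anything with the answer. Every prefix, ASN and hostname below is constructed from the RFC 5737 documentation ranges and the `.test` TLD, not Facebook’s real numbers, and the model has no resolver cache, so it loses the name the instant the prefixes go.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, int]  # (announced prefix, origin ASN)


class Rib:
    """A toy BGP routing table (RIB): announced prefixes and the AS that originates them."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, int] = {}

    def announce(self, prefix: str, origin_as: int) -> None:
        self.routes[ipaddress.ip_network(prefix)] = origin_as

    def withdraw(self, prefix: str) -> None:
        # A withdrawal simply removes the prefix. Nothing else covers those addresses
        # unless a shorter (less specific) prefix was announced as well.
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address: str) -> Optional[Route]:
        """Longest-prefix match: the most specific announced prefix containing the address."""
        addr = ipaddress.ip_address(address)
        best: Optional[Route] = None
        for prefix, asn in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, asn)
        return best


# Constructed data (RFC 5737 ranges; hypothetical org, not Facebook): the org's
# authoritative nameservers live inside the same prefixes as its web tier.
EXAMPLE_AS = 64500
EXAMPLE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
AUTHORITATIVE_NS = {"a.ns.example.test": "192.0.2.53", "b.ns.example.test": "198.51.100.53"}
A_RECORDS = {"www.example.test": "198.51.100.80"}


def resolve_and_route(rib: Rib, name: str) -> str:
    """Model a resolver with an empty cache: reach an authoritative nameserver first,
    then check whether the answer it would give is itself routable."""
    if not any(rib.lookup(ip) for ip in AUTHORITATIVE_NS.values()):
        return "SERVFAIL: no route to any authoritative nameserver"
    answer = A_RECORDS.get(name)
    if answer is None:
        return "NXDOMAIN"
    route = rib.lookup(answer)
    if route is None:
        return f"resolved {name} -> {answer}, but no route to it"
    return f"resolved {name} -> {answer} via AS{route[1]} ({route[0]})"


def outage_timeline() -> Dict[str, str]:
    """Before / during / after: withdraw the org's prefixes, then re-announce them."""
    rib = Rib()
    for p in EXAMPLE_PREFIXES:
        rib.announce(p, EXAMPLE_AS)
    rib.announce("203.0.113.0/24", 64510)  # an unrelated network, announced throughout
    out = {"before": resolve_and_route(rib, "www.example.test")}
    for p in EXAMPLE_PREFIXES:
        rib.withdraw(p)
    out["during"] = resolve_and_route(rib, "www.example.test")
    out["other_network_during"] = "reachable" if rib.lookup("203.0.113.9") else "unreachable"
    for p in EXAMPLE_PREFIXES:
        rib.announce(p, EXAMPLE_AS)
    out["after"] = resolve_and_route(rib, "www.example.test")
    return out


if __name__ == "__main__":
    for phase, result in outage_timeline().items():
        print(f"{phase:>20}: {result}")
```

Note the `other_network_during` result: withdrawing one organisation’s prefixes takes out only the addresses inside them, which is why the rest of the Internet carried on while facebook.com did not. A real resolver would keep serving cached answers until their TTLs ran out, which only delays the same failure.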


Global: Pandora Papers: Secret wealth and dealings of world leaders exposed

A simple guide to the Pandora Papers leak: the Pandora Papers is a leak of almost 12 million documents that reveal hidden wealth, tax avoidance and, in some cases, money laundering by some of the world’s rich and powerful.

More than 600 journalists in 117 countries have been trawling through the files from 14 sources for months, finding stories that are being published this week.

The data was obtained by the International Consortium of Investigative Journalists (ICIJ) in Washington DC, which has been working with more than 140 media organizations on its biggest ever global investigation.

What has been uncovered?
The Pandora Papers leak includes 6.4 million documents, almost three million images, more than a million emails, and almost half a million spreadsheets.

Stories revealed so far include:

  • King Abdullah II, who rules Jordan, spent more than $100 million on lavish properties in the U.S. and Europe while his country fell deeper into political turmoil, The Washington Post reported.
  • A woman suspected of being in a years-long relationship with Russian President Vladimir Putin became the owner of a pricey Monaco apartment days after reportedly giving birth to his child, the paper also found.
  • Azerbaijan’s leading family’s hidden involvement in property deals in the UK worth more than £400m.
  • The Czech prime minister’s failure to declare an offshore investment company used to purchase two French villas for £12m.
  • How the family of Kenyan president Uhuru Kenyatta secretly owned a network of offshore companies for decades.

The files expose how some of the most powerful people in the world, including more than 330 politicians from 90 countries, use secret offshore companies to hide their wealth.

Mrs. Lakshmi Kumar from US think-tank Global Financial Integrity explained that these people “are able to funnel and siphon money away and hide it,” often through the use of anonymous companies.

What do we mean by ‘offshore’?
The Pandora Papers reveal complex networks of companies that are set up across borders, often resulting in hidden ownership of money and assets.
For example, someone may have a property in the UK, but own it via a chain of companies based in other countries, or “offshore”.

These offshore countries or territories are where:

  • it’s easy to set up companies
  • there are laws that make it difficult to identify owners of companies
  • there is low or no corporation tax

The destinations are often called tax havens or secrecy jurisdictions. There is no definitive list of tax havens, but the most well-known destinations include British Overseas Territories such as the Cayman Islands and the British Virgin Islands, as well as countries such as Switzerland and Singapore.

Is it illegal to use a tax haven?

Loopholes in the law allow people to legally avoid paying some taxes by moving their money or setting up companies in tax havens, but it is often seen as unethical. The UK government says tax avoidance “involves operating within the letter, but not the spirit, of the law”.

There are also a number of legitimate reasons people may want to hold money and assets in different countries, such as protection from criminal attacks or guarding against unstable governments.

Although having secretive offshore assets is not illegal, using a complex network of secret companies to move money and assets around is the perfect way to hide the proceeds of crime.

There have been repeated calls for politicians to make it harder to avoid tax or hide assets, particularly following previous leaks such as the Panama Papers.

But Gerard Ryle, the ICIJ’s director, said the Pandora Papers show that “the people that could end the secrecy offshore… are themselves benefiting from it. So there’s no incentive for them to end it”.

How easy is it to hide money offshore?

All you need to do is set up a shell company in one of the countries or jurisdictions with high levels of secrecy. This is a company that exists in name only, with no staff or office.

It costs money though. Specialist firms are paid to set up and run shell companies on your behalf. These firms can provide an address and the names of paid directors, leaving no trail of who is ultimately behind the business.

How much money is hidden offshore?
It is impossible to say for sure, but estimates have ranged from $5.6 trillion to $32 trillion, according to the ICIJ. The International Monetary Fund has said the use of tax havens costs governments worldwide up to $600bn in lost taxes each year.

So what’s the upshot for you? This quote from Ms Kumar gives you an idea: “The ability to hide money has a direct impact on your life… it affects access to healthcare, access to a home, and your child’s access to education.” ‘nuff said.


Global: Coinbase customers robbed due to SMS MFA flaw

Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication (MFA) security feature.

Coinbase is the world’s second-largest cryptocurrency exchange, with approximately 68 million users from over 100 countries.

In a notification sent to affected customers this week, Coinbase explains that between March and May 20th, 2021, a threat actor conducted a hacking campaign to breach Coinbase customer accounts and steal cryptocurrency.

To conduct the attack, Coinbase says the attackers needed to know the customer’s email address, password, and phone number associated with their Coinbase account and have access to the victim’s email account.

Banking trojans traditionally used to steal online bank logins are also known to harvest Coinbase credentials. Coinbase’s notification continues: “…for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”

Once they learned of the attack, Coinbase states that they fixed the “SMS Account Recovery protocols” to prevent any further bypassing of SMS multi-factor authentication.

Because the threat actor had full access to each compromised account, the customers’ personal information was exposed as well, including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances.

So what’s the upshot for you? Coinbase says anyone whose BTC (or other holdings) went missing will be credited the amount taken. All victims should change their Coinbase passwords immediately, and since the attacker also needed access to the victim’s email account, the email password deserves the same treatment.
Coinbase also recommends that users switch to a more secure MFA method, such as a hardware security key or an authenticator app, and we second that recommendation.


US: Neiman Marcus sends breach notices to 4.3 million customers

https://apps.web.maine.gov/online/aeviewer/ME/40/9c04b285-0451-4660-9c14-7616913def24.shtml

4.3 million customers recently received a breach notice from the Texas-based retailer. While Neiman Marcus has not explained how its systems were breached, it states that sensitive customer information was exposed, including:

  • Online account usernames
  • Online account passwords
  • Credit card numbers and expiration dates
  • Security questions and the matching answers
  • Neiman Marcus virtual gift card numbers
  • Shipping addresses
  • Contact information

So what’s the upshot for you? The data breach notification doesn’t clarify whether the passwords were in plain text or hashed and salted, so if you are a customer and use the same credentials elsewhere, change them immediately. The security questions and answers were exposed too, so treat any answer you reused on other sites as burned.


Global: Cloudflare wants to be the Fourth Major Public Cloud

Cloudflare is ready to launch a new cloud object storage service that promises to be cheaper than the established alternatives, a step the company believes will catapult it into direct competition with AWS and other cloud providers.

The service will be called R2, “one less than S3,” said Cloudflare CEO Matthew Prince ahead of Cloudflare’s announcement Tuesday morning. Cloudflare will not charge data-egress fees for customers using R2, taking direct aim at the fees AWS charges developers to move data out of its widely popular S3 storage service. R2 will run across Cloudflare’s global network, which is best known for providing anti-DDoS services to its customers by absorbing and dispersing the massive amounts of traffic that accompany denial-of-service attacks on websites.

It will be compatible with S3’s API, which makes it much easier to move applications already written with S3 in mind, and Cloudflare said that beyond the elimination of egress fees, the new service will be 10% cheaper to operate than S3.

So what’s the upshot for you? Amazon’s response? “While we can’t comment on a product that has been announced but not released, we welcome competition generally across our businesses because we believe it is healthy and helps grow markets.” We wonder if sometime soon we will be reading stories about unsecured R2 buckets!


US: PwC offers U.S. employees full-time remote work… with a Small Catch

Accounting and consulting firm PwC told Reuters on Thursday it will allow all its 40,000 U.S. client services employees to work virtually and live anywhere they want in perpetuity, making it one of the biggest employers to embrace permanent remote work.

The policy is a departure from the accounting industry’s rigid attitudes, known for encouraging people to put in late nights at the office.

So what’s the upshot for you? “Employees who opt to work virtually full-time from a lower-cost location would see their pay decrease.” PwC’s deputy people leader, Yolanda Seals-Coffield said.

“See you at the office!”


Global: DNA-based data storage platform Catalog raises $35M

Conventional electronic media such as flash drives and hard drives consume energy to store and process ever-larger volumes of high-density data, are limited in how much they can hold, and bring security concerns of their own. Transmitting the stored data is expensive too.

To address these problems, Catalog, a Boston startup founded in 2016 by MIT scientists to develop an energy-efficient, cost-competitive, and more secure data storage and computation platform built on synthetic DNA, has just received US$35M in Series B funding.

While the concept of using DNA as a medium for data storage and computing has been around for years, much of the work has stayed in academia. Catalog says it has found a way to bring DNA into algorithms and applications with potential for widespread commercial use, from its proprietary data-encoding scheme through to automation.

“Catalog’s proprietary approach to writing information into DNA, namely its encoding scheme, is revolutionary in that minimal de novo DNA synthesis is required to store a tremendous amount of information, because the low speed and high cost of DNA synthesis have traditionally been the bottleneck in this field.” Catalog’s custom-developed DNA writer is capable of hundreds and thousands of chemical reactions per second, writing at a speed of over 10MB/sec at full capacity.

The IT industry has witnessed a proliferation of purpose-fit technologies over the last several years, including accelerators (GPUs, FPGAs), quantum computers, and extreme parallel computers. The advent of the DNA-based computer complements this portfolio, emphasizing low-energy, spatially dense, and secure computing that is divorced from the realities and limitations of electronic systems.

So what’s the upshot for you? Call Keanu Reeves, we feel a sequel to Johnny Mnemonic coming on.


US: Brain-cleaning sleeping cap gets US Army funding

The US Army has awarded researchers at Rice University and other institutions a grant to develop a portable skullcap that can monitor and adjust the flow of fluid through the brain during sleep.

Most of us are familiar with the brain fog that comes with not getting enough sleep, but the exact processes going on in there remain mysterious. In 2012 scientists made a huge breakthrough in the field by discovering the glymphatic system, which cleans out toxic waste products from the brain during deep sleep by flushing it with cerebrospinal fluid.

Signals would be gathered with a mix of sensors on the skullcap. Electroencephalography (EEG) measures electrical activity in the brain, while rheoencephalography (REG) measures blood flow. Other sensors measure fluid flow using ultrasound pulses – orbital sonography (OSG) sends these pulses through the eye socket, while transcranial doppler (TCD) ultrasound sends them through the skull. The fluid flow can then be controlled using transcranial electrical stimulation (TES) and low-intensity focused ultrasound pulses (LIFUP).

So what’s the upshot for you? We can’t wait to receive ours. Until then, we will have to keep wearing our tinfoil hats so aliens can’t read our minds.


UK: DeepMind’s AI predicts almost exactly when and where it’s going to rain

Forecasting rain, especially heavy rain, is crucial for a lot of industries, from outdoor events to aviation to emergency services. But doing it well is hard. Figuring out how much water is in the sky, and when and where it’s going to fall, depends on a number of weather processes, such as changes in temperature, cloud formation, and wind. All these factors are complex enough by themselves, but they’re even more complex when taken together.

The best existing forecasting techniques use massive computer simulations of atmospheric physics. These work well for longer-term forecasting but are less good at predicting what’s going to happen in the next hour or so, known as nowcasting. Previous deep-learning techniques have been developed, but these typically do well at one thing, such as predicting location, at the expense of something else, such as predicting intensity.

The DeepMind team trained their AI on radar data. Many countries release frequent snapshots throughout the day of radar measurements that track the formation and movement of clouds. In the UK, for example, a new reading is released every five minutes. Putting these snapshots together provides an up-to-date stop-motion video that shows how rain patterns are moving across a country, similar to the forecast visuals you see on TV.

The researchers fed this data to a deep generative network, similar to a GAN—a kind of AI that is trained to generate new samples of data that are very similar to the real data it was trained on. GANs have been used to generate fake faces, even fake Rembrandts. In this case, DGMR (which stands for “deep generative model of rainfall”) learned to generate fake radar snapshots that continued the sequence of actual measurements. It’s the same idea as seeing a few frames of a movie and guessing what’s going to come next.

To test the approach, the team asked 56 weather forecasters at the Met Office (who were not otherwise involved in the work) to rate DGMR in a blind comparison with forecasts made by a state-of-the-art physics simulation and a rival deep-learning tool; 89% said that they preferred the results given by DGMR. DeepMind’s collaboration with the Met Office is a good example of AI development done in collaboration with the end-user, something that seems like an obviously good idea but often does not happen.

The team worked on the project for several years, and input from the Met Office’s experts shaped it: “It pushed our model development in a different way than we would have gone down on our own.”

So what’s the upshot for you? Last summer this UK-based Google sister company open-sourced AlphaFold, its protein-structure prediction system. So after the bods at DeepMind taught AI to defeat humanity’s greatest chess and Go masters, it now seems to be yielding other, perhaps very practical, benefits.


Global: When listeners pay close attention to stories, their heart rates synchronize

An international team of researchers has shown that when a group of people hear the same story or watch the same video, their heart rates tend to rise and fall in sync. This correlation of heart rates, described this month in Cell Reports, could one day lead to new tools for measuring attentiveness, both in the classroom and the clinic.

Lucas Parra, a biomedical engineer at City College of New York, New York, and co-senior author on the study, knew from the previous work by his own group and others that people paying attention to the same videos or listening to the same stories show similar brain activity, as measured by electroencephalogram (EEG). Jens Madsen, a postdoctoral fellow in Parra’s lab and co-first author of the study, convinced him that the heart deserved a look as well. “Brain signals are hard to get,” says Parra. “If the heart can do that, it is even better because you don’t have to set up complicated recording equipment for the brain.”

The pair teamed up with co-senior author Jacobo Sitt of the Paris Brain Institute in France and others in a series of experiments to explore how heart rates increase and decrease across listeners. They began by asking over two dozen volunteers to each listen to 16 one-minute segments of Jules Verne’s “20,000 Leagues Under the Sea.” The heart rates of participants, captured by electrocardiogram (EKG), tended to speed up or slow down at the same points in the story.

The researchers also found that people whose heart rates most closely correlated with others while listening to children’s stories were better at recalling details such as the names of characters. “If you are paying attention to the narrative, then your heart rate will fluctuate in a reliable fashion,” explains Parra.

So what’s the upshot for you? The best way to test this theory is always to listen to this podcast with your friends, checking your pulse rate after each story.


That’s it for this week’s pulse-racing collection of stories. We hope you enjoyed the coverage now that you’ve found both your heart and your mind in sync with the best in IT Privacy and Security stories.


Be kind, stay safe, stay secure, and we look forward to finding you in a synchronized se7en!