The moment, you own it, you better never let it go. The IT Privacy and Security Weekly Update for March 30th 2021

Hey Daml’ers,

We start this week’s adventure with a tribute to women’s safety as we come to the end of National Women’s History Month in the US.

We move on, not to home building, but to cybersecurity, with a backdoor disguised as a typo fix. In the days of the George Floyd murder trial in the US, we find one legal reviewer in the UK who is of the opinion that people should get anywhere from 2 months to 5 years for not providing their phone password to the police.

We get to the bottom of STIR/SHAKEN and finally, we see the results of a privacy and security survey of over fifteen thousand people around the world. We think the results will surprise you!

And with that, the moment, you own it, you better never let it go.

IN: Dating app Bumble takes a stand on female safety

Bumble India found that 83% of women have experienced online harassment of some kind, with 1 in 3 reporting that they experience it weekly. And it’s worsened since the onset of the COVID-19 pandemic, women in India report: 70% say they believe cyberbullying has increased since lockdown began.

As a result of this digital abuse epidemic, well over half (59%) of women Bumble surveyed in India said they feel unsafe. No one should have to feel afraid of harassment online, nor should they — as 1 in 3 women reported — put on a brave face and let this behavior slide for fear of retribution.

So Bumble has teamed up with the Safecity app to foster the reporting of harassment and the creation of safer neighborhoods for Indian women.

Why is it important to report cases of harassment and abuse? UN Women states that 1 in 3 women face some kind of sexual assault at least once in their lifetime. But in our experience, the statistic in India seems to be extremely high. A rape occurs every 20 minutes in India. Yet most women and girls do not talk about this abuse for a multitude of reasons: fear of society, culture, victim blaming, fear of police, tedious formal procedures, etc. As a result, women keep silent and this data is not captured anywhere, but the perpetrator gets bolder over time and we accept it as part of our daily routine.

SafeCity is creating a new data set which currently does not exist. By representing the information thus collected on a map as hotspots, the focus moves away from the “victim” to the location, and people can view the issue with a different lens. People can sign up for alerts based either on location or on category of harassment. This allows people to understand the “safety” landscape of an area and make the most informed decision for themselves: for example, they can decide on the time of a visit, the method of transport to use, whether they need to be accompanied by someone, or even what clothes to wear.

So what’s the upshot for you? Today we make choices for pretty much everything based on reviews (books, movies, restaurants, hotels), but we have nothing for personal safety.
We applaud the team at the Safecity app, and Bumble for partnering with them, to provide greater security to Indian women. Let’s hope this is only the first step in the evolution of both the app and these types of partnerships.

Global: Backdoor Disguised as Typo Fix Added to PHP Source Code

The investigation into this incident is ongoing, but the backdoor was discovered quickly and it apparently did not make it into a PHP update made available to users.

On 2021-03-28, two malicious commits were pushed to the php-src repo under the names of Rasmus Lerdorf and Nikita Popov. We don’t yet know how exactly this happened, but everything points towards a compromise of the git(dot)php(dot)net server (rather than a compromise of an individual git account). While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git(dot)php(dot)net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git(dot)php(dot)net.
While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub.

We’re reviewing the repositories for any corruption beyond the two referenced commits. Please contact security@php(dot)net if you notice anything.

So what’s the upshot for you? We are lucky this commit was reviewed and caught, but we’ll bet that many others haven’t.

UK: UK terror law reviewer calls for expanded police powers to imprison people who refuse to hand over passwords. Police should be exempted from regulatory safeguards, states legal reviewer.

The UK’s Government Reviewer of Terrorism Laws, Jonathan Hall QC, said police should be able to threaten people arrested under terror laws with five years in prison if they don’t hand over passwords on demand.
We read through this report. From section 4.22 on pages 55 and 56, the two clear powers available to the police are section 49 of the Regulation of Investigatory Powers Act 2000 and Schedule 7 of the Terrorism Act 2000. Under Schedule 7, members of the travelling public may be required to produce passwords (or their equivalent) for mobile phones during the course of an examination, and failure to do so is not infrequently prosecuted as a breach of the duty to comply with such examinations. In the context of bulk acquisition, the stages are collection, filtering and selection for examination (where analysts form a judgment as to what data is actually worth considering). In its report on Search Warrants, supra, the Law Commission draws attention to the power under section 19(4) to compel the production of information stored in electronic form which is accessible from the premises searched. They recommend that the power to compel passwords in this context should be made clearer and more effective, with a maximum penalty of 3 months’ imprisonment. On Schedule 7 the reviewer adds: “I say no more about the use of this power which is limited to ports and certain border areas.”

4.23. The section 49 power is available to a number of authorities in addition to the police and Secretary of State, and is not limited to terrorism, although a failure to comply with a notice produced under section 49 in a “national security case” risks an elevated maximum five-year sentence.

So what’s the upshot for you? This chap will be making friends with law enforcement, but should tread very carefully where matters of further police empowerment are concerned. This gives the police the right to review the contents of your phone without further oversight. In light of the George Floyd murder trial going on in the US currently, we think that over here, further empowerment for police might not go over so well.

Global: Apple rushes to patch zero‑day flaw in iOS, iPadOS

Apple has released an emergency update for its iOS, iPadOS, and watchOS operating systems to patch a zero-day security flaw that is being actively exploited in the wild. The vulnerability affects multiple models of iPhone, iPad, Apple Watch, and iPod touch.

“Apple is aware of a report that this issue may have been actively exploited,” reads Apple’s security advisory describing the security hole that is being plugged with the release of iOS 14.4.2 and iPadOS 14.4.2.

Given the seriousness of the threat, Apple also rolled out an update (iOS 12.5.2) for older devices such as iPhone 5s and iPhone 6. In an effort to protect its customers, the company did not release any information about the perpetrators or the targets of the attacks. Meanwhile, Computer Emergency Response Teams (CERT) from the United States, Hong Kong, and Singapore issued alerts urging users of the affected devices to apply the updates immediately.

So what’s the upshot for you? These patch releases are becoming a weekly thing, but even though they are a bit of a headache, we say wait a day or two, check the news for patch-related failures, and “if the coast is clear” then patch your Apple products.

US: Intel Sued Under Wiretapping Laws for Tracking User Activity on its Website

Intel is being sued under a Florida state wiretapping law for using software on its website to capture keystrokes and mouse movements of people that visit it.
A class-action suit in the Circuit Court of the Fifth Judicial Circuit in and for Lake County, Florida, alleges that the tech giant unlawfully intercepted communications without user consent because of its use of analytics technology on its website.

At issue in the case is session replay software that Intel, and many other companies, use on their respective websites. According to the suit, it can track how people interact with the site, including recording their mouse movements and clicks, the information they input into the site, and the pages and content they view.

The suit claims that this activity by Intel violates the 2020 Florida Security of Communications Act, which makes it illegal to intentionally intercept another person’s electronic communications without first letting the person know and asking for his or her consent.

A number of other cases, mainly in Florida and California, which have similar wiretapping statutes, are currently pending, with companies such as Fandango, Foot Locker, Frontier Airlines, Ray-Ban, Banana Republic and others counted among those accused of illegally intercepting user communications.

So what’s the upshot for you? Regulations regarding what companies can and cannot do with the data they collect about you are coming to the fore. You have a right to know if details about you are being collected and how they are being used.

Global: Help-wanted ads show a sharp increase for black hat hackers-for-hire

“I need a site hacker for $2,000,” “Break this site for $10K,” “Can you collect information from our competitors’ websites?” or “Can you delete reviews? Budget $300.”

Posts like these, in which individuals try to hire black hats, have flooded some of the most active hacking forums on the dark web.

It started even before the pandemic, but it further intensified as more employees switched to working remotely.

So what’s the upshot for you? Like any other business, black hat hackers have a gig economy. The downside is that the more people know about it, the more it will drive expansion. You don’t need a large capital investment to make a lot of money (a good situation if you are in a poorer country where Internet connectivity is strong and the local government has a tendency to look the other way for this type of activity).

US/CA: Use your phone for phone calls? STIR/SHAKEN becomes Mandatory for US and Canadian telcos June 30.

Last week, cellular carrier T-Mobile completed its rollout of STIR/SHAKEN in the United States. Designed to stop caller ID spoofing, STIR/SHAKEN is a suite of security protocols that all U.S. mobile providers will need to implement by June 30.
Caller ID spoofing happens when the caller (often a bad actor) “tricks” a telephone network into showing incorrect caller ID information to the call recipient. VoIP (Voice over Internet Protocol) providers sometimes allow users to configure the number that will be displayed when they make calls. Bad guys abuse this feature in caller ID spoofing attacks.

There are also full-fledged spoofing services. Malicious callers can set up a PIN, pay for a certain number of minutes, and then place calls that can be configured to display whatever origin number they choose.

If a call comes in from a familiar number, or even just a local number, it can seem legitimate and you might answer your phone. Caller ID spoofing is used heavily in robocalls — those automated, pre-recorded phone calls that have plagued consumers for years. While some robocalls are nothing more than spammy sales pitches (deeply annoying, but relatively harmless), many robocalls are scams.

How does STIR/SHAKEN stop caller ID spoofing? STIR stands for Secure Telephony Identity Revisited. The STIR protocol works by adding metadata to the call header information that’s used to route VoIP data through phone networks. This metadata includes information that shows how well the provider was able to verify the originating number (there are options for known origin, partially known origin, or unknown origin). The metadata is then encrypted using public key cryptography so that other providers further downstream can verify that the header info is really coming from a trusted provider. In this way, any call that fails to authenticate properly, or that’s coming from an unknown or unverified caller, can be flagged by the carrier responsible for delivering the call to the end user.

SHAKEN stands for Signature-based Handling of Asserted information using toKENs (yes, they really went out of their way for that James Bond reference). Unlike STIR, SHAKEN isn’t really about the technical procedures used to verify callers. More than anything, it’s a set of guidelines intended to standardize how carriers deal with calls that fail STIR authentication.
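To make concrete what the STIR call-header metadata, the attestation levels and the downstream verification described above look like, here is an added example that is not code from the original post or from any carrier: a simplified version of the signed PASSporT token that STIR/SHAKEN attaches to a call, in Go. The originating carrier signs the claims with its ECDSA P-256 key (ES256, the algorithm the real framework uses); the terminating carrier verifies the signature, checks freshness, and compares the signed origin number with the caller ID actually presented, which is the check a spoofed number fails. The header, the x5u certificate URL, the telephone numbers and the origid are constructed placeholders, and the verifier keeps only the checks needed to show the idea, so this is not a conforming implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Token header as in PASSporT/SHAKEN; the x5u URL is a placeholder, not a real certificate location.
const passportHeader = `{"alg":"ES256","ppt":"shaken","typ":"passport","x5u":"https://cert.example.invalid/sp.pem"}`

// Passport holds the signed claims. Attest is the SHAKEN attestation level:
// "A" known origin, "B" partially known origin, "C" unknown origin (gateway).
type Passport struct {
	Attest string `json:"attest"`
	Dest   struct{ TN []string `json:"tn"` } `json:"dest"`
	Iat    int64  `json:"iat"`
	Orig   struct{ TN string `json:"tn"` } `json:"orig"`
	OrigID string `json:"origid"`
}

var b64 = base64.RawURLEncoding

// NewPassport builds the claims an originating carrier signs for one call (OrigID is a placeholder UUID).
func NewPassport(attest, origTN, destTN string, now time.Time) Passport {
	p := Passport{Attest: attest, Iat: now.Unix(), OrigID: "00000000-0000-4000-8000-000000000001"}
	p.Dest.TN = []string{destTN}
	p.Orig.TN = origTN
	return p
}

// SignPassport returns header.payload.signature: ECDSA P-256 over SHA-256 of the
// first two base64url parts, signature in JWS raw r||s form (32 bytes each).
func SignPassport(priv *ecdsa.PrivateKey, p Passport) (string, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(passportHeader)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating carrier's side: verify the signature with the
// originating carrier's public key, reject stale tokens (RFC 8224 allows roughly a
// one-minute window), and require the signed origin number to match the presented caller ID.
func VerifyPassport(pub *ecdsa.PublicKey, token, callerID string, now time.Time) (Passport, error) {
	var p Passport
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return p, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return p, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return p, errors.New("signature invalid: not from a trusted provider")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return p, err
	}
	if err := json.Unmarshal(payload, &p); err != nil {
		return p, err
	}
	if age := now.Unix() - p.Iat; age > 60 || age < -60 {
		return p, errors.New("token outside freshness window")
	}
	if p.Orig.TN != callerID {
		return p, fmt.Errorf("caller ID %s does not match signed origin %s", callerID, p.Orig.TN)
	}
	return p, nil
}

func main() {
	// Constructed sample: one carrier key pair and one call from a placeholder number.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	token, _ := SignPassport(priv, NewPassport("A", "12025550100", "12025550123", now))
	_, err := VerifyPassport(&priv.PublicKey, token, "12025550100", now)
	fmt.Println("genuine caller ID:", err)
	// Same signed token, but the caller ID on the wire was swapped for a local-looking number.
	_, err = VerifyPassport(&priv.PublicKey, token, "12025550999", now)
	fmt.Println("spoofed caller ID:", err)
}
```

The point of the design is that the signature binds the origin number to a key only the originating provider holds, so a downstream carrier that trusts that provider's certificate can tell a number the provider vouched for ("A") from one it merely passed along ("C"), and can flag a call whose presented caller ID disagrees with what was signed. A real deployment also fetches and validates the x5u certificate chain against the SHAKEN certificate authority, which this example omits.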

Carriers in the United States and Canada have until June 30 to roll out STIR/SHAKEN.

So what’s the upshot for you? Although STIR/SHAKEN will make a huge dent in the number of robocalls that we all get on a daily basis, it will never be 100% effective (someone will always find a way around it). So until then, remember:
There are organizations that will never contact you asking for sensitive information. This includes big tech companies like Apple and Microsoft, banks and financial institutions, and government agencies like the IRS.
Never give your password or other login information to anyone over the phone … for any reason.

Global: ‘Apex Legends’ players banned over Xbox DDoS attack

Two high-ranked Apex Legends players have been banned from the platform for cheating by launching distributed denial-of-service (DDoS) attacks on an Xbox server.

The players, who had achieved the rank of “Apex Predators” in the console version of the game haven’t been named, but the whole thing went down publicly on Reddit’s r/apexlegends forum over the weekend.

“eSports is a market where the top 10 teams are valued at about $2 billion in total, and where money is involved, there are folks trying to use dirty tricks,” said Dirk Schrader from New Net Technologies.

So what’s the upshot for you? Hopefully these guys will get banned in a manner that sets an example for others, but more than likely, as the stakes get higher, we will see more of this.

NL: Royal Dutch Shell’s Accellion file transfer story from last week just got worse.

This story started with the Accellion File transfer software breach. Ransomware was uploaded to Royal Dutch Shell servers where it encrypted business and personal data. In this case the ransomware operation known as ‘Clop’ is applying maximum pressure on victims by emailing their customers and asking them to demand a ransom payment to protect their privacy.

A common tactic used by ransomware operations is to steal unencrypted data before encrypting a victim’s network. This data is then used in a double-extortion tactic where they threaten to release the data if a ransom is not paid.

When data is published, it can be damaging to the victim and their customers, as the stolen data could contain personal information, credit cards, social security numbers, and even government-issued identification.

To encourage Shell to pay the thieves and prevent further stolen data from leaking, the gang has now uploaded to its Tor-hidden website a selection of documents, including scans of purported Shell employees’ US visas as well as a passport page and files from its American and Hungarian offices.

So what’s the upshot for you? This ransomware story just gets more brutal. Although in this case it started with the Accellion file transfer software, the sad fact is that it typically starts with a phishing e-mail… Please be careful what you click on.

IN: Mobikwik lies and pays the price.

Popular Indian mobile payments service MobiKwik on Monday came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month.
The data leak site, which is accessible via Tor browser and boasts of 36,099,759 records, came online after the digital wallet company vehemently denied the incident on March 4 following a report by an independent security researcher.

The leaked data includes: names, email addresses, residential addresses, GPS locations, list of installed apps, partially-masked credit card numbers, connected bank accounts and associated account numbers, and know your customer (KYC) documents of 3.5 million users.
Even worse, the leak also shows that MobiKwik does not delete the card information from its servers even after a user has removed them, in what’s likely a breach of government regulations.
It’s not immediately clear how the threat actor managed to gain unauthorized access to MobiKwik’s servers, but the hacker said, “it’ll be embarrassing for the company. story for some other time…”

So what’s the upshot for you? The baddies wanted about US$85K in Bitcoin to keep the data quiet. While we don’t ever encourage payment, we really don’t encourage lying when you have been hacked. It’s just bad for business.

AU: Cyber attack forces live TV shows off-air on Australia’s Channel 9

Nine Entertainment Co has requested the assistance of the Australian Signals Directorate after a major cyber attack hit its broadcast systems in the early hours of Sunday morning.

Nine’s chief executive confirmed on Sunday night that the incident was a cyber attack. Nine’s director of people and culture, Vanessa Morley, said the company may be unable to fully restore systems for some time and instructed staff to work from home indefinitely. The origin and motive of the attack are unclear, but no requests for ransom have been made.

Sources familiar with the discussions at Nine said the company had been in talks with a large number of external security experts on Sunday who said they had not seen this kind of attack before in Australia. The sources said the experts believe it is some kind of ransomware likely created by a state-based actor. The Australian Cyber Security Centre, part of the ASD, confirmed it had offered technical assistance to Nine after it made contact about the attack.

So what’s the upshot for you? Currently the Australian Signals Directorate believes this is a nation-state attack. When a nation state lines up against your business, there is very little you can do, which is why it’s important to have contingency plans in place, back up your important files and have a prepared statement ready for the press, remembering that all of that has to be done before the event!

Global: The state of data privacy amid growing digital dependency

A new report from security firm Kaspersky, based on a survey of 15,070 adult consumers globally, reveals some interesting facts. Respondents were asked about their household devices, how they use them, the personal and work apps and services they use, their security attitudes and, finally, any security incidents they had experienced in the past 12 months:

  • 80% of consumers who work from home use personal computers for work-related purposes
  • 53% of respondents that were a target of ransomware (56%) paid the ransom to restore access to data stolen from them. Yet despite paying, 17% of those who paid the ransom didn’t get their data back
  • 45% of respondents did not believe that they were a target for cyberattacks and cybercriminals
  • 50% of users whose devices were lost, stolen or damaged had secret information revealed
  • 23% always give apps and services permission to access their microphone or webcam
  • 50% of consumers would no longer use an online service provider following a data breach
  • 56% of respondents that were affected by this form of attack paid the ransom demanded to restore access to their data. This is highest among those aged 35-44, of whom 65% paid to restore their data, compared to just over half (52%) of those aged 16-24.
  • 36% said that their car was connected to the internet and another third (33%) had a multimedia center or car-PC connected to the internet.
  • 28% of online users experienced attempts to hack their online accounts, with a large number (41%) of these people reporting that they had their social media accounts targeted.
  • 37% had an email account targeted.
  • 31% had a cryptocurrency wallet targeted.
  • 30% who lost money as a result of a scam or hack reported that they did not manage to get it back
  • 9% lost between $2,000 and $4,999
  • 65% of the respondents admitted to downloading a music torrent
  • 66% downloaded films
  • 61% downloaded software from a torrent. This is despite the fact that torrenting sites are commonly known to be littered with malware.

So what’s the upshot for you? Cyber security is a continuous process. Back up your data, use anti-virus and anti-malware software, and be careful what you download. You might end up with more than you expected.

We hope you enjoyed the moment, because that’s it for this week! See you in Se7en!