The Smiling face of IT Privacy and Security for the week ending June 29th 2021


Damlers,

this week we take you from an employer that won’t even let you in the building if you are not smiling, to your best friend when there is just … one… CCTV too many.

In between, we get a loud warning for publicly accessible Western Digital personal storage, a couple of painful admissions from Microsoft, and US phone users getting shaken and stirred tomorrow.

In the mix, we also have a place for you to jump into a 3d world for a little privacy and chill should you wish.

It’s all here, it’s all fresh and it’s just about the best IT Privacy and Security Weekly Update yet.

Let’s put on a great big smile and get to work!


CN: Canon Uses AI Cameras That Only Let Smiling Workers Inside Offices

From Kareem Khan, we have a great first story: Canon has rolled out new AI cameras that use “smile recognition” technology to ensure that only happy employees are allowed into its offices.

Back in 2020, the China-based Canon subsidiary Canon Information Technology introduced an “intelligent IT solution” for corporate offices that includes 5 different functional modules, one of which is “smiley face access control.”

“In addition, based on the corporate culture of ‘moving and always being’, Canon has always advocated the concepts of ‘laughing’ and ‘big health’, and hopes to bring happiness and health to everyone in the post-epidemic era,” Canon wrote in a press release. “Therefore, in the […] intelligent IT solution, a new experience of smile recognition is specially incorporated. It is hoped that smiles can let everyone relax and get healthy, so as to create a more pleasant working atmosphere and improve efficiency.”

“So now the companies are not only manipulating our time but also our emotions,” one worker wrote on Weibo (the popular Chinese microblogging service).

So what’s the upshot for you? To us, this sounds like the perfect solution to everything. Just imagine one of these on your front door! Or as a solution to road rage. If your car decided you were unhappy, it would just turn off. You could only drive when you were happy again! The possibilities are boundless!


Global: Privacy or Party in 3d

Jump, run, move and chat in your own 3d world and then, when you have had enough time with your own private thoughts, invite some friends.

The maker of this nifty little virtual scene wrote that “this would be a good time” to release the website, presumably referring to C19 lockdowns. So far, the program runs on desktops only.

All you need to do is pick a YouTube link of your choice, choose an avatar of your liking, have some private time, or invite people to your e-gathering if you’d so prefer. You can add up to 30 individuals and allow them to change the video in the background (or not).

“Knee-high grass” because why not? While DJ-ing sounds like the go-to activity on DJ3D.io, you can get creative with your background. In fact, some people are already using it as a free virtual classroom to teach CSS Grid. It wouldn’t be a surprise if DJ3D.io was used to run live streams for cooking, gaming, coding, stitching, and a lot more.

And while DJ3D isn’t exactly a video-conferencing tool either, it is pretty versatile. You don’t really need to dress up for it. All you have to do is throw a YouTube link in, invite your friends (or not), play around with your emoji-avatar, and have a jolly good time.

So what’s the upshot for you? We liked the LoFi playing on the back wall, but not the fact that our character had a blockhead!


Global: This Company Is Putting Face-Tracking Ad Tablets in the Back of Ubers

Last week, Alfi—a self-described “AI enterprise SaaS platform company powering computer vision with machine learning models”—announced a deal to give Uber and Lyft drivers 10,000 digital tablets equipped with cameras that will display ads, catalog information about riders, and track their reactions to the content.

As part of a larger program, Alfi is offering ride-hail drivers a free tablet that it claims will use computer vision to “recognize the demographics of the rider” and serve them “personalized content as well as advertisements.” Drivers are promised a revenue share of “up to $350” so long as passengers actually engage with the content or ads.

According to a press release announcing the rollout of the program, Alfi uses computer vision and its ads are tailored “by age, gender, geography, demographics, brand behavior, and interests” and the tablet “informs the advertisers that someone viewed their ad, the number of views, and each viewer’s reaction to the ad.” According to the release, “hundreds” of Ubers and Lyfts in Miami have installed the tablets.

Alfi’s algorithm tracks “small facial cues,” according to the company’s website.

So what’s the upshot for you? Whether or not the technology behind the advertising really works is beside the point, as it’s hard not to read this as an attempt by another industry to profit from the particular vulnerability and exploitation of ride-hail drivers. Nationwide, ride-hail companies are hiking prices while keeping driver pay at the same or lower levels… And now your face is involved.


Global: MyBook Users Urged to Unplug Devices from Internet

Hard drive giant Western Digital is urging users of its MyBook Live brand of network storage drives to disconnect them from the Internet, warning that malicious hackers are remotely wiping the drives using a previously unknown critical flaw that can be triggered by anyone who knows the Internet address of an affected device.

Last week, Bleeping Computer and Ars Technica pointed to a heated discussion thread on Western Digital’s user forum where many customers complained of finding their MyBook Live and MyBook Live Duo devices completely wiped of their data.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a statement on June 24. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live and My Book Live Duo devices received their final firmware update in 2015. We understand that our customers’ data is very important. We are actively investigating the issue and will provide an updated advisory when we have more information.”

Western Digital’s brief advisory includes a link to an entry in the National Vulnerability Database for CVE-2018-18472. The NVD writeup says Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug.

“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital. The vulnerable MyBook devices are popular among home users and small businesses because they’re relatively feature-rich and inexpensive, and can be upgraded with additional storage quite easily. But these products also make it simple for users to access their files remotely over the Internet using a mobile app.

So what’s the upshot for you? If you have one and you’d still like to keep your MyBook connected to your local network (at least until you can find a suitable backup for your backups), please make double sure remote access is not enabled.


Global: Microsoft admits to signing rootkit malware in supply-chain fiasco

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.

This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft.

This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft’s code-signing process.

Last week, G Data’s cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft-signed driver called “Netfilter.”

The driver in question was seen communicating with China-based C&C IPs providing no legitimate functionality and as such raised suspicions. Notably, the C2 IP 110.42.4.180 that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records.

“The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party.”

“We have suspended the account and reviewed their submissions for additional signs of malware,” said Microsoft yesterday.

According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far. This particular incident has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.

So what’s the upshot for you? If you check in malicious drivers, you don’t get invited back to the party. We hope the net result of this is that Microsoft puts a little more rigor into its testing processes.


Global: Microsoft Discovers New Breach while investigating SolarWinds CyberAttack

https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/

Microsoft has found Nobelium hackers compromised a worker’s computer and used the device to launch targeted attacks against its customers, the company wrote in a blog post on June 25, 2021. The company made the discovery during its investigation into Nobelium, the hacking group responsible for the SolarWinds Orion supply chain cyberattack, which was discovered in 2020.

The latest cyberattack reported by Microsoft does not involve SolarWinds or its customers. Nobelium hackers gained access to one of Microsoft’s customer service agents. They then used information from the agent to attack Microsoft customers.

From Microsoft: “All customers that were compromised or targeted are being contacted through our nation-state notification process.”

“This type of activity is not new, and we continue to recommend everyone take security precautions such as enabling multi-factor authentication to protect their environments from this and similar attacks. This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services. The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted.”

“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”

“We responded quickly, removed the access, and secured the device.”

Microsoft has warned affected customers to be careful about communications to their billing contacts, according to Reuters. It also has encouraged these customers to change those usernames and email addresses.

So what’s the upshot for you? Things could become a little less comfortable when the world’s biggest software supplier admits that it has been compromised (even if only a little bit).


US: Hospitals are selling treasure troves of medical data — what could go wrong?

Healthcare organizations and hospitals in the United States all sit on treasure troves: a stockpile of patient health data stored as electronic medical records. Those files show what people are sick with, how they were treated, and what happened next. Taken together, they’re hugely valuable resources for medical discovery.

Because of certain provisions of the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations are able to put that treasure trove to work. As long as they de-identify the records — removing information like patient names, locations, and phone numbers — they can give or sell the data to partners for research. They don’t need to get consent from patients to do it or even tell them about it.

More and more healthcare groups are taking advantage… but if it’s re-identified and the data is hacked or exposed, there are a few things that could go on. A lot of people will use solely medical data to make fraudulent medical claims, and then what happens is the victim of the identity theft gets all these bills. Your medical record contains financial information, so there’s the financial risk of that. The other thing that can go on is if you had a condition that you didn’t want your family to know about, or your employer or something like that, it could be exposed.

We’ve gotten really good at not fixing anything when this happens. Once the data is out, it’s out. It’s very difficult to stay on the curve, especially in medicine. On one side, you have these speed-of-light tech and cybercrime processes going on, and the other is smart people trying to take care of patients better. And they’re just mismatched.

So what’s the upshot for you? This is a wake-up call for all of us. Be preemptive. If you have not frozen your credit reports with the top three agencies (there are actually four, so freeze all of them), you should do so now. Document all your PINs and passwords, because you will need them for any new service you apply for that does a credit pull.

And finally, be conservative with your online announcements. They can be, and are, easily aggregated with other leaked material to build a complete profile of you that could haunt you now and well into the future.


US: Honey, the Insurance premiums are going up… again.

Cyber insurance providers are likely experiencing big losses when other costs like underwriting and legal expenses are factored in.

“From an industry perspective, results have definitely gotten worse in this line. And it’s from all the things you’re reporting on—the number of breaches, ransomware attacks, the cost of these incidents continuing to go up. In 2021 I’m not sure we’ll see a big improvement for insurers.”

Pandemic-related shifts to remote work helped fuel a surge in cyberattacks over the last year. Cybersecurity firm Crowdstrike, for example, said it observed more hands-on-keyboard intrusions in the first half of 2020 than it did in all of 2019. The company attributed this increase to an expanded attack surface for cybercriminals to exploit, as well as COVID-19 related fears that made phishing attacks more successful.

“Prices are going to continue to rise for these policies. Insurance companies will change the terms and conditions of what they cover and what they exclude. They will offer lower limits.”

Direct written premiums for cyber insurance rose 22% in 2020 to over $2.7 billion. However, demand for cyber insurance is still strong, as companies look for ways to shield themselves against losses related to cyberattacks.

So what’s the upshot for you? 2 + 2 still equals 4 in most circles, and as the payouts rise, so do the premiums.


Global: In the US, Robocalls are out of control, but that could change from Tomorrow

Millions of Americans don’t even bother answering calls from unfamiliar or blocked numbers anymore (count us among those numbers).

US consumers have received just under 22 billion robocalls in the first five months of 2021.

From tomorrow, every major voice provider in the US, including phone companies AT&T, Verizon and T-Mobile, and cable provider Comcast, will have to implement a technology called Stir/Shaken.

What’s Stir/Shaken? “Stir” stands for “secure telephone identity revisited,” and “Shaken” for “signature-based handling of asserted information using tokens.” Stir is the technical protocol, and Shaken is the framework by which calls can be tracked in the new robocall mitigation database. The way it works is that Stir/Shaken technology ensures that calls traveling through phone networks have their caller ID “signed” as legitimate by originating carriers and validated by other carriers before the calls reach you. In short, the technology authenticates a phone call’s origin and makes certain the information on the Caller ID matches.

So what’s the upshot for you? So exciting! Looking forward to being able to answer our phones as phones again!


US: Americans lost $29.8 billion to phone scams in the past year, study finds

A study of U.S. residents has found that one in three say they’ve fallen victim to a phone scam in the past year, and 19% say they’ve been duped more than once. Totaling 59.4 million people, the money lost in the past year increased by 51% over last year for a total of $29.8 billion.

So what’s the upshot for you? Tomorrow cannot come fast enough.


RU: Too many CCTV cams watching you? We might have a Solution.

The Nizhne-Svirsky Nature Reserve in Russia has shared a video that shows a local black woodpecker methodically destroying a camera trap that was hidden in the trees.
In a post on Facebook, the Nature Reserve writes that the black woodpecker “easily” discovered the camera, despite its camouflage, and spent several days attacking the camera as if it were a part of the tree.

The black woodpecker is a large woodpecker that lives in the forests of the northern Palearctic and is the sole representative of its genus in the region. It is closely related to the pileated woodpecker of North America and the lineated woodpecker of South America.

In the video, the black woodpecker can be seen popping in and out of frame as its loud pecks can be heard through the camera’s microphone. According to the Nature Reserve, the “vandalism” — as it is cheekily referred to — was attributed to the bird’s desire to remove any human interference with the personal life of the animals in the region.

So what’s the upshot for you? Dear Santa, we know what we’d like for the holidays… a woodpecker!


And that’s it for this week! Be kind, stay safe, stay secure and see you in se7en!