The Starman and the IT Privacy and Security Weekly Update for August 3rd 2021


Daml’ers,

We are firing all rockets, starting down-under with a report on a pocket calculator that may inspire a whole generation (to write secure code). From there we orbit to Italia where you might need a “shot” of espresso before their news.

Then it’s on to Raccoons and their role in the new SaaS, before touching down in France and Luxembourg to see whose hands have been slapped.

We Zoom into why you might want to hold the Guac on that burrito, and why if you are in North America, you might want to reschedule your Doctor’s appointment.

Finally, we end our journey some 36 000 km above the Earth’s surface with one of the best “What could possibly go wrong?” stories ever…

We think you’ll be even more excited by this launch than Jeff Bezos was last month, and we’ll certainly be going further! So fasten your helmets, put on your moon boots and let’s blast off!


AU: Texas Instruments Adds Python to Its Latest Graphing Calculator

Graphing calculators have always been a fun way to get started with programming, though mostly in the form of games and cheat sheets. But now Texas Instruments is introducing a new TI-84 graphing calculator that supports programming in Python.

Available beginning this fall, the TI-84 Plus CE Python graphing calculator will also include features like a full-colour screen and a rechargeable battery that lasts up to a month. According to Texas Instruments, the benefit of learning the basics of Python on a calculator is that the device doesn’t have wifi, Bluetooth, or a camera. As in, no distractions means no shenanigans. For now. After all, kids are wily and it’s only a matter of time before we start seeing some creative applications that Texas Instruments probably didn’t intend.

So what’s the upshot for you? We loved the Gizmodo Australia comment: “colour screens, lightweight bodies, a monthlong battery life, and Python? Dang, kids got it good these days.” But always remember kids, secure coding is paramount, so have your mum, dad, or bus buddy do a peer review before you release your homework results.


IT: ‘The Situation Is Very Serious’: Ransomware Hackers Hobble Covid-19 Vaccinations in Italy

A series of cyberattacks has disrupted COVID-19 vaccinations in Italy’s Lazio region — a large area that encompasses the nation’s capital, Rome.

The attacks, which appear to have been launched by hackers connected to a ransomware gang, temporarily took down the Lazio government’s website over the weekend, while also incapacitating LAZIOCrea, a third-party firm in charge of scheduling and booking vaccination appointments. Data associated with a large public health database was also encrypted, though the government has backups of the data, local outlets have reported.

ANSA, the nation’s leading wire service, reports that the cybercriminals infiltrated LAZIOCrea’s systems as an “administrator” and were able to deploy “a malware that encrypted the data on the system.” In a Facebook post, the local government admitted that “operations relating to vaccinations may be delayed” as a result.

“At the moment we are defending our community from these attacks of a terrorist nature,” said Nicola Zingaretti, Lazio’s governor.

So what’s the upshot for you? Hospitals, public health websites, and academic researchers have all been attacked. It’s particularly disturbing to see such morally unscrupulous tactics targeted at the vaccination process — a process solely designed to save lives — especially for a country as hard hit by COVID as Italy.


RU: Wait for it, we have a new one: SaaS … "stealer-as-a-service"

Raccoon is offered as a stealer-for-hire: the developers behind the malware rent their creation to other cybercriminals for a fee and, in return, keep it frequently updated. The stealer operates through a Tor-based command-and-control (C2) server that handles data exfiltration and victim management, and each Raccoon executable is tied to a signature specific to the client who bought it.

Usually found in Russian underground forums, Raccoon has also been spotted for the last few years in English language forums, too – for as little as $75 for a weekly subscription.

The malware is spread not through spam emails but through droppers disguised as installers for cracked and pirated software, to date predominantly on Windows machines.

Raccoon Stealer can monitor for and collect account credentials, cookies, website “autofill” text, and financial information that may be stored on an infected machine.

The upgraded stealer also includes a “clipper” (a clipboard hijacker) for cryptocurrency theft: the QuilClipper tool targets wallets and their credentials in particular, as well as Steam-based transaction data.

The Raccoon developer earned roughly $1200 in subscription fees, together with a cut of their users’ proceeds.

“It’s these kinds of economics that make this type of cybercrime so attractive – and pernicious. Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings.”

So what’s the upshot for you? This one is easy enough to prevent (at this point). Stay away from pirated software on your Windows machines.


FR: France Cracked Down on Google’s Ad Tech, and Google Agreed.

On June 7th 2021, Isabelle de Silva, a little-known French regulator, made global headlines. After a painstaking investigation, which de Silva describes as the most complex she has been involved in, the French Competition Authority, or FCA, hit Google with a $260 million fine. Google, de Silva ruled, had been using its already-dominant advertising technology to further strengthen its position and outbid rivals.

A month later, in a separate case, she fined Google again. This time Google had failed to negotiate copyright changes to its search results with media organizations. Google’s punishment? A $594 million fine.

Such sums are small change to Google and its parent company Alphabet, which made $61.9 billion in the last quarter alone. But the FCA’s ruling on Google’s ad tech was headline-grabbing for another reason: Google didn’t fight it. The company agreed with all the facts in the FCA’s case and agreed to make significant changes in how it operates. And these changes won’t just happen in France, but across the world.

“We were able to show in detail that not only did Google have information that the others did not have, because of its specific [dominant] position, but that they effectively used this information to have a better chance to win the bids,” de Silva said. In short, Google used its power to give itself an advantage. Under competition laws in Europe, companies that have a dominant market position aren’t allowed to abuse their position.

So what’s the upshot for you? Slowly but surely, and after years of inaction, regulators are finally finding their stride. A big part of that is the FCA unpicking Google’s dominance with technologists rather than lawyers. “They have highly qualified people on board—people who are not lawyers or economists, but tech people able to understand Google’s algorithms.”
As for why Google agreed to make such wholesale changes globally? "It’s not French competition law, it’s just competition law,” says Timothy Cowen, the chair of antitrust practice at a London-based law firm.


LU: Amazon Fined 746 Mn Euros in Luxembourg Over Data Privacy

https://www.securityweek.com/amazon-fined-746-mn-euros-luxembourg-over-data-privacy

The fine is believed to be the largest ever issued for a data protection violation since the EU General Data Protection Regulation (GDPR) took effect.

Amazon’s filing with the US Securities and Exchange Commission (SEC) offered no details, but the case stems from a complaint by a European consumer group alleging that personal data was collected for ad targeting without permission.

The fine was issued July 16 by the Luxembourg National Commission for Data Protection following its determination that “Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation (GDPR),” Amazon said in a securities filing.

So what’s the upshot for you? Under the GDPR, a wide range of data points count as personal data, including your IP address.
Moving forward, companies are going to have to tread ever more carefully as they collect user behaviour data for marketing.


Global: Zoom to Settle US Privacy Lawsuit for $85M

Zoom, the video conferencing firm, has agreed to settle a class-action US privacy lawsuit for $85 million, it said Sunday.

The suit charged that Zoom’s sharing of users’ personal data with Facebook, Google, and LinkedIn was a breach of privacy for millions.

While Zoom denied wrongdoing, it did agree to improve its security practices and pay the money.

So what’s the upshot for you? Now let’s all repeat together the familiar Facebook refrain, updated for Zoom: “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us.”


IL: Meet Paragon: An American-Funded, Super-Secretive Israeli Surveillance Startup That ‘Hacks WhatsApp And Signal’

Paragon Solutions doesn’t have a website. There’s very little information at all about them online, even if the Tel Aviv-based smartphone surveillance startup’s employees are all over LinkedIn, more than 50 of them.

But it does have a co-founder, director, and chief shareholder that will turn heads: Ehud Schneorson, the former commander of Israel’s NSA equivalent, known as Unit 8200. The other co-founders - CEO Idan Nurick, CTO Igor Bogudlov, and vice president of research Liad Avraham - are ex-Israeli intelligence too. Also on the board is cofounding director and former Israeli prime minister Ehud Barak.

Paragon claims its product can remotely break into encrypted instant messaging communications, whether that’s WhatsApp, Signal, Facebook Messenger, or Gmail. Apparently, the spyware exploits the protocols of end-to-end encrypted apps, meaning it would get at messages via vulnerabilities in the core ways in which the software operates rather than by breaking the encryption itself.

With an American financial backer, Boston, Massachusetts-based Battery Ventures, Paragon appears set to try to win American law enforcement agencies as customers where others like NSO have failed. According to a LinkedIn profile, a 30-year veteran of Israeli intelligence, Menachem Pakman, has been employed to help find business in the U.S.

So what’s the upshot for you? Microsoft president Brad Smith warned the $12 billion industry as a whole represented a threat, writing: “An industry segment that aids offensive cyberattacks spells bad news on two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates cyberattack proliferation to other governments that have the money but not the people to create their own weapons."


US: Hold the Burritos! Chipotle’s Email Marketing Account Hacked to Spread Malware

The technique involves compromising the account of a genuine mail service user. In the latest incident, the account was that of fast-food firm Chipotle, and the mail service was Mailgun. This technique generally has a high success rate because the emails really do come from a high-reputation source: they are sent from a high-reputation IP address (Mailgun: 166.78.68.204) and pass SPF and DKIM authentication, so many automated phish detection systems let them through.

“Analysis of the email headers revealed that the messages originated from Mailgun servers (postgun.com and mailgun.net) and passed email authentication for chipotle[.]com,” says Inky.

Of the 121 phishing emails examined, two were vishing attacks (fake voicemail notifications with malware attachments), 14 impersonated the USAA Bank, and 105 impersonated Microsoft.

The 14 USAA bank impersonations contained a mail.chipotle[.]com link that redirected to a forged and malicious USAA Bank credential harvesting site. The credential harvesting site is a good impersonation of the genuine bank site, including a perfect copy of the USAA logo. “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born,” comment the researchers.
The majority of phishing emails impersonate Microsoft. This is unsurprising since almost everyone has a Microsoft account, and almost all of those accounts hold large amounts of valuable detail (such as other logins, trade secrets, financial details, and more).

So what’s the upshot for you? This report emphasizes how easy it is to compromise users. Now you should expect all emails asking you to sign into something to be phishing e-mails. A good technique, if you think the mail is valid, is to not click on the link, but start a new tab in your browser and type the company URL in yourself. Log into that and do your own verification!
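The report above is a reminder that a passing SPF/DKIM result only proves the message came from the authenticated domain, not that the domain is the brand the message pretends to be. The following Go program is an added example, not code from Inky or the original post: it parses a constructed message whose headers authenticate as chipotle.com (as a Mailgun-relayed mail would) but whose body impersonates USAA, and flags it because the brand named in the text does not match either the authenticated domain or the link host. The brand allow-list, the sample headers and the `mail.chipotle.com` link are all constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample modelled on the Inky report: SPF/DKIM pass for chipotle.com
// (the mail really left Mailgun) yet the body impersonates USAA and links to a chipotle.com host.
const sampleMail = `From: USAA Security <security@chipotle.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=chipotle.com; dkim=pass header.d=chipotle.com

Your USAA Bank account has been locked. Sign in to restore access:
https://mail.chipotle.com/c/eJxkj0a?redirect=1
`

// Verdict is the result of triaging one message.
type Verdict struct {
	AuthDomain string   // registrable domain that passed DKIM (or SPF), if any
	Brand      string   // brand named in the subject or body, if any
	LinkHosts  []string // hosts of every http(s) link in the body
	Suspicious bool
	Reason     string
}

// brands is a constructed allow-list: the only domains a mail naming the brand may authenticate as and link to.
var brands = []struct {
	name    string
	domains map[string]bool
}{
	{"usaa", map[string]bool{"usaa.com": true}},
	{"microsoft", map[string]bool{"microsoft.com": true, "microsoftonline.com": true, "office.com": true, "live.com": true}},
}

var (
	linkRe = regexp.MustCompile(`https?://[^\s<>"']+`)
	dkimRe = regexp.MustCompile(`dkim=pass[^;]*header\.d=([A-Za-z0-9.-]+)`)
	spfRe  = regexp.MustCompile(`spf=pass[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([A-Za-z0-9.-]+)`)
)

// registrable collapses a host to its last two labels (mail.chipotle.com -> chipotle.com);
// production code should consult the public suffix list instead.
func registrable(host string) string {
	parts := strings.Split(strings.ToLower(host), ".")
	if n := len(parts); n > 2 {
		parts = parts[n-2:]
	}
	return strings.Join(parts, ".")
}

// authenticatedDomain reads the receiving MTA's Authentication-Results header
// and returns the domain that passed DKIM, falling back to SPF.
func authenticatedDomain(h mail.Header) string {
	ar := h.Get("Authentication-Results")
	for _, re := range []*regexp.Regexp{dkimRe, spfRe} {
		if m := re.FindStringSubmatch(ar); m != nil {
			return registrable(m[1])
		}
	}
	return ""
}

func linkHosts(body string) []string {
	var hosts []string
	for _, raw := range linkRe.FindAllString(body, -1) {
		if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
			hosts = append(hosts, u.Hostname())
		}
	}
	return hosts
}

// Triage applies the rule an authentication result alone cannot express: SPF and DKIM only
// prove the mail came from the authenticated domain, so a message naming a brand must
// authenticate as, and link to, that brand's own domains or it is treated as impersonation.
func Triage(raw string) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	body, _ := io.ReadAll(msg.Body) // reading from a strings.Reader cannot fail
	v := Verdict{AuthDomain: authenticatedDomain(msg.Header), LinkHosts: linkHosts(string(body))}
	text := strings.ToLower(msg.Header.Get("Subject") + "\n" + string(body))
	for _, b := range brands {
		if !strings.Contains(text, b.name) {
			continue
		}
		v.Brand = b.name
		if !b.domains[v.AuthDomain] {
			v.Suspicious, v.Reason = true, fmt.Sprintf("names %s but authenticated as %q", b.name, v.AuthDomain)
			return v, nil
		}
		for _, h := range v.LinkHosts {
			if !b.domains[registrable(h)] {
				v.Suspicious, v.Reason = true, fmt.Sprintf("%s mail links to %s", b.name, h)
				return v, nil
			}
		}
	}
	return v, nil
}

func main() {
	v, err := Triage(sampleMail)
	fmt.Printf("%+v %v\n", v, err)
}
```

Run against the constructed sample, `Triage` returns a verdict with `AuthDomain` of chipotle.com, `Brand` of usaa and `Suspicious` set, which is exactly the case SPF and DKIM alone wave through. The same rule clears a genuine USAA mail that authenticates as usaa.com and links only to usaa.com, and flags one that authenticates correctly but links to an unrelated host.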


NA: “PwnedPiper” flaws could allow attackers to disrupt the delivery of lab samples and steal credentials.

You’ve seen them: air-pressurized tube systems that transport medications, bloodwork, and test samples among hospital departments, the lab, and the operating room.

One of the most popular of these so-called pneumatic tube system (PTS) stations recently was found to be harboring several vulnerabilities.

This is where it gets embarrassing, so if you blush easily, you may want to look away now: “The vulnerabilities include two hard-coded passwords of user and root accounts that are accessible via default and fixed telnet access on the control panel. The Swisslog Nexus Control Panel also contains a design flaw that allows unsigned, as well as unauthenticated and unencrypted, firmware updates to the system.
Once you compromise a station, without [needing] credentials, you can harvest any employee credentials to access these systems,” including their RFID cards that open doors at the hospital building.

So what’s the upshot for you?
The good news is “the affected systems are mostly just used in hospitals in North America.”

The bad news is the squabble over the flaw count. Armis, the company that found and reported the flaws, says it discovered nine flaws covered by eight CVEs, while Swisslog says the number should be eight: “they are claiming one vulnerability could have more than one impact and counting it as two vulnerabilities.” On top of that, Swisslog’s latest patch leaves at least one of the vulnerabilities unfixed.

We will leave the fighting to the dawgs, but in the meantime, if you are in North America, you might want to postpone your doctor’s appointment for a bit.
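The design flaw quoted above, a control panel that accepts unsigned, unauthenticated firmware, is the one a patch cannot fix without changing the update path itself. The following Go program is an added example, not Swisslog or Armis code: it defines a small constructed image format (a magic value, a version, a length-prefixed payload and an Ed25519 signature over all of it) and a verifier that refuses anything not signed by the vendor key, anything whose length field disagrees with the image, and any downgrade. The key pair, image layout and payload are all constructed for the example; on a real device only the public key would be baked into the controller.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout, constructed for this example: magic | version (u32 BE) |
// payload length (u32 BE) | payload | Ed25519 signature over everything before it.
var magic = []byte("FWV1")

const sigSize = ed25519.SignatureSize

var (
	ErrFormat   = errors.New("firmware: malformed image")
	ErrUnsigned = errors.New("firmware: signature missing or not made with the vendor key")
	ErrRollback = errors.New("firmware: version is not newer than the installed one")
)

// NewKeyPair stands in for the vendor's signing key. On a real device only the
// public half is baked into the controller; the private half stays in the vendor's HSM.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor side: serialise the header and payload, then sign them.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var hdr [8]byte
	binary.BigEndian.PutUint32(hdr[:4], version)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	img := append([]byte{}, magic...)
	img = append(img, hdr[:]...)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the check the control panel described above lacks: parse the image
// defensively, reject anything not signed by the vendor key, and reject downgrades.
// Only the payload it returns may be written to flash.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	hdrLen := len(magic) + 8
	if len(img) < hdrLen+sigSize || !bytes.Equal(img[:len(magic)], magic) {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[len(magic):])
	n := uint64(binary.BigEndian.Uint32(img[len(magic)+4:]))
	if uint64(len(img)) != uint64(hdrLen)+n+uint64(sigSize) {
		return 0, nil, ErrFormat // the length field disagrees with the image; never trust it
	}
	signed, sig := img[:hdrLen+int(n)], img[hdrLen+int(n):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrUnsigned
	}
	if version <= installed {
		return version, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv := NewKeyPair()
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	if v, _, err := VerifyImage(pub, 1, img); err == nil {
		fmt.Println("genuine image accepted, version", v)
	}
	img[len(magic)+8] ^= 0x01 // flip one payload bit
	_, _, err := VerifyImage(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```

The order of the checks matters: the length and signature are validated before the version is even compared, so an attacker who cannot produce a vendor signature never reaches the rollback logic, and a truncated or unsigned image is rejected as malformed rather than parsed.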


US: The US National Security Agency provides some advice for your wireless devices

  • Don’t connect to public Wi-Fi.
  • Turn off Bluetooth.
  • Disable NFC.
  • Don’t leave your device unattended.
  • And… don’t use your own name to name your device, like “Donald Trump’s iPhone 7”.

So what’s the upshot for you?

  • Keep software and applications updated with the latest patches.
  • Use anti-virus/anti-malware software (if applicable).
  • Use multi-factor authentication (MFA) whenever possible.
  • Reboot regularly, especially mobile phones after using untrusted Wi-Fi.
  • Additionally, for laptops: enable firewalls to restrict inbound and outbound connections by application.

OuterSpace: Reprogrammable satellite launched

Developed under an ESA Partnership Project with satellite operator Eutelsat and prime manufacturer Airbus, Eutelsat Quantum has pioneered a new generation of satellites with the European space industry.

The flexible software-defined satellite – which will be used by governments and in mobility and data markets – was launched on an Ariane 5 on 30 July from Europe’s Spaceport in French Guiana.

It has since reached geostationary orbit some 36 000 km above Earth, where the spacecraft systems checkout was successfully completed.

Because the satellite can be reprogrammed in orbit, it can respond to changing demands during its lifetime.

Its beams can be redirected in almost real time to serve passengers onboard moving ships, planes, trucks, lorries and other land-based transport, and can easily be adjusted to deliver more data when demand surges.

So what’s the upshot for you? What could possibly go wrong?


That’s it for this week’s update. We’ll be parachuting back to Earth in time for our next update. In the meantime, be kind, stay safe, stay secure and we’ll debrief in se7en.




I really want one of those calculators.

Can I get it with a full-sized keyboard though, pretty please? Typing on a tiny box is a young person’s game.


Me too! Full keyboard? How would you ever fit it in your pencil case?


and I am thinking it would really be perfect for reprogramming a particular satellite…


Just browse through some of the files in the archives here: https://www.ticalc.org
