The Story of the IT Privacy and Security Weekly Update and the Exploding Duck. May 24th, 2022


This week we learn why modern romantics sing: “If you like it, then you shoulda put 2FA on it”

Yeah, and we go from Bridal veils to white hats and mistaken nails. From Crypto to klepto to dummo and UFO.

We even end with an exploding duck.

What other blog/podcast gives you that kind of range in a wonderful mix of IT Privacy and Security Updates?

None. Zip. Nada.

So whether you put on a tux, a bridal gown, or nothing at all, at least slip into some comfortable shoes, ‘cause we’re on a run through some amazing stories!

Global: Would-be Brides need Two Factor Authentication Too

The incident first came to light last week after Zola customers took to social media to report that their accounts had been hijacked.

Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards and gift cards.

In a statement given to TechCrunch, Zola spokesperson Emily Forrest confirmed that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials.

Zola said fewer than 0.1% of accounts were compromised but would not say specifically how many users that equates to.

Zola also declined to answer questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.
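Credential stuffing has a recognisable shape in login logs: one source tries many different accounts, one password each, with a high failure rate, which is unlike a classic brute force against a single account. The detector below is an added example (not Zola's or TechCrunch's code); the log format, the sample lines and the thresholds are constructed assumptions for the demo. It flags suspicious sources and lists the accounts that did log in successfully from them, which is the population you would force through a password reset and 2FA enrolment.

```python
"""Credential-stuffing detector over constructed web login logs.

Added example; not code from the original post or from Zola. The log
format ("timestamp ip username OK|FAIL"), the sample lines and the
thresholds below are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one stuffing source (203.0.113.7) cycling through
# many usernames, one user fat-fingering their own password, one normal login.
SAMPLE_LOG = """\
2022-05-20T10:00:01 203.0.113.7 alice FAIL
2022-05-20T10:00:02 203.0.113.7 bob FAIL
2022-05-20T10:00:02 203.0.113.7 carol OK
2022-05-20T10:00:03 203.0.113.7 dave FAIL
2022-05-20T10:00:03 203.0.113.7 erin FAIL
2022-05-20T10:00:04 203.0.113.7 frank FAIL
2022-05-20T10:00:04 203.0.113.7 grace OK
2022-05-20T10:00:05 203.0.113.7 heidi FAIL
2022-05-20T10:00:06 203.0.113.7 ivan FAIL
2022-05-20T10:00:06 203.0.113.7 judy FAIL
2022-05-20T10:01:00 198.51.100.4 alice FAIL
2022-05-20T10:01:05 198.51.100.4 alice FAIL
2022-05-20T10:01:09 198.51.100.4 alice OK
2022-05-20T10:02:00 192.0.2.9 mallory OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into (source_ip, username, succeeded)."""
    _ts, ip, user, outcome = line.split()
    return ip, user, outcome == "OK"


def summarize(log_text):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.usernames.add(user)
    return stats


def flag_stuffing(log_text, min_accounts=5, min_failure_rate=0.6):
    """Return [(ip, distinct_accounts, failure_rate, successes)] for sources that
    touched many distinct accounts with a mostly-failing pattern: the stuffing signal."""
    flagged = []
    for ip, s in summarize(log_text).items():
        rate = s.failures / s.attempts
        if len(s.usernames) >= min_accounts and rate >= min_failure_rate:
            flagged.append((ip, len(s.usernames), round(rate, 2), s.attempts - s.failures))
    return sorted(flagged)


def compromised_accounts(log_text, **thresholds):
    """Usernames that logged in successfully from a flagged source: these are the
    accounts to reset and push into 2FA enrolment, since the password was reused."""
    flagged_ips = {ip for ip, *_ in flag_stuffing(log_text, **thresholds)}
    users = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        if ok and ip in flagged_ips:
            users.add(user)
    return sorted(users)


if __name__ == "__main__":
    for ip, n, rate, hits in flag_stuffing(SAMPLE_LOG):
        print(f"{ip}: {n} accounts tried, failure rate {rate}, {hits} successful logins")
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG))
```

The thresholds are deliberately simple; in production you would window by time, key on more than the source IP (stuffing tools rotate proxies) and correlate with a breached-credential feed. The point of the example is the shape of the signal: distinct accounts per source, not attempts per account.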

So what’s the upshot for you? By this point in the relationship, 2FA should be put on and remain in place, just like that ring.

If you like it, then you shoulda put 2FA on it
Don’t be mad once you see that he want it
If you like it, then you shoulda put 2FA on it…

Global: And from a Bridal Veil to a Veil of Secrecy

Having strangers from all over the world stare at your home isn’t necessarily something you want to happen—but it can be done in seconds on the mapping apps we all carry around on our phones.

If you’d like to deter those digital voyeurs, you can ask Google, Apple, and Microsoft to draw a veil of privacy across your property. You’d be in good company too: Apple CEO Tim Cook had his home blurred from mapping apps after issues with a stalker.

There is something to bear in mind before you do this, though: you may not be able to reverse the process. The blur could be there for good. This is the case for Google Maps, and while Apple and Microsoft don’t specify whether blurs on their services are permanent, they may follow the same protocol or decide to do so in the future.

So, once you have had a moment to pause and think about a permanent blur of your home the article goes into the specific detail as to how to request it with the mapping providers: Google, Apple, and Bing.

So what’s the upshot for you? As a further consideration, if you are thinking of selling your home in the future, this may prevent some third-party services from showing external photos of your home…so perhaps a veil is not the optimal attire…

Global: Why the White Hats can now Breathe Again.

The Department of Justice announced today a policy shift: it will no longer prosecute good-faith security research that would have violated the country’s federal hacking law, the Computer Fraud and Abuse Act (CFAA).

The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed.

The revision of the policy means that such research should not face charges.

“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The policy itself reads that “the Department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”

So what’s the upshot for you? This is a much better stance from the US Department of Justice. If compromise is inevitable, and depending on who is aiming their firepower at you it well could be, then making a few more friends in the IT security business is probably a good idea.

CA: Canada Bans Huawei & ZTE Equipment From 5G Networks, Orders Removal By 2024

Canada has banned the use of Huawei and fellow Chinese tech giant ZTE’s equipment in its 5G networks.

In a statement, it cited national security concerns for the move, saying that the suppliers could be forced to comply with “extrajudicial directions from foreign governments” in ways that could “conflict with Canadian laws or would be detrimental to Canadian interests.”

Telcos will be prevented from procuring new 4G or 5G equipment from the companies by September this year, and must remove all ZTE- and Huawei-branded 5G equipment from their networks by June 28th, 2024. Equipment must also be removed from 4G networks by the end of 2027.

“The Government is committed to maximizing the social and economic benefits of 5G and access to telecommunications services writ large, but not at the expense of security,” the Canadian government wrote in its statement.

So what’s the upshot for you? Huawei and ZTE. This takes us back a few years to when we ran network packet capture on an untouched ZTE phone that seemed to have an unusually strong urge to communicate with a selection of servers in China.

Unfortunately, shortly thereafter the phone had a misunderstanding with a hammer, which mistook it for a nail.

CA: The Math Prodigy Whose Hack Upended DeFi Won’t Give Back His Millions

An 18-year-old graduate PhD student exploited a weakness in Indexed Finance’s code and opened a legal conundrum that’s still rocking the blockchain community.

Then he disappeared.

On Oct. 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed.

The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens – like an index fund, but on the blockchain using a mechanism called an “automated market-maker” to maintain the balance of underlying assets, as many DeFi platforms do. Unlike a traditional market-maker, the AMM wouldn’t buy and sell assets itself; instead it would help the pool reach its desired asset balance by adjusting the “pool price” of component tokens to give traders an incentive to buy them from the pool or sell them into it.

The colleague had sent over a screenshot showing a recent trade, followed by a question mark. “If you didn’t know what you were looking at, you might say, ‘Nice-looking trade,’” Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn’t have been possible.

Something was very wrong. Day jumped up, sending his chips flying, and ran into his bedroom to call Dillon Kellar, a co-founder of Indexed.

Kellar was sitting in his mom’s living room six time zones away near Austin, Texas, disassembling a DVD player so he could salvage one of its lasers. He picked up the phone to hear a breathless Day explaining that the platform had been attacked. “All I said was, ‘What?’” Kellar recalls.

They pulled out their laptops and dug into the platform’s code, with the help of a handful of acquaintances.

Indexed was built on the Ethereum blockchain, a public ledger where transaction details are stored, which meant there was a record of the attack.

It would take weeks to figure out precisely what had happened, but it appeared that the platform had been fooled into severely undervaluing tokens that belonged to its users and selling them to the attacker at an extreme discount. Altogether, the person or people responsible had made off with $16 million worth of assets.

Exploiting the vulnerability required hundreds of commands, which court documents later took dozens of pages to explain. But the process contained a few key steps. For his attack on the pool of tokens that made up the DEFI5 index (and later, on the CC10 pool), Andy Medjedovic wrote a program that took out a “flash loan”—a mechanism in crypto trading that gives users access to funds as long as they’re returned within the same set of preprogrammed transactions—worth $157 million.

His script then used a large chunk of the borrowed funds to buy up nearly all of the pool’s UNI, the token corresponding to the DeFi exchange Uniswap.

The sudden undersupply of UNI caused its price within the pool to skyrocket, as the algorithm sought to incentivize traders to stop swapping UNI out and start swapping it back in to restore its original balance. The more UNI Medjedovic bought, the more the price increased, eventually reaching 860 times its external market price.
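The mechanism above is easiest to see with numbers. The walk-through below is an added example, not Indexed Finance’s code (their pools were weighted, which changes the curve but not the lesson); it assumes the simplest automated market-maker rule, constant product x·y = k, and a fee-free pool. Buying most of a pool’s supply of one token sends that token’s pool price up quadratically, which is why anything that values assets off the pool’s own price can be pushed to absurd numbers by one large, borrowed trade. The deviation check at the end is the kind of guard a protocol can apply: compare the pool price against an independent reference (a time-weighted average or an external feed) and refuse to act when it has drifted too far.

```python
"""Why a pool's own price is a manipulable oracle: constant-product AMM walk-through.

Added example, not Indexed Finance's code. Assumes x * y = k with no fees;
the pool sizes and the deviation threshold are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    base: float   # tokens being bought up (the UNI in the story)
    quote: float  # the asset the pool prices them against

    @property
    def spot_price(self):
        # marginal price of one base token, in quote tokens
        return self.quote / self.base


def quote_in_for_base_out(pool, base_out):
    """Quote tokens a buyer must pay to take base_out base tokens out while
    keeping base * quote constant. Refuses to drain the pool entirely."""
    if base_out <= 0 or base_out >= pool.base:
        raise ValueError("base_out must be between 0 and the pool's base reserve")
    k = pool.base * pool.quote
    new_quote = k / (pool.base - base_out)
    return new_quote - pool.quote


def buy_base(pool, base_out):
    """Execute the trade in place. Returns (cost_in_quote, price_multiplier),
    where price_multiplier is the pool's spot price after / before."""
    before = pool.spot_price
    cost = quote_in_for_base_out(pool, base_out)
    pool.base -= base_out
    pool.quote += cost
    return cost, pool.spot_price / before


def price_deviation_ok(pool_price, reference_price, max_ratio=1.5):
    """Defensive check: only trust the pool price when it sits within max_ratio
    of an independent reference (TWAP or external feed). Anything outside that
    band is treated as manipulated and the dependent action should be refused."""
    ratio = pool_price / reference_price
    return 1 / max_ratio <= ratio <= max_ratio


if __name__ == "__main__":
    # Constructed pool: 1000 base tokens against 1000 quote tokens, spot price 1.0.
    for fraction in (0.5, 0.9, 0.99):
        pool = Pool(base=1000.0, quote=1000.0)
        cost, mult = buy_base(pool, fraction * 1000.0)
        print(f"buy {fraction:.0%} of the pool: pay {cost:,.0f}, "
              f"pool price now {mult:,.0f}x the starting price, "
              f"oracle check passes: {price_deviation_ok(pool.spot_price, 1.0)}")
```

The multiplier for a constant-product pool is (x / (x - out))², so taking 90% of the supply multiplies the price by 100 and taking 99% multiplies it by 10,000; the 860x quoted above is the same curve on a weighted pool. The flash loan only matters because it removes the capital constraint on how far up that curve a single transaction can go.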

So what’s the upshot for you? Andy Medjedovic argues that he’d executed a perfectly legal series of trades. Nothing he did “involves getting access to a system I was not allowed access into,” he said.

“I did not steal anyone’s private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.”

Medjedovic added that he’d taken on “substantial risk” in pursuing this strategy. If he’d failed he would have lost “a pretty large chunk of my portfolio.” (The 3 ETH he stood to lose in fees was worth about $11,000 at the time.)

Global: Microsoft Warns of ‘Stealthy DDoS Malware’ Targeting Linux Devices

“In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos,” writes the Microsoft 365 Defender Research Team.

It’s a trojan combining denial-of-service functionality with XOR-based encryption for communication.

Microsoft calls it part of “the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices.” And ZDNet describes the trojan as “one of the most active Linux-based malware families of 2021, according to Crowdstrike.”

XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers… Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker’s command and control infrastructure.

While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets.

“We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner,” Microsoft notes… Microsoft didn’t see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities…

XorDdos can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.

Microsoft’s team warns that the trojan’s evasion capabilities “include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”

“We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions.”
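When a sample’s strings or C2 traffic are hidden behind a simple XOR, the first triage step is usually to recover the key from the ciphertext alone. The script below is an added example, not Microsoft’s code and not XorDdos’s actual scheme (the post only says its communication is XOR-based); it assumes a single-byte key and a constructed configuration blob. Plain printability is not enough to pick the key, because flipping low bits of ASCII letters yields other printable letters, so the ranking is confirmed with a crib: a regular expression for an IPv4 address and port, which is what an analyst expects to find in a C2 configuration.

```python
"""Recover a single-byte XOR key from an obfuscated configuration blob.

Added example for analyst triage; not Microsoft's code and not XorDdos's
real encoding. The key size (one byte), the sample plaintext and the crib
(an IPv4:port pattern) are assumptions constructed for the demo.
"""
import re
import string

PRINTABLE = set(bytes(string.printable, "ascii"))
# Crib: a C2 config is expected to carry an address:port somewhere.
IPV4_PORT = re.compile(rb"\b\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}\b")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encode and decode are identical)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_single_byte_xor(blob: bytes, min_ratio: float = 0.9):
    """Try every key 1..255 (0 is the identity). Keep candidates whose output is
    mostly printable, ranked crib-match first, then printability. Returns a list
    of (crib_matched, ratio, key, plaintext), best candidate first."""
    candidates = []
    for key in range(1, 256):
        plaintext = xor_bytes(blob, key)
        ratio = printable_ratio(plaintext)
        if ratio < min_ratio:
            continue
        crib = 1 if IPV4_PORT.search(plaintext) else 0
        candidates.append((crib, ratio, key, plaintext))
    return sorted(candidates, key=lambda c: (c[0], c[1]), reverse=True)


def best_key(blob: bytes):
    """The key whose output contains the crib, or None if no candidate does.
    Without the crib several keys can look equally 'printable'."""
    candidates = recover_single_byte_xor(blob)
    if candidates and candidates[0][0] == 1:
        return candidates[0][2]
    return None


# Constructed sample: a fake config string obfuscated with key 0x5A.
PLAINTEXT = b"c2=198.51.100.23:7001;mode=syn_flood;interval=30"
SAMPLE_BLOB = xor_bytes(PLAINTEXT, 0x5A)


if __name__ == "__main__":
    key = best_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}" if key is not None else "no key matched the crib")
    print("decoded:", xor_bytes(SAMPLE_BLOB, key).decode() if key is not None else "-")
    print("printable-only candidates:", len(recover_single_byte_xor(SAMPLE_BLOB)))
```

Run it and note how many keys survive the printability filter versus how many match the crib; that gap is why a recovered configuration should always be confirmed against something you expect to be in it (an address, a URL scheme, a known command name) before it goes into a report or a detection rule.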

So what’s the upshot for you? …and the rest of the article reads like an advert for Microsoft Defender products and of course, you should be running Microsoft’s Edge browser on your Linux endpoint, but we wonder… would people really do that?

US: A pretty blistering commentary on the viability of Cryptocurrency.

Nicholas Weaver is a senior staff researcher at the International Computer Science Institute and lecturer in the computer science department at UC Berkeley. But he’s also a raging cryptocurrency skeptic, arguing that cryptocurrency is useless and destructive, and should “die in a fire.”

In a recent interview in Current Affairs he promulgates what he calls Weaver’s Iron Law of Blockchain. “When somebody says you can solve X with blockchain, they don’t understand X, and you can ignore them.”

So for those pushing cryptocurrency for “Banking the unbanked,” Weaver points to M-Pesa, a payment system Vodafone started in Kenya in 2007 “about the same time as Bitcoin…”

“It has eaten the Third World. It’s huge. Because it just basically attaches a balance to your phone account. And you can text to somebody else to transfer money that way… So even with the most basic dumb phone you have easy-to-use electronic money. And this has taken over multiple countries and become a huge primary payment system. [Whereas] the cryptocurrency doesn’t work.”

Weaver also contends that when companies say they accept payments in Bitcoin, “They’re lying.” (They’re using a service which pays them in “actual money” after performing conversions on any Bitcoin proffered by a customer.) He believes cryptocurrency is only seriously used for payments for ransomware and drug deals — the things that non-decentralized currencies are legally obligated to block.

The reason I’ve gotten so sour on the cryptocurrency space is the ransomware. It’s doing tens to hundreds of billions of dollars worth of damage to the global economy. And it only exists because people can pay in Bitcoin.

Weaver also believes cryptocurrency lets venture capitalists “carry out securities fraud as a business model” when they sell one of their startup’s tokens to retail investors.

This is blatantly an unlicensed security. This is blatant securities fraud, but they didn’t commit the securities fraud. It was just the companies they invested in that did the securities fraud, and the SEC has not been proactively enforcing this. They only retroactively enforce against the initial coin offerings after they fail… and when things fail, the only people to prosecute are the companies, not Andreessen Horowitz itself. So they’ve been able to make securities fraud a business in such a way that they are legally remote, so you will not be able to throw them in jail…

The SEC has the authority to stop those proactively rather than reactively. They choose not to… Basically, there’s a fear among regulators — that I think started in the '80s — of being accused of “stifling innovation.” There’s no innovation to stifle. So regulate away.

He’s also skeptical of cryptocurrency’s other supposed advantages. Weaver argues cryptocurrency incentivizes green power “the same way that a whole bunch of random shootings would incentivize bulletproof vests.”

And even as an investment vehicle, Weaver sees it as “a self-created pyramid scheme.”
[Y]ou have to keep getting new suckers in. As soon as the number of suckers dries up, it collapses. And because it’s not zero-sum, but deeply negative-sum, there are actually a lot of mechanisms that can cause it to collapse suddenly to zero. We saw this just the other day with the Terra stablecoin and the Luna side token.

So when asked for the future of cryptocurrency, Weaver predicts “It will implode spectacularly.” (By which he means it will “collapse greatly.”)

The only question is when. “I thought it would have actually imploded a year ago. But basically, what we saw with Terra and Luna, where it collapsed suddenly due to these downward positive feedback loops — situations where basically the system is designed to collapse utterly and quickly — those will happen to the larger cryptocurrency space…”

So what’s the upshot for you? And from the far corner of the room you could hear them shout, “Sell, Sell!”

US: Ransomware on edtech vendor results in data breach of 500K Chicago students

A ransomware attack last December against the K-12 technology vendor Battelle for Kids is being pinned as the cause of a data breach reported last Friday by Chicago Public Schools, affecting 500,000 students over a four-year period and about 60,000 current and former employees.

Chicago Public Schools sent out breach notification letters notifying families of students who attended between 2015 and 2019.

The school system — the nation’s third-largest, with roughly 340,000 children enrolled currently — uses Battelle for Kids’ teacher evaluation software, which assesses educators based on students’ academic performance. Chicago Public Schools has paid Battelle for Kids about $1.4 million annually since 2012.

“[An] unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations,” read the letter families received last week.

So what’s the upshot for you? School tech vendors are starting to get picked off with alarming regularity, adding one more thing that kids don’t need as they eventually mature into the workforce: a compromised identity.

Global: The passwords most used by CEOs are startlingly dumb

Interesting Findings
The study reveals that passwords such as 123456, password, and 123456789, are as popular among high-ranking executives as they are among ordinary internet users.

  • Most affected countries: France and the United Kingdom were two of the countries most affected by data breaches. Research shows that France had over 200M passwords breached while the UK’s number stands at 600M.
  • Most popular names: Research shows that many high-ranking business executives prefer to use names as their passwords. Among the most popular name-themed passwords are: Tiffany (100,534), Charlie (33,699), Michael (10,647), and Jordan (10,472).
  • Animals and mythical creatures: Besides names, business leaders showed love for animals and mythical creatures when it came to passwords. Dragon (11,926) and monkey (11,675) were ranked high among the top animal-themed passwords used by high-ranking executives.

And the top 4 passwords used by C-level executives, managers, and business owners (We really could not make this up):

  • 123456,
  • password,
  • 12345,
  • 123456789
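Every one of those four would fail the most basic blocklist check, and the name- and creature-based ones fall to a slightly smarter one. The checker below is an added example, not NordPass’s or Verizon’s code; its blocklist, name list and word list are built from the figures quoted above and are far too small for real use (a deployment would query a full breached-password corpus). It shows the three checks that catch this whole category: exact match against known-breached passwords, sequential digit runs, and a dictionary match after stripping the “Tiffany2022!” style decorations people add to get past a complexity rule.

```python
"""Password blocklist check in the spirit of the executive-password findings.

Added example; not NordPass's or Verizon's code. The lists below are
constructed from the values quoted in the post and are deliberately tiny;
a real deployment checks against a full breach corpus.
"""
import re

TOP_PASSWORDS = {"123456", "password", "12345", "123456789"}
COMMON_NAMES = {"tiffany", "charlie", "michael", "jordan"}
COMMON_WORDS = {"dragon", "monkey"}
MIN_LENGTH = 12


def is_sequential_digits(pw: str) -> bool:
    """True for runs like 123456 or 9876 (every step +1 or every step -1)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def normalize(pw: str) -> str:
    """Strip trailing digits and symbols ("Tiffany2022!" -> "tiffany") so the
    dictionary check sees the word the user actually chose."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def check_password(pw: str):
    """Return the list of reasons the password is unacceptable; empty means it passed.
    Reasons are returned in a fixed order so callers (and tests) can rely on it."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in TOP_PASSWORDS:
        reasons.append("in top breached-password list")
    if is_sequential_digits(pw):
        reasons.append("sequential digits")
    core = normalize(pw)
    if core in COMMON_NAMES:
        reasons.append("based on a common name")
    if core in COMMON_WORDS:
        reasons.append("based on a common dictionary word")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the four from the post plus decorated variants.
    for candidate in ("123456", "password", "12345", "123456789",
                      "Tiffany2022!", "Dragon_99", "correct horse battery staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

The length check comes first on purpose: length is the one property an attacker cannot work around with a wordlist, and a passphrase of several unrelated words passes every check here while being far easier to remember than "Dragon_99".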

So what causes corporate data breaches? Here are a few of the leading causes of a breach.

  1. Weak passwords: According to a Verizon Data Breach Investigations Report (DBIR), 80% of data breaches are the result of weak and easy-to-crack passwords. Using simple and easy-to-remember passwords is a risk not worth taking.

  2. Reused passwords: Using a single password for multiple business-related accounts puts those accounts at a huge risk. If a bad actor can get a hold of that single password, every account that the password protects can be compromised simultaneously.

  3. Risky password-sharing habits: These days, password sharing is a part of the corporate reality. However, sharing passwords over insecure channels such as email can lead to a data breach.

  4. Phishing: Phishing scams are a type of social engineering where a bad actor attempts to trick unsuspecting users with fraudulent email messages that are designed to appear legitimate. According to Verizon’s 2021 DBIR, around 25% of all data breaches involve phishing.

  5. Human error: Reports indicate that up to 80% of data breaches are related or directly caused by human error. Often a simple mistake that could be prevented by cybersecurity awareness training leads to a breach.

  6. Poor cybersecurity infrastructure: Like unneeded ports left open or passwords left in code.

  7. Use a password manager, or at the very least a password-protected spreadsheet. The advantage of the password manager, though, is that it will automatically check that the website is the correct one and not let you put your credentials into a website like

  8. Increase cybersecurity training. ← Ha! Of course! Human error remains the leading cause of data breaches and other cybersecurity-related risks. Reading the IT Privacy and Security Weekly Update blog or listening to the podcast helps “heal” this shortcoming.

  9. Use multi-factor/two-factor authentication wherever possible.

So what’s the upshot for you? Make sure your CEO is covered. Make sure they read this blog or listen to the podcast … every week!

US: Ouch! Mark may be on his way to getting Zucked.

Washington, D.C., Attorney General Karl Racine has sued Meta CEO Mark Zuckerberg for allegedly failing to protect consumer data following the Cambridge Analytica data leak.

“The evidence shows Mr. Zuckerberg was personally involved in Facebook’s failure to protect the privacy and data of its users leading directly to the Cambridge Analytica incident,” Racine said in a statement about the lawsuit released Monday.

“This unprecedented security breach exposed tens of millions of Americans’ personal information, and Mr. Zuckerberg’s policies enabled a multi-year effort to mislead users about the extent of Facebook’s wrongful conduct.” He added, “This lawsuit is not only warranted, but necessary, and sends a message that corporate leaders, including CEOs, will be held accountable for their actions.”

The lawsuit alleges that Zuckerberg was “responsible for” and “had the clear ability” to control Facebook operations and enabled Cambridge Analytica to use consumer data.

The lawsuit alleges that third-party firms like Cambridge Analytica got data from 87 million Americans and half of District of Columbia residents.

Racine filed a lawsuit against Facebook in December 2018 for the data leak and is bringing this suit following evidence found during that litigation, according to the attorney general. In March, a judge ruled against an effort by Racine to add Zuckerberg as a defendant in the ongoing 2018 case.

The lawsuit filed by Racine takes issue with what it appears to consider a central business objective of Facebook.

The suit accuses the company of aiming “to convince people to reveal the most granular details of who they are to Facebook – their religions, their work histories, their likes – so that it can be monetized, and Zuckerberg and his company can continue to grow even wealthier.”

On multiple occasions, the lawsuit notes that the company pursued its policies “at Zuckerberg’s direction.”

So what’s the upshot for you? Zuck took full responsibility for the Cambridge Analytica data sharing and with great responsibility comes… great restitution.

US: Private mode is not so private in Chrome

The Google search engine collects data on users who think they can be anonymous if they use a “private browsing” mode, Texas Attorney General Ken Paxton claimed on Thursday, filing an amended privacy lawsuit against the Alphabet unit.

Texas, Indiana, Washington State and the District of Columbia filed separate suits against Google in January in state courts over what they called deceptive location-tracking practices that invade users’ privacy.

Paxton’s filing adds Google’s Incognito mode to the lawsuit filed in January.

Incognito mode or “private browsing” is a web browser function that Paxton said implies Google will not track search history or location activity.

The lawsuit said Google offers the option of “private browsing” that could include “viewing highly personal websites that might indicate, for example, their medical history, political persuasion, or sexual orientation.

Or maybe they simply want to buy a surprise gift without the gift recipient being tipped off by a barrage of targeted ads.”

The suit said “in reality, Google deceptively collects an array of personal data even when a user has engaged Incognito mode.” Paxton previously alleged Google misled consumers by continuing to track their location even when users sought to prevent it.

Google has a “Location History” setting and informs users if they turn it off “the places you go are no longer stored,” Texas said.

So what’s the upshot for you? It’ll be interesting to see how Google argues this one.

US: Navy Ships Swarmed By Drones, Not UFOs, Defense Officials Confirm

The Drive’s Adam Kehoe noticed something during this week’s UFO hearings in the U.S. Congress. “After intense public speculation, stacks of official documents obtained via the Freedom Of Information Act, ambiguous statements from top officials, and an avalanche of media attention, it has now been made clear that the mysterious swarming of U.S. Navy ships off the Southern California coast in 2019 was caused by drones, not otherworldly UFOs or other mysterious craft.

“Raising even more questions, a similar drone swarm event has occurred off another coast, as well.”

These revelations came from top Department of Defense officials during a recent and much-anticipated House hearing on UFOs.

The strange series of events in question unfolded around California’s Channel Islands in July of 2019. On multiple evenings, swarms of unidentified drones were spotted operating around U.S. Navy vessels.

In numerous instances, the drones flew in close proximity to ships, even crossing directly over their decks. The behavior provoked defensive reactions from the ships, including the deployment of emergency security teams…

Deck logs demonstrate that the Navy appears to have drilled and implemented a variety of counter-drone techniques in response to these incidents. This eventually included the deployment of Northrop Grumman’s Drone Restricted Access Using Known EW (DRAKE) platform. The DRAKE system is a man-portable backpack that allows sailors to use radio frequency signals to interrupt the control links of drones. The DRAKE system appears to have been actually deployed in one of the incidents…

It is entirely unclear where the drones were operating from, how they were controlled, or who was controlling them. Still, the Navy could identify the objects as drones without those questions being fully answered at this time…

The Department of Defense’s open acknowledgment of these drone swarm events just off U.S. shores shows that the threat is not theoretical. It is also not a future threat. Significant drone swarm events have occurred in the last three years, unknown to the public, and evidently unresolved by defense authorities. Judging by what is known to date about the 2019 incident, it is clear that the United States is not well-positioned to detect, identify and neutralize such threats. It remains to be seen what level of priority these issues will receive by lawmakers in relation to more speculative questions surrounding “Unidentified Aerial Phenomena”.

If anything else, top confirmation that adversaries are operating swarms among America’s most powerful weapons in training areas where their most sensitive capabilities are put to use should make national headlines, but because it was buried in sensationalism around UFOs, it clearly did not.

So what’s the upshot for you? Last week’s hearing also demonstrates that public discussion of such encounters is largely situated in a broader cultural conversation about UFOs and aliens – not terrestrial technology and intelligence.

In fact, none of the lawmakers present asked any follow-up questions about the apparent fact that at least two highly troubling drone swarm events have occurred in the last several years.

Global: Busted! Duck Duck Go has a tracker blocking carve-out linked to Microsoft contract

DuckDuckGo, the self-styled “internet privacy company” — which, for years, has built a brand around a claim of non-tracking web search and, more recently, launched its own ‘private’ browser with built-in tracker blocking — has found itself in hot water after a researcher found hidden limits on its tracking protection that create a carve-out for certain advertising data requests by its search syndication partner, Microsoft.

Late yesterday, the researcher in question, Zach Edwards, tweeted the findings of his audit — saying he had found DuckDuckGo’s mobile browsers do not block advertising requests made by Microsoft scripts on non-Microsoft web properties.

Discussing his findings and DuckDuckGo’s response with TechCrunch, Edwards described himself as “pretty shocked” by DuckDuckGo CEO Gabriel Weinberg’s public response to his audit — and for having what he summed up as “no public solutions for the problems created through the secret partnership between DuckDuckgo and Microsoft.”

So what’s the upshot for you? Boom! …and the duck explodes.

Quote of the week: “Nobody wants to know what you’re doing until you’re doing something you don’t want anyone to know about.”

That’s it for this week. Stay safe, stay secure, if it’s on the menu, avoid the duck, and we’ll see you in se7en.