The "They got more breeches than Levi Strauss" Privacy and Security Weekly Update for January 26th. 2021

G’day Daml’ers!

We start with a guy who’s got reporters, lawsuits and a Stock Market darling chasing him, and he didn’t even know it until a reporter from the Post told him!

We show you the price you pay for something free. Then we move on to more breeches than Levi Strauss… and a sombre message about trust on the Internet.

We finish with a shocking story about our kids getting hacked. Think it’s implausible? Think again!

This is the best Privacy and Security Weekly Update yet, so let’s get going!

US:Tesla sues ex-employee over alleged ‘brazen’ theft of confidential code, files.

Tesla is suing a former employee and software engineer named Alex Khatilov, alleging trade secret theft and breach of contract.

According to Tesla’s complaint, only three days after being hired on December 28, 2020, Khatilov “brazenly stole” thousands of files from the automaker’s WARP Drive backend system

Tesla has also accused the engineer of attempting to cover his tracks by “hurriedly deleting the Dropbox client and other files during the beginning of the interview,” leaving the company to wonder whether or not other confidential data may have been stolen, noting that Tesla has “no way to know” if any further leaks or transfers to third-parties have occurred.

“Access to the scripts would enable engineers at other companies to reverse engineer Tesla’s automated processes to create a similar automated system in a fraction of the time and with a fraction of the expense it took Tesla to build it,” Tesla says. “The scripts also would inform competitors of which systems Tesla believes are important and valuable to automate and how to automate them – providing a roadmap to copy Tesla’s innovation.”

Apparently, Khatilov was not aware Tesla was suing him until the New York Post reached out to him about the matter.

So what’s the upshot for you? Be careful in a new system in new surroundings. This Khatilov’s adventure could have been as inadvertent as a desktop synch, or something much more, but for now it seems the courts will make that decision.

Global: Beware-A New Wormable Android Malware Spreading Through WhatsApp

“This malware spreads via victim’s WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app,” ESET researcher Lukas Stefanko said.
“I don’t remember reading and analyzing any Android malware having such functionality to spread itself via whatsapp messages.”

Stefanko said the exact mechanism behind how it finds its way to the initial set of directly infected victims is not clear; however, it’s to be noted the wormable malware can potentially expand from a few devices to many others incredibly quickly.

“I would say it could be via SMS, mail, social media, channels/chat groups etc,” Stefanko told The Hacker News.

So what’s the upshot for you? If anything, the development once again underscores the need to stick to trusted sources to download third-party apps, verify if an app is indeed built by a genuine developer, and carefully scrutinize app permissions before installation.
Also, if you have not already, move off What’s App to Signal… and take all your friends with you.

Global:New campaign targeting security researchers

Over the past several months, the Google Threat Analysis Group (tag) has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.
After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.

So what’s the upshot for you? Everyone has to be careful in today’s brave new world, because even the security folks are becoming targets. The advice from Google’s Tag team? If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.

CZ:The Cost of Avast’s Free Antivirus? Companies Can Spy on Your Clicks

The Cost of Avast's Free Antivirus: Companies Can Spy on Your Clicks | PCMag “The data is fully de-identified and aggregated and cannot be used to personally identify or target you,” Avast told users, who opt in to the data sharing. In return, your privacy is preserved, Avast gets paid, and online marketers get a trove of “aggregate” consumer data to help them sell more products.

There’s just one problem: What should be a giant chunk of anonymized web history data can actually be picked apart and linked back to individual Avast users, according to a joint investigation by PCMag and Motherboard.
The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.

For instance, a single click can look like this: Device ID: abc123x Date: 2020/12/01 Hour Minute Second: 12:03:05 Domain: Product: Apple iPad Pro 10.5 - 2018 Model - 256GB, Rose Gold Behavior: Add to Cart.

“Most of the threats posed by de-anonymization—where you are identifying people—comes from the ability to merge the information with other data,”

Jumpshot is the name of the Avast subdivision selling the data collected by Avast and in regard to one particular client, Jumpshot appears to have offered access to everything.

In December 2018, Omnicom Media Group, a major marketing provider, signed a contract to receive what’s called the “All Clicks Feed,” or every click Jumpshot is collecting from Avast users. Normally, the All Clicks Feed is sold without device IDs “to protect against triangulation of PII (Personally Identifiable Information),” says Jumpshot’s product handbook. But when it comes to Omnicom, Jumpshot is delivering the product with device IDs attached to each click, according to the contract.

In addition, the contract calls for Jumpshot to supply the URL string to each site visited, the referring URL, the timestamps down to the millisecond, along with the suspected age and gender of the user, which can inferred based on what sites the person is visiting.

It’s unclear why Omnicom wants the data. The company did not respond to our questions. But the contract raises the disturbing prospect Omnicom can unravel Jumpshot’s data to identify individual users.

Clients mentioned in Jumpshot’s marketing cover consumer product companies Unilever, Nestle Purina, and Kimberly-Clark, in addition to TurboTax provider Intuit. Also named are market research and consulting firms McKinsey & Company and GfK, which declined to comment on its partnership with Jumpshot.

‘It’s Almost Impossible to De-Identify Data’. Wladimir Palant is the security researcher who initially sparked last month’s public scrutiny of Avast’s data-collection policies. In October, he noticed something odd with the antivirus company’s browser extensions: They were logging every website visited alongside a user ID and sending the information to Avast. “Aggregation would normally mean that data of multiple users is combined. If Jumpshot clients can still see data of individual users, that’s really bad,” Palant said in an email interview.

Avast’s Jumpshot division can still collect your browser histories through Avast’s main antivirus applications on desktop and mobile. This include AVG antivirus, which Avast also owns. The data harvesting occurs through the software’s Web Shield component, which will also scan URLs on your browser to detect malicious or fraudulent websites.

“For this reason, PCMag can no longer recommend Avast Free Antivirus as an Editors’ Choice in the category of free antivirus protection.”

So what’s the upshot for you? Is anything ever truly free? Sometimes you are better off paying a small fee to subsidize the work that goes on developing a tool rather than leaving the monetization to be determined at some later date.

Additionally, although many do not read the privacy agreements they sign, we do… and we can tell you that there have been a number of surprises over the years, typically buried about three quarters of the way through a very lengthy document.

and now on to those breeches…

AU/Breach: Australian Corporate Regulator Discloses Breach Involving Accellion Software

The Australian Securities and Investments Commission (ASIC) on Monday disclosed a security incident that involved Accellion software.

An independent commission of the Australian government, ASIC is the national corporate regulator, overseeing enterprise and financial services and also tasked with the enforcement of laws designed to protect consumers, creditors, and investors in Australia.

The newly disclosed incident, ASIC says, was identified on January 15, 2021, and resulted in unauthorized access to one of its servers, on which documents related to recent Australian credit license applications were stored.

Breach: TikTok Bug Gave Access to Contacts’ Profile Details

TikTok allows users to sync their phone contacts with the app using the Find friends feature, thus connecting user profiles with phone numbers.

The flaw allowed attackers to bypass the app’s HTTP message signing to login, and then sync contacts to discover the profiles of all the TikTok users in the victim’s phone book.

Worse still, the SMS log-in process from a mobile device involved TikTok servers generating a token and session cookies, but these did not expire for 60 days, meaning an attacker could use the same cookies to login for weeks.

The flaw only impacts those users who have linked a phone number with their account or logged in with a phone number.

TikTok have since fixed the vulnerability.

US/Breach: Cook County Leaks 320,000 Court Records

Over 320,000 court records belonging to the second most populous county in the US have been discovered sitting on a misconfigured online database.
“There have been several high -profile data exposures of private companies that affected Cook County residents in the past few years including a large hospital data breach. However, this appears to be the largest breach of Cook County internal records to date.” Cook County includes Chicago Illinois.

The highly sensitive data appears to have come from an internal records management system, with virtually all exposed records containing some form of personal info including: full names, home addresses, email addresses, case numbers and private case notes.

Dating back nine years, the cases were marked up to signify they relate to either immigration, family or criminal court proceedings.

US/Breach: South Carolina County Suffers Weekend Cyberattack

A coastal South Carolina county says hackers broke into its computer network over the weekend.

A statement from Georgetown County’s local government Monday said the county’s computer network “suffered a major infrastructure breach over the weekend.”

Most of the county’s electronic systems, including emails, were impacted.

Breach:Hacker leaks data of 2.28 million dating site users

The leaked data, a 1.2 GB file, appears to be a dump of the site’s users database.

The content of this file includes a wealth of information that users provided when they set up profiles on the MeetMindful site and mobile apps.

Some of the most sensitive data points included in the file include:

  • Real names
  • Email addresses
  • City, state, and ZIP details
  • Body details
  • Dating preferences
  • Marital status
  • Birth dates
  • Latitude and longitude
  • IP addresses
  • Bcrypt-hashed account passwords
  • Facebook user IDs
  • Facebook authentication tokens

US/Breach: Bonobos Notifies Users of Data Breach

While the company did not provide specific details on the type of data that might have been compromised, its privacy policy reveals that personal information it collects may include names, addresses, phone numbers, email addresses, system information, national identification numbers, driver’s license numbers, age and date of birth, gender, nationality, purchase history information, location information, credit and debit card numbers, and other information.
The information was contained in a 70 GB SQL file and included user data such as addresses and phone numbers for roughly 7 million users, account information for nearly 2 million registered users, and partial numbers of 3.5 million payment cards.

UK/Breach: British fox hunt supporters warned about coordinated data breaches

Three hunts have been hit by data leaks, with home addresses and contact details published online by anti-hunting groups, said the police, who warned hunt supporters to bolster the security of their stables and kennels after three hunts were hit by coordinated data breaches.

So what’s the upshot for you? Breeches are becoming so routine that country bands are singing about them. No matter where, or what, or who; these days you can almost count on data that you share to be exposed. Reveal the minimum possible and consider what you would do if it was. A good list of steps to take can be found here:

We say… get familiar with the document before you need it!

Crypto/Breech: Livecoin slams its doors shut after failing to recover from hack, financial loss

Livecoin, the Russian cryptocurrency exchange, claimed it had been hacked roughly around Christmas, with the alleged cyber attackers seizing control of Livecoin systems in order to tamper with exchange rate values.

Bitcoin (BTC) exchange rates were changed from $23,000 at the time to over $450,000, and Ethereum grew from $600 to $15,000. Smaller cryptocurrency rates were also impacted.

As Livecoin asked users to stop all activity, the threat actors began cashing out, reaping profit in the process. Livecoin claimed to have lost control of its “servers, backend, and nodes,” and was unable to stop the attack from occurring.
Additionally claims have been made that “documentation and personal information to verify claimant identities, including passport/ID scans, selfies, places of residence, primary device data for logging in to Livecoin, and video footage” were also stolen.

Crypto/Breach:Data from Indian cryptocurrency BuyUCoin has been leaked online

Indian cryptocurrency exchange BuyUCoin initially denying the databreeches as “rumors” now says that is investigating claims that sensitive data related to hundreds of thousands of its users has been published on the dark web, where it is available for free download.

The 6GB of leaked data is said to have been found in a MongoDB database that BuyUCoin had left unsecured, and included users’ bank account details, email addresses, bcrypt-hashed passwords, mobile phone numbers, and Google sign-in tokens.

So what’s the upshot for you? You research your crypto purchases carefully. Do the same for your Crypto exchanges. Is it safer to keep your crypto details yourself? It just may be.

SolarWinds: SonicWall Is Latest Security Vendor to Disclose Cyberattack

In a statement published Jan. 22, SonicWall officials wrote they detected an attack by highly sophisticated threat actors exploiting probably zero-day vulnerabilities on certain SonicWall secure remote access products.

SolarWinds: Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach.

“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails.”

SolarWinds: Virginia Regulator And $5 Billion Cybersecurity Firm Confirmed As Targets

Amongst the confirmed newly-discovered targets are Qualys, a $5 billion market cap cybersecurity company on the Nasdaq, and the Virginia State Corporation Commission, which regulates businesses in the region. Both said they had installed the SolarWinds Orion tool that was laced with malware in 2020 before being downloaded by thousands of customers.

“Qualys’ in-depth investigations have concluded that there was no successful exfiltration of any data, even though the test system attempted to connect to the associated backdoor.”

So what’s the upshot for you? As the SolarWinds compromise continues to unfold we are starting to see some very directed activity: “stage two targets were clearly handpicked by the threat actors.”

So far the global tally sounds almost like a global cyber pandemic with 80% of the identified victims located in the United States with the rest spread over seven other countries including Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the UAE… but just like Covid-19, expect this to spread with the number of victims to continue to grow.

US: A Home Security Worker Hacked Into Surveillance Systems

A former employee of prominent home security company ADT has admitted that he hacked into the surveillance feeds of dozens of customer homes, doing so primarily to spy on naked women or to leer at unsuspecting couples while they had sex.

Telesforo Aviles, 35, pleaded guilty to a count of computer fraud in federal court this week, confessing that he inappropriately accessed the accounts of customers some 9,600 times over the course of several years. He is alleged to have done this to over 200 customers.

So what’s the upshot for you? Think about how cameras and devices are situated, because at the end of the day there are often people behind your Alexa, Google, Siri or ADP devices, and although they may have good intent, clearly some do not.

Our last story was contributed by our own DJ KK, who with a child of his own, undoubtedly found this story somewhat unsettling.

UK: Laptops given to British schools came preloaded with remote-access worm

A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with malware. The affected laptops, distributed to schools under the UK government’s Get Help With Technology (GHWT) scheme, which started last year, came bundled with Gamarue – an old remote-access worm from the 2010s. This software nasty doesn’t just spread from computer to computer, it also tries to connect to outside servers for instructions to carry out.

A batch of 23,000 computers, the GeoBook 1E running Windows 10, made by Shenzhen-headquartered Tactus Group, contained the units that were loaded with malware.

So what’s the upshot for you? Anything that ends up with our kids and… in our homes… needs to be vetted and checked thoroughly, and… if you don’t get a feeling of comfort from the school, put anti-malware and antivirus (stay away from Avast though OK?) on the machine and prove to yourself that there is nothing untoward on that device.

That’s it for this week Daml’ers! Stay safe, Stay secure and see you again in Se7en days!


thanks for this update @rps, worth reading!