The Tipping Point for the IT Privacy and Security Weekly update July 27th, 2021


Daml’ers,

As we put this update together there is a haze outside our New York windows from the raging fires burning 2400 miles (about 4000 kilometers) to the west.

We start in a lighthearted mood, with a great reason to use 2FA, and finish with a burning update about the loss of something that may be even more important than your Privacy and Security.

In between, we have a mix of stories that range from Home routers in France being hijacked by APT31, to an unexpected Twitter discovery.

Next, we have Venmo offering just a little more privacy … and why naked people are turning up next to your Washington Post articles.

This may be the most important update yet, so stick with us to the end. We think you’ll take away more than you bargained for.


IT: Olympics Broadcaster Announces His Computer Password on Live TV

You have to love this. An Italian sports announcer who did not know he was live reveals his password… and a few other gems.

A source who works at Eurosport, the channel which was broadcasting the volleyball game, confirmed that the video is authentic.

Even if you don’t speak Italian it’s funny enough, but if you do… the big reveal?

It turns out the password was “Booth.03” after the number of the commentator’s booth.

So what’s the upshot for you? Use 2FA.


Global: Only 2.3 Percent of Twitter Users Use 2FA

Only 2.3 Percent of Active Twitter Users Have Two-Factor Enabled

Twitter this week disclosed that very, very, very, very, very few of its users actually take advantage of two-factor authentication. Only 2.3 percent, to be precise.

“This is not great! Two-factor can’t stop every attack, but it provides a huge security upgrade for not much extra hassle, on a platform that suffers account takeover epidemics on a regular basis. You can even use an authentication app instead of your phone number, an even more secure and easy to manage method.

If you’re one of the 97.7 percent of active Twitter users not using two-factor, please take 90 seconds out of your day to set it up.”

So what’s the upshot for you? That means that 97.7% of us need to get busy and enable 2FA!


ZA: S. Africa’s Port Terminals Still Disrupted Days After Cyber-Attack

South Africa’s state-owned logistics firm said Tuesday it was working to restore systems following a major cyber-attack last week that hit the country’s key port terminals.

The attack began on July 22 and was still ongoing, forcing Transnet to switch to manual systems.

It said it had “experienced an act of cyber-attack, security intrusion, and sabotage, which resulted in the disruption of… normal processes and functions.”

The attack has affected ports in Durban – the busiest in sub-Saharan Africa – as well as Cape Town, Port Elizabeth, and Ngqura, Transnet said in the “confidential” notice seen by AFP on Tuesday.

“The disruption has occurred at the peak of the citrus export season when South African farmers are rushing to get their produce to foreign markets. It’s the perfect storm”.

So what’s the upshot for you? This may be an attack on shipping facilities, but food producers and consumers who can least afford it are losing big.


NL/CN: TikTok fined €750,000 for Violating Children’s Privacy

https://www.securityweek.com/tiktok-fined-€750000-violating-childrens-privacy

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens – AP) announced Thursday that it has imposed a fine of €750,000 on TikTok “for violating the privacy of young children”.

More specifically, TikTok failed to provide a privacy statement in the Dutch language, making it difficult for young children to understand what would happen to their data.

Where children are concerned, the AP’s decision to fine TikTok would seem to imply a de facto case. The AP is satisfied that TikTok collected and processed personally identifiable information and that it did so without legally acceptable information being given to the data subjects (the young children). This is a seemingly clear violation of GDPR.

So what’s the upshot for you? This is part of a wider set of legal issues facing TikTok. In February 2021, the Chinese parent company ByteDance agreed to pay $92 million in settlement to U.S. users – part of a class lawsuit that alleges illegal data collection – for violation of Illinois privacy law.

In late May 2021, the European Commission gave TikTok one month to answer complaints from the European Consumer Organization that had claimed several terms in TikTok’s ‘Terms of Service’ are unfair. The consumer group said the platform failed to protect children and teenagers from hidden advertising and potentially harmful content.


NL: Dutch Police Arrest Alleged Member of ‘Fraud Family’ Cybercrime Gang

https://www.securityweek.com/dutch-police-arrest-alleged-member-fraud-family-cybercrime-gang

The man worked together with a 15-year-old accomplice to develop and sell phishing panels that allowed cybercriminals to steal banking credentials from unsuspecting users.

According to threat intelligence company Group-IB, which helped the investigation, “Fraud Family” is a Dutch-speaking crime syndicate that builds, sells, and rents sophisticated phishing frameworks.

Impersonating legitimate financial organizations, the attackers typically approach victims via email, SMS, or WhatsApp messages, and trick them into clicking on malicious links that take them to phishing websites where they are prompted to share their login credentials.

The cybercriminals behind this Fraud-as-a-Service operation would provide other threat actors with phishing kits and web panels targeting bank users, mainly in the Netherlands and Belgium. The frameworks allow adversaries to interact with the phishing site in real-time and also include data collection and management capabilities.

Dutch authorities announced that, while the 24-year-old remains in custody, the 15-year-old was released, pending further investigation. A third individual, 18 years of age, had their residence searched this week in relation to the investigation.

So what’s the upshot for you? “Honey, can you go ask Jimmy-bob why there are police surrounding the house?”


Global: Venmo Gets More Private—but It’s Still Not 100%

Last week Venmo took a long-overdue step toward privacy by eliminating its global social feed in its latest redesign.

That’s good! Now you can no longer witness an endless stream of complete strangers sending money to and from one another.

But privacy advocates say that until Venmo makes every transaction private by default, it’s still a liability for users who may not realize they have to dig through the settings to hide their Venmo lives from others.

Venmo’s global feed has for years been a font of voyeuristic insights into the financial habits of total strangers. The feed doesn’t display amounts for a given transaction, but names, notes, emoji, and likes are included. Tapping on a name brings you to that user’s profile, and an enterprising busybody (or worse) could pretty quickly build a small dossier of that person’s friends, their hobbies, and anything else they’ve slipped into the stream—without, perhaps, realizing how public that info can be.

Venmo hasn’t made it especially easy for users to figure out what they are or are not sharing; in 2018 it reached a settlement with the Federal Trade Commission related in part to its confusing privacy settings.

So what’s the upshot for you? “Venmo’s finally getting the message that maximum publicity on a financial app is a terrible idea,” says Kaili Lambe, senior campaigner at the Mozilla Foundation, a nonprofit focused on internet openness and accessibility. “…from the beginning, we have been calling on Venmo to be private by default, because so many Venmo users don’t actually know that their transactions are public to the world.”

To make sure that yours aren’t going forward, head to Settings > Privacy and select Private. Then tap Past Transactions, and tap Change All to Private to lock things down retroactively.

Also, while hitting the privacy buttons, tap Friends List, then tap Private and toggle off Appear in other users’ friends list. Otherwise, you’re sharing the digital equivalent of your credit card purchases with everyone you know, and lots of people you don’t.

Lastly, consider using something like Square’s Cash App instead, which is private by default.


Global: A Defunct Video Hosting Site Is Flooding Normal Websites With Hardcore Porn

Hardcore porn is now embedded on the pages of the Huffington Post, New York magazine, The Washington Post, and a host of other websites.

This is because a porn site called 5 Star Porn HD bought the domain for Vidme, a brief YouTube competitor founded in 2014 and shuttered in 2017. Its Twitter account is still up, but the domain lapsed. Seemingly, any vid (dot) me embed now redirects to the 5 Star Porn HD homepage.

So what’s the upshot for you? “This is funny, unfortunate, and also, an example of a much larger problem: The internet is a collective hallucination that is fading away thanks to link rot.” – Motherboard


Global: A Single-Character Typo Made Chromebooks Unusable

Chromebook owners may have found themselves unable to log into their devices this week.

A bug introduced in a recent update made it so that the cloud-based laptops wouldn’t accept passwords on the log-in screen, leaving users locked out indefinitely. Not great! But what makes it even worse is that the bug apparently comes down to a single, tiny typo.

Some Chrome OS programmer somewhere left out an “&” in a conditional statement, none of their colleagues caught it, and chaos ensued.

Google pulled the bad update quickly, and a fix is rolling out now, but that’s little comfort to the Chromebook owners who were affected.

Google can’t seem to catch a break when it comes to Chrome OS 91. First, we saw many users reporting their devices using an egregious amount of CPU after upgrading to 91.0.4472.147. While Google pulled the update shortly thereafter and rolled everyone back to 91.0.4472.114, that managed to lock out Linux apps.

Now we’re seeing the arrival of 91.0.4772.165, and this update introduces an awful bug that’s breaking Chromebooks left and right.

A moderator from the ChromeOS subreddit recently tipped us about this new Chrome OS update that’s locking users out of their Chromebooks. If you receive a prompt in the system tray to update your machine, do not shut off your Chromebook. Chrome OS would otherwise automatically install it upon restarting, meaning your device would be stuck with the problematic 91.0.4772.165 build.

While Google is aware of the problem and is pulling the update from its servers, the damage has already been done.

So what’s the upshot for you? Chrome OS 91.0.4772.167 is now available on the update server, which should finally close the curtains on this issue. With the new build, Chrome OS should be able to decrypt your user account and sign you in, allowing you to access your important files.

Here’s how to update your Chromebook manually in case it has trouble fetching the update:

  • Log in as Guest.
  • Open Chrome OS preferences by clicking the system tray and pressing the settings icon.
  • Click About Chrome OS, then press Check for updates.
  • You should be able to sign back in with the new Chrome OS 91 build.


US: NIST selects 18 tech companies for zero-trust demonstrations

The National Institute of Standards and Technology selected 18 tech companies to demonstrate zero-trust security architectures as it drafts guidance for agencies and industry.

Companies will work with NIST’s National Cybersecurity Center of Excellence to design and deploy architectures in accordance with Special Publication (SP) 800-207, Zero Trust Architecture, which describes the core logical components that make up a zero-trust architecture (ZTA). Zero trust refers to an evolving set of security paradigms that narrows defenses from wide network perimeters to individual resources or small groups of resources.

So what’s the upshot for you? What? You want to know the names of the companies so you can do some quick investment research? Amazon, Appgate, Cisco, F5 Networks, FireEye, Forescout, IBM, McAfee, Microsoft, MobileIron, Okta, Palo Alto, PC Matic, Radiant Logic, SailPoint, Symantec, Tenable, and Zscaler.


Global: EvilModel: Hiding Malware Inside of Neural Network Models

Bruce Schneier pointed out a research report by Zhi Wang, Chaoge Liu, and Xiang Cui today that is a bit chilling…

Delivering malware covertly and detection-evadingly is critical to advanced malware campaigns. In this paper, we present a method that delivers malware covertly and detection-evadingly through neural network models. Neural network models are poorly explainable and have a good generalization ability.

By embedding malware into the neurons, malware can be delivered covertly with minor or even no impact on the performance of neural networks.

Meanwhile, since the structure of the neural network models remains unchanged, they can pass the security scan of antivirus engines.

Experiments show that 36.9MB of malware can be embedded into a 178MB-AlexNet model within 1% accuracy loss, and no suspicions are raised by antivirus engines in VirusTotal, which verifies the feasibility of this method.

With the widespread application of artificial intelligence, utilizing neural networks becomes a forwarding trend of malware.

We hope this work could provide a referenceable scenario for the defense on neural network-assisted attacks.

So what’s the upshot for you? What… now we have Cornell University postgrads studying how to place malware in machine learning code?


CN: China Hacked US Pipelines a Decade Ago

Remember how they used to say that China has historically focused on espionage?

That’s still true. But a troubling alert from the FBI and the Department of Homeland Security this week indicates that the country’s hackers have at least considered more disruptive attacks.

From around 2011-2013, they probed nearly two dozen US pipeline companies, and not just for intellectual property. “This activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations,” the alert reads.

It’s the sort of behavior you’ve come to expect from Russia or ransomware hooligans, but less so China. “Fortunately, the incidents were years ago; the hope is that it doesn’t revisit those plans.”

So what’s the upshot for you? A country maps out all critical infrastructure globally, has more Personally Identifiable Information and financial data on a country’s population than they have on themselves, and starts building whole islands to put military bases on to control shipping traffic in one of the busiest areas in the world … is probably only doing all that because it wants to be helpful, right?


FR: China-linked APT31 Exploiting Home Routers in French Hacking Op

https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/

France’s national cybersecurity agency has warned that the China-based hacking group APT31 is behind ongoing cyberattacks aimed at French organizations since the beginning of the year.

In a recent alert, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) said the cyber syndicate is using a mesh of infected home routers as “relay boxes” to probe for vulnerabilities and initiate attacks. “It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”

So what’s the upshot for you? APT31 is keeping busy. Remember, last month it was Microsoft Exchange servers.


Global: New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains

A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain.

The issue, dubbed “PetitPotam,” was discovered by security researcher Gilles Lionel, who shared technical details and Proof-of-Concept (PoC) code last week, noting that the flaw works by forcing “Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.”

MS-EFSRPC is Microsoft’s Encrypting File System Remote Protocol that’s used to perform “maintenance and management operations on encrypted data that is stored remotely and accessed over a network.”

Specifically, the attack enables a domain controller to authenticate against a remote NTLM relay server under a bad actor’s control using the MS-EFSRPC interface and share its authentication information. This is done by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication.

“An attacker can target a Domain Controller to send its credentials by using the MS-EFSRPC protocol and then relaying the DC NTLM credentials to the Active Directory Certificate Services AD CS Web Enrollment pages to enroll a DC certificate,” TRUESEC’s Hasain Alshakarti said. “This will effectively give the attacker an authentication certificate that can be used to access domain services as a DC and compromise the entire domain.”

So what’s the upshot for you? To safeguard against this line of attack, the Windows maker is recommending that customers disable NTLM authentication on the domain controller. In the event NTLM cannot be turned off for compatibility reasons, the company is urging users to take one of the two steps below:

  • Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
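A read-only audit of those two settings on an AD CS server, written for this update as an added example (it is not Microsoft’s, TRUESEC’s, or the article’s code). It assumes an elevated session on the AD CS server with the IIS management tools installed, and that Web Enrollment lives at Default Web Site/CertSrv; the Certificate Enrollment Web Service application names are environment-specific, so add them to $AppPaths yourself.

```powershell
# Added audit script: reports whether the two PetitPotam mitigations listed above are in place.
# Assumptions: run elevated on the AD CS server; IIS management tools (WebAdministration
# module) are installed; enrollment apps are under "Default Web Site" at the paths in
# $AppPaths. It only reads configuration and never changes it.

Import-Module WebAdministration -ErrorAction Stop

# Step 1: the group policy "Network security: Restrict NTLM: Incoming NTLM traffic" is stored
# as a registry value under LSA\MSV1_0:
#   absent or 0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$incoming = (Get-ItemProperty -Path $lsaKey -Name 'RestrictReceivingNTLMTraffic' `
                -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
switch ($incoming) {
    2       { Write-Output '[OK]   Incoming NTLM: deny all accounts' }
    1       { Write-Output '[WARN] Incoming NTLM: deny domain accounts only; local accounts may still use NTLM' }
    default { Write-Output '[FAIL] Incoming NTLM: not restricted (value absent or 0)' }
}

# Step 2: Windows Authentication providers on the IIS enrollment applications.
#   "NTLM" must be removed. A bare "Negotiate" can still fall back to NTLM, so the
#   Kerberos-only provider "Negotiate:Kerberos" is what you want to see.
#   Extended Protection (tokenChecking = Require, on an HTTPS site) is a related hardening:
#   it binds the authentication to the TLS channel, so a relayed exchange is rejected.
$AppPaths = @(
    'IIS:\Sites\Default Web Site\CertSrv'   # Certificate Authority Web Enrollment (assumed path)
    # add your Certificate Enrollment Web Service / Policy applications here
)
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

foreach ($path in $AppPaths) {
    if (-not (Test-Path $path)) {
        Write-Output "[SKIP] $path is not present on this server"
        continue
    }

    $providers = Get-WebConfiguration -Filter "$authFilter/providers/add" -PSPath $path |
                 ForEach-Object { $_.value }
    $epa = (Get-WebConfiguration -Filter "$authFilter/extendedProtection" -PSPath $path).tokenChecking

    if ($providers -contains 'NTLM') {
        Write-Output "[FAIL] $path still lists the NTLM provider (providers: $($providers -join ', '))"
    } elseif ($providers -contains 'Negotiate') {
        Write-Output "[WARN] $path uses Negotiate, which can fall back to NTLM; prefer Negotiate:Kerberos"
    } else {
        Write-Output "[OK]   $path providers: $($providers -join ', ')"
    }

    if ($epa -ne 'Require') {
        Write-Output "[WARN] $path Extended Protection tokenChecking is '$epa'; Require blocks relayed authentication"
    } else {
        Write-Output "[OK]   $path Extended Protection is required"
    }
}
```

Run it again after applying the group policy and editing the IIS providers; every line should read [OK] before you consider the server covered.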


Global: A new chapter for Google’s Vulnerability Reward Program

http://goo.gle/bhu

10 years ago, Google launched the Vulnerability Rewards Program (VRP), and here is what happened over the past 10 years:

  • Total bugs rewarded: 11,055
  • Number of rewarded researchers: 2,022, from 84 different countries
  • Rewards totaling over US$29 Million

They are now announcing the launch of bughunters.google.com, where they say it will be easier to report bugs, find jobs, attend the Bug Hunter University, and score swag.

So what’s the upshot for you? The only hesitation we have is their additional “gamification” of the site… but it sounds like they’re doing something right as they had 25 reports on bughunters.google.com the first day!


Global: Pegasus Spyware: iVerify App Says It Can Instantly Check For Pegasus

The Pegasus spyware has been in the news over the last week, with many people fearing the NSO Group-made malware could be hiding on their phones. Pegasus is even scarier because it is invisible and difficult to detect and remove. But it might be becoming a bit easier to detect the spyware because iVerify has added the capability to detect Pegasus to its smartphone app.

So what’s the upshot for you? For those important enough to be spied on: $3/mo. to ensure you don’t have Pegasus on your phone.

Alternately, Amnesty International has uploaded a number of tools to GitHub that you can download and use to compile a checker specific to your phone. Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

It has been developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project along with a technical forensic methodology and forensic evidence. (GitHub: mvt-project/mvt – MVT is a forensic tool to look for signs of infection in smartphone devices.)


Global: Time to update the macOS and iOS devices again!

Wait… you just did an update 2 days ago? We’ve got another for you.

Apple has not released any real details about the flaw, to reduce the chances of other parties exploiting the security vulnerability.

The flaw, tracked as CVE-2021-30807, is a memory corruption bug in the IOMobileFrameBuffer kernel extension, which manages the screen frame buffer, and it can be abused to execute arbitrary code on a device with kernel privileges. If a malicious hacker’s code successfully gains kernel privileges it seizes God-like control over the device.

Apple is warning that the security flaw has been used in real-world attacks: “Apple is aware of a report that this issue may have been actively exploited.”
Proof-of-concept code to exploit the flaw has been published on Twitter.

Users are advised to update to the latest versions of iOS (14.7.1), iPadOS (14.7.1), and macOS (11.5.1) to protect against the issue.

So what’s the upshot for you? Another day another macOS and iOS patch to apply! But you know what? Better safe than sorry!


Global: Inside the Industry That Unmasks People at Scale

Unique IDs linked to phones are supposed to be anonymous. But there’s an entire industry that links them to real people and their addresses.

Tech companies have repeatedly reassured the public that trackers used to follow smartphone users through apps are anonymous or at least pseudonymous, not directly identifying the person using the phone. But what they don’t mention is that an entire overlooked industry exists to purposefully and explicitly shatter that anonymity.

They do this by linking mobile advertising IDs (MAIDs) collected by apps to a person’s full name, physical address, and other personally identifiable information (PII). Motherboard confirmed this by posing as a potential customer to a company that offers linking MAIDs to PII.

“We have one of the largest repositories of current, fresh MAIDS<>PII in the USA,” Brad Mack, CEO of data broker BIGDBM told us when we asked about the capabilities of the product while posing as a customer. “All BIGDBM USA data assets are connected to each other,” Mack added, explaining that MAIDs are linked to full name, physical address, and their phone, email address, and IP address if available. The dataset also includes other information, “too numerous to list here,” Mack wrote.

So what’s the upshot for you? US Senator Ron Wyden said, “I have serious concerns that personal data is available to foreign governments that could use it to harm national security. That’s why I’ve proposed strong consumer privacy legislation and a bill to prevent companies based in unfriendly foreign nations from purchasing Americans’ personal data.”


BR: According to a new report, the Amazon Rainforest has just crossed a tipping point, with the burning of the rainforest releasing more CO2 into the atmosphere than it removes.

Amazon Rainforest Now Emits More Carbon Dioxide Than It Absorbs, Study Confirms (NPR).

The Amazon has long done its part to balance the global carbon budget, but new evidence suggests the climate scales have tipped in the world’s largest rainforest.

Now, according to a study published July 14 in Nature, the Amazon is emitting more carbon than it captures.

“You have to understand that the Amazon is Brazil’s, not yours,” President Jair Bolsonaro once said.

The following year, deforestation numbers in the region were the highest they’d been in 12 years.

As the fires rage, burning vast swathes of the Amazon Rainforest, what used to be the world’s CO2 sink is now a net contributor, with an additional +0.3 billion tons of CO2 now going into the atmosphere.

Meanwhile, on the other side of the planet, just outside Zurich, Switzerland, more than a dozen massive fans are fast at work, cleaning the air of carbon dioxide. So-called direct air capture is the leading edge of what could become the largest environmental industry aimed at saving the planet.

The company behind it, Climeworks, is one of the few offering the technology to basically vacuum the atmosphere of carbon. The plant in Switzerland removes about 900 tons of carbon dioxide per year, according to Climeworks policy chief Chris Beuttler. To put it in perspective, globally we are emitting 40 billion tons.

Canada-based Carbon Engineering has been working on direct air capture since 2015. Carbon Engineering was founded more than a decade ago with the mission to develop and commercialize affordable and highly scalable carbon removal technology. Today, they are engineering the largest direct air capture plant in the world – a facility that will capture one million tons of CO2 directly from the atmosphere each year.

Arizona State University and Silicon Kingdom Holdings (newly renamed “Carbon Collect”) are deploying proprietary carbon-capture technology that acts like a tree and frankly looks like a tree. Column-shaped MechanicalTrees™ are 10 meters tall when extended to capture CO2 and contain sorbent tiles that extend and retract on a constant capture and regeneration cycle.

This year the World Economic Forum in Davos, Switzerland, called for the world to plant a trillion trees. Planting a trillion trees over the next three decades would be a huge logistical challenge. A trillion is a big number. That target would require a thousand new trees in the ground every second, and then for all of them to survive and grow.

Meanwhile, estimates suggest that natural forest regrowth could capture in biomass and soils 73 billion tons of carbon between now and 2050. That is equal to around seven years of current industrial emissions, making it “the single largest natural climate solution.”

So what’s the upshot for you? It’d be a bit more reassuring if the CO2 removal factories (and mechanical trees) didn’t look so much like the things they were built to repair the damage from. This is set to become one of the biggest areas of attention, innovation, and investment globally over the next 20 years. In the meantime, we will have a new catastrophic event each day to remind us that through global warming we are killing the oceans, the animals, and ourselves.


That’s it for this week. We are off to plant a tree. Be kind, stay safe, stay secure, and through the haze of the burning forests, we hope to see you in Se7en.



1 Like

I must say, I love the assumptions that young children read privacy statements, and that that allows them to understand how their data is used. Dutch children are a lot more diligent and educated than I’d have assumed.

1 Like

I would hope that the story is misquoting the agency, but let’s be honest, government branches aren’t exactly known for understanding people.

I think it’s a real shame that the fine was so low. I’m sure ByteDance considers €750k to be a reasonable cost of doing business in the Netherlands.

Now, the €1.5 billion claim that the article links to… that’s gonna be very interesting.

1 Like

Dutch children always read the privacy statements. Don’t be so silly Gary.

1 Like

I’m so silly I’d have guessed there’d be more Dutch children able to read English fluently than there are reading privacy statements. :man_shrugging:

I guess I just don’t go out enough.

2 Likes