The Unfencing of the IT Privacy and Security weekly update on June 15th 2021

“There’s only one thing I never did and wish I had done: climbed over a fence.” Mary of Teck


This week we start in El Salvador and end in mid-air.

In between those fence posts, we find: Breaches for airlines and autos and then discover one already being served up with a side of fries.

We find out how Google really motivates their staff, learn about Facebook suing a whole government, malware “photobombing” FujiFilm, the huge market for fake product reviews … and why the legal community is turning against geofencing.

This simply is the best IT Privacy and Security Weekly Update yet. Now let’s go climb a fence!

SV: "I’ve just sent the #BitcoinLaw to Congress" nayibbukele: President of the Republic of El Salvador

Since December 22, 2000, El Salvador has used the US dollar as its fiat currency. With the passage of this bill on June 8th, 2021, it has also adopted Bitcoin.

Article 2. The exchange rate between bitcoin and the United States dollar, subsequently USD, will be freely established by the market.
Article 3. Prices may be expressed in bitcoin.
Article 4. Tax contributions can be paid in bitcoin.
Article 5. Exchanges in bitcoin will not be subject to capital gains tax, just like any legal tender.
Article 6. For accounting purposes, the USD will be used as the reference currency.
Article 7. Every economic agent must accept bitcoin as payment when offered to him by whoever acquires a good or service.
Article 8. Without prejudice to the actions of the private sector, the State shall provide alternatives that allow the user to carry out transactions in bitcoin and have automatic and instant convertibility from bitcoin to USD if they wish. Furthermore, the State will promote the necessary training and mechanisms so that the population can access bitcoin transactions.
Article 14. Before the entry into force of this law, the State will guarantee, through the creation of a trust at the Banco de Desarrollo de El Salvador (BANDESAL), the automatic and instantaneous convertibility of bitcoin to USD necessary for the alternatives provided by the State mentioned in Article 8.

So what’s the upshot for you? From September 6, 2021, they are all in! We loved this response. “@crypto_hanuman Jun 8 Replying to @nayibbukele Our President. Blue heart, We gonna pump El Salvador GDP to the moon now. Rocket Rocket”
… If you’ve ever seen Wall Street Bets on Reddit, you’ll get that reference.

Global: How Hackers Used Slack to Break into EA Games

The group stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data and are advertising it for sale on various underground forums.

A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA. Cookies can save the login details of particular users, and potentially let hackers log into services as that person. In this case, the hackers were able to get into EA’s Slack using the stolen cookie.
“Once inside the chat, we messaged an IT Support member and we explain to them we lost our phone at a party last night,” the representative said.
The hackers then requested a multi-factor authentication token from EA IT support to gain access to EA’s corporate network. The representative said this was successful two times.

Once inside EA’s network, the hackers found a service for EA developers for compiling games. They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded game source code.

“No player data was accessed, and we have no reason to believe there is any risk to player privacy.”

So what’s the upshot for you? Can you imagine even more backdoors into the different player levels? Bedlam.

CN: Monumental Supply-Chain Attack on Airlines Traced to State Actor

A monster cyberattack on SITA, a global IT provider for 90 percent of the world’s airline industry, is slowly unfurling to reveal the largest supply-chain attack on the airline industry in history.

The enormous data breach, estimated to have already impacted 4.5 million passengers, has potentially been traced back to the Chinese state-sponsored threat actor APT41, and analysts are warning airlines to hunt down any traces of the campaign concealed within their networks.

SITA announced the attack in March, and soon after Singapore Airlines and Malaysia Airlines were the first airlines to disclose that their customers’ personal data had been exposed. Most recently, SITA customer Air India reported an attack on its systems.

At first, analysts thought the database was a fake because it hadn’t popped up on the Dark Web, but after a closer look, “The Threat Intelligence team soon realized that they were dealing with a sophisticated nation-state threat actor, rather than another financially motivated cybercriminal group.”

“Airlines have a wealth of information that is of interest to intelligence agencies,” a representative told Threatpost by email. “China, in particular, would love to collect the travel patterns of individuals associated with the targets of their national-security apparatus. All airlines should take note of this report and search for these indicators in their environments.”

So what’s the upshot for you? “The attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and Mimikatz.” That tells you this was a Windows environment that either did not use 2-factor authentication or had overlooked turning off NTLM authentication. Don’t make the same mistake.
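As an added example (our own illustration, not code from the SITA report or the analysts quoted above), here is a PowerShell audit of the Windows settings that govern legacy NTLM use and plaintext credential caching, the two weaknesses that hashdump/Mimikatz-style credential theft relies on. The registry paths and value names are standard Windows ones; the target values are this example's hardening baseline, not a requirement stated on the page, and a domain will usually want NTLM audit mode (1) for a while before moving to deny (2).

```powershell
# Added example, not from the newsletter or the SITA report: audit the Windows
# registry settings that control legacy NTLM use and plaintext credential caching.
# Run in an elevated PowerShell session on the host you want to check.

$NtlmChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Want = 5
       Why  = '5 = send NTLMv2 only, refuse LM and NTLMv1 responses' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Want = 1
       Why  = '1 = stop storing the weak LM hash of passwords' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Want = 1
       Why  = '1 = LSA protection; unsigned code cannot read LSASS memory' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Want = 2
       Why  = '2 = deny outbound NTLM to remote servers (1 = audit only)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Want = 0; Absent = 0
       Why  = '0 = WDigest keeps no plaintext password in LSASS' }
)

function Get-NtlmHardeningReport {
    foreach ($check in $NtlmChecks) {
        # A missing key or value simply yields $null instead of an error
        $item  = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $value = $null
        $shown = '(not set)'
        if ($null -ne $item) {
            $value = $item.$($check.Name)
            $shown = $value
        } elseif ($check.ContainsKey('Absent')) {
            # Some values (WDigest on Windows 8.1 / Server 2012 R2 and later)
            # default to the safe setting when the value is absent
            $value = $check.Absent
            $shown = "(not set, defaults to $($check.Absent))"
        }
        $status = 'REVIEW'
        if ($value -eq $check.Want) { $status = 'OK' }
        [pscustomobject]@{
            Setting = $check.Name
            Current = $shown
            Wanted  = $check.Want
            Status  = $status
            Note    = $check.Why
        }
    }
}

Get-NtlmHardeningReport | Format-Table -AutoSize
```

Anything marked REVIEW is worth a look before an attacker finds it for you: a low LmCompatibilityLevel means NTLMv1 hashes are still on the wire, and RunAsPPL off means any process running as SYSTEM can read credentials straight out of LSASS.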

Global: McDonald’s serves up a data breach with a side of fries

McDonald’s Corp. said hackers stole some data from its systems in markets including the U.S., South Korea, and Taiwan.

The company said no customer data was breached in the U.S., and that the employee data exposed wasn’t sensitive or personal. The company advised employees and franchisees to watch for phishing emails and to use discretion when asked for information.

However, McDonald’s attackers did steal customer emails, phone numbers, and addresses for delivery customers in South Korea and Taiwan. In Taiwan, hackers also stole employee information including names and contact details. The company said the number of files exposed was small without disclosing the number of people affected.

So what’s the upshot for you? More controversy from the company that brought you the broken ice cream machine hack.

US/CA: Volkswagen discloses data breach impacting 3.3 million Audi drivers.

The car vendor said the exposed data was gathered from US and Canadian customers between 2014 and 2019. It made this statement:

"For over 97% of the individuals, the exposed information consists solely of contact and vehicle information relating to Audi customers and interested buyers, including some or all of the following: first and last name, personal or business mailing address, email address, phone number. In some instances, the data also includes information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.

For approximately 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers. A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers."

So what’s the upshot for you? While most users face risks related to online fraud activity, owners of expensive Audi cars also face the risk of being targeted by professional car thieves if the leaked data ever falls into the wrong hands. Be afraid. Be very afraid.

Global: Google is using AI to design its next generation of AI chips more quickly than humans can

Google is using machine learning to help design its next generation of machine learning chips. The algorithm’s designs are “comparable or superior” to those created by humans, say Google’s engineers, but can be generated much, much faster. According to the tech giant, work that takes months for humans can be accomplished by AI in under six hours.

So what’s the upshot for you? No better way to make your engineers feel great about themselves than to read them a story like this.

US: Google Geofence Warrants Endanger Privacy—Judges Starting to Realize The Threat

In a rare decision to counter U.S. government investigator attempts to force tech giants to furnish them with data, a Kansas judge has denied a government request to use a controversial search warrant for what’s known as a Google geofence.

Also known as a reverse location search, such warrants allow police to take a given crime scene and ask Google for data on all smartphones in that place over a given timeframe, whether that’s information coming from Maps or other Google tools that track location.

In one recent case in Tennessee, for instance, a church was vandalized and a geofence ordered around the place of worship, though no information has yet been recovered in that case, according to the court docket. In another recently-unsealed case, they’ve been used to track phones within and around a suspected child abuser’s residence over two days in an attempt to determine where he was on the date of an alleged message he sent to a minor. In others, police have targeted the wrong man or retrieved data on more than 1,000 phones going through the area, raising concerns about how innocent people can be affected by such warrants.

The judge said that the government hadn’t done enough to prove the suspect would have had a smartphone in the area at the time of the incident. “The affidavit suggests only that the culprit was a lone pedestrian in the early morning hours who was caught on surveillance footage,” he wrote. “The affidavit conspicuously omits any suggestion that the surveillance footage shows that the individual had a cellphone.”

The judge also took issue with the lack of specificity regarding the number of non-suspects whose data could have been scooped up in the geofence. “The boundary encompasses two public streets, so anyone driving their automobile by the target location during the relevant time period could be identified in the data,” the judge wrote. “Google Maps also indicates that the subject building contains another business, which the application does not address.”

The government even attempted to get data from outside the boundary, “seeking data within the geofence’s ‘margin of error.’” It wasn’t made clear just how big that margin might be. And as the judge noted, there were residences and other businesses that could have been “implicated” by the margin of error.

So what’s the upshot for you? Previous cases have shown courts allowing broad geofences. But this case, alongside a growing number of others, shows judges are catching on to the potential for innocent citizens’ data to be caught up in these warrants.

Global: Microsoft product vulnerabilities reached a new high of 1,268 in 2020

That’s according to the Microsoft Vulnerabilities Report 2021 by BeyondTrust, which examined vulnerability data in the security bulletins (known as Patch Tuesday) posted by Microsoft over the past year. Unpatched vulnerabilities are responsible for one in three breaches around the world, among the approximately 1.5 billion people who use Windows operating systems every day.

“Windows 10 was touted as the ‘most secure Windows OS’ to date when it was released, yet it still experienced 132 critical vulnerabilities last year … Removing admin rights could have mitigated 70% of these critical vulnerabilities.”

While a large number of vulnerabilities were found across various Microsoft products in 2020, for the first time Elevation of Privilege, which occurs when an application gains rights or privileges that should not be available to it, accounted for the largest proportion. It almost tripled year over year, from 198 in 2019 to 559 in 2020, making up 44% of all Microsoft vulnerabilities in 2020.

Such vulnerabilities allow malicious actors to gain higher-level permissions on a system or network. The attacker can then use these privileges to steal confidential data, run administrative commands, or install malware.

“Enforcing least privilege is the fastest and most effective measure to address this problem,” the report said.

“In the past, a ransomware attack would have targeted one vulnerability; now a single strain can target a dozen or more,” the BeyondTrust report said. “Once attackers gain access to your network via a phishing email, they can seek and target endpoints you haven’t patched.”

So what’s the upshot for you? Even home users should consider creating a non-administrative working account for each user who uses a particular machine.
Don’t give that account admin rights to install anything on the machine. If you are the primary user, get used to logging in with the administrative account only when you need to update or install software. Sure, it’s an inconvenience, but compared to having your machine encrypted and shut down by malware, it’s a small inconvenience.
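The home-user advice above, as an added example (our own PowerShell, not anything from the BeyondTrust report): check whether the session you are in is elevated, list who actually holds local admin rights, and create a separate standard account for daily use. It assumes a Windows machine with the built-in Microsoft.PowerShell.LocalAccounts cmdlets; the account name is a placeholder.

```powershell
# Added example, not from the BeyondTrust report: enforce "work as a standard
# user, elevate only to install" on a single Windows machine.

function Test-IsAdminSession {
    # True when the current token carries the built-in Administrators role
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Every member here can install software and read every user's files;
    # the list should be short and contain no day-to-day working accounts
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function New-StandardUser {
    param([Parameter(Mandatory)][string]$Name)
    # Read the password interactively so it never lands in command history
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-LocalUser -Name $Name -Password $password -Description 'Daily non-admin account' | Out-Null
    # Standard user only: deliberately NOT added to Administrators
    Add-LocalGroupMember -Group 'Users' -Member $Name
}

if (Test-IsAdminSession) {
    Write-Warning 'This session has admin rights; use it only for installs and updates.'
} else {
    Write-Host 'This session is a standard user session.'
}
Get-LocalAdminReport | Format-Table -AutoSize

# Run once from an elevated session to create the working account (placeholder name):
# New-StandardUser -Name 'daily-user'
```

Once the standard account exists, log in with it for everyday work; when an installer needs elevation, Windows will prompt for the admin account's credentials rather than silently running with them, which is exactly the friction the report's 70% figure is about.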

IN: Facebook sues the Indian government over privacy law.

India’s new IT rules were proposed in February and went into effect last month (May). To comply with the new law in India, messaging platforms would need to break end-to-end encryption, a system that allows only the sender and the receiver access to the messages. That means WhatsApp will need to start collecting data on all the messages exchanged between all its subscribers every day. “There is no way to predict which message a government would want to investigate in the future… This would severely undermine the privacy of billions of people who communicate digitally.”

Facebook-owned WhatsApp is suing the Modi-led Indian government over new Internet laws which it says “severely undermine” the privacy of its users by requiring messaging platforms to store messages in a traceable database. In its lawsuit, WhatsApp says this would require breaking encryption and saving billions of messages from its over 500 million users in India. In 2016, WhatsApp got into a similar fight in Brazil over privacy concerns that led to the suspension of its service on multiple occasions. But the case against the Indian government is Facebook’s first against a national government.

The company says the new rules are an infringement of the fundamental right to privacy.
“There is a risk that privileged communication, such as conversations between lawyers and their clients, may be accessed by the state. Conversations between patients and doctors, journalists and their sources, are all at risk.”

So what’s the upshot for you? Imagine the costs associated with decrypting and safely storing all user communication for a billion people, “just in case the government decides it needs it.” Facebook hasn’t done a good job of this in the past, so it’s almost certain they would have a problem with it going forward. That fact alone should be enough to leave them victorious in this particular case.

UK: NCSC CEO warns that ransomware is key cyber threat

The chief of the UK’s National Cyber Security Centre yesterday (Monday) said ransomware was the key threat facing the UK and urged the public and business to take it seriously.

Speaking virtually to an audience at the Royal United Services Institute (RUSI) Annual Security Lecture, Lindy Cameron warned of the “cumulative effect” of failing to properly deal with the rising threat.

She also revealed the threat faced by think tanks, noting that it is “almost certain” that the primary cyber threat they face is from nation-state espionage groups, and it is highly likely that they seek to gain strategic insights into government policy and commercially sensitive information.

So what’s the upshot for you? For some, the defense of our businesses and data has been like fighting a war. Now it seems that was the correct analogy to be using all along!

JP: FujiFilm hit by Ransomware

Japanese multinational corporation Fujifilm reported yesterday (June 14, 2021) that it had restored operations following a ransomware attack.

On June 4, the company announced that it had fallen victim to a ransomware attack that forced it to shut down its network.

According to Fujifilm, the attack did not result in data compromise: “The investigations completed so far have found no evidence of information leakage to the outside world.”

Fujifilm hasn’t provided specific details on the type of ransomware used, nor on the ransom demands the attackers made if any.

So what’s the upshot for you? It seems like Malware miscreants are photobombing Fuji’s pictures!

Global: Fake Online Reviews Linked to $152 Billion in Global Purchases

Customer acquisition security vendor CHEQ teamed up with the University of Baltimore to produce its Fake Online Reviews 2021 report — part of what it claims to be the “first-ever in-depth economic analysis of the full scale of internet harm.”

The report’s headline claim is based on an average rate for fake reviews of 4% across platforms including Amazon, TrustPilot, Yelp, and TripAdvisor, and an estimated global e-commerce market size of nearly $4.3 trillion in 2020.

The report reveals the sheer size of the underground trade in five-star reviews, which it claims are charged at anywhere between 25 cents to $100 per review. Reviewers may be encouraged to purchase an item for ‘review’, which they are then reimbursed for and allowed to keep, sometimes in addition to a commission.

So what’s the upshot for you? There are two sides to this: The reviews you used to be able to trust are simply not the resources they were either for favorable or unfavorable comment (as both sides of the product review had high fraudulent review numbers exposed). Now you really have to read and make a judgment call on the reviews themselves. Sound too glowy? Probably fake. Sound too negative and it could also be fake…

Global: Google Workspace Gets Client-Side Encryption

“With Client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally.”
Client-side encryption works with key access service partners Flowcrypt, Futurex, Thales, and Virtru, which will be responsible for holding the key to decode Google Workspace data. However, organizations will also be able to build or integrate in-house key services. Google will publish key access service API specifications later this year.

In the coming weeks, Client-side encryption will become available in beta for Google Workspace Enterprise Plus and Education Plus customers and will support Google Docs, Drive, Sheets, and Slides.

Now available in Google Workspace is Drive labels, which allows users to classify the files stored in Google Drive, so that they are handled correctly. The feature is integrated with Google Workspace’s data loss prevention (DLP) capabilities so that admins can set retention policies. Files can also be automatically classified, based on admin-defined DLP rules.

Currently, in beta, the Drive labels feature has been released for Google Workspace Business Standard, Business Plus, Enterprise, Education Standard, and Education Plus customers.

In the coming weeks, Google Workspace administrators will have the option to implement phishing and malware protection for content within their organizations, the Internet giant announced.

So what’s the upshot for you? These would bring huge advantages to many companies struggling with data handling within the Google Workspace suite of products. We are looking forward to testing these new features and reporting further.

US: DARPA shoots streamers to counter drone swarms in urban areas

The Defense Advanced Research Projects Agency’s (DARPA) Mobile Force Protection (MFP) program has developed a system designed to counter unauthorized drone intrusions over military installations or operations. Because it may need to be used over populated areas, the program sought a non-explosive approach and hit upon the idea of using drones that fire stringy streamers.

The Counter-Unmanned Air System (C-UAS) uses a number of methods that don’t rely on explosives or high-velocity projectiles to take out drones.

The MFP system uses stringy streamers to bring down hostile drones by tangling them in their propellers and control surfaces.

So what’s the upshot for you? We wonder how many billions of dollars the research into throwing holiday tinsel into the rotors of drones has actually cost, but it sure looks like fun!

And that’s it for this week! Be kind, stay safe, stay secure and we’ll see you in se7en!


Great post @rps. I love technology, but it is becoming clear to me that the global dependence on US-domiciled or majority-controlled technology (FAANG et al.) is taking us on a path of both personal and business information insecurity & disruption.

I hope that Daml and Blockchain technologies can provide remedy.
