The Wooly IT Privacy and Security Weekly Update for October 4th, 2022


Wooly Mammoth or Ferrari? One’s sprung a leak and the other could feature in the next chapter of a spy novel.

It’s not Ke$ha’s “Tik Tok” but TikTok following us around these days, as Amazon hits the front page for providing cloud services to a couple of companies better avoided, and the NYPD goes dark.

If you hate picking the boxes with the “buses and crosswalks”, we could have some very good news for you, while for school kids in LA it’s time to learn Russian, and for one celeb… basic addition and subtraction.

Good or bad, old or new, prehistoric or cutting edge, numeric or pneumatic, if it’s within the realm of IT Privacy and Security we’ve got the best of it in the best update yet.

So grab a spanner, a butterfly net, and a calculator, and let’s see what we can track down!

US: The CIA Just Invested in Wooly Mammoth Resurrection Technology

As a rapidly advancing climate emergency turns the planet ever hotter, the Dallas-based biotechnology company Colossal Biosciences has a vision: “To see the Wooly Mammoth thunder upon the tundra once again.”

Founders George Church and Ben Lamm have already racked up an impressive list of high-profile funders and investors, including Peter Thiel, Tony Robbins, Paris Hilton, Winklevoss Capital – and, according to the public portfolio its venture capital arm released this month, the CIA.

Colossal says it hopes to use advanced genetic sequencing to resurrect two extinct mammals – not just the giant, ice age mammoth, but also a mid-sized marsupial known as the thylacine, or Tasmanian tiger, that died out less than a century ago.

On its website, the company vows: “Combining the science of genetics with the business of discovery, we endeavor to jumpstart nature’s ancestral heartbeat.”

In-Q-Tel, its new investor, is registered as a nonprofit venture capital firm funded by the CIA.

On its surface, the group funds technology startups with the potential to safeguard national security.

So what’s the upshot for you? In addition to its long-standing pursuit of intelligence and weapons technologies, the CIA outfit has lately displayed an increased interest in biotechnology and particularly DNA sequencing.

CN: TikTok Tracks You Across the Web, Even If You Don’t Use the App

A Consumer Reports investigation finds that TikTok, one of the country’s most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet.

That includes people who don’t have TikTok accounts.

These companies embed tiny TikTok trackers called “pixels” in their websites: a snippet of JavaScript (or an invisible image) served from TikTok’s own domain that reports back to TikTok whenever a page loads. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work.

To look into TikTok’s use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the company’s pixels.

In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in “.org,” “.edu,” and “.gov.”

We wanted to look at those sites because they often deal with sensitive subjects.

We found hundreds of organizations sharing data with TikTok.

If you go to the United Methodist Church’s main website, TikTok hears about it.

Interested in joining Weight Watchers?

TikTok finds that out, too.

The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance.

Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesn’t share information from the pages where you can book an appointment.
(None of those groups responded to requests for comment.)

The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta.

However, TikTok’s advertising business is exploding, and experts say the data collection will probably grow along with it.

After Disconnect researchers conducted a broad search for TikTok trackers, we asked them to take a close look at what kind of information was being shared by 15 specific websites.

We focused on sites where we thought people would have a particular expectation of privacy, such as advocacy organizations and hospitals, along with retailers and other kinds of companies.

Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page you’re on, and what you’re clicking, typing, or searching for, depending on how the website has been set up.
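The scan Consumer Reports commissioned from Disconnect is, at its core, a search of page source for a vendor’s loader script and initialisation call. The following Python is an added example written for this update, not Disconnect’s tooling or anything from the CR report: it checks saved HTML for the TikTok pixel (its loader fetched from analytics.tiktok.com and the ttq.load('<pixel id>') call that activates it, which is the documented shape of the snippet) and pulls out the pixel IDs. The Meta and Google signatures are an assumed generalisation so the same scan can compare vendors the way the study did; the sample pages are constructed, not real sites.

```python
import re
from typing import Dict, List

# Tracker signatures (regexes over raw HTML/JS). The TikTok entries follow the
# documented shape of its pixel snippet: a loader fetched from
# analytics.tiktok.com and a ttq.load('<pixel id>') call. The Meta and Google
# entries are an assumed generalisation so one scan can compare vendors the
# way the Consumer Reports/Disconnect study did; adjust them as needed.
TRACKER_SIGNATURES: Dict[str, List[str]] = {
    "tiktok": [
        r"analytics\.tiktok\.com/i18n/pixel/events\.js",
        r"\bttq\.load\(",
    ],
    "meta": [
        r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js",
        r"\bfbq\(\s*['\"]init['\"]",
    ],
    "google": [
        r"googletagmanager\.com/gtag/js",
        r"google-analytics\.com/analytics\.js",
    ],
}

# Captures the pixel ID handed to ttq.load('...'); a site may run several.
PIXEL_ID_RE = re.compile(r"\bttq\.load\(\s*['\"]([A-Za-z0-9_-]+)['\"]")


def find_trackers(html: str) -> Dict[str, List[str]]:
    """Return {vendor: [signatures that matched]} for one page's source."""
    found: Dict[str, List[str]] = {}
    for vendor, patterns in TRACKER_SIGNATURES.items():
        hits = [p for p in patterns if re.search(p, html, re.IGNORECASE)]
        if hits:
            found[vendor] = hits
    return found


def tiktok_pixel_ids(html: str) -> List[str]:
    """Extract every pixel ID passed to ttq.load() in the page."""
    return PIXEL_ID_RE.findall(html)


def scan_pages(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each URL to the sorted list of vendors whose trackers it embeds."""
    return {url: sorted(find_trackers(html)) for url, html in pages.items()}


# Constructed sample pages (not real sites). The first embeds a TikTok pixel
# snippet, the second only Google's gtag loader, the third no trackers at all.
SAMPLE_PAGES: Dict[str, str] = {
    "https://donate.example.org/": """
<html><head><title>Donate</title>
<script>
!function (w, d, t) {
  w.TiktokAnalyticsObject = t; var ttq = w[t] = w[t] || [];
  ttq.methods = ["page", "track", "identify"];
  var i = "https://analytics.tiktok.com/i18n/pixel/events.js";
  ttq.load('C1ABCDEF2GHIJ3KL');
  ttq.page();
}(window, document, 'ttq');
</script></head><body>...</body></html>""",
    "https://news.example.com/": """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>...</body></html>""",
    "https://plain.example.net/": "<html><body><p>No trackers here.</p></body></html>",
}


if __name__ == "__main__":
    for url, vendors in scan_pages(SAMPLE_PAGES).items():
        ids = tiktok_pixel_ids(SAMPLE_PAGES[url])
        suffix = f" tiktok pixel ids={ids}" if ids else ""
        print(f"{url}: {vendors or 'none'}{suffix}")
```

Point it at HTML you have fetched yourself (a saved copy of your own site is the obvious first target); the signatures only see what is in the initial page source, so a pixel injected later by a tag manager needs a scan of the rendered DOM instead.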

What does TikTok do with all that information?

“Like other platforms, the data we receive from advertisers are used to improve the effectiveness of our advertising services,” says Melanie Bosselait, a TikTok spokesperson.

The data “is not used to group individuals into particular interest categories for other advertisers to target.” If TikTok receives data about someone who doesn’t have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says.

But there’s no independent way for consumers or privacy researchers to verify such statements.

So what’s the upshot for you? What can you do to protect your personal information? Consumer Reports recommends using privacy-protecting browser extensions like Disconnect, changing your browser’s privacy settings to block trackers, and trying a more private browser such as Firefox or Brave.

Global: Amazon Provides Cloud Technology For a Chinese Military Company

Amazon’s business relationships with two Chinese surveillance giants, Hikvision and Dahua, may violate a U.S. law prohibiting federal contractors from doing business with certain Chinese firms, a joint investigation by National Review and IPVM, a surveillance and security research group, reveals.

While lawmakers are calling out these practices, Amazon has defended them and maintains that it is in full compliance with the law.

Specifically, the Seattle-based tech giant might be running afoul of a provision in the 2019 National Defense Authorization Act barring contracts with firms that use certain Chinese surveillance hardware or software.

One potentially significant issue is that Amazon Web Services simultaneously provides cloud services to the U.S. National Security Agency and to Hikvision, which the U.S. government designated as a Chinese military-industrial complex company last year.

“Facing a clear threat to federal networks, Congress drew a line in the sand for its contractors: if you do business with Hikvision or Dahua, you can’t do business with the federal government,” said Conor Healy, IPVM’s director of government research.

“Amazon seems determined to do the opposite. It is actively facilitating and incubating the very threat Congress sought to mitigate.”

Even absent the NDAA ban, enforcement of which is spotty, the record of the two Chinese surveillance firms should be cause for concern.

In 2019, Hikvision and Dahua were both blacklisted by the Commerce Department for their extensive work with the authorities in Xinjiang, as the Chinese Communist Party built out a sophisticated police state to systematically target ethnic minorities in the region.

Dahua sells cameras that can identify Uyghur faces, with an alarm that goes off when they are in view.

The company characterizes this as a smart-policing feature to detect “real-time Uyghur warnings” and “hidden terrorist inclinations.”

Hikvision, in addition to providing cameras used in Xinjiang prison camps, sells “tiger chair” torture and interrogation systems, among other things.

Hikvision also has a well-documented relationship with the Chinese military, providing the People’s Liberation Army air force with drone jammers, and pitching its technology as key to improving missile and tank systems.

So what’s the upshot for you? Amazon, you can’t have it both ways.

US: Hackers Leak 500GB Trove of Data Stolen During LAUSD Ransomware Attack

Vice Society, a Russian-speaking group that last month claimed responsibility for the ransomware attack that disrupted the Los Angeles Unified School District’s (LAUSD) access to email, computer systems, and applications, published the data stolen from the school district over the weekend.

The group had previously set an October 4 deadline to pay an unspecified ransom demand.

The stolen data was posted to Vice Society’s dark web leak site and appears to contain personal identifying information, including passport details, Social Security numbers, and tax forms.

While TechCrunch has not yet reviewed the full trove, the published data also contains confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports, and psychological assessments of students.

Vice Society, a group known for targeting schools and the education sector, included a message with the published data that said the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the government agency assisting the school district in responding to the breach, “wasted our time.”

So what’s the upshot for you? The Los Angeles Unified School District breach appears to be the biggest education breach in recent years.

US: SEC Charges Kim Kardashian for Unlawfully Touting Crypto Security

The Securities and Exchange Commission today announced charges against Kim Kardashian for touting on social media a crypto asset security offered and sold by EthereumMax without disclosing the payment she received for the promotion.

Kardashian agreed to settle the charges, pay $1.26 million in penalties, disgorgement, and interest, and cooperate with the Commission’s ongoing investigation.

The SEC’s order finds that Kardashian failed to disclose that she was paid $250,000 to publish a post on her Instagram account about EMAX tokens, the crypto asset security being offered by EthereumMax.

Kardashian’s post contained a link to the EthereumMax website, which provided instructions for potential investors to purchase EMAX tokens.

“This case is a reminder that, when celebrities or influencers endorse investment opportunities, including crypto asset securities, it doesn’t mean that those investment products are right for all investors,” said SEC Chair Gary Gensler. "We encourage investors to consider an investment’s potential risks and opportunities in light of their own financial goals.

Ms. Kardashian’s case also serves as a reminder to celebrities and others that the law requires them to disclose to the public when and how much they are paid to promote investing in securities," Chair Gensler added.

So what’s the upshot for you? A US$1.26M penalty for a US$0.25M paycheck: Kim certainly didn’t make her billions that way.

US: Pentagon is far too tight with its security bug bounties

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense’s IT systems doesn’t carry a high reward.

The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam’s networks. […]

According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes.

Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection.

The Pentagon didn’t say how many bug hunters received rewards, or how much they each earned.

However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *

Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize.

And Google awarded $8.7 million during 2021.

It’s also worth noting that the DoD’s pilot vulnerability disclosure program, which ended in April, didn’t pay any monetary rewards.

So at least Hack US, with its paid bug bounties, is a step up from that.

“The most successful bug bounty programs strike an even balance between monetary and social benefits.”

So what’s the upshot for you? "For bug hunters, there must be a monetary incentive to get them to participate – but, there’s also value in creating a space where folks can get together, connect with one another, and hack as a team.

Bringing together the top bug hunters requires both – one without the other is not enough."

Global: Cloudflare launches Turnstile, a CAPTCHA alternative

Cloudflare is announcing the open beta of Turnstile, an invisible alternative to CAPTCHA. Anyone, anywhere on the Internet, who wants to replace CAPTCHA on their site will be able to call a simple API, without having to be a Cloudflare customer or send traffic through the Cloudflare global network. Sign-up is free.

There is no point in rehashing the fact that CAPTCHA provides a terrible user experience. The creator of the CAPTCHA has even publicly lamented that he “unwittingly created a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles.” We hate it, you hate it, everyone hates it.

Turnstile is their smart CAPTCHA alternative.

It automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session.

UX isn’t the only big problem with CAPTCHA — so is privacy

While having to solve a CAPTCHA is a frustrating user experience, there is also a potential hidden tradeoff a website must make when using CAPTCHA.

If you are a small site using CAPTCHA today, you essentially have one option: an 800-pound Google gorilla with 98% of the CAPTCHA market share.

This tool is free to use, but it has a privacy cost: you have to give your data to an ad sales company.

According to security researchers, one of the signals that Google uses to decide if you are malicious is whether you have a Google cookie in your browser, and if you have this cookie, Google will give you a higher score.

Google says it doesn’t use this information for ad targeting, but at the end of the day, Google is an ad sales company. Cloudflare, by contrast, says it makes money when customers choose it to protect their websites and make their services run better: a simple, direct relationship that, in its words, perfectly aligns with its incentives.

So what’s the upshot for you? If you ever thought you would lose your mind selecting the boxes with crosswalks, this could be a game changer.

Global: New Microsoft Exchange zero-days actively exploited in attacks

Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks.

The attackers are chaining the pair of zero-days to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as to move laterally to other systems on the victims’ networks.

“The vulnerability turns out to be so critical that it allows the attacker to do remote code execution on the compromised system,” the researchers said.

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

So what’s the upshot for you? Until Microsoft releases security updates to address the two zero-days, GTSC shared a temporary mitigation that would block attack attempts by adding a new IIS server rule using the URL Rewrite module:

In Autodiscover at FrontEnd, select the URL Rewrite tab, and then Request Blocking.
Add the regular expression ".*autodiscover\.json.*\@.*Powershell.*" as the URL Path pattern to block.
Condition input: choose {REQUEST_URI}.

“We recommend all organizations/enterprises around the world that are using Microsoft Exchange Server to check, review, and apply the above temporary remedy as soon as possible to avoid potential serious damages.”

Admins who want to check whether their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan the IIS log files for the indicator of compromise (the pattern is a regular expression, and Select-String matches it case-insensitively by default):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Global: The Ever-Expanding Job of Preserving the Internet’s Backpages

A quarter of a century after it began collecting web pages, the Internet Archive is adapting to new challenges.

Within the walls of a beautiful former church in San Francisco’s Richmond district, racks of computer servers hum and blink with activity.

They contain the internet.

Well, a very large amount of it.

The Internet Archive, a non-profit, has been collecting web pages since 1996 for its famed and beloved Wayback Machine.

In 1997, the collection amounted to 2 terabytes of data.

Colossal back then; you could fit it on a $50 thumb drive now.

Today, the archive’s founder Brewster Kahle tells me, the project is on the brink of surpassing 100 petabytes – approximately 50,000 times larger than in 1997.

It contains more than 700bn web pages.

The work isn’t getting any easier.

Websites today are highly dynamic, changing with every refresh.

Walled gardens like Facebook are a source of great frustration to Kahle, who worries that much of the political activity that has taken place on the platform could be lost to history if not properly captured.

In the name of privacy and security, Facebook (and others) make scraping difficult.

So what’s the upshot for you? This is one undertaking that is only going to get bigger… and bigger.

US: By 2024, NYPD radios may ‘go dark’ with no assurances for media and public access

The NYPD says it wants to reimagine its current police communication system and transition to encrypted messages by 2024, according to a recent amNY report.

While law enforcement has spent years fighting to make encryption less accessible for everyday people, police think they need a little more privacy.

Critics worry a turn towards encryption by law enforcement could reduce transparency, hamstring the news media, and potentially jeopardize the safety of protesters looking to stay a step ahead.

According to amNY, the NYPD’s new plan would allow law enforcement officers discretion on whether or not to publicly disclose newsworthy incidents.

That means the NYPD essentially would get to dictate the truth unchallenged in a number of potentially sensitive local stories.

The report suggests police are floating the idea of letting members of the news media monitor certain radio transmissions through an NYPD-controlled mobile app.

There’s a catch though.

According to the report, the app would send radio information with a delay.

Users may also have to pay a subscription fee to use the service, the paper said.

So what’s the upshot for you? New York joins a growing list of cities considering encrypting radio communications.

“Denver, Baltimore, Virginia Beach, Sioux City, Iowa, and Racine, Wisconsin have all moved to implement the technology in recent years.”

IT: Ferrari hit by ransomware, hackers leak 7 GB of data

The Italian luxury car maker Ferrari had internal documents taken from the brand’s website.

Data from Ferrari’s website was posted on a dark web leak site owned by ransomware group RansomEXX.

Hackers claim they have obtained internal documents, datasheets, repair manuals, and other information.

The stolen data set consists of almost 7 GB of data.

The leak marks the second time Ferrari had the company’s documents stolen by hackers in less than a year.

In December 2021, Italian manufacturing company Speroni was hit by the Everest cyber gang.

Threat actors advertised stealing 900 GB of data from Speroni containing sensitive information about the company’s partners such as Ferrari, Lamborghini, Fiat Group, and other Italian car manufacturers.

Earlier this year, threat actors interfered with Ferrari’s entry into the NFT market. Threat actors took over the company’s subdomain and used it to host an NFT scam almost immediately after Ferrari announced it would mint tokens based on Ferrari cars.

So what’s the upshot for you? Two leaks in one year? Come on, Ferrari, you are starting to sound like the Nord Stream gas pipeline (four leaks in one week), but maybe having your repair manuals in the public domain is not such a bad thing after all.


And the quote of the week: “All human beings have three lives: public, private, and secret.” ― Gabriel García Márquez

That’s it for this week. Stay safe, stay secure, feel free to pat the Mammoth… but not the Ferrari, and see you in se7en.
