Trafficking the IT Privacy and Security Weekly Update for April 12th, 2022


This week we start in traffic and end in traffic. Most of it is ground-bound, but we have been known to flit into low Earth orbit when our speeds are high enough.

From between those bollards, we discover more nighttime glitter, more acronym definitions, and the need for more quantum resistance in our crypto.

Still hungry? Our Pi and REDSPICE stories will give you something to chew on, while crypto-tracking sites have turned watching stolen crypto move into a real meal.


For now, put your sandwich aside, adjust your seat, check the mirror, buckle up, and let’s put the pedal to the metal!

Global: Adversarial Fashion

Tired of getting tracked by every CCTV cam in the neighborhood? Perhaps this is your answer.

The patterns on the goods in this shop are designed to trigger Automated License Plate Readers, injecting junk data into the systems used by the State and its contractors to monitor and track civilians and their locations.

So far they cover US and EU license and registration plates, but unselfishly they also include copious instructions on how to design and make your own. Our advice, though: use someone else’s plate details.

So what’s the upshot for you? Personally we like the hoodie best, and if they were ever to do a full zip front version… we’d be in for one.

Low Earth Orbit: 3,000 more glittering objects in the night sky

There’s a new space race… and it’s centered on earthly internet access, not Martian colonies.

A third of the world’s population still doesn’t have internet access.

One solution: small, low-orbiting satellites that send broadband to remote locations, and do it without the latency that geostationary satellite internet is known for.

Shoot for the moon… Even if you miss, you’ll land among the SpaceX satellites.

Last week Amazon announced the biggest rocket deal in commercial space history.

The goal: bring on partners to help launch thousands of satellites that beam broadband internet across the globe.

The mission: Amazon’s Project Kuiper plans to send thousands of internet satellites into orbit in 83 rocket launches over the next five years (and will spend billions to do it).

The crew: Amazon tapped three rocket-makers: United Launch Alliance (run by Boeing and defense giant Lockheed Martin), French biz Arianespace, and of course Jeff Bezos’ Blue Origin.

The countdown: Amazon got Uncle Sam’s permission in 2020 to launch 3,000+ satellites.

But there’s a catch: if half of those aren’t live by 2026, it loses its license.

SpaceX-owned Starlink has already launched 2K satellites that serve 250K customers, and has approval for 10K more. But competitors like Astra, OneWeb, Intelsat, and Amazon have submitted plans to launch 38,000 more.

So what’s the upshot for you? This won’t be Amazon’s first time blasting off into a new industry: the corporate behemoth has already successfully leveraged its size and scale to enter grocery, cloud computing, streaming, and healthcare. It may not have a head start with satellites, but its cash, customers, and infrastructure give it an edge in any “space”.

Global: APT: Advanced Persistent Teenagers

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full-blown data breach.

But few organizations have a playbook for responding to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world’s biggest corporations on edge.

Since surfacing in late 2021, LAPSUS$ has gained access to the networks of, or to contractors for, some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta, and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing whatever they stole (mainly source code).

Microsoft blogged about the attack it suffered at the hands of LAPSUS$, and about the group targeting its customers. It found that LAPSUS$ used a variety of old-fashioned techniques that seldom show up in corporate breach post-mortems, such as:

  • targeting employees at their personal email addresses and phone numbers;
  • offering to pay $20,000 a week to employees who give up remote access credentials;
  • social engineering help desk and customer support employees at targeted companies;
  • bribing/tricking employees at mobile phone stores to hijack a target’s phone number;
  • intruding on their victims’ crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored “Advanced Persistent Threat” or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: According to Microsoft, LAPSUS$ doesn’t seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS: This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about how good they are, tactics et cetera, but I think it’s more than that,” said the CXO, who spoke about the incident on condition of anonymity. “They put together an approach that industry thought was suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. “These guys were not leet, just damn persistent.”

So what’s the upshot for you? “It does force us to think about insider access differently.”

“Nation-states have typically wanted longer, more strategic access; ransomware groups want large lateral movement. LAPSUS$ doesn’t care, it’s more about, ‘What can these 2-3 accounts get me in the next 6 hours?’ We haven’t optimized to defend that.”

Any organization wondering what it can do to harden its systems against groups like LAPSUS$, particularly one running Microsoft products, should consult Microsoft’s recent blog post on the group’s activities, tactics, and tools.
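As an added illustration (not Microsoft’s guidance and not code from the Krebs piece), here is a detection sketch in Python for the sequence the CXO describes: a help-desk password reset, a freshly enrolled 2FA method, and a bulk source-code checkout, all inside a few hours and from an address the employee has never used before. The log format, action names, sample events and the per-user known-IP baseline are all constructed for this example, not any vendor’s schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed help-desk / identity-provider / SCM events, one per line:
# timestamp|user|action|source_ip|detail. Format and action names are
# assumptions for this example only.
SAMPLE_LOG = """\
2022-04-05T09:00:00|bob|helpdesk_reset|10.0.0.5|password reset by phone request
2022-04-05T09:20:00|bob|mfa_enrolled|198.51.100.7|new authenticator app
2022-04-05T11:05:00|bob|repo_clone|198.51.100.7|cloned 140 repositories
2022-04-05T09:10:00|alice|helpdesk_reset|10.0.0.5|reset via self-service portal
2022-04-05T09:30:00|alice|mfa_enrolled|192.0.2.44|replacement phone
2022-04-05T10:00:00|alice|repo_clone|192.0.2.44|git fetch
2022-04-05T08:00:00|carol|helpdesk_reset|10.0.0.5|
2022-04-05T08:15:00|carol|mfa_enrolled|203.0.113.9|
2022-04-05T17:00:00|carol|repo_clone|203.0.113.9|
"""

# Assumed baseline: IPs each user has been seen from before (e.g. last 30 days).
KNOWN_IPS = {"alice": {"192.0.2.44"}, "bob": {"192.0.2.10"}, "carol": {"10.0.0.5"}}

WINDOW = timedelta(hours=6)  # "what can these accounts get me in the next 6 hours?"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    src_ip: str
    detail: str


def load_events(text):
    """Parse the pipe-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, src_ip, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, action, src_ip, detail))
    return events


def detect_smash_and_grab(events, known_ips, window=WINDOW):
    """Flag users where a help-desk reset is followed, inside `window`, by a
    new MFA method and then a bulk source checkout, with the enrolment or the
    checkout coming from an IP the user has never used before."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for reset in (e for e in evs if e.action == "helpdesk_reset"):
            later = [e for e in evs if reset.ts < e.ts <= reset.ts + window]
            enrol = next((e for e in later if e.action == "mfa_enrolled"), None)
            if enrol is None:
                continue
            clone = next((e for e in later if e.action == "repo_clone" and e.ts > enrol.ts), None)
            if clone is None:
                continue
            new_ips = {enrol.src_ip, clone.src_ip} - known_ips.get(user, set())
            if not new_ips:
                continue  # same sequence from a known device: plausibly the real employee
            alerts.append({
                "user": user,
                "reset_at": reset.ts.isoformat(),
                "mfa_enrolled_at": enrol.ts.isoformat(),
                "clone_at": clone.ts.isoformat(),
                "new_ips": sorted(new_ips),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smash_and_grab(load_events(SAMPLE_LOG), KNOWN_IPS):
        print(alert)
```

On the sample, only bob trips the rule: alice ran the same sequence from a device she has used before, and carol’s checkout falls outside the six-hour window. The window is the knob that encodes the CXO’s point: widen it and carol’s slower sequence starts to alert too, at the cost of more noise from legitimate phone replacements.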

FR: Spacewatch: French firm raises €2m to sail on sunlight

The French aerospace company Gama has raised €2m to deploy a solar sail in space.

Solar sails require no engines to move. Instead, they are pushed around by the pressure of sunlight. The angle of the sail determines the direction of motion.

Gama plans to deploy a 73.3-sq-metre solar sail in a 550km-altitude orbit in October. It will be launched as an additional payload on a SpaceX rocket.

Solar sails rely on photonic propulsion. This form of propulsion uses the pressure produced by photons when they bounce off a reflective surface. This force is weak, but when applied to large surfaces, can induce non-negligible effects.

“In the void of space, with no air friction, a continuous force (even a small one) applied to a spacecraft induces a constant acceleration and continuously increases its speed,” says Jordan Culeux, technical lead for the first mission.

A solar sail could theoretically accelerate to 20% of the speed of light. Similar to maritime sailing, it is the position of the sail in relation to the Sun’s rays that will determine the trajectory of the craft. As with a conventional sail, it is, therefore, possible to move away from the Sun but also to get closer by sailing “upwind”.

So what’s the upshot for you? Conventional chemical or electric propulsion systems are complex, costly and limited in range. Solar sails do not need to carry propellant and can unlock new types of missions (high speeds, polar station keeping, etc.) at much lower cost.

Global: Even your Raspberry Pi is becoming more secure

Since its launch, the Raspberry Pi OS (and most operating systems based on it) has shipped with a default “pi” user account, making it simpler to boot up a Pi and start working without needing to hook up the device to a monitor or go through a multi-step setup process.

But that’s changing – new installs of the Raspberry Pi OS are shedding that default user account for both security and regulatory reasons.

Raspberry Pi Foundation software engineer Simon Long explains the thinking in this blog post. “[The “pi” user account] could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials,” he writes.

This move will improve the Pi operating system’s security.

Before, even if you assigned a good password to the “pi” account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the “pi” username.

Many Pi OS-based operating systems also ship with the default “pi” user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place.

The flip side is that the change could break some software and scripts, particularly those that are hard-coded to use the “pi” user account and home folder.

So what’s the upshot for you? "The Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment. And that setup wizard now prompts you to create a username and password rather than simply assigning a password to the default ‘pi’ user account.

To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first."
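As an added check (not from the Raspberry Pi Foundation’s post), here is a small Python audit that reads passwd/shadow-style data and flags the well-known “pi” account, an empty password field, and the hard-coded “pi” references in scripts that the change will break. The sample passwd, shadow and startup-script excerpts are constructed for the example, and the regex covers a few common patterns rather than every way a script can assume the user.

```python
import re

DEFAULT_USER = "pi"

# Constructed passwd/shadow excerpts in the usual /etc layout (not copied from
# a real image). The shadow password field is empty for "pi" in the first
# sample, i.e. the passwordless state some Pi-derived distributions shipped.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "pi:x:1000:1000:,,,:/home/pi:/bin/bash\n"
)
SAMPLE_SHADOW_EMPTY = "root:*:19000:0:99999:7:::\npi::19000:0:99999:7:::\n"
SAMPLE_SHADOW_SET = "root:*:19000:0:99999:7:::\npi:$6$saltsalt$notarealhash:19000:0:99999:7:::\n"
SAMPLE_SHADOW_LOCKED = "root:*:19000:0:99999:7:::\npi:!:19000:0:99999:7:::\n"

# A constructed startup script with the kind of assumptions the change breaks.
SAMPLE_SCRIPT = """\
#!/bin/sh
cd /home/pi/app
sudo -u pi ./start.sh
chown pi:pi /var/log/app
echo "running as $(id -un)"
"""


def passwd_entry(passwd_text, name=DEFAULT_USER):
    """Return uid/home/shell for `name` from passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == name:
            return {"uid": int(fields[2]), "home": fields[5], "shell": fields[6]}
    return None


def shadow_state(shadow_text, name=DEFAULT_USER):
    """Classify the shadow password field: 'empty' (no password needed),
    'locked' ('!' or '*'), 'set' (a hash), or None if the user is absent."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == name:
            pw = fields[1] if len(fields) > 1 else ""
            if pw == "":
                return "empty"
            if pw.startswith(("!", "*")):
                return "locked"
            return "set"
    return None


def audit_default_user(passwd_text, shadow_text, name=DEFAULT_USER):
    """Findings about the well-known default account, worst first."""
    findings = []
    entry = passwd_entry(passwd_text, name)
    if entry is None:
        return findings  # account gone: nothing for an attacker to assume
    state = shadow_state(shadow_text, name)
    if state == "empty":
        findings.append(f"'{name}' has an empty password field: login needs no password")
    elif state == "set":
        findings.append(f"'{name}' has a password, but the username is still the one everyone guesses")
    findings.append(f"default account '{name}' exists (uid {entry['uid']}, home {entry['home']}, shell {entry['shell']})")
    return findings


# Patterns a script typically uses to assume the "pi" user or its home directory.
HARDCODED = re.compile(r"/home/pi\b|\bpi:pi\b|(?:-u|--user)[ =]pi\b|\bUSER=pi\b")


def hardcoded_refs(script_text, pattern=HARDCODED):
    """(line number, line) pairs that hard-code the default user or its home."""
    return [(n, line.strip()) for n, line in enumerate(script_text.splitlines(), 1)
            if pattern.search(line)]


if __name__ == "__main__":
    for finding in audit_default_user(SAMPLE_PASSWD, SAMPLE_SHADOW_EMPTY):
        print("finding:", finding)
    for n, line in hardcoded_refs(SAMPLE_SCRIPT):
        print(f"line {n}: {line}")
```

Run against a real board you would feed it /etc/passwd and /etc/shadow (the latter needs root) plus whatever lives in /etc/rc.local, cron and systemd units. For headless installs that used to rely on the default account, Simon Long’s post describes a userconf.txt file in the boot partition holding a single username:encrypted-password line, with the hash generated by openssl passwd -6, so the non-default user exists before first boot.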

US: Fed-up managers declare WFH is over, as 77% say they’d fire you or cut your pay for not coming back to the office

About 77% of managers said they’d be willing to implement “severe consequences”—including firing workers or cutting pay and benefits—on those who refuse to return to the office, according to a recent survey by employment background check company GoodHire of 3,500 American managers.

Although many surveys have shown that the majority of workers prefer remote and hybrid work structures, most managers still believe in-person work is best.

Former Google CEO and chairman Eric Schmidt even recently weighed in about the return-to-work debate, saying that it’s important people be at the office and he’s happy the remote era seems to be ending.

“I don’t know how you build great management [with remote work]. I honestly don’t,” he said.

And about half of the managers, 51%, genuinely believe that their workers want to return to the office.

So what’s the upshot for you? Just because a company wants to head back to the office doesn’t mean it always goes smoothly. Financial giant Goldman Sachs, for example, reopened its New York headquarters in February and mandated that its 10,000 employees return… Only about half showed up.

RU: Microsoft takes down APT28 domains used in attacks against Ukraine

Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure.

Strontium (also tracked as Fancy Bear or APT28), linked to Russia’s military intelligence service GRU, used these domains to target multiple Ukrainian institutions, including media organizations.

The domains were also used in attacks against US and EU government institutions and think tanks involved in foreign policy.

“On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft.

So what’s the upshot for you? “Microsoft have since re-directed these domains to a sinkhole they control, enabling them to mitigate Strontium’s current use of these domains and enable victim notifications.”

Global: Hackers Stole More Than $600 Million in Crypto, but Laundering It Is the Tricky Part

Many eyes in the crypto world are on a 42-character address on the Ethereum blockchain, which has unclear ownership and is currently home to the equivalent of about $600 million.

Hackers stole the funds from players of online game “Axie Infinity” in a March 23 heist uncovered last week.

The criminals have moved millions of dollars of assets in recent days, according to blockchain-monitoring tools, but the majority of funds remain in place, leaving victims and outside observers awaiting the next moves.

Crypto’s transparency has turned money laundering into a perverse spectator sport.

The fate of the money stolen from “Axie Infinity” users, one of the largest such thefts, has become a topic of speculation.

On Etherscan, a monitoring platform where users can see transactions to and from the address in question, commenters claiming to be victims, broke college students or Ukrainian refugees have posted messages asking the hackers to spread their newfound wealth.

Last week, blockchain analysts and amateur digital sleuths watched as ether worth about $20 million moved to crypto exchanges based in the Bahamas and Seychelles.

On Monday, an additional $12 million of assets flowed into a mixer, which blends different cryptocurrencies to help obscure their sources.

“Such efforts make the transfers of some Ronin Network funds to exchanges potentially dicey. This might be an opportunity for law enforcement to jump in.” (Ronin Network is the Ethereum sidechain on which Axie Infinity runs.)

So what’s the upshot for you? The Etherscan link included shows you the wallets the crypto moves between and it seems to work pretty well until it hits a “mixer”.
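To show what “following the money until it hits a mixer” means in practice, here is an added Python example (not Etherscan’s or any chain-analysis firm’s code) that walks outgoing transfers from a constructed ledger, records arrivals at addresses labelled as exchanges, and stops at addresses labelled as mixers. The addresses, amounts and labels are made up for the example and are not the real Ronin addresses or figures.

```python
from collections import defaultdict, deque

# Constructed ledger: (from, to, amount). Short labels stand in for the
# 42-character hex addresses an explorer shows; amounts are arbitrary units
# chosen to echo the story, not the real Ronin transactions.
TRANSFERS = [
    ("thief", "hop_a", 20_000),
    ("thief", "hop_b", 12_000),
    ("hop_a", "exchange_x", 8_000),
    ("hop_a", "exchange_y", 12_000),
    ("hop_a", "thief", 5),               # dust sent back: a cycle the walk must ignore
    ("hop_b", "mixer_1", 12_000),
    ("mixer_1", "fresh_wallet", 5_000),  # mixer withdrawal: not attributable to hop_b
    ("commenter", "thief", 1),           # inbound transfer: irrelevant to outflows
]
# Attribution tags of the kind explorers and chain-analysis firms maintain.
LABELS = {"exchange_x": "exchange", "exchange_y": "exchange", "mixer_1": "mixer"}


def trace_outflows(transfers, origin, labels):
    """Breadth-first walk along outgoing transfers from `origin`.

    Returns {kind: [(address, gross_inflow, path)]} with kind one of
    'wallet', 'exchange', 'mixer'. An exchange is an off-ramp where legal
    process can reach the funds; a mixer blends them with other users'
    coins; so the walk records arrival at either but does not continue
    through them. Inflow is gross (every edge into the address is summed),
    so cycles among intermediate wallets inflate it rather than loop forever.
    """
    outgoing = defaultdict(list)
    for src, dst, amount in transfers:
        outgoing[src].append((dst, amount))

    inflow = defaultdict(int)
    first_path = {}
    queue = deque([(origin, [origin])])
    while queue:
        addr, path = queue.popleft()
        for dst, amount in outgoing[addr]:
            if dst == origin:
                continue
            inflow[dst] += amount
            if dst in first_path:
                continue
            first_path[dst] = path + [dst]
            if labels.get(dst, "wallet") == "wallet":
                queue.append((dst, first_path[dst]))

    reached = defaultdict(list)
    for dst, path in first_path.items():
        reached[labels.get(dst, "wallet")].append((dst, inflow[dst], path))
    return dict(reached)


def off_ramp_totals(reached):
    """(amount sitting at known exchanges, amount whose trail ends in a mixer)."""
    at_exchanges = sum(amt for _, amt, _ in reached.get("exchange", []))
    into_mixers = sum(amt for _, amt, _ in reached.get("mixer", []))
    return at_exchanges, into_mixers


if __name__ == "__main__":
    reached = trace_outflows(TRANSFERS, "thief", LABELS)
    for kind, hits in reached.items():
        for addr, amt, path in hits:
            print(f"{kind:8} {addr:13} {amt:>7}  via {' -> '.join(path)}")
    print("reachable at exchanges / lost in mixers:", off_ramp_totals(reached))
```

The walk never reaches fresh_wallet: the 5,000 that left mixer_1 cannot be tied to hop_b by transaction graph alone, which is exactly why the trail goes cold there, while the 20,000 that landed at labelled exchanges is where a subpoena or freeze request has something to act on.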

AU: Australia gets REDSPICE

Almost $10 billion over the next decade will be pumped into helping Australia compete in cyber warfare with adversaries such as Russia and China in a major funding boost that will nearly double the size of the nation’s leading cyber security agency.

In its centerpiece defense budget announcement, the government will make the largest single investment in the 75-year history of the Australian Signals Directorate, the country’s powerful and highly secretive electronic intelligence agency.

The government said the funding increase – dramatically named Project REDSPICE (Resilience, Effects, Defense, Space, Intelligence, Cyber, and Enablers) – will significantly expand the ASD’s offensive cyber capabilities, as well as the agency’s ability to prevent hacking and other digital attacks.

So what’s the upshot for you? The funding increase will significantly increase Australia’s cyber, data science, and intelligence workforce, creating an extra 1900 jobs over the next ten years.

US: US Military Makes ‘Significant Effort’ in Quantum-Resistant Cryptography

In his first interview since leaving his post last month, David Spirk, the Pentagon’s former chief data officer, who spent two years in the role, told Bloomberg News that the Pentagon needs to speed up efforts to counter adversaries who are developing military tools supported by advanced technologies such as artificial intelligence, machine learning and eventually quantum science.

Quantum computing may prove far more capable than existing technology at certain mathematical problems, solving them exponentially faster than classical computers. That would let an operator break the public-key algorithms (the ones built on factoring and discrete logarithms) that underpin today’s encryption protocols, unlocking an array of sensitive data.

“I don’t think that there are enough senior leaders getting their heads around the implications of quantum,” Spirk said. “Like AI, I think that’s a new wave of compute that when it arrives is going to be a pretty shocking moment to industry and government alike.”

If the U.S. doesn’t make the right investments in defensive quantum today, “then our concepts around encryption, data security, and cybersecurity will be obsolete because the computers will break our cryptography,” Spirk said. Encrypted data that adversaries have already collected would also be at risk, since it could be decrypted later.

So what’s the upshot for you? Tim Gorman, a spokesperson at the Pentagon, said the Department of Defense was taking post-quantum cryptography seriously and coordinating with Congress and across government agencies, and indicated that there was already “a significant effort” underway.

UK: Speedcam Anywhere

A new app will allow any member of the public to submit evidence of other drivers speeding to the police.

Speedcam Anywhere, which uses AI to estimate the speed of a passing car, was created by a team of AI scientists with backgrounds in Silicon Valley companies and top UK universities, reports the Guardian.

The hope is it will encourage police to take speeding more seriously while enabling residents, pedestrians and cyclists to document traffic crimes in their area.

However, the app’s creators say they have been subjected to a vicious response, with many now scared to reveal their real identities due to the level of vitriol aimed at them by drivers.

“We’re getting quite abusive emails,” Sam, the app’s founder, told the Guardian on condition of anonymity.

“It’s a Marmite product – some people think it’s a good idea, some people think that it turns us into a surveillance state. I can see both sides of that, but I think that if you’re going to have speed limits, then it’s the law that you obey them, and you should enforce the law.

“It’s not a personal vendetta against anyone, it’s just – how do we make our roads safe? There are 20,000 serious injuries on the roads every year – how can we reduce them? And the way we reduce them is we make a deterrent to speeding.”

The app has also faced other difficulties in getting off the ground. Google initially refused to allow it on the Play Store, claiming it wasn’t possible to estimate the speed of a passing vehicle using AI alone; that claim was later proved wrong.

An iOS version has also been developed, but it has not yet been approved for distribution by Apple, which has not given a reason for the delay. “We’re not sure why they would block a useful piece of technology, something that could save people’s lives,” Sam said.

Currently, the app cannot lead to drivers receiving speeding tickets, as the algorithm is yet to be vetted by the Home Office, meaning it is not legally a speed camera, although drivers could still be charged with ‘dangerous driving’ offenses if their behavior is deemed to be sufficiently negligent.

Sam says he hopes the use of the app will alert police to speeding hotspots, encouraging them to take more action against dangerous driving.

So what’s the upshot for you? Walkers, runners and cyclists take note: even if the app is never used for anything more than giving a true idea of the speed of the cars around us, we think that having a sense of the velocity of passing traffic helps you judge how dangerous an area is for outdoor exercise, and may lead you to safer training grounds.

That’s it for this week.
Stay safe, stay secure, watch your speed (and your altitude), and we’ll see you in se7en.