Twisting the IT Privacy and Security Weekly update for April 26th., 2022

Daml’ers,

You may gain a couple of kilos in this week’s IT Privacy and Security Weekly update, but we promise it’s got some of the tastiest content yet!

We start with what may become the latest rage in M.I.T. degrees and finish with a whisper.

In between we find a good reason to organize cold storage, we lose our monkeys, and then as we search for sponges, discover a 2000-year-old computer.

We see the ripples of a schoolchildren’s data breach grow into waves, we learn the cost of Zoom Bombing, and get a surprise when we find out who is writing the most code for the new Linux kernel.

This is the most calorific update yet, so let’s start in the creamy center and work our way to the edges!


US: On Oreology, the fracture and flow of “milk’s favorite cookie”

https://aip.scitation.org/doi/full/10.1063/5.0085362

Confidentially speaking, the mechanical experience of consumption (i.e., feel, softness, and texture) of many foods is intrinsic to their enjoyable consumption, one example being the habit of twisting a sandwich cookie to reveal the cream.

Scientifically, sandwich cookies present a paradigmatic model of parallel plate rheometry in which a fluid sample, the cream, is held between two parallel plates, the wafers.

When the wafers are counter-rotated, the cream deforms, flows, and ultimately fractures, leading to the separation of the cookie into two pieces.

We introduce Oreology, from the Nabisco Oreo for “cookie” and the Greek rheo logia for “flow study,” as the study of the flow and fracture of sandwich cookies.

Through a series of experiments with a laboratory rheometer used to hold whole Oreo cookies, we determined that creme distribution upon cookie separation by torsional rotation is not a function of rate of rotation, creme level, or flavor, but was mostly determined by the preexisting level of adhesion between the cookie creme and each wafer.

So what’s the upshot for you? MIT researchers announced what just might be the hottest new career path: Oreologist. We’re in for that and a glass of milk.


Global: MetaMask warns Apple users over iCloud phishing attack

The firm warned that if an Apple user has enabled automatic iCloud backups of their MetaMask wallet data, their seed phrase is being stored online.

The security issue for iPhone, Mac, and iPad users is related to default device settings which see a user’s seed phrase or “password-encrypted MetaMask vault” stored on the iCloud if the user has enabled automatic backups for their application data.

In a Twitter thread posted on Monday, MetaMask noted that users run the risk of losing their funds if their Apple password “isn’t strong enough” and an attacker is able to phish their account credentials.

The warning from MetaMask came in response to reports from an NFT collector who goes by “revive_dom” on Twitter, who stated on Friday that their entire wallet containing $650,000 worth of digital assets and non-fungible tokens (NFTs) was wiped via this specific security issue.

They noted that the victim received multiple text messages asking him to reset his Apple ID password, along with a supposed call from Apple that was ultimately traced to a spoofed caller ID.

As they were reportedly unsuspecting of the caller, “revive_dom” handed over a six-digit verification code to prove that they were the owner of the Apple account. The scammers subsequently hung up and accessed his MetaMask account via data stored on iCloud.

So what’s the upshot for you? This highlights the value of cold storage or… plenty of due diligence if you are planning to store assets in a hot wallet.


GR: Scientists Have Unlocked the Secrets of the Ancient 'Antikythera Mechanism’

https://www.nature.com/articles/s41598-021-84310-w

In the early 1900s, divers hunting for sponges off the coast of Antikythera, a Greek island in the Aegean Sea, discovered a Roman-era shipwreck that contained an artifact destined to dramatically alter our understanding of the ancient world.

Known as the Antikythera Mechanism, the object is a highly sophisticated astronomical calculator that dates back more than 2,000 years.

Since its recovery from the shipwreck in 1901, generations of researchers have marveled over its stunning complexity and inscrutable workings, earning it a reputation as the world’s first known analog computer.

“This is such a special device,” said Adam Wojcik, a materials scientist at UCL and a co-author of the study, in a call. “It’s just so out-of-this-world, given what we know, or knew, about contemporary ancient Greek technology. It’s unique and there’s nothing else that remotely approaches it for centuries, or maybe a millennia afterward.”

This computer figures out the positions of celestial bodies in the sky.

“If you’re going to show all the planets, you’re going to have to get all their positions correct.

As you rotate the handle on the side of the mechanism, all these little planets start to move around like clockwork in this kind of mini-planetarium and occasionally, one of them will turn backward, and then it would move forwards again, and then another one, further out, will start to turn backward.

But at any one point, when you stop the machine, it’s got to give you a faithful reproduction of the heavens because that’s the purpose of the machine,” he said. “And it does.”

“It is so remarkable in terms of its requirements for accuracy and manufacturing ability that it’s out of sync with what we think Greeks could have achieved.

But we have to accept that that is the way the machine worked, and the Greeks made it.”

So what’s the upshot for you? How did “they” create such an intricate, precise, and refined analog computer over 2200 years ago? “Unless it’s from outer space, we have to find a way in which the Greeks could have made it. That’s the next stage, and the real challenge, finding the final piece of this jigsaw.”


US: Nearly 12B spam texts were sent last month in the US. That’s about 40 texts for every American

11.66 billion spam texts were sent in the US in March 2022.

That’s nearly 42 spam texts for every person in the country!

376,032,773 Spam Texts per day
2,632,229,413 Spam Texts per week
555,467,785 Spam Texts on weekends
261,133 Spam Texts per minute
42 Spam Texts per person

So what’s the upshot for you? This square can of spam is rolling out of control. It’s almost inconceivable that controls cannot be put in place to throttle these numbers, because in one way or another we bear the cost of them.


US: Illuminate Education breach that affected NYC schools spreads to Connecticut

A school district in Coventry, Connecticut, notified families of its students last week that students’ data may have been swept up in a breach of one of its vendors earlier this year.

The breach-notification letter, dated last Tuesday, stated that data belonging to the roughly 1,700 students enrolled in Coventry Public Schools may have been exposed in a January breach of Illuminate Education, a software company that develops software that tracks students’ academic progress.

The Illuminate product in question, called eduCLIMBER, is used by school districts to track students’ grades, attendance, and behavioral development, according to the company’s website.

The letter is evidence that Illuminate Education’s woes are not limited to New York City and could spread further, according to Doug Levin, who heads up the K-12 Security Information Exchange.

The group, which tracks cybersecurity incidents affecting grade schools, has found in some years that three-fourths of attacks and breaches begin with one of the numerous IT vendors that supply primary and secondary schools.

So what’s the upshot for you? “It’s hard to imagine it was New York City and this Connecticut district and no other districts.”


Global: Bored Ape Yacht Club Instagram Hacked, NFTs Worth Millions Stolen

On Monday, the Bored Ape Yacht Club NFT project announced that its Instagram account had been hacked in a tweet.

“There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything,” the group wrote.

On its official Discord channel, a moderator warned users: “THERE IS A FAKE LAND MINT WEBSITE BEING SHARED BY THE BAYC IG. DO NOT MINT ANYTHING.”

The hackers advertised a fake distribution of NFTs, known as an airdrop in the web3 world, which tricked users into clicking on a malicious link. Once people clicked on it, they gave control of their wallets to the hackers, according to CoinDesk.

In a tweet, independent blockchain sleuth Zachxbt shared a link to the hacker’s Ethereum address, which is currently labeled as being a phishing address on Etherscan.

Blockchain records show that the address received 134 NFTs within the space of a few hours on Monday morning.

The stolen assets include numerous NFTs from Yuga Labs, the firm behind BAYC, including Bored Ape, Mutant Ape, and Kennel Club NFTs. The value of those NFTs before they were stolen was $2.7 million.

It’s unclear at this point how the hackers compromised the Instagram account.

So what’s the upshot for you? Bored Apes are now Bored Stolen Apes.


Global: What is an API and how can it be used to provide higher security?

An Application Programming Interface (API) is a software intermediary that allows your applications to communicate with one another.

Whenever you use a social networking app, gaming app, or any other app to send or receive messages, your actions pass through an API that connects you and the sender or receiver.

APIs are built with REpresentational State Transfer (REST) or Simple Object Access Protocol (SOAP).

REST is famous for its simple techniques, and it has a simple architectural style for building web services.

SOAP, on the other hand, is a message protocol that allows seamless communication between the elements of an application.

REST APIs run over HTTP, usually protected with Transport Layer Security, and commonly exchange JavaScript Object Notation (JSON), while SOAP functions primarily over Hypertext Transfer Protocol (HTTP).

API security functions primarily with the help of authorization and authentication.

Authentication is the first process involved in API security, and it verifies that your application process has a safe identity that allows you to use an API.

Authorization is the next step that determines the type of data an authenticated application has access to while communicating with an API.

How can they be configured to provide greater security?

  1. Security tokens add a second factor to your login credentials. A token has to be verified before you can use any service or resource exposed by the API(s).

  2. Data encryption and signatures via Transport Layer Security (TLS) are additional methods to facilitate API security. Transport Layer Security keeps your internet connection private and secures the data sent between you and a server. With this in place, data cannot be pulled from the site without a signature that identifies the caller as a permitted user.

  3. Quotas and Throttling: Quotas are placed on your APIs to track their use and history and check if anyone abuses them. Throttling is an API security method that limits people’s access to data. With throttling, high query levels halt responses for a predetermined period of time.

  4. API Gateways can serve as a muster point for all your API traffic. A secure API gateway can be configured to authorize and authenticate your traffic and then control API use.
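To tie the four points above together, here is an added example (not code from the original article) of a minimal gateway check: it verifies a signed token (authentication), checks the client’s scope against the endpoint (authorization), and applies a sliding-window throttle (quota). The secret, client ids, scopes and endpoints are constructed for the demo.

```python
import hmac
import hashlib
from collections import deque

# Constructed demo values; a real gateway loads these from a secrets store
# and an identity provider rather than hard-coding them.
SECRET = b"demo-gateway-secret"
CLIENT_SCOPES = {
    "reporting-app": {"read:grades"},
    "import-job": {"read:grades", "write:grades"},
}
ENDPOINT_SCOPE = {("GET", "/grades"): "read:grades",
                  ("POST", "/grades"): "write:grades"}


def issue_token(client_id, expires_at):
    """Mint 'client_id.expires_at.hexsig', signed with HMAC-SHA256."""
    payload = f"{client_id}.{int(expires_at)}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{sig}"


def authenticate(token, now):
    """Return the client id if the signature is valid and unexpired, else None."""
    try:
        client_id, exp, sig = token.split(".")
        exp = int(exp)
    except ValueError:            # malformed token
        return None
    payload = f"{client_id}.{exp}".encode()
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return client_id if exp > now else None


class Throttle:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per client."""
    def __init__(self, limit, window):
        self.limit, self.window, self.calls = limit, window, {}

    def allow(self, client_id, now):
        q = self.calls.setdefault(client_id, deque())
        while q and q[0] <= now - self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def gateway(method, path, token, now, throttle):
    """Authenticate, then authorize, then throttle; returns an HTTP-style status."""
    client_id = authenticate(token, now)
    if client_id is None:
        return 401
    needed = ENDPOINT_SCOPE.get((method, path))
    if needed is None or needed not in CLIENT_SCOPES.get(client_id, set()):
        return 403
    if not throttle.allow(client_id, now):
        return 429
    return 200
```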

So what’s the upshot for you? APIs are such a common type of interface that we thought it was time to bring everyone up to some level of familiarity, because increasingly APIs are being probed by hackers, and although security is generally better, a poorly configured API can be like an unlocked doorway.


US: Zoom Agrees To ‘Historic’ $85 Million Payout For Graphic Zoombombing Claims

The Covid-19 pandemic brought on a surge of “zoom-bombing” as hackers and pranksters crashed into virtual meetings with abusive messages and imagery.

Zoom has agreed to a “historic” payout of $85m as part of a class-action settlement brought by its users, including church groups who said they were left traumatized by the disruptions.

As part of the settlement agreement, Zoom Video Communications, the company behind the teleconference application that grew popular during the pandemic, will pay the $85m to users in cash compensation and also implement reforms to its business practices.

Last week a federal judge approved the settlement.

So what’s the upshot for you? The settlement stems from 14 class-action complaints filed against the San Jose-based company by users between March and May of 2020, in which they argued that the company violated privacy and security.


US: Former NSA Computer Scientist: Patching Vulnerabilities Can Give a False Sense of Security

Patching of vulnerabilities is the security industry’s equivalent of thoughts and prayers, a prominent American security expert has said during a debate on the topic “Patching is useless” at a recent online conference named Hack At The Harbor.

Dave Aitel, 46, a former NSA computer scientist who ran his own security shop, Immunity, for many years, said the remedies proposed by security vendors and big technology companies had served to lull people into a false sense of security all these years and ensure that all the old problems still remained… Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others, rather than being continuously patched…

Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.

On the positive side, he had praise for ChromeOS, an operating system that is produced by Google, and recommended the use of Chromebooks rather than Windows machines.

Aitel called for vulnerability management, advocating the government as the best entity to handle this.

His argument was that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry.

So what’s the upshot for you? Yes, we had to reread that one: “Huawei, the biggest contributor to the Linux kernel”. Apparently, Huawei overtook Intel this year (2022) as the major contributor.

Huawei Technologies submitted 1434 changesets or 8.9% overall, versus Intel with 1297 changesets amounting to 8.0% of the code contributions.

Why is Huawei contributing more to the Linux kernel? Huawei has several products and services that rely heavily on Linux. Its smartphones used Android, and its new mobile OS, Harmony, is most likely a revamped Android and thus also based on Linux.

Apart from that, Huawei also offers Huawei Cloud services to compete with the likes of AWS and Google Cloud, and obviously, it needs to customize the Linux kernel to power its cloud infrastructure.


CA: We promised more on the NSO group: "Spyware, Pegasus and How Democracies Spy on Their Citizens"

There is evidence that Pegasus is being used in at least forty-five countries, and it and similar tools have been purchased by law enforcement agencies in the United States and across Europe.

Cristin Flynn Goodwin, a Microsoft executive who has led the company’s efforts to fight spyware, said, “The big, dirty secret is that governments are buying this stuff — not just authoritarian governments but all types of governments…”

“Almost all governments in Europe are using our tools,” Shalev Hulio, NSO Group’s C.E.O., said.

A former senior Israeli intelligence official added, “NSO has a monopoly in Europe.” German, Polish, and Hungarian authorities have admitted to using Pegasus.

Belgian law enforcement uses it, too, though it won’t admit it.

Calling the spyware industry “largely unregulated and increasingly controversial,” the article notes how it’s now impacting major western democracies.

"The Citizen Lab’s researchers concluded that, on July 26 and 27, 2020, Pegasus was used to infect a device connected to the network at 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom…

The United States has been both a consumer and a victim of this technology.

Although the National Security Agency and the C.I.A. have their own surveillance technology, other government offices, including in the military and in the Department of Justice, have bought spyware from private companies, according to people involved in those transactions."

So what’s the upshot for you? We told you we would have more on this story and it just keeps unfolding.


US: If you want to get someone’s attention, just whisper. American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA

https://www.anomalysix.com/

In the months leading up to Russia’s invasion of Ukraine, two obscure American startups met to discuss a potential surveillance partnership that would merge the ability to track the movements of billions of people via their phones with a constant stream of data purchased directly from Twitter.

According to Brendon Clark of Anomaly Six – or “A6” – the combination of its cellphone location-tracking technology with the social media surveillance provided by Zignal Labs would permit the U.S. government to effortlessly spy on Russian forces as they amassed along the Ukrainian border, or similarly track Chinese nuclear submarines.

To prove that the technology worked, Clark pointed A6’s powers inward, spying on the National Security Agency and CIA, using their own cell phones against them.

Virginia-based Anomaly Six was founded in 2018 by two ex-military intelligence officers and maintains a public presence that is scant to the point of mysterious, its website disclosing nothing about what the firm actually does.

But there’s a good chance that A6 knows an immense amount about you.

The company is one of many that purchases vast reams of location data, tracking hundreds of millions of people around the world by exploiting a poorly understood fact: Countless common smartphone apps are constantly harvesting your location and relaying it to advertisers, typically without your knowledge or informed consent, relying on disclosures buried in the legalese of the sprawling terms of service that the companies involved count on you never reading.

So what’s the upshot for you? If you want to make an impact, spy on the spies.


And our final quote for this week:
“Whoever said that the definition of insanity is doing the same thing over and over again and expecting different results has obviously never had to reboot a computer.”
–William Petersen


That’s it for this week. Stay safe, stay secure, pass the milk while we reboot, and we’ll see you in se7en.
