Unravelling the IT Privacy and Security Weekly update for the week ending November 1st, 2022


This week we start down the road of your data being collected and discover ways and places it’s being shared that you might never have suspected.

Next, we learn who’s included in the hubbub about ransomware and what the ransomware baddies are doing to build greater efficiencies into their exploits.

From there we move on to companies with more leaks than a wicker canoe, a submarine screendoor, or a porcupine’s raincoat.

We have a great story about how one company has finally made it to the top, and how sometimes it’s not as great as it’s made out to be.

We end with a warm and cuddly way to go invisible and perhaps the perfect holiday gift for those in the Northern hemisphere.

Layer up and let’s go have an adventure!

Global: QR Code Menus Are the Restaurant Industry’s Worst Idea

The QR-code menu – which you access by scanning a black-and-white square with your smartphone – has taken off since the pandemic.

Many of the codes "are actually generated by a different company that collects, uses, and then often shares your personal information," the American Civil Liberties Union has warned.

“In fact, companies that provide QR codes to restaurants like to brag about all the personal information you are sharing along with that food order: your location, your demographics such as gender and age group, and other information about you and your behavior.”

So what’s the upshot for you? The article also makes the case that even checking a menu on your smartphone means you are just a flick away from answering texts and scrolling social media feeds, and it opines for the “Good ol’ paper menu”.

In light of the privacy concerns associated with QR code menus, we’ve kind of lost our appetite…

Global: Square sells access to your inbox.

The article’s author wondered how the merchants he had made purchases from in the recent past via credit card all seemed to be contacting him via e-mail. He had not provided them his e-mail.

So he put his reporter hat on and went back to the merchants to find out.

It turned out that Square’s parent company, Block, sells access to customers’ inboxes, even if all we do is elect to receive a receipt from a single transaction, at a single merchant.

Square provides all those merchants the ability to manage email campaigns. It takes its vast store of contact information — which a close reading of its terms of service reveals it collects from consumers who want a receipt sent to them — and sells smaller businesses access to those email and text inboxes.

That includes the ability to reach out to customers whose details the sellers never collected themselves.

All Square needs is for the targeted customer to have made a purchase at some point from the merchant that wants to send the ad.

Square’s ubiquitous card scanners and checkout consoles are first among equals in the fintech revolution that made it so most small businesses could easily afford to take credit card payments.

Block disclosed in securities filings that it handled more than 3 billion card payments in 2021 and kept 261 million consumer profiles — a major increase from more than 2 billion payments and 210 million profiles in 2020. It serves everyone from parents running a local bake sale for the PTA to regional chains like Compass.

So what’s the upshot for you? OK, so perhaps your range of shops is not that large, and this is not that much of a bother, but you still want your phone number and email removed from the mailing list that is resold: Block has hidden those options behind multiple verification prompts and nested them within seemingly unrelated menus, such as a credit card preferences screen.

So think carefully before requesting a vendor e-mail you a copy of the receipt.
You may end up with way more than just a receipt.

US: White House Invites Dozens of Nations For Ransomware Summit

The White House brought together a number of nations, the European Union, and a slew of private-sector companies for a two-day summit yesterday and today that looked at how best to combat ransomware attacks.

The second International Counter Ransomware Summit focused on priorities such as ensuring systems are more resilient to better withstand attacks and disrupt bad actors planning such assaults.

So what’s the upshot for you? The list of countries attending runs to about three dozen. Glaring in their absence were Russia, China, and North Korea.

US: Leaked Documents Outline DHS’s Plans To Police Disinformation

These are the key takeaways from the report:

  • Though DHS shuttered its controversial Disinformation Governance Board, a strategic document reveals the underlying work continues.
  • DHS plans to target inaccurate information on "the origins of the COVID-19 pandemic and the efficacy of COVID-19 vaccines, racial justice, U.S. withdrawal from Afghanistan, and the nature of U.S. support to Ukraine."
  • Facebook created a special portal for DHS and government partners to report disinformation directly.
  • The work is primarily done by CISA, a DHS sub-agency tasked with protecting critical national infrastructure.
  • DHS, the FBI, and several media entities were holding biweekly meetings as recently as August.
  • DHS considered countering disinformation relating to content that undermines trust in financial systems and courts.
  • The FBI agent who primed social media platforms to take down the Hunter Biden laptop story continued to have a role in DHS policy discussions.

So what’s the upshot for you? No government is squeaky clean when it comes to information/disinformation administration and that includes the US.

US: FTC Accuses Ed Tech Firm Chegg of ‘Careless’ Data Security

In a legal complaint, filed yesterday, regulators accused Chegg of numerous data security lapses dating to 2017.

Among other problems, the agency said, Chegg had issued root login credentials, essentially an all-access pass to certain databases, to multiple employees and outside contractors.

Those credentials enabled many people to look at user account data, which the company kept on Amazon Web Services’ online storage system.

As a result, the agency said, a former Chegg contractor was able to use company-issued credentials to steal the names, email addresses, and passwords of about 40 million users in 2018.
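The lapse described here, credentials that act as an all-access pass and are handed to many people, is the kind of thing a routine audit catches. The following Python is an added example written for this page, not Chegg’s code and not taken from the FTC complaint: it flags IAM policy statements that grant wildcard actions or resources with no condition attached, and groups CloudTrail-style records by access key to spot one key being used from many places. The policies, key IDs and IP addresses are constructed for the illustration. One caveat: the actual AWS account root user is not bound by IAM policies at all, which is exactly why it should never be handed out as a working credential; the all-access policy below models the same effect for an ordinary IAM principal.

```python
"""Audit IAM policy documents for the all-access pattern, and CloudTrail-style
records for one access key being used from many places (a shared credential).
Added example for this page; every policy, key ID and IP below is constructed."""
from collections import defaultdict


def _as_list(v):
    # IAM allows a single string or a list for Action / Resource / Statement.
    return v if isinstance(v, list) else [v]


def audit_policy(policy: dict) -> list:
    """Return findings for one IAM policy document; an empty list means it passed."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append(f"statement {i}: wildcard action(s) {wild_actions}")
        if "*" in resources:
            findings.append(f"statement {i}: applies to every resource")
        if "Condition" not in st:
            findings.append(f"statement {i}: no Condition (e.g. MFA, source IP) limits where the grant can be used")
    return findings


def shared_key_usage(events: list, max_sources: int = 2) -> dict:
    """Group CloudTrail-style records by access key and return the keys seen from
    more distinct source IPs than one person plausibly uses."""
    sources = defaultdict(set)
    for ev in events:
        sources[ev["userIdentity"]["accessKeyId"]].add(ev["sourceIPAddress"])
    return {k: sorted(ips) for k, ips in sources.items() if len(ips) > max_sources}


# Constructed: the "all-access pass" shape, one statement that allows everything everywhere.
ALL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: what a contractor who needs to read one export prefix should get instead.
SCOPED_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-user-data", "arn:aws:s3:::example-user-data/exports/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Constructed CloudTrail-style records (fields trimmed); IPs are from the documentation ranges.
EVENTS = [
    {"eventName": "GetObject",   "userIdentity": {"accessKeyId": "AKIASHAREDKEY0000001"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "ListObjects", "userIdentity": {"accessKeyId": "AKIASHAREDKEY0000001"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "GetObject",   "userIdentity": {"accessKeyId": "AKIASHAREDKEY0000001"}, "sourceIPAddress": "192.0.2.44"},
    {"eventName": "GetObject",   "userIdentity": {"accessKeyId": "AKIASHAREDKEY0000001"}, "sourceIPAddress": "203.0.113.99"},
    {"eventName": "GetObject",   "userIdentity": {"accessKeyId": "AKIAALICEONLY0000002"}, "sourceIPAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for name, pol in (("ALL_ACCESS", ALL_ACCESS), ("SCOPED_READ_ONLY", SCOPED_READ_ONLY)):
        print(name, audit_policy(pol) or "clean")
    print("shared keys:", shared_key_usage(EVENTS))
```

Against a real account, feed `audit_policy` the JSON returned by `aws iam get-policy-version` for each attached policy, and `shared_key_usage` a CloudTrail export; the result you want for every contractor is what SCOPED_READ_ONLY produces, an empty findings list.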

In certain cases, sensitive details on students’ religion, sexual orientation, disabilities, and parents’ income were also taken.

Some of the data was later found for sale online.

Chegg’s popular homework help app is used regularly by millions of high school and college students.

To settle the FTC’s charges, the agency said, Chegg had agreed to adopt a comprehensive data security program.

So what’s the upshot for you? You have to ask yourself why they are collecting this range of data about kids in the first place.

In cases where parents and students have to provide detail of this nature just to gain access to an app, we say “Throw the book at those that don’t keep the data safe.”

Global: Thomson Reuters Collected and Leaked at Least 3TB of Sensitive Data


You won’t be surprised to hear that this story is not being covered by Thomson Reuters.

Thomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and corporate data, including third-party server passwords in plaintext format.

Attackers could use the details for a supply-chain attack.

The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at.

One of the open instances, the 3TB public-facing Elasticsearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms.

Thomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect, legal research service and database Westlaw, the tax automation system ONESOURCE, an online research suite of editorial and source materials Checkpoint, and other tools.

The size of the open database the team discovered is consistent with the company using Elasticsearch, a data store favored by enterprises dealing with extensive, constantly updated volumes of data.

So what’s the upshot for you? They may never cover the story, but thankfully the company recognized the issue and fixed it immediately.

Global: Could Data Destruction + Exfiltration Replace Ransomware?

Let’s face it. Encrypting data so it can be held to ransom for a fee is time-consuming, and the decryption often doesn’t work anyway.

Some security researchers think the trend suggests that ransomware groups may change their tactics entirely and abandon encryption in favor of a combined approach of exfiltration and destruction: steal the data, then destroy the original and any backups, leaving the stolen copy as the victim’s only hope of recovery.

After all, if ransomware just destroys data anyway, why waste resources developing it?

“With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery,” Cyderes researchers wrote after analyzing an attack last month.

“Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data,” they added.

"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild.

During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability."

So what’s the upshot for you? And we will need to believe that after the ransom is paid the baddies’ copy of the data will be destroyed. Yeah, right.

Global: Dropbox discloses breach after a hacker stole 130 GitHub repositories

“To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers,” Dropbox revealed today.

“The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users).”

The successful breach resulted from a phishing attack that targeted multiple Dropbox employees using emails impersonating the CircleCI continuous integration and delivery platform and redirecting them to a phishing landing page where they were asked to enter their GitHub username and password.

On the same phishing page, the employees were also asked to “use their hardware authentication key to pass a One Time Password (OTP).”

After stealing the Dropboxers’ credentials, the attackers gained access to one of Dropbox’s GitHub organizations and stole 130 of its code repositories.
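The detail that matters most in this story is the OTP step. A one-time password from a hardware key is just a string the user types, so a phishing page can relay it to the real site in real time; a WebAuthn (FIDO2) assertion cannot be relayed that way, because the browser writes the page’s real origin into the signed data and the relying party rejects any origin it does not recognise. The Python below is an added example for this page, not Dropbox’s or GitHub’s code: it models both checks on the server side and a relay attack against each. The origins, RP ID and OTP value are constructed, and the authenticator signature check is left out so the origin-binding step stands on its own.

```python
"""Why a relayed hardware-key OTP logs the phisher in and a relayed WebAuthn assertion does not.
Added example for this page, not Dropbox's or GitHub's code. Origins, RP ID and the OTP are constructed;
the authenticator signature check is omitted to isolate the origin-binding step."""
import base64
import hashlib
import json
import secrets

RP_ID = "github.example"                      # assumed relying-party ID for this illustration
ALLOWED_ORIGINS = {"https://github.example"}  # the only origin the RP accepts assertions from


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def otp_login(submitted: str, expected: str) -> bool:
    """OTP check. The code is a bearer string: whoever holds it can submit it, and nothing in it
    records which site the user believed they were typing it into, so a live relay succeeds."""
    return secrets.compare_digest(submitted, expected)


def browser_get_assertion(page_origin: str, challenge: bytes) -> dict:
    """What a browser returns to a page calling navigator.credentials.get() (signature omitted).
    The browser, not the page, writes the page's real origin into clientDataJSON, and it only
    permits an rpId that is a registrable suffix of that origin (default: the page's host)."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return {
        "clientDataJSON": json.dumps(client_data).encode(),
        "rpIdHash": hashlib.sha256(rp_id.encode()).digest(),
    }


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party side: the type, challenge, origin and rpIdHash checks of WebAuthn assertion
    verification. A real RP then also verifies the authenticator's signature over
    authenticatorData || sha256(clientDataJSON)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def simulate_relay(phish_origin: str = "https://circleci-login.example") -> tuple:
    """Attacker-in-the-middle: the phishing page forwards the real site's challenge to the
    victim's browser and relays whatever comes back. Returns (otp accepted, webauthn accepted, reason)."""
    otp = "492817"                                            # constructed: what the victim's key displayed
    otp_result = otp_login(submitted=otp, expected=otp)       # the attacker submits the relayed code
    challenge = secrets.token_bytes(32)                       # issued by the real site, forwarded by the phisher
    assertion = browser_get_assertion(phish_origin, challenge)  # signed while the victim is on the phishing page
    webauthn_result, reason = rp_verify(assertion, challenge)
    return otp_result, webauthn_result, reason


if __name__ == "__main__":
    print("relayed OTP accepted, relayed WebAuthn accepted, reason:", simulate_relay())
```

The same challenge check also stops a captured assertion from being replayed later, which is the second thing an OTP cannot promise once it has left the user’s hands.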

“These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team,” the company added.

“Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.”
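Two of this week’s stories come down to credentials sitting in data that should never have held them: third-party server passwords in plaintext in the Thomson Reuters database, and API keys in Dropbox’s GitHub repositories. The following Python is an added example for this page, not code from either company: a small scanner that walks JSON-like records for credential-named fields and connection URLs with embedded passwords, and scans source text for well-known token formats and quoted secret assignments, redacting everything it reports. The record, the source lines, and every key and password in them are constructed for the illustration.

```python
"""Scan exported records and source text for credentials that should not be there.
Added example for this page; the sample record, source lines, keys and passwords are all constructed."""
import re

# Field names that usually carry a credential when they hold a literal string value.
CRED_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I)
# scheme://user:password@host  (credentials embedded in a connection URL)
URL_USERINFO = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@", re.I)
# Well-known token formats. The values matched below are constructed, not real keys.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# name = "literal"  where the name looks like a secret; env-var lookups deliberately do not match.
ASSIGNMENT = re.compile(
    r"""(\w*(?:pass(?:word|wd)?|secret|token|api[_-]?key|private[_-]?key)\w*)\s*[:=]\s*["']([^"']+)["']""", re.I)


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be matched to its source without copying the secret."""
    return secret[:3] + "*" * (len(secret) - 3)


def _string_findings(where: str, text: str) -> list:
    out = []
    for kind, pat in TOKEN_PATTERNS.items():
        for m in pat.finditer(text):
            out.append({"where": where, "kind": kind, "sample": redact(m.group(0))})
    for m in URL_USERINFO.finditer(text):
        out.append({"where": where, "kind": "url_userinfo", "sample": redact(m.group(1))})
    return out


def scan_document(doc, path: str = "$") -> list:
    """Walk a JSON-like document (dicts, lists, strings) and report credential-bearing fields."""
    findings = []
    if isinstance(doc, dict):
        for k, v in doc.items():
            p = f"{path}.{k}"
            if isinstance(v, str) and v and CRED_KEY.search(k):
                findings.append({"where": p, "kind": "credential_field", "sample": redact(v)})
            findings.extend(scan_document(v, p))
    elif isinstance(doc, list):
        for i, v in enumerate(doc):
            findings.extend(scan_document(v, f"{path}[{i}]"))
    elif isinstance(doc, str):
        findings.extend(_string_findings(path, doc))
    return findings


def scan_source(text: str) -> list:
    """Scan source or config text line by line. Only quoted literals count as an assignment hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = _string_findings(f"line {n}", line)
        if not hits:
            m = ASSIGNMENT.search(line)
            if m:
                hits = [{"where": f"line {n}", "kind": "credential_assignment",
                         "name": m.group(1), "sample": redact(m.group(2))}]
        findings.extend(hits)
    return findings


# Constructed: shaped like a connection-config document one might find in an open index.
RECORD = {
    "host": "files.partner.example",
    "user": "svc_ingest",
    "password": "Winter2022!",
    "jdbc_url": "postgres://app:hunter2@db.example:5432/prod",
    "endpoints": [{"name": "billing", "url": "sftp://svc:Pa55w0rd@files.partner.example"}],
    "note": "rotated 2022-10-01",
}

# Constructed source lines: two literal tokens, one literal password, two lines that must not fire.
SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000000"
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
db_password = "s3cret!"
api_password = os.environ["API_PASSWORD"]
headers = {"Authorization": f"Bearer {token}"}
"""

if __name__ == "__main__":
    for f in scan_document(RECORD) + scan_source(SOURCE):
        print(f)
```

The fourth and fifth source lines are the shape the code should have: the secret comes from the environment or a variable at run time, so nothing in the repository is worth stealing even if the repository is.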

So what’s the upshot for you? Dropbox added that the attackers never had access to customers’ accounts, passwords, or payment information, and its core apps and infrastructure were not affected as a result of this breach.

DE: Germany Plans To Approve Chinese Takeover of Elmos’ Chip Production

German outlet Handelsblatt reported Thursday that the deal – which would see a takeover of the semiconductor production of Dortmund-based Elmos by Sweden’s Silex, a wholly owned subsidiary of China’s Sai Microelectronics – was set to get the green light against security advice.

The deal is currently being reviewed by the German economy ministry.

A final decision on approval is expected within the next few weeks.

Elmos is one of Germany’s smaller semiconductor companies, which mainly produces chips for the automotive industry.

Silex plans to take over the plant for 85 million euros.

Elmos will use the investment to give up its own production and instead process chips bought from contract manufacturers.

The German government says that the technology Elmos uses is old and that no outflow of critical know-how to China is to be expected.

The German security authorities, on the other hand, argued that they are concerned not only about know-how leaving the country, but also that China is systematically increasing its chip production capacities.

According to Handelsblatt, they advised the government to block the deal.

The president of the Federal Intelligence Service (BND) also recently warned that China is deliberately buying into strategic industries in order to exert pressure on other countries.

So what’s the upshot for you? We don’t know if anyone has checked recently, but didn’t automobile production fall off a cliff because no one could get the “old” 10n chips that no one wanted to invest in producing anymore?

And let’s see: COSCO Shipping (Chinese) buying into German ports (against advice), Germany reliant on Russian oil and gas (against advice). It’s no wonder that EU partner France put a pause on conferring with them recently.

Global: One way to make it to the top: DHL Replaces LinkedIn As Most Imitated Brand in Phishing Attempts

Shipping company DHL has knocked LinkedIn off the top spot as the number one brand being imitated in phishing attempts between July and September this year.

The data comes from Check Point’s Q3 Brand Phishing Report.

According to the new data, DHL now accounts for just under a quarter (22%) of all phishing attempts worldwide.

Check Point has said this is due partly to a significant global scam and phishing attack that the logistics firm warned about days before the quarter started.

Microsoft is in second place (16%), and LinkedIn has fallen into third, accounting for just 11% of scams, compared to 52% in Q1 and 45% in Q2.

So what’s the upshot for you? These are kind of like the Phishing league tables. Can Microsoft fight back to regain the title for year-end? Stay tuned!

Global: Saudis ‘second largest investors’ in Twitter after Musk takeover

So what did the second largest holder of Twitter stock say back when Elon initially proposed to buy Twitter?

"I don’t believe that the proposed offer by @elonmusk ($54.20) comes close to the intrinsic value of @Twitter given its growth prospects.

Being one of the largest & long-term shareholders of Twitter, @Kingdom_KHC & I reject this offer. https://twitter.com/Alwaleed_Talal/status/651819883576074240 https://twitter.com/Alwaleed_Talal/status/1514615956986757127/photo/1

— (@Alwaleed_Talal) April 14, 2022"

So what’s the upshot for you? Musk’s purchase of Twitter was secured with funding from a number of investors, including Larry Ellison, the co-founder of software company Oracle, and Qatar Holding, which is controlled by Qatar’s sovereign wealth fund.

No… we are not worried about the Twitter narrative being tweaked based on the beliefs of the world’s richest man, the world’s fourth richest man, Saudi Arabia or Qatar. Why would we be?

US: The perfect Holiday pullover?

“This stylish pullover is a great way to stay warm this winter,” the team writes, "whether in the office or on-the-go.

It features a stay-dry microfleece lining, a modern fit, and adversarial patterns that evade most common object detectors.

In [our] demonstration, the YOLOv2 detector is evaded using a pattern trained on the COCO dataset with a carefully constructed objective."

Initially, the team’s work focused on simulated attacks: generating an “adversarial pattern,” which could be applied to detected objects within a given image to prevent the model from recognizing them.

The key was in the creation of a “universal adversarial patch:” a single pattern that could be applied over any object to hide it from the model.

While it’s easy to swap patterns out in the simulation, it’s harder in the real world — especially when you’ve printed the pattern onto a sweater.
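To make the “universal adversarial patch” idea concrete, here is an added toy example for this page, not the researchers’ code or model: a single logistic unit stands in for the detector, the “objects” are noisy 5x5 cross shapes it fires on, and one fixed 3x3 patch at the same position on every image is optimised by sign-gradient descent to push the detector’s score down across the whole training set. The same patch is then applied to images it never saw, which is what makes it universal. Everything here (detector weights, image generator, patch location) is constructed for the illustration; a real attack runs the same optimisation through a convolutional detector such as YOLO, with rendering and physical-world augmentations in the loop.

```python
"""Toy universal adversarial patch against a one-unit 'detector'.
Added example for this page; the detector, images and patch location are all constructed."""
import math
import random

SIZE = 5
# The detector's idea of an object: a plus sign (centre row and centre column), 9 pixels.
CROSS = {(r, c) for r in range(SIZE) for c in range(SIZE) if r == 2 or c == 2}
WEIGHTS = [1.0 if (r, c) in CROSS else -0.5 for r in range(SIZE) for c in range(SIZE)]
BIAS = -3.0
# One 3x3 patch in the top-left corner, at the same position on every image (that is the "universal" part).
PATCH = [(r, c) for r in range(3) for c in range(3)]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def detector(img: list) -> float:
    """Toy object detector: a logistic unit that fires on the cross template."""
    return sigmoid(sum(w * x for w, x in zip(WEIGHTS, img)) + BIAS)


def make_objects(n: int, rng: random.Random) -> list:
    """Constructed 'objects': bright cross on a dark background, with per-pixel noise."""
    return [[(0.9 if (r, c) in CROSS else 0.1) + rng.uniform(-0.1, 0.1)
             for r in range(SIZE) for c in range(SIZE)] for _ in range(n)]


def apply_patch(img: list, patch: list) -> list:
    out = list(img)
    for (r, c), v in zip(PATCH, patch):
        out[r * SIZE + c] = v
    return out


def train_universal_patch(imgs: list, steps: int = 30, step_size: float = 0.1) -> list:
    """Minimise the detector's mean score over all training images with one shared patch.
    d score / d patch_j = s(1-s) * w_j for a logistic unit; we step against the sign of the
    gradient averaged over the batch and keep pixel values printable, i.e. clipped to [0, 1]."""
    patch = [0.5] * len(PATCH)
    for _ in range(steps):
        grad = [0.0] * len(PATCH)
        for img in imgs:
            s = detector(apply_patch(img, patch))
            for j, (r, c) in enumerate(PATCH):
                grad[j] += s * (1.0 - s) * WEIGHTS[r * SIZE + c] / len(imgs)
        patch = [min(1.0, max(0.0, p - step_size * ((g > 0) - (g < 0))))
                 for p, g in zip(patch, grad)]
    return patch


def detection_rate(imgs: list, patch: list = None, threshold: float = 0.5) -> float:
    """Fraction of images the detector calls an object, with or without the patch applied."""
    return sum(detector(apply_patch(i, patch) if patch else i) > threshold for i in imgs) / len(imgs)


if __name__ == "__main__":
    rng = random.Random(0)
    train, held_out = make_objects(40, rng), make_objects(20, rng)
    patch = train_universal_patch(train)
    print("detected without patch:", detection_rate(held_out))
    print("detected with patch   :", detection_rate(held_out, patch))
    print("patch:", [round(p, 2) for p in patch])
```

Because the detector is linear, the optimiser simply learns to blank out the template pixels the patch covers and light up the background ones; with a real network the same loop finds textures that are far less obvious to a human, and the gap between simulation and a printed sweater comes from everything this toy leaves out (camera, lighting, fabric deformation).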

So what’s the upshot for you? No, it’s not yet for sale as far as we could find, but that probably won’t stop some adventurous soul from knitting one!

And our quote of the week: “Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules - not just for governments but for private companies.” - Bill Gates

That’s it for this week. Stay safe, stay secure, remember you can’t stay afloat in a wicker boat, and see you in se7en.

I’m subscribed to your podcast and love the creativity!!

Superb! Thanks Manish! We love the feedback and we hope you can share the podcast, Daml and this whole great community!

Best, RPS