Unwrapping P & S news for W/E 2020 11 24

Dear DAML’ers,

They used to say, “If you want to get someone’s attention, just whisper.” In these trying times where social distancing keeps people more than 6 feet away, that strategy falls flat, so instead we come bearing news of gifts.

We start with free e2ee calls for up to 29 hours 59 minutes and 59 seconds, we move on to leaky apps, why your new car might have gone missing while you shopped for Raspberries, how many Apples it takes to get a CCW, why you might want to change your doorbell…again… and what you might be thinking about if you are a Liverpool Football Club fan while Man U fight off cyber attacks.

We share the most common breeds of phish, Oxford University’s word??!!? of the year, and why Minecraft mods might be bad for your vision (at two minute intervals).

And of course we end with another gift for you, but we are not going to bang on about it.

It’s our best collection of Privacy and Security updates yet so, no holding back! Let’s get unwrapping!!! Read on or listen in!


Zoom to lift 40-minute meeting limit on Thanksgiving for longer family hangouts

It’s only a 30-hour lifting of the 40-minute restriction, lasting from 12:01 AM on November 26th to 6 AM EST on November 27th. But the fact that Zoom is doing this at all — and that it will likely go a long way in helping users employ video chatting as a substitute for a traditional family gathering — speaks volumes about the bizarre and uncharted territory we’re entering this holiday season as COVID-19 continues to rage across the world.


Android Apps Leaking Sensitive Data Found on Google Play With 6 Million U.S. Downloads

https://unit42.paloaltonetworks.com/android-apps-data-leakage/

Two Android applications belonging to Chinese tech giant Baidu were removed from the official Google Play Store at the end of October after they were caught collecting sensitive user details:

  • Phone model.
  • Screen resolution.
  • Phone MAC address.
  • Carrier (Telecom Provider).
  • Network (Wi-Fi, 2G, 3G, 4G, 5G).
  • Android ID.
  • IMSI (International Mobile Subscriber Identity).
  • IMEI (International Mobile Equipment Identity).

While some of this information, such as screen resolution, is rather harmless, data such as the IMSI can be used to uniquely identify and track a user, even if that user switches to a different phone and keeps the same SIM card (and number). The IMEI is a unique identifier of the physical device and encodes information such as the manufacturing date and hardware specifications.

Android applications that collect data, such as the IMSI, are able to track users over the lifetime of multiple devices. For example, if a user switches their SIM card to a new phone and installs an application that previously collected and transmitted the IMSI number, the app developer is able to uniquely identify that user.


8 breeds of phishing (and, for a limited time only, a 9th for free)

With phishing attacks on the rise, it might be time to do a little review of the different methods used to compromise users and businesses through e-mail, text and voice.

1) Mass-market emails: Someone sends an email pretending to be someone else and tries to trick the recipient into doing something, usually logging into a website or downloading malware. Attacks frequently rely on email spoofing, where the email header—the From field—is forged to make the message appear as if it were sent by a trusted sender.
2) Spear phishing attacks: These extend the fishing analogy, as attackers are specifically targeting high-value victims and organizations. A nation-state attacker may target an employee working for another government agency, or a government official, to steal state secrets. Usually much more time is spent crafting something specific to the end user.
3) Whaling: A phishing attack specifically targeting an enterprise’s top executives. The victim is considered high-value, so the stolen information will be more valuable than what a regular employee could offer. The attacker needs to know who the intended victim communicates with and the kind of discussions they have.
4) Business email compromise (BEC) scams and CEO email fraud: By impersonating financial officers and CEOs, criminals attempt to trick victims into initiating money transfers into unauthorized accounts. The attack takes the form of a false email that looks like it has come from the compromised executive’s account, sent to someone who is a regular recipient. The email appears to be important and urgent, and it requests that the recipient send a wire transfer to an external or unfamiliar bank account.
5) Clone phishing: This requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out for a malicious one.
6) Vishing: Stands for “voice phishing” and entails the use of the phone. Typically, the victim receives a call with a voice message disguised as a communication from a financial institution. For instance, the message might ask the recipient to call a number and enter their account information or PIN for security or other official purposes.
7) Smishing: A mashup of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services. It is a cyberattack that uses misleading text messages to deceive victims: an SMS that tricks you into taking action that gives the attacker exploitable information (like bank account login credentials) or access to your mobile device. This one has a high success rate because more people read and respond to texts than to e-mails.
8) Snowshoeing, or “hit-and-run” spam: This requires attackers to push out messages via multiple domains and IP addresses. Each IP address sends out a low volume of messages, so reputation- or volume-based spam filtering technologies can’t recognize and block malicious messages right away.
9) Hailstorm campaigns: The same principle as snowshoeing, except the messages are sent out over an extremely short time span. Some hailstorm attacks end just as the anti-spam tools catch on and update the filters to block them.

As with all of these methods, look for urgency in the message. If you think the message is real, independently go to a browser, manually type in the website and see if there is any notice of what you are being asked to do. If it’s your CEO with an urgent request to wire 200BTC to a bank in Nigeria, check with her or him first. We are guessing even if the request is real, they won’t mind you checking first.
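Items 8 and 9 above describe a sending pattern rather than a message body, so they can be spotted in mail-gateway logs by looking at how a campaign is spread over IP addresses and time. The following is an added example (not from the newsletter or any vendor product) that profiles a constructed log and labels each campaign as snowshoe, hailstorm or normal; the thresholds, the log format and the use of the subject line as the campaign key are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed mail-gateway log, not real traffic: "<ISO time> <sender IP> <sender domain> <subject>"
SAMPLE_LOG = """\
2020-11-20T09:00:01 203.0.113.10 deal-a.example Urgent: confirm your account now
2020-11-20T09:00:02 203.0.113.11 deal-b.example Urgent: confirm your account now
2020-11-20T09:00:02 203.0.113.12 deal-c.example Urgent: confirm your account now
2020-11-20T09:00:03 198.51.100.7 deal-d.example Urgent: confirm your account now
2020-11-20T09:00:05 198.51.100.8 deal-e.example Urgent: confirm your account now
2020-11-19T08:00:00 203.0.113.50 shop-a.example Your invoice is attached
2020-11-19T14:00:00 203.0.113.51 shop-b.example Your invoice is attached
2020-11-20T02:00:00 203.0.113.52 shop-c.example Your invoice is attached
2020-11-20T11:00:00 203.0.113.53 shop-d.example Your invoice is attached
2020-11-21T06:00:00 203.0.113.54 shop-e.example Your invoice is attached
2020-11-20T10:00:00 192.0.2.5 corp.example Weekly staff newsletter
2020-11-20T10:00:01 192.0.2.5 corp.example Weekly staff newsletter
"""


def parse_log(text):
    """Yield (timestamp, ip, domain, subject) for each log line."""
    for line in text.splitlines():
        ts, ip, domain, subject = line.split(" ", 3)
        yield datetime.fromisoformat(ts), ip, domain, subject


def profile_campaigns(records):
    """Group by subject (a stand-in for a real template hash) and measure spread over IPs and time."""
    groups = defaultdict(list)
    for ts, ip, _domain, subject in records:
        groups[subject].append((ts, ip))
    profiles = {}
    for subject, msgs in groups.items():
        per_ip = defaultdict(int)
        for _, ip in msgs:
            per_ip[ip] += 1
        times = sorted(ts for ts, _ in msgs)
        profiles[subject] = {
            "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
        }
    return profiles


def classify(profile, min_ips=5, max_per_ip=2, hailstorm_window=60):
    """Snowshoe: many IPs, each sending too little to trip a volume or reputation filter.
    Hailstorm: the same spread, but the whole burst lands within hailstorm_window seconds."""
    if profile["distinct_ips"] < min_ips or profile["max_per_ip"] > max_per_ip:
        return "normal"
    return "hailstorm" if profile["span_seconds"] <= hailstorm_window else "snowshoe"


def classify_log(text):
    """Label every subject seen in the log as normal, snowshoe or hailstorm."""
    return {s: classify(p) for s, p in profile_campaigns(parse_log(text)).items()}
```

A real deployment would key campaigns on a fuzzy template hash of the body rather than the exact subject, and would tune the thresholds against the gateway's normal traffic.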


Oxford Dictionary’s word of the year for 2020 becomes “Words of an Unprecedented year”.

January 2020 featured “bushfire” and “impeachment” before “acquittal” gained popularity in February. By March “coronavirus” took center stage and on it rolled.

Notables:

  • allyship n. active support for the rights of a minority or marginalized group without being a member of it.
  • anthropause n. a global slowdown of travel and other human activities.
  • Blursday n. a day of the week that is indistinguishable from any other.
  • Sanny n. (chiefly Australian) hand sanitizer.
  • Zoombombing n. the practice of infiltrating video conference calls on the Zoom application, and posting offensive content.

US: Biden Team Finally Gets .Gov Domain, Federal Cybersecurity Support After Weeks Of Using Google

After weeks of demurring, the head of the General Services Administration finally authorized Biden to formally begin his transition to president Monday, giving him access to a swathe of resources meant to aid the move.

Official cybersecurity support is included in this package, and Biden took to Twitter to announce the new .gov domain for his site buildbackbetter.gov.

The official government domains are generally more secure and better able to withstand attacks than other domains, and are considered part of the US’ “critical infrastructure” (like highways, airports, banks, etc.).


Malware in Minecraft mods

More than 20 apps on Google Play that promised cool Minecraft mods turned out to be malicious. Most of the unscrupulous apps found on Google Play had already been removed. The five that remained were:

  • Zone Modding Minecraft,
  • Textures for Minecraft ACPE,
  • Seeded for Minecraft ACPE,
  • Mods for Minecraft ACPE,
  • Darcy Minecraft Mod.

The humblest of them had more than 500 installations, and the most popular more than 1 million. Although the apps have different publishers, two of the fake modpacks carried almost the exact same description, down to the typos.

Over 20 fake ‘modpack’ apps were actually designed to bombard users with adverts in such an intrusive and aggressive fashion that using the phone becomes virtually impossible.

According to the team at Kaspersky, users find that no actual mods are loaded after installing the bogus Minecraft modpacks. Indeed, to the user it appears that the app does nothing at all.

And that’s why a user might forget that they ever installed the fake modpack, especially as it hides its icon.

But the bogus app is still there, and – according to researchers – automatically opening a browser window containing ads every two minutes.

According to the researchers, the best way to remove the offending app is to look in Settings > Apps and notifications > Show all apps and delete it from there.


BE: Oops! Tesla Hacked and Stolen Again Using Key Fob

This new attack again shows a security vulnerability in the keyless entry system of one of the most expensive electric vehicles (EVs) on the market, ranging in cost from about $40,000 for the most basic models to more than $100,000 for a top-of-the-line Tesla Model X.

The team detailed the two-stage proof-of-concept attack they staged using a self-made device built from widely available and fairly inexpensive equipment: a Raspberry Pi computer that they purchased for $35 accompanied by a $30 CAN shield; a modified key fob and Electronic Control Unit (ECU) from a salvage vehicle that they bought for $100 on eBay; and a LiPo battery that cost $30. Tesla has already released an over-the-air software update to mitigate the flaws, researchers said.

In the attack’s first step, researchers used the ECU to force the key fobs to wirelessly advertise themselves as Bluetooth devices, something that can be done from up to five meters away.

“By reverse engineering the Tesla Model X key fob we discovered that the BLE interface allows for remote updates of the software running on the BLE chip. As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it.”

It then took researchers about a minute and a half at a range of more than 30 meters to gain access to the key fob. Once it was compromised, researchers obtained valid commands to unlock the target vehicle and then gain access to the diagnostic connector inside the car, they said.

“By connecting to the diagnostic connector, we can pair a modified key fob to the car,” said Professor Benedikt Gierlichs, who led the research team. “The newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes.”


Apple’s global security boss accused of bribing cops with 200 free iPads in exchange for concealed gun permits

Thomas Moyer, 50, was last week charged with bribing senior officers in Santa Clara county, home to Apple’s Cupertino headquarters.

According to prosecutors, between February and August last year, Undersheriff Rick Sung and Captain James Jensen refused to issue four concealed-carry weapon (CCW) licenses to Apple employees unless the pair got something in return. Moyer, it is alleged, promised to donate 200 iPads, worth about $70,000 at retail, to the sheriff’s office in exchange for the permits.

The deal was scrapped by Moyer and Sung after the county district attorney launched a probe into the sheriff’s operations and got a search warrant to obtain the office’s CCW records in August last year, it is said. Sung, 48, and Jensen, 43, have been charged with receiving or asking for bribes.

As the name suggests, a CCW license gives a person permission to carry a gun around with them that’s concealed in some way, and they can be difficult to obtain in the US state of California, depending on where you are.


Mount Locker ransomware now targets your TurboTax tax returns

The Mount Locker ransomware gang is gearing up for the next U.S. tax season by specifically targeting TurboTax returns for encryption.

Mount Locker is a relatively new ransomware operation that began infecting victims in July 2020. Like other human-operated ransomware gangs, the Mount Locker gang will compromise networks, harvest unencrypted files with the .tax extension to be used for blackmail, and then encrypt the devices on the network.

Stolen data and the encrypted files are then used in a double-extortion scheme where victims are warned that their stolen files will be published on a data leak site if a ransom is not paid.

To be safe from Mount Locker and other ransomware, be sure to make backups of your TurboTax files and other essential documents on detachable media after you make any changes.

Simply backing up your important files to a USB drive every night and then unplugging it from your personal machine will guarantee the safety of your files even if you suffer a ransomware attack.


GoDaddy Employees Tricked into Compromising Cryptocurrency Sites

A recent social-engineering “vishing” attack on domain registrar GoDaddy temporarily handed over control of cryptocurrency service sites NiceHash and Liquid to fraudsters, exposing personal information of users.

Vishing is a phishing scam that uses voice interactions over the phone to gain trust with victims and fool them into handing over their credentials. Both sites, as well as GoDaddy itself, have since recovered from the compromise.

On Nov. 18, Liquid’s CEO Mike Kayamori announced the breach to its systems.

“On the 13th of November 2020, a domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Kayamori’s statement said. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

Security researcher Brian Krebs reported that he was able to use Farsight Security’s passive DNS data to find domain name changes across GoDaddy over the past week, and that he found similar cryptocurrency sites Bibox, Celsius.network and Wirex.app might have also been targeted. He added that none of those companies has said anything about a possible breach.


Security Researchers could just rename Smart Doorbells, "Dumb-bells"

Security consultancy the NCC Group, in collaboration with UK consumer organization Which?, selected 11 video doorbells available on popular online markets in the UK. Some looked very similar to each other but were from different manufacturers. Other devices looked like copycats of Amazon Ring. All of the products had prices that were substantially lower than the average retail price for well-known brands, such as Ring and Google’s Nest Hello smart doorbell.

A smart doorbell from Victure, which Amazon had labeled as a top seller and had a score of 4.3 out of 5 stars from over 1,000 users, was found to be sending a lot of sensitive data, including the Wi-Fi network name and password, in unencrypted fashion to servers in China.

One device being sold on Amazon and eBay, which had no discernible brand associated with it, had a vulnerable WPA2 implementation that would allow an attacker to gain access to a video doorbell owner’s entire home network. A Qihoo 360 smart video doorbell, on Amazon, was easy to hack with just a standard SIM-card ejector, and another had a flaw that allowed attackers to knock the device offline by setting the device back to a “pairing” stage.

Time to go back to door knockers?


UK: Telecom Companies Face Big Fines Under New Security Law

The Telecommunications (Security) Bill tightens security requirements for new high speed 5G wireless and fiber optic networks, with the threat of fines of up to either 10% of sales or 100,000 pounds ($134,000) a day for companies that don’t follow the rules.

The new rules are a major step to protecting the U.K. from hostile cyber activity by state actors or criminals, the government said, citing previous cyber attacks attributed to Russia, China, North Korea and Iran.

“This groundbreaking bill will give the U.K. one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks,” Digital Secretary Oliver Dowden said.

The bill, which needs to be approved by Parliament, spells out tougher security standards for the electronic equipment and software at mobile phone mast sites and in telephone exchanges that handle internet traffic and telephone calls.


UK: Manchester United Football Club Suffers Cyber attack

English Premier League soccer club Manchester United recently disclosed it was hit by a cyberattack by “sophisticated” cyber criminals on its internal network.

The club said its security systems detected the attack and “shut down affected systems to contain the damage and protect data.”

Meanwhile if your focus is slightly west of Manchester, you might be celebrating a three nil win over Leicester City.


and for our final story…


No security, No Privacy, just a bit of gift giving.

Although it takes forever to load, if you have little’uns yearning to take up the drums during the holiday season, this might get you off the hook and save your sanity.

Just remember to organize some headphones for them first.


and that’s it for this week DAML’ers! See you bright and shiny in se7en days time!

