Watching the detectives and the IT Privacy and Security Weekly Update for November 2nd, 2021


Damlers,

This is the most “detective” update ever!

Inside this week’s update, we inspect overcommunication in Chinese-manufactured telecoms equipment, and undercommunication from an information systems agency. We broadcast seed-planting clips from outside our car prior to a deep dive into the methods used by the FBI to identify the Jan 6th insurrectionists in Washington DC. We discover fake ads, fake crypto, and, we think, some fake test results.

Yes, say it with us, “The best IT Privacy and Security detective work yet is in this week’s update.”

Grab your deerstalker cap, your magnifying glass, Watson, and let’s go sleuthing!



US/CN: The US Bans China Telecom Over National Security Concerns

https://www.securityweek.com/us-bans-china-telecom-over-national-security-concerns

The Federal Communications Commission (FCC) ordered China Telecom Americas to discontinue its services within 60 days, ending a nearly 20-year operation in the United States.

The firm’s “ownership and control by the Chinese government raise significant national security and law enforcement risks,” the FCC said in a statement.

It warned that it gives opportunities for Beijing “to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.”

So what’s the upshot for you? Look to see not only activity here, but lots of Chinese telecoms equipment moving out the door.


Global: 2021 CWE Most Important Hardware Weaknesses

https://cwe.mitre.org/scoring/lists/2021_CWE_MIHW.html

The 2021 CWE™ Most Important Hardware Weaknesses is the first of its kind and the result of collaboration within the Hardware CWE Special Interest Group, a community forum for individuals representing organizations within hardware design, manufacturing, research, and security domains, as well as academia and government.

The goals for the 2021 Hardware List are to drive awareness of common hardware weaknesses and to prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle. Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underlying root cause.

So why are we frustrated? Because we get a dozen weaknesses, not in any ranked order, so we decided to pick today’s top 3:

  1. Firmware Not Updateable. ← means time rolls on and the software on your device will continue to live in the neolithic era.
  2. Use of a Cryptographic Primitive with a Risky Implementation. ← weak crypto makes passwords easy to crack.
  3. Improper Isolation of Shared Resources on System-on-a-Chip (SoC). ← potentially allows one program to watch for and capture another program’s data.

So what’s the upshot for you? Obviously, we think that you should choose your own top three, but the fact is that many of these weaknesses are in our hardware right now: cameras and smart devices. Make sure you read the reviews to confirm there is industry-grade encryption and upgradeable firmware BEFORE you purchase!


Global: Adobe and Apple patched a bunch of stuff last week

https://www.securityweek.com/apple-patches-22-security-flaws-haunting-iphones

Adobe released patches with fixes for Photoshop, InDesign, Illustrator, Premiere, and 10 other products covering 92 documented vulnerabilities that exposed Windows, macOS, and Linux users to malicious hacker attacks.

Apple said the iOS 15.1 and iPadOS 15.1 updates provide cover for 22 flaws, some serious enough to cause arbitrary code execution or privilege escalation attacks.

So what’s the upshot for you? Get your patch on!


US: Realization from the Defense Information Systems Agency that no one can communicate with them

The US Defense Information Systems Agency (DISA) is reorganizing its structure to create a flatter agency, responding to feedback that it was too cumbersome to work with.

The re-organization includes top-down reviews of all of DISA’s programs. The change comes as DISA sees turnover in its senior leadership.

And to be really successful you have to identify and listen to the right people, so… Steven Wallace, DISA’s new chief technology officer, will be in charge of leading Identity Credentialing and Access Management (ICAM): “We will not be successful in the future if we do not have the right identity management.”

So what’s the upshot for you? An important realization from another government agency that loves acronyms and who insists on a level of verbosity that takes a chocolate chip cookie recipe to 22 pages.
http://liw.iki.fi/liw/misc/MIL-C-44072C.pdf


Global: Tesla TV, now broadcasting from your own car!

Since launching Sentry Mode, an integrated surveillance system inside Tesla’s vehicles that uses the Autopilot cameras around the car, Tesla has been talking about leveraging the same cameras to enable a remote live view.

You can now remotely view your car’s surroundings when parked to confirm the safety of your environment before returning to your car. Live Camera is end-to-end encrypted and cannot be accessed by Tesla. To enable or disable it, tap Controls > Safety & Security.

For now, it looks like the feature is only available on iOS devices with the latest version of the Tesla app.
It’s not clear when it will be available to Android users.

So what’s the upshot for you? It’s another $10/mo., but just think! If you have been live streaming from your car, now you can also live stream to, in, from, and around your car! Elon Musk adds that the feature “also lets owners remotely talk through the car’s speaker when enabled”.


Global: Photoshop will get a ‘prepare as NFT’ option soon

Adobe is launching a system built into Photoshop that can, among other things, help prove that the person selling an NFT is the person who made it. It’s called Content Credentials, and NFT sellers will be able to link the Adobe ID with their crypto wallet, allowing compatible NFT marketplaces to show a sort of verified certificate proving the art’s source is authentic.

According to a Decoder interview with Adobe’s chief product officer Scott Belsky, this functionality will be built into Photoshop with a “prepare as NFT” option, launching in preview by the end of this month.

Belsky says attribution data created by the Content Credentials will live on an IPFS system. IPFS (InterPlanetary File System) is a decentralized way to host files where a network of people are responsible for keeping data safe and available, rather than a single company.

So what’s the upshot for you? We did tell you this was coming.


USA/JP: The company that brought you Pokémon Go brings you Pikmin Bloom

Pikmin Bloom, the next game from Pokémon Go creator Niantic, began its global rollout last week. The developer says that the app — which is billed as a joint project with Nintendo — “will be available on the App Store and Google Play over the coming days.” The rollout will start with Australia and Singapore before gradually hitting the rest of the world.

In the game, you walk around planting things, and, at the end of the day, you can watch a little film of you walking around planting VR things.

So what’s the upshot for you? We’re sure it will be another big hit even if Harry Potter: Wizards Unite never really took off, and Catan: World Explorers only lasted around a year. Us? VR is great, but wouldn’t it be even better if this were real? We’re going to walk outside and plant some trees now. Be right back.


TX: Texas Republicans Want to Make the State the Center of the Cryptocurrency Universe

Last week, Texas Governor Greg Abbott met with the Texas Blockchain Council. He tweeted afterward that the state soon “will be #1 for blockchain & cryptocurrency.”

Late last decade, the town of Rockdale appeared on the verge of economic ruin. The Alcoa aluminum plant there, which provided nearly 1,000 jobs, closed in 2008. The Luminant coal-fueled power plant shut down in 2017.
But now a new industry has come to the town of about 5,300. North America’s largest bitcoin mine — owned and operated by Whinstone U.S. — sits just down the road from the old aluminum plant, about 60 miles northeast of Austin. The facility, which has added about 145 jobs, hasn’t fully filled the void created by Alcoa.
Whinstone U.S., which is owned by Riot Blockchain, is fast working to become a pillar of the community:

  1. It helped rebuild the local dog shelter.
  2. It installed lights at the high school softball and football fields.
  3. It bought the town’s 32-foot-tall Christmas tree.

Pillar.

Meanwhile, Texas is below the global average when it comes to renewable mining. Coal and natural gas account for 38% and 36% of power sources, respectively, and the volume of energy used for mining still means grave ecological consequences.

So what’s the upshot for you? Cast your mind back to Texas’ fragile power grid and high reliance on fossil fuels, and then consider Gov. Abbott’s anti-mask, anti-vaccine, anti-regulation stance while we go for another walk and plant some more trees.


US: How police tracked the Jan 6th Trump insurrectionists via their mobile phones.

Tomi T Ahonen: “This is my core competence, I’ve written 12 bestselling books to the telecoms, tech & media industries including the fastest-selling telecoms book of all time. Everything in this Thread is 100% true. FBI went into FAR more detail.

This adventure starts at the end of Jan 6th. FBI has caught a man dressed in Oath Keeper outfit, at the Capitol. He is unarmed, claims to be alone, was ‘a tourist’, gives his proper ID, has no cellphone. FBI interviews him. When the FBI asks him where is his phone, he says he forgot it in his car. They ask, where is his car. He says he parked it at Dulles airport long-term parking. FBI asks him if they can search his car, he says no, you need a search warrant. They hold him.

Now let’s find out if this guy acted in a militant cell with Oath Keepers or he wandered into the Capitol building all alone. Our forensic team turns to cellular tower data. So every phone that was even briefly turned on during Jan 6th is logged.

By every phone, I mean every cellphone, whether smart or dumb. It does not have to have GPS functionality, and it won’t help if you have the tracking feature turned off. If someone could call you or text you, the network knew your phone was there. My guess on scale is that there are about 34,000 phones that were on, during the riot, at or near the Capitol building.

There is a process called triangulation, by which the network knows roughly where you are, accuracy of about one city block. Through triangulation, we can eliminate all who attended the Maga rally but did not enter the Capitol building. That leaves us with about 11,000 phones.

Those who work in the Capitol used their phones on days before and after Jan 6. Eliminate those.

Nearly anyone working in the Capitol will have 2 phones (one work, one private). Eliminate those. 4,000 x 2 = 8,000. Have 3,000 phones left.

Then we have legitimate visitors with permission to be in the Capitol that day. Remove those who arrived before. When we remove all visitors to the Capitol who arrived before the Capitol was breached, another 1,000 phones, we have 2,000 phones left. Now remove the phones of the cops. Say 500 were phones registered with DC & Maryland police officers. We have 1,500 left.

These 1,500 phones were carried by rioters who entered the Capitol. MOST of those people were NOT organized militants of Oath Keepers, Proud Boys, etc. Say 800 were MAGA (Make America Great Again) supporters who joined to storm the Capitol and 300 were ORGANIZED militants.

Now we go DEEPER into telecoms traffic forensics. The 800 ‘regular’ MAGA-nutters on average carry 1.5 phones (800 x 1.5 = 1,200 phones).

The organized militants did NOT bring their own phones. They were issued ‘Burner phones’ (like mafia drug dealers).

A regular MAGA-nutter would use his or her normal phone in a normal way. They made regular calls/texts every day, past weeks, on that phone. A ‘normal’ person calls during Trump speech AND sends pictures from inside the Capitol, at Nancy Pelosi’s desk.

The Burner Phone traffic is TOTALLY different. It was NEVER used prior to Jan 6. Any calls or messages are short. The Burner is only used for a few hours, then the phone disappears forever. We can see from the pattern, which are Burners, which are normal phones.

When we eliminate the ‘normal’ traffic phones (1,200) we identify and catch 800 ‘regular’ MAGA rioters who trespassed, vandalized, pilfered in Capitol.

That leaves us 300 Burner phones, belonging to the MILITANTS like Proud Boys, Oath Keepers etc.

Typically the one cell of say Oath Keepers of 7 men will not contact ANYONE outside those 7, with that set of Burner phones that day. Nobody on the outside, not their wife, not their best friend. They will ALSO not contact OTHER Oath Keeper groups.

‘Military mission’ type of communications is a VERY specific pattern. One leader, others follow. The ‘orders’ come from the leader to the team. Usually, the team does NOT respond. Very often it is a single-word text message (code word, or code number).

So? Take the first phone that only received calls or messages but did not call or send. Look who sent the message to this phone, that is the team leader of this militant cell. Now look at the leader’s phone traffic: you find total militant cell, all members.

Proceed through all 300 remaining phone numbers, you have identified EVERY group that could be between say 5 and 11 terrorists per militant cell. And you have identified the phone of EACH leader of each cell. Then you connect the dots. Start with captured phones that were with a given militant. Here is a Boogaloo Boy. This is his phone number. Where is he in our list of groups? Here it is. This is a team of 6. Then go to video, ID the rest of his team.

Most militant teams are found this way because in most cases there will be at least 1 member who was caught with a phone. After that, a few groups remain, with no captured phones at all. But we know WHERE they were at a given time. More video ID work.

Now let’s go back to our FBI interrogation. Perp said, “Get a warrant!”. FBI keeps him locked, goes to judge, gets a search warrant, then breaks into his car. They find his personal smartphone. They turn it on. The battery is nearly full. Ah… That means… If our perp truly forgot his phone in his car, it would have drained over the past few days until we got the warrant to search his car.

But this phone has a near-full battery. The perp had TURNED HIS PHONE OFF before he went “criming” with Oath Keepers.

Anyway, we get a subpoena for his regular smartphone records for the past few months. We see he’s been communicating with 3 other Oath Keepers, who ALSO were found in the Capitol, also coincidentally without their own phones.

Next FBI sees an interesting phone pattern. All 4 phones were turned off on 5 Jan, in the late afternoon, very close to the same time. And about 1 hour after these phones had been turned off, one unallocated group of militant phones was momentarily turned on.

That group of 7 Burner phones was turned on all at the same Motel 6. For about 5 minutes each. That was when this group of Oath Keepers checked their equipment and each verified their equipment (Burner phone) was operational.

The photos of the 4 Oath Keepers are brought to Motel 6. They identify 2 of them. Check out who paid for the motel room. Paid in cash (dead end).

But now they chase the remaining 3 members. They subpoena phone records of the known 3 other members. By cross-referencing phone traffic of the 4 known Oath Keepers, they see several other Oath Keepers, three of whom are in videos on Capitol near these 4 terrorists. Bingo.

The above was to catch ONE terrorist cell of 7 Oath Keepers in my ‘episode’. There were likely 30-50 such cells. EACH has been discovered by telecoms data. MOST of those members are ALREADY caught.

The above method means ANYONE in Congress (or their staffers) who contacted any of the terrorists, will be caught by the telecoms traffic. Remember how much Gym Jordan was freaking out about his phone calls with Trump? FBI knows who called whom.

So what’s the upshot for you? So now you understand the value of a mobile phone to the authorities.
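The triage the thread walks through (which handsets the towers saw during the window, dropping handsets with a history at the site on other days, flagging handsets with no prior history as burners, and recovering each cell from its one-way leader-to-follower messages) as an added Python example over constructed CDR-like records. This is not the thread author’s code and not real data; every phone ID, tower ID and timestamp is made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed window and towers of interest (not real cell IDs or times).
EVENT_START, EVENT_END = datetime(2021, 1, 6, 13, 0), datetime(2021, 1, 6, 18, 0)
TARGET_CELLS = {"tower-A", "tower-B"}

def ev(phone, ts, tower, direction="reg", peer=None):
    """One network event: 'reg' = handset merely seen, 'out'/'in' = traffic with peer."""
    return {"phone": phone, "ts": ts, "tower": tower, "dir": direction, "peer": peer}

T = lambda h, m: datetime(2021, 1, 6, h, m)  # shorthand for event-day timestamps
RECORDS = [  # constructed CDR-like log
    # N1: weeks of prior history, on site during the window, texts a friend.
    ev("N1", datetime(2020, 12, 20, 9, 0), "tower-Z", "out", "friend-1"),
    ev("N1", T(14, 5), "tower-A", "out", "friend-1"),
    # L1 sends one-word messages to F1..F3, who only receive; none has prior history.
    ev("L1", T(14, 10), "tower-A", "out", "F1"),
    ev("L1", T(14, 10), "tower-A", "out", "F2"),
    ev("L1", T(14, 10), "tower-A", "out", "F3"),
    ev("F1", T(14, 10), "tower-A", "in", "L1"),
    ev("F2", T(14, 10), "tower-B", "in", "L1"),
    ev("F3", T(14, 11), "tower-B", "in", "L1"),
    # S1: seen at the site the day before and after as well, i.e. works there.
    ev("S1", datetime(2021, 1, 5, 9, 0), "tower-A"),
    ev("S1", T(14, 0), "tower-A"),
    ev("S1", datetime(2021, 1, 7, 9, 0), "tower-A"),
]

def present(records):
    """Step 1: every handset the network saw at the target towers during the window."""
    return {r["phone"] for r in records
            if r["tower"] in TARGET_CELLS and EVENT_START <= r["ts"] <= EVENT_END}

def is_staff(phone, records):
    """Step 2: a handset at these towers on more than one day is a regular, not a visitor."""
    return len({r["ts"].date() for r in records
                if r["phone"] == phone and r["tower"] in TARGET_CELLS}) > 1

def is_burner(phone, records):
    """Step 3: first ever appearance within a day of the event fits the burner pattern."""
    first = min(r["ts"] for r in records if r["phone"] == phone)
    return first >= EVENT_START - timedelta(days=1)

def triage(records):
    """Return (normal_handsets, burner_handsets) among non-staff present at the site."""
    visitors = {p for p in present(records) if not is_staff(p, records)}
    burners = {p for p in visitors if is_burner(p, records)}
    return visitors - burners, burners

def find_cells(burners, records):
    """Step 4: a burner that only receives points at its sender; grouping receivers
    by sender yields {leader: followers} for each cell."""
    cells = defaultdict(set)
    for p in burners:
        own = [r for r in records if r["phone"] == p]
        if all(r["dir"] == "in" for r in own):
            for r in own:
                if r["peer"] in burners:
                    cells[r["peer"]].add(p)
    return dict(cells)
```

On the constructed log, `triage` separates N1 from the four history-less handsets, drops S1 as staff, and `find_cells` recovers L1 as the leader of F1, F2 and F3.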


Global: Trust no one when it comes to crypto

Fake Google ads are becoming a more popular phishing method and these phishing pages are now getting ranked above a legit crypto or wallet homepage in a Google search. It’s easy to miss if you aren’t specifically looking for it. When the first search result is a phishing site, a user clicks on it, needs to recover a password, and the next thing you know your user is now a victim.

So what’s the upshot for you? It seems if the incentives are high enough, baddies can pump enough ads at Google’s engines to skew the results and have their fake phishing sites returned instead of the real crypto sites. Wow!


Global: Squid Game cryptocurrency creators exit stage left.

Last week, with market players transfixed by the rise of Shiba Inu (SHIB), another meme coin based on the hugely popular “Squid Game” Netflix series came from nowhere.

In a matter of days, the squid coin went supernova — then crashed and burned as developers yanked the rug out from aspiring crypto fortune-hunters. To crib a phrase from that chef from Seinfeld, “no soup for you.” It should be noted that the Squid Game cryptocurrency project is not associated with the television series, Netflix, or its creators.

The online game was set to launch in November and would cost SQUID tokens to play. However, less than two weeks after the SQUID token was launched – having reached a peak of over $2,850 – the coin has now completely crashed by over 99.99% and is currently worth $0.003028.

On November 1, investors who had previously enjoyed seeing the coin rise in value from $0.01 to levels far beyond its original price on PancakeSwap found out they were unable to sell their tokens.

So what’s the upshot for you? This is known as a rug pull or an exit scam, in which investor funds are moved elsewhere and the developers vanish, often causing the coin’s value to tank and become worthless.


CN: Zero-tolerance Hits Shanghai Disneyland like a slap from Minnie Mouse!

On Sunday, a woman who had visited Shanghai Disneyland tested Covid-positive elsewhere, outside the park.

Because of that test result, over 30,000 Shanghai Disneyland visitors and staff were locked inside the park.

All visitors were forced to get Covid tests before being released just before midnight.

Every one of the 30,000 people tested negative, but all were still ordered to self-isolate for two days and take several more tests.

So what’s the upshot for you? Our understanding is that there is an expected slight deviation from 100% accuracy with the testing kits. Our question then is, how did all 30,000 come up negative?


That’s it for this week, fellow reconnoiters! We hope you’ve enjoyed this week’s discoveries and look forward to seeing you soon.

Be kind, stay safe, stay secure and see you in se7en!