Pete Recommends – Weekly highlights on cyber security issues, April 17, 2021

Subject: Cybercriminals Put Out Facebook Ads for a Fake Clubhouse App That Was Riddled with Malware
Source: Gizmodo

Cybercriminals have been pushing Facebook users to download a Clubhouse app “for PC,” something that doesn’t exist. The app is actually a trojan designed to inject malware into your computer. The popular new invite-only chat app is only available on iPhone but worldwide interest in the platform has risen and users are clamoring for Android and, presumably, “PC” versions. Per TechCrunch, the malicious campaign used Facebook ads and pages to direct platform users to a series of fake Clubhouse websites. Those sites, hosted in Russia, asked visitors to download the app, which they promised was just the most recent version of the product: “We tried to make the experience as smooth as possible. You can check it out right now!” one proclaims.

Taking advantage of a popular new product to deploy malware is a pretty classic cybercriminal move—and given Clubhouse’s prominence right now, it’s no surprise that this is happening. In fact, researchers recently discovered a different fake Clubhouse app. Lukas Stefanko of security firm ESET revealed how another fictional “Android version” of the app was acting as a front for criminals looking to steal users’ login credentials for other services.


Subject: Zoom Bugs Would Have Let Hackers Control Your Computer
Source: Gizmodo

A pair of security researchers revealed several zero-day vulnerabilities in Zoom in recent days that would have let hackers take over someone’s computer even if the victim hadn’t clicked anything. Zoom confirmed to Gizmodo that it released a server-side update to address the vulnerabilities on Friday and that users did not need to take additional action. The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition hosted by the Zero Day Initiative. Although not many specifics are known about the vulnerabilities because of the competition’s disclosure policy, in essence, the researchers used a three-bug chain in the Zoom desktop app to carry out a remote code execution exploit on the target system.

The user did not need to click anything for the attack to successfully hijack their computer. You can see the bug in action below.


Subject: 911 pilot tests emergency systems’ cyber defenses
Source: GCN

To better protect emergency communications systems from cyberattacks, the Department of Homeland Security’s Science and Technology Directorate is expanding a pilot to test 911 infrastructure. S&T is working with SecuLore Solutions to develop cybersecurity defenses based on predictive analytics that will help detect and mitigate attacks against legacy emergency communications systems as well as Next Generation 911 and IP-based technologies, agency officials said in an April 8 announcement. With S&T funding, the company is expanding its existing cybersecurity solutions to provide near-real-time behavioral threat analysis of network traffic at an emergency communications center (ECC) and recommended remediation strategies based on the nature of the malware used.

The Emergency Services Department of Palm Beach County, Fla., is currently testing the technology, and the company plans to expand the pilot to five additional ECCs across the country over the next few months. Each pilot partner gets at least two months of assistance, including 24-hour oversight of the security operations center network, and a weekly vulnerabilities report, S&T officials said. Partners will also receive immediate notification of any critical vulnerability, and the company will ensure they understand the identified vulnerability and implement initial remediation steps.

Subject: We need more federal guidance on mobile IT security
Source: FCW

COVID has certainly accelerated — if not mandated — the adoption of teleworking alternatives and revisions to bring-your-own-device (BYOD) policies. The global pandemic forced many government officials to work from their own residences, using privately owned and configured computers, internet routers, smartphones, video cameras, messaging applications, teleconferencing platforms, encryption programs, etc. In no uncertain terms, federal chief information security officers (CISOs) lost control over the security perimeter of their organizations almost overnight. Not only are many more proprietary and/or sensitive communications now being transmitted over public telecommunications lines, but a vastly greater proportion of government work must now be conducted using the employees’ own personal hardware and software. From a strategic perspective, the threat surface has been dramatically increased while the administrative and/or legal authority of the agency’s most capable cyber defender to enact obligatory measures has been reduced. Consequently, federal departments urgently need to revisit their BYOD policies while expanding their remote and mobile network applications.

My strong recommendation is for the nation’s security-forward agencies to provide the rest of the federal government with more guidance on mobile technology security, to include best practices and even preferred technology solutions. In its Oct. 6, 2020, public service announcement about teleworking, for example, the FBI addressed the risk of lax hotel Wi-Fi security but did not discuss mobile security writ large. With so many remote employees now using their personal smartphones to join Zoom, Webex or Teams meetings, it is imperative they are warned of the broader risks to mobile devices in general. In its Telework Guidance and Resources, even the Cybersecurity and Infrastructure Security Agency did not adequately prioritize threats to mobile device users (e.g. smishing or phishing attacks).

Subject: Minnesota Has Begun Crafting Privacy Policies for Connected Transit Tech
Source: Gizmodo

Connected and automated vehicles are the future, but they carry with them a host of privacy concerns that rightfully necessitate a careful, thoughtful approach to crafting security frameworks to guide their widespread implementation. It’s mostly uncharted territory at this point, but a handful of states are taking proactive steps towards crafting privacy policies that will protect civilians from data misuse and privacy violations down the line. On Tuesday, the emerging technologies magazine Government Technology reported that Minnesota is one such state, with an entire council dedicated to ameliorating the tension between automated transit’s risks and rewards. That council — the Connected and Automated Vehicle Innovation Alliance, or CAV for short — was established last year by the Minnesota Department of Transportation with the intention to “get ahead of growing trends and act now to establish privacy and data security policies that can guide public-sector approaches to the technology at present and in the long term.”

Subject: Azimuth Security Cracked San Bernardino Shooter’s iPhone for FBI
Source: Gizmodo

When the U.S. government wanted to crack into a dead terrorist’s iPhone several years ago, they turned to a little-known cybersecurity startup in Australia to help them do it, a Washington Post investigation has revealed. Azimuth Security, located in Sydney, specializes in providing “best-of-breed technical services” to clients, according to its website. Those services allowed the FBI to unlock the cell phone of Syed Rizwan Farook who, along with his wife Tashfeen Malik, shot and killed 14 people in Southern California during the so-called “San Bernardino terrorist attack” in 2015. At the time, the government naturally wanted to know if the couple had ties to foreign extremist groups, and the killer’s phone data was seen as a natural way to find out.

So, the government paid Azimuth some $900,000 to help them literally crack the case. The firm’s contract with the government was exposed by the Post on Wednesday and confirmed by additional reporting from Motherboard. The news solves a years-long mystery about the identity of the hackers, the likes of which has been a well-kept government secret until now.

Though based in Australia, Azimuth is actually owned by L3 Technologies, a large American defense contractor that offers a variety of defense and intelligence services to large federal agencies like the Pentagon and the Department of Homeland Security, among others.

The San Bernardino iPhone case sparked what became known as the new “Crypto War”—a battle between Apple and the federal government over encrypted technology. Prior to actually cracking the phone, the federal government essentially attempted to bully Apple into decrypting its own product—with the FBI suing the phone maker for access in 2016. The tech giant refused, and the lawsuit was subsequently dropped.

At the time, critics argued—and were later proven correct—that the feud wasn’t really about technical access to the phone. Instead, the feds were merely trying to set a legal precedent that would allow them to call on the private sector to decrypt products for them in the future or install backdoors in encrypted tech. Indeed, a 2018 Justice Department inspector general’s report showed that the FBI didn’t really try that hard to find other options before it toted out its lawsuit against Apple. It just wanted to compel the tech company to do its work for it.


Subject: Better than the best password: How to use 2FA to improve your security
Source: ZDNet via beSpacific

ZDNET – “You are one data breach away from having your entire online life turned upside down. The problem is passwords, which are hopelessly fragile ways to secure valuable resources. Don’t be lulled into a false sense of security by the belief that creating a longer, more complex, harder-to-guess password will somehow make you safer online. You can create a password that is so long and complex it takes you five minutes to type, and it will do nothing to protect you if the service where you use that password stores it improperly and then has their server breached. It regularly happens. Everyone needs a password manager. It’s the only way to maintain unique, hard-to-guess credentials for every secure site you and your team access daily. And even with reasonable policies in place (complexity, changed regularly, not reused), people are still the weakest link in the security chain. Social engineering can convince even intelligent people to enter their credentials on a phishing site or give them up over the phone. The solution is two-factor authentication, or 2FA.”


Subject: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks
Source: NSA Central Security Service

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) jointly released a Cybersecurity Advisory, “Russian SVR Targets U.S. and Allied Networks,” today to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. This advisory is being released alongside the U.S. Government’s formal attribution of the SolarWinds supply chain compromise and related cyber espionage campaign. We are publishing this product to highlight additional tactics, techniques, and procedures being used by SVR so that network defenders can take action to mitigate against them.

+ infographic [PDF]

Subject: Bill Would Prohibit Sale of Americans’ Personal Data to Adversarial Countries
Source: Netgov

The proposal would establish an interagency group to categorize data, then develop a list of countries banned from importing individuals’ data that could threaten national security.

Legislation introduced this week would make it illegal for companies to export data generated by people living in the U.S. to certain countries where that data could pose a national security risk. Federal agencies already regulate the kinds of technologies and industrial data that can be sold abroad, but a new bill introduced by Sen. Ron Wyden, D-Ore., would be the first to prohibit the sale of individuals’ data by a third party.

The Protecting Americans’ Data from Foreign Surveillance Act would first categorize the types of personal data people generate each day, and identify which data types could be used by foreign adversaries to the detriment of the U.S. In establishing the categories, regulators would be instructed to look at data collected by commercial entities; data that has already been shared with foreign adversaries; and both identifiable and anonymized data, if the latter can be reverse engineered using other data sources.

Conversely, the department will also be tasked with creating a list of countries where companies won’t require a license to import U.S. data, such as allies that don’t pose a risk to national security. But that list won’t be easy to get on.

“Countries can only be added or removed from this list after notifying Congress and giving Congress 180 days to object via a joint resolution of disapproval,” according to a summary breakdown of the bill.

The senator is currently taking feedback on the language in the legislation at [email protected].


Subject: Six key takeaways from Biden’s Russia sanctions announcement
Source: CNNPolitics

Washington (CNN) – The Biden administration slapped sweeping sanctions on Russia Thursday over Moscow’s alleged interference in the 2020 election, the massive SolarWinds hack and the ongoing occupation of Crimea, signaling it is adopting a tougher posture toward the Kremlin and Russian President Vladimir Putin.

The sanctions announcement also showed that the Biden administration is more willing to directly call out Russia’s meddling in US affairs after Trump administration officials had to dance around former President Donald Trump’s frequent unwillingness to criticize Moscow.
