Pete Recommends – Weekly highlights on cyber security issues, December 4, 2021

Subject: Interpol Says Email Fraud Operation Resulted In 1,000 Arrests
Source: Gizmodo

The operation, HAECHI-II, involved police from 20 countries and targeted a range of internet and email scams. Police in 20 separate countries arrested 1,003 suspects as part of a sweeping crackdown on digital financial crime from June 2021 to September, including suspected operators of a type of scam called “business email compromise” (BEC), according to Interpol.

Other scams involved in the Interpol-coordinated operation include romance scams, investment fraud, and money laundering. Interpol, which is not a police force but an international organization that coordinates action by police across member countries, said in a press release that the effort resolved nearly 1,660 ongoing investigations and led to the seizure of over 2,350 bank accounts and nearly $27 million in allegedly illicit proceeds.

Interpol wrote the operation, titled HAECHI-II, targeted scams suspected to be linked in some fashion to North Korean operators—such as a “single case in Colombia” that resulted in losses of over $8 million to a “prominent textiles company.”


Subject: Over 300,000 Android users have downloaded these banking trojan malware apps, say security researchers
Source: ZDNet

Over 300,000 Android smartphone users have downloaded what have turned out to be banking trojans after falling victim to malware which has bypassed detection by the Google Play app store.
Detailed by cybersecurity researchers at ThreatFabric, the four different forms of malware are delivered to victims via malicious versions of commonly downloaded applications, including document scanners, QR code readers, fitness monitors and cryptocurrency apps. The apps often come with the functions which are advertised in order to avoid users getting suspicious.

The most prolific of the four malware families is Anatsa, which has been installed by over 200,000 Android users – researchers describe it as an “advanced” banking trojan which can steal usernames and passwords, and uses accessibility logging to capture everything shown on the user’s screen, while a keylogger allows attackers to record all information entered into the phone.


Topic: Security

Subject: CISA issues enterprise mobile security checklist
Source: GCN

With an increasing number of enterprise threats coming through mobile devices, the Cybersecurity and Infrastructure Security Agency has issued guidance to help government agencies and private-sector organizations better secure their mobile devices. The Enterprise Mobility Management (EMM) system checklist outlines steps for device management, authentication, app and network security as well as defending enterprise systems from mobile devices.

When selecting devices for enterprise use, agencies should keep an eye on supply chain risks and require devices to be trusted – meaning, configured to enterprise standards and continuously monitored, CISA advises. Platforms should be automatically patched and updated through a mobile device management system, and all devices should be denied access to enterprise resources until they meet agency standards.

Communications can be protected by disabling Bluetooth, Wi-Fi and GPS networks when they are not in use. Agencies should also configure their EMM to use VPNs between devices and enterprise networks.

CISA also issued companion mobile cyber hygiene guidance for consumers, covering the use of strong authentication and automatic operating system updates.

Subject: If You Have an HP Printer, Install this Patch Right Now
Source: Gizmodo

HP patched two security vulnerabilities that could be used to steal information and spread to other devices. HP printer owners should download the latest firmware to protect their devices from critical security flaws.

Researchers at F-Secure recently revealed serious vulnerabilities affecting approximately 150 HP printer models including HP Color LaserJet Enterprise, HP LaserJet Enterprise, HP PageWide, HP OfficeJet Enterprise Color, and HP ScanJet Enterprise 8500 FN1 Document Capture Workstation series.

Dubbed “Printing Shellz,” the flaw consists of two separate vulnerabilities that give attackers a way to steal your personal information. The flaw exists in the printers’ communication board and font parser. When exploited, an attacker can gain code execution rights to nab information from the printer or use the machine as a source for further attacks.

Subject: Twitter Bans Sharing Photos of Private Individuals Without Consent
Source: Gizmodo

The company’s new rules crack down on users who share pictures or videos without the subject’s permission. As part of Twitter’s never-ending attempt to thwart the doxxers and trolls that seem to lurk in every corner of its platform, the company overhauled its private information policies on Monday to explicitly ban sharing pictures or videos of private individuals without their consent.

Even before this update, Twitter’s existing policies on the types of personal information that can and can’t be shared were already pretty robust. Until now, Twitter barred users from sharing information like a person’s home address, private phone numbers or emails, credit card numbers, or medical information. (Whether Twitter is good at enforcing its own policies is a different issue.) And the company’s had similar rules in place for banning revenge porn since early 2015. Now, the company’s extending user protections to all forms of filmed and photographed media—even if they’re not porn-related in the least.

As for the accounts that run afoul of this new policy, Twitter notes that it will put a temporary lock on the profile until whoever’s behind it takes the media down. There are two major exemptions to Twitter’s new update, though. First, these new policies don’t apply to media featuring public figures like political figures or celebrities—so you’re still free to tweet out pictures of Donald Trump or Kim Kardashian to your heart’s content. Second, the new policy doesn’t apply to pics or clips that are “shared in the public interest or add value to public discourse.”

Subject: Robocallers Try New Tactics to Evade Crackdowns
Source: The Pew Charitable Trusts

Like the Whac-A-Mole game at the carnival, every time state and federal law enforcement officials think they have smacked down scam robocalls, the unwanted calls pop up in a slightly different place with a slightly different face. One new trick is for callers to send messages straight to voicemail. The scammers argue that because they don’t cause phones to ring, they aren’t really calling at all.

They also may buy or hijack lists of real phone numbers to trick spam-blocking software into letting the calls through. Law enforcement officials have asked phone carriers to make it harder for scammers to obtain real numbers, but those lists are legally for sale by third-party data providers, and ferreting out who is buying them is difficult.

Earlier this month, North Carolina Attorney General Josh Stein, a Democrat, and Florida Attorney General Ashley Moody, a Republican, led all 51 attorneys general, including the District of Columbia’s, in a letter calling on the Federal Communications Commission to reduce unwanted robocallers’ access to real phone numbers.

YouMail, a private company that sells call-blocking software and tracks the estimated number of calls, reported 4.1 billion unwanted robocalls in October, up from 3.9 billion in September.

Those numbers translate to 132 million calls a day, 5.5 million an hour, 1,530 a second and, in perhaps the most affecting of all, an average of 12.6 calls per person with a phone in that month.

He said the temporary decline in the number of calls also is partly attributable to a federal program known by its acronym STIR/SHAKEN. The program, implemented by the FCC, identifies spoofed or fake numbers that mirror legitimate area codes and exchanges, with an eye toward giving regulators the tools to go after the spammers. The acronym stands for STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs).

FCC acting Chair Jessica Rosenworcel said in June that the largest voice service phone providers are using the STIR/SHAKEN caller ID standards. The technology, among other things, informs blocking tools of possible suspicious calls, she said in a news release announcing the technology’s broad implementation.

Subject: Who owns our health data — and why we should care
Source: Stat [Opinion]

It can be hard to fathom that anyone other than you might own your information. But they do. Everything from what’s in your electronic medical record to the average jogging speed recorded on an app may be someone else’s property. For a profit, the magic is in the aggregate. Innumerable hospitals, corporations, and apps are tracking their patients and users. But that information is worth more than money. On an individual scale, it’s valuable information that paints a full picture of health for individuals and their health care providers.

Subject: Bulletproof hosting founder imprisoned for helping cybercrime gangs
Source: Bleeping Computer

34-year-old Russian Aleksandr Grichishkin, the founder of a bulletproof hosting service, was sentenced to 60 months in prison for allowing cybercrime gangs to use the platform in attacks targeting US financial institutions between 2008 and 2015. Grichishkin, who was also the organization’s leader, provided multiple cybercrime operations with the infrastructure (IP addresses, servers, and domains) needed to distribute malware, host phishing kits, breach targets’ networks, build botnets, and steal banking credentials.

According to the sentencing memorandum, malware hosted on the organization’s bulletproof hosting platform—including Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit—was used in attacks against U.S. organizations and caused millions of dollars in losses.

As revealed in court documents, the US Federal Deposit Insurance Corporation (FDIC) estimated that just SpyEye and Zeus attacks caused roughly $64 million in damages to banks and their corporate clients in a single year, based on incidents in 2011.

He also aided cybercrime clients to register new infrastructure using false or stolen identities to circumvent law enforcement efforts to block their attacks.

Subject: Crowd-Sourced Suspicion Apps Are Out of Control
Source: Electronic Frontier Foundation

Technology rarely invents new societal problems. Instead, it digitizes them, supersizes them, and allows them to balloon and duplicate at the speed of light. That’s exactly the problem we’ve seen with location-based, crowd-sourced “public safety” apps like Citizen. These apps come in a wide spectrum—some let users connect with those around them by posting pictures, items for sale, or local tips. Others, however, focus exclusively on things and people that users see as “suspicious” or potentially hazardous. These alerts run the gamut from active crimes, or the aftermath of crimes, to generally anything a person interprets as helping to keep their community safe and informed about the dangers around them.

And even worse than incentivizing people to share their most paranoid thoughts and racial biases on a popular platform are the experimental new features constantly being rolled out by apps like Citizen. First, it was a private security force, available to be summoned at the touch of a button. Then, it was a service to help make it (theoretically) even easier to summon the police by giving users access to a 24/7 concierge service who will call the police for you. There are scenarios in which a tool like this might be useful—but to charge people for it, and more importantly, to make people think they will eventually need a service like this—adds to the idea that companies benefit from your fear.

These apps are part of the larger landscape that law professor Elizabeth Joh calls “networked surveillance ecosystems.” The lawlessness that governs private surveillance networks like Amazon Ring and other home surveillance systems—in conjunction with social networking and vigilante apps—is only exacerbating age-old problems. This is one ecosystem that should be much better contained.

Subject: Federal Judge Blocks Texas Social Media Law
Source: Gizmodo

The law would have prohibited major social media platforms with more than 50 million users from removing users based on their political viewpoint.

In a move just about anyone could have predicted, a federal judge has blocked Texas’ controversial social media law that would have restricted the way companies moderate content, claiming such efforts violate the First Amendment. If passed, Texas’ H.B. 20 would have prohibited major social media platforms with more than 50 million users from removing users based on their political viewpoint. Additionally, Texas residents under the law could sue these companies if they thought they were wrongfully banned. The law had inelegantly tried to tiptoe around these pretty obvious First Amendment issues by categorizing platforms as “common carriers,” something U.S. District Judge Robert Pitman called bullshit on in his ruling.

“First, social media platforms are privately owned platforms, not public forums,” Pitman wrote in the order. “Second, this Court has found that the covered social media platforms are not common carriers.”


Subject: Companies’ Printers Are Getting Spammed by Anti-Work Manifestos
Source: Gizmodo

A new report suggests someone has been hacking company printers and making them emit “anti-work” screeds. Some hacker out there is really taking that whole “Great Resignation” thing pretty seriously. According to a new report from Motherboard, “dozens” of companies’ receipt printers are getting spammed with “anti-work” screeds—the likes of which are encouraging employees to tell their bosses to take a hike.

Over the past few days, a slew of pictures have been posted to Reddit appearing to show lengthy receipts inscribed with the same pro-labor, anti-capitalist rhetoric. Many of them make reference to r/antiwork, the increasingly popular “anti-work” subreddit, and encourage workers to stand up to their employers over wages and benefits.

“Someone is using a similar technique as ‘mass scanning’ to massively blast raw TCP data directly to printer services across the internet,” said Andrew Morris, the founder of cybersecurity firm GreyNoise. Morris further clarified that someone was “broadcasting print requests for a document containing workers rights messaging to all printers that are misconfigured to be exposed to the internet and we’ve confirmed that it is printing successfully in some number of places.”

Filed: Tech and Privacy and Security

Subject: You Should Opt-Out of Verizon’s Data-Collection Scheme Right Now
Source: Gizmodo

The mobile carrier is reportedly gathering customers’ contacts, app usage, and location information. Verizon customers who value their privacy should immediately opt-out of the phone carrier’s disturbing new data tracking service.

As reported by Input, “Verizon Custom Experience” is a program being pitched to users as a way for the company to “personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services and offers that are more appealing to you.”

Here’s the thing: to do so, the nation’s largest mobile carrier needs to see the websites you visit, the apps you use, your location, and the people you contact. If that wasn’t scary enough, the “Custom Experience” program is opt-out, meaning Verizon automatically enrolls you without asking for permission. Nothing I’ve read about the program would make me even consider staying in, especially since Verizon is sneakily signing people up without asking.

We’ve reached out to Verizon to learn more about its Custom Experience program but have not heard back.

Filed: Tech and News

Subject: White House Readies Plan to Boost Cybersecurity of Water Supply
Source: WSJ Pro Cybersecurity (paywall)

The Biden administration is readying a proposal to shore up the cybersecurity of the U.S. water supply, a system maintained by thousands of organizations with sometimes glaring vulnerabilities to hackers.

The plan broadens a White House initiative to persuade key industrial companies to upgrade technology for detecting cyberattacks. U.S. officials hope water utilities will analyze and voluntarily report such data to help authorities monitor threats to different types of critical infrastructure.

The White House previously said it would expand the program to water utilities this year as part of a push to prevent hackers from breaking into the increasingly digitized control systems of industrial firms.

Water-sector trade groups are evaluating the draft blueprint and potential technology needs, how U.S. officials would support the effort and the types of data the government wants, said Kevin Morley, manager of federal relations for the American Water Works Association.
