Pete Recommends – Weekly highlights on cyber security issues, May 30, 2022

Subject: Chicago Police, FBI Have Social Media Surveillance Strategy
Source: Gizmodo

Police continue to use social media in questionable ways to monitor and track down protestors in photos and videos, according to a new report.Law enforcement agencies are finding new and flawed ways to try to arrest more people all the time. And police have been using posts on sites like Facebook and Instagram to track down and charge protestors suspected of property destruction for years. Now, newly released documents show that Chicago cops can catfish as part of their social media surveillance strategy, as first revealed in a report from The Intercept.

The Chicago Police Department created the Social Media Exploration (SOMEX) Team in 2019. The special order document defining that team, released by The Intercept today, details the department’s strategy of using fake social media profiles to investigate and communicate with people suspected of having committed a crime. Further, the document explains that those fake profiles are to be created with the FBI’s help.

Manufactured social media profiles, not linked to any real person, are theoretically a violation of Facebook’s authenticity policy. The company has previously asked police to stop using them in Los Angeles and Memphis. But clearly, the strategy has stuck around anyway.

Filed: Tech; News

Subject: Report: Russian Botnet Can Spam Social Media on ‘Massive Scale’
Source: Gizmodo

Need to spread some disinformation all over the world? A Russian company apparently has a quick and easy recipe for that.A new report claims that a subcontractor working for Russia’s intelligence service has a botnet capable of manipulating trends on social media platforms on a “massive scale.” The report, published Thursday by the cybersecurity firm Nisos, alleges that the Moscow-based firm 0day Technologies can spread disinformation at a frightening rate using a customizable suite that is tied to a malicious network. The company has previously worked with the Federal Security Service, one of Russia’s primary intelligence agencies.The report is based on documents and other materials that were stolen from the contractor and leaked by the hacktivist group “Digital Revolution” in March of 2020.

In this case, 0Day Technologies is alleged to have wielded a botnet codenamed “Fronton” (or “Фронтон,” in Russian), which came equipped with a dashboard suite capable of generating fake social media profiles and distributing inauthentic content at scale. The suite, dubbed SANA, enables the user to “formulate and deploy trending social media events en masse,” the Nisos report says.

An apparent real-world example of the deployment of SANA shows the ways in which this manipulation could potentially influence news and media coverage. Nisos writes that, weirdly, the suite was used to pelt ridicule at a large wooden squirrel sculpture that was erected in Kazakhstan in the summer of 2018. Criticism of the sculpture, some of which was apparently inauthentic, was reported on by a BBC news story published during that period.

Filed: Tech; Privacy and Security

Subject: Serious Warning Issued For Millions Of Google Gmail Users
Source: Forbes

[thx, Dale … ] Gmail is the world’s most popular email service, it is also known as one of the most secure. But a dangerous exploit might make you rethink how you want to use the service in future.

In an eye-opening blog post, security researcher Youssef Sammouda has revealed that Gmail’s OAuth authentication code enabled him to exploit vulnerabilities in Facebook to hijack Facebook accounts when Gmail credentials are used to sign in to the service. And the wider implications of this are significant.

Speaking to The Daily Swing, Sammouda explained that he was able to exploit redirects in Google OAuth and chain it with elements of Facebook’s logout, checkpoint and sandbox systems to break into accounts. Google OAuth is part of the ‘Open Authorization‘ standard used by Amazon, Microsoft, Twitter and others which allows users to link accounts to third-party sites by signing into them with the existing usernames and passwords they have already registered with these tech giants.

Commenting on Sammouda’s findings, security provider Malwarebytes Labs issued a warning to anyone using linked accounts: “Linked accounts were invented to make logging in easier,” writes Pieter Arntz, the company’s Malware Intelligence Researcher. “You can use one account to log in to other apps, sites and services… All you need to do to access the account is confirm that the account is yours.”

“We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised,” he explains.


Subject: Firefox Browser Hacked In 8 Seconds Using 2 Critical Security Flaws
Source: Forbes via Davey Winder

With Windows 11, Microsoft Teams, Ubuntu Desktop, and the Tesla Model 3 all falling victim to hackers in one week, you might be forgiven for not noticing that Mozilla Firefox was also hacked. In just eight seconds using two critical security vulnerabilities. Who hacked the Mozilla Firefox browser in just eight seconds?

The hacker in question was the supremely talented Manfred Paul who pulled off the lightning-fast double exploit using two critical vulnerabilities at the PWN2OWN Vancouver, 2022, event that came to an end on Friday, May 20.

Manfred Paul was the fourth on stage during the opening session of PWWN2OWN on Wednesday, May 18. His incredibly quick, double-headed, zero-day hack earned him a total of $100,000 in bounty money from the event organizers. Later the same day, he went on to win another $50,000 for a successful zero-day exploit on the Apple Safari browser.

The patched and updated version numbers you are looking for are:

  • Firefox v100.0.2 for desktop users
  • Firefox v100.3.0 for Android users
  • Firefox v91.9.1 for Enterprise ‘Extended Support Release’ users

Subject: PDF smuggles Microsoft Word doc to drop Snake Keylogger malware
Source: Bleeping Computer

Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.The choice of PDFs is unusual, as most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code.

However, as people become more educated about opening malicious Microsoft Office attachments, threat actors switch to other methods to deploy malicious macros and evade detection.

In a new report by HP Wolf Security, researchers illustrate how PDFs are being used as a transport for documents with malicious macros that download and install information-stealing malware on victim’s machines.

Subject: 5 ways to proactively protect government networks
Source: FCW

Adversaries appear to launch attacks with impunity, and their newfound speed and aggression has had a damaging impact on our national security.Over the past year, cyberattacks on the supply chain and critical infrastructure have not only shown adversaries are expanding their capability and sophistication but also revealed an increasing level of overt arrogance that has not been seen before.

The supply chain attacks on SolarWinds and Kaseya, attributed by many—including U.S. intelligence—to Russian intelligence services, were incredibly sophisticated, complex and successful. Large scale ransomware attacks like those targeting Colonial Pipeline and JBS Foods used to happen once or twice a year. Now they occur much more regularly. Adversaries are not hiding what they are doing—they’re being outright brazen about it.

The president’s Executive Order on Improving the Nation’s Cybersecurity is an important component to countering this new wave of adversary behavior.

Creating a Culture of Innovation – How can the government create a culture of innovation to support these efforts? It starts with hiring the right people. Agencies can incentivize an employee to be innovative, but the reality is innovative nature is a natural trait.

Filed: Cybersecurity

Subject: FTC Proposes Greater Control Of Stealth Advertizing
Source: Forbes

The U.S. Federal Trade Commission (FTC) is considering moves to tighten up its guidelines on fake reviews and misleading marketing.The FTC Endorsement Guides give guidance to businesses on ensuring that advertising using endorsements or testimonials is truthful, and that advertisers need to be upfront with consumers and clearly disclose unexpected material connections between endorsers and a seller of an advertised product. They warn that advertisers who lie to consumers via endorsements or testimonials may violate the FTC Act.

However, the guides haven’t been changed since 2009, leaving them ill-equipped to deal with the increasing use of use of social media and product reviews as marketing tools.

And, says the FTC, tags in social media posts are covered under the guides, as are virtual influencers — computer-generated fictional characters. Finally, there’ll be closer scrutiny of the microtargeting of specific audiences.


Subject: New Unpatched Bug Could Let Attackers Steal Money from PayPal Users
Source: The Hacker News

A security researcher claims to have discovered an unpatched vulnerability in PayPal’s money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. Clickjacking, also called UI redressing, refers to a technique wherein an unwitting user is tricked into clicking seemingly innocuous webpage elements like buttons with the goal of downloading malware, redirecting to malicious websites, or disclose sensitive information.

h4x0r_dz, who discovered the issue on the “www.paypal[.]com/agreements/approve” endpoint, said the issue was reported to the company in October 2021.

“This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken,” the researcher explained. “But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim’s PayPal account.”

“There are online services that let you add balance using PayPal to your account,” h4x0r_dz said. “I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!”

(Update: The story has been rectified to mention that the bug is still unpatched and that the security researcher was not awarded any bug bounty for reporting the issue. The error is regretted. We have also reached out to PayPal for more details.)


Subject: My Instagram account was hacked and two-factor authentication didn’t help
Source: ZDNet

After almost 40 years in technology, it finally happened. I had one of my accounts hacked. Blast it. The target was my Instagram account. While I’m very active on social networks, Instagram was the one I used the least. Here’s what happened.

It all started when I got a plausible Instagram message from a friend. His message asked for my help and included a reset link for their account. Rather than asking me to click the link, which I’d never do in a million years, it simply asked me to send him back a screenshot of the message including the link. I thought, “How can I be hacked by sending a PNG image?” After all, it wasn’t a reset link for my account. So I replied with the image. Oh foolish, foolish me. It turns out the combination of the URL on the image and my reply gave them enough information to take over my account.

Now, even when I saw trouble brewing — an Instagram e-mail came asking me if I wanted to change my phone number to one in Nigeria — I wasn’t too worried. I’d protected my account with two-factor authentication (2FA). While 2FA isn’t perfect, it’s better than anything else out there for basic security.

Subject: Cyber security 101: Protect your privacy from hackers, spies, and the government
Source: ZDNET

As surveillance becomes a common factor of our daily lives, privacy is in danger of no longer being considered an intrinsic right — and it seems we, too, are adopting our own personal forms of online digital stalking and spying.

Everything from our web browsing to mobile devices and the Internet of Things (IoT) products installed in our homes has the potential to erode our privacy and personal security, and you cannot depend on vendors or ever-changing surveillance rules to keep them intact.

Having “nothing to hide” doesn’t cut it anymore. We must all do whatever we can to safeguard our personal privacy not only from agencies and companies but also from each other. Taking the steps outlined below can not only give you some sanctuary from spreading surveillance tactics but also help keep you safe from cyberattackers, scam artists, and a new, emerging issue: technological stalking.

Subject: Inside the Government Fiasco That Nearly Closed the U.S. Air System
Source: ProPublica

The prospect sounded terrifying. A nationwide rollout of new wireless technology was set for January, but the aviation industry was warning it would cause mass calamity: 5G signals over new C-band networks could interfere with aircraft safety equipment, causing jetliners to tumble from the sky or speed off the end of runways. Aviation experts warned of “catastrophic failures leading to multiple fatalities.”

On Jan. 18, following nail-biting negotiations involving CEOs, a Cabinet secretary and White House aides, an eleventh-hour agreement averted these threats of aviation armageddon. Verizon and AT&T agreed not to turn on more than 600 5G transmission towers near the runways of 87 airports and to reduce the power of others.

Disaster was averted. But the fact that it was such a close call was shocking nonetheless. How did a long-planned technology upgrade result in a standoff that seemed to threaten public safety and one of the nation’s largest industries? The reasons are numerous, but it’s undeniable that the new 5G deployment represents an epic debacle by multiple federal agencies, the regulatory equivalent of a series of 300-pound football players awkwardly fumbling the ball as it bounces crazily into and out of their arms.

More than anything, a deep examination of the fiasco reveals profound failures in two federal agencies — the Federal Communications Commission and the FAA — that are supposed to serve the public. In the case of the FCC, the agency not only advocated for the interests of the telecommunications industry but adopted its worldview, scorning evidence of risk and making cooperation and compromise nearly impossible. In the case of the FAA, the agency inexplicably stayed silent and passively watched preparations for 5G proceed over a period of years even as the aviation industry sounded ever more dire warnings that the new networks could put air safety at risk.

But the underlying issues are far from resolved. Aviation companies say they need much more time — perhaps two years or more — to upgrade or replace all the equipment vulnerable to 5G interference, according to Bob Fox, a United Airlines pilot now serving as national safety coordinator for the Air Line Pilots Association, a key player in the drama.

Topics: Technology

Subject: Consumer Protection: Congress Should Consider Enhancing Protections around Scores Used to Rank Consumers
Source: U.S. GAO

Fast Facts – Companies increasingly use numeric scores to predict how consumers will behave. Scores are based on hundreds of pieces of information about a person’s purchases, consumer characteristics, and more. Scores are used to target ads, to help companies collect debts from consumers, to assess the likelihood of criminal behavior and flight risk, and more.

Unlike traditional credit scores, these scores may not be subject to consumer protection laws that seek to assure fair and transparent treatment. Consumers are generally unaware of how they’re scored. We urged Congress to consider a consumer right to view and correct this data and more.

Recommendations –  Congress should consider implementing appropriate consumer protections for consumer scores beyond those currently afforded under existing federal laws. Among the issues that should be considered are the rights of consumers to view and correct data used in the creation of scores and to be informed of scores’ uses and potential effects.

Posted in: Communications, Criminal Law, Cybercrime, Cyberlaw, Cybersecurity, E-Government, Economy, KM, Privacy, Social Media, Technology Trends, Travel