Pete Recommends – Weekly highlights on cyber security issues, July 23, 2022

Subject: FTC explains ‘reasonable’ cybersecurity
Source: FCW

From risk-based management to staying up-to-date about known vulnerabilities and their patches, the Federal Trade Commission is detailing key steps companies can take to avoid getting hit with a data security complaint.The Federal Trade Commission expects companies to have “reasonable patching procedures in place” to identify and mitigate known vulnerabilities, a senior attorney for the FTC’s Division of Privacy and Identity Protection said on Thursday at a meeting of the Information Security and Privacy Advisory Board.

The FTC wants companies to include risk-based management processes and evaluations throughout their operations, as well as implement regular training actions around threat detection and mitigation.

The commission has published a series of publicly available guidelines and recommendations for the private sector around patching vulnerabilities, warning companies to remediate the Log4j security threat in early January and even providing a step-by-step response for dealing with a data breach.


Subject: iOS 16—Upgrade Warning Issued To Millions Of iPhone Users
Source: Forbes

When iOS 16 launches this Fall, it could leave millions of iPhone users needing to upgrade their phones. That’s because iOS 16 only works on the iPhone 8 and above, with some features even requiring a later Apple device to function.This is bad news for iPhone users—and not just because of the iOS 16 features you’ll miss out on. If you can’t upgrade to iOS 16, it also means you won’t receive security updates to your iPhone, which could of course leave you at risk.

Apple has been very proactive with iPhone security updates of late, pushing them out almost monthly over the last couple years. Some of the security updates have been for iPhone and iPad vulnerabilities already being exploited—in other words, used by adversaries in real-life attacks.

iOS 16 iPhones—what to do to stay secure. It’s not ideal, of course—while an iPhone’s life is not infinite, not everyone can afford to upgrade their devices when iOS 16 comes out later this year. So what can you do? I’m hoping that Apple continues upgrading iOS 15 with important security updates, as it did with iOS 14, but we can’t bank on it. If it does update iOS 15, it’ll probably buy you a few more months.


Subject: Password recovery tool infects industrial systems with Sality malware
Source: Bleeping Computer

A threat actor is infecting industrial control systems (ICS) to create a botnet through password “cracking” software for programmable logic controllers (PLCs).Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.

Subject: Week in review: Kali Linux gets on Linode, facial recognition defeated, Log4j exploitation
Source: Help Net Security

Many abstracts w/ links …Here’s an overview of some of last week’s most interesting news, articles, interviews and videos…

RSS feed:

Subject: The Matrix messaging network now counts more than 60 million users
Source: Bleeping Computer

The Matrix open network for decentralized communication has announced a record growth of 79% in the past 12 months, now counting more than 60 million users.This is an important milestone for a project driven by a small team of developers and volunteers working to provide a secure and private alternative to modern messaging and collaboration options.

Accelerated growth – According to a press release shared with BleepingComputer, the Matrix decentralized messaging network has added a record 25 million users to its services in the past year, which was mainly the result of three events.

First, the popularity of the Element app started to take off as individuals and corporate entities looking for a secure collaboration platform are now recognizing the advantages of the project against mainstream products.

Secondly, Germany’s entire healthcare system decided to adopt Matrix last summer, which will see over 150,000 organizations in the country gradually migrating to the standard.

Thirdly, Rocket. Chat announced in May 2022 that it would start supporting the Matrix protocol giving its 12 million users the option to communicate with other users through the wider Matrix network.

“Matrix’s new milestone, surpassing 60 million users, is a clear sign that users don’t want to be subjected to advertising-funded messaging apps that data-mine their information,” Matrix co-founder and CEO Matthew Hodgson said in an email.


Subject: Online payment fraud losses to exceed $343 billion
Source: Help Net Security

Cumulative merchant losses to online payment fraud globally between 2023 and 2027 will exceed $343 billion, according to Juniper Research. As a comparison, this equates to over 350% of Apple’s reported net income in the 2021 fiscal year, showing the massive extent of these losses.Online payment fraud includes losses across the sales of digital goods, physical goods, money transfer transactions and banking, as well as purchases like airline ticketing. Fraudster attacks can include phishing, business email compromise and socially engineered fraud.

Online payment fraud losses are partly being driven by fraudster innovation in areas such as account takeover fraud, where a user’s account is hijacked. This is despite the wide employment of identity verification measures.

Subject: Google Boots Multiple Malware-laced Android Apps from Marketplace
Source: Threatpost
Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads.

French security researcher Maxime Ingrao of cybersecurity firm Evina discovered a malware that he dubbed Autolycos that can subscribe users to a premium service as well as access users’ SMS messages,. according to a post he made on Twitter last week. This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to rack up payment charges–is called toll fraud malware, or more commonly, fleeceware.

Indeed, upon further examination, researchers from Malwarebytes believe the malware is a new variant of Joker–what Malwarebytes refers to as “Android/Trojan.Spy.Joker–Malwarebytes intelligence researcher Pieter Artnz said in a post published a day after Ingrao’s revelation.

Lag Time in Discovery and App Removal

The eight apps in which Ingrao discovered Autolycos are:

  • Vlog Star Video Editor ( – 1 million downloads
  • Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
  • Wow Beauty Camera ( – 100,000 downloads
  • Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
  • Freeglow Camera 1.0.0 ( – 5,000 downloads
  • Coco Camera v1.1 ( –  1,000 downloads
  • Funny Camera by KellyTech –  500,000 downloads
  • Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads.


Subject: A Deep Dive Into the Residential Proxy Service ‘911’
Source: Krebs on Security

For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.911[.]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

“The 911[.]re network uses at least two free VPN services to lure its users to install a malware-like software that achieves persistence on the user’s computer,” the researchers wrote. “During the research we identified two free VPN services that [use] a subterfuge to lure users to install software that looks legitimate but makes them part of the network. These two software are currently unknown to most if not all antivirus companies.”

Highlighting the risk that 911 nodes could pose to internal corporate networks, they observed that “the infection of a node enables the user to access shared resources on the network such as local intranet portals or other services.”

“It also enables the end user to probe the LAN network of the infected node,” the paper continues. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”

Subject: Amazon Sues Facebook Group Admins Over Massive Fake Reviews
Source: Gizmodo

Amazon has filed lawsuits against the administrators of over 10,000 Facebook groups that are allegedly part of a network to recruit individuals to leave fake reviews for products on Amazon in exchange for money or free products.Amazon, of course, is the marketplace where you can have unfettered access to almost any product you need. Likewise, Amazon’s trusted review system is usually an honest way to get a look at the quality of products—well, sort of. Today, Amazon revealed in a press release that it filed a lawsuit against the administrators of over 10,000 Facebook groups. These groups are reportedly part of a coordinated effort to recruit individuals to leave fake reviews for different products on Amazon stores in the United States, United Kingdom, Germany, France, Italy, Spain, and Japan.


Subject: Campaigns may have lost their most effective — and annoying — outreach tool
Source: Vox

Texting voters just got harder, right before the midterms. Text messaging — with their markedly high “open rates” — is an especially potent form of political outreach: Since 2016, texting has become one of the most appealing ways for campaigns to engage voters or supporters, especially as so many have ditched their landlines.

But as part of a broader effort to crack down on the fast-growing problem of spam calls and texts, mobile carriers like AT&T, T-Mobile, and Verizon have been rolling out a new policy that affects any business, nonprofit, union, or campaign that intends to send at least 3,000 messages per day.

It means that political campaigns and advocacy groups have fewer rights to text you, if you haven’t affirmatively opted in to receive the messages — and it’s causing distress among those groups ahead of the midterms.

The changes — known as “10DLC” for the 10-digit long codes that high-volume businesses and apps use to text local numbers — will require organizations to register with the Campaign Registry, a subsidiary of the Milan-based communications firm Kaleyra. Carriers will impose higher messaging fees and slower delivery rates for any group that fails to register, and in some cases block them from delivering messages altogether.

Campaigns had a preview of what the future might look like if they fail to comply with the new 10DLC rules. Last month, a Democratic National Committee texting campaign, meant to notify voters that it was primary day, provide them with `on making a voting plan, and invite them to attend a free virtual training on mobilizing others, was suspended after at least five recipients of the roughly 50,000 registered complaints about the unsolicited blasts.

“This shutdown … is nothing less than the silencing of core political speech at the hands of a private company pursuant to an ambiguous, unwritten policy,” DNC executive director Sam Cornale wrote in a letter to the CEOs of AT&T and T-Mobile. “As we have explained, in the wake of unprecedented voter disenfranchisement efforts, text messages have become a critical tool in combatting misinformation and attempts to disenfranchise in real time. … The health of our democracy demands you act now to change this harmful policy.”

[maybe the Republicans seeded some telephone numbers in the Democratic txt list?]

Subject: Air-gapped systems leak data via SATA cable WiFi antennas
Source: Bleeping Computer

A security researcher has found a new way to steal data from air-gapped systems by using serial ATA (SATA) cables present inside most computers as a wireless antenna that sends out data via radio signals. Air-gapped systems are used in critical environments that need to be physically isolated from less secure networks, such as those connected to the public internet.

They are typically seen in military, government, and nuclear development programs, as well as industrial control systems in critical sectors (e.g. oil, gas, financial, electric power).

Dubbed “SATAn”, the attack was discovered by Mordechai Guri, the Head of R&D of The Cyber Security Research Labs at Ben-Gurion University in Israel, and could theoretically help an adversary steal sensitive information.

SATAn attack – For a SATAn attack to succeed, an attacker first needs to infect the target air-gapped system. While this is not an easy task, there are reports of physical initial compromise since 2010, Sutxnet being the most notorious one.

Attack limitations – Through experimentation with various systems and settings, the researcher has determined that the maximum distance from the air-gapped computer to the receiver cannot be greater than 120 cm (3.9 ft), or the bit error rate increases too much to ensure the integrity of the message (above 15%).

The distance between the transmitter and the receiver also influences the time required to send the data. Depending on the gap, “sequences of three bits with 0.2 sec, 0.4 sec, 0.6 sec, 0.8 sec, 1.0 sec, and 1.2 sec have been modulated and received.”


Subject: Microsoft adds ‘Cloud for Sovereignty’ to its line-up
Source: ZDNet

Microsoft is adding yet another cloud bundle to its Microsoft Cloud line-up. The latest is known as the “Microsoft Cloud for Sovereignty.” It’s similar to Microsoft’s own Cloud for Government, except that it’s not only for US government customers; instead, it’s for government and public sector customers worldwide.Sovereignty is a bit of a loosely defined buzzword. It’s often used in conjunction with “data,” as in “data sovereignty.” But sovereignty doesn’t just apply to where data resides. It also has to do with security, compliance, and policy requirements that are particular to various countries’ governments.

I’m curious whether Microsoft’s own US government cloud offerings are considered part of the Cloud for Sovereignty solution. (It seems some at the company already consider its government clouds as “US Sovereign Cloud.”) I also wonder whether Microsoft is treating the Cloud for Sovereignty as yet another one of Microsoft’s industry clouds — a group which already includes Cloud for Healthcare, Retail, Manufacturing, Finance, Non-Profits, and Sustainability. I’ve asked about both of these questions; no word back so far.


Subject: Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability
Source: U.S. GAO

Cyber insurance has been around for about 20 years. These insurance policies cover common cyber-related losses, such as those associated with data breaches and ransomware attacks that result in loss of business or disruptions.But while more companies may be looking for insurance against attacks, stability in premium rates and access to policies are changing. Large-scale attacks—such as last year’s Colonial Pipeline ransomware attack, which led to short-lived gasoline shortages in the Southeastern U.S.—have highlighted the potential for catastrophic financial damages. As a result, insurers are starting to take steps to limit their exposure to these losses.

Today’s WatchBlog post looks at how the insurance market is reacting to increased cyberthreats, as well as the potential federal role in this market.

You can also learn more by listening to our podcast with GAO’s Dan Garcia-Diaz, who led work on our latest cyber insurance report.

Subject: Leverage v. Stock Market “Events”: Margin Debt Plunged in June
Source: Wolf Street

There is a huge amount of leverage out there, and most of it is hidden until it blows something up. The Fed encouraged leverage through interest rate repression and QE, and folks took that encouragement and piled into it. Some of this leverage is already blowing up with spectacular results, such as the leverage in the crypto world. In the stock market, leverage takes multiple forms. But only margin debt is reported and known, it’s the only visible part of stock market leverage – the tip of the iceberg. And it’s associated closely to “stock market events.”

That’s what leverage does: it drives up prices before, and it drives down prices during the sell-off. Leverage is the great accelerator, in both directions.

Margin debt, when it’s ballooning, can serve as an effective warning signal about risks and issues building up in the stock market. And when it starts to decline, as it did last November, it can ring the alarm bell.

If anyone ever tells you to put a financial chart on a log scale, such as margin debt, to make it look less scary, run!

When a market gets whipped to ludicrous levels, it pays to get out. Hundreds of hype and hoopla stocks have by now collapsed by 70%, 80% and over 90%, and I have tracked some of them in my Imploded Stocks column.

[Or, don’t forget to re-balance /pmw1]

Subject: The FBI Forced A Suspect To Unlock Amazon’s Encrypted App Wickr With Their Face
Source: Forbes

The feds are using an unprecedented type of search warrant to obtain encrypted communications that the agency says are nearly impossible to access otherwise.In November last year, an undercover agent with the FBI was inside a group on Amazon-owned messaging app Wickr, with a name referencing young girls. The group was devoted to sharing child sexual abuse material (CSAM) within the protection of the encrypted app, which is also used by the U.S. government, journalists and activists for private communications. Encryption makes it almost impossible for law enforcement to intercept messages sent over Wickr, but this agent had found a way to infiltrate the chat, where they could start piecing together who was sharing the material.

As part of the investigation into the members of this Wickr group, the FBI used a previously unreported search warrant method to force one member to unlock the encrypted messaging app using his face. The FBI has previously forced users to unlock an iPhone with Face ID, but this search warrant, obtained by Forbes, represents the first known public record of a U.S. law enforcement agency getting a judge’s permission to unlock an encrypted messaging app with someone’s biometrics

“Most courts are going to find they can force you to use your face to unlock your phone because it’s not compelling you to speak or incriminate yourself…”

Forcing people to unlock encrypted messaging with their biometrics is unprecedented — and controversial. That’s because of an illogical quirk in U.S. law: Courts across the U.S. have not allowed investigators to compel people to hand over a passcode for phones or apps, but they have allowed them to repeatedly unlock phones using biometrics. That’s despite the obvious fact that the result is the same.

There has been some pushback over such biometric unlocks from judges in some states. That includes two 2019 cases in California and Idaho, where the police wanted to force open phones inside properties relevant to the investigations. The judges in those cases declared biometric data was, in fact, testimonial, and law enforcement couldn’t force the owners of those phones to use their faces to unlock them.

For now, Greco says the best way a person can protect themselves from such searches is to lock a device with a complex passcode rather than a face. It’s possible to do the same with Wickr by disabling Touch ID or Face ID.

Subject: Leveraging the power of cyber fusion centers for organizational security
Source: TechRepublic

With the rise in the cost of data breaches across the globe, the cybersecurity industry is resorting to a more comprehensive defense intelligence paradigm. The comprehensive defense intelligence would be a cyberdefense system that helps address the challenges of the ever-evolving threat environment. This defense system is what is referred to as a cyber fusion center.Cyber fusion centers are set up to integrate processes, people and powerful technologies to address cybersecurity challenges. They provide comprehensive insights into malware, threat actors, vulnerabilities and threat intelligence to security teams in organizations. Hence, more organizations now seek ways to leverage the power of cyber fusion centers to give them deeper visibility into the threat landscape and help them with swift solutions to security issues.

What is a cyber fusion center? Cyber fusion centers (CFC) are unified and advanced security operations centers (SOCs) that enhance and improve enterprise security by devising a holistic approach to threat detection, hunting, response and threat intelligence.

The purpose of cyber fusion centers is to incorporate different teams such as SecOps, ITOps and NetSecOps within an organization to function as one team with an overarching goal of fast-tracking incident response and gathering security intelligence. This center helps to reduce risk and security costs by detecting security threats before they become disastrous to organizations.


Subject: Facebook has started to encrypt links to counter privacy-improving URL Stripping
Source: gHacks Tech News

Facebook has started to use a different URL scheme for site links to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking. Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

Update: Facebook contacted us to provide us with their side of the story. According to the company, the change has nothing to do with URL stripping and user tracking, but as a countermeasure against scrapers.

“We changed the ID component of these URLs as a privacy measure intended to deter scrapers from collecting and potentially misusing people’s Facebook IDs. These modified IDs aren’t used to track people, and have not been designed to prevent browser tools from removing tracking components from the URL.” – a Meta spokesperson

Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.



Subject: Report: 47% of orgs experienced a voice phishing attack last year
Source: VentureBeat

A new report by Mutare reveals serious shortcomings in enterprise security protections against voice network attacks. According to the report, nearly half (47%) of organizations experienced a vishing (voice phishing) or social engineering attack in the past year. The issue of these attacks is widely under reported as legacy voice networks are often ignored as a point of egress. The associated risks go unrecognized, particularly with the accelerated adoption of unified collaboration tools like Microsoft Teams and Slack, where voice and data networks converge.The majority of enterprises are unaware of the volume of unwanted voice traffic (phone calls) that traverses their voice network, or the significance of threats lurking in unwanted traffic — robocalls, spoof calls, scam calls, spam calls, spam storms, vishing, smishing and social engineering. Within the organizations that were the victims of a voice attacks in the past year, nearly one-third (32%) involved SMS/text scams, followed by attacks on collaboration platforms such as Cisco WebEx and Microsoft Teams (16%), and voice networks (14%).

Subject: South Carolina bill outlaws websites that tell how to get an abortion
Source: WaPo via beSpacific

Washington Post: “Shortly after the Supreme Court ruling that overturned the right to abortion in June, South Carolina state senators introduced legislation that would make it illegal to “aid, abet or conspire with someone” to obtain an abortion. The bill aims to block more than abortion: Provisions would outlaw providing information over the internet or phone about how to obtain an abortion. It would also make it illegal to host a website or “[provide] an internet service” with information that is “reasonably likely to be used for an abortion” and directed at pregnant people in the state. Legal scholars say the proposal is likely a harbinger of other state measures, which may restrict communication and speech as they seek to curtail abortion. The June proposal, S. 1373, is modeled off a blueprint created by the National Right to Life Committee (NRLC), an antiabortion group, and designed to be replicated by lawmakers across the country…”

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

From WaPo:

Tech companies could soon be navigating a disparate patchwork of state laws, caught in the middle of a political tug of war between red states and blue states. Democrats are already considering new data privacy proposals to protect reproductive health data and other digital trails that could be used to prosecute people seeking abortion. Meanwhile, Republican states could attempt to preserve and collect that same data, which has been used as key evidence in cases against pregnant women.

Posted in: Civil Liberties, Criminal Law, Cybercrime, Cybersecurity, Free Speech, Government Resources, Healthcare, Legal Research, Legislative, Privacy, United States Law