Pete Recommends – Weekly highlights on cyber security issues, September 3, 2022

Subject: BleepingComputer
Source: The Week in Ransomware – August 26th 2022 – Fighting back

We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data. Last week, LockBit claimed responsibility for a ransomware attack on cybersecurity giant Entrust and began leaking the company’s allegedly stolen data Friday evening.

Soon after leaking the data, LockBit’s Tor data leak sites experienced a DDoS attack that made them inaccessible.


Subject: A US Propaganda Operation Hit Russia and China With Memes
Source: WIRED

Plus: An Iranian hacking tool steals inboxes, LastPass gets hacked, and a deepfake scammer targets the crypto world.

Subject: Why your organization should plan for deepfake fraud before it happens

Source: VentureBeat

Deepfakes defined – Deepfakes get their name from the underlying technology: Deep learning, a subset of artificial intelligence (AI) that imitates the way humans acquire knowledge. With deep learning, algorithms learn from vast datasets, unassisted by human supervisors. The bigger the dataset, the more accurate the algorithm is likely to become.

Deepfakes use AI to create highly convincing video or audio files that mimic a third-party — for instance, a video of a celebrity saying something they did not, in fact, say. Deepfakes are produced for a broad range of reasons—some legitimate, some illegitimate. These include satire, entertainment, fraud, political manipulation, and the generation of “fake news.”

The danger of deepfakes – The threat posed by deepfakes to society is a real and present danger due to the clear risks associated with being able to put words into the mouths of powerful, influential, or trusted people such as politicians, journalists, or celebrities. In addition, deepfakes also present a clear and increasing threat to businesses.


Subject: How attackers use and abuse Microsoft MFA
Source: Help Net Security

Microsoft has been pushing for the use of multi-factor authentication (MFA) to thwart attackers for many years. But threat actors are keeping up with the increasing enterprise adoption of MFA and are constantly coming up with ways to bypass the additional protection it offers.

We have already seen attacks involving SIM swapping, exploitation of vulnerabilities, rogue apps, legacy authentication protocols, MFA prompt bombing (aka MFA fatigue), stolen session cookies, and (custom) phishing kits with MFA-bypassing capability.

More recently, Mandiant and Mitiga researchers have documented different approaches that allow attackers to (mis)use Microsoft MFA to their advantage.

Attackers take over dormant Microsoft accounts and set up MFA.


Subject: FTC’s commercial surveillance rule-making. Coinbase user protections. NSTAC calls for OT inventories. US CyberCom and NSA on election security.

Source: The cyberwire

More on the FTC’s call for comment on commercial surveillance rule-making. Coinbase accused of employing inadequate user protections. NSTAC calls for required inventories of operational technology. US CyberCom and NSA join forces to fight election interference.

Summary by the CyberWire staff

At a glance.

  • More on the FTC’s call for comment on commercial surveillance rule-making.
  • Coinbase accused of employing inadequate user protections.
  • NSTAC calls for required inventories of operational technology.
  • US CyberCom and NSA join forces to fight election interference.


Subject: Keeping Up With the Vacuum Cleaners

Source: Rob Slade <[email protected]> via The RISKS Digest Volume 33 Issue 42

Rob Slade <[email protected]>
Fri, 26 Aug 2022 05:37:18 -0700
I tell people that everyone fights about which field of technology is changing the fastest. I don't fight about it. I figure security has a lock on it. Regardless of what else changes in whatever other field of technology, it has an implication for security.

We need to keep up. We need to keep up with each change in technology. We need to keep up with the vulnerabilities that are being created as people create more "solutions." We need to keep up with the latest threats; the latest exploits; the latest attacks; the latest news about who has been attacked, and how. We have to pursue the news avidly, and effectively, to try and keep up with the most relevant issues of the day.

There are of course people who try to produce newsletters to help us out. Well, sometimes not to help us out. Vendors, and trade rags, frequently produce such newsletters themselves. Unfortunately, since their aim is to promote their own products, they put minimal work, and pretty much no analysis, into retailing whatever stories they consider to have security implications.

More and more companies are getting more and more information about you. Some of this information is helpful, both to you, and the authorities. Some of the information is just useful to the authorities. And some of the information is going to be useless, and even misleading, and mistakes will be made.

Subject: FTC Sues Broker Kochava Over Geolocation Data Sales
Source: Gizmodo

The Federal Trade Commission announced a lawsuit Monday against a major data broker, accusing it of offering services that allow for the tracking of Americans at sensitive locations, such as addiction clinics or domestic violence shelters.

Commissioners voted 4-1 this week to bring a suit against Kochava, Inc., which calls itself the “industry leader for mobile app attribution” and sells mobile geo-location data on hundreds of millions of people. The suit accuses the company of violating the FTC Act, and the agency warns that the company’s business practices could easily be used to unmask the locations of vulnerable individuals—including visitors to reproductive health clinics, homeless and domestic violence shelters, places of worship, and addiction recovery centers.

Kochava, which is based in Idaho, sells “customized data feeds” that can be used to identify and track specific phone users, the FTC said in the suit. Kochava collects this data through a variety of means, then repackages it in large datasets to sell to marketers. The datasets include Mobile Advertising IDs, or MAIDs—the unique identifiers for mobile devices used in targeted advertising—as well as timestamped latitude and longitude coordinates for each device (i.e., the approximate location of the user). The data is ostensibly anonymized, but there are well-known ways to de-anonymize it. The suit claims that Kochava is aware of this, as it has allegedly suggested using its data “to map individual devices to households.”

Samuel Levine, director of the FTC’s Bureau of Consumer Protection, similarly laid into the company: “Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Levine said, in a statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”


Other SECURITY articles:

Subject: FCC Probe Reveals Mobile Carriers’ Data Management Practices are ‘All Over the Map’
Source: Nextgov

The last time the FCC investigated mobile carriers’ practices regarding location data, it resulted in fines Jessica Rosenworcel—now chair of the commission—said were unjustly meager. Inconsistent responses from the United States’ top 15 mobile carriers—in accordance with the Federal Communications Commission’s inquiry into the use of their consumers’ location data—show a need for the agency’s regulatory intervention, according to key public interest advocates.

“These letters show that, despite the constant invocation of carriers of ‘industry standards’ and ‘best practices,’ carrier geolocation data practices are all over the map. The only ‘industry standard’ appears to be that there is no standard at all for how long carriers retain data, how they protect it or how hard they make it for their customers to invoke their rights,” Harold Feld, senior vice president for the digital rights group Public Knowledge, said in reaction to the commission’s release of the companies’ responses Thursday….

According to the FCC, the carriers—which include mobile network operators like AT&T, T-Mobile and Verizon, as well as mobile virtual network operators like Best Buy Health, H2O Wireless and Lyca Mobile—are required to follow the commission’s rules for customer proprietary network information, which includes the geolocation data in question. Many of the MVNOs abdicated responsibility for such data, saying they generally don’t collect it. But others said consumer data reports sent to them by interconnecting service providers may be shared for marketing purposes, if explicit permission to do so is granted…. “Continued reliance on such attenuated consent mechanisms and ineffective monitoring tools apparently did not meet the reasonableness requirement,” the FCC said in February 2020 under the Trump administration while issuing fines to T-Mobile, AT&T and Verizon after media reports revealed massive potential data exposures….

Subject: Pirate sites ban in Austria took down Cloudflare CDNs by mistake

Source: BleepingComputer

Excessive and indiscriminate blocking is underway in Austria, with internet service providers (ISPs) complying with a court order to block pirate sites and causing significant collateral damage in the process.

The legal case was launched by the copyright organization “LSG – Wahrnehmung von Leistungsschutzrechten GesmbH”, which convinced an Austrian court to block 14 websites for copyright law violations.

The problem arising from this measure is that the bans also extended to specific IP addresses belonging to Cloudflare servers that support many other sites that do not violate copyright laws.

Examples of impacted websites include Magenta, Salzburg AG, the Preis Zone shop, yesss!, Raiffeisen Mobil, SOS Mitmensch, and Hutchison Drei Austria GmbH.

As Austrian DerStandard comments in a report on the matter, the root of the problem is that the copyright organization provided a list of IP addresses that ISPs banned without checking who used them.

As it turned out, the list also included a set of at least nine IP addresses that Cloudflare uses for its CDN to provide services (security, reliability, performance) to legitimate websites.

Subject: Google Play rule change disallows ad-blocking VPN apps

Source: The Register

Google in November will prohibit Android VPN apps in its Play store from interfering with or blocking advertising, a change that may pose problems for some privacy applications.

The updated Google Play policy, announced last month, will take effect on November 1. It states that only apps using the Android VPNService base class, and that function primarily as VPNs, can open a secure device-level tunnel to a remote service.

Such VPNs, however, cannot “manipulate ads that can impact apps monetization.”

The rules appear to be intended to deter data-grabbing VPN services, such as Facebook’s discontinued Onavo, and to prevent ad fraud. The T&Cs spell out that developers must declare the use of VPNService in their apps’ Google Play listing, must encrypt data from the device to the VPN endpoint, and must comply with Developer Program Policies, particularly those related to ad fraud, permissions, and malware.

Labdaoui points to the DuckDuckGo Privacy Browser for Android, which creates a local VPN service to make its App Tracking Protection block tracker server connections, as a potential casualty of the new Play policy.

Subject: Chrome extensions with 1.4 million installs steal browsing data

Source: BleepingComputer

Threat analysts at McAfee found five Google Chrome extensions that track users’ browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times.

The purpose of the malicious extensions is to monitor when users visit e-commerce websites and to modify the visitor’s cookie to appear as if they came through a referrer link. For this, the authors of the extensions get an affiliate fee for any purchases at electronic shops.

The five malicious extensions that McAfee researchers discovered are the following:

  • Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
  • Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
  • Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
  • FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
  • AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads

Related Articles:

Subject: Truth Social Isn’t on Android Over Content Moderation

Source: Gizmodo

Even though it’s been months since Truth Social went on the market, Google has still not let the hordes of Trump supporters download their favorite former president’s app off its app store. Finally, the company has revealed that Truth has so far failed to come up with a content moderation policy that will satisfy the tech giant.

Axios first reported that Google hasn’t approved Truth Social for distribution on the Google Play Store, simply because the app still fails to moderate content users post, especially those that relate to violence.

“On August 19 we notified Truth Social of several violations of standard policies in their current app submission and reiterated that having effective systems for moderating user-generated content is a condition of our terms of service for any app to go live on Google Play. Last week Truth Social wrote back acknowledging our feedback and saying that they are working on addressing these issues.”

Subject: State, local agencies to test geographic accuracy of emergency alerts

Source: GCN

Amid ongoing concerns from local leaders about the system’s reliability, the FCC will evaluate the accuracy, reliability and speed of Wireless Emergency Alert delivery. Federal Communications Commission Chairwoman Jessica Rosenworcel announced the commission has for the first time partnered with 42 state and local government agencies to test the geographic accuracy of Wireless Emergency Alerts (WEAs) during local tests later this month.

The testing is planned for Sept. 12 and 13, with the local agencies set to send an alert to the public in a targeted area of its choice at a designated time. The FCC said this round of tests will assess how geographically accurate the alerts are and analyze other factors like reliability and speed.

The bureau warned that it has heard reports that some emergency management agencies decline to use WEAs because they do not have confidence in the technology. That was especially prevalent during the Marshall fire in Boulder, Colorado, when local officials declined to use a WEA, and many residents did not receive a timely alert to evacuate.

The FCC tested WEAs last year for timeliness and reliability in partnership with 11 agencies at various levels of government. A report issued after that test found that almost 90% of intended recipients received the test alert, while T-Mobile, AT&T and Verizon reported that the test traversed their network infrastructure from the alert gateway to cell site in approximately 36, 41 and 55 seconds, respectively.

Subject: How to delete yourself from internet search results and hide your identity online
Source: ZDNET

[From 4 months ago but remains very relevant… ] There is now a very thin line between our physical and digital identities.

When you apply for a new job, many employers will evaluate your social media presence to ascertain if you are a suitable candidate. Advertisers will scrape publicly available information on you, your public profiles, and your search history for targeted marketing.

A misjudged tweet from years ago or an inappropriate Facebook photo can destroy future job prospects or ruin a career. A Google search that reveals an old conviction can make it more difficult to get hired, and allegations of criminal conduct spread online can cause misery and impact your mental well-being.

There’s the idea that once something is online, it is immortal, immutable, and almost impossible to contain. You should not put anything online you wouldn’t want your grandmother to see, although sometimes you aren’t in control of what gets published.

Abuse, stalking, and bullying may also factor as reasons to erase our digital footprints and seize control of our devices. If you want to take control of your privacy and online data, here are some tips to get you started…

Subject: Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content
Source: The Hacker News

A “major” security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them. The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.

While the problem exists in Apple Safari and Mozilla Firefox as well, what makes the issue severe in Chrome is that the requirement for a user gesture to copy content to the clipboard is currently broken.

User gestures include selecting a piece of text and pressing Control+C (or ⌘-C for macOS) or selecting “Copy” from the context menu.

Google is already aware of the issue and a patch is expected to be released soon, given the seriousness of the flaw and the likelihood of abuse by malicious actors.

In the interim, users are advised to refrain from opening web pages between any cut/copy and paste actions and verify their clipboard before carrying out sensitive operations on the web, such as financial transactions.

The development comes as Google released a new version of Chrome (105.0.5195.52/53/54) for Windows, macOS, and Linux with fixes for 24 shortcomings, 10 of which relate to use-after-free bugs in Network Service, WebSQL, PhoneHub…
