Pete Recommends – Weekly highlights on cyber security issues, September 24, 2022

Subject: Lens reflections may betray your secrets in Zoom video calls
Source: The Register

Boffins at the University of Michigan in the US and Zhejiang University in China want to highlight how bespectacled video conferencing participants are inadvertently revealing sensitive on-screen information via reflections in their eyeglasses. With the COVID-19 pandemic and the rise in remote work, video conferencing has become commonplace. The researchers argue the ensuing privacy and security issues deserve further attention, and they’ve been casting an eye on this unusual attack vector.

In a paper distributed via ArXiv, titled, “Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing,” researchers Yan Long, Chen Yan, Shilin Xiao, Shivan Prasad, Wenyuan Xu, and Kevin Fu describe how they analyzed optical emanations from video screens that have been reflected in the lenses of glasses.

“Our work explores and characterizes the viable threat models based on optical attacks using multiframe super resolution techniques on sequences of video frames,” the computer scientists explain in their paper.

[shhh, don’t tell them about: – which movie/TV actors and others will wear /Pete]


Subject: Chinese spy convicted with help from iCloud backup of his iPhone
Source: 9to5Mac

A Chinese spy carrying out industrial espionage against GE Aviation and Honeywell’s aerospace division was caught with the help of access to an iCloud backup of his iPhone. The data obtained included a never-before-seen copy of a security form used by the Chinese security service when recruiting spies. Xu Yanjun, an officer in China’s Ministry of State Security (MSS), was arrested and brought to trial in the US after investigators lured him out of the country to a meeting in Belgium, from where he was extradited to America …

Bloomberg tells the story in dramatic form, but the executive summary is that China targeted academics and engineers working on aerospace projects. They were invited to China on all-expenses-paid trips, where they ostensibly delivered conference papers – but were really giving away commercially sensitive information on airframe and engine development.


Subject: Watch it! Legal issues arise with home security cameras

The devices are on the way to becoming as commonplace as lawn sprinklers. A 2021 survey by the National Association of Home Builders suggested that 70 percent of likely home buyers want security cameras. Tech giant Amazon is rolling out a new TV series about Rings, and it’s not their billion-dollar blockbuster set in Middle-earth.

This show is called “Ring Nation,” and it will feature videos captured by Amazon’s Ring home security cameras. The idea of a weekly TV series featuring surveillance videos has ticked off privacy experts, civil libertarians, and Senator Edward Markey, Democrat of Massachusetts. But it also proves that home security cameras are on the way to becoming as commonplace as lawn sprinklers.

We’ve still got a way to go. By the end of 2021, only about 14 percent of homes with broadband access had a network-connected security camera, while 15 percent owned a video doorbell, according to research firm Parks Associates.

But when people start pointing cameras and microphones at one another, certain issues arise. Like, what if your next-door neighbor complains that your camera invades his privacy? What if the microphone records people’s private conversations?

The law has little to say about such matters, according to Matthew Guariglia, a policy analyst at the Electronic Frontier Foundation, an online civil liberties group.

“There isn’t a lot of protection for people from household surveillance devices,” Guariglia said.

Subject: Crypto giveaway scams continue to escalate
Source: Help Net Security

The evolution of crypto giveaway scams. Crypto giveaway scams have evolved into an illicit market segment with multiple services that aim to facilitate fraudulent operations. According to Group-IB, 63% of the new fraudulent domain names were registered with Russian registrars, but the fake websites are primarily designed to target English and Spanish-speaking crypto investors in the US and other countries. The researchers also compiled a list of the most popular keywords used by scammers in fake domain names.

Researchers observed an increase in the number of fraudulent YouTube streams “featuring” big names such as Brad Garlinghouse, Michael J. Saylor, and Cathie Wood in February this year. The scammers used the footage of famous entrepreneurs and crypto enthusiasts to encourage users to visit a promotional website to double their crypto investment — by transferring crypto to the specified address or disclosing the seed phrase of their crypto wallet to receive even better terms.

Among the top five most popular domain zones used by scam websites promoting crypto giveaways are .com (31.65%), .net (23.86%), .org (22.94%) and .us (5.89%).

Subject: How Pig Butchering Scams Work
Source: ProPublica

If you’re like most people, you’ve received a text or chat message in recent months from a stranger with an attractive profile photograph. It might open with a simple “Hi” or what seems like good-natured confusion about why your phone number seems to be in the person’s address book. But these messages are often far from accidental: They’re the first step in a process intended to steer you from a friendly chat to an online investment to, ultimately, watching your money disappear into the account of a fraudster. “Pig butchering,” as the technique is known — the phrase alludes to the practice of fattening a hog before slaughter — originated in China, then went global during the pandemic. Today criminal syndicates target people around the world, often by forcing human trafficking victims in Southeast Asia to perpetrate the schemes against their will. ProPublica recently published an in-depth investigation of pig butchering, based on months of interviews with dozens of scam victims, former scam sweatshop workers, advocates, rescue workers, law enforcement and investigators, along with extensive documentary evidence including training manuals for scammers, chat transcripts between scammers and their targets and complaints filed with the Federal Trade Commission.

“We’ve had people from all walks of life that have been victimized in these cases and the paydays have been huge,” said Andrew Frey, a financial investigator for the Secret Service, the federal agency that is taking a lead role in combating online crime and trying to help victims recover their stolen funds.

Subject: FCC Adds China-linked Telecom Providers to List of National Security Threats
Source: Nextgov

The departments of Defense and Justice want the agency to take a more comprehensive approach to preventing foreign adversaries from accessing Americans’ communications and data. The Federal Communications Commission has effectively banned two entities associated with China from providing telecommunications services in the U.S., based on other federal agencies’ national security reviews from almost two years ago.

“Today we take another critical step to protect our communications networks from foreign national security threats,” FCC Chairwoman Jessica Rosenworcel said in a press release Tuesday. “Earlier this year the FCC revoked China Unicom America’s and PacNet/ComNet’s authorities to provide service in the United States because of the national security risks they posed to communications in the United States. Now, working with our national security partners, we are taking additional action to close the door to these companies by adding them to the FCC’s Covered List.”

Being on the “covered list” means the telecom providers—like Huawei and ZTE before them—will be restricted from accessing the U.S. market going forward. But the FCC’s action is based on letters it received back in November 2020 from executive branch agencies responsible for reviewing foreign investment in the United States for national security threats. That kind of lag is a problem for addressing threats foreign adversaries pose through vulnerabilities in the internet routing system, the departments of Defense and Justice recently told the FCC.

The departments of Justice and Defense flagged the current lengthy process, and what they described as an ad-hoc, case-by-case approach as being insufficient for mitigating adversaries’ exploitation of the Border Gateway Protocol, which is used to identify the most efficient routes for delivering network traffic, but can be misdirected to access and exfiltrate sensitive data.


Subject: MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches
Source: BleepingComputer

Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network.

The reality is that obtaining corporate credentials is far from difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces.

To counter this, enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys.

While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks, such as evilginx2.

However, a social engineering technique called ‘MFA Fatigue’, aka ‘MFA push spam’, is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.

What is MFA Fatigue? When an organization’s multi-factor authentication is configured to use ‘push’ notifications, the employee sees a prompt on their mobile device when someone tries to log in with their credentials. These MFA push notifications ask the user to verify the login attempt and show where the login is being attempted.

An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account owner’s mobile device.

The goal is to keep this up, day and night, to break down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts.

A demonstration of an MFA Fatigue attack, or MFA spam, can be seen in this YouTube video created by cybersecurity support company Reformed IT.
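The pattern described above (a burst of push prompts to one user, most of them denied or ignored, then one approval) is visible in identity-provider logs, which is where a defender catches it. The following detector is an added example written for this newsletter; it is not code from BleepingComputer, Reformed IT or any MFA vendor. The log format is assumed (one line per event: UTC timestamp, user, push result, source IP, with result values PUSH_SENT, PUSH_DENIED, PUSH_TIMEOUT and PUSH_APPROVED), the sample log lines are constructed, and the thresholds are illustrative.

```python
"""Flag MFA push spam ("MFA fatigue") in authentication logs.

Added example; not vendor code. Assumed log format, one event per line:
"<ISO-8601 UTC timestamp> <user> <push result> <source IP>" where the result is
one of PUSH_SENT, PUSH_DENIED, PUSH_TIMEOUT, PUSH_APPROVED. Map your identity
provider's own field names onto these before use.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample log (not real data): alice's stolen credentials are being
# replayed at night, so she is pushed six times in eight minutes and denies or
# ignores five prompts before approving one; bob's two logins hours apart are
# normal single-prompt approvals.
SAMPLE_LOG = """\
2022-09-20T02:01:03Z alice PUSH_SENT 203.0.113.7
2022-09-20T02:01:40Z alice PUSH_DENIED 203.0.113.7
2022-09-20T02:02:10Z alice PUSH_SENT 203.0.113.7
2022-09-20T02:02:55Z alice PUSH_TIMEOUT 203.0.113.7
2022-09-20T02:03:30Z alice PUSH_SENT 203.0.113.7
2022-09-20T02:04:02Z alice PUSH_DENIED 203.0.113.7
2022-09-20T02:04:45Z alice PUSH_SENT 203.0.113.7
2022-09-20T02:05:20Z alice PUSH_DENIED 203.0.113.7
2022-09-20T02:06:01Z alice PUSH_SENT 203.0.113.7
2022-09-20T02:06:50Z alice PUSH_TIMEOUT 203.0.113.7
2022-09-20T02:08:15Z alice PUSH_SENT 203.0.113.7
2022-09-20T02:09:02Z alice PUSH_APPROVED 203.0.113.7
2022-09-20T08:30:00Z bob PUSH_SENT 198.51.100.4
2022-09-20T08:30:12Z bob PUSH_APPROVED 198.51.100.4
2022-09-20T13:02:00Z bob PUSH_SENT 198.51.100.4
2022-09-20T13:02:09Z bob PUSH_APPROVED 198.51.100.4
"""


class Event(NamedTuple):
    when: datetime
    user: str
    result: str
    source_ip: str


@dataclass
class Alert:
    user: str
    when: datetime
    kind: str        # "push_burst" or "approved_after_burst"
    count: int       # prompts sent (burst) or prompts rejected (approval)
    source_ip: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed line format into Event tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def detect_push_spam(events: List[Event], window: timedelta = timedelta(minutes=10),
                     push_threshold: int = 5, reject_threshold: int = 3) -> List[Alert]:
    """Sliding-window detector over time-ordered push events.

    push_burst: at least push_threshold prompts sent to one user inside `window`,
    i.e. someone is scripting logins with that user's credentials.
    approved_after_burst: the user approved a prompt after denying or ignoring at
    least reject_threshold prompts inside `window`; that is the fatigue outcome
    and is the trigger for revoking sessions and resetting the password.
    """
    sent = defaultdict(deque)        # user -> PUSH_SENT timestamps still in window
    rejected = defaultdict(deque)    # user -> PUSH_DENIED/PUSH_TIMEOUT timestamps in window
    burst_reported = set()           # one push_burst alert per user per run
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        for q in (sent[ev.user], rejected[ev.user]):
            while q and ev.when - q[0] > window:   # expire events outside the window
                q.popleft()
        if ev.result == "PUSH_SENT":
            sent[ev.user].append(ev.when)
            if len(sent[ev.user]) >= push_threshold and ev.user not in burst_reported:
                burst_reported.add(ev.user)
                alerts.append(Alert(ev.user, ev.when, "push_burst", len(sent[ev.user]), ev.source_ip))
        elif ev.result in ("PUSH_DENIED", "PUSH_TIMEOUT"):
            rejected[ev.user].append(ev.when)
        elif ev.result == "PUSH_APPROVED" and len(rejected[ev.user]) >= reject_threshold:
            alerts.append(Alert(ev.user, ev.when, "approved_after_burst",
                                len(rejected[ev.user]), ev.source_ip))
    return alerts


if __name__ == "__main__":
    for a in detect_push_spam(parse_log(SAMPLE_LOG)):
        print(f"{a.when:%Y-%m-%d %H:%M:%S} {a.kind:<21} user={a.user} "
              f"count={a.count} ip={a.source_ip}")
```

Run against the sample, the detector raises two alerts for alice (a push burst at the fifth prompt, then an approval after five rejections) and none for bob. The thresholds and window are tuning knobs; the second alert type is the one worth paging on, because it means the attacker now holds a valid session.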


Subject: ‘Crypto King’ Has Luxury Cars Seized After $35 Million Vanishes
Source: Gizmodo

Aiden Pleterski bought ads disguised as news articles on websites like the Daily Caller to promote himself. Five luxury cars, including two BMWs, two McLarens, and a Lamborghini, have been seized from 23-year-old Aiden Pleterski, the self-described “crypto king” of Canada, during bankruptcy proceedings according to a new report from the CBC. But those cars are only worth a fraction of the $35 million that Pleterski allegedly took from investors who thought he’d make them rich in the cryptocurrency market, and it’s not clear whether they’ll ever see their money again.

Pleterski and his company AP Private Equity Limited are facing at least two civil lawsuits after 140 people have come forward to say they invested a combined $35 million with Pleterski. Those people believed they were investing in cryptocurrency, and Pleterski’s online presence—including photos of the 23-year-old on private jets and next to luxury cars—helped create the image that he knew what he was doing.

Despite a notice that the article is from a “featured partner”, many people don’t understand such articles are bought and paid for—a practice that has a long history. The text of the Daily Caller article about Pleterski is rather ridiculous and riddled with grammatical errors, but may have been enough to convince some people with no experience in crypto that he was an up-and-coming entity who could make them rich.
