Pete Recommends – Weekly highlights on cyber security issues, November 12, 2022

Subject: Researchers Devise Wi-Peep Drone That Can ‘See Through Walls’
Source: Gizmodo

Using a $20 off-the-shelf drone, researchers at the University of Waterloo in Ontario have created what is effectively an airborne scanning device that can triangulate the location of every WiFi-connected device in your house. Yikes. Researchers Ali Abedi and Deepak Vasisht, who recently presented their findings at the 28th Annual International Conference on Mobile Computing and Networking, call this contraption “Wi-Peep,” which is a deceptively cute name for a project with such horrifying implications. Wi-Peep engages in what researchers call a “location-revealing privacy attack” that can manipulate the data in WiFi networks and use it to “see through walls,” or, rather, approximate the location of devices via sneaky scanning.


Subject: Week in review: High-severity OpenSSL vulnerabilities fixed, Patch Tuesday forecast
Source: Help Net Security

Another week in-review abstracts…

Subject: Cybersecurity expert: Paid Twitter verification ‘going to create a very chaotic environment’
Source: The Hill

Former top cybersecurity official Chris Krebs on Sunday said the paid subscription plan for a verification mark on Twitter will “create a very chaotic environment” because it would open the information space to foreign actors, election deniers and other potentially malign influencers. Krebs told moderator Margaret Brennan on CBS’s “Face the Nation” that being able to buy the “blue tick” for $8 a month goes against a long-standing policy of verifying authentic accounts.

“To have such a dramatic shift in that marker of trust [and] now you can buy it,” Krebs said. “It opens the information space to a broader community of influencers, clout chasers, election denialists and [foreign actors]. We’ve seen reports lately that Russia, China and Iran are back at their old tricks, and it is going to create a very chaotic environment.”

Twitter’s new owner, Elon Musk, launched the updated subscription service on Saturday, charging $7.99 for a verification mark as well as other features and benefits for Twitter Blue members, including seeing less advertisements.

There are also concerns about legitimate users who are unwilling to pay for the service who could be forced to compete against fake accounts impersonating them.


Subject: The Fallout From the First Trial of a Corporate Executive for ‘Covering Up’ a Data Breach
Source: Lawfare

Uber’s former chief security officer (CSO), Joe Sullivan, was found guilty on Oct. 5 of obstruction of justice (18 U.S.C. § 1505) and misprision of a felony (18 U.S.C. § 4) based on what the Justice Department called his “attempted cover-up of a 2016 hack of Uber.”

In 2016, while the Federal Trade Commission (FTC) was investigating Uber for an earlier incident, Sullivan learned of another hacking incident that affected the Uber accounts of more than 57 million riders and drivers. In its prosecution of Sullivan, the government alleged that, rather than disclose the incident to the FTC, Uber’s former CSO took steps to hide it from the government, as well as from many of his colleagues at Uber. Most notably, in his alleged attempt to cover up the incident, Sullivan also arranged a $100,000 payment to the hackers through Uber’s “bug bounty” program in exchange for their signatures on a nondisclosure agreement (NDA) promising not to reveal the incident and falsely stating that they did not exfiltrate sensitive customer information.

This case—which marks the first time a company executive faced criminal prosecution over their response to a data incident—is troubling. Most notably, it blurs the line between “covering up” a data incident and merely declining to report it.


Subject: What is social engineering? Definition, types, attack techniques
Source: VentureBeat

Social engineering is the very common practice of exploiting a human element to initiate and/or execute a cyberattack.

Human weakness and ignorance present such easy targets that fully 82% of the attacks in Verizon’s 2022 Data Breach Investigations Report were perpetrated, at least in part, via some form of social engineering.

In this article, we look at the forms of social engineering that are frequently used and best practices for limiting its effectiveness within the enterprise.



Subject: Malicious droppers on Google Play deliver banking malware to victims
Source: Help Net Security

Android users are often advised to get mobile apps from Google Play, the company’s official app marketplace, to minimize the possibility of downloading malware. After all, Google analyzes apps before allowing them on the market. Unfortunately, time after time, we read about malware peddlers finding ways around that vetting process.

“Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on cybercriminals’ targets, resources, and motivation, droppers remain one of the best options on price-efforts-quality ratio, competing with SMiShing,” Threat Fabric researchers recently pointed out, after sharing their discovery of several apps on Google Play functioning as droppers for the Sharkbot and Vultur banking trojans.

Evasion techniques of malware droppers on Google Play

These trojanized, functional apps – usually file managers, file recovery tools, or security (2FA) authenticators – are crafted to conceal their malicious nature from Google Play Protect, antivirus solutions, researchers, and users: they provide the advertised functionality, request only a few common permissions that don’t raise suspicion, and don’t contain overtly malicious code.


Subject: Apple Apps Track You Even With Privacy Protections on: Report
Source: Gizmodo

An independent test suggests Apple collects data about you and your phone when its own settings promise to “disable the sharing of Device Analytics altogether.”

For all of Apple’s talk about how private your iPhone is, the company vacuums up a lot of data about you. iPhones do have a privacy setting that is supposed to turn off that tracking. According to a new report by independent researchers, though, Apple collects extremely detailed information on you with its own apps even when you turn off tracking, an apparent direct contradiction of Apple’s own description of how the privacy protection works.

The iPhone Analytics setting makes an explicit promise. Turn it off, and Apple says that it will “disable the sharing of Device Analytics altogether.” However, Tommy Mysk and Talal Haj Bakry, two app developers and security researchers at the software company Mysk, took a look at the data collected by a number of Apple iPhone apps—the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytics control and other privacy settings had no obvious effect on Apple’s data collection—the tracking remained the same whether iPhone Analytics was switched on or off.


Subject: 15,000 sites hacked for massive Google SEO poisoning campaign
Source: BleepingComputer

Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums.

The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress.

The researchers believe the threat actors’ goal is to generate enough indexed pages to increase the fake Q&A sites’ authority and thus rank better in search engines.

Sucuri couldn’t identify how the threat actors breached the websites used for redirections. However, it likely happens by exploiting a vulnerable plugin or brute-forcing the WordPress admin password.

Hence, the recommendation is to upgrade all WordPress plugins and website CMS to the latest version and activate two-factor authentication (2FA) on admin accounts.


Subject: Warren blasts Wells Fargo, Zelle for rampant online fraud
Source: The Register

Customers ‘more than twice’ as likely to be hit by scams, says Dem Senator

Wells Fargo customers who use Zelle to send and request payments suffer more than twice the rate of fraud and other online scams as people using other big banks, according to US Senator Elizabeth Warren (D-MA).

Warren chastised both financial firms in letters to their CEOs this week: she said Wells Fargo had sent her an “evasive and misleading reply,” and Zelle parent company Early Warning Services had made “inaccurate” claims, in response to an investigation she led into banking fraud that stems from Zelle’s payment system. She called on both companies to release all data on Zelle-related fraud and scams.

It’s worth noting that seven of the largest US banks including Wells Fargo own Early Warning Services (EWS), and thus Zelle. The other six are Bank of America, Truist, Capital One, JPMorgan Chase, PNC Bank and US Bank.

The senator has been fighting for more congressional oversight of Zelle and the banks that own it for the better part of the year. Crucially, it would be good to find out why exactly this fraud is so rampant.

According to Warren’s data, claims on the platform were in excess of $90 million in 2020, and are on track to exceed $255 million by the end of 2022. To make matters worse, Warren said that banks reported only repaying 9.6 percent of scam claims, amounting to just $2.9 million.

Zelle, on the other hand, said that 99.9 percent of the transactions on its network are sent without fraud or scam reports and that “any external analysis done is incomplete and does not reflect the efforts and data reported by more than 1,700 financial institutions on the Zelle Network.”


Subject: Response to the FTC’s Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security
Source: Data & Society

We are pleased that the Federal Trade Commission (FTC) is seriously considering new rules aimed at addressing concerns about harmful commercial surveillance and inadequate data security. This is an important moment in the effort to rein in the power of big tech and advance the public interest, and a historic opportunity to help shape the future of how algorithmic decision-making systems are governed in the United States. It’s also a chance for researchers and activists to contribute directly to the public debate.

Data & Society’s comment argues that FTC rulemaking is essential to curb the rampant, unfair, and deceptive commercial surveillance and data security practices that threaten consumers and impede a just and fruitful American technology ecosystem. Specifically, we recommend that the FTC: … Read our full comment here. …


Subject: What to Do When You’ve Been Hacked
Source: PCMag

When your email, credit card, or identity gets hacked, it can be a nightmare. Knowing what to expect can be a help; knowing how to head off the hackers is even better. Our guide helps with both.

When you discover that your personal information has been hacked, your first thought may be, why me? Why couldn’t it have been someone else? In truth, you might have fallen victim for a reason, perhaps a weak, easily guessed password, or a too-public social media account. But it’s just as possible that hackers got access to one of your accounts through a data breach and parlayed their access into a full-on hack attack. Either way, they’ll try to make money from their unauthorized access, and they may well do it before you even realize anything is wrong. What can you do when you realize that you’ve been hacked?


Subject: Is Cybersecurity Awareness Month Anything More Than PR?
Source: The Hacker News

Cybersecurity Awareness Month has been going on since 2004. This year, Cybersecurity Awareness Month urged the public, professionals, and industry partners to “see themselves in cyber” in the following ways:

  1. The public, by taking action to stay safe online.
  2. Professionals, by joining the cyber workforce.
  3. Cyber industry partners, as part of the cybersecurity solution.

CISA outlined four “things you can do” to stay safe online for individuals and families, including updating their software, thinking before they click, using strong passwords, and enabling multifactor authentication on sensitive accounts.

The industry has been teaching security tips to employees and the public for a long time. With so much repetitive media and education on cyber awareness in the rearview mirror, the returning October focus weighs on many. Here’s a roundup of reactions to cyber month and traction from this year’s themes and messaging, which should tell us if there’s more to the campaign than a public relations angle.

Subject: Lawsuit Seeks Food Benefits Stolen By Skimmers
Source: Krebs on Security

A nonprofit organization is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state. Federal law bars states from replacing these benefits using federal funds, and a recent rash of skimming incidents nationwide has disproportionately affected those receiving food assistance via state-issued prepaid debit cards.

Posted in: Cybersecurity, Education, Financial System, Gadgets/Gizmos, Privacy, Social Media, Viruses & Hoaxes