open source and cybersecurity news

September 8, 2023

It's 5:05, the daily cybersecurity and open source news briefing

In this Episode:

Marcel Brown: September 8, 2003. The Recording Industry Association of America, RIAA, sues 261 people for sharing music on internet peer-to-peer networks, including 12-year-old Brianna LaHara.

Edwin Kwan: Australian couple returns from holiday to discover their bank accounts were drained, shares sold, and 20 new credit and debit cards created under their names. This incident highlighted several issues, including the ability for cyber criminals to open online accounts without the bank verifying the person behind those accounts.

Julie Chatman: There may be something lurking in your Apple Wallet. Users are urged to update their devices now. Apple has confirmed that if you have a job which makes you a target, you can place your phone in Lockdown mode to block this attack.

Katy Craig: A consumer signing key was exposed in a crash dump in April 2021 and later exploited by a China-based threat group, Storm-0558. The incident has led to increased scrutiny of Microsoft’s security measures.

Hillary Coover: Is your modern car spying on you? Discover the shocking truth about the “wiretaps on wheels” and how your data privacy may be at risk.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Identity Theft Victim Targeted While On Holidays

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Having their identity stolen via phone porting, Australian couple returns from holiday to discover their bank accounts were drained, shares sold, and 20 new credit and debit cards created under their names.

This is Edwin Kwan from Sydney, Australia.

The semi-retired couple from Melbourne had the first indication that something was wrong when the husband’s phone reception switched to SOS. The couple contacted their banks, credit card providers, and phone provider to notify them. Thinking that their accounts were now safe, they went on holiday the next day.

The attackers had ported their phones and while the couple was overseas, accessed their emails, messaged their friends, families, and work clients in an attempt to scam them. The wife received scam WhatsApp messages from the husband’s account while they were both on holidays.

Attempts to contact their banks while overseas were unsuccessful, as they were told that they needed to go into a branch to confirm their identity. In the end, they returned from their holidays with $325,000 stolen from their bank accounts, $45,000 worth of their shares sold, and 20 credit and debit accounts created under their names.

They are not sure how the hackers got access to their license and passport details, but said they were victims of the recent Medibank and Latitude data breaches. This incident highlighted several issues, including the ability for cybercriminals to open online accounts without the bank verifying the person behind those accounts, that phone porting disables the effectiveness of MFA, and the victim-blaming mentality of banks.

There are calls for more regulation to be put on banks so they are compelled to better detect and respond to identity theft due to fraud and scams.

Resources
ABC News, Australia – https://www.abc.net.au/news/2023-08-09/melbourne-identity-theft-victims-lose-money-fraudsters/102701944

 

Julie Chatman
There may be something lurking in your Apple Wallet

Julie Chatman - 5:05 Contributing Journalist

I’m Julie Chatman in Washington, DC. There may be something lurking in your Apple Wallet. This is a developing story.

PassKit is the Apple Wallet app that allows you to save and organize things like airline boarding passes, tickets, gift cards, and loyalty cards. Attackers have a way to send PassKit attachments with malicious images to their targets. That means you.

Apple recently patched two major bugs that were used to put Pegasus spyware on iPhones. These bugs allowed attackers to hack a fully-updated iPhone. That is, an iPhone running the latest version of iOS, which is 16.6 at the time of this recording.

The iPhone belonged to a civil organization in Washington, DC. The hack was enabled using malicious PassKit attachments and without any interaction from the victim.

The list of devices that are affected is long. The two security bugs affect older and newer models, including iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, iPad Mini 5th generation and later, Macs running macOS Ventura, and Apple Watch Series 4 and later.

Users are urged to update their devices now. Apple has confirmed that if you have a job which makes you a target, you can place your phone in Lockdown mode to block this attack.

Visit 505updates.com for a transcript of this recording and links to information, including a link to directions for enabling Lockdown mode.

Stay safe out there!

Resources
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/
How to Enable Lockdown Mode: https://support.apple.com/en-ca/HT212650
What is Pegasus Software? https://www.britannica.com/topic/Pegasus-spyware

 

Katy Craig
Microsoft signing key exposed in crash dump

Katy Craig, Contributing Journalist, It's 5:05 Podcast

A consumer signing key was exposed in a crash dump in April 2021 and later exploited by a China-based threat group, Storm-0558. This led to the compromise of multiple customers, including U.S. State Department emails.

This is Katy Craig in San Diego, California.

The exposure of the consumer signing key occurred due to what Microsoft describes as a “race condition,” which allowed the key to be present in the crash dump. This dump was subsequently moved from a secure, isolated production environment to a debugging environment connected to the internet.

The incident has led to increased scrutiny of Microsoft’s security measures. Despite the company’s claims of maintaining a highly restricted and isolated production environment, the breach has raised questions about the inherent security of Microsoft’s products. In response to the incident, Microsoft has been compelled to change its policies regarding the premium charges for security log access.

Experts in the field express concerns about the potential for additional, undetected compromises. Microsoft has taken steps to address detection and response issues related to the exposed key, but the full impact remains under investigation.

This is Katy Craig. Stay safe out there.

Resources
Microsoft Blog – https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
Microsoft Blog – https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/

 

Hillary Coover
Wiretaps on Wheels

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

Is your modern car spying on you? Discover the shocking truth about the “wiretaps on wheels” and how your data privacy may be at risk.

Hi, this is Hillary Coover in Washington, DC.

The Mozilla Foundation has issued a warning that modern cars are essentially “wiretaps on wheels” due to manufacturers’ inadequate data privacy controls for drivers. In their ‘Privacy Not Included’ survey of 25 car manufacturers, Mozilla revealed that most openly acknowledge the possibility of selling drivers’ personal information. While that may not be enough to ruffle most people’s feathers, get this: more than half the manufacturers surveyed expressed a willingness to share this data with governments or law enforcement agencies without requiring a court order.

The researchers emphasize that drivers have little to no control over the personal data their vehicles gather, and they express concerns about vague security standards, especially considering the automobile industry’s history of susceptibility to cyber attacks. Many vehicles have microphones and cameras that can record sensitive conversations and activities, making privacy a major concern.

The Mozilla researchers noted that most car brands ignored their questions on the matter, and those that did respond offered partial and unsatisfactory answers. Nissan stood out for its detailed breakdown of data collection and its privacy notice, even including sensitive information like driver’s license numbers, immigration status, race, sexual orientation, and health diagnoses. Nissan also stated that it could collect “genetic information” or “genetic characteristics.” Tesla’s privacy notice was rated high on Mozilla’s “creepiness index,” as it suggested reduced functionality if data collection is opted out, without specifying details.

To maintain your data privacy in the era of “wiretaps on wheels,” stay informed about your car’s data collection practices, and exercise your control whenever possible. Regularly review and adjust privacy settings, limit data sharing, and explore aftermarket privacy solutions designed to keep your personal information safe on the road.

Resources
Euro News – https://www.euronews.com/next/2023/09/06/wiretaps-on-wheels-drivers-warned-their-data-privacy-is-not-guaranteed-in-modern-vehicles

 

Marcel Brown
This Day in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some technology history for September 7th through the 9th.

September 7th, 2005. Apple introduces the iPod Nano, effectively replacing the iPod Mini. The move surprised many in the industry, as the iPod Mini was extremely popular. However, the use of flash storage instead of a hard drive allowed for a much smaller form factor, increased reliability, and better battery life. These improvements proved extremely popular with customers as 1 million units were sold in the first 17 days. The pioneering use of flash storage in a consumer electronic device paved the way for its use in many future Apple product designs, such as the iPhone, iPad, and flash storage-based MacBooks.

September 8, 2003. The Recording Industry Association of America, RIAA, sues 261 people for sharing music on internet peer-to-peer networks, including 12-year-old Brianna LaHara. Eventually bringing suit against at least 30,000 people, the RIAA intended to reduce the amount of music being shared, but instead, generated a public backlash against the recording industry.

September 9th, 1945. Operators of the Harvard Mark II find a moth trapped in relay #70 in Panel F. The bug is taped to their troubleshooting log where it was written, “first actual case of bug being found.” This was not the first use of the term “bug” for computer problems, but this was the first time the word “debug” was used.

If you’d like to see a picture of the log, visit my website, thisdayintechhistory.com. That is all your tech history for this week. For more, tune in next week and also visit my website thisdayintechhistory.com.
