More stories

  • These dating apps are tracking your location

    ExpressVPN Digital Security Lab, the research arm of the British Virgin Islands-based VPN service ExpressVPN, has released a new report revealing how prevalent location-tracker SDKs are in dating apps.
    Your online privacy is becoming a big deal as apps and business websites track you without your permission and target you based on the information you provide online. Questionable location trackers, in particular, are proliferating among the dating apps you use.
    Location data is commonly harvested from your smartphone. It can enrich user profiles and provide insights into user behavior via intimate details about a user’s movements. Data collected by location and proximity sensors could end up in the hands of law enforcement, intelligence agencies, and military organizations. This massive amount of data about the movements of populations can threaten the privacy of ordinary people around the globe and raises potential human rights issues.

    ExpressVPN Digital Security Lab worked with Esther Onfroy of the Defensive Lab Agency and used the app scanner provided by Exodus Privacy to analyze 450 apps across messaging, gaming, social, and shopping apps used by everyday consumers.
    It used a combination of automated tools and manual analysis to determine whether there are “signatures,” or identifying information, for a tracker in an app’s code, and to gather other information of interest, such as the network endpoints the app may communicate with.
    To do this, it downloaded and unpacked each app installer, disassembled the machine code into human-readable source code, searched that source code for tracker signatures and other identifiers, and correlated its findings with web databases, public information, and app stores.
    It found that all apps that it analyzed contained questionable trackers. These apps collectively have been downloaded at least 1.7 billion times by consumers globally.
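    The signature search described above can be reproduced in miniature. The following is an added example, not code from the report, from ExpressVPN or from Exodus Privacy: it takes a list of fully-qualified class names (the kind you would dump from an unpacked app's dex files) and a list of string constants, matches the class names against a table of tracker signatures, and extracts URL-like endpoints from the strings. The signature table, the class names and the strings are all constructed for the example; the regexes are placeholders and are not Exodus Privacy's real signature database.

```python
import re
from typing import Dict, Iterable, List

# Constructed signature table: tracker name -> regex matched against
# fully-qualified class names. Placeholders for this example only, not
# Exodus Privacy's real signatures.
TRACKER_SIGNATURES: Dict[str, str] = {
    "placeholder-location-sdk": r"^com\.example\.locsdk\.",
    "placeholder-beacon-sdk": r"^io\.example\.beacon\.",
    "placeholder-analytics-sdk": r"^org\.example\.analytics\.",
}

# Constructed stand-in for the class list dumped from an unpacked app.
# The app's own code sits under com.example.datingapp; the rest is
# bundled third-party code.
SAMPLE_CLASSES: List[str] = [
    "com.example.datingapp.MainActivity",
    "com.example.datingapp.net.ApiClient",
    "com.example.locsdk.LocationCollector",
    "com.example.locsdk.internal.Uploader",
    "org.example.analytics.Tracker",
    "androidx.appcompat.app.AppCompatActivity",
]

# Constructed stand-in for string constants pulled from the same classes.
SAMPLE_STRINGS: List[str] = [
    "https://api.datingapp.example/v2/profile",
    "https://collect.locsdk.example/v1/ping?k=",
    "Location permission is required",
    "http://analytics.example/events",
    "https://api.datingapp.example/v2/profile",  # duplicate on purpose
]

# Scheme, host and optional path; the query string is deliberately dropped.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'?]*)?")


def find_trackers(class_names: Iterable[str],
                  signatures: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {tracker: [matching class names]} for every signature that hits."""
    compiled = {name: re.compile(pat) for name, pat in signatures.items()}
    hits: Dict[str, List[str]] = {}
    for cls in class_names:
        for name, rx in compiled.items():
            if rx.search(cls):
                hits.setdefault(name, []).append(cls)
    return hits


def extract_endpoints(strings: Iterable[str]) -> List[str]:
    """Return unique URL-like constants in first-seen order."""
    seen: List[str] = []
    for s in strings:
        for m in URL_RE.finditer(s):
            url = m.group(0)
            if url not in seen:
                seen.append(url)
    return seen


def summarize(class_names: List[str], strings: List[str],
              signatures: Dict[str, str]) -> Dict[str, object]:
    """One report per app: which trackers matched and which hosts it may talk to."""
    return {
        "class_count": len(class_names),
        "trackers": sorted(find_trackers(class_names, signatures)),
        "endpoints": extract_endpoints(strings),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CLASSES, SAMPLE_STRINGS, TRACKER_SIGNATURES))
```

    Only the app's bundled third-party code is flagged; the app's own package and the AndroidX support library match nothing. In a real run the endpoint list is what you would correlate against public information about each tracker company, as the report describes.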

    It identified 64 dating apps that have been downloaded at least 52 million times globally. These location trackers are associated with several companies such as X-Mode (subject to a ban by Apple and Google), OneAudience, and Predicio, amongst others, which have repeatedly been called out for privacy violations.

    X-Mode appeared in 44% (199) of all 450 apps analyzed. Despite the ban, only 10% of these apps have been removed from Google Play.
    These dating apps remain available for mass download at the end of January 2021 on the Google Play Store and specifically target a range of sexual orientations and dating preferences, as well as a large assortment of national, ethnic, and racial groups.
    These include apps such as Jack’d – Gay Chat & Dating (five million downloads), FEM – Free Lesbian Dating App, Chat and Meet Singles (one million downloads), Encore – Single Parents and Divorced Dating and Chat (500,000 downloads), Black Dating – Meet Online Black Singles Nearby (100,000 downloads), and Asian Mingle – Free Asian Dating and Singles Chat (100,000 downloads).
    They also cover more generic dating apps like Mingle2, which claims to have over 39 million members.
    There is a growing threat to consumer privacy. When you download an app, you cannot rely on privacy-protecting tools like the Xayn search engine; you are at the mercy of the app. Many apps will not work without location services, and some updates stealthily turn location settings back on.
    So do you give up the apps that bring you joy and keep your location secret, or do you accept that this data may, one day, be used against you in some way? The choice is yours.

  • Yandex said it caught an employee selling access to users' inboxes

    Russian search engine and email provider Yandex said today that it caught one of its employees selling access to user email accounts for personal gain.
    The company, which did not disclose the employee’s name, said the person was “one of three system administrators with the necessary access rights to provide technical support” for its Yandex.Mail service.
    The Russian company said it is now in the process of notifying the owners of the 4,887 mailboxes that were compromised and to which the employee sold access to third parties.
    Yandex officials also said they re-secured the compromised accounts and blocked what appeared to be unauthorized logins. They are now asking impacted account owners to change their passwords.
    Incident discovered during a routine check
    Yandex said it discovered the incident during a “routine screening” by its internal security team but did not elaborate.
    The Russian company said that a “thorough internal investigation” of the incident is currently underway and that it plans to make changes to how its administrator staff can access user data.
    It also said that there was no evidence to suggest that user payment data was accessed during the recent incident.

    While the Russian tech giant said it referred the incident to the authorities, a spokesperson did not return a request for comment from ZDNet seeking additional details about the employee and the incident.

  • Microsoft said the number of web shells has doubled since last year

    Microsoft says the number of malicious web shells installed on web servers has almost doubled since its last count, in August 2020.

    In a blog post yesterday, the Redmond company said it detected roughly 140,000 web shells per month between August 2020 and January 2021, up from the 77,000 average it reported last year.
    The number has increased as a result of a shift in how hackers view web shells. Once considered a tool for script kiddies defacing websites and the go-to tool of DDoS botnet operators, web shells are now part of the arsenal of ransomware gangs and nation-state hackers alike and are crucial tools in complex intrusions.
    Two of the reasons they have become so popular are their versatility and the access they provide to hacked servers.
    Web shells, which are nothing more than simple scripts, can be written in almost any programming language that runs on a web server (such as PHP, ASP, JSP, or JS) and, as such, can be easily hidden inside a website’s source code. This makes detecting them difficult, and detection often involves manual analysis by a human operator.
    In addition, web shells provide hackers with a simple way to execute commands on a hacked server via a graphical or command-line interface, providing attackers with a simple way to escalate attacks.
    Web shells more prevalent as more servers are put online
    As the corporate IT space has moved towards hybrid cloud environments, the number of companies running web servers has increased over the past few years, and, in many cases, public-facing servers often have direct connections to internal networks.

    As Microsoft’s stats have shown, attackers appear to have figured out this change in the makeup of corporate IT networks as well, and have amped up their attacks on public-facing systems.
    Web shells now play a crucial role in their attacks, providing a way to control the hacked server and then orchestrate a pivot to a target’s internal network.
    These types of attacks are exactly what the US National Security Agency warned about in April 2020 when it published a list of 25 vulnerabilities that were often used to install web shells.
    The NSA report didn’t just warn about web shells used on public-facing systems but also about their use inside internal networks, where they’re used as proxies to jump to non-public-facing systems.
    Microsoft urges companies to re-prioritize their approach to dealing with web shells, which are slowly becoming one of today’s biggest security threats. To keep networks secure, the OS maker recommends a few basic actions:
    Patch public-facing systems, as most web shells are installed after attackers exploit unpatched vulnerabilities.
    Extend antivirus protections to web servers, not just employee workstations.
    Segment the network to limit the damage from an infected server to a small set of systems rather than the entire network.
    Audit and review logs from web servers frequently, especially for public-facing systems, which are more exposed to scans and attacks.
    Practice good credential hygiene. Limit the use of accounts with local or domain admin-level privileges.
    Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
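    The log-review recommendation above is the one a defender can act on immediately. The following is an added example, not code from Microsoft's post or from the NSA report: it parses combined-format web server access log lines and flags request patterns that commonly accompany a web shell, namely a server-side script executing from a directory that should only hold static content, POST requests arriving with no referer from a non-browser client, and the same client POSTing repeatedly to the same script. The log lines, the static-directory list and the thresholds are all constructed for this example; tune them to your own site layout.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed combined-format access log lines (not real traffic).
# 198.51.100.9 is hammering a .php file that lives in an upload directory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:10:01:14 +0000] "GET /images/logo.png HTTP/1.1" 200 8891 "https://www.example.org/" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2021:10:02:01 +0000] "POST /uploads/img_2021.php HTTP/1.1" 200 312 "-" "python-requests/2.25.1"
198.51.100.9 - - [10/Feb/2021:10:02:03 +0000] "POST /uploads/img_2021.php HTTP/1.1" 200 1204 "-" "python-requests/2.25.1"
198.51.100.9 - - [10/Feb/2021:10:02:05 +0000] "POST /uploads/img_2021.php HTTP/1.1" 200 987 "-" "python-requests/2.25.1"
192.0.2.44 - - [10/Feb/2021:10:03:10 +0000] "POST /contact.php HTTP/1.1" 302 0 "https://www.example.org/contact.php" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should serve static content only (constructed for this
# example): a script executing from one of these is a classic indicator.
STATIC_DIRS = ("/uploads/", "/images/", "/static/")
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")

Entry = Dict[str, str]
Key = Tuple[str, str]  # (client ip, request path)


def parse_log(text: str) -> List[Entry]:
    """Parse combined-format lines; lines that do not match are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_suspicious(entries: List[Entry],
                    repeat_threshold: int = 3) -> Dict[Key, Dict[str, object]]:
    """Return {(ip, path): {"count": n, "reasons": [...]}} for flagged pairs."""
    post_counts = Counter((e["ip"], e["path"]) for e in entries
                          if e["method"] == "POST")
    flagged: Dict[Key, Dict[str, object]] = {}
    for e in entries:
        key = (e["ip"], e["path"])
        path = e["path"].split("?", 1)[0].lower()
        reasons = set()
        if path.endswith(SCRIPT_EXT) and path.startswith(STATIC_DIRS):
            reasons.add("script_in_static_dir")
        if (e["method"] == "POST" and e["referer"] == "-"
                and not e["ua"].startswith("Mozilla")):
            reasons.add("post_without_referer")
        if post_counts[key] >= repeat_threshold:
            reasons.add("repeated_posts")
        if reasons:
            rec = flagged.setdefault(key, {"count": 0, "reasons": set()})
            rec["count"] += 1
            rec["reasons"] |= reasons
    return {k: {"count": v["count"], "reasons": sorted(v["reasons"])}
            for k, v in flagged.items()}


if __name__ == "__main__":
    for (ip, path), info in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} -> {path}: {info['count']} hits, {', '.join(info['reasons'])}")
```

    The legitimate contact-form POST is not flagged because it carries a same-site referer and a browser user agent; each rule on its own produces false positives, so the output is a triage list for a human operator, which is exactly the manual analysis step the article says web shell detection usually comes down to.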

  • OAIC cautions against giving big tech access to information under the Consumer Data Right

    Australia’s Consumer Data Right (CDR) officially launched on July 1 with its first tranche, an open banking-like regime requiring financial services providers to share a customer’s data when the customer requests it.
    While the first tranche of the CDR applies to the financial services industry, energy and telecommunications will soon join the regime.
    Data can only be shared with accredited data recipients (ADRs). But of concern to Australian Information and Privacy Commissioner Angelene Falk is that “big tech” has the ability to apply for ADR status.
    “It’s currently open to large technology and social media companies to apply to be accredited as data recipients in the CDR scheme, however, I understand that none are currently accredited and I’m not aware of any specific use cases as to why they may wish to engage, so in a sense, I’m speaking in the abstract,” she said.
    Appearing before the Senate Select Committee on Financial Technology and Regulatory Technology on Friday, Falk said one of the strong protections in the CDR system is consumer consent and the ability for individuals to exercise choice and control about how their data is handled.
    She’s concerned that this may also give the technology giants access to more data than they already have.

    “I think because of the rich data holdings that are held by some of the social media platforms, care would need to be taken to ensure that individuals understand what they’re consenting to if their Consumer Data Right information were to be combined with that [which is] perhaps is on their social media profile,” Falk said.
    “Some of the risks I think are around the insights that could be derived from that information and it could include sensitive information and be used in ways that individuals might not expect.”
    She asked the committee to consider whether a digital platform should have access to all such data, or whether there should be a condition that it not be combined with sensitive data the organisation may already hold.
    “There’s other issues around the use of algorithms and artificial intelligence in the combining of data that may lack transparency for consumers and be difficult to explain … [they are] some of the challenges with having fully informed and freely given consent when you enter into very complex data handling arrangements,” she added.
    Individuals have the ability to make a complaint if they feel that their personal information has not been handled in accordance with the legislative requirements, and the OAIC has had 20 “contacts” in relation to the CDR system.
    “We have a triaging role so that consumers who are engaging in the system don’t need to navigate government in order to make a complaint or make an inquiry, so they’ll come to our office and we’ll triage them to the appropriate entity,” deputy commissioner Elizabeth Hampton explained.
    She said of those 20 contacts, the OAIC has had two complaints and eight inquiries for its office; and nine inquiries and one “report” that have been sent to the ACCC.
    While those numbers are low, Falk said they reflect the number of people engaged in the system, expecting the number to grow alongside scheme uptake.

  • Brazilian authorities start probe as 102 million consumers are exposed in new leak

    Brazil’s National Data Protection Authority (ANPD, in the Portuguese acronym) said today (the 11th) that it has started an investigation into the country’s second-largest data leak of the year.
    The investigation relates to the exposure of data relating to more than 102 million mobile phone lines from two mobile operators, which, according to Brazilian news website Neofeed, included names, taxpayer registration numbers, minutes spent on phone calls and other details, including information relating to president Jair Bolsonaro.

    A cybercriminal based outside Brazil who claimed to have obtained 57.2 million customer data sets from Vivo and 45.6 million data sets relating to Claro customers has been selling the data on the dark web, the article said. Cybersecurity and privacy firm Psafe discovered the incident on February 3 but could not find evidence that either mobile operator had actually been the source of the leaks, and both companies deny that any customer data has been leaked.
    The data protection authority stated that “it is taking all the appropriate measures” to investigate the case. The ANPD has summoned the Federal Police, as well as “the company that reported the fact and the companies involved”. These organizations are expected to help the newly formed authority, which released its initial strategy last week, with the investigation and with actions to contain and mitigate risks to the personal data of the consumers who have potentially been affected.
    The news of the latest leak follows an earlier incident this year in which details of 223 million Brazilians, including deceased citizens, ranging from names and addresses to current income, personal vehicle information and tax returns, were exposed and sold on the dark web.

  • Cloudflare Q4 revenue and profit top expectations, outlook higher as well, shares drop

    Security software specialist Cloudflare this afternoon reported Q4 revenue and profit that topped analysts’ expectations, and forecast this quarter’s sales, and the full year’s, higher as well, citing healthy sales to large enterprises.
    Despite the upbeat report, Cloudflare shares dropped 7% in late trading.
    Chief executive and co-founder Matthew Prince called it “a remarkable end to a year we’ll never forget.”
    Prince noted the company had “delivered more than 550 products and capabilities during 2020 that also supported needs bigger than all of us—whether it was helping to secure the US election from cyberattacks or ensuring COVID-19 vaccine registration sites withstand demand with Project Fair Shot.”
    Cloudflare’s revenue in the three months ended in December rose 50%, year over year, to $125.9 million, yielding a net loss of 2 cents a share, excluding some costs.
    Analysts had been modeling $118 million in revenue and a 4-cent loss per share.
    Cloudflare said it had a dollar-based net retention rate in the quarter of 119%, up 3 percentage points from the prior quarter, which it said was “driven by continued strength from large enterprise customers.”

    For the current quarter, the company expects revenue in a range of $130 million to $131 million, and a net loss of 2 cents to 3 cents a share. That compares to consensus for $126 million and a 3-cent loss. 
    For the full year, Cloudflare projects revenue of $589 million to $593 million, and a net loss of 8 cents to 9 cents per share. That compares to consensus for $561 million and 9 cents. 


  • Accellion to retire product at the heart of recent hacks

    US cloud service provider Accellion has announced the end-of-life of its FTA product after the software was abused in attacks that breached dozens of companies and government agencies across the world since December 2020.

    Developed in the early 2000s, Accellion’s FTA was among the first products of its kind to provide a simple way to share large files.
    Created long before the age of cloud-based products like Box, Dropbox, Google Drive, and OneDrive, FTA was sold as a license: companies would install the software on their own servers and use it to let employees and customers store and share large files that could not be sent via email.
    While Accellion eventually developed better products, such as Kiteworks, which superseded FTA in features and security, many FTA appliances remained in use across thousands of companies and government organizations across the world, even to this day.
    The FTA zero-day and subsequent attacks
    And as the FTA code aged, security researchers also began finding vulnerabilities in the appliance, most of which were privately reported to the company and fixed before any damage could be done to its customers.
    But in December last year, the person who found one of these bugs was a threat actor who began exploiting FTA appliances installed across the world.
    The first case of an FTA-linked hack was reported by the Reserve Bank of New Zealand and then followed by other cases at the Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, and this week, at the QIMR Berghofer Medical Research Institute and Singtel, Singapore’s largest telco.

    According to a report from GuidePoint Security, the attacker(s) appear to have used a SQL injection to install a web shell and then used this initial access to steal files stored on the FTA appliance.
    In a press release [PDF] published on January 11, Accellion said it had known about the attacker’s zero-day vulnerability since mid-December 2020 and had responded by releasing an FTA firmware update within three days of the first attacks.
    At the time, Accellion said that based on its data, fewer than 50 FTA customers appeared to have been attacked, but critics now believe the company was being too optimistic in its assessment.
    The team behind the infosec podcast Risky Business also noted that the software vendor failed to inform its customers. Besides releasing patches on Christmas Eve, when most IT staffers were away, Accellion did not publish patch notes for its firmware update, nor did it assign CVE identifiers to the vulnerabilities it patched.
    When IT staff returned from their winter holidays, many didn’t even know that a crucial firmware update was waiting to be applied for days.
    Accellion announces official EOL for FTA appliances
    Now, the Palo Alto-based company is seeing an ever-increasing fallout from the December 2020 attacks. Every time a new FTA-related hack is discovered and exposed, the company’s reputation takes a hit.
    Last week, a Seattle law firm filed the first lawsuit against Accellion in relation to the Washington State Auditor Office, and many others are expected to be filed in the coming months as companies review appliances and discover signs of a breach.
    And more hacks are expected to come to light. In a press release on February 1, the company said the initial December 2020 attacks “continued into January 2021.”
    Two days after this press release, Accellion published a PDF on its website announcing a formal end-of-life date for the FTA appliance, April 30, 2021. After this date, Accellion said, it would not honor requests to extend FTA appliance licenses.
    While Accellion had designated FTA a legacy product for years, the move to retire the appliance may have come a little too late, for both its reputation and its customers’ networks.

  • Free decrypter released for Avaddon ransomware victims… aaand, it's gone!

    A Spanish student has released a free decryption utility that can help victims of the Avaddon ransomware recover their files without paying.


    Published on GitHub by Javier Yuste, a student at the Rey Juan Carlos University in Madrid, the AvaddonDecrypter works only in cases where victims have not powered off their computers.
    The tool works by dumping an infected system’s RAM and scouring the memory content for data that could be used to recover the ransomware’s original encryption key.
    If enough information is recovered, the tool can then be used to decrypt files and help victims recover from Avaddon attacks without needing to pay the gang’s ransom demand.
    Avaddon gang fixes their code
    But while the tool’s release will most likely help past victims, it won’t be helping companies that fall victim to new Avaddon attacks.
    This is because the tool’s release did not go unnoticed. In a forum post on Wednesday, the Avaddon gang said it also learned of Yuste’s decrypter and has already deployed updates to its code, effectively negating the tool’s capabilities.

    The Avaddon team’s reaction mirrors how the Darkside ransomware crew responded to the release of a similar decrypter for its own strain last month, in January.

    Infosec experts: Keep some ransomware decrypters private!

    In the end, the release of both decryption utilities had a very limited impact. While a few victims were able to decrypt files, once the existence of the decryption tool was made public, the ransomware gangs analyzed how the tools worked and fixed their code within days.
    The release of these two tools, along with a blog post from Dutch security firm Eye Control showing how victims could recover from attacks by the Data Doctor ransomware, has rekindled a years-long conversation in the cyber-security industry about how decryption utilities should be handled and released to victims.
    Several prominent security researchers with a long history of helping ransomware victims since the mid-2010s have made their opinions known again over these past two months, highlighting the fact that decryption utilities that take advantage of ransomware encryption bugs should be kept private and distributed to victims via non-public channels rather than advertised online.
    Furthermore, even if such tools need to be made public, there should not be any technical details that accompany the tool’s release, details that will obviously help the attackers patch their own code as well.

    Good work, but it is nothing sensational… Actually, it would be much more helpful (or maybe even say, only would be helpful) if he had not published this and only said something like “if you got Avaddon ransomware, contact me immediately”. 😫 cc @demonslay335
    — MalwareHunterTeam (@malwrhunterteam) February 9, 2021

    Keep it in your pocket folks! You can help victims and hold that blog post till AFTER the TA patches..win win!
    — Bill Siegel (@billseagull) January 9, 2021

    You could have just posted that you have a fix for this particular ransomware and ask people to reach out to you. Then reach out to initiatives like NoMoreRansom or communities like BleepingComputer to propagate the news. You know, like everyone else who is responsible.
    — Fabian Wosar (@fwosar) January 9, 2021

    On the other hand, decryption utilities built around master decryption keys obtained from the attackers’ servers are fine to share online, as there is little that ransomware authors can do about those tools.
    All in all, seeing how the Avaddon and Darkside groups reacted, by fixing their encryption schemes within days, it is hard to argue with the points made online over the past two months, namely that some decryption tools should never make it into the public domain.