More stories

    Iranian cyberspies behind major Christmas SMS spear-phishing campaign

    An Iranian cyber-espionage group known as Charming Kitten (APT35 or Phosphorus) has used the recent winter holiday break to attack targets from all over the world using a very sophisticated spear-phishing campaign that involved not only email attacks but also SMS messages.


    “Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect,” said CERTFA, a cybersecurity organization specialized in tracking Iranian operations.
    “The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents,” it added.
    CERTFA said it detected attacks targeting members of think tanks, political research centers, university professors, journalists, and environmental activists.
    The victims were located in countries around the Persian Gulf, Europe, and the US.
    How an attack unfolded
    CERTFA researchers said that this particular campaign exhibited an advanced degree of complexity. Victims received spear-phishing messages from the attackers not only via email but also via SMS, a channel that not many threat actors use on a regular basis.
    While the SMS messages posed as Google security alerts, the emails leveraged previously hacked accounts and tried to play on the festive mood with holiday-related lures.

    The common denominator in both campaigns was that Charming Kitten operators managed to hide their attacks behind a legitimate Google redirect URL, https://www.google[.]com/url?q=https://script.google.com/xxxx, which would have fooled even the most tech-savvy recipients.

    But under the hood, CERTFA said, the legitimate Google URL would bounce the user through several websites and eventually land them on a phishing page asking for login credentials for personal email services such as Gmail, Yahoo, and Outlook, as well as for business email accounts.
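    A defender-side check for the redirector trick described above, added here as an example rather than anything from CERTFA's report: it statically unwraps google.com/url?q= links (including nested, double-encoded ones), reports the host the recipient actually reaches, and flags messages whose visible link is google.com but whose target is elsewhere. The sample SMS text and the Apps Script path are constructed placeholders.

```python
"""Unwrap google.com/url?q= redirector links in a message and flag the ones
whose real destination differs from the Google domain the reader sees.
Added example for this story, not CERTFA's tooling; the sample message and
link paths below are constructed, not indicators from the report."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

REDIRECTOR_HOSTS = {"www.google.com", "google.com"}
MAX_HOPS = 5  # stop on pathological self-wrapping links
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(url: str) -> str:
    """Turn a defanged link such as google[.]com or hxxp:// back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def unwrap(url: str) -> list:
    """Follow google.com/url?q=<target> wrapping statically (no network).
    Returns the chain: the link as displayed first, the final target last.
    Server-side HTTP redirects beyond that point are not visible here."""
    chain = [url]
    for _ in range(MAX_HOPS):
        parts = urlsplit(chain[-1])
        if parts.netloc.lower() not in REDIRECTOR_HOSTS or parts.path != "/url":
            break
        params = parse_qs(parts.query)  # percent-decodes the q= value
        target = (params.get("q") or params.get("url") or [""])[0]
        if not target.startswith(("http://", "https://")):
            break
        chain.append(unquote(target))  # handle double-encoded inner links
    return chain


def assess(url: str) -> dict:
    """Compare the host the recipient sees with the host they actually reach."""
    chain = unwrap(refang(url))
    visible = urlsplit(chain[0]).netloc.lower()
    final = urlsplit(chain[-1]).netloc.lower()
    reasons = []
    if len(chain) > 1:
        reasons.append("google.com redirector wraps another link")
        if final == "script.google.com":
            # Apps Script endpoints serve arbitrary, third-party-authored pages
            reasons.append("final target is a Google Apps Script endpoint")
        elif final not in REDIRECTOR_HOSTS and not final.endswith(".google.com"):
            reasons.append("final target is outside google.com")
    return {"visible_host": visible, "final_host": final,
            "hops": len(chain) - 1, "suspicious": bool(reasons),
            "reasons": reasons}


def scan_message(text: str) -> list:
    """Return the assessment of every suspicious link found in a message."""
    return [a for a in (assess(u) for u in URL_RE.findall(text)) if a["suspicious"]]


# Constructed SMS in the style of the fake Google security alert the report
# describes; the Apps Script path is a placeholder, not a real indicator.
SAMPLE_SMS = ("Google: Suspicious sign-in blocked. Review activity at "
              "https://www.google.com/url?q=https%3A%2F%2Fscript.google.com%2F"
              "EXAMPLE-PLACEHOLDER%2Fexec")

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_SMS):
        print(hit["visible_host"], "->", hit["final_host"], hit["reasons"])
```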

    The CERTFA team noted that this wasn’t the first time Charming Kitten had hidden links to spear-phishing websites behind Google URLs.
    CERTFA points to a previous report from January 2020 that exposed a Charming Kitten operation abusing sites.google.com links.

    Microsoft mocks Facebook and it doesn't go down well

    Is privacy a good area to mock Facebook? Perhaps.
    When a rival does something heinous, ignorant or just inevitably cynical, it’s tempting to (try to) take advantage.


    So when Facebook announced last week that WhatsApp users either had to agree that the app would share more of their data with Facebook by February 8 or be excommunicated from WhatsApp, Microsoft couldn’t help itself.
    Suddenly, here was Redmond protesting that its services are more privacy-conscious. Well, one of its services. Well, Skype.
    In a serendipitous tweet on the Skype account, users were told: “Skype respects your privacy. We are committed to keeping your personal data private and do not sell to 3rd parties.”
    This came with a link to Microsoft’s privacy statement. (Sample wording: “We also obtain data about you from third parties.”)

    Perhaps some might have seen this as a noble, as well as commercial, message.
    Anyone who suggests that Facebook is to privacy what Kanye West is to reticence surely has the respect of many.

    Yet Twitterers who responded to Skype’s sudden bravado weren’t inspired. There were criticisms of Skype’s slowness on mobile, its tendency to demand your private phone number and even its past troubles with, oh, privacy.
    It’s worth, of course, considering why Skype exists at all. Hasn’t Teams become what Skype was supposed to be, but never quite made it?
    With the sudden onset of working from home, everyone was Zooming when they could have been — at least theoretically — Skypeing.
    Indeed, my ZDNet colleagues recently offered a detailed exposition of why Skype is an unhappy relic of freedom-loving times. The bugginess, the spam, the constant updates. None of this earned Skype affection. Or respect.
    Conversely, WhatsApp’s whole ethos was based around ease and encryption. How sad, indeed, that Microsoft thinks Skype — of all its products — could somehow replace that. WhatsApp vs Skype is like Steph Curry vs Jake Paul. It doesn’t even seem like the same sport.
    Why, Elon Musk insists your best choice is Signal.
    In any case, Facebook has been siphoning off data from WhatsApp for quite some time already. The latest announcement just made that process more grotesquely grabby. Why would Microsoft suddenly think that anyone would suddenly think Skype is a fine option?
    Perhaps it’s better to do something than nothing. Could it be, though, that Microsoft is also trying to align itself with Apple’s hardline stance against Facebook, but in more muted tones?
    At least, you might still insist, Skype doesn’t sell your data to third parties. This may be because, unlike Facebook, its business isn’t advertising.
    I still worry that Skype is simply past it.
    It’s instructive, indeed, how Microsoft sees Skype these days. The Skype Twitter profile offers this description: “The next generation of Skype from Microsoft gives you better ways to chat, call, and plan fun things to do with the people in your life every day.”
    I can’t see anything about privacy there, can you?

    WhatsApp says: No, we can't see your private messages – and neither can Facebook

    Facebook-owned WhatsApp has published a new FAQ that aims to clear up misunderstandings over a planned update to its privacy policy, which some people thought would force them to permit WhatsApp to share profile data, phone numbers and diagnostic data with Facebook.    
    Chatter on social media about the policy change caused a mini exodus among WhatsApp’s two billion users to Signal – a messaging app that most security experts recommend. Signal also provides the end-to-end encryption protocol that WhatsApp uses. 

    WhatsApp’s wording in the notification about its privacy update said users must accept the policy update after February 8 and suggested the alternative was to delete the WhatsApp account. WhatsApp’s previous policy let users opt out of most sharing of user data with Facebook.
    The surge in new Signal signups was probably helped by Elon Musk tweeting “Use Signal” following reports of WhatsApp’s upcoming privacy policy changes by Ars Technica and PCMag.  
    Telegram also claimed to have gained 25 million new users in the past three days, pushing its user numbers beyond 500 million.  
    Facebook has now explained that the policy changes, which take effect on February 8, are actually about WhatsApp users messaging a business on WhatsApp.

    “We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data,” WhatsApp says in the FAQ. 
    WhatsApp stressed that Facebook can’t see private WhatsApp messages, nor can WhatsApp, because of end-to-end encryption. Additionally, neither WhatsApp nor Facebook can see locations users share with each other. WhatsApp says it doesn’t share users’ contacts with Facebook or its other apps.
    However, the FAQ also explains the three key scenarios where WhatsApp user data and communications can end up on Facebook’s servers, but these are limited to communications with businesses via WhatsApp. Those communications can be used to target ads to the user on Facebook.  
    WhatsApp explains it is “giving businesses the option to use secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts.”
    “Whether you communicate with a business by phone, email, or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook. To make sure you’re informed, we clearly label conversations with businesses that are choosing to use hosting services from Facebook.”
    Additionally, with Facebook commerce features like Shops, Facebook is allowing businesses to display their goods within WhatsApp. Facebook says that when WhatsApp users choose to use these features, it will inform users within the WhatsApp app how a person’s data is being shared with Facebook. 
    The third way is via ads on Facebook with a button to message a business using WhatsApp. 
    “If you have WhatsApp installed on your phone, you’ll have the option to message that business. Facebook may use the way you interact with these ads to personalize the ads you see on Facebook,” said WhatsApp.

    TikTok tightens up privacy controls for young users

    TikTok has announced sweeping changes to how the accounts of younger users are handled to shield minors from potentially inappropriate interaction with strangers. 

    On Wednesday, TikTok’s Head of US Safety, Eric Han, said that any account registered to a user aged between 13 and 15 will now be private by default, which limits who can view and comment on the content they post.
    When an account is set to private, only approved followers can view and interact with content created by the account holder on the video-sharing platform. In addition, users between 13 and 15 can now choose between allowing only friends to comment on their videos, or no one at all.
    TikTok’s “Suggest your account to others” option has also been set to “Off” by default for this age group.
    “We want our younger users to be able to make informed choices about what and with whom they choose to share, which includes whether they want to open their account to public views,” Han commented. “By engaging them early in their privacy journey, we can enable them to make more deliberate decisions about their online privacy.”
    The switch to private-by-default is not the only change impacting this age group. From now, Duet and Stitch will also only be available to users aged 16 and over and will be set to friends only by default. 
    TikTok Duet is a video collaboration feature for creating content based on an original piece, with the two videos displayed side by side. Stitch is another way to ‘remix’ content by plucking elements out of an original clip and building upon it.

    Both options are ways for TikTok content to spread further and to facilitate communication between users, but when minors and their privacy are thrown into the mix, app developers need to be careful — or potentially face accusations of failing to safeguard the information and privacy of younger audiences. 
    Another important change TikTok has implemented is only permitting videos to be downloaded when they have been created by those aged 16 and over. For users between 16 and 17 years of age, the default option to allow their content to be downloaded will be set to “Off,” unless they choose to permit it. 
    As TikTok, owned by ByteDance, has become popular with young and teen users worldwide over the past few years, the app began implementing additional privacy controls to help bring the app into line with regulations designed to protect child privacy online, such as the US’s child privacy act COPPA. 
    In the US, TikTok for Younger Users caters to users aged 13 and below.
    The app has also restricted direct messaging for younger users, as well as the buying and sending of virtual gifts. In 2020, TikTok introduced “Family Pairing,” which allows parents to remotely control their child’s account.
    “We know there is no finish line when it comes to protecting users,” Han says. “We’ll continue to evolve our policies, work closely with regulators and experts in minor safety, and invest in our technology and teams so that TikTok remains a safe place for everyone to express their creativity.”
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Hackers have leaked the COVID-19 vaccine data they stole in a cyberattack

    Hackers have leaked the information they stole about the COVID-19 vaccines as part of a cyberattack targeting the European Union’s medical agency, the organisation has admitted.
    The attack against the European Medicines Agency (EMA) was first disclosed last month and now it has been determined that those behind the hack gained access to information about coronavirus medicines.
    “The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet. Necessary action is being taken by the law enforcement authorities,” the EMA said in a statement.


    “The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access,” the EMA added.
    The EMA’s work and the European medicines regulatory network are unaffected by the breach, and the approval and distribution of COVID-19 vaccines hasn’t been disrupted.
    A previous update revealed that hackers gained access to the information by breaching one undisclosed IT application – and that the attackers were specifically targeting data related to COVID-19 medicines and vaccines. The investigation into the attack is currently still ongoing.

    It isn’t the first time pharmaceuticals firms and other organisations involved in COVID-19 vaccine development and distribution have been targeted by hackers. The UK’s National Cyber Security Centre (NCSC) has previously warned that universities and scientific facilities are being targeted by state-sponsored hacking groups attempting to gain access to research data.
    Microsoft has also issued a warning that state-sponsored hacking operations have been targeting coronavirus vaccine producers, while the World Health Organisation has issued its own warnings over an increase in cyberattacks targeting the health sector.


    RG Coins cryptocurrency exchange owner lands 10 years behind bars for money laundering

    The owner of a cryptocurrency exchange used to launder millions of dollars gained from fake online auctions has been jailed for 10 years. 

    Rossen Iossifov, the Bulgarian owner of RG Coins, was sentenced for his role in laundering criminal proceeds obtained from defrauded victims; the funds were converted into cryptocurrency and funneled through exchanges in order to hide the criminal source of the dirty cash.
    The 53-year-old “intentionally engaged in business practices designed to both assist fraudsters in laundering the proceeds of their fraud and to shield himself from criminal liability,” the US Department of Justice (DoJ) said on Tuesday. 
    The multimillion-dollar criminal scheme began with criminals based in Romania who operated a “large-scale” online auction scam that roped in at least 900 US citizens. Websites including Craigslist and eBay were used to list high-ticket items — usually vehicles — that did not exist. 
    Once a victim won an auction and paid for their goods, these funds would then be converted into cryptocurrency and sent onwards to money launderers. 
    According to US prosecutors, Iossifov was one of the money launderers who facilitated the “final steps” in the scheme. 
    The DoJ says that Iossifov’s cryptocurrency exchange, located in Sofia, Bulgaria, catered to at least five clients who belonged to the Alexandria Online Auction Fraud (AOAF) network and he would provide “favorable” exchange rates specifically to clients in the criminal ring. 

    In addition, the operator did not require any ID or proof relating to the source of the stolen funds, thereby removing that potential tie — and evidence — of criminal activity running through his cryptocurrency exchange. 
    Prosecutors estimate that close to $5 million in cryptocurrency was laundered on behalf of four of the AOAF clients in less than three years. When converted into fiat currency, this represents close to $7 million stolen from US citizens alone. 
    Money laundering requires a cut due to risk, and for his efforts, the owner of RG Coins earned himself over $184,000. 
    However, AOAF has now been picked apart through cooperative investigations conducted by law enforcement agencies across the US, Romania, and Bulgaria. 
    Following a two-week trial, US District Court Judge Robert Weir sentenced Iossifov to 10 years in prison for conspiracy to commit a Racketeer Influenced and Corrupt Organizations Act (RICO) offense and conspiracy to commit money laundering. At least 8.5 years of the sentence must be served.
    In total, 17 AOAF members — including the Bulgarian national — have been convicted, with seven others also now serving prison sentences. Three members are on the run. 

    WhatsApp vs. Signal vs. Telegram vs. Facebook: What data do they have about you?

    Over the past week or so we’ve seen a lot of chatter about people shifting their messaging platform from WhatsApp to Signal as a result of fallout from a change to its privacy policy. People were concerned that WhatsApp was going to start funneling data to its parent company Facebook.
    There’s been subsequent clarification, but the damage has been done.
    But what data do these apps have about you? That seems like a good place to start when comparing services.
    And fortunately, Apple has made this easier for us by requiring that companies publish their privacy policies and come clean about what they do with your data.
    So, let’s take a look at what information this gives us on WhatsApp, Signal, and Telegram. And for a bit of perspective, let’s also look at Facebook.
    The labels are grouped by purpose; each line beneath a purpose names a data category and, after the colon, the specific data types collected for it.
    WhatsApp
    Data linked to you – The following data may be collected and linked to your identity:
      Developer’s Advertising or Marketing
        Identifiers
        Usage Data: Advertising Data
      Analytics
        Purchases: Purchase History
        Location: Coarse Location
        Contact Info: Phone Number
        User Content: Other User Content
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction, Advertising Data
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
      Product Personalization
        User Content: Other User Content
      App Functionality
        Purchases: Purchase History
        Financial Info: Payment Info
        Location: Coarse Location
        Contact Info: Email Address, Phone Number
        Contacts
        User Content: Customer Support, Other User Content
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
      Other Purposes
        Contact Info: Phone Number
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction
    Signal
    Data not linked to you – The following data, which may be collected but is not linked to your identity, may be used for the following purposes:
      App Functionality
        Contact Info: Phone Number
    Telegram
    Data linked to you – The following data may be collected and linked to your identity:
      App Functionality
        Contact Info: Name, Phone Number
        Contacts
        Identifiers
    Facebook
    Data used to track you – The following data may be used to track you across apps and websites owned by other companies:
      Other Data: Other Data Types
      Contact Info: Physical Address, Email Address, Name, Phone Number
      Identifiers: User ID, Device ID
    Data linked to you – The following data may be collected and linked to your identity:
      Third-Party Advertising
        Purchases: Purchase History
        Financial Info: Other Financial Info
        Location: Precise Location, Coarse Location
        Contact Info: Physical Address, Email Address, Name, Phone Number, Other User Contact Info
        Contacts
        User Content: Photos or Videos, Gameplay Content, Other User Content
        Search History
        Browsing History
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction, Advertising Data, Other Usage Data
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
        Other Data: Other Data Types
      Developer’s Advertising or Marketing
        Purchases: Purchase History
        Financial Info: Other Financial Info
        Location: Precise Location, Coarse Location
        Contact Info: Physical Address, Email Address, Name, Phone Number, Other User Contact Info
        Contacts
        User Content: Photos or Videos, Gameplay Content, Other User Content
        Search History
        Browsing History
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction, Advertising Data, Other Usage Data
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
        Other Data: Other Data Types
      Analytics
        Health & Fitness: Health, Fitness
        Purchases: Purchase History
        Financial Info: Payment Info, Other Financial Info
        Location: Precise Location, Coarse Location
        Contact Info: Physical Address, Email Address, Name, Phone Number, Other User Contact Info
        Contacts
        User Content: Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content
        Search History
        Browsing History
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction, Advertising Data, Other Usage Data
        Sensitive Info
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
        Other Data: Other Data Types
      Product Personalization
        Purchases: Purchase History
        Financial Info: Other Financial Info
        Location: Precise Location, Coarse Location
        Contact Info: Physical Address, Email Address, Name, Phone Number, Other User Contact Info
        Contacts
        User Content: Photos or Videos, Gameplay Content, Other User Content
        Search History
        Browsing History
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction, Advertising Data, Other Usage Data
        Sensitive Info
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
        Other Data: Other Data Types
      App Functionality
        Health & Fitness: Health, Fitness
        Purchases: Purchase History
        Financial Info: Payment Info, Credit Info, Other Financial Info
        Location: Precise Location, Coarse Location
        Contact Info: Physical Address, Email Address, Name, Phone Number, Other User Contact Info
        Contacts
        User Content: Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content
        Search History
        Browsing History
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction, Advertising Data, Other Usage Data
        Sensitive Info
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
        Other Data: Other Data Types
      Other Purposes
        Purchases: Purchase History
        Financial Info: Other Financial Info
        Location: Precise Location, Coarse Location
        Contact Info: Physical Address, Email Address, Name, Phone Number, Other User Contact Info
        Contacts
        User Content: Photos or Videos, Gameplay Content, Customer Support, Other User Content
        Search History
        Browsing History
        Identifiers: User ID, Device ID
        Usage Data: Product Interaction, Advertising Data, Other Usage Data
        Diagnostics: Crash Data, Performance Data, Other Diagnostic Data
        Other Data: Other Data Types

    Adobe fixes critical code execution vulnerabilities in 2021's first major patch round

    Adobe’s first major batch of security updates in 2021 resolves seven critical bugs that can lead to code execution. 

    On Tuesday, the tech giant released separate security advisories describing the vulnerabilities now resolved in seven products. The impacted software is Photoshop, Illustrator, Animate, Bridge, InCopy, Captivate, and Campaign Classic. 
    The first security fix has been applied to the Photoshop image creation software on Windows and macOS machines. Tracked as CVE-2021-21006, the critical heap-based buffer overflow bug can be abused to trigger arbitrary code execution.  
    Adobe Illustrator, on Windows PCs, is the subject of the firm’s second patch. The critical bug, CVE-2021-21007, is described as an uncontrolled search path element error that can also lead to code execution. 
    The third critical problem, discovered in Adobe Animate on Windows machines, is the same kind of security flaw resulting in the same consequences. This vulnerability is tracked as CVE-2021-21008. 
    Adobe Bridge, used to port and switch content between different forms of creative software — such as between Photoshop and Lightroom — is subject to a fix for CVE-2021-21012 and CVE-2021-21013, critical out-of-bounds write flaws leading to arbitrary code execution. 
    Another uncontrolled search path element vulnerability was found in Adobe InCopy, tracked as CVE-2021-21010. This critical bug can also be weaponized for malicious code execution. 

    In Adobe Campaign Classic, on Windows and Linux PCs, the company has tackled CVE-2021-21009, a critical server-side request forgery (SSRF) flaw that can be exploited for the purpose of sensitive information disclosure. 
    A hotfix has also been issued for CVE-2021-21011, an uncontrolled search path element bug, deemed “important,” that was found in Windows-based versions of Adobe Captivate. If exploited, the vulnerability can lead to privilege escalation. 
    It is recommended that users accept automatic updates where appropriate to update their builds and stay protected. 
    Adobe thanked researchers from the nsfocus security team, Qihoo 360 CERT, Decathlon, Trend Micro’s Zero Day Initiative, and both Jamie Parfet and Saurabh Kumar for reporting the issues now resolved in the patch round. 
    In December’s security update, the tech giant patched critical vulnerabilities in Adobe Lightroom, Prelude, and Experience Manager. 
    Earlier this week, Adobe warned that the company has started to block Flash content worldwide in a bid to urge users to uninstall the software. 
    While Flash was once a popular method to display animated content, the software is known for being riddled with security holes. As software best left as an artifact of 2000s website development, the company will no longer issue security fixes or updates. 