Cybersecurity Roundup: October 27, 2020

This week we’ve got Cyber Advisor to the President Rudy Giuliani tucking in his shirt, a terrifying psychotherapy center hack, a cyberwar rages around COVID-19 vaccines, Watch Dogs: Legion looks amazing, problems with that big Trump-Twitter hacking claim last week, how to get info out of private Facebook profiles, and more.

Get inbox delivery of this weekly brief for as little as $1.

What the tuck

It can’t be easy to be the 99-cent store version of Roger Stone, who is in fact closer related to a sale-bin Hamburglar costume than any actual slick “dirty trickster” he believes himself to be. No, the cheap knockoff version of Stone is Rudy Giuliani, who last week tried to pull off the weakest version of a WikiLeaks information laundering op, and failed — only to then find himself quite literally exposed by … Borat.

I’m sorry to have to cover this; we’re all going to need to take deep swigs of the unsee juice after this one. Giuliani — Cybersecurity Advisor to the President of the United States — was in a clip released by “Borat” actor Sacha Baron, showing the former Mayor of New York laying back on a hotel room bed, stroking himself inside his trousers in preparation for a sexual encounter with a woman he did not know was an actress, but whom he believed to be a 15-year-old girl.

Giuliani, who spent the first few years of Trump’s term getting paid for speaking engagements where he was introduced as a cybersecurity adviser to the president, told press that he did nothing inappropriate. Inside Edition reported Sacha Baron Cohen’s response on “Good Morning America,” saying “if the president’s lawyer found what he did there was appropriate behavior, then heaven knows what he’s done with other female journalists in hotel rooms.”

What he’s been doing with other female journalists is a question that should be answered. And no, no one believed Rudy’s claim that with the Borat actress, he was just “tucking in his shirt.”

“Here is a 76-year-old man, with two children in their 30s, happily allowing himself to be lured into a bedroom by a woman he is supposed to be having a professional interaction with—a woman in her early 20s and who he was tricked into believing was a teenager.”
Borat 2: Rudy Giuliani ‘Tucking Shirt’ Excuse is Irrelevant (Den of Geek)

Everyone's gonna need therapy

The hack attack everyone’s buzzing about right now is 100% pure privacy nightmare fuel: I’m talking about Finland’s incident involving psychotherapy center Vastamo. This is being described as a ransomware attack, but a more accurate way to describe it is blackmail. With ransomware, systems are locked until a ransom is paid, usually in Bitcoin, then the victim gets a key to unlock their files. In the case of Vastamo, the attacker stole tens of thousands of psychotherapy patients confidential therapy records and demanded payment (from both the individuals and from Vastamo) to prevent publication of people’s files.

The breach actually occurred in November 2018, but the attacker waited to move forward with the blackmail scheme until this past weekend. This is the kind of story that should have a larger piece built around it examining wider cybersecurity practices (or lack of) in the psychotherapy field.

“The blackmailer says the group he represents has also broken into four other organizations, none of which are Finnish. It is alleged that these have paid ransoms of similar size or larger. Others are not actors in the field of therapy, but they also contain sensitive personal information alongside trade secrets.”
During an exchange with the extortionist, the site insisted that these actions could push some patients to suicide. The extortionist reportedly said he didn’t care if that happens. In fact, he reportedly went as far as to contact individual victims with smaller ransom demands.
The extortionist has so far leaked 300 patient records on the dark web.”
Vastamo Hacker Says He Doesn’t Care if Therapy Leaks Drive Patients to Suicide (HOT for Security | Bitdefender)

Not just one little prick

The race to find a safe and effective COVID-19 vaccine has set the stage for what’s become a raging cyberwar, in which attackers from all over the world are trying to sabotage, steal, or just make a ransombuck off our collective tragedies. Despicable? Completely. Here’s the most recent attack.

“Now, an Indian generics maker has been hit with a potential cyberattack, and it’s shutting down some of its plants to isolate the problem.
Dr. Reddy’s Laboratories isolated all data center services as a preventive measure after detecting a breach, the company said Thursday. The company has shut “key” plants, ET Times reported. Plants in the U.S., U.K., Brazil, India and Russia were said to have been impacted.”
Dr. Reddy’s shuts ‘key’ plants worldwide after potential cyberattack hits COVID work (FiercePharma)
See also: What the FBI did to make headway against COVID-19 research hackers (CyberScoop)

She said, she said

SC Media is running a giant feature on women in cybersecurity that includes some of the usual suspects, making me wish for a more diverse and creative selection — but to its credit, SC included a couple of the more outstanding hackers and fearless equality advocates. As in, women who fight and sacrifice for more than just advancing a career. I’m excited to see Quiessence Phillips, Tarah Wheeler, Lesley Carhart, Parisa Tabriz, Window Snyder, Katie Moussouris, Sophie Pingor, and more.

“The venture capital community has responded as well, pouring billions of dollars into startups who promise to close the security gaps of today and tomorrow. However, this golden age of investment continues to leave certain groups – like women and people of color – behind at the highest levels. ”
Women in IT Security news, articles & updates (SC Magazine)
See also: The Unsinkable Maddie Stone, Google’s Bug-Hunting Badass (WIRED)

Hack the planet

Some of you may remember that I worked on the video game Watch Dogs 2, as a hacking and culture advisor, then had a blast doing the press push when the game came out. Now the third game in this fantastic, realistic game series is about to come out, and everything that went into Watch Dogs: Legion looks incredible. I’m so proud to be part of this game’s legacy.

“In open-world games, players normally control a single protagonist, or a couple of carefully crafted main characters. But Hocking envisioned a Watch Dogs game where players could explore a metropolitan city and, with the press of a button, switch perspectives to inhabit the body of a spy, construction worker or an average Joe walking to their office job. 
Every passerby is their own person, primed with a web of relationships, an occupation and a personality. It flipped the notion of NPCs (non-player characters) on its head by making each and every person in the game playable.”
Pulling back the curtain on the tech and politics behind ‘Watch Dogs: Legion’ (Washington Post)

Curse of the lizard man

Ever wonder how effective it is, privacy-wise, when someone makes their Facebook profile private? Spoiler: private profiles are as good at privacy as Mark Zuckerberg is at convincing us he’s not a lizard. Here’s an eye-opening look at how anyone can wring a ton of info out of Facebook’s so-called “private” profiles.

“Probably every OSINT investigator has encountered this problem; you’ve found your targets Facebook profile but it is completely private. So what can you do? One of the ways to start is by ‘clicking the buttons’. On a Facebook-profile there are quite some buttons to be found. And sometimes a button might seem like they aren’t containing any info but in fact they do…”
What to do when a Facebook profile is private? (We are
See also: Think Private Facebook Profiles Pages Are A Dead End? Think Again! (hatless1der)

But it was a great week for clickbait

Late last week, Dutch magazine ignited headlines in the US when Vrij Nederland reported that “ethical hacker” Victor Gevers claimed to have logged into Trump’s Twitter account by simply guessing a very dumb, very simple password. As a number of people on infosec Twitter cautioned, everyone best be putting the word “alleged” in front of those claims…

“Both Twitter and the White House have dismissed claims that a Dutch ethical hacker managed to log into president Donald Trump’s Twitter account by guessing his password.
…But both US officials and Twitter say they have no evidence that supports the claims, and Vice and several tech commentators have disputed the evidence provided by VN.”
Questions remain about claims Dutch hacker logged into Trump’s email (Dutch News)

More bumpy rides ahead

This is the kind of story that gets lost in the mix of everyday madness, but I believe is going to become critically important in understanding what we’ve been going through — and are about to go through — in this country. I really want to know who made these dossiers, if they were used in facebook ad targeting, and why it’s now a fire sale.

“A database with information on virtually the entire US voting population has been circulated on hacker forums, opening up the potential for disinformation and scams that could impact the November 3 election, security researchers say.
…The databases “include a shocking level of detail about citizens including their political affiliation,” and the sellers claim to have 186 million records, which would mean nearly all US voters [Trustwave] said in a blog post.”
US voter data traded on hacker forums: researchers (AFP | MSN)

Here’s how to help

I am among the pandemic-cuts job seekers right now. If you can help me out right now, here’s how: Pitch in here on Patreon, help out with my rent on my PayPal, my Square Cash, or my Venmo (MissVioletBlue), or help out with quality of life stuff for me and my cat/life partner Max via my Amazon wish list.

If you’re a patron, thank you for not just keeping Max cat and I stocked up on kibble — you’ve made so much more possible. Like this three-part series on managing your mental health (and staying sane) online, as well as this guide for Adafruit, Digital privacy and security measures for staying safe while protesting.

If you can’t help support this labor of love in a concrete way, please consider sharing this free weekly roundup on social media.

Post image via Classical Studies.

Become a patron to

Unlock 139 exclusive posts
Listen anywhere
Connect via private message