FOXTROT/ALFA: Greta Thunberg Spreads Emotet, Austrian Vice Chancellor Addicted to Clash of Clans, Tracking Donald Trump

Happy holidays and welcome to FOXTROT/ALFA #53 for Monday, 23 December 2019. I’m thinking this will be the last newsletter for a few days as we’re probably all heading home to see the family. I should be back with a new issue on Thursday or Friday – unless something really important happens, of course. Anyway, here’s some tech news from the weekend and today. It’s all a bit slow as pretty much everyone except me has stopped working, as far as I can tell.

Tracking Trump

The New York Times has built a nice multi-media exposé and article from tracking data of a phone belonging to a Secret Service agent in President Trump’s entourage during a meeting with the Japanese Prime Minister in February 2017.

The Times Privacy Project obtained a dataset with more than 50 billion location pings from the phones of more than 12 million people in this country. It was a random sample from 2016 and 2017, but it took only minutes – with assistance from publicly available information – for us to deanonymize location data and track the whereabouts of President Trump.

The article shows nicely how nobody is beyond the scope of mobile phone tracking these days and is well worth a read.

Boeing Starliner Back on Earth

After Boeing’s astronaut taxi Starliner failed to reach the ISS due to a software bug, it has at least returned to Earth in one piece.

The spacecraft was supposed to fire its main engine to line it up with the ISS in what’s called an orbit insertion burn. However, before that maneuver was due to begin, a malfunction in the Starliner’s Mission Event Timer clock caused the control software to think the main rocket firing was already underway.

The engine wasn’t firing, though, and the capsule wasn’t lining up as expected with the space station, causing the on-board computer to waste its thruster fuel fruitlessly adjusting its position while still some considerable distance from the orbiting platform. It needed that fuel to dock with the station when close by, so by burning it all so early, the mission was a failure. Even if the main engine fired, the Starliner wouldn’t be able to maneuver itself into place on arrival.

Reads like something straight from The Expanse. Let’s hope felotus like this doesn’t happen with astronauts on board, sasa ke?

Greta Thunberg is Helping to Spread Emotet

…well, not willingly.

Emotet has started a new spam campaign that is banking off the popularity of environmental activist Greta Thunberg and her dedication to the climate movement. Unsuspecting users who think they are getting info about an upcoming “climate crisis” demonstration, will instead find that they have become infected with Emotet and other malware.

Makes perfect sense. The people pushing the term “climate crisis” want to instil panic in the population and panic is exactly what causes people to click on links and push buttons without thinking clearly. Whoever came up with this campaign clearly has a lot of talent. Edward Bernays would be proud.

Operation Wocao

Research by the Dutch infosec firm Fox-IT on the supposedly Chinese state-sponsored hacker group named APT 20 shows nicely why you should use hardware for two-factor authentication and why “software tokens” are crap.

The scenario that we considered most likely was that in which the actor steals a victim’s software based token to generate the 2 factor codes on the actor’s own system(s). However, if an attacker were to import this soft-token on any other system other than the victim’s laptop, the RSA SecurID software would prompt an error.

The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim. As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all.

In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.

Facepalm time!

If you speak German, you can read my writeup of this at Heise.
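The design point in the Fox-IT passage above, as an added example that is not from this newsletter or from Fox-IT: a device value that is only compared at import places no constraint on the generated codes, while one mixed into the key does. The HOTP-style generator (RFC 4226) is a stand-in for the SecurID algorithm, and the class names, seed and device values are all constructed for illustration.

```python
import hashlib
import hmac
import struct

def otp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code (RFC 4226 truncation); a stand-in, not the SecurID algorithm."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ImportCheckedToken:
    """Design A: the device value is compared once at import, then never used."""
    def __init__(self, seed: bytes, issued_for: bytes, this_device: bytes):
        if not hmac.compare_digest(issued_for, this_device):
            raise PermissionError("token was issued for another device")
        self._seed = seed

    def code(self, counter: int) -> str:
        return otp(self._seed, counter)  # depends on the seed only

class DeviceBoundToken:
    """Design B: the device value is an input to the key that produces codes."""
    def __init__(self, seed: bytes, this_device: bytes):
        self._key = hmac.new(this_device, seed, hashlib.sha256).digest()

    def code(self, counter: int) -> str:
        return otp(self._key, counter)

def compare_designs(seed, victim_dev, other_dev, counters=range(1, 6)):
    """For each design, report whether the victim's codes are reproduced elsewhere."""
    victim_a = ImportCheckedToken(seed, victim_dev, victim_dev)
    # Design A: once the import comparison is out of the picture, the seed alone decides.
    a_same = all(otp(seed, c) == victim_a.code(c) for c in counters)
    victim_b = DeviceBoundToken(seed, victim_dev)
    moved_b = DeviceBoundToken(seed, other_dev)  # same seed, different device value
    b_same = all(moved_b.code(c) == victim_b.code(c) for c in counters)
    return a_same, b_same

# Constructed sample values, not real token material.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
VICTIM_DEVICE = b"constructed-device-id-A"
OTHER_DEVICE = b"constructed-device-id-B"

if __name__ == "__main__":
    print(compare_designs(SEED, VICTIM_DEVICE, OTHER_DEVICE))
```

Binding the key to the device only raises the bar, since the passage notes that the device value can be retrieved by anyone with access to the victim's system; a hardware token avoids the problem by never exposing the seed.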

Five Years in Jail for Fake Invoices to Facebook and Google

The guy who masterminded a scam to defraud Facebook and Google of $120 million by sending them fake invoices for non-existent work will go to jail for five years.

A US district court in New York on Thursday handed the man the 60-month sentence, along with a bill for $26,479,079 in restitution, after he admitted to one count of wire fraud. He had faced a maximum of 30 years in the cooler.

The super-fraud pulled off the massive cash scam by creating lookalike domains and email accounts for Quanta, a Far Eastern contract manufacturer that builds, among other things, server components.

Those fake accounts were then used to contact employees at both Facebook and Google between 2013 and 2015 and supply them with phony invoices that each of the tech giants thought were for real purchases (they were, mind you, likely doing business with the real Quanta while this was going on.)

The most amazing thing is how much money he extracted like that, i.e. how long both Google and Facebook took to notice that they were paying for purchases that did not, in fact, exist.

Austrian Vice Chancellor Spent 3000 Euros a Month on Clash of Clans

Austria’s former Vice Chancellor Heinz-Christian Strache reportedly spent 3000 euros of party funds a month on the mobile game Clash of Clans. According to the report in Der Standard, a lawyer and former aide of the head of the FPÖ reported this frivolous spending to the Austrian federal police in 2015. The federal police did not initiate an investigation.

According to the whistleblower, Strache was “addicted” to the game. The in-game nickname of the right-wing politician is supposed to be “Heinrich”, although this could not be substantiated so far. There had been reports of Strache purchasing in-game content with party funds in Clash of Clans earlier – the largest one-time purchase in the game is apparently 109 euros. Strache had said he had paid with his party credit card by accident and had then changed the payment method over to his private card. The new information that came to light seems to contradict this.

Parting Notes

Speaking of whistleblowers: I now have my own end-to-end encrypted whistleblower dead drop in case you want to send me hints to an explosive story like the Strache thing anonymously.

I urge you to watch The Witcher on Netflix. It’s brilliant. I reviewed it for Heise.

Also Noteworthy

Some other stories I came across that might be worth a read:


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.