this week in security — april 11 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 15
~ ~
** THIS WEEK, TL;DR
What really caused Facebook’s 500M-user data leak? (https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/) Wired ($): So where did that cache of 500 million Facebook phone numbers come from? @lilyhnewman (https://twitter.com/lilyhnewman) got to the bottom of it. Turns out it was scraped from the site directly by exploiting an undisclosed vulnerability (https://twitter.com/ashk4n/status/1379190936970829825) in the site’s contact import feature, which allowed attackers to create (https://twitter.com/mikko/status/1379686946117668867?s=20) a massive address book with millions of phone numbers in order to “match” those numbers against existing Facebook accounts. Facebook never fully disclosed the issue, and instead this past week pointed back to similar — but only tangentially related — stories. Even after the fact, Facebook said it has no plans (https://www.reuters.com/article/us-facebook-data-leak-idUSKBN2BU2ZY) to inform users of the incident. Meanwhile, Ireland’s data protection agency isn’t happy and said (https://dataprotection.ie/en/news-media/press-releases/dpc-statement-re-dataset-appearing-online) it received “no proactive communication” from Facebook. What’s clear is that half a billion Facebook users have their phone numbers floating around the web, and are now less safe as a result of Facebook’s efforts to cover this up. More: Reuters (https://www.reuters.com/article/us-facebook-data-leak-idUSKBN2BU2ZY) | @kennwhite (https://twitter.com/kennwhite/status/1379596367979495430) | @ashk4n tweets (https://twitter.com/ashk4n/status/1379190936970829825)

There’s another Facebook phone number database online (https://www.vice.com/en/article/qj8dj5/facebook-phone-number-data-breach-telegram-bot) Motherboard: Cool, how about one more? There’s yet another cache of Facebook phone numbers in the form of a Telegram bot. @josephfcox (https://twitter.com/josephfcox/status/1380573488554123267) ran the numbers, verified with victims, and found the data to be distinctly separate from the recently reported set of 500 million Facebook phone numbers. Meanwhile, Facebook deflected blame in a blog post: “While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.” I wonder how many people are allegedly on that team. More: @josephfcox (https://twitter.com/josephfcox/status/1380573488554123267)
Clearview AI offered thousands of cops free trials (https://www.buzzfeednews.com/article/ryanmac/clearview-ai-local-police-facial-recognition) BuzzFeed News: Breathtakingly good reporting here. BuzzFeed News found more than 7,000 users from close to 2,000 public agencies using Clearview AI, the controversial facial recognition app that checks faces against a database of 3 billion images scraped from social media sites. BuzzFeed News published the results in a searchable table — including ICE, the Air Force, and even public schools. This is incredible work that took the reporters over a year to complete. More: BuzzFeed News (https://www.buzzfeednews.com/article/carolinehaskins1/nypd-has-misled-public-about-clearview-ai-use) | @caro1inehaskins tweets (https://twitter.com/caro1inehaskins/status/1379421928830734342) | @rmac18 tweets (https://twitter.com/RMac18/status/1380282539470770178)
Pwn2Own ends with a three-way tie — and controversy (https://therecord.media/pwn2own-2021-hacking-contest-ends-with-a-three-way-tie/) The Record: International hacking contest Pwn2Own ended this week with a three-way tie between Team Devcore, OV, and security researchers Daan Keuper and Thijs Alkemade. Among the hacked targets were Windows 10, Ubuntu, Chrome and Safari, Exchange, and Zoom. But anger swelled after @alisaesage (https://twitter.com/alisaesage/status/1380797761801445376?s=20), the first solo woman (https://twitter.com/ryanaraine/status/1380545909306445825) to win Pwn2Own, who found a bug in virtualization software Parallels, was only awarded a “partial win” because the bug she found was allegedly already reported privately prior to the contest. That drew ire (rightfully) from a ton of security folk because it’s still a valid find and therefore should still win. More: Forbes (https://www.forbes.com/sites/thomasbrewster/2021/04/08/microsoft-teams-and-zoom-hacked-in-1-million-competition/?sh=777f1a3f68f6) | Malwarebytes (https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zero-day-discovery-makes-calls-safer-hackers-200000-richer/) | @0xcharlie (https://twitter.com/0xcharlie/status/1380510963837849601)

European institutions were targeted in a cyberattack last week (https://www.bloomberg.com/news/articles/2021-04-06/european-institutions-were-targeted-in-a-cyber-attack-last-week) Bloomberg ($): A number of European Union institutions, including the bloc’s executive decision-maker, the European Commission, were hit by a “significant cyberattack” last week. Details on what and how are scarce, but the EU said it experienced an “IT security incident,” and didn’t add more. Last month, the European Banking Authority was named as hacked (https://www.bbc.com/news/technology-56321567) in the ongoing Exchange email server hacks, and the European Medicines Agency said it was targeted (https://techcrunch.com/2021/01/15/ema-warns-over-doctored-covid-19-vaccine-data-hacked-and-leaked-online/) by a hack-and-leak operation. More: Cyberscoop (https://www.cyberscoop.com/european-union-it-security-incident-commission/) | TechCrunch (https://techcrunch.com/2021/01/15/ema-warns-over-doctored-covid-19-vaccine-data-hacked-and-leaked-online/)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity), or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Big Tech Detective lets you track and avoid tech giants as you browse the web (https://bigtechdetective.net/) Big Tech Detective: A couple of years ago @kashhill (https://twitter.com/kashhill/status/1379771326349635584) did an experiment cutting out the biggest tech giants to see what it’s like to live without the “big five” — Amazon, Apple, Facebook, Google, and Microsoft. Turns out it wasn’t so easy! (https://gizmodo.com/i-cut-the-big-five-tech-giants-from-my-life-it-was-hel-1831304194) The experiment worked by blocking access to the big five’s networks at the browser level. Now that tool has been released to the web. Big Tech Detective (https://bigtechdetective.net/about) is a browser extension that blocks access to these services.

The opportunities — and obstacles — for women at NSA and Cyber Command (https://www.wired.com/story/women-cybersecurity-nsa-cyber-command/) Wired ($): @lilyhnewman (https://twitter.com/lilyhnewman/status/1379494498301001731?s=20) spoke with three women at NSA and Cyber Command, who shared their insights on the struggle for gender equality in the intelligence community and the military. This is a really good read, and all the more reason why the intelligence community — which is inherently secret by nature — has to be more transparent about gender equity.
New CISOs should focus more on people and less on tech (https://www.scmagazine.com/home/security-news/new-cisos-should-focus-more-people-and-less-on-tech-report-finds/) SC Media: A new Forrester report, which draws on interviews with dozens of security executives, found two key themes: first, human connections are more important to a CISO’s early success than mastering the technical details; and second, “while it is virtually impossible to fix or address a company’s major security challenges in the first 100 days, it is definitely possible to alienate other business units and irreparably harm your security team’s brand in the eyes of peers and colleagues.” In other words, focus on the people! (Thanks to @ajohnsocyber (https://twitter.com/ajohnsocyber/status/1379829600771969024) for tweeting it out.)
Hackers leak other hackers’ data online after carding forum breached (https://www.group-ib.com/media/swarmshop-breach/) Group-IB: Security firm Group-IB has obtained a database of 12,300 records belonging to users of Swarmshop, a forum dedicated to credit card fraud, including more than 600,000 payment cards. About two-thirds of the payment cards were issued by U.S. banks. ~ ~
** OTHER NEWSY NUGGETS
More details emerge on PHP’s Git server attack (https://externals.io/message/113981) An update to the PHP incident last week, which saw its self-hosted Git server popped and a backdoor added (though it never made it out the gate). Now it’s believed that PHP’s user database leaked or was compromised. All php.net passwords have been reset. The blog post (https://externals.io/message/113981) explains more on how the malicious commits were made.
Mobile carrier exposes data for millions of accounts (https://arstechnica.com/information-technology/2021/04/no-password-required-mobile-carrier-exposes-data-for-millions-of-accounts/) Q Link Wireless, which provides low-cost mobile phone and data services to two million U.S.-based customers, made private data available to anyone who knew a customer’s phone number. Reviews for the buggy app complained of security issues but the developer responded thanking them for the “suggestion.” ~ ~
** THE HAPPY CORNER
OK, onto the good stuff.
The Queen’s husband, Prince Philip, died this week. @pwnallthethings (https://twitter.com/pwnallthethings/status/1380501510476414984) has a story of when the Queen paid a visit to GCHQ and Philip put his foot in it — as he often did. Here’s the teaser.

@deviantollam (https://twitter.com/deviantollam/) has a great thread (https://twitter.com/deviantollam/status/1380159110998556681?s=20) on how to evade surveillance through disguise, and how to set up your outfit in order to lose a tail. This is really cool, and I must’ve watched this on loop a dozen times already.

And, welcome back to NSA, @RGB_Lights (https://twitter.com/RGB_Lights/status/1380676306883461123), who returns after a stint in London. He replaces Anne Neuberger as NSA’s director of cybersecurity.

If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Mipha. She is just 8 months old but is already preparing for a career in cybersecurity. Her focus is the influence of catnip on persuasion. You’ll definitely go far, Mipha! A big thanks to @margarita (https://twitter.com/margarita) for the submission! Please keep sending in your cyber cats (and their friends)! You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.), and feel free to send updates on previously-submitted friends!
~ ~
** SUGGESTION BOX
And that’s a wrap for this week. You can always drop any feedback you have in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Thanks so much for reading. Same time next week?
~this week in security~ does not track email opens or link clicks.