this week in security — april 12 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 15
~ ~ Coronavirus is dominating the headlines, but security never sleeps. This newsletter will keep you updated every Sunday with all the cybersecurity news from the week. Stay safe and healthy, all. ~ ~
** THIS WEEK, TL;DR
PayPal and Venmo are letting SIM swappers hijack accounts (https://www.vice.com/en_us/article/pke9zk/paypal-and-venmo-are-letting-sim-swappers-hijack-accounts) Motherboard: Researchers say PayPal, Venmo, and other major online sites allow users to reset their password by sending a text message to a phone number, which they say presents an unacceptable security risk for users who have their phone number stolen in SIM-swapping attacks. The researchers at Princeton University (https://freedom-to-tinker.com/2020/03/25/vulnerability-reporting-is-dysfunctional/) contacted the companies again to see if they had removed the vulnerability. Turns out most of the companies hadn’t. Only Adobe, Snapchat and eBay fixed the issue. But 9 out of the 17 websites affected either didn’t respond or didn’t understand the issue, and are still vulnerable. More: Freedom to Tinker (https://freedom-to-tinker.com/2020/03/25/vulnerability-reporting-is-dysfunctional/) | @lorenzofb (https://twitter.com/lorenzofb/status/1247147401468616704?s=21)
Apple and Google reveal joint COVID-19 tracing tool for iOS and Android (https://techcrunch.com/2020/04/10/apple-and-google-are-launching-a-joint-covid-19-tracing-tool/) TechCrunch: Apple and Google are working together to bring a Bluetooth contact-tracing API that can be incorporated into apps, which the tech giants hope will help inform others if they have come into contact with a confirmed case of COVID-19. It doesn’t use location data, and the proximity-based sensing of anonymous identifiers doesn’t include any health or identifiable data. Will it work? Only time will tell. The ACLU didn’t hate (https://www.aclu.org/press-releases/aclu-comment-applegoogle-covid-19-contact-tracing-effort) the idea — it even sounded somewhat optimistic. And, Signal creator Moxie Marlinspike has some technical context (https://twitter.com/moxie/status/1248707315626201088). Google also has a pretty good infographic [PDF] (https://www.blog.google/documents/57/Overview_of_COVID-19_Contact_Tracing_Using_BLE.pdf) on how the opt-in system will work. More: Apple (https://www.apple.com/covid19/contacttracing) | Google (https://www.blog.google/inside-google/company-announcements/apple-and-google-partner-covid-19-contact-tracing-technology/) | ACLU (https://www.aclu.org/press-releases/aclu-comment-applegoogle-covid-19-contact-tracing-effort) | Abe Winter (https://abe-winter.github.io/2020/04/10/leaky.html) | @moxie thread (https://twitter.com/moxie/status/1248707315626201088?s=21)
Attackers can bypass fingerprint authentication with an ~80% success rate (https://arstechnica.com/information-technology/2020/04/attackers-can-bypass-fingerprint-authentication-with-an-80-success-rate/) Ars Technica: We all know that biometrics have their limits. But now researchers at Cisco’s Talos unit say most fingerprint sensors are flawed and can be tricked into accepting a fake reading. The researchers unlocked an iPhone 8 and a Samsung S10 using a technique of printing fingerprints on 3D printers, but several Windows 10 laptop models seemed to fare well, given that researchers were unable to unlock the devices. More: Cisco Talos (https://blog.talosintelligence.com/2020/04/fingerprint-research.html) | Cyberscoop (https://www.cyberscoop.com/fingerprints-biometrics-talos-intelligence-agencies/) | Wired ($) (https://www.wired.com/story/cheap-3d-printer-trick-smartphone-fingerprint-locks/) | @security_craig (https://twitter.com/security_craig/status/1247873938002149376)
Twitter notifies users that it’s now sharing more data with advertisers (https://www.theverge.com/2020/4/8/21213593/twitter-data-sharing-pop-up-mobile-app-advertising-settings) The Verge: If you got a Twitter popup this week that seemed to suggest it removed a privacy setting that now means Twitter will share more data with advertisers… yeah, you and (mostly) everyone else. The setting, per The Verge (https://www.theverge.com/2020/4/8/21213593/twitter-data-sharing-pop-up-mobile-app-advertising-settings), prevented Twitter from sharing information like the ads you saw or interacted with and the tracking identifier for your phone. Only users in Europe (and the U.K.) are exempt from the change. Naturally, many are unhappy with the sudden change. The EFF had a good explainer (https://www.eff.org/deeplinks/2020/04/twitter-removes-privacy-option-and-shows-why-we-need-strong-privacy-laws), and seems to suggest the decision was made largely because Twitter’s ad revenue dropped after it fixed a number of other bugs that let advertisers get access to data they shouldn’t have had access to. More: Twitter (https://help.twitter.com/en/safety-and-security/data-through-partnerships) | EFF (https://www.eff.org/deeplinks/2020/04/twitter-removes-privacy-option-and-shows-why-we-need-strong-privacy-laws)
Zoom apologizes for privacy woes, hires Alex Stamos and others (https://blog.zoom.us/wordpress/2020/04/08/update-on-zoom-90-day-plan-to-bolster-key-privacy-and-security-initiatives/) Zoom: On the same day that Google banned (https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom) its employees from using Zoom citing security concerns, the video calling company announced it was bringing on CISO advisers, and former Facebook chief security officer Alex Stamos as an advisor. @k8em0 (https://twitter.com/k8em0/status/1248373260045021185) also confirmed her bug bounty advisory company was helping Zoom. It’s clear that Zoom’s finally starting to take its security and privacy concerns more seriously. It couldn’t come at a more crucial time, given its CEO admitted in an interview this week that Zoom “never thought” about the possible abuse of its platform by ordinary users. More: BuzzFeed News (https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom) | @natashanyt (https://twitter.com/natashanyt/status/1248238004419821570) | @k8em0 (https://twitter.com/k8em0/status/1248373260045021185)
~ ~ SUPPORT THIS NEWSLETTER
A big thanks to you for reading this newsletter! As subscribers go up, so do the monthly costs. If you can spare $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps to maintain the upkeep of this newsletter. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here. ~ ~
** THE STUFF YOU MIGHT’VE MISSED
For internet voting, the blockchain won’t help (https://www.coindesk.com/internet-voting-is-not-secure-and-blockchain-wont-help-warns-scientific-body) Coindesk: It’s an election year, and it waits for nobody — even a pandemic. It’s in the constitution (https://twitter.com/techreview/status/1248249901772759040?s=21b) so it’s going to happen — but how? Voting by mail seems to be the most logical, efficient and secure way if we can’t all get to the polls, but some are pointing to internet voting and blockchain. Experts say internet voting just isn’t secure. “At this time, internet voting is not a secure solution for voting in the United States, nor will it be in the foreseeable future,” a letter from experts read. As usual, @yaelwrites (https://twitter.com/yaelwrites) does a grand job of wading through the bullshit so you don’t have to.
Section 230, or not 230? That is the EARN IT question (https://signal.org/blog/earn-it/) Signal: The popular end-to-end encrypted messaging app said this week that it “would not be possible for a small nonprofit like Signal to continue to operate within the United States” if the EARN IT Act is rolled into law. That’s the biggest signal (excuse the pun) that apps like Signal would suffer under the bill (https://www.wired.com/story/signal-earn-it-ransomware-security-news/), which critics say undermines encryption and will harm security.
Some shirts hide you from cameras — but will anyone wear them? (https://arstechnica.com/features/2020/04/some-shirts-hide-you-from-cameras-but-will-anyone-wear-them/) Ars Technica: Some clothing can bust surveillance cameras and facial recognition systems. Ars does its usual deep-dive. “We have this notion that people who are going to help us get through the surveillance age are people who have special skills, like computer scientists,” said one anti-surveillance fashion designer. “I actually think the thing that we can do most to unlock the mainstream is to create tools that allow people who are not in these specialty jobs to be able to test things in their own closet.” ~ ~
** OTHER NEWSY NUGGETS
Cyber Threat Coalition serves up first weekly threat advisory (https://www.cyberthreatcoalition.org/covid-19-cyber-threat-updates-blog/2020-04-06-weekly-threat-advisory) This was mentioned in our newsletter a couple of weeks ago (https://www.reuters.com/article/us-coronavirus-cyber/cybersecurity-experts-come-together-to-fight-coronavirus-related-hacking-idUSKBN21D049): some 400 volunteers from around the world are working together to fight coronavirus-related cyberattacks. Now the coalition has its first blog post (https://www.cyberthreatcoalition.org/covid-19-cyber-threat-updates-blog/2020-04-06-weekly-threat-advisory) up, detailing the week’s worth of threat advisories. The coalition’s first update warns of attacks against virtual meeting tools (like Zoom), notes that ransomware remains an issue, and reports that coronavirus-themed phishing attacks are on the rise. A must-read for any CISO.
Travelex paid hackers multimillion-dollar ransom before hitting new obstacles (https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800) Foreign money exchange Travelex forked out $2.3 million in bitcoin to hackers after a ransomware attack over New Year’s. Interestingly, the WSJ reporters actually infected a computer to open up a line of communication with the ransomware operators to seek comment. Travelex may be back on its feet but with months of financial woes to contend with, it might soon be on its way out. ~ ~
** THE HAPPY CORNER
Welcome to the happy corner, once a luxury but now a necessity.
In case you didn’t know, Chrome has a hidden game when you go offline. Tap the spacebar on the Chrome page that says you’re offline, and you can play the dino-jumping game. Now, someone was able to hack it (https://twitter.com/null4bl3/status/1247032404990210053) to auto-jump at each obstacle. Why? Because they can. And, anyone with a cat needs to read this critical security advisory (https://labs.unit221b.com/2020/04/04/wfh-security-advisory/) as soon as possible. No fixes, but a spare, unplugged keyboard should mitigate any feline-based sleep attacks. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Nico. He likes to eat, sleep, and dream about treats. He’s also a big advocate of multi-factor paws-thentication. Just look at that blep! Nico, what a cutey. A big thanks to Nico’s human for the submission! Stuck in quarantine? Cat doing something cute? Take a snap and send them in! We’re close to running out of cybercat photos! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). ~ ~
** SUGGESTION BOX
That’s all we have this week. As always, thanks so much for reading. You can always drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Stay safe out there. See you again next Sunday.