this week in security — april 14 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 15.
** THIS WEEK, TL;DR
Tracking Phones, Google Is a Dragnet for the Police (LINK) The New York Times ($): Incredible reporting by @jenvalentino (https://twitter.com/jenvalentino) on uncovering Google’s database known as Sensorvault, which turns cellphone data into a “digital dragnet” for law enforcement. Using so-called reverse location warrants, police obtain the anonymous location details of anyone within a box of coordinates for a set time period. After the data is narrowed down to just a few suspects, Google hands over the names of the people involved. Forbes (https://www.forbes.com/sites/thomasbrewster/2018/10/23/feds-are-ordering-google-to-hand-over-a-load-of-innocent-peoples-locations/#4b2a74da5a0d) previously covered these warrants and how broad they can be, but the Times showed that innocent people get dragged into a process they shouldn’t be — sometimes after spending days unnecessarily in a jail cell. Background: MPR News (https://www.mprnews.org/story/2019/02/07/google-location-police-search-warrants) | Forbes (https://www.forbes.com/sites/thomasbrewster/2018/10/23/feds-are-ordering-google-to-hand-over-a-load-of-innocent-peoples-locations/#4b2a74da5a0d)
Cameras Linked To Chinese Government Stir Alarm in U.K. Parliament (https://theintercept.com/2019/04/09/hikvision-cameras-uk-parliament/) The Intercept: Chinese state-owned camera maker Hikvision, accused of human rights violations for its involvement in the oppression of the Uighur ethnic minority, has cameras dotted everywhere — including around the U.K. parliament. The U.S. recently banned federal agencies from using Hikvision products, but that hasn’t stopped the U.K. from pursuing contracts. One of these days we’ll realize that our supply chain reliance on products and components from China is putting everyone at risk — or so goes the theory. More: Financial Times ($) (https://www.ft.com/content/46f85f8a-e33b-11e8-a6e5-792428919cee) | Archive: Wall Street Journal ($) (https://www.wsj.com/articles/surveillance-cameras-made-by-china-are-hanging-all-over-the-u-s-1510513949)
WikiLeaks Founder Julian Assange Arrested In London (https://www.bbc.com/news/uk-47891737) BBC News: Julian Assange is out of the Ecuadorian embassy — some seven years after he took refuge there after fleeing U.K. bail amid sexual assault allegations in Sweden. He was accused of conspiring (https://twitter.com/josephfcox/status/1116315790914072576) to help Chelsea Manning hack into a computer network while she was still in the army. The whole case stirred up concerns about press freedom. Motherboard (https://motherboard.vice.com/en_us/article/mb8qyn/julian-assange-charged-with-hacking-conspiracy-not-publishing) has a good write-up arguing that the charges don’t relate to the publishing of classified content, while Just Security (https://www.justsecurity.org/63595/assange-indictment-is-shot-across-the-bow-of-press-freedom/) has an opposing viewpoint. Take your pick — we’ll see how this plays out. (I’m still curious about what happened (https://twitter.com/jamesrbuk/status/1116285679728832518?s=21) to his cat.) More: @josephfcox tweet thread (https://twitter.com/josephfcox/status/1116315790914072576) | Motherboard (https://motherboard.vice.com/en_us/article/mb8qyn/julian-assange-charged-with-hacking-conspiracy-not-publishing) | Just Security (https://www.justsecurity.org/63595/assange-indictment-is-shot-across-the-bow-of-press-freedom/)
‘Dragonblood’ Flaws Affect WPA3 Security Protocol (https://wpa3.mathyvanhoef.com) PUBLICATION: Wireless network protocol WPA3 had barely been out a year before a major flaw dropped. Mathy Vanhoef (https://twitter.com/vanhoefm), who developed the KRACK attacks against WPA2, said his new bug can allow an attacker in range to recover the password for that network. His full paper (https://wpa3.mathyvanhoef.com/#paper) is available to read. Ars Technica’s @dangoodin001 (https://twitter.com/dangoodin001) has the best write-up (https://arstechnica.com/information-technology/2019/04/serious-flaws-leave-wpa3-vulnerable-to-hacks-that-steal-wi-fi-passwords/). More: Ars Technica (https://arstechnica.com/information-technology/2019/04/serious-flaws-leave-wpa3-vulnerable-to-hacks-that-steal-wi-fi-passwords/) | US-CERT (https://www.us-cert.gov/ncas/current-activity/2019/04/12/Multiple-Vulnerabilities-WPA3-Protocol)
Researchers Uncover New Version of the Infamous Flame Malware (https://motherboard.vice.com/en_us/article/d3maw7/researchers-uncover-new-version-of-the-infamous-flame-malware) Motherboard: Flame, the nation-state spy tool once linked with Stuxnet, has reared its ugly head again, this time in the form of a new version that likely ran between 2014 and 2016. Believed to have been developed by Israel, Flame spread through what looked like Windows Update. The researchers at Alphabet’s Chronicle hope that going public will get more eyes on it, in the hope of cracking the malware’s encryption. More: Cyberscoop (https://www.cyberscoop.com/flame-malware-second-life-chronicle/)
Thousands Of Cars Exposed Due To Hardcoded Password (https://www.zdnet.com/article/tens-of-thousands-of-cars-left-exposed-to-thieves-due-to-a-hardcoded-password/) ZDNet: MyCar, a telematics system that provides cars with 3G and 4G connectivity, stored hardcoded passwords in its apps, allowing anyone to gain control of a connected car, according to @jmaxxz (https://twitter.com/jmaxxz/status/1115378734947885056), who found the flaw. CERT/CC said the vulnerable apps could be used to “learn the location of a target” (such as a car) and then take off with it. The app has since been updated. More: CERT/CC (https://kb.cert.org/vuls/id/174715/) | @jmaxxz (https://twitter.com/jmaxxz/status/1115378734947885056)
Yes, Amazon Staff Listen To Your Echo Recordings (https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio) Bloomberg: File under “shocking, though not surprising.” In case you didn’t know, Amazon doesn’t encrypt your Echo recordings, so anyone at the company can listen in on them. Guess what — they do. It’s part of Amazon’s effort to help Alexa learn more and understand better — some things you just can’t teach a computer to do. Unsurprisingly, not everyone thinks that’s a great idea for customer privacy. More: BBC News (https://www.bbc.com/news/technology-47893082)
** THE STUFF YOU MIGHT’VE MISSED
Online privacy isn’t dead — if we fight for it (https://medium.com/s/oversight/online-privacy-isnt-dead-if-we-fight-for-it-ef586a27d9b7) Medium: @trevortimm (https://twitter.com/trevortimm/) breaks down four fallacies about privacy. Privacy isn’t dead; we just have to want it and fight for it. It’s becoming increasingly apparent that we’re “not going to take” violations (https://www.nytimes.com/2019/04/10/opinion/internet-privacy-regulation.html) of our privacy any longer, says @karaswisher (https://twitter.com/karaswisher) in her latest column for The Times ($).
Berkeley High student tried to rig his own election (https://www.berkeleyside.com/2019/04/09/berkeley-high-student-tried-to-rig-his-own-election-exposing-flaw-in-districts-cybersecurity) Berkeleyside: Two student government candidates were disqualified after they revealed a vulnerability in the district’s voting technology — after taking advantage of the flaws themselves. The candidates were disqualified, but they exposed how students were issued formulaic default passwords. More than 500 students hadn’t even bothered changing their passwords. Maybe they should spend a little less time on student politics and consider working for the feds. Give those kids a job.
It’s time to start notarizing your Apple apps (https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc) Apple: The maker of expensive rectangles will soon mandate notarized apps for macOS. It’s a way of giving users the nod that Apple has reviewed an app’s code to ensure there are no malicious components — even if developers don’t want to distribute their apps through the App Store. macOS 10.14.5 — which is just around the corner — will require new developers to notarize their apps.
Years later, U.S. still won’t fix SS7 flaws (https://arstechnica.com/features/2019/04/fully-compromised-comms-how-industry-influence-at-the-fcc-risks-our-digital-security/) POGO, Ars Technica: This was a good read. SS7, the protocol that keeps cell networks communicating, is hideously flawed and can allow hackers to intercept calls and text messages. Why won’t the cell carriers fix it? The FCC doesn’t give much of a hoot, so much so that it declined to comment for the report, even though Homeland Security has long called for a fix. But the industry association, the CTIA, pushed back and said everything was basically fine (narrator: it wasn’t). From the report: “FCC has largely abandoned its responsibility for protecting America’s networks from looming digital threats,” wrote @kansasalps (https://twitter.com/kansasalps), an investigator with the Project On Government Oversight.
How to spy on your own smart home (https://gizmodo.com/this-simple-tool-will-reveal-the-secret-life-of-your-sm-1832264323) Gizmodo: After @kashhill (https://twitter.com/kashhill) spied on her own smart home (https://gizmodo.com/the-house-that-spied-on-me-1822429852), revealing little more than a dystopian window into the future, she released the code to let anyone check their own homes. Now, Princeton researchers have taken it to the next step. The Princeton IoT Inspector (https://iot-inspector.princeton.edu/) is free to use — there’s a small privacy tradeoff (which they’re very clear about) in that you have to upload your data (to researchers, so not for money) — but in the grand scheme it gives you a wide look at the innards of your smart home. It’s currently only available for macOS.
Silk Road 2 founder jailed — and we all pretty much knew him (https://motherboard.vice.com/en_us/article/9kx59a/silk-road-2-founder-dread-pirate-roberts-2-caught-jailed-for-5-years) Motherboard: Well, this was weird. Thomas White, a technologist and privacy activist from the U.K., was sentenced to more than five years in prison for running Silk Road 2. Most of us knew him as The Cthulhu (http://web.archive.org/web/20190401202408/https://twitter.com/cthulhusec) on Twitter. He ran Tor exit nodes and provided comment to many publications over the years. He seemed — the key word there — like a decent bloke. Except he pleaded guilty to drug trafficking and money laundering, as well as making indecent images of children. You can read @josephfcox (https://twitter.com/josephfcox)’s detailed profile (https://motherboard.vice.com/en_us/article/3dad83/the-secret-life-of-a-silk-road-20-mastermind) of Dread Pirate Roberts 2, White’s online persona, from 2016.
** OTHER NEWSY NUGGETS
Firefox rolls out anti-fingerprinting technology in beta (https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/) Firefox maker Mozilla has pushed out (https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/) new anti-fingerprinting and anti-cryptomining features to the browser’s Nightly and Beta builds. The tech will help prevent sites from identifying their users by building a digital fingerprint (https://techcrunch.com/2019/04/09/mozilla-adds-fingerprinting-and-cryptocurrency-mining-protection-to-firefox/) of a computer’s configuration. The Tor Browser, which is built on Firefox, already has this protection enabled by default. Firefox users will get it in Nightly 68 and Beta 67, with an aim of rolling out the features more widely later this year.
Two-thirds of hotel websites leak booking data (https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data) Symantec research out this week (https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data) revealed 67 percent of more than 1,500 hotel websites in 54 countries leaked booking data to third-party advertisers and trackers, including names, addresses, emails and passport numbers. Much of the data was sent unencrypted. Reuters has more (https://www.reuters.com/article/us-cyber-breach-hotels/two-out-of-three-hotels-accidentally-leak-guests-personal-data-symantec-idUSKCN1RM15A) on the story.
Google now lets you use your Android phone as a two-factor key (https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/) Rejoice! Your Android 7.0+ phone can now be used as a two-factor key without requiring any additional hardware. Google said (https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/) any Bluetooth-enabled macOS, Windows or Chrome OS computer is supported. It’s basically the same technology (https://techcrunch.com/2019/04/10/google-turns-your-android-phone-into-a-security-key/) as what Google uses in its Titan keys.
Amazon helps police catch package thieves (https://motherboard.vice.com/en_us/article/3k3833/how-amazon-helped-cops-set-up-a-package-theft-sting-operation) We’ve known for a while that Amazon helps police catch package thieves (https://www.apnews.com/c654020c42b94055a19801b849d337a2). Now we know how. Motherboard obtained a bunch of leaked documents (https://motherboard.vice.com/en_us/article/3k3833/how-amazon-helped-cops-set-up-a-package-theft-sting-operation) showing how the operation works. Police use fake Amazon boxes rigged with GPS location trackers to track “porch pirates” as part of Operation Safe Porch. Then the police surveil the target and obtain a warrant for search or arrest. You can read all the documents here (https://www.documentcloud.org/documents/5817240-HAYWARD.html).
** THE HAPPY CORNER
Here are some of the more cheery things from the week.
The BT Tower in London, once a national security secret, has for the past week or so (https://twitter.com/thomasdaigle/status/1114878670139809792) displayed a Windows boot message on its 360-degree display that can be seen across the capital. How very apt, given the shitshow that is Brexit.
Microsoft has launched (https://twitter.com/msuiche/status/1115774234268016640) a cybersecurity scholarship fund. The so-called Cybersecurity Talent Initiative (https://www.cybertalentinitiative.org/) will give students up to $75,000 in student loan assistance.
And, last but absolutely not least: long-time newsletter subscriber @elinormills (https://twitter.com/elinormills) sent a t-shirt my way. I posted a photo to Twitter (https://twitter.com/zackwhittaker/status/1115075623049945088). And yes, of course it has cats. Thanks again, Elinor! If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place)
** THIS WEEK’S CYBER CAT
In a rare two-for-one special, meet this week’s cybercats Hunter (top) and Tweed (below). Finally, an unhackable computer — there’s no way you’re getting past these two kitties any time soon. Thanks to Peter Sterne (https://twitter.com/petersterne) for the submission! (You may need to enable images in this email.) I’m on the last batch of cybercats — it’s a drought! Please email in your cybercat submissions! They will always get featured — it’s just a matter of time.
Submit your cybercats here! (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20)
** SUGGESTION BOX
Hope you enjoyed this week’s newsletter. My suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open as always. Small programming note: there will be no newsletter next week on April 21 due to scheduling, but I’ll be back on April 28. Have a good one, all.