this week in security — april 28 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 16.
** THIS WEEK, TL;DR
NSA Recommends Dropping Phone-Surveillance Program (https://www.wsj.com/articles/nsa-recommends-dropping-phone-surveillance-program-11556138247?mod=hp_lead_pos2) Wall Street Journal ($): Five years after lawmakers passed the Freedom Act to curtail the NSA’s phone records collection program, the NSA is asking the White House to shutter the program for good. The program vacuumed up millions of call records daily from Verizon (and, it is believed, other carriers), a leaked FISA court order revealed. “Frustrations about legal-compliance issues” forced the NSA to halt the program earlier this year, reports the WSJ. Its legal authority expires in December unless Congress renews it. @Snowden (https://twitter.com/Snowden/status/1121449971604025345) said the news was a vindication of his leaking the program in the first place. But the White House has yet to decide (https://twitter.com/dnvolz/status/1121152453225930753) on the program’s fate. More: @Snowden (https://twitter.com/Snowden/status/1121449971604025345) | @dnvolz (https://twitter.com/dnvolz/status/1121152453225930753)
Facebook’s New Top Lawyer Helped Write The Patriot Act (https://www.theverge.com/2019/4/22/18511633/facebook-general-counsel-patriot-act-jennifer-newstead) The Verge: File under “terrible optics,” Facebook’s new chief legal counsel was a key figure in authoring the Patriot Act, which the government used to kick start the aforementioned phone records collection program. She helped “craft” the bill in the wake of the September 11 attacks in 2001. The law also allows the FBI to serve companies national security letters — of which Facebook has received many (https://nslarchive.org/) . The Verge’s story follows a BuzzFeed News story (https://www.buzzfeednews.com/article/zoetillman/trump-picks-patriot-act-lawyer-for-top-state-depar) two years ago when Newstead took up a senior position at the Justice Department. More: Facebook (https://newsroom.fb.com/news/2019/04/newstead-and-pinette-join-facebook/) | Background: BuzzFeed News (https://www.buzzfeednews.com/article/zoetillman/trump-picks-patriot-act-lawyer-for-top-state-depar)
FireEye Finds Carbanak Trojan Source Code On VirusTotal (https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html) FireEye: Turns out the source code for the Carbanak trojan was on VirusTotal all along, according to FireEye, which reported on its findings this week in a multi-part series (https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html) . The malware, developed by the FIN7 hacking group, is particularly nasty: it burrows into compromised networks and steals banking information. The group is said to have stolen as much as a billion euros to date. ZDNet has a write-up that digests the story further (https://www.zdnet.com/article/source-code-of-carbanak-trojan-found-on-virustotal/) . More: @ItsReallyNick tweet thread (https://twitter.com/ItsReallyNick/status/1120410950430089224) | FireEye (part 2) (https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html) | (part 3) (https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html) | (part 4) (https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html)
Inside The Secret Industry Of Voting Machine Makers (https://www.theguardian.com/us-news/2019/apr/22/us-voting-machines-paper-ballots-2020-hacking) The Guardian: This was some really strong work by @jojot_wilkie (https://twitter.com/jojot_wilkie?lang=en) . His latest deep-dive report looks at the secret world of voting machine makers ahead of the 2020 election. His second report (https://www.theguardian.com/us-news/2019/apr/22/us-voting-machine-private-companies-voter-registration) in the two-part series focuses on how the handful of private companies that run U.S. elections have little oversight and keep information secret. More: @jojot_wilkie tweet thread (https://twitter.com/jojot_wilkie/status/1120364347719671809)
Amazon’s Alexa Team Can Access Users’ Home Addresses (https://www.bloomberg.com/news/articles/2019-04-24/amazon-s-alexa-reviewers-can-access-customers-home-addresses) Bloomberg: Not only can some Amazon staff access your Echo recordings, now they can figure out where you live. Bloomberg reports that staff at the company’s Alexa Data Services can “see latitude and longitude” — making it easy in some cases to obtain a user’s home address. That’s contrary to Amazon’s earlier statement that “employees do not have direct access to information that can identify the person or account as part of this workflow.” More: Gizmodo (https://gizmodo.com/if-you-care-about-privacy-throw-your-amazon-alexa-devi-1834277824) | @bradstone (https://twitter.com/bradstone/status/1121088739495694336)
Manufacturing giant Aebi Schmidt hit by ransomware (https://techcrunch.com/2019/04/23/aebi-schmidt-ransomware/) TechCrunch: European manufacturing giant Aebi Schmidt became the latest company to get hit by ransomware in recent weeks — after Norsk Hydro and Arizona Beverages. A source told me that the company had to send staff home — in some cases on unpaid leave. The company later admitted the attack (https://www.aebi-schmidt.com/en/news/589) in a press release. (Disclosure: I wrote this story.) More: Aebi Schmidt (https://www.aebi-schmidt.com/en/news/589)
Hacker Can Remotely Kill Car Engines After Cracking GPS Tracking Apps (https://motherboard.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps) Motherboard: This was a great story. A hacker found two GPS tracking apps that gave him the real-time locations of tens of thousands of vehicles. Worse, the hacker could remotely kill the engines in some of them. The apps, iTrack and ProTrack, have close to 30,000 users between them. All customers have a default PIN, so brute-forcing the usernames through an API with no rate limiting was a breeze. More: @lorenzoFB (https://twitter.com/lorenzofb/status/1121083840271921153)
** THE STUFF YOU MIGHT’VE MISSED
Loose online lips sink hack targeting governments and embassies (https://arstechnica.com/information-technology/2019/04/loose-online-lips-sink-hack-targeting-governments-and-embassies/) Ars Technica: Security researchers at Check Point found a hacking campaign targeting governments and embassies to gain full control of infected computers. But the command and control server was poorly secured, allowing researchers to look in and see periodically uploaded screenshots. Worse, the malware was traced back to a Russian-speaking hacker, dubbed EvaPiks. Given the forum the hacker was on is focused on carding, the researchers believe the campaign is financially motivated.
How Magecart hackers use browser-based threats (https://www.riskiq.com/blog/external-threat-management/browser-threat-malicious-injects/) RiskIQ: RiskIQ, which was first to dig into the Magecart hacker group and continues to do so, best known for infecting sites like British Airways (https://techcrunch.com/2018/09/11/british-airways-breach-caused-by-credit-card-skimming-malware-researchers-say/) with credit card skimming malware, has an explainer on how card skimmers break into websites. It’s not just card skimming — cryptocurrency miners also use these techniques. The research is behind a registration page, but it’s a good read nonetheless.
EU votes to create giant biometrics database (https://www.zdnet.com/article/eu-votes-to-create-gigantic-biometrics-database/) ZDNet: The European Parliament has voted to create a massive new biometrics database, known as the Common Identity Repository (PDF) (https://www.securityresearch-cou.eu/sites/default/files/02.Rinkens.Secure%20safe%20societies_EU%20interoperability_4-3_v1.0.pdf) . It’ll store over 350 million people’s records, aggregating other personal data for identifying people at the border. The U.S. has a similar system in place.
‘Blockchain bandit’ is guessing private keys and scoring millions (https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/) Wired ($): Someone — an unknown hacker — is guessing the private keys of Ethereum cryptocurrency wallets, reports @a_greenberg (https://twitter.com/a_greenberg) . Researchers found many users are storing their cryptocurrency with extremely poor passwords. Their findings, compiled in a paper (https://www.securityevaluators.com/casestudies/ethercombing/) , called the hacker a “blockchain bandit” for stealing thousands of virtual ether currency.
How will newsrooms handle hacked data in 2020? (https://www.cnn.com/2019/04/24/media/newsrooms-stolen-data/index.html) CNN: Given how the media were used by the Russians to digest and disseminate hacked information during the 2016 election, there’s a worry that the media haven’t learned from their mistakes the first time around. CNN asked a bunch of news organizations how they’ll handle hacked data, should any surface, during the upcoming election. MSNBC, NBC, and ABC all declined to comment and Fox didn’t respond, but several news organizations, like the AP and the WSJ, did — and it sounds like more thought is going into it this time.
Hackers breached Docker Hub, stealing private keys and tokens (https://motherboard.vice.com/en_us/article/7xgbzb/docker-hub-breach-hackers-stole-private-keys-tokens) Motherboard: Filed under “this is bad.” Many major companies use Docker Hub for their internal software development, but the company lost control of the access tokens of 190,000 accounts — which could have a lasting effect downstream if source code was accessed. @kennwhite (https://twitter.com/kennwhite/status/1122117406372057090) had a good tweet worth checking out, while @dcuthbert (https://twitter.com/dcuthbert/status/1122091098346786816?s=21) saw the email sent to customers and criticized Docker Hub for downplaying the attack. This is as serious as it gets.
Massachusetts blocks warrantless access to cell phone data (https://www.eff.org/deeplinks/2019/04/massachusetts-court-blocks-warrantless-access-real-time-cell-phone-location-data) EFF: A victory for Mass. residents! The EFF reports that the state’s Supreme Judicial Court ruled police must obtain a warrant to access real-time cell phone location data — “whether it comes from a phone company or from technology like a cell site simulator—intrudes on a person’s reasonable expectation of privacy.” The only exception is emergencies, and even then police must obtain a warrant after the fact or the information can’t be used in court.
** OTHER NEWSY NUGGETS
The CIA is now on Instagram. Edward Snowden explains why (https://www.theverge.com/2019/4/22/18511461/instagram-cia-gina-haspel-facebook-twitter-congress-social-media) This was a case of good timing — at least by the Motherboard guys, who virtually sat down with Edward Snowden (https://motherboard.vice.com/en_us/article/xwnznk/edward-snowden-explains-why-the-cia-just-made-an-instagram) in the same week that the CIA said it was joining Instagram (https://www.theverge.com/2019/4/22/18511461/instagram-cia-gina-haspel-facebook-twitter-congress-social-media) . It turns out showing you images of cute puppies makes them look better than had they showed you the aftermath of a drone strike. Makes sense, I guess.
A color print-out can help save you from facial recognition (https://www.technologyreview.com/f/613409/how-to-hide-from-the-ai-surveillance-state-with-a-color-printout/) It turns out you can confuse facial recognition engines — albeit in a very obvious way. A color printout can be enough to trick facial recognition systems into ignoring you, according to researchers from the Belgian university KU Leuven.
Nest hackers strike again (https://www.washingtonpost.com/technology/2019/04/23/how-nest-designed-keep-intruders-out-peoples-homes-effectively-allowed-hackers-get/?utm_term=.012bc025fb5d) The Washington Post ($) had a story this week about how a 3-year-old was inadvertently targeted by hackers who broke into a family’s Nest camera, which the family was also using as a baby monitor. It wasn’t a fancy hack: the hackers took advantage of the lack of two-factor authentication on the account. Unsurprisingly, Gizmodo was sounding the alarm about this months ago (https://gizmodo.com/google-should-make-two-factor-authentication-the-defaul-1832409728) .
Emotet has a new evasion technique (https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/) Trend Micro researchers came out with new findings about Emotet — recently linked to ransomware attacks (https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/) . The malware is now using compromised IoT devices as a proxy for traffic going back to Emotet’s command and control server. The report has more details, but it’s yet another reminder that insecure IoT devices should be fixed or scrapped.
DNS hacks are “attacks on critical infrastructure”: U.S. diplomat (https://www.cyberscoop.com/dns-hacks-robert-strayer-united-nations/) The recent attacks on DNS — not only DNSpionage (https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html) but also the newer Sea Turtle group (https://techcrunch.com/2019/04/17/sea-turtle-talos-dns-hijack/) — are “attacks on critical infrastructure,” according to Robert Strayer, deputy assistant secretary of State. They’re also a violation of the latest cyberwarfare agreement signed in 2015, said Cyberscoop, which reported on Strayer’s comments.
** THE HAPPY CORNER
@GossiTheDog (https://twitter.com/GossiTheDog/status/1120084599948890113) has a great tweet thread on working in infosec, and about the challenges many face — especially when you look at it through the lens of the Twitter bubble. “Don’t take the online stuff too seriously (Twitter is largely nonsense), find a company that doesn’t suck and you can help, and get to work,” he said.
I know each week this newsletter has a cybercat (coming up shortly) but @snlyngaas’ (https://twitter.com/snlyngaas/status/1121102119812124674) dog was too cute to pass up a mention.
Also, I met up with infosec hero @0xAmit (https://twitter.com/0xAmit/status/1122254114614927362) while I was in Washington DC this weekend. Two British dudes with beards, can you tell who’s who?
And last but not least: if you identify as a woman (including non-binary folks) and want to go to Def Con but funds are tight, @StephandSec (https://twitter.com/StephandSec/status/1122223790749102080) has your back. You can sign up for a WISP scholarship using the Google Form (https://docs.google.com/forms/d/e/1FAIpQLSepoTEs_glG6lIgVW1canaCGxzNGTFoIWhKW2e-FNlFU1y2iA/viewform) . A great opportunity. Also, the more people who sponsor the scholarship, the more women who can go. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) .
** THIS WEEK’S CYBER CAT
Meet this week’s cybercat, Indy, whose human is @ZakWinnick (https://twitter.com/zakwinnick?lang=en) . Indy practices good security hygiene by updating his iOS devices. Good job, Indy. You’re setting a fine example for us all. Send in your cybercats! They’ll always get featured — it’s just a matter of time. You can submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) .
** SUGGESTION BOX
It’s good to be back after a week off. As always, my suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open. Hope you have a great rest of your Sunday, and a good week.