this week in security — april 7 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 14.
** THIS WEEK, TL;DR
Former NSA Spies Hacked Media Figures for UAE (https://www.reuters.com/investigates/special-report/usa-raven-media/) Reuters: A big story this week. Reuters reports that former NSA spies working as surveillance mercenaries for the United Arab Emirates were paid more than $200,000 to implant the iPhones of important media figures in Qatar, a major U.S. military stronghold, following recent diplomatic conflicts. There were several other incidents around that time — including an attack on Al Jazeera. This is the latest in Reuters' series on the Project Raven group of U.S. hackers. More: Reuters Video (https://twitter.com/Reuters/status/1112780415884881922) | @bing_chris tweet thread (https://twitter.com/Bing_Chris/status/1112742196262916096) | @josephfcox (https://twitter.com/josephfcox/status/1112745952337633280)
Hacker Eva Galperin Has a Plan to Eradicate Stalkerware (https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/) Wired ($): Eva Galperin, head of EFF's Threat Lab, "got really mad and decided to kill an entire industry" — stalkerware, one of the worst industries of all. She sat down with @a_greenberg (http://twitter.com/a_greenberg) to talk about the non-profit's new cybersecurity lab and how they plan to kill stalkerware, which chiefly allows spouses to spy on their partners. She's calling on antivirus makers to take the matter more seriously — some already are (https://motherboard.vice.com/en_us/article/vbw9g8/kaspersky-lab-alert-stalkerware-domestic-abuse) — and wants other tech giants to step up to help. "It would be nice to see some people go to jail," she said. More: Motherboard (https://motherboard.vice.com/en_us/article/vbw9g8/kaspersky-lab-alert-stalkerware-domestic-abuse) | EFF (https://www.eff.org/deeplinks/2019/04/effs-new-threat-lab-dives-deep-surveillance-technologies-and-their-use-and-abuse) | @evacide (https://twitter.com/evacide/status/1113498477542039559)
Facebook Asks Amazon To Remove Exposed Data From Third-Parties (https://www.bloomberg.com/news/articles/2019-04-03/millions-of-facebook-records-found-on-amazon-cloud-servers) Bloomberg: Two Facebook apps built by Mexico-based digital media company Cultura Colectiva and defunct California-based app maker At The Pool between them exposed more than 540 million Facebook records in publicly accessible Amazon S3 storage. The data was found by UpGuard's @VickerySec (https://twitter.com/VickerySec). Bloomberg alerted Facebook to the data, and Facebook asked Amazon to pull it offline. Granted, this wasn't a Facebook breach — which makes a change — but embarrassing for the company nonetheless. More: UpGuard (https://www.upguard.com/breaches/facebook-user-data-leak) | @josephfcox (https://twitter.com/josephfcox/status/1114170527227183104)
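A quick aside for anyone who runs S3 themselves, as an added example that is not from the UpGuard or Bloomberg reporting and not code from the newsletter: buckets like these usually end up world-readable in one of two ways, a bucket policy whose Principal is "*" with list/get permissions, or an ACL grant to the AllUsers group. The Python below checks a bucket policy document and an ACL grant list for exactly that, offline, on constructed sample inputs. The bucket names, account ID and policy contents are invented and say nothing about how the real buckets in the story were configured.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous read/list access.

Added example, not code from the newsletter or from UpGuard. The sample
policies and ACL below are constructed and do not describe the real buckets.
"""
import fnmatch
import json

# Actions that let an anonymous caller enumerate or fetch objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

# Grantee group URIs that make an ACL grant effectively public.
# AuthenticatedUsers means *any* AWS account, not just yours.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _grants_read(action_pattern):
    """Does this Action entry cover GetObject or ListBucket? Handles s3:*, s3:Get*, *."""
    pattern = action_pattern.lower()
    return any(fnmatch.fnmatchcase(read, pattern) for read in READ_ACTIONS)


def find_public_read_statements(policy_document):
    """Return Allow statements that give anonymous principals read/list access.

    Only Allow statements are inspected: an explicit Deny elsewhere, or the
    account/bucket Block Public Access settings, are not evaluated here. Treat
    a hit as "needs review" and an empty result as "this policy alone is fine".
    """
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        read_actions = [a for a in _as_list(stmt.get("Action")) if _grants_read(a)]
        if not read_actions:
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": read_actions,
            "resources": _as_list(stmt.get("Resource")),
            # A Condition (e.g. aws:SourceVpc) may narrow the grant; still flag it.
            "conditional": "Condition" in stmt,
        })
    return findings


def find_public_acl_grants(grants):
    """Return ACL grants (shape of get_bucket_acl()['Grants']) to the public groups."""
    return [
        g for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS
    ]


# --- constructed samples (hypothetical bucket, account ID and role) ---
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LeakyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-exports", "arn:aws:s3:::example-app-exports/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-exports", "arn:aws:s3:::example-app-exports/*"],
    }],
})

PUBLIC_READ_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_read_statements(doc))
    print("acl", find_public_acl_grants(PUBLIC_READ_ACL))
```

In practice you would feed this the output of `get_bucket_policy` and `get_bucket_acl` for every bucket in the account, and pair it with Block Public Access turned on at the account level, which overrides both mechanisms and is the setting that would have made this week's story a non-event.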
Apple Engineer Files Complaint After CBP Border Search (https://medium.com/@andreasgal/no-one-should-have-to-travel-in-fear-b2bff4c460e5) Medium: A naturalized U.S. citizen working for Apple was stopped at the border and was told to unlock his devices. He didn't — largely because the NDA that Apple made him sign was probably worse to violate than the law(!) He filed a complaint against the agency with help from the ACLU. Even that came under some scrutiny. There's an interesting thread between security reporter @kimzetter (https://twitter.com/kimzetter) and lawyer @orinkerr (https://twitter.com/orinkerr), which you can read here (https://twitter.com/kimzetter/status/1113170260247494658?s=21). More: @andreasgal (https://twitter.com/OrinKerr/status/1113185175272394754) | ACLU complaint (PDF) (https://www.aclunc.org/docs/ACLU-NC_2019-03-28_Letter_re._Electronic_Device_Search_SFO.pdf)
SamSam Outbreak Led To FBI Restructuring (https://www.cyberscoop.com/samsam-investigation-fbi-tonya-ugoretz/) Cyberscoop: An interesting one: the SamSam ransomware (remember the City of Atlanta (https://www.zdnet.com/article/atlanta-hit-by-ransomware-attack-also-fell-victim-to-leaked-nsa-exploits/) ?) was so prevalent that the FBI had to rejig its entire investigative structure to centralize its anti-SamSam resources. Nowadays, FBI headquarters pieces all of that intelligence together and shares it with other agencies, said Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division. The two behind SamSam were indicted last year (https://www.cyberscoop.com/samsam-ransomware-indictment-iran-mansouri-savandi/) but still operate. Background: TechCrunch (https://techcrunch.com/2018/11/28/justice-department-indicts-two-iranians-over-samsam-ransomware-attacks/) | ZDNet (https://www.zdnet.com/article/this-destructive-ransomware-has-made-crooks-6m-by-encrypting-data-and-backups/)
Arizona Beverages Knocked Offline By Ransomware (https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/) TechCrunch: Iced tea giant Arizona Beverages is slowly recovering after a massive ransomware attack. The iEncrypt strike hit weeks after the FBI warned of an existing Dridex infection, believed to be the delivery system for the ransomware, according to a source who spoke to me. It took the company five days before incident response was called in — not good. Nobody at the company has responded to my requests for comment. (Disclosure: I wrote this!) More: @zackwhittaker tweet thread (https://twitter.com/zackwhittaker/status/1113130405425790976)
Former Senate Staffer Doxxed Five Senators on Wikipedia (LINK) The Verge: Jackson Cosko, a 27-year-old former staffer in Sen. Maggie Hassan's office, pleaded guilty to breaking into his former employer's office and posting private information online. According to The Verge, "he retaliated by using a key from another employee (who was later fired) to break into his old workplace at least four times, installing keyloggers on computers and using stolen login credentials to download gigabytes of data." The DOJ confirmed the charges (https://www.justice.gov/usao-dc/pr/man-pleads-guilty-charges-stealing-senate-information-illegally-posting-restricted) in a press release. He could get more than four years in prison. More: Justice Department (https://www.justice.gov/usao-dc/pr/man-pleads-guilty-charges-stealing-senate-information-illegally-posting-restricted) ~ ~
** THE STUFF YOU MIGHT'VE MISSED
Utah becomes first state to require warrants for third-party data (https://epic.org/2019/04/utah-becomes-first-state-to-re.html) EPIC: Utah now requires police and law enforcement to get a warrant before obtaining certain third-party data, such as from wireless providers, email providers and other internet companies, raising the legal bar needed to authorize the request. It's the first state to pass such a law in the aftermath of the Carpenter v. US decision last year. The National Law Review (https://www.natlawreview.com/article/utah-first-state-to-require-warrant-third-party-data) has more on the implications.
Researcher prints 'PWNED!' on GPS watch map over unfixed bug (https://www.zdnet.com/article/researcher-prints-pwned-on-hundreds-of-gps-watches-maps-due-to-unfixed-api/) ZDNet: I love it when security researchers get mildly (key word!) pissed off when companies fail to fix flaws. A German security researcher printed the word "PWNED" in giant letters on a map after Austrian GPS watch maker Vidimensio didn't fix an unauthenticated API bug. @campuscodi (https://twitter.com/campuscodi) reports for ZDNet.
FBI has deficiencies in how companies are told they've been breached (https://www.cyberscoop.com/fbi-inspector-general-breach-notification-report/) Cyberscoop: A report by the Justice Department's watchdog found (PDF) (https://oig.justice.gov/press/2019/2019-04-01.pdf) the FBI's Cyber Guardian system, which is supposed to disseminate security breach warnings, was almost never used. "We found that 29 of 31 field agents we interviewed do not use the 'Victim Notification' lead type when setting leads for victim notification. Five of the agents had not even heard of it," wrote the report. Don't blame the agents entirely — the system is crap, and difficult to use, the watchdog said.
UK gives former teenage hackers a second chance — at a (low) price (https://www.bbc.co.uk/news/uk-england-devon-46757849) BBC News: Former teenage hackers have been given a second chance after run-ins with the police, thanks to a company that employs young people who could've continued on a path of cybercrime. The company, Bluescreen, also employs those on the autistic spectrum — definitely good for those who might struggle in more typical employment circumstances. The BBC has a great write-up (https://www.bbc.co.uk/news/uk-england-devon-46757849) about it. But as noted by some like @TheKenMunroShow (https://twitter.com/TheKenMunroShow), they're paid a sub-par wage for what they do — about £650 per month, or about $850. Get them security clearance and pay them more, and they might just fill some of the U.K.'s much-needed cyber gap. ~ ~
** OTHER NEWSY NUGGETS
Facebook realizes asking for email passwords wasn't a smart idea Facebook has said it'll no longer ask new users for the password to their email account to verify their Facebook account. Yeah, because they were doing that in the first place! @inafried (https://twitter.com/inafried) reports for Axios: Facebook used the access — but didn't store the passwords (allegedly (https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/)) — to confirm accounts were real. But then Facebook got called out and realized it was a stupid idea.
Xiaomi ironically preinstalled buggy security app on millions of phones Xiaomi, the fourth largest phone maker, preinstalled an app designed to protect devices on millions of phones. Just one problem: the software had a bug, putting users at risk (https://threatpost.com/this-preinstalled-mobile-security-app-delivered-vulnerabilities-not-protection/143468/) . The app was vulnerable to a man-in-the-middle attack, so somewhat limited in the attack scope, but could be exploited to run code on the device, reports Check Point (https://blog.checkpoint.com/2019/04/04/xiaomi-vulnerability-when-security-is-not-what-it-seems/) .
Finding and sinking a massive spam operation @MayhemDayOne (https://twitter.com/MayhemDayOne) found an exposed database running a massive spam operation and, with the help of the hosting provider, we sank the server to prevent it being used again. You can read my story here (https://techcrunch.com/2019/04/02/inside-a-spam-operation/). This story was a rare look at the inside operations of a spam campaign — and exactly how it worked. Out of five million emails sent in ten days, some 100,000 people clicked through. That's a really bad ratio for a marketing campaign but great for a spammer. I posted screenshots of the Kibana dashboard and other items found on the database. Bob Diachenko also wrote up his findings (https://securitydiscovery.com/massive-spam-operation-uncovered-in-a-database-leak).
When malware doesn't cut it, take the easier approach FireEye said in its latest report (https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html) that the FIN6 crime group, focused mostly on hacking point-of-sale devices, is shifting business strategy into ransomware, serving Ryuk specifically. Looks like it's paying off: FireEye said: "We have traced these intrusions back to July 2018, and they have reportedly cost victims tens of millions of dollars."
GCHQ reveals secret London office — which everyone knew about You can't keep much from the Brits (says the Brit). GCHQ, the U.K.'s electronic eavesdropping agency, finally(!) confirmed (https://www.bbc.com/news/uk-england-london-47819408) it had a London office — as it was doing an Irish exit. The office block sandwiched between a pub and a Starbucks was an open secret among locals for years, but it didn't stop the agency from declaring it as revealing a "secret." (https://twitter.com/GCHQ/status/1114081884668080129) Oh sweet spies, if only you knew what we know. ~ ~
** THE HAPPY CORNER
Finally, some good news.
This week, @mrisher (https://twitter.com/mrisher) gave us a good tweet thread on why security keys are so important. Read his entire tweet thread here (https://twitter.com/mrisher/status/1111651130570792962). They save you from phishing, credential stuffing, and more. "Phishing is the silent killer," he said. He's right. Two-factor all the things!
Read this excellent tweet (https://twitter.com/gattaca/status/1114288707069022208) from Dave Lewis (https://twitter.com/gattaca/status/1114288707069022208) on why you shouldn't be an asshole at the airport — or anywhere. (Security folk are everywhere.)
And, this wholesome a.f. tweet (https://twitter.com/marciahofmann/status/1114256552750280705?s=21) by everyone's favorite computer rights defender @marciahofmann (https://twitter.com/marciahofmann) literally made my Friday. Nothing makes a job in academia more worthwhile than having a student fall "in love" with even the driest of internet law. I can't tell you how much joy this tweet brought me. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place). ~ ~
** THIS WEEK'S CYBER CAT
This week's cybercat is Killer, the famous FDNY @station57cat (https://www.instagram.com/station57cat/) , not too far from where yours truly lives in New York. She was recently diagnosed (https://www.instagram.com/p/Bu_ivBKFHbi/) with cancer and is undergoing treatment. We wish her the best and all the love in the world. (You may need to enable images in this email.) Please send in your cybercats! The more the merrier. They will always be featured — it's just a matter of time. Submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . ~ ~
** SUGGESTION BOX
That's it for now. Thanks for reading — hope it was useful. The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open as usual. Take care and have a great week. ~ ~