this week in security — august 11 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 30.
** THIS WEEK, TL;DR
Critical U.S. election systems left exposed online (https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials) Motherboard: Election machine makers have one job. Well, two in fact — don’t screw up the vote, and don’t connect your systems to the internet. One very much rests on the other. Yet despite this, close to three dozen critical election systems in several swing states were left online and protected only by an out-of-date firewall. Another great election-system scoop by @kimzetter (https://twitter.com/kimzetter). Just read this in case you have any shred of faith left in U.S. election technology and want to feel as pissed off as the rest of us. More: @ronwyden (https://twitter.com/RonWyden/status/1159887387700236288) | @kimzetter (https://twitter.com/KimZetter/status/1159860847499288577) | Background: The New York Times ($) (https://www.nytimes.com/2018/02/21/magazine/the-myth-of-the-hacker-proof-voting-machine.html)
AT&T workers took $1 million in bribes to unlock 2 million phones (https://arstechnica.com/tech-policy/2019/08/att-employees-took-bribes-to-unlock-phones-and-plant-malware-doj-says/) Ars Technica: AT&T workers were bribed to help fraudsters and scammers to unlock two million phones. Two men were indicted for the scheme, which saw one man extradited from Hong Kong to the U.S. The fraudsters used malware (https://www.zdnet.com/article/at-t-employees-took-bribes-to-plant-malware-on-the-companys-network/) on internal AT&T systems to help unlock the devices and defraud the cell giant. More: Forbes (https://www.forbes.com/sites/thomasbrewster/2019/08/06/att-insiders-bribed-with-over-1-million-to-unlock-2-million-phones-and-hack-their-employer-doj-claims/#1da50e9cce1e)
Hackers can break into an iPhone just by sending a text (https://www.wired.com/story/imessage-interactionless-hacks-google-project-zero/) Wired ($): Dial the scream-o-meter up to “11.” Google’s Project Zero discovered a set of vulnerabilities in Apple’s iMessage — one of which relied on nothing more than sending a target a text message to break into an iPhone. “These can be turned into the sort of bugs that will execute code and be able to eventually be used for weaponized things like accessing your data,” said @natashenka (https://twitter.com/natashenka). She also blogged more (https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html) about the bugs. You can see more (https://twitter.com/maddiestone/status/1159227802681368576?s=21) about the bugs from her Def Con talk with colleague @5aelo (https://twitter.com/5aelo). The bugs would’ve earned the team a pretty sum under Apple’s bug bounty, which this week increased (https://techcrunch.com/2019/08/08/apple-hackers-macos-security/) its bounty payouts. More: Google Project Zero (https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html) | TechCrunch (https://techcrunch.com/2019/08/08/apple-hackers-macos-security/) | @maddiestone (https://twitter.com/maddiestone/status/1159227802681368576?s=21)
The fantastic @natashenka sharing the bugs that she and @5aelo found in iMessage. And closing it out with a demo of a “no hands required!” exploit. “Breaking your ASLR, please wait…”
Microsoft contractors are listening to some Skype calls (https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls) Motherboard: First Amazon, then Google and Apple, now Microsoft. All four have now been accused of using contractors to listen in to voice recordings — from smart speakers to Siri conversations, and now Skype calls in Microsoft’s case. Contractors listened to calls as part of Skype’s translation service, when most people assumed the company was using AI. (Hint: It wasn’t.) More: @josephfcox tweet thread (https://twitter.com/josephfcox/status/1159089406793224197)
Meet APT41, the Chinese hackers moonlighting for personal gain (https://www.cyberscoop.com/apt41-fireeye-china/) Cyberscoop: New research by FireEye has revealed a new threat group, APT41, which is believed to be made up of Chinese hackers who use sophisticated malware for personal gain. “Sometime after 2012, the group now labeled APT41 expanded from money-making campaigns to activity that was likely state-backed, according to FireEye. They then maintained a balance between their state-sponsored work and the financially-motivated moonlighting.” FireEye’s research is quite the read. More: FireEye (https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html) | Reuters (https://www.reuters.com/article/us-china-cyber-moonlighters/chinese-government-hackers-suspected-of-moonlighting-for-profit-idUSKCN1UX1JE)
Instagram’s let another startup scrape millions of locations, stories (https://www.businessinsider.com/startup-hyp3r-saving-instagram-users-stories-tracking-locations-2019-8) BBC News: This was solid reporting by Business Insider, but it is behind a paywall so you can’t read it. The BBC’s version is largely the same: Hyp3r, a San Francisco-based startup, was “scraping profiles, copying photos, and siphoning off data supposed to be deleted after 24 hours” as well as user locations. The startup violated Instagram’s policies, but Instagram’s crap approach to privacy practices — as we’ve seen before (https://techcrunch.com/2019/05/20/instagram-influencer-celebrity-accounts-scraped/) — allowed the scraping to happen in the first place. More: Business Insider ($) (https://www.businessinsider.com/startup-hyp3r-saving-instagram-users-stories-tracking-locations-2019-8)
CafePress tried to cover up data breach with a password reset (https://www.theregister.co.uk/2019/08/05/cafebreach_breach_23m_user_records/) The Register: Just a week after StockX tried to pull the same trick (https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/), CafePress also sent out a password reset in the hopes nobody would notice a data breach. Instead, @haveibeenpwned (https://twitter.com/haveibeenpwned/status/1158191148378181632) tweeted out the news to 23 million people, resulting in many realizing they had been duped. More: Have I Been Pwned (https://haveibeenpwned.com/PwnedWebsites#CafePress)
GDPR privacy law exploited to reveal personal data (https://www.bbc.com/news/technology-49252501) BBC News: About one in four companies revealed personal information to a woman’s partner, who had demanded the data by citing GDPR, Europe’s new-ish data privacy law, which grants citizens access to their own data. He pretended to be her and obtained her data (with her consent). Motherboard also has a write-up (https://www.vice.com/en_us/article/xwe8wz/researchers-show-how-europes-data-protection-laws-can-dox-people). “[The researcher] was able to get his fiancée’s Social Security Number, date of birth, mother’s maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services.” More: Motherboard (https://www.vice.com/en_us/article/xwe8wz/researchers-show-how-europes-data-protection-laws-can-dox-people) | The Register (https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/)
** THE STUFF YOU MIGHT’VE MISSED
U.S. military bought $32.8M of electronics with known security flaws (https://www.zdnet.com/article/us-military-purchased-32-8m-worth-of-electronics-with-known-security-risks/) ZDNet: The Pentagon spent millions on tech with known security vulnerabilities, from Lexmark printers to GoPro cameras and Lenovo computers, despite knowing about supply chain issues with the China-based company. “These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyber-espionage or launch a denial of service attack on a DoD network,” wrote the Pentagon’s inspector general. Lexmark denied the claims.
The scramble to secure America’s voting machines (https://www.politico.com/interactives/2019/election-security-americas-voting-machines/) Politico: This interactive map looks at 14 states and their counties where paperless voting devices are in use. These voting machines have no paper record for verification, which anyone in their right mind says is problematic, despite being in use by tens of millions of voters. This was a great bit of interactive journalism.
Skype, Slack, other Electron-based apps can be easily backdoored (https://arstechnica.com/information-technology/2019/08/skype-slack-other-electron-based-apps-can-be-easily-backdoored/) Ars Technica: Electron apps are popular — they include Skype, WhatsApp and Slack — but these apps have come under fire for various security issues. One researcher showed how a backdoored version of Microsoft Visual Studio Code sent the contents of every code tab opened to a remote website. Worse, Electron apps don’t trigger warnings, making it near-impossible to know if an app has been modified.
Picking the FB50 smart lock (https://icyphox.sh/blog/fb50/) Anirudh Oppiliappan: Another day, another dodgy smart lock. This time it’s the Shenzhen Dragon Brother FB50, which @icyphox (https://twitter.com/icyphox) says is easily hacked. It was easy to get an authenticated HTTP request to the lock. “You’re better off with the ‘dumb’ [locks] with keys,” he said. There are an estimated 15,000 FB50 smart locks out there.
New cars can be broken into in 10 seconds (https://www.bbc.com/news/business-49273028) BBC News: U.K. consumer magazine Which? did a bunch of research into keyless cars. Some models have vulnerable systems and can be exploited by thieves. One car could be broken into in just 10 seconds. This video (https://www.youtube.com/watch?v=sE2Uxxtci-4&feature=youtu.be) explains the flaw.
North Korea took $2B in cyberattacks to fund weapons program (https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX) Reuters: A leaked U.N. report says North Korea has generated about $2 billion in proceeds from cyberattacks on banks and cryptocurrency exchanges. It’s part of the North’s efforts to fund its ICBM missile program amid sanctions from all corners of the world.
U.S. government’s relationship with ethical hackers has improved (https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/06/the-cybersecurity-202-the-government-s-relationship-with-ethical-hackers-has-improved-security-experts-say/5d48a4bf88e0fa1454f8019a/) Washington Post ($): Some 72 percent of experts who responded to an informal survey by The Washington Post said they thought the relationship between the ethical hacking community and the U.S. government has improved since 2013, when NSA director Keith Alexander addressed the Black Hat conference for the first time post-Snowden. The government has embraced bug bounties, its officials attend conferences, and ethical hackers are playing nicer, too, say the respondents. Interesting reading. You can see some of the experts. And there’s a tl;dr thread (https://twitter.com/Joseph_Marks_/status/1158768624854683649?s=20) on Twitter.
Another speculative execution vulnerability fixed (https://www.bleepingcomputer.com/news/security/swapgs-vulnerability-in-modern-cpus-fixed-in-windows-linux-chromeos/) Bleeping Computer: A new Spectre variant 1 speculative execution side-channel attack has been found. First reported by Bitdefender in August 2018, the details are only just out this week. Microsoft took over the coordination of the vulnerability, which was found in Intel CPUs. Microsoft rolled out patches for the bugs in July, according to its security advisory (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125).
A multi-millionaire surveillance dealer steps out of the shadows (https://www.forbes.com/sites/thomasbrewster/2019/08/05/a-multimillionaire-surveillance-dealer-steps-out-of-the-shadows-and-his-9-million-whatsapp-hacking-van/) Forbes: @iblametom (https://twitter.com/iblametom) got unprecedented access to Tal Dillian, a normally secretive man who runs a mobile malware surveillance shop. He says he’s able to obtain WhatsApp messages from nearby devices and more. “Every 15 minutes, he can know where you are,” he says. “This is, after all, a market that’s been linked to snooping on murdered Saudi journalist Jamal Khashoggi, not to mention attacks on human rights lawyers and activists in London, Mexico, the U.A.E. and beyond,” writes Brewster.
Steam flaw in Windows client affects millions (https://amonitoring.ru/article/steamclient-0day/) Amonitoring: A privilege escalation bug in Steam’s Windows client was rejected by HackerOne, even though it made it possible to run any malicious app with system privileges. The researcher was forced to drop the flaw as a zero-day.
** OTHER NEWSY NUGGETS
Inside the hidden world of elevator phone phreaking (https://www.wired.com/story/elevator-phone-phreaking-defcon/) Wired ($) has another story on elevator phone phreaking — yes, that thing hackers used to do in the ’80s. Turns out many elevators are still susceptible to hackers listening in. “I can dial into an elevator phone, listen in on private conversations, reprogram the phone so that if someone hits it in an emergency it calls a number of my choosing,” said freelance researcher Will Caruana.
Monzo said it wasn’t storing 480,000 customer PINs safely (https://techcrunch.com/2019/08/05/monzo-says-it-wasnt-storing-some-customer-pins-correctly-but-has-now-fixed-the-bug/) Monzo, the digital-only bank, said it inadvertently stored “some” customer PINs in plaintext. Turns out “some,” according to The Guardian, is about (https://www.theguardian.com/business/2019/aug/05/monzo-urges-480000-customers-to-change-their-pin-numbers) 480,000 customers, or about one-fifth of its entire customer base. The security lapse meant that some customer PINs were simultaneously stored in encrypted log files accessible by certain Monzo staff. Monzo said in a blog post (https://monzo.com/blog/2019/08/05/weve-fixed-an-issue-storing-some-customers-pins) that it has messaged everyone affected.
Indian court trying to get WhatsApp to break its encryption (https://www.buzzfeednews.com/article/pranavdixit/whatsapp-is-fighting-to-keep-indias-government-out-of-your) An Indian court wants WhatsApp to punch a backdoor in its end-to-end encryption. The Facebook-owned company has already submitted a court filing saying its encryption is essential for those in India to operate and function “without fear of surveillance or retaliation.” Here’s a tl;dr tweet thread by @PranavDixit (https://twitter.com/PranavDixit/status/1158757514596368386?s=20).
Group dating app 3Fun exposed sensitive data on 1.5 million users (https://techcrunch.com/2019/08/08/group-dating-app-3fun-security-flaws/) 3Fun, a threesome dating app, exposed its 1.5 million users by not securing its API properly, allowing anyone to intercept and change their geolocation and spoof it anywhere — from the White House to the CIA — and see who’s there. The app was leaking users’ precise location, photos and other personal details of any nearby user. (Disclosure: This was one of my stories this week.) BBC News also did a story (https://www.bbc.com/news/technology-49265245) on gay dating apps that are leaking user locations. More: Pen Test Partners (https://www.pentestpartners.com/security-blog/group-sex-app-leaks-locations-pictures-and-other-personal-details-identifies-users-in-white-house-and-supreme-court/)
A model hospital where the devices get hacked — on purpose (https://www.wired.com/story/defcon-medical-device-village-hacking-hospital/) @lilyhnewman (https://twitter.com/lilyhnewman?lang=en) has a story over at Wired ($) looking at a model hospital at Def Con, where hackers focus on tapping into and breaking medical devices and implants.
Kaspersky software still on U.S. government computers two years after ban (https://www.forbes.com/sites/thomasbrewster/2019/08/08/exclusive-kaspersky-software-lingers-on-sensitive-government-systems-2-years-after-us-ban/#5974b874381c) Two years ago the U.S. government banned Kaspersky software on its computers over fears it was (or at least could be) sending classified data back to Moscow, where the antivirus maker is based. But new research says the government — and over a dozen contractors — are still reliant on the antivirus software.
Twitter admits to another adtech data leak (https://techcrunch.com/2019/08/07/twitter-fesses-up-to-more-adtech-leaks/) Twitter has disclosed more bugs related to how it uses personal data for ad targeting, which means it may have shared users’ data with advertising partners even when a user had expressly told it not to. “If a Twitter user clicked or viewed an ad for a mobile application on the platform and subsequently interacted with the mobile app Twitter says it ‘may have shared certain data (e.g., country code; if you engaged with the ad and when; information about the ad, etc)’ with its ad measurement and advertising partners — regardless of whether the user had agreed their personal data could be shared in this way.”
SimpliSafe’s home security system can be compromised with a $2 keyfob (https://www.theverge.com/2019/8/7/20758529/simplisafe-home-security-system-flaw-compromise-lockpickinglawyer) This is embarrassing — SimpliSafe’s home security system can be disabled with a $2 wireless emitter because the base station relies on the 433.92MHz frequency, which is also popular among baby monitors and garage door openers. SimpliSafe said it was unrealistic. The researcher responded with some harsh words of his own.
Data breach reporter hit by bogus Indian lawsuit (https://www.databreaches.net/a-misconfigured-aws-bucket-exposed-personal-and-counseling-logs-of-almost-300000-indian-employees/) Dissent Doe (https://twitter.com/PogoWasRight), collator and collector of data breach stories, reported on a data exposure at 1to1Help (https://www.1to1help.net/), an Indian employee assistance company. The company tried to get an injunction to prevent Doe’s disclosure. Turns out, they were successful — in getting the injunction at least. She had posted days earlier. Ars Technica has a good write-up (https://arstechnica.com/tech-policy/2019/08/blogger-says-she-got-an-injunction-for-a-post-published-five-days-earlier/) of the situation. But whatever you do, don’t read this DataBreaches.net story (https://www.databreaches.net/a-misconfigured-aws-bucket-exposed-personal-and-counseling-logs-of-almost-300000-indian-employees/). Definitely don’t share it on all of your social media channels. It would really piss off the company. And we wouldn’t want that, would we (https://twitter.com/zackwhittaker/status/1159258716224524293?s=21)?
** THE HAPPY CORNER
There’s a lot in the happy corner this week.
Next time someone criticizes you because of your hair or style, you can kick their ass by succeeding in ways they can only imagine. Which is exactly what this fantastic tweet by @ComradEeevee (https://twitter.com/comradeeevee/status/1158419821882748929?s=21) teaches us.
@MalwareJake (https://twitter.com/MalwareJake/status/1159169681401364480) has a tweet thread reminding us all to be safe and mindful when we’re out and about, especially in Vegas, after he was drugged by some creep. Be good to one another, and never be afraid to ask for help. It’s literally what hackers do.
There’s a gig going at the FTC as technology fellow. It’s an incredibly important position, as noted by @MChrisRiley (https://twitter.com/MChrisRiley/status/1159512765515460608?s=20) . You can apply here [PDF] (https://www.ftc.gov/system/files/attachments/careers-bureau-competition/ttf_technology_fellow_description_0.pdf) — and you should! It’s DC-based, but don’t let that put you off.
And a big round of applause for hero of the hour @dguido (https://twitter.com/dguido/status/1159634281339265024?s=20) for calling bullshit on an obvious snake-oil talk — oh, and for getting kicked out of the Black Hat talk as a result. You can read more (https://www.vice.com/en_us/article/8xw9kp/black-hat-talk-about-time-ai-causes-uproar-is-deleted-by-conference) about the talk at Motherboard, and watch Guido heckling here (https://twitter.com/dguido/status/1159579063540805632?s=12). Totally worth it. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place).
** THIS WEEK’S CYBER CAT
Meet Siber, short for Siberia. “We were working on a project in Russia, and asked our friend what the word for snow is. Turns out the Russians have dozens of words for snow, so we settled on Siberia,” said his human @davelafontaine (http://twitter.com/davelafontaine). Here is Siber meowing in frustration because his phishing efforts never involve tuna. (You may need to enable images in this email.) If you want your cybercat featured, please submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20). Your cybercats will always be featured in an upcoming newsletter. Please send them in!
** SUGGESTION BOX
And that’s a wrap for this week. Please drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). If you went, I hope you had a great time at Hacker Summer Camp and safe travels for your return home. See you again next Sunday.