this week in security — august 18 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 32.
** THIS WEEK, TL;DR
A look at the Windows 10 exploit Google Zero found this week (https://arstechnica.com/information-technology/2019/08/a-look-at-the-windows-10-exploit-google-zero-disclosed-this-week/) Ars Technica: A privilege escalation bug found in Windows has been lurking for more than 20 years, but finally got fixed this week. The bug, found by Google’s Project Zero, could’ve allowed an attacker to gain system/root privileges by exploiting a flaw in Microsoft’s Text Services Framework. More: Project Zero (https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html) | MSRC (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162)
Hackers found serious flaws in a U.S. military fighter jet (https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/14/the-cybersecurity-202-hackers-just-found-serious-vulnerabilities-in-a-u-s-military-fighter-jet/5d53111988e0fa79e5481f68/) Washington Post ($): From Def Con, several highly vetted hackers tried — and succeeded(!) — in sabotaging a U.S. military fighter jet. It’s the first time hackers were allowed access to a critical F-15 system. They soon found a vulnerability that could’ve shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight. The Air Force admitted that it was expecting some of the worst flaws after “decades of neglect” of cybersecurity as a key issue. More: @Joseph_Marks (https://twitter.com/Joseph_Marks_/status/11616653045664358401)
U.S. spy chief asks Congress to reauthorize NSA call records program (https://www.nytimes.com/2019/08/15/us/politics/trump-nsa-call-records-program.html) The New York Times ($): In his last act as U.S. spy chief, Dan Coats asked Congress to reauthorize the recently suspended (https://techcrunch.com/2019/06/26/nsa-improper-phone-records-collection/) NSA call records collection program after several issues of massive inadvertent over-collection. The legal authority — Section 215 of the Patriot Act — expires at the end of the year. It’s the same call records program that Edward Snowden disclosed — which saw Verizon turn over daily records of its customer call logs to the NSA. Coats suggested that, despite the legal issues, the call records program might one day prove useful again. Background: Associated Press (https://www.apnews.com/c87c6b215d22436699dbc57ce6dda63d) | Reuters (https://www.reuters.com/article/us-usa-cyber-surveillance/spy-agency-nsa-triples-collection-of-u-s-phone-records-official-report-idUSKBN1I52FR)
Hacker site’s incriminating database published online by rival group (https://arstechnica.com/information-technology/2019/08/hacker-sites-incriminating-database-published-online-by-rival-group/) Ars Technica: Hacker turf war, commence: Hackers from Raidforums recently hit the site of rival hacking forum Cracked.to, spilling 321,000 records on its members. Have I Been Pwned reported (https://haveibeenpwned.com/PwnedWebsites#CrackedTO) the breach. It contained private messages, along with usernames, email addresses and IP addresses of buyers. It’s an example of how “blatantly” the fraud economy operates, according to cybercrime expert @ThirdEmily (https://twitter.com/thirdemily/status/1161267275846094849). More: @haveibeenpwned (https://twitter.com/haveibeenpwned/status/1160875855268208647)
DeVos-linked adoption agency exposed children’s medical data (https://www.vice.com/en_us/article/vb5myx/devos-linked-adoption-agency-exposed-highly-sensitive-childrens-medical-data) Motherboard: Bethany Christian Services, one of the nation’s largest adoption agencies, left highly sensitive medical data on dozens of children on its website without a password, according to @josephfcox (https://twitter.com/josephfcox). The charity is linked to the family of U.S. education secretary Betsy DeVos. More: @jason_koebler (https://twitter.com/jason_koebler/status/1162066652105756672)
ECB shuts down website after hack (https://www.reuters.com/article/us-ecb-cyber/ecb-shuts-down-one-of-its-websites-after-hacker-attack-idUSKCN1V51N0) Reuters: The European Central Bank shut down one of its websites this week after it was hacked. Its Banks’ Integrated Reporting Dictionary (BIRD) website provides bankers with information on how to produce financial reports. But malware injected into the site allowed the hackers to scrape names, email addresses, and the titles of subscribers. The breach came to light during maintenance work, according to the ECB, and dated back to December 2018. More: ECB (https://www.ecb.europa.eu/press/pr/date/2019/html/ecb.pr190815~b1662300c5.en.html)
Cybercom has posted malware linked to North Korea (https://techcrunch.com/2019/08/15/cyber-command-north-korea-malware/) TechCrunch: U.S. Cyber Command, the NSA’s sister agency, has released a set of new samples of malware linked to North Korean hackers. The offensive security military unit posted the malware belonging to APT38, a group linked to but entirely separate from the Lazarus Group, which the U.S. blamed for the WannaCry attack in 2017. The malware in question, Electric Fish, allows data to be exfiltrated from a network back to a server run by the malware operator. (Disclosure: I wrote this story.) More: @CNMF_VirusAlert (https://twitter.com/CNMF_VirusAlert/status/1161727314658562048) | Background: US-CERT (https://www.us-cert.gov/ncas/analysis-reports/AR19-129A) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
New attack exploits a serious Bluetooth bug to intercept sensitive data (https://arstechnica.com/information-technology/2019/08/new-attack-exploiting-serious-bluetooth-weakness-can-intercept-sensitive-data/) Ars Technica: The hilariously named KNOB attack, named after the key negotiation of Bluetooth, forces devices to use encryption keys that are easy to break. Attackers within radio range can then use commodity hardware to quickly crack the key. From there, attackers can use the cracked key to decrypt data passing between the devices.
4G hotspots are a hot mess of security flaws (https://www.pentestpartners.com/security-blog/reverse-engineering-4g-hotspots-for-fun-bugs-and-net-financial-loss/) Pen Test Partners: The latest findings from the British pen test crew show 4G hotspots are a mess. Several hotspots contained pre- and post-auth command injection and code execution flaws. One hotspot made by ZTE was apparently end of life and wouldn’t get fixed — even though it was still being sold on its online store. Devices made by Netgear, Huawei and TP-Link also had issues.
Huge survey of firmware finds no security gains in 15 years (https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/) Security Ledger: Here’s a great deep-dive: a massive survey of more than 6,000 firmware images spanning over a decade finds “no improvement” in security and lax standards for the software by Linksys, Netgear and many more. “Nobody is trying,” said Sarah Zatko, who carried out the testing. “There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products,” she said. You should really read this entire thing — we have a long way to go before firmware is even close to being bug free. It’s a pretty dismal picture for what is essentially at the heart of all our networking gear.
Rare interview with NSA chief Gen. Paul Nakasone (https://www.npr.org/2019/08/14/751048230/new-nsa-task-force-takes-on-russian-election-interference) NPR: Meet the Russia Small Group. It’s a task force that’s hacked into ISIS servers, locked fighters out of their social media accounts, and shut down networks used to distribute propaganda. This small NSA team is using offensive operations to shut down criminal and terrorist enterprises.
Apparently the NSA uses Slack but won’t say why (https://www.vice.com/en_us/article/59np93/fearful-of-americas-enemies-the-nsa-refuses-to-tell-us-the-name-of-its-slack) Motherboard: Speaking of the NSA… why does the NSA use Slack? The intelligence agency admits to using the app but refuses to say why. Slack does allow enterprises to hold onto their encryption keys so it makes sense, but the NSA won’t reveal for what reason it uses the all-consuming work chat, according to FOIA documents. “We were hoping to get the name of the Slack in part so that we could then ask for the names of the channels in use in it, and so glean a bit of insight into what NSA staffers do all day.”
NYC has hired hackers to hit back at stalkerware (https://www.technologyreview.com/s/614168/nyc-hires-hackers-to-hit-back-at-stalkerware/) MIT Technology Review ($): This is an initiative we can all get behind: A New York City government pilot program is bringing technologists in to help domestic violence and abuse victims who are targeted by stalkerware — apps that secretly record voice, video and locations of their victims. The city program developed the ISDi tool (https://github.com/stopipv/isdi) designed to spot stalkerware where most antimalware solutions don’t. ~ ~
** OTHER NEWSY NUGGETS
Stop doxing yourself with your pet photos (https://gizmodo.com/stop-doxing-yourself-with-your-pet-photos-1837313790) Some great opsec advice from @dellcam (https://twitter.com/dellcam). Every time you post a photo of your pupper, make sure you’re not accidentally also disclosing your phone number — which is more often than not on a tag around your dog’s neck. Dogs are cute, but don’t let them dox you.
Humans listen to voice recordings. Why don’t tech companies say that? (LINK) This great BuzzFeed (https://www.buzzfeednews.com/article/nicolenguyen/human-review-voice-assistant-recordings) report explains that machine learning and artificial intelligence aren’t as great as we think they are — it’s humans that listen to recordings and verify what we ask of our computers. Microsoft was forced to update its privacy policy (https://www.vice.com/en_us/article/qvgpkv/microsoft-updates-privacy-policy-admits-humans-listen-to-cortana-skype) to state this after Vice caught out Skype using contractors to listen to some Skype calls and Cortana requests. It comes in the same week that Facebook Messenger also had data siphoned off (https://www.bloomberg.com/news/articles/2019-08-13/facebook-paid-hundreds-of-contractors-to-transcribe-users-audio) to contractors. Some said voice recordings of users talking to other users were more invasive (https://twitter.com/petersterne/status/1161730218790461440) than recordings of users talking to smart speakers.
Feds plan to use SecureDrop as a vulnerability reporting portal (https://www.cyberscoop.com/securedrop-dhs-vulnerability-disclosure-def-con/) Great news for SecureDrop, the whistleblowing reporting platform — now even the feds want to use it. Cyberscoop reports that the government wants to allow people to report security flaws with the utmost level of security. SecureDrop allows news outlets to receive anonymous tips while protecting the source. It’s hoped that Homeland Security’s CISA unit can do the same but with security flaws. ~ ~
** THE HAPPY CORNER
There has been so much good news this week.
First and foremost, a big congrats to @IanColdwater (https://twitter.com/iancoldwater/status/1160689060228108288?s=21) and @JasonStinson612 (https://twitter.com/JasonStinson612) who only went and got married at Def Con! May you two have many, many happy years together. This was almost certainly the best news to come out of summercamp. (Also, I love the tiara (https://twitter.com/k8em0/status/1160681064894832640?s=21).)
Here’s everyone’s favorite cyber-congressman @tedlieu (https://twitter.com/tedlieu/status/1160610517754368001?s=21) at Def Con learning how to pick a lock. How awesome is that? Lieu is one of the few congresspeople with a computer science background — and to see him get involved is a huge step for normalizing hacking, especially from a legislator.
And just for laughs — what happens when you get a license plate as ‘NULL’? Turns out you get a hell of a lot of tickets (https://knrs.iheart.com/content/2019-08-12-clever-vanity-license-plate-backfires-on-man-winds-up-with-tons-of-tickets/). The owner thought it’d make him invisible to traffic tickets — in fact it had the opposite effect. The DMV processes far, far more ‘NULL’ tickets than he bargained for. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place). ~ ~
** THIS WEEK’S CYBER CAT
This is Luca. Don’t worry — Luca won’t dox you like those pesky dogs. Thanks to Luca’s human, Nick D’Alessandro, for the submission. (You may need to enable images in this email.) Please send in your cybercats! You can submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20). We’re in a drought. They will always be featured — first come first served. Send them in! ~ ~
** SUGGESTION BOX
That’s it for this week. Thanks again for reading. If you have any feedback, please send it in to the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). See you next Sunday — be well. ~ ~