this week in security — august 25 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 33.
** THIS WEEK, TL;DR
Hacker releases iOS 12.4 jailbreak after accidental unpatching (https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years) Motherboard: You don’t really hear about Apple screwing things up very often. Bugs, flaws, and decisions you might not agree with — sure. But screw-ups are rare. This was a real screw-up. In pushing out iOS 12.4, Apple reintroduced a bug it had fixed months ago (https://support.apple.com/en-us/HT210118) in iOS 12.3, so a jailbreak that worked on earlier iPhone software works again and current iPhones and iPads are open to rooting. These jailbreaks can go for millions of dollars because they give root-level privileges, and that’s particularly helpful for shady mobile surveillance and spyware companies. Apple did not comment. More: Pwn20wnd (https://github.com/pwn20wndstuff/Undecimus/releases) | @i0n1c (https://twitter.com/i0n1c/status/1163400360020598784) | Background: Motherboard (https://www.vice.com/en_us/article/gybppx/iphone-bugs-are-too-valuable-to-report-to-apple)
Google cuts some Android phone data for wireless carriers (https://www.reuters.com/article/us-alphabet-data-exclusive-idUSKCN1V90SQ) Reuters: Speaking of location data… Google parent Alphabet has shut down a service it gave to cell carriers that showed them network coverage weak spots over privacy fears, which could spark concern with regulators. The data it turned over was anonymous and aggregated, sources told Reuters. More: Wired ($) (https://www.wired.com/story/android-10-privacy-security-features/)
Fake cop tricked phone companies into turning over location data (https://www.thedailybeast.com/feds-say-bounty-hunter-matthew-marre-used-suicide-hoax-to-con-verizon-t-mobile-out-of-customer-data) The Daily Beast: Locationgate strikes again: this time, a fake cop asked T-Mobile to turn over a man’s real-time location data, claiming he was suicidal. T-Mobile provided the data. But the fake cop turned out to be a bail bondsman, and the guy wasn’t suicidal at all. He had, however, jumped bail. According to court filings, the fake cop did this several times with other cell networks, including Verizon. He pleaded not guilty. It’s the latest example of cell networks turning over real-time location data without people’s permission. @SeamusHughes (https://twitter.com/SeamusHughes/status/1163577356226912257), who wrote the story, had a good tweet thread. More: Indictment [PDF]
Two-dozen Texas local governments hit in ‘coordinated ransomware attack’ (https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/) ZDNet: Ransomware hit 23 local government departments in Texas last week. A list of departments wasn’t given. It’s believed the agencies were hit by the Sodinokibi (REvil) ransomware, which encrypts files with the .JSE extension. Only one agency was able to recover some four days later. More: Texas Dept. of Information Resources (https://dir.texas.gov/View-About-DIR/Article-Detail.aspx?id=209) | Dallas Morning News (https://www.dallasnews.com/business/technology/2019/08/17/20-texas-jurisdictions-hit-coordinated-ransomware-attack-state-says)
Thousands of banned Chinese surveillance cameras are still in U.S. networks (https://www.forbes.com/sites/thomasbrewster/2019/08/21/2000-banned-chinese-surveillance-cameras-keep-watch-over-us-government-sites/#21f4e6cd7f65) Forbes: Despite a ban on Huawei and ZTE, and on surveillance camera makers Dahua and Hikvision, at least 2,000 devices from the latter two are still in U.S. government networks. The ban went into effect (https://techcrunch.com/2019/08/07/trump-huawei-zte-ban-tech/) last week. More: TechCrunch (https://techcrunch.com/2018/08/13/new-defense-bill-bans-the-u-s-government-from-using-huawei-and-zte-tech/)
MoviePass exposed thousands of unencrypted customer card numbers (https://techcrunch.com/2019/08/20/moviepass-thousands-data-exposed-leak/) TechCrunch: A massive database of 161 million records was left open, exposing tens of thousands of MoviePass debit card numbers and billing card numbers. MoviePass admitted the snafu a day later. Embarrassingly, the data had been exposed for three months and discovered by at least two security researchers independently of each other. (Disclosure: I wrote this story.) More: Washington Post ($) (https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/21/the-cybersecurity-202-l-a-county-voting-system-pits-cybersecurity-vs-disability-advocates/5d5c0b43602ff171a5d730a0/) | Variety (https://variety.com/2019/digital/news/moviepass-security-breach-customer-records-1203309976/) | Yahoo Finance (https://finance.yahoo.com/video/moviepass-exposes-credit-card-data-150510697.html)
Valve turned away security researcher who found major bug (https://arstechnica.com/information-technology/2019/08/valve-says-turning-away-researcher-reporting-steam-vulnerability-was-a-mistake/) Ars Technica: HackerOne turned away a security researcher who found bugs in the Steam gaming client that could’ve wreaked havoc on users. The researcher went public, and Steam quickly fixed the flaws. Valve, which makes Steam, apologized (https://twitter.com/k8em0/status/1164654103626047488), but HackerOne clearly took heat for screwing up. The researcher still hasn’t been paid for his work. What a total mess. More: @campuscodi (https://twitter.com/campuscodi/status/1164600650199699456) | @viss (https://twitter.com/Viss/status/1164606195459489792)
Facebook really doesn’t want you to read these emails (https://techcrunch.com/2019/08/23/facebook-really-doesnt-want-you-to-read-these-emails/) TechCrunch: Facebook disastrously tried to preemptively bury bad news (https://newsroom.fb.com/news/2019/08/document-holds-the-potential-for-confusion/) , but it backfired. Turns out Facebook did know about Cambridge Analytica months before it claimed it did. Cambridge Analytica, if you recall, scraped tens of millions of Facebook user profiles in an effort to try to convince undecided voters to vote for Trump. More: Internal email chain [PDF] (https://fbnewsroomus.files.wordpress.com/2019/08/exhibit-1-document.pdf) | Facebook (https://newsroom.fb.com/news/2019/08/document-holds-the-potential-for-confusion/) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Hackers target organizations focused on North Korea’s missile program (https://www.cyberscoop.com/north-korean-hacking-espionage-phishing/) Cyberscoop: A phishing campaign linked to attacks on foreign ministries has been traced back to a hacking group using North Korean infrastructure, per Cyberscoop, as part of a campaign to steal login credentials. The findings were disclosed to the affected organizations and given to Google to flag in Chrome.
WeWork shares its Wi-Fi password across all locations (https://www.fastcompany.com/90391748/weworks-wi-fi-network-is-easy-to-hack) Fast Company: WeWork’s parent company is worth $47 billion, but can’t seem to get decent Wi-Fi management in place. Instead, every coworking location has the same shared password. Fast Company isn’t disclosing the password, but it’s easy to guess — and that means anyone within wireless earshot can join the network and eavesdrop on local traffic. But don’t worry — WeWork said it “takes the security and privacy of our members seriously.” If I had a dollar for every time I’ve heard that line (https://techcrunch.com/2019/02/17/we-take-your-privacy-and-security-seriously/). Hooboy, I would be rich.
Facebook to stop stalking you off-site… but you have to ask (https://www.bbc.com/news/technology-49410371) BBC News: Finally, after it first promised more than a year ago and several delays (https://www.engadget.com/2019/04/10/facebook-delays-its-clear-history-tool-yet-again/) , Facebook will now allow users to stop the site tracking them across the web. For now it’s limited to users in Ireland, South Korea and Spain — where regulators are heavier than most other places, coincidentally. The feature will let users delete data from third-party websites and apps that share data with Facebook. So, that’s pretty much most sites out there.
Libraries balk at Lynda.com amid LinkedIn privacy policy changes (https://www.zdnet.com/article/microsoft-is-moving-lynda-com-users-to-linkedin-learning-and-not-everyones-happy-about-it/) ZDNet: LinkedIn, which owns learning portal Lynda.com, is forcing library members to sign up to LinkedIn in order to use Lynda.com following a privacy policy change, reports @maryjofoley (https://twitter.com/maryjofoley). The new privacy policy is expected to come into force in September, but clearly a lot of library customers aren’t thrilled. “A LinkedIn account is required to access LinkedIn Learning,” said LinkedIn in a recent blog post reaffirming the decision. In other words, you have to sign up to LinkedIn — and remember to make the profile private if you choose — to use Lynda.com. The American Library Association said the change would “significantly impair library users’ privacy rights,” and some libraries have already pulled the plug on Lynda.com as a result.
The Many Possibilities of Apple’s recent iMessage bug (https://googleprojectzero.blogspot.com/2019/08/the-many-possibilities-of-cve-2019-8646.html?m=1) Google Project Zero: I noted a few weeks ago about Project Zero’s latest iMessage bugs (https://twitter.com/natashenka/status/1155940557060919296), which allow an attacker to read files off an iPhone with zero user interaction. Now @natashenka (https://twitter.com/natashenka/) discusses the bug in more detail in a blog post (and video!). There’s also this Hacker News thread (https://news.ycombinator.com/item?id=20772416).
US phone carriers make empty promises to fight robocalls (https://arstechnica.com/tech-policy/2019/08/us-phone-carriers-make-empty-unenforceable-promises-to-fight-robocalls/) Ars Technica: This was a good deep-dive. This week, 12 cell carriers agreed with all 50 attorneys general to do more to block robocalls and to roll out STIR/SHAKEN (https://www.fcc.gov/call-authentication), a caller-ID authentication framework in which the carrier originating a call signs a token asserting the caller’s number, and the carrier receiving the call checks that signature, so it can tell whether the caller ID was actually vouched for or merely spoofed. Small hitch: there’s no timeline in place, nor any enforcement if they fail to take action. In other words, it was a giant PR exercise with good intentions. ~ ~
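To make the STIR/SHAKEN mechanism concrete, here is an added example (not code from the newsletter, the FCC, or any carrier) of the signed token that does the work: a PASSporT per RFC 8225 with the SHAKEN profile of RFC 8588, signed with ES256 by the originating carrier and checked by the terminating one. The certificate URL, phone numbers and origid are constructed sample values, and the key pair is generated in place; a real verifier would fetch the certificate named in x5u and chain it to the STI certificate authorities rather than trusting a pinned public key as this does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header and Claims follow RFC 8225 (PASSporT) and RFC 8588 (SHAKEN profile).
// Fields are alphabetical so the marshalled JSON has the ordered keys the spec signs over.
type Header struct {
	Alg string `json:"alg"` // "ES256" is the only algorithm SHAKEN allows
	Ppt string `json:"ppt"` // "shaken"
	Typ string `json:"typ"` // "passport"
	X5u string `json:"x5u"` // where the verifier fetches the signing carrier's certificate
}

type Claims struct {
	Attest string              `json:"attest"` // "A" full, "B" partial, "C" gateway attestation
	Dest   map[string][]string `json:"dest"`   // {"tn": ["<called number>"]}
	Iat    int64               `json:"iat"`    // issued-at (Unix seconds); bounds replay
	Orig   map[string]string   `json:"orig"`   // {"tn": "<caller ID being asserted>"}
	Origid string              `json:"origid"` // opaque per-call id chosen by the carrier
}

var enc = base64.RawURLEncoding

func decodeSeg(seg string, v interface{}) error {
	b, err := enc.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(b, v)
}

// Sign is the originating carrier's step: compact JWS header.claims.signature,
// with the ES256 signature as the fixed 64-byte r||s encoding (not ASN.1 DER).
func Sign(priv *ecdsa.PrivateKey, h Header, c Claims) (string, error) {
	hb, _ := json.Marshal(h) // marshalling these plain structs cannot fail
	cb, _ := json.Marshal(c)
	input := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // P-256 scalars always fit in 32 bytes
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify is the terminating carrier's step. Order matters: pin the algorithm before
// trusting the header, check the signature over the exact bytes, then act on claims.
func Verify(pub *ecdsa.PublicKey, token string, now time.Time, maxAge time.Duration) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var h Header
	if err := decodeSeg(parts[0], &h); err != nil { return nil, err }
	if h.Alg != "ES256" || h.Ppt != "shaken" { return nil, errors.New("unsupported alg or ppt") } // no alg=none/HMAC downgrade
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return nil, errors.New("signature invalid") }
	var c Claims
	if err := decodeSeg(parts[1], &c); err != nil { return nil, err }
	if age := now.Sub(time.Unix(c.Iat, 0)); age < 0 || age > maxAge { return nil, errors.New("token stale or from the future") }
	return &c, nil
}

// SpoofOrig rewrites the caller ID in an existing token without re-signing,
// which is all a spoofer lacking the carrier's private key can do.
func SpoofOrig(token, tn string) string {
	parts := strings.Split(token, ".")
	var c Claims
	_ = decodeSeg(parts[1], &c)
	c.Orig = map[string]string{"tn": tn}
	nb, _ := json.Marshal(c)
	return parts[0] + "." + enc.EncodeToString(nb) + "." + parts[2]
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the carrier's SHAKEN key
	now := time.Now()
	h := Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: "https://cert.carrier.example/shaken.crt"} // hypothetical URL
	c := Claims{Attest: "A", Dest: map[string][]string{"tn": {"12025550123"}}, Iat: now.Unix(),
		Orig: map[string]string{"tn": "12125550100"}, Origid: "de305d54-75b4-431b-adb2-eb6b9e546014"} // constructed sample values
	tok, _ := Sign(priv, h, c)
	if cl, err := Verify(&priv.PublicKey, tok, now, time.Minute); err == nil {
		fmt.Println("accepted: attest", cl.Attest, "orig", cl.Orig["tn"])
	}
	_, err := Verify(&priv.PublicKey, SpoofOrig(tok, "12125550199"), now, time.Minute)
	fmt.Println("spoofed caller ID:", err)
}
```

The attestation level is the part that matters operationally: a token only says how confident the originating carrier is about the number (A means it authenticated the customer and their right to use it), and nothing in the signature stops a carrier from attaching an honest "C" to a robocall it merely gatewayed, which is why the Ars piece's point about enforcement is the real story.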
** OTHER NEWSY NUGGETS
Google proposes new privacy and anti-fingerprinting controls for the web (https://techcrunch.com/2019/08/22/google-proposes-new-privacy-and-anti-fingerprinting-controls-for-the-web/) This might’ve been the most controversial post of the week. Google said it’s following in Apple and Mozilla’s footsteps and rolling out anti-tracking technology to Chrome, like anti-browser-fingerprinting controls. Great? Maybe not. Firstly, it’ll be “a multi-year journey,” according to Google, which has a blog post (https://blog.chromium.org/2019/08/potential-uses-for-privacy-sandbox.html) out. But critics say the Chrome team is “cloaking Google’s business priorities in disingenuous technical arguments.” They say the move protects Google’s bottom line rather than putting users’ privacy and security first.
14,500 Pulse Secure VPN endpoints vulnerable to flaw (https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/) You might remember from July a story about how flaws in corporate VPN services (https://techcrunch.com/2019/07/23/corporate-vpn-flaws-risk/) were putting business secrets at risk. The researchers who found the flaws had already reported them to companies including Uber and Twitter, which were protected by the time the story ran. But now it seems over 14,500 endpoints are still vulnerable to one of the flaws, CVE-2019-11510 in Pulse Secure’s VPN appliances. Most affected endpoints are in the U.S. The flaw is an unauthenticated arbitrary file read, and the files it exposes include cached credentials and session data, enough for an attacker to get onto a corporate network as if they were an authorized corporate user.
Microsoft contractors listened to Xbox owners in their own homes (https://www.vice.com/en_us/article/43kv4q/microsoft-human-contractors-listened-to-xbox-owners-homes-kinect-cortana) Another story about Microsoft contractors broke this week. This time, the same contractors who were processing Cortana queries (https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls) and Skype calls were also listening to gaming users. “The purpose of contractors listening in and working with audio snippets was, as with other Microsoft services, to improve the products themselves… but it still had issues, with contractors hearing audio of Xbox users who had mistakenly triggered the device.”
NASA investigating first allegation of a space crime (https://www.bbc.co.uk/news/world-49457912) Amid a bitter divorce battle, Anne McClain is accused of accessing her estranged spouse’s bank account from the International Space Station. That would, if proven, potentially amount to hacking. The astronaut denies any wrongdoing. Because of the complexities of space law — which yes, is a thing — each astronaut must follow the laws based on their country of citizenship. The news was first reported by The New York Times (https://www.nytimes.com/2019/08/23/us/nasa-astronaut-anne-mcclain.html) ($). ~ ~
** THE HAPPY CORNER
This week was, unsurprisingly, pretty quiet post-summer camp. But there’s just time for a handful of things.
Firstly, please enjoy this great, great career advice from @mzbat (https://twitter.com/mzbat/status/1163847854215053313?s=21) . Yes, while many of us are “expert shitposters,” it’s probably not wise to put it on your resume.
ok I know it’s funny but please don’t put expert shitposter on your resume I can’t believe I just had to type that but here we are
Me: How’s everything going in Britain with Brexit just around the corner? Britain: Well, not so much (https://twitter.com/Scott_Helme/status/1165219880733421568) .
And, here’s what happens when you accept cookies (https://twitter.com/berendjanwever/status/1145980681559924736) . They’re just in the last place you think to look! If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) . ~ ~
** THIS WEEK’S CYBER CAT
Meet Batman. No, not the superhero — this week’s cybercat. He’s old enough to remember when 802.11b was brand new in laptops. Those were the (slow) days. A big thanks to @woojo (https://twitter.com/woojo) for the submission. I definitely need more cybercats. Please send them in! You can submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20). They’re featured first come, first served! ~ ~
** SUGGESTION BOX
That’s all for now. A big thanks for reading. As always, if you have any feedback or anything you want to contribute, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you next week. Have a great one. ~ ~