this week in security — august 30 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 35
~ ~
** THIS WEEK, TL;DR
U.S. indicts Russian for attempted ransomware attack on Tesla factory (https://www.justice.gov/opa/pr/russian-national-arrested-conspiracy-introduce-malware-nevada-companys-computer-network) Department of Justice: A Russian man was indicted this week for plotting to infect a Nevada company’s network (https://arstechnica.com/information-technology/2020/08/russian-man-offered-employee-1m-to-infect-company-network-feds-say/) with ransomware by bribing an employee with $1 million to install the malware on the network. The attempt failed and the Russian was caught as he tried to flee the United States. Although the indictment kept the name of the victim company under wraps, Tesla CEO Elon Musk confirmed (https://techcrunch.com/2020/08/27/elon-musk-confirms-tesla-was-target-of-foiled-ransomware-attack/) in a tweet (https://twitter.com/elonmusk/status/1299105277485088768), no less, that the attack targeted one of Tesla’s so-called Gigafactories. Not only was the ransomware designed to encrypt files in exchange for a ransom, this particular strain also exfiltrated data from the network first. Hackers typically threaten to publish the files if the ransom isn’t paid.
More: Ars Technica (https://arstechnica.com/information-technology/2020/08/russian-man-offered-employee-1m-to-infect-company-network-feds-say/) | TechCrunch (https://techcrunch.com/2020/08/27/elon-musk-confirms-tesla-was-target-of-foiled-ransomware-attack/) | @elonmusk (https://twitter.com/elonmusk/status/1299105277485088768)
Bridgefy, the messenger promoted for mass protests, is a privacy disaster (https://arstechnica.com/features/2020/08/bridgefy-the-app-promoted-for-mass-protests-is-a-privacy-disaster/) Ars Technica: Bridgefy, an app for helping protesters communicate and used all over the world, has a number of security bugs that still haven’t been fixed — months after researchers warned the app maker that the bugs could deanonymize users, decrypt and read private messages, and shut down the entire network, per Ars. The app has more than 1.7 million users. More: Martin Albrecht (https://martinralbrecht.wordpress.com/2020/08/24/mesh-messaging-in-large-scale-protests-breaking-bridgefy/)
Chinese-made smartphones are loaded with malware that secretly steals money (https://www.buzzfeednews.com/article/craigsilverman/cheap-chinese-smartphones-malware) BuzzFeed News: You may not have heard of Tecno smartphones, but these low-cost devices have become one of the most popular smartphone brands in Africa. Built by Chinese phone maker Transsion, researchers found some of these phones are loaded with malware that siphoned off a user’s mobile data and billed for premium apps that they never paid for. The phone maker blamed an unidentified vendor in the supply chain for the malware, but declined to say how many devices were infected. Researchers said the Transsion traffic accounts for 4% of all users in Africa. More: @craigsilverman (https://twitter.com/CraigSilverman/status/1297888535496794112)
This loophole lets the DMV sell your data to private investigators (https://www.vice.com/en_us/article/ep47na/dmv-dppa-drivers-privacy-protection-act-buy-data-private-investigators?) Motherboard: In case you didn’t know, the DMV sells (https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars) your data to private investigators, thanks to a little-known 1990s law. Case in point: Arizona’s DMV sells not only drivers’ photos but also (https://www.vice.com/en_us/article/pky8a8/dmv-mvd-sell-photo-ssn-private-investigators?) Social Security numbers to investigators — and it’s entirely legal. But some private investigators say that the reasons they give to obtain a person’s private data are dangerously broad. More: Motherboard (https://www.vice.com/en_us/article/pky8a8/dmv-mvd-sell-photo-ssn-private-investigators?) | Background: Washington Post ($) (https://www.washingtonpost.com/technology/2019/07/07/fbi-ice-find-state-drivers-license-photos-are-gold-mine-facial-recognition-searches/)
TikTok’s security boss makes his case — carefully (https://www.cyberscoop.com/tiktok-lawsuit-security-questions-roland-cloutier/) Cyberscoop: Here’s an interesting interview with Roland Cloutier, the security chief of besieged Chinese video sharing app TikTok. TikTok remains under fire from the Trump administration. Per a government order, TikTok must sell its U.S. operations by mid-November over fears that the app could be providing data to Beijing. Although the big question of whether the app helps Beijing in some way wasn’t answered in this interview, the interview does explore several topics, such as why overseas engineers (including in China (https://twitter.com/jeffstone500/status/1298999195882397696) ) can access user data, and more. More: @jeffstone500 tweets (https://twitter.com/jeffstone500/status/1298999195882397696)
Facebook apologizes for Apple trying to protect its customers’ privacy (https://www.theregister.com/2020/08/27/facebook_ios_ads/) The Register: A headline for the ages: Facebook apologized this week to its users and advertisers for “being forced to respect people’s privacy” ahead of an upcoming iOS update as Apple puts the kibosh on data-slurping apps. iOS 14 will allow users to opt-out (https://techcrunch.com/2020/08/27/facebook-vs-apple-ad-tracking/) of in-app ad tracking. That’s huge. But Facebook is spitting feathers because it’ll make it harder for big advertisers like Facebook to make money off your data. Cue the sound of the world’s tiniest violin. More: Facebook (https://www.facebook.com/audiencenetwork/news-and-insights/preparing-audience-network-for-ios14/) | Threatpost (https://threatpost.com/facebook-hits-back-at-apples-ios-14-privacy-update/158734/)
~ ~
** SUPPORT THIS NEWSLETTER
A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks (https://www.patreon.com/posts/mugs-are-on-way-32666051)!), it helps to maintain its upkeep. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Twitter accounts with expired email addresses can be easily hijacked (https://zainamro.com/hacks/finding-vulnerable-twitter-accounts) Zain Amro: Twitter accounts registered with email addresses attached to an expired domain can be easily hijacked by registering the domain, creating an associated email address, and resetting the Twitter user’s password. It’s an interesting “SIM swap”-style attack using expired email domains. It’s not an attack unique to Twitter, but it’s particularly useful on Twitter since its password reset prompt reveals partial email addresses.
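The defensive side of the expired-domain problem above, as an added example that is not from the newsletter or from Zain Amro's write-up: a platform-side audit that flags accounts whose recovery-email domain no longer has mail servers, so those accounts can be pushed to re-verify before a password reset is honoured. The DNS lookup is injected as a callable (a real deployment would plug in an MX query), and the accounts, domains and MX records are all constructed.

```python
# Added example (not from the newsletter or Zain Amro's write-up): a platform-side
# audit that flags accounts whose recovery-email domain no longer resolves, so they
# can be forced to re-verify before any password reset is honoured. The DNS lookup
# is injected as a callable so the check runs offline against constructed data.
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]  # domain -> MX hosts, or None/[]

# Constructed sample accounts; the addresses are not real.
ACCOUNTS: Dict[str, str] = {
    "alice": "alice@example.com",
    "bob": "bob@lapsed-startup.example",   # domain assumed to have expired
    "carol": "Carol@Example.COM",          # same domain as alice, odd casing
    "dave": "not-an-email",                # malformed recovery address
}

# Constructed stand-in for DNS: only example.com still has MX records.
FAKE_MX: Dict[str, List[str]] = {"example.com": ["mail.example.com"]}


def fake_resolver(domain: str) -> Optional[List[str]]:
    """Offline resolver used in place of a real MX lookup (assumption)."""
    return FAKE_MX.get(domain)


def email_domain(address: str) -> Optional[str]:
    """Return the normalised domain of an address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return domain


def find_unverifiable(accounts: Dict[str, str], resolve: Resolver) -> Dict[str, str]:
    """Map each risky account to a reason: 'malformed' or 'no-mx'.

    Lookups are cached per domain so a large user base costs one query per
    distinct domain rather than one per account.
    """
    cache: Dict[str, bool] = {}
    flagged: Dict[str, str] = {}
    for name, address in accounts.items():
        domain = email_domain(address)
        if domain is None:
            flagged[name] = "malformed"
            continue
        if domain not in cache:
            cache[domain] = bool(resolve(domain))
        if not cache[domain]:
            flagged[name] = "no-mx"
    return flagged


def reset_allowed(account: str, accounts: Dict[str, str], resolve: Resolver) -> bool:
    """Gate for the password-reset flow: refuse e-mail resets for flagged accounts
    and route them to re-verification or a second factor instead."""
    return account not in find_unverifiable({account: accounts[account]}, resolve)


if __name__ == "__main__":
    for name, reason in sorted(find_unverifiable(ACCOUNTS, fake_resolver).items()):
        print(f"{name}: {reason}")
```

The audit is cheap to run on a schedule because it queries each distinct domain once. The reset prompt itself is the other half of the fix: returning the same generic "if that account exists, we sent a message" response, rather than a partially masked address, removes the hint the newsletter says makes Twitter a particularly good target.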
Kindle e-books collect a surprisingly large amount of data (https://nullsweep.com/kindle-collects-a-surprisingly-large-amount-of-data/) Nullsweep: On the face of it, Kindles might seem simple enough. But these e-readers are collecting and sending large amounts of data back to Amazon. Opening and flipping through a few pages of a book sends over 100 requests back to Amazon, one researcher found.
U.K. Southern Water’s internet pipes were leaking (https://medium.com/@teh_c/southern-water-customer-data-exposed-c2db2d237417) Medium: Southern Water, a water authority with close to 5 million customers in southern England, had a vulnerable customer management area that let anyone with a customer account access the bills and documents of other customers. That bug could be used to access documents with a customer’s name, address, customer account number, payment reference number, bill and payment dates, account balance, payment amount, bill amount, meter details and meter readings. Not good! This was a pretty good write-up of the bug-finding and remediation effort.
~ ~
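The class of bug described for the Southern Water portal, where any logged-in customer can fetch another customer's records, is an insecure direct object reference. The following is an added example, not the newsletter's or the Medium author's code and not Southern Water's: a document lookup that checks authentication but not ownership, next to the corrected handler. Account numbers, document ids and contents are constructed.

```python
# Added example (not from the newsletter or the Medium write-up): the class of bug
# described for the Southern Water portal, an insecure direct object reference,
# shown as a lookup that checks authentication but not ownership, next to the
# corrected version. Data, account numbers and ids are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_account: str   # customer account number the record belongs to
    kind: str            # e.g. "bill", "meter-reading"
    body: str


# Constructed store. Sequential ids mean a caller can simply walk doc_id + 1.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "ACC-0001", "bill", "balance 42.10, meter 00123"),
    1002: Document(1002, "ACC-0002", "bill", "balance 17.95, meter 00456"),
    1003: Document(1003, "ACC-0002", "meter-reading", "00456 -> 00471"),
}


class NotFound(Exception):
    pass


def get_document_vulnerable(session_account: str, doc_id: int) -> Document:
    """Authenticated but not authorised: session_account is never consulted,
    so any logged-in customer can read any customer's document."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_fixed(session_account: str, doc_id: int) -> Document:
    """Ownership is checked against the server-side session, never against a
    client-supplied account number. 'Missing' and 'not yours' raise the same
    error so the endpoint does not confirm which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner_account != session_account:
        raise NotFound(doc_id)
    return doc


def can_read(session_account: str, doc_id: int, fixed: bool = True) -> bool:
    """True if the chosen handler returns the document, False if it refuses."""
    handler = get_document_fixed if fixed else get_document_vulnerable
    try:
        handler(session_account, doc_id)
        return True
    except NotFound:
        return False


def list_documents(session_account: str) -> List[int]:
    """Scope listings by the session's account so other customers' ids are
    never handed to the client in the first place."""
    return sorted(d.doc_id for d in DOCS.values() if d.owner_account == session_account)


if __name__ == "__main__":
    # A customer logged in as ACC-0001 tries to read ACC-0002's bill.
    print("vulnerable:", can_read("ACC-0001", 1002, fixed=False))  # True: leak
    print("fixed:     ", can_read("ACC-0001", 1002))               # False
```

The ownership check belongs in the data-access layer rather than in each route, so a new endpoint cannot forget it; a test that walks neighbouring ids under a second account, like the assertions here, is the cheapest regression check for this bug class.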
** OTHER NEWSY NUGGETS
What it’s like for a hacker to get back online after a two-year internet ban (https://www.vice.com/en_us/article/z3ekk5/kane-gamble-cracka-back-online-after-a-two-year-internet-ban) If you were banned from the internet for two years, how would you get back online? @lorenzoFB (https://www.twitter.com/lorenzofb) talks to Kane Gamble, the U.K.-based hacker who broke into the AOL email account of former CIA chief John Brennan in 2015. He was allowed back online earlier this year after his 2018 sentencing. “It was an extremely weird feeling. It felt good,” he said. This interview looks back at Gamble’s time offline — and what it’s like to come back to the internet.
With Israel’s encouragement, NSO sold spyware to UAE and other Gulf states (https://www.haaretz.com/middle-east-news/.premium-with-israel-s-encouragement-nso-sold-spyware-to-uae-and-other-gulf-states-1.9093465) Another day, another NSO exposé. This Haaretz ($) (https://www.haaretz.com/middle-east-news/.premium-with-israel-s-encouragement-nso-sold-spyware-to-uae-and-other-gulf-states-1.9093465) story takes another look at the notorious spyware maker, NSO Group. Its customers — notably the UAE and Saudi regimes — are said to have so much data from hacking phones that they hired Israeli ex-military officers to find buried intelligence. But some regions are off limits to NSO’s customers — specifically Iran — for fear that the Iranian government might get a copy of NSO’s spyware and reuse it.
Unredacted suit shows Google’s own engineers confused by privacy settings (https://arstechnica.com/tech-policy/2020/08/unredacted-suit-shows-googles-own-engineers-confused-by-privacy-settings/) You know a company has a privacy problem when its own employees complain about it. In newly unredacted court filings, Google’s own engineers admitted that Google’s privacy settings were so complicated that although users could disable certain settings they were “difficult enough that people won’t figure it out.” Another employee said: “Location off should mean location off, not except for this case or that case.” ~ ~
** THE HAPPY CORNER
Some good news for you Signal fans out there. Signal now comes with a “mark as unread” feature. Swipe to the right on any conversation.
And, @MG (https://twitter.com/MG) is back with a teardown on a USB data blocker he built — the Malicious Cable Detector, which you can see below. Interesting stuff — take a read (https://mg.lol/blog/data-blocker-teardown/). Oh, and if you haven’t signed up for the #MalwareTechPodcast (https://twitter.com/MalwareTechBlog/status/1299094445061582848), you should — it’s one of my favorite things to watch each week. Here’s the YouTube (https://www.youtube.com/playlist?list=PLPsJIruML_ZixS0jbSgufWiVAXbBK9zkG) link. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Baracka, reminding you to use app-based two-factor paw-thentication wherever you can! A big thanks to Frank for the submission! Please keep sending in (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) your cyber cats! The more the merrier. Send them in!
~ ~
** SUGGESTION BOX
That’s it! Thanks for reading and hope you have a great week! Feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). See you next Sunday.