this week in security — august 4 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 30.
** THIS WEEK, TL;DR
100 million Americans, 6 million Canadians caught up in Capital One breach (https://www.zdnet.com/article/100-million-americans-and-6-million-canadians-caught-up-in-capital-one-breach/) ZDNet: Clearly we didn’t learn (https://techcrunch.com/2019/07/29/capital-one-breach-was-inevitable/) from Equifax, because it happened again. In total, 106 million credit applications and files were taken from an S3 bucket owned by Capital One by a single perpetrator, a former AWS worker no less, who was quickly taken (https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company) into FBI custody. Capital One’s response was utterly abysmal and drew immediate ire (https://www.vice.com/en_us/article/evyjkp/capital-one-is-to-blame-for-exposing-your-data) from pretty much everybody. Brian Krebs dug into (https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/) the details of the case. Luckily, at the moment, there’s no indication the data is out on the web. But several other companies (https://www.forbes.com/sites/thomasbrewster/2019/07/30/capital-one-mega-breach-suspect-may-have-hacked-many-more-companies/) may have also been compromised. More: Motherboard (https://www.vice.com/en_us/article/evyjkp/capital-one-is-to-blame-for-exposing-your-data) | Forbes (https://www.vice.com/en_us/article/evyjkp/capital-one-is-to-blame-for-exposing-your-data) | Krebs on Security (https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/)
Visa card flaw can bypass contactless limits (https://www.ptsecurity.com/ww-en/about/news/visa-card-vulnerability-can-bypass-contactless-limits/) Positive Technologies: Flaws found in Visa contactless cards could allow an attacker or fraudster to bypass the contactless limit of £30 (about $36). That means anyone could make as many transactions as they like — in theory — if they have your card. The bug requires a man-in-the-middle condition. Forbes (https://www.forbes.com/sites/thomasbrewster/2019/07/29/exclusive-hackers-can-break-your-credit-cards-30-contactless-limit/#6837c3d441e1) allowed the researchers to exploit the bug on a personal card and, to absolutely nobody’s surprise, it worked. More: Forbes (https://www.forbes.com/sites/thomasbrewster/2019/07/29/exclusive-hackers-can-break-your-credit-cards-30-contactless-limit/#6837c3d441e1)
200 million devices affected by a little-known software in everything (https://www.wired.com/story/vxworks-vulnerabilities-urgent11/) Wired ($): Here’s something you don’t hear every day: 200 million devices running an operating system you’ve probably never heard of have some serious bugs. (Well, that last part probably isn’t news to anyone.) VxWorks is a real-time OS for continually functioning devices, like satellite modems or elevator controls. But the vulnerabilities could give an attacker remote access and allow malware to “worm” its way to other vulnerable devices. It’s going to be a real pain in the ass to fix. More: CISA (https://www.us-cert.gov/ics/advisories/icsa-19-211-01) | ZDNet (https://www.zdnet.com/article/urgent11-security-flaws-impact-routers-printers-scada-and-many-iot-devices/) | Armis/YouTube (https://www.youtube.com/watch?v=bG6VDK_0RzU)
Equifax screwed so many people, it can’t pay everyone the $125 settlement (https://www.vice.com/en_us/article/nea8xq/equifax-may-not-pay-you-that-dollar125-settlement-because-it-screwed-too-many-people) Motherboard: You know you’ve really messed up when giving everyone the same settlement amount would bankrupt you many times over, but that’s exactly what happened with Equifax. The FTC said victims should settle for free credit monitoring instead. A $125 settlement for the 148.5 million affected would amount to about $18.5 billion, or about five times the company’s 2018 revenue, effectively bankrupting the company. (Cue my tiny violin…) More: Federal Trade Commission (https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-pick-free-credit-monitoring)
Expert wins settlement in whistleblower case against Cisco (https://apnews.com/2e56253a512a4622997e8b6e9b1d0e9b) Associated Press: Cisco fired a security expert a decade ago after he reported serious security flaws, which he described as giving an attacker “complete backdoor access” to Cisco’s video surveillance software, widely used by federal agencies and airports. Cisco ignored the flaws and continued to sell the buggy software. In a False Claims Act case unsealed Wednesday, the networking giant confirmed an $8.6 million settlement — about $1.6 million will deservedly go to the aggrieved expert. More: Cisco (https://blogs.cisco.com/news/a-changed-environment-requires-a-changed-approach) | Complaint (https://www.documentcloud.org/documents/6228665-Order-Dismissing-Cisco-Whistleblower-Case.html)
Customer data from Poshmark, StockX stolen by hackers (https://www.vice.com/en_us/article/8xw4n4/poshmark-hacked) Motherboard, TechCrunch: Clothing resale site Poshmark revealed this week (https://www.vice.com/en_us/article/8xw4n4/poshmark-hacked) that it had been hacked, but revealed very little (https://twitter.com/campuscodi/status/1157185625658994689) about it. A data breach seller, however, obtained the data and confirmed (https://twitter.com/zackwhittaker/status/1157700511262543872) that some 36 million user records had been stolen. The same seller also confirmed StockX had been breached. StockX had earlier in the week reset passwords, claiming it was due to “system updates.” Turns out it was a lie (https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/) and the company tried to cover up the breach from back in May. (Disclosure: I wrote that second story.) More: TechCrunch (https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/) | @panzer (https://twitter.com/panzer/status/1157729694642368512) | @campuscodi (https://twitter.com/campuscodi/status/1157695282433396736)
** THE STUFF YOU MIGHT’VE MISSED
Google finds five bugs in Apple’s iMessage (https://twitter.com/natashenka/status/1155940557060919296) Google Project Zero: Five iMessage bugs in one go: @natashenka (https://twitter.com/natashenka/status/1155940557060919296) and @5aelo (https://twitter.com/5aelo) released four out of the five after they were fixed by Apple, but withheld one because it has yet to be resolved (https://twitter.com/natashenka/status/1155941211275956226). The bugs are to be featured in an upcoming Black Hat talk (https://www.blackhat.com/us-19/briefings/schedule/#look-no-hands----the-remote-interaction-less-attack-surface-of-the-iphone-15203) this week. The bugs, disclosed privately, are worth more (https://www.zdnet.com/article/google-researchers-disclose-vulnerabilities-for-interactionless-ios-attacks/) than $5 million on the black market. It also turns out, according to a separate blog post (https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html), that nearly all bugs are fixed before their 90-day deadline. Only a few seem to lapse… (oh hello Microsoft… (https://nakedsecurity.sophos.com/2018/04/24/google-project-zero-pulls-the-rug-out-from-under-microsoft-again/))
Trump’s cyber czar is back — he wants hackers to suffer (https://www.wired.com/story/tom-bossert-trinity-active-threat-interference/) Wired ($): This was an interesting read. Tom Bossert, formerly the Trump administration’s top cybersecurity official, was ousted (https://www.wired.com/story/rob-joyce-tom-bossert-white-house-cybersecurity-policy/) last year in the same shakeup that saw Rob Joyce (https://twitter.com/rgb_lights?lang=en) leave the White House for the NSA (again). Now Bossert is in it for himself with a new startup and wants the bad hackers to suffer with what he calls “active threat interference.” It’s already met criticism — with some calling it no different (https://twitter.com/gregotto/status/1155955593733013504?s=21) from “hacking back” (which pretty much everyone agrees is a bad idea). Still, it’s an interesting read.
Dahua device bugs can allow listening to remote audio (https://medium.com/tenable-techblog/i-always-feel-like-somebodys-w%CC%B6a%CC%B6t%CC%B6c%CC%B6h%CC%B6i%CC%B6n%CC%B6g%CC%B6-listening-to-me-938cc14aa13c) Tenable: Dahua, the same device maker labeled a Chinese spy (https://www.bloomberg.com/news/articles/2019-05-22/china-s-hikvision-weighed-for-u-s-ban-has-probably-filmed-you) by the U.S. government, has some extremely leaky devices. Security researchers bought one of the company’s cameras off Amazon and found it littered with several bugs, allowing them to extract audio and video.
One million bank call recordings found exposed (https://www.vice.com/en_us/article/43jkzp/one-million-bank-phone-calls-in-amazon-aws-bucket-bank-of-cardiff) Motherboard: Bad news if you’re a customer of the California-based Bank of Cardiff. You might’ve had your customer service call exposed. The bank left an S3 bucket open full of recordings — which contained customers talking about bank loans and other sensitive matters. The bank fixed the exposed data but didn’t return a request for comment. Yeah, like that’s going to save you from a stream of bad headlines…
CAN bus vulnerabilities in light aircraft disclosed (https://blog.rapid7.com/2019/07/30/new-research-investigating-and-reversing-avionics-can-bus-systems/) Rapid7: New avionics research found that the CAN bus systems small planes use as their communications controller can be hacked with relative ease, forcing pilots to receive dodgy or just plain wrong flight data from the compass and altitude meters. CISA released an alert (https://www.us-cert.gov/ics/alerts/ics-alert-19-211-01) warning of the vulnerabilities. The flaws require local access (https://www.theregister.co.uk/2019/07/30/hack_airplane_can_bus/) to the aircraft, which isn’t easy.
** OTHER NEWSY NUGGETS
Google’s Titan key comes to the U.K., Canada, Japan and France (https://cloud.google.com/blog/products/identity-security/new-protections-for-users-data-and-apps-in-the-cloud) Google is now allowing customers in four new regions to buy its two-factor security key. They’ll cost about $55-$65 or so, but free delivery is included. The original batch of keys had a security bug (https://techcrunch.com/2019/05/15/google-recalls-its-bluetooth-titan-security-keys-because-of-a-security-bug/), so you might want to replace them if you haven’t already.
A potentially state-sponsored hacker tried to phish U.S. utilities (https://www.cyberscoop.com/apt-10-utilities-phishing-proofpoint/) New research from Proofpoint suggests U.S. utilities may be a prime target for one allegedly nation-state backed group of hackers, which tried to phish several utility companies in an effort to break into their networks. They’re not sure what the hackers’ motivations are, but they said the weapon of choice was a malicious Word document capable of remotely controlling and extracting data from an infected computer.
Apple suspends human review of Siri recordings (https://techcrunch.com/2019/08/01/apple-suspends-siri-response-grading-in-response-to-privacy-concerns/) Apple is halting the use of human review for some Siri recordings after an outcry this week. It was revealed (https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings) that contractors were listening to some recordings that contained sensitive or personal information. Apple said it’ll allow users to opt out (https://www.wired.com/story/hey-apple-opt-out-is-useless/) in the future (which annoyed some — a company that supposedly doesn’t want your data doesn’t take an opt-in approach?); instead, it’ll add a way for users to explicitly agree (https://twitter.com/panzer/status/1157139339324919808) to this kind of review in the future.
E3 Expo exposed the personal data of over 2,000 journalists (https://kotaku.com/e3-expo-leaks-the-personal-information-of-over-2-000-jo-1836936908) Thousands of journalists who attended the E3 Expo this year had their data exposed via a spreadsheet that was available on the public site. Sophia Narwitz initially found (https://www.youtube.com/watch?v=aDflWZ1CbrA&t=69s) the data leak, containing names, email addresses, phone numbers and in some cases home addresses. The data is no longer available. This one is going to sting under GDPR…
** THE HAPPY CORNER
Here’s some good news from the week.
A big congrats (https://twitter.com/kennwhite/status/1157109661490909196?s=21) to @chronic (https://twitter.com/chronic) for the release of the Guardian Firewall (https://guardianapp.com/) app for iPhones and iPads. It’s a great app — I reviewed it when it was first in beta, and love the approach they’re taking by actively rejecting the collection of data. Wired ($) has a great write-up (https://www.wired.com/story/guardian-firewall-ios-app/) of how the service looks now and what it aims to achieve.
This week and next is Hacker Summer Camp in the desert — anyone who’s going to Las Vegas for Black Hat, Def Con or BSidesLV, remember to be there for one another. That’s the friendly reminder from @iancoldwater (https://twitter.com/iancoldwater/status/1157616766014672896?s=21). It’s a tough week, so remember self-care and be good to one another.
And the Pwnie Award nominations are out (https://pwnies.com/nominations/), showcasing the very best and worst in infosec this year. An honorary mention to the NSA for being nominated for two Pwnies — for most innovative research and epic achievement — for the declassification and release of Ghidra, the IDA-like reverse engineering tool it released (https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/) this year. “Apparently Ghidra used to be classified and now it’s on GitHub (intentionally, that is),” the Pwnies wrote. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place).
** THIS WEEK’S CYBER CAT
This week’s cybercat is Jack. When he’s not hacking, he’s watching hockey. A big thanks to Jack’s human, @OneEaredMusic (https://twitter.com/OneEaredMusic), for the submission! (You may need to enable images in this email.) If you want your cybercat featured, please submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20)! Your cybercats will always be featured in an upcoming newsletter!
** SUGGESTION BOX
And that’s it! If you have any comments, suggestions or feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). For everyone going to or in Las Vegas this week, have fun and enjoy yourselves — take care, and stay well. See you next Sunday.