this week in security — december 15 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 48
~ ~
** THIS WEEK, TL;DR
Facebook tells U.S. attorney general it will not undermine encryption (https://www.buzzfeednews.com/article/ryanmac/facebook-encryption-stays-bill-barr-letter-whatsapp) BuzzFeed News: Oh wow, this again. The crypto-wars have been simmering ever since the Apple-FBI legal challenge a few years back. But now we’re teetering on the edge of another slog to convince lawmakers and government (https://www.reuters.com/article/us-usa-encryption-facebook-idUSKBN1YE2CK) that encryption is a good thing, and that society is vastly better off keeping it than getting rid of it. “People’s private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security,” said Facebook in a letter to the Justice Department. The day we have to rely on Facebook to defend our privacy and security is… well, here, and frankly it looks like we’ll need all the help we can get. More: Reuters (https://www.reuters.com/article/us-usa-encryption-facebook-idUSKBN1YE2CK) | CNET (https://www.cnet.com/news/congress-warns-tech-companies-take-action-on-encryption-or-we-will/) | MIT Technology Review (https://www.technologyreview.com/s/614898/cops-see-an-encryption-problem-spyware-makers-see-an-opportunity/)
Former White House staff helped the UAE build a secret spy unit (https://www.reuters.com/investigates/special-report/usa-raven-whitehouse/) Reuters: This is the latest in Reuters’ deep dive on Project Raven, a secret surveillance unit in the United Arab Emirates, staffed by former U.S. intelligence workers. Turns out the project was born from the highest echelons of the Bush-era White House. It’s a stellar read — one that reveals deep U.S. involvement in providing Gulf autocracies equipment to carry out spying operations against activists and journalists, among many more. More: @aaschapiro (https://twitter.com/aaschapiro/status/1204465170543775746?s=21) | @LizSly (https://twitter.com/LizSly/status/1204506526519574530) | @bing_chris tweets (https://twitter.com/Bing_Chris/status/1204407957980635136)
Ring’s hidden data let reporters map its massive surveillance network (https://gizmodo.com/ring-s-hidden-data-let-us-map-amazons-sprawling-home-su-1840312279) Gizmodo: Amazon’s Ring can’t catch a break. Then again, Ring can’t seem to do anything right. Gizmodo reporters found Ring’s Neighbors app was leaking the location of each Ring camera, allowing the reporters to map out thousands of cameras across any given area. Some cities were absolutely covered with Ring cameras, the reporters found, giving police unprecedented access to vast swathes of metropolitan and even hard-to-reach rural areas. Also, another flaw (https://www.cyberscoop.com/blink-amazon-camera-tenable-iot-flaws/) was found in another Amazon-owned brand this week, making this a really bad week for Amazon. More: Cyberscoop (https://www.cyberscoop.com/blink-amazon-camera-tenable-iot-flaws/)
How hackers are breaking into Ring cameras (https://www.vice.com/en_us/article/3a88k5/how-hackers-are-breaking-into-ring-cameras) Motherboard: Speaking of Ring cameras, Motherboard found bespoke hacker-built software can easily gain access to some Ring cameras. Local media reported (https://www.wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room/) that a hacker broke into a Ring camera installed in the bedroom of three girls in Mississippi and spoke through the device’s speakers with one of the children. The software, found on hacking forums, effectively brute-forces logins to the cameras, letting hackers in. Granted, Ring offers two-factor, but only via SMS codes, which are the weakest form of second factor. Ring responded with a PR blitz, saying its service has “not been compromised,” but still no word on when it’ll roll out stronger app-based two-factor. More: @jason_koebler (https://twitter.com/jason_koebler/status/1205160867555368960?s=21) | Motherboard (https://www.vice.com/en_us/article/z3bbq4/podcast-livestreams-hacked-ring-cameras-nulledcast)
Hackers can mess with voltages to steal Intel chips’ secrets (https://www.wired.com/story/plundervolt-intel-chips-sgx-hack/) Wired ($): A new voltage-modifying attack can steal secrets from a vulnerable Intel chip’s SGX secure enclave, researchers have found. It works by undervolting the processor from software to induce faults inside the enclave, so it requires root access on the target machine but no physical access, meaning it can in theory be carried out remotely by an attacker who has already gained root. Of course the bug has a name, Plundervolt, and its website (https://plundervolt.com/) has an academic paper and a FAQ to explain more, including Intel’s mitigation, which locks down the voltage interface via microcode and BIOS updates. More: Plundervolt (https://plundervolt.com/) | TechCrunch (https://techcrunch.com/2019/12/10/plundervolt-attack-breaches-chip-security-with-a-shock-to-the-system/)
Google handed feds 1,500 phone locations in unprecedented ‘geofence’ search (https://www.forbes.com/sites/thomasbrewster/2019/12/11/google-gives-feds-1500-leads-to-arsonist-smartphones-in-unprecedented-geofence-search/#1d35e99327dc) Forbes: Two search warrants submitted by ATF demanded Google turn over a list of user devices in a certain geographical area for a specific time, ensnaring anyone — including innocent people — who was in the “geofenced” area at the time. The geofence covered three hectares — about three football fields — as part of an effort to catch criminals. Some 1,500 devices were caught in the warrant’s net. These geofence-type warrants are rare but not unheard of, and they are a huge invasion of privacy for those who are entirely innocent. Archive: Slate (https://slate.com/technology/2019/02/reverse-location-search-warrants-google-police.html) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Apple’s ad-targeting crackdown is hurting the ad market (https://www.theinformation.com/articles/apples-ad-targeting-crackdown-shakes-up-ad-market) The Information ($): Two years ago, Apple aggressively hit back against privacy-invading and cross-site tracking ads by rolling out intelligent tracking prevention and other anti-tracking browsing technologies in Safari. Now, the cost of reaching Safari users has fallen by almost two-thirds over those two years, while prices for targeting Chrome users have gone up. Or, as Daring Fireball (https://daringfireball.net/linked/2019/12/09/the-information-ad-tracking) put it: the anti-tracking technology “is working.”
New Orleans hit by ransomware attack, 911 services remain up (https://www.bleepingcomputer.com/news/security/new-orleans-suffers-ransomware-attack-emergency-services-intact/) Bleeping Computer: New Orleans was hit by ransomware, knocking many of its systems offline. Its emergency services were largely unaffected, however. It’s the latest city hit by file-encrypting malware after Pensacola, Florida (https://arstechnica.com/information-technology/2019/12/pensacola-city-government-was-hit-by-maze-ransomware-was-data-stolen/) and Jackson County, Georgia (https://apnews.com/31c9f81d71ba4203873550f8ec595fdc). Louisiana’s state government was attacked (https://statescoop.com/louisiana-issues-another-emergency-declaration-over-ransomware/) last month, prompting officials to take down government websites and other digital services and causing the governor to declare a state of emergency.
How a TrickBot infection became a hacking operation targeting financial systems (https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware) Cybereason: Interesting findings from Cybereason: researchers found a TrickBot infection that turned into a hands-on hacking operation targeting sensitive financial institutions. That’s a departure from delivering ransomware (like Ryuk), with which TrickBot is typically associated. Instead, it dropped the newly named Anchor malware, which serves as a backdoor reserved for high-profile targets. ~ ~
** SUPPORT THIS NEWSLETTER
A big thank you to everyone for reading. You can support this newsletter by contributing to the Patreon (https://www.patreon.com/thisweekinsecurity) . You can contribute as little as $1/month — or more for exclusive perks. Thanks for your support! ~ ~
** OTHER NEWSY NUGGETS
Avast collects and sells data on 400 million users (https://www.forbes.com/sites/thomasbrewster/2019/12/09/are-you-one-of-avasts-400-million-users-this-is-why-it-collects-and-sells-your-web-habits/#1605e50a2bdc) Avast, the free antivirus maker, profits in part by collecting the web browsing habits of its 400 million users. The company is said to strip out sensitive information, but it’s still possible to track what users searched for and more. If you recall, Mozilla and Opera removed Avast’s browser extensions a few weeks back (https://palant.de/2019/12/03/mozilla-removes-avast-extensions-from-their-add-on-store-what-will-google-do/). Motherboard said Sen. Ron Wyden (D-OR) wants to know (https://www.vice.com/en_us/article/v744v9/senator-ron-wyden-asks-avast-selling-users-browsing-data) why Avast is selling users’ browsing data.
Social media influencer sentenced to 14 years for plot to hijack internet domain (https://www.justice.gov/usao-ndia/pr/social-media-influencer-sentenced-14-years-federal-prison-after-plotting-hijack) This was a nutty story. An Iowa man plotted to have a domain’s owner held at gunpoint in his own home and forced to transfer the domain. OneZero had the full story (https://onezero.medium.com/the-influencer-and-the-hit-man-6c3905efd3c3). And holy crap, it’s one hell of a read.
DHS cyber chief Jeanette Manfra to join Google’s cloud division (https://www.cyberscoop.com/jeanette-manfra-google-cloud-dhs/) Manfra, who heads up the cybersecurity division of Homeland Security’s CISA, will leave government for Google Cloud, where she will serve as global director of security and compliance in the new “Office of the CISO,” working with cloud customers on their security. Manfra was one of the most influential and important cybersecurity figures in the U.S. government. It’s not immediately known who will replace her at DHS. ~ ~
** THE HAPPY CORNER
This week, we found out what you’ll see if you hack @wendynather’s webcam (https://twitter.com/wendynather/status/1204149929985429505). Also, here’s a slightly modified version from @Shadow0pz (https://twitter.com/Shadow0pz/status/1204289025391157250). And finally: we’re a week and a half away from Christmas. @hacks4pancakes (https://twitter.com/hacks4pancakes) wrote a blog post (https://tisiphone.net/2018/05/01/the-biggest-small-personal-digital-security-mistakes/) back in 2018 that covers some of the often-forgotten security basics. It will be a good post to share with friends and family when you’re all under the same roof. This holiday season, give the gift of good security. (A big thanks to @mzbat (https://twitter.com/mzbat/status/1205541242064527361) for resurfacing the post this week.)
If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercat is Orion. According to his human, he prefers to use touch interfaces for all the cybers. Keyboards don’t work as well because his feet are bigger than the keys, and any use of a mouse is far too distracting, even more than Slack channels. A big thanks to @joncallas (http://twitter.com/joncallas) for submitting! (You may need to enable images in this email.) Keep sending in your cybercats! You can drop them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). Looking forward to seeing them! ~ ~
** SUGGESTION BOX
That’s it for now. I’m back in New York (where the weather is just as bleak). But hey, at least the jetlag is over with. A big thanks for reading. Feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform).
See you next week — have a great week.