this week in security — december 16 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 22.
** THIS WEEK, TL;DR
Your Apps Know Where You Were, and They’re Not Keeping It Secret (https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html) The New York Times ($): An incredible deep-dive into apps that track your location wherever you go, and they aren’t keeping it to themselves. Dozens of tracking companies collect millions of location data points every minute, often without the explicit pop-up consent you might expect. Many of those firms were noted in @chronic (https://twitter.com/chronic)’s research into ad-tracking companies earlier this year (https://techcrunch.com/2018/09/07/a-dozen-popular-iphone-apps-caught-quietly-sending-user-locations-to-monetization-firms/). The Times’ work, months in the making, paints a chilling picture of how much companies know about where we go, who we see, when and sometimes why. Background: TechCrunch (https://techcrunch.com/2018/09/07/a-dozen-popular-iphone-apps-caught-quietly-sending-user-locations-to-monetization-firms/) | More: @chronic (https://twitter.com/chronic/status/1072161351898947586) | @matthew_d_green (https://twitter.com/matthew_d_green/status/1072186785311133698)
Facebook Bug Exposed 6.8 Million Users’ Unposted Photos (https://techcrunch.com/2018/12/14/facebook-photo-bug/) TechCrunch: Time to reset the “days since last Facebook privacy scandal” counter back to zero, after another security snafu at the social media giant. This time, a bug in Facebook’s photo API let third-party apps access photos you hadn’t even posted yet. Worse, the company took weeks to report the bug to Irish data authorities, so at least it’ll (probably) get hit with a massive GDPR fine (https://www.sfchronicle.com/business/article/Facebook-says-bug-opened-access-to-private-photos-13467625.php). Bad news is that it’ll only be a drop in the ocean compared to its global annual revenue. You can find out if you’re affected by going to this help page (https://www.facebook.com/help/200632800873098?ref=photonotice). Facebook apologized, again, for what feels like the millionth time this year. More: Facebook (https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/) | San Francisco Chronicle (https://www.sfchronicle.com/business/article/Facebook-says-bug-opened-access-to-private-photos-13467625.php) | Check if you’re affected (https://www.facebook.com/help/200632800873098?ref=photonotice)
Experian Exposes Apparent Customer Data in Training Manuals (https://motherboard.vice.com/en_us/article/zmdg7e/experian-exposes-customer-data-training-manuals-credit-score) Motherboard: Experian, the other leaky credit rating agency after Equifax, exposed customer data after including a company’s actual records in a training manual that it left in an open directory on a forgotten-about subdomain. Motherboard confirmed the data, which included Experian’s proprietary credit score, was real. Experian didn’t respond to Motherboard’s request for comment, so they’re hoping you’ll ignore it as much as they clearly are. More: @notdan tweet thread (https://twitter.com/notdan/status/1072564350072905728) | The Guardian, on Experian’s 2015 breach (https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information)
Everything You Need To Know About Australia’s Encryption Law (https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/) ZDNet: Australia’s new anti-encryption law was rushed through parliament so fast, after the opposition Labor party buckled under accusations of helping terrorists and sex offenders, that few actually know what’s in it. Nothing says forced bipartisanship like political blackmail! @stilgherrian (https://twitter.com/stilgherrian) read through the 243-page document so you don’t have to. (Hint: it’s still a shitty law.) More: ZDNet (https://www.zdnet.com/article/australias-anti-encryption-law-will-merely-relocate-the-backdoors-expert/) | AFP (https://www.yahoo.com/news/tech-giants-warn-australia-against-law-break-encryption-062910049–finance.html)
Iran Hackers Hunt Nuke Workers and U.S. Officials (https://apnews.com/7f4d814ebf0642b4b381fd9ce01345f7) Associated Press: Another home run by @razhael (https://twitter.com/razhael). Iranian hackers are hitting nuclear workers and government officials with a targeted cyber-espionage campaign, likely in an effort to figure out what’s happening with newly imposed sanctions. The group’s work was only found because it left a server exposed by mistake. @RidT (https://twitter.com/RidT) has a really interesting tweet thread (https://twitter.com/RidT/status/1073211349000486912) on this, with answers in a follow-up (https://twitter.com/certfalab/status/1073242199314391041) from @certfalab (https://twitter.com/certfalab/). More: @RidT tweet thread (https://twitter.com/RidT/status/1073211349000486912)
Border Agents Fail to Delete Personal Data of Travelers After Device Searches (https://gizmodo.com/u-s-customs-fails-to-delete-personal-data-after-electr-1831006534) Gizmodo: Homeland Security’s watchdog found that border agents weren’t properly deleting data they had collected from device searches at the border, often leaving travelers’ personal data sitting on unencrypted flash drives. On the flip side, border agents couldn’t conduct “advanced searches” (where they plug in your device and download its contents) for more than six months because someone forgot to renew a software license. More: DHS Inspector General [PDF] (https://www.oig.dhs.gov/sites/default/files/assets/2018-12/OIG-19-10-Nov18.pdf)
3D Printed Heads Bypassed Android’s Facial Recognition Security (https://www.forbes.com/sites/thomasbrewster/2018/12/13/we-broke-into-a-bunch-of-android-phones-with-a-3d-printed-head/) Forbes: Bad news: face unlocking on several Android phones, which relies on the regular 2D front camera, can be easily duped with a 3D-printed head, making it possible for hackers (and police!) (https://techcrunch.com/2018/12/16/3d-printed-heads-unlock-cops-hackers/) alike to break into your phone. Good news: the iPhone X, whose Face ID uses a depth-sensing camera, doesn’t seem to be affected. Face unlock on these Android phones is a convenience feature, not a security boundary; use a PIN or passphrase if you care. More: Forbes Video (https://www.forbes.com/video/5978671815001/#63fd298d2461) | TechCrunch (https://techcrunch.com/2018/12/16/3d-printed-heads-unlock-cops-hackers/) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Google+ leaked more data than first thought (https://www.blog.google/technology/safety-security/expediting-changes-google-plus/) Google: Google+, the world’s least fun social network, became even more loathed this week after it was revealed that a previous bug (and subsequent cover-up (https://techcrunch.com/2018/10/08/google-plus-hack/)) wasn’t the end of the social network’s problems, as was believed. A new API bug gave developers access to non-public profile data on 52.5 million users. The only surprise was that it had that many users in the first place. More: TechCrunch (https://techcrunch.com/2018/12/10/google-security-bug-gave-developers-access-to-non-public-data-from-52-5m-users/)
Billboards are taking scary inspiration from social media Medium: A new report by @yaelwrites (https://twitter.com/yaelwrites) digs into the creepy world of billboards, which are “integrating facial recognition, location data, artificial intelligence, and other powerful tools that are more commonly associated with your mobile phone.” Some billboards are using technology from companies like Cuebiq, which, surprise, surprise, was one of the location tracking giants noted in the Times’ bombshell report at the top of this newsletter.
WordPress plugs bug that led to Google indexing some user passwords (https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/) ZDNet: Patch yo’ CMS: WordPress 5.0.1 came out this week and fixes seven security bugs, one of which resulted in WordPress user email addresses and passwords leaking into Google’s search index.
How the Dreamcast copy protection was defeated (http://fabiensanglard.net/dreamcast_hacking/) Fabien Sanglard: An interesting read this week from @fabynou (https://twitter.com/fabynou), revealing how hackers busted the Dreamcast’s infamous proprietary copy protection system, making it possible for pirates to extract and copy games. It likely set in motion the game console’s eventual demise.
John Kerry says Russia was behind 2014 State Dept. hack (https://www.npr.org/templates/transcript/transcript.php?storyId=644830886) NPR, Twitter: Remember when the State Dept. had its unclassified email system hacked (https://www.reuters.com/article/us-cybersecurity-statedept/state-departments-unclassified-email-systems-hacked-idUSKCN0J11BR20141117)? (It was likely down to a lack of two-factor authentication (https://www.zdnet.com/article/state-department-shamed-for-poor-adoption-of-multi-factor-authentication/), which persisted until this year!) Now, John Kerry, who was secretary of state at the time, said in an NPR interview this week that it was the Russians. We already suspected it (https://www.washingtonpost.com/world/national-security/new-details-emerge-about-2014-russian-hack-of-the-state-department-it-was-hand-to-hand-combat/2017/04/03/d89168e0-124c-11e7-833c-503e1f6394c9_story.html?utm_term=.798fd0fec27c), but Kerry became the first official to state it on the record (https://twitter.com/Joseph_Marks_/status/1073262850376957952). Better late than never. ~ ~
** OTHER NEWSY NUGGETS
House committee slams Equifax’s crappy post-breach response: The House Oversight Committee this week ripped Equifax a new one (https://oversight.house.gov/report/committee-releases-report-revealing-new-information-on-equifax-data-breach/) for its massive data breach. The report is long, but it paints a detailed picture of institutional failings at the credit rating giant, including bad patch management (the Apache Struts fix had been out for months before the intrusion), which in no uncertain terms could have prevented the breach of nearly 150 million records. @GossiTheDog (https://twitter.com/gossithedog/status/1072281673432223751?s=21) did a lunch-break deep dive (definitely worth reading), as did @sawaba (https://twitter.com/sawaba/status/1072319618352627714), who gave his take.
GCHQ looks to juice up its hacking powers: UK intelligence agency GCHQ wants to ramp up its bulk hacking powers (https://www.theguardian.com/uk-news/2018/dec/08/gchq-bulk-hacking-hacking-human-rights-privacy-alarm), reports The Guardian, in a move critics call a “grave threat” to human rights. U.K. security minister Ben Wallace said it’s because its existing targeted operations are being rendered obsolete by modern technology. Pesky encryption! Bet the U.K. government can’t wait for Brexit to kick in: no more annoying European human rights laws to worry about.
U.S. intelligence sounds the alarm on the quantum gap with China: It’s not just the U.K. — the U.S. is worried about encryption too, this time of the quantum kind, reports @JennaMC_Laugh (https://twitter.com/JennaMC_Laugh). On one hand, quantum techniques such as quantum key distribution promise key exchange that can’t be silently intercepted; on the other, a large enough quantum computer would break the public-key cryptography (RSA, Diffie-Hellman, elliptic curves) that protects most of today’s internet traffic, which is why anything encrypted now and recorded could be read later. China’s getting a head start (https://news.yahoo.com/u-s-intelligence-sounds-alarm-quantum-gap-china-100017743.html), and the U.S. feels left behind.
Amazon booby-traps boxes to catch thieves: Porch pirates rank slightly higher on the “asshole scale” than the Grinch himself at holiday season. Now, Amazon’s trying to catch parcel thieves (https://www.apnews.com/c654020c42b94055a19801b849d337a2) in the act by placing GPS trackers in dummy boxes. New Jersey police have already made several arrests.
SQLite bug borks most modern software: A bug in SQLite, the lightweight embedded database library bundled into countless apps, browsers and devices, affects pretty much everything that uses it, reports Tencent’s Blade Team (https://blade.tencent.com/magellan/index_en.html), which dubbed it “Magellan.” “So literally everything,” said one Twitter user (https://twitter.com/carrickdb/status/1074028891855933441). Pretty much! The team exploited the vulnerability to attack Google Home, which uses the software. The bug sits in SQLite’s full-text search (FTS) extension and can result in full remote code execution, though only where an attacker can get the vulnerable application to run SQL of their choosing (Chromium’s WebSQL feature was the headline example; SQLite 3.26.0 fixes it). More, including proof-of-concept code, available here (https://worthdoingbadly.com/sqlitebug/). ~ ~
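Because so much software statically bundles its own copy of SQLite, the practical question for a defender is “which SQLite version is actually compiled into this thing, and is the FTS extension even built in?” The following is an added example (mine, not Tencent’s or the SQLite project’s code) that answers that for the SQLite linked into a Python runtime: it reads the library version and `PRAGMA compile_options`, and flags a build as exposed when it predates the 3.26.0 fix and has FTS3/FTS4 compiled in. The 3.26.0 threshold is from Tencent’s advisory; treating “no FTS compiled in” as “bug unreachable” is my assumption based on the bug living in that module. The function can’t tell you whether untrusted SQL can reach the library in your application, which is the other half of being exploitable.

```python
import sqlite3

# Tencent Blade reported Magellan as fixed in SQLite 3.26.0.
FIXED_VERSION = (3, 26, 0)


def parse_version(version: str) -> tuple:
    """Turn a SQLite version string such as '3.25.2' into a comparable tuple.

    Tolerates trailing junk in a component ('3.25.2-custom') and short
    strings ('3.25') by padding with zeros.
    """
    nums = []
    for part in version.strip().split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def fts_compiled_in(compile_options) -> bool:
    """PRAGMA compile_options lists names without the SQLITE_ prefix,
    e.g. 'ENABLE_FTS3', 'ENABLE_FTS3_PARENTHESIS', 'ENABLE_FTS4'."""
    return any(opt.startswith(("ENABLE_FTS3", "ENABLE_FTS4")) for opt in compile_options)


def assess(version: str, compile_options) -> dict:
    """Classify one SQLite build from its version string and compile options.

    'exposed' is True only when the build is older than the fix AND the
    FTS3/FTS4 module (where the bug lives) is compiled in. This is an
    assumption about reachability, not something the advisory spells out.
    """
    ver = parse_version(version)
    patched = ver >= FIXED_VERSION
    fts = fts_compiled_in(compile_options)
    return {
        "version": ver,
        "patched": patched,
        "fts_compiled": fts,
        "exposed": (not patched) and fts,
    }


def assess_local() -> dict:
    """Inspect the SQLite library actually linked into this Python process."""
    conn = sqlite3.connect(":memory:")
    try:
        opts = [row[0] for row in conn.execute("PRAGMA compile_options")]
    finally:
        conn.close()
    return assess(sqlite3.sqlite_version, opts)


if __name__ == "__main__":
    result = assess_local()
    print("SQLite %d.%d.%d" % result["version"])
    print("patched (>= 3.26.0):", result["patched"])
    print("FTS3/FTS4 compiled in:", result["fts_compiled"])
    print("potentially exposed to Magellan:", result["exposed"])
```

Run it inside each Python environment you ship; the interesting cases are embedded interpreters and frozen apps that carry their own `_sqlite3` extension rather than the system library. For non-Python software the same two facts (version string and compile options) can usually be pulled from the binary with `strings` or by connecting with the product’s own SQLite shell and running `select sqlite_version();` and `pragma compile_options;`.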
** GOOD PEOPLE DOING GOOD THINGS
A few things to note this week:
Firstly, a big congrats to Eric Mill (https://twitter.com/konklone/status/1072562039908913154) for his new position (https://www.techcongress.io/fellows) as a TechCongress fellow. He spent the past four years at the General Services Administration, working hard to secure the government one domain at a time.
After last week’s passing of Australia’s anti-encryption law, a parody ad video (https://twitter.com/fluidfluxation/status/1072497782756438018?s=21) made the rounds, ripping into the government’s new powers. It’s two minutes long, but worth it for the laughs.
And, if you’re as interested in hacking Christmas tree lights as NSA cyber chief Rob Joyce (https://twitter.com/RGB_Lights/status/939633578492792832) (no, seriously — he’s actually very good at it (https://www.theregister.co.uk/2018/01/22/rob_joyce_hacking/)), you might want to consider investing in Twinkly (https://www.twinkly.com/), app-controlled LED string lights that do exactly this. Here they are in action (https://imgur.com/gallery/NWpO6if). ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercats are Fuzzwinkel (left) and Tubbs (right). Incredibly cute, would definitely trust them with my two-factor backup codes. Thanks to Megan Allison for sending these two in! (You may need to enable images in this email.) Bad news: there are no more cybercats in the queue. We’re in a cybercat drought! I need many, many more! Please send me your submissions by email: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20). ~ ~
** SUGGESTION BOX
That’s all for this week. Hope you have a good week. A little over a week until Christmas, so make sure you get your shopping done. I’ll be back next week. Any feedback: drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Take care. ~ ~