this week in security — december 22 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 49
~ ~
** THIS WEEK, TL;DR
Twelve million phones, one dataset, zero privacy (https://www.nytimes.com/tracked) The New York Times ($): Absolute bombshell reporting this week from the Times, after obtaining a cache of location data on 12 million phones. The dataset was so vast and detailed that the reporters could track (https://www.nytimes.com/interactive/2019/12/20/opinion/location-data-national-security.html) President Trump around Washington, revealing what could be a major national security risk. The apps that feed these data aggregators report your phone's location constantly, so the aggregators know exactly where we go, when, and sometimes even why. Or, as the Times puts it: “Connecting those pings reveals a diary of the person’s life.” Even children are being tracked. Some of the companies named, including Factal and Cuebiq (https://twitter.com/chronic/status/1207690432223690755) , were noted as major data aggregators more than a year ago. More: The New York Times ($) (https://www.nytimes.com/interactive/2019/12/20/opinion/location-data-national-security.html) | @chronic tweets (https://twitter.com/chronic/status/1207397074871799809)

A data leak exposed data on 3,000 Ring users (https://www.buzzfeednews.com/article/carolinehaskins1/data-leak-exposes-personal-data-over-3000-ring-camera-users) BuzzFeed News: Amazon-owned Ring just can’t catch a break (not that it should). BuzzFeed found a cache of 3,000 Ring customers’ data, including email addresses, passwords, and the time zone and approximate location of the Ring device. I also obtained (https://techcrunch.com/2019/12/19/ring-doorbell-passwords-exposed/) a different but smaller set of data that was formatted identically. It looks like credential stuffing (replaying username and password pairs leaked from earlier breaches elsewhere) was to blame rather than a breach at Ring, but the company effectively blamed its users for not enabling two-factor. Wirecutter suspended (https://twitter.com/wirecutter/status/1207730874860609536) its recommendation of Ring products in the wake of the security problems, which Motherboard noted earlier (https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security) in the week. More: TechCrunch (https://techcrunch.com/2019/12/19/ring-doorbell-passwords-exposed/) | Wirecutter (https://twitter.com/wirecutter/status/1207730874860609536) | Motherboard (https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security)
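Credential stuffing has a signature that a service operator can spot in its own authentication logs, which is why "enable two-factor" is not the whole answer. The following is an added example, not Ring's code or anything from the BuzzFeed or TechCrunch reporting: a small triage script that groups login attempts by source address and separates a stuffing run (many distinct accounts tried from one source in a short window, mostly failing, with a few successes) from a brute force against a single account and from ordinary traffic. The log line format and the sample lines are constructed for this example; the thresholds are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Ring data). One source sprays ten different
# accounts in a few seconds and lands two of them; one source hammers a single
# account; one source is an ordinary user who mistyped once and then logged in.
SAMPLE_LOG = """\
2019-12-18T02:14:01Z src=203.0.113.7 user=alice result=FAIL
2019-12-18T02:14:02Z src=203.0.113.7 user=bob result=FAIL
2019-12-18T02:14:02Z src=203.0.113.7 user=carol result=OK
2019-12-18T02:14:03Z src=203.0.113.7 user=dave result=FAIL
2019-12-18T02:14:03Z src=203.0.113.7 user=erin result=FAIL
2019-12-18T02:14:04Z src=203.0.113.7 user=frank result=FAIL
2019-12-18T02:14:05Z src=203.0.113.7 user=grace result=OK
2019-12-18T02:14:05Z src=203.0.113.7 user=heidi result=FAIL
2019-12-18T02:14:06Z src=203.0.113.7 user=ivan result=FAIL
2019-12-18T02:14:06Z src=203.0.113.7 user=judy result=FAIL
2019-12-18T02:20:00Z src=198.51.100.9 user=mallory result=FAIL
2019-12-18T02:20:01Z src=198.51.100.9 user=mallory result=FAIL
2019-12-18T02:20:02Z src=198.51.100.9 user=mallory result=FAIL
2019-12-18T02:20:03Z src=198.51.100.9 user=mallory result=FAIL
2019-12-18T02:20:04Z src=198.51.100.9 user=mallory result=FAIL
2019-12-18T02:20:05Z src=198.51.100.9 user=mallory result=FAIL
2019-12-18T02:31:10Z src=192.0.2.33 user=peggy result=FAIL
2019-12-18T02:31:25Z src=192.0.2.33 user=peggy result=OK
"""

# Assumed log format: ISO-8601 UTC timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, src, user, succeeded) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines in other formats rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"] == "OK"


def classify_sources(text, min_users=8, min_attempts=5,
                     window=timedelta(minutes=10)):
    """Return {src: finding}; thresholds are assumptions, not Ring's settings."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(),
                                   "hits": set(), "first": None, "last": None})
    for ts, src, user, ok in parse_log(text):
        s = per_src[src]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)       # accounts this source actually got into
        else:
            s["fails"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    findings = {}
    for src, s in per_src.items():
        span = s["last"] - s["first"]
        fail_ratio = s["fails"] / s["attempts"]
        attempts_per_user = s["attempts"] / len(s["users"])
        # Stuffing: many accounts, roughly one try each, fast, mostly failing.
        if (len(s["users"]) >= min_users and span <= window
                and fail_ratio >= 0.5 and attempts_per_user < 2):
            verdict = "credential_stuffing"
        # Brute force: one or two accounts hit repeatedly, almost all failing.
        elif (s["attempts"] >= min_attempts and len(s["users"]) <= 2
              and fail_ratio >= 0.8):
            verdict = "brute_force"
        else:
            verdict = "benign"
        findings[src] = {
            "verdict": verdict,
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "fail_ratio": round(fail_ratio, 2),
            # Successful logins from a hostile source are the accounts to
            # force a reset on and notify, regardless of the user's 2FA choice.
            "compromised": sorted(s["hits"]) if verdict != "benign" else [],
        }
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(SAMPLE_LOG).items():
        print(src, f)
```

The output the operator cares about is the `compromised` list per hostile source: those are the accounts whose passwords were already known to the attacker, so a reset and a notification are owed to those users whether or not they had two-factor on. Real stuffing runs are usually spread across proxy pools so that no single address crosses a threshold; in production the same counters are kept per ASN, per device fingerprint, or per password hash prefix, and the time window is a sliding one rather than first-to-last as here.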
The hacker who took down a country (https://www.bloomberg.com/news/features/2019-12-20/spiderman-hacker-daniel-kaye-took-down-liberia-s-internet) Bloomberg ($): A deep-dive from Bloomberg (I know, I know, but this was good reporting) about Daniel Kaye, also known as ‘Spdrman,’ who took down Liberia’s internet. It details how a Mirai botnet was used to pummel the country’s internet with junk traffic. It was largely possible because Liberia, on Africa’s west coast, depended on a single submarine fiber cable for its international connectivity. The main mobile provider, Lonestar, couldn’t handle the barrage of data. @MalwareTechBlog (https://twitter.com/MalwareTechBlog/status/1208049982676164609) , who tracked Mirai, gave some insight into the attack for the first time. More: @razhael (https://twitter.com/razhael/status/1208048920020111361) | @GossiTheDog (https://twitter.com/GossiTheDog/status/1207997556732628994)
Wawa convenience stores hit by card-stealing malware (https://www.wawa.com/alerts/data-security) Wawa: Well this isn’t good news. Anyone who paid by card at a Wawa store or fuel pump between March and December 2019 may have had their card details stolen. Wawa said PINs and card verification numbers (CVV) were not taken. Some 850 locations were affected over those months. This represents one of the largest credit card breaches of the year. More: Washington Post ($) (https://www.washingtonpost.com/business/2019/12/20/wawa-hit-with-massive-data-breach-potentially-affecting-all-locations-ceo-says/)
‘Massive errors’ found in face recognition tech (https://news.yahoo.com/massive-errors-found-facial-recognition-tech-us-study-215334634.html) AFP, Yahoo News: A study out this week (https://www.nist.gov/news-events/news/2019/12/nist-study-evaluates-effects-race-age-sex-face-recognition-software) shows facial recognition systems misidentify people of color far more often than white people, with false-positive rates for some demographic groups as much as a hundred times higher. The research, carried out by the U.S. government agency NIST, warned that false positives can expose innocent individuals to increased surveillance or scrutiny. More: NIST (https://www.nist.gov/news-events/news/2019/12/nist-study-evaluates-effects-race-age-sex-face-recognition-software)
Cloud flaws expose millions of child-tracking smartwatches (https://techcrunch.com/2019/12/18/cloud-flaws-millions-child-watch-trackers/) TechCrunch: A rash of flaws disclosed this year in popular white-label smartwatches shared a common point of failure that earlier work overlooked: the cloud. The backend systems supporting these devices were vulnerable to a number of flaws. The security was so bad that the APIs were easily abusable, exposing the locations of millions of smartwatches and their owners, who were often children. (Disclosure: I wrote this story.) @cybergibbons (https://twitter.com/cybergibbons/status/1207411248943575040) has a tl;dr tweet thread. Some devices also let parents and kids talk to each other, and those recordings were exposed too. @TheKenMunroShow (https://twitter.com/thekenmunroshow) described it as “another CloudPets,” referring to the defunct toy maker (https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/) . More: Pen Test Partners (https://www.pentestpartners.com/security-blog/kids-tracker-watches-cloudpets-exploiting-athletes-and-hijacking-reality-tv/?=pen-test-partners) | @cybergibbons tweets (https://twitter.com/cybergibbons/status/1207411248943575040) | Background: Troy Hunt (https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/)
Facebook separates two-factor security from friend suggestions (https://www.reuters.com/article/us-facebook-privacy-idUSKBN1YN26Q) Reuters: Finally and long overdue, Facebook won’t use phone numbers that users signed up to two-factor with for its “people you may know” feature, citing a privacy overhaul. Facebook shouldn’t have been doing this in the first place, but was caught out matching the numbers against its feature by journalist Kashmir Hill (https://twitter.com/lorenzofb/status/1208035667667668993) . There is a catch, though. To disconnect the two, you have to re-do two-factor (https://twitter.com/RMac18/status/1207710609904562176) . Facebook finally gives you some privacy, yet you still have to work for it. More: @RMac18 tweets (https://twitter.com/RMac18/status/1207708366388133889)
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Epilepsy Foundation was targeted in mass strobe cyberattack (https://www.nytimes.com/2019/12/16/us/strobe-attack-epilepsy.html) The New York Times ($): Bad actors sent thousands of flashing images to The Epilepsy Foundation’s followers on Twitter, prompting the organization to file a criminal complaint (https://www.epilepsy.com/release/2019/12/epilepsy-foundation-files-criminal-complaint-and-requests-investigation-response) in response to the attack. It follows a similar attack on Kurt Eichenwald in 2016, when he was targeted with a flashing GIF of the same kind.
Minnesota Blue Cross scrambles to boost cyberdefenses (http://www.startribune.com/minnesota-blue-cross-scrambles-to-boost-cyber-defenses/566184041/) Minnesota Star Tribune: Internal documents show that Minnesota’s Blue Cross “allowed 200,000 vulnerabilities classified as ‘critical’ or ‘severe’ to linger for years on its computer systems, despite stark warnings to executives.” Most employee workstations weren’t protected either. Software patches were available to fix most of the weak points. Of course, Blue Cross said protecting its 2.8 million users’ info is a “top priority.” But as usual, the company offered no evidence of this, and the facts speak for themselves.
Tories switch to messaging app Signal after WhatsApp leaks (https://www.theguardian.com/politics/2019/dec/17/tories-switch-to-messaging-app-signal-to-curb-whatsapp-leaks) The Guardian: The U.K.’s ruling Conservative Party are moving away from encrypted messaging app WhatsApp to Signal after message chains kept leaking to the press. Think about that next time the U.K. pipes up with anti-encryption rhetoric — one rule for them, another for the rest of us. The move is bizarre given most of the leaked WhatsApp messages were screenshotted, so it’s not clear how the Tories are going to solve that particular problem.
Facebook says it can get around disabled location settings (https://www.cnbc.com/2019/12/17/facebook-responds-to-senators-questions-on-location-tracking-policy.html) CNBC: In response to Sens. Josh Hawley and Chris Coons, Facebook said it “is able to estimate users’ locations used to target ads even when they’ve chosen to reject location tracking through their smartphone’s operating system,” such as by using IP addresses and metadata within photos. It says this is done for security, but that hasn’t sat well with many, given that only this week it finally decoupled two-factor phone numbers from its friend-matching feature.
Thousands of students in Germany queue for email access (https://www.bbc.com/news/technology-50838673) BBC News: Some 38,000 students in Germany were told to stand in a queue to wait for a new email password after their university was hit by a cyberattack. The attack knocked the entire network offline some days earlier. Well that’s one way to get your password reset…
~ ~
** SUPPORT THIS NEWSLETTER
A big thanks to you for reading! As subscribers (and costs) go up, you can support this newsletter by contributing to the Patreon (https://www.patreon.com/thisweekinsecurity) . You can donate as little as $1/month — or more for exclusive perks. Thanks for your support!
~ ~
** OTHER NEWSY NUGGETS
Inside ‘Evil Corp,’ a $100 million cybercrime menace (https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/) @briankrebs (https://twitter.com/briankrebs) takes the Evil Corp deep-dive this week looking at the notorious Russian cybercrime gang that was indicted last week. The timeline goes way back to 2008 when Krebs was working for the Washington Post.
Local officials unhappy with election security framework (https://www.cyberscoop.com/election-security-west-virginia-state-local/) Cyberscoop obtained a transcript of a call with state election officials who were frustrated by the rollout of a security framework, designed to create a consistent process for alerting about foreign influence and interference efforts.
FISA court rebukes FBI over handling of wiretap request (https://www.wsj.com/articles/secretive-surveillance-court-rebukes-fbi-over-handling-of-surveillance-of-trump-aide-11576615299) The FISA Court, the secretive Washington DC-based court that handles the U.S. government’s secret surveillance requests, filed a public order berating the FBI for its handling of a FISA warrant issued by the court for Carter Page, a former Trump aide, which the FBI bungled. The court’s presiding judge was pissed off — but not as pissed off (https://twitter.com/emptywheel/status/1207079114768695296) as she has been in the past.

Email cleanup service Unroll.me settles after misleading data claims (https://twitter.com/techmeme/status/1207153804971585537) Unroll.me said it wasn’t collecting and storing email data when users signed up to clean up their inboxes, but guess what — it absolutely was, and selling it on to Uber and other companies.
LifeLabs hit by data theft, hackers sell data back (https://arstechnica.com/information-technology/2019/12/clinical-lab-pays-hackers-for-the-return-of-data-of-15-million-patients/) Here’s a weird twist. Canada’s biggest specialty lab testing provider was hacked, with some 15 million customers hit by the attack. The hackers stole the data, then sold it back to the lab testing provider. LifeLabs didn’t say how much it paid. LifeLabs’ response is here (https://customernotice.lifelabs.com/) .
~ ~
** THE HAPPY CORNER
Here’s some good news from the week.
A new anti-robocall law has been agreed on in Congress, spelling out fines of up to $10,000 per illegal call. That’s huge news! It’ll also mandate caller ID authentication (the STIR/SHAKEN framework, which cryptographically signs the calling number so that spoofed calls can be flagged or dropped), helping to weed out spam callers.
Apple’s cross-platform bug bounty is now in effect, including (long-awaited) Macs. @radian (https://twitter.com/radian/status/1207871162287611906) , who gave a Black Hat talk on bug bounties earlier this year, has all the details. As usual, there is small print (https://twitter.com/ryanaraine/status/1207851622732140544) .
And finally, Motherboard this week (https://www.vice.com/en_us/article/j5yyep/the-cybersecurity-stories-we-were-jealous-of-in-2019) posted its annual ‘jealousy’ list of all the articles they wish they had written themselves. Yours truly is on the list (thank you, Motherboard) as well as a ton of other really good stories you might’ve missed during the year. If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter) .
~ ~
** THIS WEEK’S CYBER CAT
Meet Wingnut, this week’s cybercat. Wingnut loves warm routers and stray cables. A big thank you to Kristin E. for the submission! (You may need to enable images in this email.) Keep sending in your cybercats! You can drop them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . Looking forward to seeing them!
~ ~
** SUGGESTION BOX
That’s all for this week. A big thanks for reading. As usual, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Happy Christmas and Hanukkah to everyone who’s celebrating this week. Have a safe, peaceful and stress-free week. See you next Sunday.