this week in security — december 23 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 23.
** THIS WEEK, TL;DR
As Facebook Raised a Privacy Wall, It Opened to Tech Giants (https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html) The New York Times ($): Enough already, Facebook! It’s like we can’t go a week (or 12 days (https://www.buzzfeednews.com/article/ryanmac/literally-just-a-big-list-of-facebooks-2018-scandals), specifically) without a Facebook scandal. This week, it was revealed that Facebook gave its tech rivals and partners more access to our data than we first thought, without our express permission. Spotify had access to our private messages, Bing could see our friends lists, and Yahoo saw live feeds of friends’ posts, to name just a few. (Sure, that’s how APIs work!) But it once again showed how fast and loose the company has been with our data. Worse, Facebook all but blamed (https://newsroom.fb.com/news/2018/12/facebooks-partners/) the user. Maybe Zuckerberg has had enough of saying “sorry.” (Here’s a BBC News link (https://www.bbc.com/news/technology-46618582) for the rest of us plebes without a Times subscription.) More: The New York Times ($) (https://www.nytimes.com/2018/12/18/us/politics/facebook-data-sharing-deals.html) | Context: BuzzFeed News (https://www.buzzfeednews.com/article/ryanmac/literally-just-a-big-list-of-facebooks-2018-scandals) | BBC News (https://www.bbc.com/news/technology-46618582)
Google’s Secret China Project “Effectively Ended” After Internal Confrontation (https://theintercept.com/2018/12/17/google-china-censored-search-engine-2/) The Intercept: Remember that China-focused censored search engine Google absolutely wasn’t working on — pinky promise? Well, it’s no more. Not that it existed in the first place! (It did, it definitely did (https://theintercept.com/2018/08/08/google-censorship-china-blacklist/).) The so-called Dragonfly project was eventually, if begrudgingly, confirmed to Congress when those pesky lawmakers wouldn’t back down. Now it seems that the internal ruckus effectively killed the project, largely after Google’s privacy team confronted the company’s senior executives. More: The Intercept (https://theintercept.com/collections/google-dragonfly-china/) | @rj_gallagher tweet thread (https://twitter.com/rj_gallagher/status/1074718903190896640)
Twitter Alerts Some Users to ‘Unusual’ Data Leak (https://gizmodo.com/twitter-alerts-some-users-to-unusual-data-leak-1831158698) Gizmodo: Twitter’s password reset support form was leaking the country codes of the phone numbers associated with users’ accounts — not the full phone number. But it’s enough to identify the location (-ish) of critics and dissidents, especially those in regimes where freedom of speech is, well, non-existent. Twitter effectively blamed (https://help.twitter.com/en/support-form) China and the Saudis — without citing evidence (https://twitter.com/zackwhittaker/status/1074744263446093824). Maybe it was because Twitter knew of the bug two years earlier (https://techcrunch.com/2018/12/18/twitter-warned-country-code-form-leak-bug-security-researcher/) but did nothing? Makes you wonder. More: Twitter (https://help.twitter.com/en/support-form) | TechCrunch (https://techcrunch.com/2018/12/18/twitter-warned-country-code-form-leak-bug-security-researcher/)
American Sues US Government For Forcing Phone Unlock at Airport (https://motherboard.vice.com/en_us/article/j5zny7/haisam-elsharkawi-lawsuit-against-us-government-cbp-dhs-unlock-phone) Motherboard: CBP and DHS officers reportedly forced an American man — of Muslim faith (oh, here we go…) — into unlocking his phone at the U.S. border. Granted, it’s their right to demand he unlock his phone, just as it’s very much his right to tell them to “sod off.” He didn’t; like many innocent people, he was coerced into complying for fear he wouldn’t be allowed in, and he wasn’t allowed a lawyer during his four-hour interrogation. Let’s hope he wins. More: The New York Times ($) (https://www.nytimes.com/2017/02/14/business/border-enforcement-airport-phones.html) | CourtListener (https://www.courtlistener.com/docket/8168712/haisam-elsharkawi-v-united-states-of-america/)
EFF Sued To Obtain AT&T’s Hemisphere Program Documents — And Won (https://www.eff.org/deeplinks/2018/12/and-after-what-we-learned-about-hemisphere-program-after-suing-dea) Electronic Frontier Foundation: A big win for the EFF this week, after it successfully sued the Drug Enforcement Administration for documents on AT&T’s Hemisphere program. Streams of unredacted pages were published about the clandestine DEA program, which showed AT&T gave trillions of phone records to federal prosecutors, dating back decades. The DEA called the program “Google on Steroids.” Background: EFF (https://www.eff.org/cases/hemisphere) | EPIC (https://www.epic.org/foia/dea/hemisphere/2)
Feds Charge Three in Mass Seizure of DDoS-for-Hire Services (https://krebsonsecurity.com/2018/12/feds-charge-three-in-mass-seizure-of-attack-for-hire-services/) Krebs on Security: The FBI, along with Dutch and British police, took down 15 DDoS booter sites this week, and charged three Americans with running a handful of them. One of the sites had 2,000 customers, who launched over 200,000 attacks — including on government sites and banking domains. More: ZDNet (http://www.zdnet.com/article/law-enforcement-shut-down-ddos-booters-ahead-of-annual-christmas-ddos-attacks/) | Justice Department (https://www.justice.gov/opa/pr/criminal-charges-filed-los-angeles-and-alaska-conjunction-seizures-15-websites-offering-ddos)
New Hacks Mean China Broke 2015 Economic Espionage Pact (https://arstechnica.com/tech-policy/2018/12/us-indicts-two-chinese-state-sponsored-hackers-for-attacks-on-msps-in-12-countries/) Ars Technica: The U.S. government accused China of breaking a 2015 promise not to conduct offensive cyber-espionage for economic gain, an Obama-era agreement that apparently means nothing in this day and age. U.S. allies also chipped in, accusing China of breaking the pact. The accusations were made after the U.S. indicted two Chinese men for breaking into dozens of companies and stealing a ton of data, including private information on 100,000 Navy service members. More: Justice Department (https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers) | Reuters (https://www.reuters.com/article/us-china-cyber-usa/u-s-slams-china-for-corporate-cyber-espionage-indicts-two-spies-idUSKCN1OJ1VN) | TechCrunch (https://techcrunch.com/2018/12/20/us-indictment-tech-hacks-chinese/)
** THE STUFF YOU MIGHT’VE MISSED
US ballistic missile systems have very poor cybersecurity (https://www.zdnet.com/article/us-ballistic-missile-systems-have-very-poor-cyber-security/) ZDNet: “No data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities,” according to a security audit by the Pentagon’s inspector general, reports @campuscodi (https://twitter.com/campuscodi). The report reads like a hot mess of security issues.
How hackers bypass Gmail two-factor at scale (https://motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo) Motherboard: Amnesty International discovered how hackers could bypass two-factor authentication by phishing the one-time codes sent to phones. And because it’s automated, the hackers can steal your code and break into your account in seconds — without you noticing. The full report can be found here (https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/).
EFF reveals its annual list of creepy tech not to buy (https://www.eff.org/deeplinks/2018/12/eff-gift-guide-whats-creeping-us-out) Electronic Frontier Foundation: There are some usual suspects on here — anything that Facebook makes, for one — but also other creepy tech that you might not have thought of, or forgotten about. Mozilla also has a more comprehensive list (https://foundation.mozilla.org/en/privacynotincluded/) of creepy tech to avoid this holiday season. “Socks and books aren’t looking so bad now, are they?”
London’s Met Police runs facial recognition test (https://www.newstatesman.com/politics/uk/2018/12/why-metropolitan-police-needs-stop-playing-facial-recognition-tech) New Statesman America: For two days, London’s police force deployed a facial recognition test in three busy spots across the capital. The problem: a FOIA request found that the technology is basically useless — with a near 100% failure rate, reports @jamesrbuk (https://twitter.com/jamesrbuk). By that logic, the facial recognition tech that Taylor Swift used at her concerts (https://www.vulture.com/2018/12/taylor-swift-scanned-audience-with-facial-recognition-tech.html) to spot stalkers was more effective. (That’s Detective Constable Taylor Swift, to you and me.)
India’s government goes gung ho on mass surveillance powers (https://www.buzzfeednews.com/article/pranavdixit/india-home-ministry-surveillance-computers-ten-agencies) BuzzFeed News: India authorized the mass interception and decryption of all data on any computer in the country this week. Naturally, everyone’s pissed off about it. Ten government agencies can demand data (https://www.indiatoday.in/technology/talking-points/story/10-govt-bodies-can-now-monitor-and-seize-any-computer-but-calm-down-india-is-not-a-surveillance-state-yet-1414420-2018-12-21) for any arbitrary reason. Worse, India’s government didn’t even say why it needed such draconian powers.
** OTHER NEWSY NUGGETS
NASA discloses data breach of employee data: They can put a man on the moon but can’t seem to secure a server. NASA revealed a breach (http://spaceref.com/news/viewsr.html?pid=52074) this week affecting a server storing sensitive personal information of current and former NASA employees dating back to July 2006. Great work there, space boffins.
EU cables hack disclosure results in ethics debate: Here’s a strange one. The Times ($) (https://www.nytimes.com/2018/12/18/us/politics/european-diplomats-cables-hacked.html) reported on an EU diplomatic cable hack this week, said to be the work of the Chinese (again). The twist? Area 1, the cybersecurity firm that discovered the breach, gave some of the exposed cables to reporters. (BBC’s version is here (https://www.bbc.com/news/world-europe-46615580).) That got a few people talking. Was it ethical (https://twitter.com/josephfcox/status/1075385358773379072) to hand over the hacked data for reporters to peruse? Debatably (https://twitter.com/MalwareJake/status/1076513438401265665). Possibly (https://twitter.com/razhael/status/1076196185373925377). It’s a grey area, that’s for sure.
Amazon Echo recordings end up in the wrong hands: Every Echo owner’s worst nightmare. Amazon accidentally sent (https://www.reuters.com/article/us-amazon-data-security/amazon-error-allowed-alexa-user-to-eavesdrop-on-another-home-idUSKCN1OJ15J) an Echo user another person’s recordings in response to a GDPR “give me all the data you have on me” request. That’s because Amazon doesn’t encrypt the recordings on the back-end. Amazon responded how it usually does — by pretending it didn’t happen (https://twitter.com/internetofshit/status/1075719099668422656) and burying its head in the sand.
** GOOD PEOPLE DOING GOOD THINGS
@GossiTheDog (https://twitter.com/gossithedog/status/1074273406135209987?s=21) ran a thread this week calling for submissions of “IT crimes” you’ve committed over the years. There are some hilarious results. He started: “At one company we couldn’t afford water leak detection, so we put in a tray below the aircon and I got rubber ducks off Amazon; if they started to float, we had a leak.”
Everyone’s favorite stabby security space bat @mzbat (https://twitter.com/mzbat/) once defined “infosec,” per an entry in Urban Dictionary (https://www.urbandictionary.com/define.php?term=Infosec) that was discovered this week (https://twitter.com/eeyitemi/status/1074791513572474880). Used in a sentence: “Hi, I work in infosec. Please pass the whiskey. No, I won’t fix your computer.” The full definition is just as hilarious. Apparently things are “much worse” now than they used to be (https://twitter.com/mzbat/status/1074791843022495745?s=21).
And, just in time for the holidays, Apple finally fixed (https://twitter.com/_r3ggi/status/1075473568534851584?s=21) a security bug that @patrickwardle (https://twitter.com/patrickwardle) and @_r3ggi (https://twitter.com/_r3ggi/) disclosed more than six months ago. macOS wasn’t properly encrypting photos and documents (https://wojciechregula.blog/your-encrypted-photos-in-macos-cache/) in its cache. Here’s the full security changelog (https://support.apple.com/en-us/HT209139).
** THIS WEEK’S CYBER CAT
This is Newton, whose human is Amit Serper (https://twitter.com/0xamit). Here he is gaining unauthorized access to Amit’s work machine. If you want your cybercat featured in an upcoming newsletter, send them along: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20). They’ll always make it in — that’s a promise.
** SO, ABOUT THIS NEWSLETTER…
Some good news: this newsletter is about to reach the 2,000 subscriber mark. The downside is that’s when it starts to cost me. Mailchimp charges $30 per month over that subscriber limit, and then a bit more as more people sign up. I’m reluctant to do sponsorships (because of editorial freedom), so I’m opening the door to donations. Please consider sending any loose change or a couple of bucks to my PayPal (http://paypal.me/thisweekinsecurity). I’m also “zackwhittaker (https://gallery.mailchimp.com/e1ad6038c994abec17dafb116/images/f3332cd4-d967-4008-9774-1a35a9fb1d32.png)” on Venmo. All donations go 100% to cover the Mailchimp costs of the newsletter, and nothing else.
Anyone who donates and wants to leave their name will get a mention in the next newsletter. (Anonymous is fine, too — just let me know.)
** SUGGESTION BOX
That’s all for now. If you have any feedback or suggestions, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). A very happy Christmas to you all. I’ll be back next week for the last newsletter of the year.