this week in security — december 27 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 49
~ ~
** THIS WEEK, TL;DR
Journalists hacked with suspected NSO’s iMessage ‘zero-click’ exploit (https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/) Citizen Lab: Researchers at internet watchdog Citizen Lab say they’ve found evidence that dozens of journalists were targeted with a “zero-click” exploit that was used to silently deliver the NSO-developed Pegasus spyware, which can tap into the phone’s data, camera, microphone, and location. The Pegasus operators, all said to be governments, used an undisclosed vulnerability in iMessage to silently deliver the spyware, the researchers said. One London-based journalist was targeted with a rare zero-click zero-day, using a previously undisclosed vulnerability to target her phone, which was running the latest version of iOS at the time. Apple said the iMessage vulnerability was fixed in iOS 14 (but wouldn’t say what changed — classic). “To be a journalist is not a crime,” one of the targeted journalists told me. More: The Guardian (https://www.theguardian.com/media/2020/dec/20/citizen-lab-nso-dozens-of-aljazeera-journalists-allegedly-hacked-using-israeli-firm-spyware) | Forbes (https://www.forbes.com/sites/thomasbrewster/2020/12/20/apple-security-warning-zero-click-iphone-hacks-hit-36-al-jazeera-journalists/) | TechCrunch (https://techcrunch.com/2020/12/20/citizen-lab-iphone-nso-group/)

SolarWinds hack infected critical infrastructure, including power industry (https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/) The Intercept: At least 15 critical infrastructure firms in the electric, oil, and manufacturing industries were running the backdoored SolarWinds Orion software, per @kimzetter (http://twitter.com/kimzetter). Zetter also said at least three hardware makers, or OEMs, which have access to their customers’ networks in order to provide remote support, were also using the backdoored SolarWinds software, which may have allowed the hackers access to critical infrastructure networks. According to Dragos’ @RobertMLee (https://twitter.com/robertmlee), two of the compromised OEMs had access to hundreds of networks. But it’s not known if the hackers actively used the backdoors to gain access to the segmented networks that run industrial control systems, because most don’t do extensive logging. Still, Lee explained that any access obtained doesn’t necessarily equal calamity. “Just because you have access…doesn’t mean they can then flip off the lights.” More: @kimzetter tweets (https://twitter.com/KimZetter/status/1342200712093028354) | @RobertMLee tweets (https://twitter.com/RobertMLee/status/1342205147787759617)
Suspected Russian hackers used Microsoft vendors to breach customers (https://www.reuters.com/article/uk-global-cyber-usa/suspected-russian-hackers-made-failed-attempt-to-breach-crowdstrike-company-says-idUKKBN28Y1BY) Reuters: OK, so keeping with that OEM theme for a hot second — now Reuters says that the hackers behind the SolarWinds breach used access to Microsoft resellers to penetrate targets that weren’t backdoored by SolarWinds at all. The hackers used access to the reseller, which sells Office licenses but also has access to client systems for maintenance and customer support, to try to read the Office 365 cloud email belonging to cybersecurity giant CrowdStrike. Luckily, CrowdStrike only uses Office desktop apps and not Office 365 for its email. Had it been, it would’ve been “game over,” per a source speaking to Reuters. Microsoft stressed that it has “not identified any vulnerabilities or compromise of Microsoft product or cloud services.” It goes to show — even at this early stage of understanding the SolarWinds attack — just how far and wide the hackers’ access was to U.S. systems. More: @josephmenn tweets (https://twitter.com/josephmenn/status/1342209005578407936) | Wired ($) (https://www.wired.com/story/russia-solarwinds-hack-targets-fallout/) | NBC News (https://www.nbcnews.com/tech/security/why-russian-hack-so-significant-why-it-s-close-worst-n1252131)
Law enforcement take down three bulletproof VPN providers (https://www.zdnet.com/article/law-enforcement-take-down-three-bulletproof-vpn-providers/) ZDNet: If there’s ever a perfect example of why you shouldn’t trust your VPN provider any more than your ISP, it’s this. A trio of “bulletproof” VPN providers, used by criminals because these services are known for resisting law enforcement requests, were seized this week by U.S. and European authorities. The VPNs were allegedly used to hide the real identities of credit card skimmers, hackers, and ransomware groups. Europol, which was involved in the operation, said it plans to analyze the collected information and start cases to identify and take action against some of the services’ users. More: Justice Dept. (https://www.justice.gov/usao-edmi/pr/us-law-enforcement-joins-international-partners-disrupt-vpn-service-used-facilitate) | Europol (https://www.europol.europa.eu/newsroom/news/cybercriminals%E2%80%99-favourite-vpn-taken-down-in-global-action)
The New York school district that used facial recognition now has to stop (https://www.buzzfeednews.com/article/carolinehaskins1/new-york-stops-school-facial-recognition) BuzzFeed: New York Governor Andrew Cuomo announced a moratorium on facial recognition in schools across the state this week — including Lockport City School District, which uses the controversial face scanning technology. BuzzFeed obtained documents of a presentation given by the school in support of facial recognition, saying “history is on our side.” Many schools took to facial recognition in the wake of the 2018 shooting at the Marjory Stoneman Douglas High School in Florida, but experts have long said that the technology is disproportionately biased against vulnerable communities. More: @caro1inehaskins (https://twitter.com/caro1inehaskins/status/1341864480033140736)
Hackers threaten to leak plastic surgery pictures (https://www.bbc.com/news/technology-55439190) BBC News: Another day, another major ransomware incident. This time it’s at a large cosmetic surgery chain, and the hackers are threatening to publish patient before-and-after photos and other data if the company doesn’t pay up. The Hospital Group was hit by the REvil ransomware group, which steals data before encrypting the network. If the victim doesn’t pay up — even if the victim restored their files from a backup — the hackers threaten to publish the files online. The cosmetic surgery chain confirmed the breach, but didn’t tell patients that their information had been held for ransom, angering some patients. The chain could also incur considerable fines if found in violation of GDPR. More: @joetidy (https://twitter.com/joetidy/status/1342107785987821568)
~ ~
** SUPPORT THIS NEWSLETTER
A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps to cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Why the butt pajamas will follow you forever (https://gizmodo.com/the-butt-pajamas-will-follow-you-forever-1845929307) Gizmodo: If you read a certain Elle piece this week, you likely also encountered “the ad” — for buttless pajamas (or “buttflapped onesies”) no less. Turns out this particular ad was programmed to follow you around the web. @swodinsky (https://twitter.com/swodinsky) does an excellent job of explaining the technical details of how this particular ad campaign works, why it follows you across the web, and why it’s so damn persistent. If there’s ever been a reason to use an ad blocker…

Tech titans throw weight behind WhatsApp allegations in NSO surveillance lawsuit (https://www.cyberscoop.com/microsoft-google-nso-group-lawsuit/) Cyberscoop: Back to NSO Group for a hot second. WhatsApp sued NSO last year for exploiting a vulnerability in the messaging app that was used to deliver its Pegasus spyware on some 1,400 victims — including journalists and human rights activists. A key part of NSO’s defense is that it enjoys legal immunity because its customers are foreign governments. But Microsoft said in a blog post (https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/) last week that it was going to take on NSO in the courts to challenge that defense. Now Microsoft has got the support (https://blogs.microsoft.com/on-the-issues/2020/12/21/cyber-immunity-nso/) of other companies — including Google, Cisco, and VMware — to ask the court to rule in WhatsApp’s favor. “We believe the NSO Group’s business model is dangerous and that such immunity would enable it and other [private-sector offensive actors] to continue their dangerous business without legal rules, responsibilities or repercussions,” Microsoft said (https://blogs.microsoft.com/on-the-issues/2020/12/21/cyber-immunity-nso/). Several rights groups, including Amnesty International, have also joined in WhatsApp’s defense.

How the Covid-19 pandemic affected our privacy in 2020 (https://www.vox.com/recode/22189727/2020-pandemic-ruined-digital-privacy) Recode: This year, our lives went almost exclusively digital — thanks to the pandemic. But because Congress was either deadlocked or focused on other things, privacy laws have failed to keep up. @SaraMorrison (https://twitter.com/SaraMorrison) explains how the year started with promise, but that the shift to the online world meant that our data went with it.
~ ~
** OTHER NEWSY NUGGETS
How are police actually breaking phone encryption? (https://twitter.com/matthew_d_green/status/1341750252815208451?s=21) @matthew_d_green (https://twitter.com/matthew_d_green/) had a great thread this week in response to a tweet of mine about the ACLU suing (https://www.aclu.org/news/privacy-technology/the-fbi-is-secretly-breaking-into-encrypted-devices-were-suing/) the FBI over its efforts to break into encrypted devices. How are cops actually breaking into locked iPhones? Green and his students found (to be published in an upcoming report) that police are likely relying on the owner typing in their passcode before their device is seized, not after. Green explains (https://twitter.com/matthew_d_green/status/1341761480673398785) how Apple’s encryption efforts fall short, and why those shortcomings make it easier for cops to use technology to break into locked phones. The whole thread (https://twitter.com/matthew_d_green/status/1341750252815208451?s=21) is worth the read.

No, Cellebrite cannot ‘break Signal encryption’ (https://signal.org/blog/cellebrite-and-clickbait/) This is why you should care about device encryption: if cops (or hackers) can break into your phone, they can access the data inside. That’s not a controversial viewpoint — it’s just how it is. But this week, Signal founder @moxie (https://twitter.com/moxie/status/1337434126186553345) responded to a claim that phone hacking company Cellebrite could break the app’s encryption. Turns out, the write-up was a bust, which he explains in more detail in a blog post (https://signal.org/blog/cellebrite-and-clickbait/). But that didn’t stop news outlets breathlessly reporting that Signal’s encryption had been broken. It hasn’t been — but it’s a good reminder to use disappearing messages in case your phone is hacked or seized, since you can’t recover what isn’t there.

GoDaddy employees were told they were getting a holiday bonus. It was a phishing test (https://coppercourier.com/story/godaddy-employees-holiday-bonus-secruity-test/) If there’s one way to destroy your company’s already dwindling morale ahead of the holiday season, it’s by tricking employees into thinking they got a holiday bonus when they didn’t. It was a phishing test. This unconscionable act was compounded by making employees who “failed” the phishing test retake the mandatory security social engineering training. That in itself makes no sense, since the email was sent from a corporate @godaddy.com email. I seldom swear in this newsletter, but this was an extremely shitty thing for GoDaddy to do.
~ ~
** THE HAPPY CORNER
In the happy corner this week, @caseyjohnellis (https://twitter.com/caseyjohnellis/status/1341593119280619521?s=21) asks what you’re most proud of doing or being a part of in 2020 — and some of the responses (https://twitter.com/caseyjohnellis/status/1341593119280619521?s=21) are as much hilarious as they are wholesome. Nice to remember that this year hasn’t been complete garbage (just most of it).
Meanwhile, Sisyphus gets a job in cybersecurity. (Credit to @summer__heidi (https://twitter.com/summer__heidi/status/1340914826902523904?s=21).)

It’s past Christmas, but this home hacker project (https://www.youtube.com/watch?v=TvlpIojusBE) involved plotting the coordinates of hundreds of LED Christmas tree lights to make a ton of patterns and sequences. All the code and equipment used is on the YouTube video below the fold.

A big, big thank you to Motherboard (https://www.vice.com/en/article/4adnjw/the-cybersecurity-stories-we-were-jealous-of-in-2020) for including ~this week in security~ on its annual cyber jealousy list. It’s a genuine honor from two reporters who consistently do such incredible work themselves. There are a ton (https://www.vice.com/en/article/4adnjw/the-cybersecurity-stories-we-were-jealous-of-in-2020) of other cyber stories in this list from the year which you should read if you haven’t already.

If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** CYBER CAT & FRIENDS
From the very first edition, ~this week in security~ has featured a cyber cat, submitted by a reader. But a lot of you have asked me in the past year if it’s time to open submissions to non-cats. At first I was reluctant, admittedly, especially for the folks who (like me) really love the cyber cats. But then my partner @ja_davids (https://twitter.com/ja_davids) suggested why not just have both? “You can call it ‘cyber cats and friends’,” she said. I can’t really argue with that, since it’s the best of both worlds. And so it will be. So keep sending in your cyber cats(!) but also feel free to send in your non-feline friends and they’ll also be featured in an upcoming newsletter. You can submit them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.).
This week features Willow, who thinks this particular moment would be a great time to stop working. A big thanks to Willow’s human @AprilFDoss (https://twitter.com/AprilFDoss) for the submission.
~ ~
** SUGGESTION BOX
And that’s all for now. Thanks so much for reading. Keep sending in your cyber cats (and their friends). As always, if there’s any feedback, feel free to drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you in the new year. Hopefully it won’t be as bad as this one.
~this week in security~ does not track email opens or link clicks.