this week in security — december 29 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 50
** THIS WEEK, TL;DR
Popular chat app was a UAE spy tool (https://www.nytimes.com/2019/12/22/us/politics/totok-app-uae.html) The New York Times ($): Top of the newsletter two weeks in a row: this time, it’s because the paper found evidence that the popular Emirati messaging app ToTok was a spying tool. The app was approved by Apple for its App Store and has since been removed, but not before being installed by millions. The app was used to “track every conversation, movement, relationship, appointment, sound and image” of those who installed it. How did the UAE pull it off? Ban (https://twitter.com/lorenzofb/status/1209028681995292673) existing messaging apps, then leave citizens with only one option. @patrickwardle (https://twitter.com/patrickwardle/status/1210742545451323392) , who did the app’s analysis and has a separate blog post (https://objective-see.com/blog/blog_0x52.html) covering his work, did so by jailbreaking a device — despite Apple’s recent jihad against breaking out of its walled garden. More: Objective-See (https://objective-see.com/blog/blog_0x52.html) | @patrickwardle (https://twitter.com/patrickwardle/status/1210742545451323392)
Pentagon warns military members DNA kits pose ‘risks’ (https://news.yahoo.com/pentagon-warns-military-members-dna-kits-pose-personal-and-operational-risks-173304318.html?ncid=twitter_yahoonewst_sjwumo1bpf4) Yahoo News: If you’re in the military, maybe think twice before using that DNA testing kit you got for the holidays. The Pentagon says DNA data collected by private companies could pose a security risk, according to a memo obtained by Yahoo News. The memo didn’t go into specifics, however. Some DNA-focused companies have already seen (https://techcrunch.com/2019/11/07/veritas-genetics-data-breach/) security issues. More: @JennaMC_Laugh (https://twitter.com/JennaMC_Laugh/status/1209166839810609152) | @vermontgmg (https://twitter.com/vermontgmg/status/1209213933355241472)
How close did Russia really come to hacking the 2016 election? (https://www.politico.com/news/magazine/2019/12/26/did-russia-really-hack-2016-election-088171) Politico: VR Systems, a major provider of election technology, was hacked — per the U.S. government — in the run-up to the 2016 presidential election. But the company has continued to deny it was ever hit. This @kimzetter (https://twitter.com/KimZetter) deep-dive looks at the company and why it matters — its technology is used all over critical swing states. With 2020 just around the corner, officials might be going into the new year — and election — without as much visibility as they should have. More: @kimzetter tweets (https://twitter.com/KimZetter/status/1210246393085825024) | @mattblaze tweets (https://twitter.com/mattblaze/status/1210263591414325249)
Malware broker behind U.S. hacks is now teaching computer skills in China (https://www.reuters.com/article/us-china-usa-cyber-exclusive-idUSKBN1YS0UI) Reuters: A Chinese malware broker who was sentenced to time served in the U.S. for dealing in malware linked to major hacks has returned to China. Yu Pingan is back teaching high-school computer courses — including one course on internet security, no less. Yu pleaded guilty to conspiracy charges including hacks against Qualcomm, Riot Games, and other large breaches. He was also accused of involvement in the massive Office of Personnel Management breach. Background: Reuters (https://www.reuters.com/article/us-usa-cyber-opm/chinese-national-arrested-in-los-angeles-on-u-s-hacking-charge-idUSKCN1B42RM)
Chinese hacker group caught bypassing 2FA (https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/) ZDNet: Chinese hacker group APT20 is able to bypass two-factor authentication protections, says security firm Fox-IT. Most of the APT’s targets are governments and managed service providers (MSPs). How it was done remains unclear, but the theory goes that the hackers stole an RSA software token from a hacked system and used it to generate one-time codes. More: Fox-IT (https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/)
Ransomware at IT services provider Synoptek (https://krebsonsecurity.com/2019/12/ransomware-at-it-services-provider-synoptek/) Krebs on Security: And speaking of managed service providers, Synoptek was hit by ransomware, disrupting operations for many of its customers. The MSP has over 1,100 customers, including state and local governments. The REvil ransomware is to blame. More: /r/sysadmin (https://www.reddit.com/r/sysadmin/comments/ef2egh/synoptek_issues/)
** THE STUFF YOU MIGHT’VE MISSED
Privacy implications of the Apple U1 chip and ultra-wideband (https://freedom-to-tinker.com/2019/12/21/every-move-you-make-ill-be-watching-you-privacy-implications-of-the-apple-u1-chip-and-ultra-wideband/) Freedom to Tinker: Here’s an interesting one. Apple’s ultra-wideband (UWB) chip in its newest iPhone 11s is said to be used for spatial awareness to “understand its precise location relative to other nearby” devices. Some say it’ll be useful for things like AirDrop wireless sharing. But it’s feared (https://twitter.com/ynotez/status/1209132871392346113) that the technology could be misused for extremely detailed tracking and surveillance.
What do companies know about you? (https://www.axios.com/tag/what-companies-know-about-you/) Axios: An oldie but a goodie, promoted (https://twitter.com/axios/status/1210286761626230786) this week. Axios looks at what some of the major parts of our lives — social networks, search engines, shopping sites, and even hospitals and Axios itself — know about you through tracking and other technologies. It’s an insightful look at how organizations large and small are keeping tabs on your activities.
Citrix flaws could allow unauthorized access to internal networks (https://www.cyberscoop.com/citrix-adc-vulnerability-positive-technologies/) Cyberscoop: A bug in Citrix’s application delivery controller, which lets remote users access applications from the cloud, can allow attackers to break into enterprise networks and remotely run code. Some 80,000 companies are said to be affected, per the research (https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/) by Positive Technologies. Citrix has acknowledged (https://support.citrix.com/article/CTX267027) the flaw.
** SUPPORT THIS NEWSLETTER
Thank you for reading! As subscribers (and costs) go up, you can support this newsletter by contributing to its Patreon (https://www.patreon.com/thisweekinsecurity) . You can donate just $1/month — or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) . A big thank you for all your support.
** OTHER NEWSY NUGGETS
Hackers are breaking into websites and adding links to game Google (https://www.buzzfeednews.com/article/craigsilverman/hackers-website-links-backlinks-seo-spam) Hackers are using dirty tricks to game Google for SEO juice by breaking into sites and adding backlinks. Planting links on other websites improves the search ranking of the sites they point to, so they are more easily found in Google.
That new anti-robocall law won’t stop the calls (https://www.wsj.com/articles/washingtons-new-anti-robocall-law-wont-stop-the-calls-heres-why-11577367931) The Wall Street Journal ($) says a new anti-robocall law set to go into effect soon will not stop the scourge of constant spam calls. Although the new law boosts penalties for those who robocall, enforcement will be the real challenge. The Federal Communications Commission can’t act immediately and has to follow due process, meaning some of the largest robocallers will have to be shut down with evidence and a court order. The reality is that it’s still largely down to the phone owner to block the calls themselves.
U.K. government apologizes after addresses of honors recipients published (https://www.bbc.com/news/uk-50929543) A big congrats to all those who received honors from the Queen this week, even if the news was tarnished by a security lapse. More than 1,000 recipients of the U.K. awards scheme — including senior police officers and politicians — had their addresses published on the U.K. government’s website by mistake. Critics said it was an “inexcusable mistake.” The U.K.’s data protection agency has been notified.
U.S. Cybercom contemplates information warfare to counter 2020 election interference (https://www.washingtonpost.com/national-security/us-cybercom-contemplates-information-warfare-to-counter-russian-interference-in-the-2020-election/2019/12/25/21bb246e-20e8-11ea-bed5-880264cc91a9_story.html) The NSA’s sister agency, U.S. Cybercom, tasked with offensive cyber operations, may target “senior leadership and Russian elites” in Russia — “though probably not President Vladimir Putin, which would be considered too provocative” — to send a message that the U.S. isn’t playing around in this upcoming election. It comes after a largely successful effort by Russia to interfere in the 2016 election.
** THE HAPPY CORNER
It’s that time of year again… NSA’s chief cyber guy Rob Joyce (https://twitter.com/rgb_lights/status/1209610800257740801?s=21) has his usual Christmas lights display in full force. In case you don’t know, when Joyce isn’t protecting the U.S. from cyberthreats he’s tinkering with Christmas lights as a hobby. Each year he puts on a great show. This year is no different. And props to @clur19 (https://twitter.com/clur19/status/1210707428289007616) for revealing the winner of this year’s The Bachelor by looking at the public Venmo profiles of the contestant and his friends. In case you didn’t know, Venmo transactions are public by default (https://techcrunch.com/2019/06/16/millions-venmo-transactions-scraped/) . Now that’s some OSINT chops right there.
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) .
** THIS WEEK’S CYBER CAT
This week’s cybercat is Newt. According to his human, he enjoys destroying plants and tearing down Christmas decor. That’s the spirit, Newt. A big thanks to Darya F. for the submission! Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) .
** SUGGESTION BOX
Hope you had a great holiday. A big thank you for reading! If you have any feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Back next week/year/decade(!). Have a safe New Year’s.