this week in security — december 30 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 24.
** THIS WEEK, TL;DR
It was a quiet week, yet somehow we still have a lot to get through! How A Government Shutdown Affects America’s Cybersecurity Workforce (https://www.fifthdomain.com/congress/2018/12/21/how-a-government-shutdown-affects-americas-cybersecurity-workforce/) Fifth Domain: We’re in week two of the latest government shutdown and there’s no sign of it lifting any time soon. Who hurts? Federal workers, who — as @mzbat (https://twitter.com/mzbat) and others note — often take a huge pay cut or less overall compensation than those working in the private sector. “It’s called civil ‘service’ for a reason,” she said (https://twitter.com/mzbat/status/1079077565661413378). NIST will get hit the hardest during the shutdown, and even the analysis and operations side of the Director of National Intelligence will face a 60 percent closure. And nearly half of Homeland Security’s new cyber division was furloughed — even though it’s the “most protected” agency. More: Roll Call (https://www.rollcall.com/news/politics/white-house-pay-federal-workers) | Nextgov (https://www.nextgov.com/cio-briefing/2018/12/government-shutdown-doesnt-mean-all-it-shuts-down/153651/)
Hardcoded Keys Let Anyone Snoop On Guardzilla Video Recordings (https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/) 0DayAllDay/Rapid7: Guardzilla, a maker of security cameras, hardcoded its AWS keys in its devices to upload user recordings to the cloud. That made it easy for researchers to extract the keys and — if they wanted to — rifle through user data. (I also covered the story here (https://techcrunch.com/2018/12/27/guardzilla-security-camera-flaws/) with some additional details.) The researchers contacted Rapid7 (https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/) to coordinate the disclosure. Guardzilla ignored their emails, so the researchers went public. A day later, Bitdefender went public (https://labs.bitdefender.com/2018/12/iot-report-major-flaws-in-guardzilla-cameras-allow-remote-hijack-of-the-security-device/) with its findings after — guess what? — Guardzilla ignored them, too. More: Rapid7 (https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/) | Charles Dardaman (https://charles.dardaman.com/cve-2018-5560) | Bitdefender (https://labs.bitdefender.com/2018/12/iot-report-major-flaws-in-guardzilla-cameras-allow-remote-hijack-of-the-security-device/) | TechCrunch (https://techcrunch.com/2018/12/27/guardzilla-security-camera-flaws/)
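The Guardzilla story is the classic hardcoded-credential failure: a long-term AWS key baked into every unit, so extracting it from one device exposes every customer's uploads. The defender's check is to grep firmware images for credential-shaped strings before they ship. The scanner below is an added example written for this newsletter, not code from Rapid7, 0DayAllDay or Guardzilla; the "firmware" it scans is a constructed byte string that uses the well-known example key pair from the AWS documentation, and the 256-byte proximity window and the ELF-style header are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA"
# (temporary, STS-issued) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet; the
# lookarounds stop us matching a 40-byte slice out of a longer run.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Assumption for this example: a secret within this many bytes of an
# access key ID is treated as "the pair is stored together".
WINDOW = 256


@dataclass
class Finding:
    offset: int            # byte offset of the access key ID in the image
    access_key_id: str     # redacted: first 4 and last 4 characters kept
    secret_nearby: bool    # a secret-shaped token sits within WINDOW bytes


def redact(token: bytes) -> str:
    """Keep enough of the key to triage it without copying it into a report."""
    text = token.decode("ascii")
    return text[:4] + "*" * (len(text) - 8) + text[-4:]


def find_aws_credentials(blob: bytes) -> list[Finding]:
    """Return every access key ID in the image, flagging those with a secret nearby."""
    findings: list[Finding] = []
    for match in ACCESS_KEY_RE.finditer(blob):
        lo = max(0, match.start() - WINDOW)
        hi = min(len(blob), match.end() + WINDOW)
        neighbourhood = blob[lo:hi]
        has_secret = SECRET_KEY_RE.search(neighbourhood) is not None
        findings.append(Finding(match.start(), redact(match.group()), has_secret))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Convenience wrapper for a firmware image on disk (reads it whole)."""
    with open(path, "rb") as fh:
        return find_aws_credentials(fh.read())


# Constructed sample "firmware": an ELF-like header, a few strings, and two
# embedded keys. The AKIA/secret pair are the published AWS documentation
# example values, not real credentials.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/usr/bin/cloud_uploader\x00"
    + b"https://s3.amazonaws.com/example-recordings/\x00"
    + b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x00" * 300                              # padding keeps the next hit outside WINDOW
    + b"session=ASIATESTTESTTESTTEST\x00"        # temporary-style key, no secret near it
    + b"\x00" * 16
)


if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_FIRMWARE):
        status = "KEY PAIR PRESENT" if f.secret_nearby else "id only"
        print(f"offset 0x{f.offset:06x}  {f.access_key_id}  {status}")
```

Run it against a real image with `scan_file("firmware.bin")` (the path is a placeholder). A hit with `secret_nearby` set is the Guardzilla pattern: a complete long-term key pair shipped in the product. The mitigation the story points at is to stop embedding shared long-term keys at all and issue each device short-lived, per-device credentials instead, so a key pulled from one unit cannot read another customer's recordings.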
Hacker Steals Ten Years Of San Diego School District Data (https://www.zdnet.com/article/hacker-steals-10-years-worth-of-data-from-san-diego-school-district/) ZDNet: The day before Christmas, San Diego Unified School District dropped a whopper on its past and present students — it had kept their data for up to a decade and failed to protect it (https://www.sandiegounified.org/datasafety) from hackers, who broke in months earlier. The school district didn’t disclose it because it was “necessary for our investigation.” (Hint: it wasn’t and never is.) The hacker took personal data — including names, addresses, and phone numbers — and Social Security numbers on some 500,000 staff and students. More: San Diego Unified School District (https://www.sandiegounified.org/datasafety)
Opinion: Our Cellphones Aren’t Safe (https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html) The New York Times ($): Not a news story, but a quick explainer on why cell phones — even today — still aren’t safe. EFF’s Cooper Quintin (https://twitter.com/cooperq), a senior staff technologist, says the cell network backend (specifically SS7) is insecure and opens up millions to eavesdropping and hacking. “There is no government agency that has the power, funding and mission to fix the problems,” he writes. Worse, it’s an international issue that nobody seems to want to fix. More: Electronic Frontier Foundation (https://www.eff.org/deeplinks/2018/10/there-are-many-problems-mobile-privacy-presidential-alert-isnt-one-them) | Motherboard (https://motherboard.vice.com/en_us/article/598xyb/what-is-ss7-and-is-china-using-it-to-spy-on-trumps-cell-phone)
Hackers Make a Fake Hand to Beat Vein Authentication (https://motherboard.vice.com/en_us/article/59v8dk/hackers-fake-hand-vein-authentication-biometrics-chaos-communication-congress) Motherboard: At the Chaos Communication Congress in Germany, researchers disclosed flaws in vein authentication systems — where a biometric device scans under your skin to match the pattern of veins it has in its system. Intelligence agencies are said to use vein authentication, as it’s believed to be one of the strongest methods of verifying a person’s identity. Turns out you can fool some biometric scanners with just a wax hand. The lesson here? “Change your veins regularly,” writes @josephfcox (https://twitter.com/josephfcox/status/1078405183669972992). More: Chaos Communications Congress [PDF] (https://berlin.ccc.de/~starbug/talks/1812-congress.pdf) | Background: DPA [German] (https://www.welt.de/regionales/bayern/article184668046/Bundesnachrichtendienst-Der-Umzug-der-Spione.html)
Twitter Hackers Hijack New Accounts After Company Claims It Fixed Bug (https://gizmodo.com/twitter-hackers-hijacked-new-accounts-after-company-cla-1831369315) Gizmodo: File this one under messy disclosures. Security researchers found a flaw in Twitter’s use of shortcodes — those five-digit phone numbers that Twitter uses for tweeting by text message. Insinia Labs (https://medium.com/insinia/this-account-has-been-hijacked-temporarily-4909fa190f5d) found that it was possible to tweet on behalf of nearly any user by obtaining their cell phone number and spoofing that number using readily available online tools. In testing this out on unwitting celebrities, the researchers likely broke (https://www.bbc.com/news/technology-46700995) the U.K.’s hacking laws — whoops. Twitter said it fixed the bug, but hours later it was found that the bug still existed (https://twitter.com/dellcam/status/1078795891610402819). More: Insinia Labs (https://medium.com/insinia/this-account-has-been-hijacked-temporarily-4909fa190f5d) | BBC News (https://www.bbc.com/news/technology-46700995)
** THE STUFF YOU MIGHT’VE MISSED
Six reasons why Huawei gives the U.S. and its allies security nightmares (https://www.technologyreview.com/s/612556/the-6-reasons-why-huawei-gives-the-us-and-its-allies-security-nightmares/) MIT Technology Review: Here’s an interesting short read. We all know that Chinese telecom equipment giant Huawei is in hot water with the U.S., the U.K., Australia… New Zealand — hey, that’s four out of the Five Eyes (https://gizmodo.com/five-eyes-spy-chiefs-agreed-to-contain-huaweis-global-r-1831131906)! (It makes you wonder.) Anyway, this six-point story gives you the best run-down of why Huawei is being shunned across the world — even though little evidence has yet emerged that Huawei is in fact a direct threat to Western security.
White House mulls new year executive order to bar Huawei, ZTE purchases (https://www.reuters.com/article/us-usa-china-huawei-tech-exclusive/exclusive-white-house-mulls-new-year-executive-order-to-bar-huawei-zte-purchases-idUSKCN1OQ09P) Reuters: Speaking on Huawei, the White House is said to be mulling a New Year-timed executive order aimed at banning U.S. companies from using technology built by Huawei and ZTE (which has also been accused of spying for the Chinese). That’ll likely hamper 5G rollout and make any expansion far more expensive. That executive order will expand a law passed back in August (https://techcrunch.com/2018/08/13/new-defense-bill-bans-the-u-s-government-from-using-huawei-and-zte-tech/) that bans the U.S. government from using Huawei and ZTE technology on its federal and military networks.
Election cybersecurity progress report: Will the U.S. be ready for 2020? (https://media.ccc.de/v/35c3-9917-election_cybersecurity_progress_report) Chaos Communications Congress: World-renowned elections expert J. Alex Halderman (https://twitter.com/jhalderm?lang=en) gave his talk at 35c3 this week, covering how U.S. elections fared during the midterms and what the prospects are for 2020 — the next presidential election. His talk is about an hour long, and free to download (https://media.ccc.de/v/35c3-9917-election_cybersecurity_progress_report). Really interesting stuff.
** OTHER NEWSY NUGGETS
A fake Amazon Alexa ‘setup’ app climbed up Apple’s App Store charts: A fake Amazon app shot up to sixth place in Apple’s App Store “utilities” charts before it was pulled (https://9to5mac.com/2018/12/27/fake-amazon-alexa-app-psa/) . The app wasn’t affiliated with Amazon, but asked for your IP address, device serial number, and a ‘name’. It wasn’t clear what the app was for — except to show as many ads as possible (https://mashable.com/article/fake-amazon-alexa-setup-ios-app/#LSbzSNHrzgqZ) (to make a quick buck) during the time you used it.
How a guy with a camera outsmarted the United States: A plane-spotter from a small South Yorkshire town (not far from where I grew up) snapped a photo of Air Force One, the U.S. president’s plane, flying over the U.K. last week (https://www.bbc.com/news/uk-england-south-yorkshire-46693916) during a press blackout meant to prevent it leaking out (for security reasons) that President Trump was on his way to visit troops in Iraq. News quickly spread across social media. @jamesrbuk (https://twitter.com/jamesrbuk) said in his write-up for The Atlantic (https://www.theatlantic.com/international/archive/2018/12/plane-enthusiasts-air-force-one-trump-iraq/579151/?utm_source=twb) that the episode shows how “unprepared even the world’s most advanced governments are to deal with the simplest of these threats.” Some even spotted Air Force One on air traffic tracking sites (https://twitter.com/ETEJSpotter/status/1077913148374564866) as soon as it hit European airspace.
** GOOD PEOPLE DOING GOOD THINGS
A few good things this week:
Malware researchers, rejoice, after dozens of APT variants and malware samples were made available for download (only accessible over Tor (http://iec56w4ibovnb4wc.onion)). @0xffff0800 (https://twitter.com/0xffff0800) tweeted about it here (https://twitter.com/0xffff0800/status/1076919385250562048?s=21).
Rob Joyce (https://twitter.com/rgb_lights), the NSA’s cyber strategy chief and Christmas lights enthusiast (seriously! (https://archive.org/details/youtube-x64mrVwuuqs)), tweeted a video of the Christmas lights display (https://twitter.com/rgb_lights/status/1076934831446073345?s=21) on his house this year. Very impressive stuff. I hope he has nice neighbors.
And finally, a belated happy ninth anniversary to Krebs on Security (https://krebsonsecurity.com/2018/12/happy-9th-birthday-krebsonsecurity/), which launched on December 6, 2009 (https://krebsonsecurity.com/2009/12/welcome-to-krebsonsecurity-com/). It’s been a real labor of love for @briankrebs (https://twitter.com/briankrebs/status/1079045225660801025), who’s poured his heart and soul into his site. Nine years have flown by. Here’s to many more years to come. (You should also sign up (https://krebsonsecurity.com/subscribe/) for his newsletter!)
** THIS WEEK’S CYBER CAT
This beautiful fluff-monster is this week’s cybercat. Cortana, submitted by @FrankMcG (https://twitter.com/frankmcg?lang=en), is an advanced persistent threat for mice and kitty treats. (You may need to enable images in this email.) If you want your cybercat featured in a future newsletter, send along their name, a photo and a description to: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** GOOD NEWS!
Last week’s callout (https://mailchi.mp/c1f3b0048cb3/this-week-in-security-december-23) for donations to support the cost of this growing newsletter absolutely blew up. In short, Mailchimp starts to get pricey when a newsletter goes over 2,000 subscribers. In the past week, a flood of donations came in — enough to keep the newsletter going for at least a year.
A huge thank you to those who donated: Michael Grover, Dean Collins, Kristin Epley, Marisha Parker, Uwe Linck, Steve Ragan, Amit Serper, Florindo Gallicchio, Aaron Clark, PatchSavage87, Chris Howell, IT-Awareness, Robert Meineke, Rey Bango, Baptiste Robert, AskWoody, Tony Kava, and a few donors who asked to stay anonymous. Thanks to you, no more donations are needed for quite a while.
I can’t thank you enough for the support and feedback you send in. It helps make this newsletter better. Thank you again.
** SUGGESTION BOX
That’s all for this year! As always, please leave any feedback in my anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Happy New Year to you. I’ll see you in 2019.