this week in security — december 6 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 47
~ ~
** THIS WEEK, TL;DR
iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever (https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/) Ars Technica: Earlier this year Apple patched a vulnerability found by a Google security researcher that allowed him to take complete control of an iPhone remotely over Wi-Fi with no user interaction at all. Worse, the bug was wormable, allowing it to spread from one device to another. The bug, dubbed the “Wi-Fi packet of death” by @dangoodin001 (https://twitter.com/dangoodin001) , was patched by Apple in May. In a 30,000-word blog post (https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html) , Google’s Ian Beer (https://twitter.com/i41nbeer/status/1333884906515161089) described the bug in detail. The bug was a flaw in AWDL, an Apple-proprietary mesh networking protocol that makes things like AirDrop work. Because AWDL processes Wi-Fi data, the attack can be launched over the air. In the most severe demonstration, Beer gained full access to an affected device in a room separated from him by a door, and was able to steal passwords stored in the Keychain. This was breathtakingly good work — no question. Beer also has a great tweet thread (https://twitter.com/i41nbeer/status/1333884906515161089) on the bug. More: Google Project Zero (https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html) | BBC News (https://www.bbc.com/news/technology-55157948) | @rgb_lights (https://twitter.com/rgb_lights/status/1333928951941566468?s=21) | @i41nbeer tweets (https://twitter.com/i41nbeer/status/1333884906515161089)

The Supreme Court heard its first big CFAA case (https://techcrunch.com/2020/11/29/supreme-court-van-buren-hacking/) TechCrunch: On Monday the Supreme Court heard its first CFAA case, which will decide what the law means by “authorization,” a critical part of the U.S. computer hacking laws that have plagued good-faith security researchers for years. The case centers on a former cop who was prosecuted for accessing a police database to look up a record for an acquaintance in exchange for cash. A final decision in the case isn’t expected for months, but this will be a landmark case not only for anyone involved in computer or information security, but also for anyone who uses a work computer for personal reasons, lies on a dating profile, or scrapes a website (https://twitter.com/JuliaAngwin/status/1333425020341727233?s=20) as part of a journalist’s investigation. Law professor @OrinKerr (https://twitter.com/OrinKerr/status/1333468822246866945) thinks that the Supreme Court will reverse the decision in the end, but it might be a close one. (Disclosure: I wrote this story.) More: SCOTUSblog (https://www.scotusblog.com/2020/11/case-preview-justices-to-consider-breadth-of-federal-computer-fraud-statute/) | Cyberscoop (https://www.cyberscoop.com/supreme-court-hacking-law-cfaa-research-security/) | @OrinKerr tweets (https://twitter.com/OrinKerr/status/1333468822246866945)
Citizen Lab finds surveillance tech that can find you with just a phone number (https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/) Citizen Lab: Bombshell findings from Citizen Lab, which found that 25 countries have deployed a technology from surveillance firm Circles, which merged with spyware maker NSO Group in 2014. Circles exploits flaws in SS7, the signaling protocol that allows cell networks to hand off calls and texts from one network to another. By exploiting those flaws, a Circles customer can trace the location of any phone in the world using just its phone number. @jsrailton (https://twitter.com/jsrailton/status/1333848872872013824?s=20) has a great tweet thread on the report, which came out this week. More: Motherboard (https://www.vice.com/en/article/wx8jax/researchers-find-powerful-ss7-cellphone-location-surveillance-in-europe-middle-east-australia) | Forbes (https://www.forbes.com/sites/thomasbrewster/2020/12/01/this-spy-tool-can-find-you-with-just-a-telephone-number-and-25-countries-own-it-warn-researchers/?sh=26c2ab1c331e)
U.S. used Patriot Act to gather logs of website visitors (https://www.nytimes.com/2020/12/03/us/politics/section-215-patriot-act.html) New York Times ($): The U.S. government used the Patriot Act to gather logs of who visited (from overseas) an unnamed U.S.-based website. The disclosure reveals for the first time the legal authority the government relied on to collect internet data, and comes after the Times pressed the ODNI for an answer to a vague letter it had sent Ron Wyden’s office in November. The Patriot Act was long suspected of being used to collect web browsing data, just as it was used to collect call records, before the law expired earlier this year. But although the legal interpretation has now been confirmed, it’s not known whether the law was used to collect internet records in bulk. No wonder Wyden was trying to close a loophole this year by making it illegal for the government to warrantlessly acquire web browsing data under the Patriot Act. The Wyden siren strikes again. More: @charliesavage tweets (https://twitter.com/charlie_savage/status/1334560751516839937) | @SaraMorrison (https://twitter.com/SaraMorrison/status/1334570986948227072?s=20)
TrickBot sputters back to health (https://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/) Cyberscoop: Despite taking a hammering from efforts by Microsoft and U.S. Cyber Command to take it down, the TrickBot botnet is sputtering back to full health. The latest iteration of the malware makes it more difficult to detect, and comes with new features that can allegedly infect (https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/) a computer’s BIOS or UEFI firmware, making it much harder to remove. More: ZDNet (https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps with the newsletter’s upkeep. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
A broken piece of internet backbone might finally get fixed (https://www.wired.com/story/bgp-routing-manrs-google-fix/) Wired ($): The Border Gateway Protocol (BGP) has been one (of many, granted) of the weak spots in the internet’s backbone that have caused havoc and outages for decades. But now a group, backed by Google, aims to help content delivery networks and other cloud services harden against BGP attacks (or mistakes) that can cause slowdowns and major outages lasting hours at a time.
‘Smart’ doorbells for sale on Amazon and eBay came stocked with security flaws (https://www.cyberscoop.com/smart-doorbells-amazon-ebay-ncc-vulnerabilities/) Cyberscoop: NCC Group and U.K. consumer group Which? found vulnerabilities (https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/) in 11 smart doorbells for sale on Amazon and eBay, one of which could’ve allowed a remote attacker to break into a victim’s wireless network. Neither Amazon nor eBay did anything about the device listings because, in their eyes, the bugs didn’t violate their safety standards.
How retailers track your every move in exchange for coupons and convenience (https://www.vox.com/recode/21587779/shopping-deals-coupons-privacy-data-collection-retail) Recode: This is a great write-up by @saramorrison (http://twitter.com/saramorrison) on how the pandemic has made it far easier for retailers to track how you shop and buy. It’s partly why so many companies want you to use their apps, so they can track you in ways that they couldn’t before. Worse, “to encourage customers to use apps as much as possible — and create personally identifiable accounts on those apps — retailers offer discounts and services the customer wouldn’t otherwise get.” Maybe think twice before signing up for that mailing list. ~ ~
** OTHER NEWSY NUGGETS
Massachusetts lawmakers vote to pass a statewide police ban on facial recognition (https://techcrunch.com/2020/12/01/massachusetts-votes-to-pass-statewide-police-ban-on-facial-recognition/) State lawmakers in Massachusetts have voted to pass a new police reform bill that will ban police departments and public agencies from using facial recognition technology across the state. The police reform bill was stuck in committee for months, but eventually a consensus was found on Monday. Within a day, the bill was overwhelmingly passed by the state House and Senate, and is now on its way to the governor’s desk to be signed into law. (Disclosure: I also co-wrote this one.)
DHS watchdog to investigate department’s use of phone location data (https://www.wsj.com/articles/homeland-security-watchdog-to-probe-departments-use-of-phone-location-data-11606910402) Homeland Security’s inspector general will investigate how the department buys cellphone location data from third-party companies to track suspects without first obtaining a warrant. DHS argues that buying access to location data is legal, but the watchdog isn’t so sure, hence the investigation. The ACLU also launched legal action (https://www.washingtonpost.com/politics/2020/12/02/technology-202-aclu-sues-dhs-over-purchase-cellphone-location-data-used-track-immigrants/) this week against ICE for buying cellphone location data to track immigrants. ~ ~
** THE HAPPY CORNER
In the barrel of good news this week, Microsoft is letting you buy your favorite ugly Windows sweater (https://gear.xbox.com/pages/windows) for the holiday season. Plus, if you buy before Christmas, each purchase will donate $20 to Girls Who Code (https://girlswhocode.com/) , a fantastic non-profit that helps to bring women into computer science. And this was cool to play with: a virtual cybersecurity escape room (https://eloeffler.gitlab.io/eloeffler/proto-vcser/) . I won’t give away any spoilers. The graphics aren’t great, but it’s a lot of fun to play with. A lot of folks had opinions on Hacker News (https://news.ycombinator.com/item?id=25276033) . If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Nell T. Blue, who as you can see is taking a much-needed break from fighting misinformation (or “fake mews”) about cats. It’s a tough job but someone has to do it. A big thanks to Jon C. for the submission! You can send in your cyber cats (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) here. They’re featured first come, first served. ~ ~
** SUGGESTION BOX
Thanks for reading this week! As always, if you have any feedback or comments, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Take care and have a great week — see you next Sunday.
~this week in security~ does not track email opens or link clicks.