this week in security — december 8 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 47
~ ~
** THIS WEEK, TL;DR
Life for U.S. students under constant surveillance (https://www.theguardian.com/education/2019/dec/02/school-surveillance-us-schools-safety-shootings) The Guardian: This was the latest installment of The Guardian’s look at the rise of school surveillance in the era of school shootings. Schools are responding with security systems, email monitoring and see-through backpacks. Yet Motherboard reported this week that there’s little evidence the snooping works, and some students are responding by doubling down on their own opsec, such as covering their webcams. More: Motherboard (https://www.vice.com/en_us/article/8xwze4/schools-are-using-spyware-to-prevent-shootingsbut-theres-no-evidence-it-works) | BuzzFeed News (https://www.buzzfeednews.com/article/carolinehaskins1/gaggle-school-surveillance-technology-education)
A new Mac malware uses ‘fileless’ technique to remain stealthy (https://arstechnica.com/information-technology/2019/12/north-koreas-lazarus-hackers-up-their-game-with-fileless-mac-malware/) Ars Technica: Hackers working for North Korea have stepped up their macOS malware game with a ‘fileless’ second stage: the trojanized app that lands on the victim’s machine downloads its payload and executes it directly in memory, so the payload itself is never written to disk and leaves nothing for file-based antivirus to scan. @patrickwardle (https://twitter.com/patrickwardle) breaks down the technical details in his blog post (https://objective-see.com/blog/blog_0x51.html) . More: Objective-See (https://objective-see.com/blog/blog_0x51.html) | @dineshdina04 (https://twitter.com/dineshdina04/status/1201834142704394242)
FBI: Russian apps could be a ‘counterintelligence’ threat (https://www.bloomberg.com/news/articles/2019-12-02/russian-apps-could-pose-counterintelligence-threat-fbi-warns) Bloomberg ($): A bizarre statement from the FBI this week, blanketing potentially every app made in Russia as a “counterintelligence” threat. That includes the face-swapping app FaceApp, despite there being no evidence (https://www.buzzfeednews.com/article/daveyalba/what-happens-when-you-upload-faceapp-photos) that user data leaves the U.S. In related news this week, Reddit detected (https://www.reddit.com/r/redditsecurity/comments/e74nml/suspected_campaign_from_russia_on_reddit/) a Russia-backed operation on its site. Reddit thinks the Russian trolls used the site to spread documents about U.K.-U.S. trade talks, which were later used by Jeremy Corbyn, the leader of the opposition. Crazy stuff. More: BuzzFeed News (https://www.buzzfeednews.com/article/daveyalba/what-happens-when-you-upload-faceapp-photos) | BBC News (https://www.bbc.com/news/uk-50699168) | TechCrunch (https://techcrunch.com/2019/12/07/reddit-links-uk-us-trade-talk-leak-to-russian-influence-campaign/)
Amazon’s Ring threw a ‘racist’ party for doorbell-buying cops (https://www.vice.com/en_us/article/bjw9e8/inside-rings-quest-to-become-law-enforcements-best-friend) Motherboard: A big scoop by @carolineha (https://twitter.com/carolineha_/) , who recently departed for BuzzFeed (https://www.buzzfeednews.com/author/carolinehaskins1) (congrats!). Video doorbell maker Ring, owned by Amazon, threw a party for police officers who were buying and using its doorbells as part of their neighborhood surveillance efforts. @jason_koebler (https://twitter.com/jason_koebler/status/1202293339527221248) has the short version: staff wore racist costumes and “FUCK CRIME” shirts. It’s part of Ring’s push to expand its ties with law enforcement across the United States. More: Vox (https://www.vox.com/2019/9/5/20849846/amazon-ring-explainer-video-doorbell) | CNET (https://www.cnet.com/news/ring-gave-police-a-street-level-view-of-where-video-doorbells-were-for-over-a-year/)
Homeland Security backs down on plans to face-scan U.S. citizens at airports (https://techcrunch.com/2019/12/05/homeland-security-drops-airport-citizens-face-scans/) TechCrunch: Homeland Security about-turned very quickly this week after the ACLU piled on the pressure when the agency said it planned to start facially recognizing U.S. citizens as they arrive in and leave the country. Citizens can currently opt out of the scanning. CBP said in a regulatory filing (https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201910&RIN=1651-AB22&=biometric-collection-data-citizens) that it wanted to expand face scanning to U.S. citizens, but quickly backed down amid criticism. (Disclosure: I wrote this story.) More: Reginfo.gov (https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201910&RIN=1651-AB22&=biometric-collection-data-citizens)
IBM warns of dangerous Iranian data-wiping malware (https://www.cyberscoop.com/iran-destructive-malware-ibm/) Cyberscoop: IBM security researchers say Iranian hackers are launching data-wiping attacks against energy and industrial companies in the Middle East. The malware, dubbed ZeroCleare, overwrites the master boot record and disk partitions, using the same EldoS RawDisk driver the Shamoon wipers relied on, leaving the machine unable to boot its operating system. IBM said the attacks were destructive enough that victims could “take months” to recover. More: IBM Security Intelligence (https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/)
PlayStation, Evernote gave police access to users’ data, warrants show (https://www.vice.com/en_us/article/zmjp73/fbi-asked-sony-playstation-4-user-data-cocaine-dealer) Motherboard: A triple-whammy from Motherboard this week. @josephfcox (https://twitter.com/josephfcox/status/1201915744495263750) found a law enforcement warrant targeting a PlayStation 4 user who’s accused of using the console to coordinate large cocaine deals. Law enforcement is increasingly targeting gaming companies and makers of in-home devices. (A friendly reminder: most smart home makers still don’t publish transparency reports.) The same week, Cox wrote about how Evernote (https://www.vice.com/en_us/article/j5yyxp/evernote-search-warrant-gave-data-to-us-government) turned over an alleged drug dealer’s notes from its servers to the DEA. More: @josephfcox (https://twitter.com/josephfcox/status/1201915744495263750) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Russian-owned company attempted Ohio election hack (https://apnews.com/6518b9a986f640c4899a979bbc48390b) Associated Press: Ohio’s secretary of state said a “relatively unsophisticated” attempted hack on November 5, Election Day in the U.S., came from a Panama-based company owned by a Russian. Based on the report, the would-be attackers were “looking around for vulnerabilities” on the secretary of state’s website by sending SQL injection probes, which the site’s firewall detected and blocked. “The bad guys lost,” said the secretary of state.
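The kind of probing described here leaves an obvious trail in ordinary web-server access logs. What follows is an added example, not code from the secretary of state’s office or its firewall vendor: the log lines are constructed (RFC 5737 test addresses, fictional paths) and the signatures are the textbook shapes of a SQL injection probe. The one detail worth copying is the repeated percent-decoding, since probes are often double-encoded to slip past filters that decode only once.

```python
"""Flag SQL-injection probes in web-server access logs.

Added example for the Ohio item above; it is not code from the secretary of
state's office or its firewall vendor, and the log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Classic probe shapes. Order only affects the labels in the output.
SIGNATURES = [
    ("tautology", re.compile(r"""(?i)(['"]|\b)\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""")),
    ("comment", re.compile(r"(--|#|/\*)\s*$|--\s")),
    ("union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("stacked", re.compile(r"(?i);\s*(drop|insert|update|delete|exec)\b")),
    ("timing", re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")),
]

# Constructed sample: one source probing a results page, one legitimate visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2019:10:03:01 -0500] "GET /elections/results?county=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 403 512
203.0.113.10 - - [05/Nov/2019:10:03:04 -0500] "GET /elections/results?county=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 403 512
198.51.100.7 - - [05/Nov/2019:10:04:11 -0500] "GET /elections/results?county=42 HTTP/1.1" 200 8721
203.0.113.10 - - [05/Nov/2019:10:03:09 -0500] "GET /search?q=%2527%2520OR%2520SLEEP%25285%2529-- HTTP/1.1" 403 512
198.51.100.7 - - [05/Nov/2019:10:04:20 -0500] "GET /about/office HTTP/1.1" 200 4310
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly: attackers double-encode to get past
    filters that decode once. Bounded so hostile input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path: str) -> list[str]:
    """Names of every signature that fires on the fully decoded request path."""
    decoded = fully_decode(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines) -> list[dict]:
    """One record per suspicious request: who sent it, what it was, why it fired."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line; skip junk rather than crash
        sigs = classify(m["path"])
        if sigs:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "path": fully_decode(m["path"]), "signatures": sigs})
    return hits


def probes_by_ip(lines) -> Counter:
    """Aggregate so an analyst sees 'this source sent N probes', not N alerts."""
    return Counter(h["ip"] for h in scan_log(lines))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(probes_by_ip(SAMPLE_LOG.splitlines()))
```

On the constructed sample the three probes from 203.0.113.10 are flagged (a quoted tautology, a UNION SELECT with a comment terminator, and a double-encoded time-based probe) while the two requests from 198.51.100.7 pass. The 403 status alongside each hit is the firewall doing its job; the same scan over lines with a 200 status is what should page someone.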
Labour MP and Russia critic targeted by hackers (https://www.theguardian.com/world/2019/dec/03/labours-ben-bradshaw-claims-he-was-targeted-in-russian-cyber-attack) The Guardian: Ben Bradshaw, a Labour member of parliament in the U.K., said he received an email, believed to have come from Moscow, that bundled legitimate documents with a booby-trapped attachment that would have installed malware had it been opened. @EliotHiggins (https://twitter.com/EliotHiggins/status/1201986439136849920) , who runs Bellingcat, received the same email.
Privacy analysis of TikTok’s app and website (https://rufposten.de/blog/2019/12/05/privacy-analysis-of-tiktoks-app-and-website/) Rufposten: Matthias Eberl did a thorough review of the Chinese video-sharing app TikTok. The results were not good. He found the website using device fingerprinting to track users, including audio fingerprinting: the site feeds a signal through the browser’s audio API and hashes the output, which differs slightly from one device and software stack to the next, so the result identifies the visitor without playing any sound or setting a cookie. With GDPR in mind, Eberl said TikTok is “breaking the law in multiple ways while exploiting mainly teenagers’ data.”
Apple explains mysterious iPhone 11 location requests (https://krebsonsecurity.com/2019/12/apple-explains-mysterious-iphone-11-location-requests/) Krebs on Security: Brian Krebs found (https://krebsonsecurity.com/2019/12/the-iphone-11-pros-location-data-puzzler/) this week that his iPhone 11 Pro was periodically checking his location even after he had switched off location access for every app and system service listed in Settings. Apple said it was by design, but wouldn’t say why. When I asked, Apple declined to comment. @chronic (https://twitter.com/chronic/status/1202386593387966464) found that no location data was leaving the device, so we all assumed it was a bug or benign. Then, a day later, Apple came clean with a perfectly reasonable explanation (https://krebsonsecurity.com/2019/12/apple-explains-mysterious-iphone-11-location-requests/) : the phone’s ultra wideband radio is not permitted in some countries, so iOS checks where the device is to decide whether the radio must be disabled, and Apple said a toggle to turn the check off is coming in a later iOS update. Why it didn’t say so sooner is beyond me; I wrote about exactly that in my own write-up (https://techcrunch.com/2019/12/05/apple-ultra-wideband-newer-iphones-location/) . “Apple could have said something days ago, immediately squashing rumors with a simple explanation,” I said. “But Apple’s delayed response made this a far bigger issue than it ever had to be.”
HackerOne breach lets outside hacker read customers’ private bug reports (https://arstechnica.com/information-technology/2019/12/hackerone-breach-lets-outside-hacker-read-customers-private-bug-reports/) Ars Technica: A bruising week for bug bounty platform HackerOne. A HackerOne analyst sent a security researcher “parts of a ‘curl’ command that mistakenly included a valid session cookie that gave anyone with possession of it the ability to read and partially modify data the analyst had access to.” Whoops! In other words, pasting a working command line into a reply also pasted the credential that made it work. The researcher reported it, HackerOne revoked the cookie, and the researcher got a $20,000 bounty in return.
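A pre-submit check that scrubs cookies and other credentials out of a curl command before it is pasted anywhere is cheap to build. The one below is an added illustration, not anything HackerOne itself runs: the header and flag names are curl’s own, the helper names are mine, and the sample commands in the usage are constructed.

```python
"""Scrub session cookies and other credentials out of a curl command before it
is pasted into a ticket, chat or bug report.

Added example for the HackerOne item above; this is not HackerOne's code, and
the sample commands used to exercise it are constructed.
"""
import re
import shlex

# Header names whose values are credentials and must never leave the terminal.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key", "x-auth-token"}
# curl flags whose argument is a credential.
SENSITIVE_FLAGS = {"-b", "--cookie", "-u", "--user"}
REDACTED = "<redacted>"

# Fallback for text shlex cannot tokenise (unbalanced quotes): blank everything
# after a sensitive header name to the end of the line. Over-redacting is the
# safe failure here.
_RAW_RE = re.compile(r"(?i)\b(cookie|authorization|x-api-key|x-auth-token)\s*:\s*[^'\"\n]+")


def redact_curl(command: str) -> tuple[str, list[str]]:
    """Return (redacted_command, findings).

    findings names each credential location that was scrubbed, so a hook can
    warn the analyst or refuse the paste. Everything else in the command is
    kept intact so it still works as a reproduction step.
    """
    try:
        argv = shlex.split(command)
    except ValueError:
        scrubbed, n = _RAW_RE.subn(lambda m: f"{m.group(1)}: {REDACTED}", command)
        return scrubbed, ["unparsed-header"] * n

    out: list[str] = []
    findings: list[str] = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok in ("-H", "--header") and nxt is not None:
            name, sep, _value = nxt.partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                findings.append(f"header:{name.strip()}")
                nxt = f"{name.strip()}: {REDACTED}"
            out += [tok, nxt]
            i += 2
        elif tok in SENSITIVE_FLAGS and nxt is not None:
            findings.append(f"flag:{tok}")
            out += [tok, REDACTED]
            i += 2
        elif tok.startswith("--cookie=") or tok.startswith("--user="):
            flag, _, _ = tok.partition("=")  # long-option form with '='
            findings.append(f"flag:{flag}")
            out.append(f"{flag}={REDACTED}")
            i += 1
        else:
            out.append(tok)
            i += 1
    return " ".join(shlex.quote(t) for t in out), findings


def safe_to_paste(command: str) -> bool:
    """True only if the command carries nothing that looks like a credential."""
    return not redact_curl(command)[1]


if __name__ == "__main__":
    # Constructed examples; the cookie and password values are placeholders.
    for cmd in (
        "curl -H 'Cookie: _session=s3cr3t' -H 'Accept: application/json' https://api.example.com/v1/reports/1",
        "curl --user admin:hunter2 -b 'sid=42' https://example.com/admin",
        "curl -H 'Accept: text/html' https://example.com",
    ):
        print(redact_curl(cmd))
```

The point of returning the findings list rather than a bare yes/no is that the same routine can run in two modes: in a chat or ticket integration it silently rewrites the paste, while in a commit or comment hook it blocks and tells the author exactly which header or flag tripped it. Revoking the leaked session is still step one if one does get through; redaction only narrows the window.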
~ ~
** SUPPORT THIS NEWSLETTER
Thanks for reading this newsletter. As the subscriber count rises, so do the costs. Please support my Patreon (https://www.patreon.com/thisweekinsecurity) to keep this newsletter going. You can support for as little as $1/month, or more for exclusive perks. Thanks for your support! ~ ~
** OTHER NEWSY NUGGETS
Justice Dept. charges Russian hacker behind the Dridex malware (https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens) Russian hacker Maksim Yakubets is the alleged head of the cybercrime group Evil Corp. (Yes, like in Mr. Robot.) Yakubets remains at large, but was indicted this week for developing and running Dridex, a banking trojan that later doubled as a delivery mechanism for ransomware. BBC’s @BBCDanielS (https://twitter.com/BBCDanielS/status/1202607235014242304) has a good tweet thread explaining the indictment. The group stole more than $100 million over the past decade, and likely more, prosecutors said. CISA also put out an alert (https://www.us-cert.gov/ncas/alerts/aa19-339a) on Dridex shortly after the indictment dropped.
Hackers find ways around a years-old Microsoft Outlook fix (https://www.wired.com/story/microsoft-outlook-home-page-hack/) Outlook’s folder “Home Page” feature lets a mail folder display a web page in place of its contents. Attackers realized that once they had a user’s account credentials they could point that home page at attacker-controlled content that can execute code on the victim’s machine, reports @lilyhnewman (https://twitter.com/lilyhnewman) . Microsoft patched the bug (CVE-2017-11774) in October 2017, but attackers are still finding ways to bypass the fix.
All new phone users in China must have their face scanned (https://www.afp.com/en/news/3954/china-introduces-mandatory-face-scans-phone-users-doc-1mp8yr2) Another day, another massive privacy invasion by Beijing. Under new rules, carriers must scan the face of anyone registering a new phone number and match it against their identity documents, which Beijing says will “reduce fraud and boost cybersecurity.” Residents have expressed anger at the move.
Facebook says Chinese company hit users with malware (https://www.buzzfeednews.com/article/craigsilverman/facebook-lawsuit-malware-ads-chinese-company) Facebook said in a post this week (https://about.fb.com/news/2019/12/taking-action-against-ad-fraud/) that it has sued a Hong Kong-based company and two Chinese nationals for allegedly using malware to compromise Facebook accounts and run millions of dollars of deceptive ads through them. The technique of showing Facebook’s ad reviewers one thing and users another is known as “cloaking,” and Facebook admits “there have not been many legal actions of this kind.” We’ll wait and see where (or if) it goes. ~ ~
** THE HAPPY CORNER
Two snippets of good news this week.
Google said this week (https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html) that 80% of Android apps now encrypt their network traffic with TLS by default, and 90% of apps targeting Android 9 or later. Google began pushing developers toward TLS in 2016 with the Network Security Configuration, and Android 9 went further in 2018 by blocking cleartext traffic by default for apps that target it. The fewer apps that send plaintext, the less an attacker on the same coffee-shop Wi-Fi can read or tamper with.
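Whether an app can still fall back to plain HTTP is decided by its targetSdkVersion together with its network_security_config.xml. The script below is an added example and not Google’s code: it applies those rules to a weak config and a hardened one (both constructed) and lists the hosts an app would be willing to talk to in cleartext, which is the finding an app-security review actually reports.

```python
"""Decide whether an Android app may send cleartext (non-TLS) traffic to a
given host, from its network_security_config.xml and targetSdkVersion.

Added example for the item above; this is not Google's code and the two
configs embedded here are constructed. It handles base-config and top-level
domain-config elements; nested domain-configs and pin-sets are out of scope.
"""
from typing import Optional
import xml.etree.ElementTree as ET

# Weak: opts the whole app back into plaintext HTTP, undoing the Android 9 default.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Hardened: TLS everywhere, with one named exception instead of a global one.
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>
</network-security-config>"""


def _flag(elem: ET.Element) -> Optional[bool]:
    """Parse cleartextTrafficPermitted, or None when the attribute is absent."""
    value = elem.get("cleartextTrafficPermitted")
    return None if value is None else value.strip().lower() == "true"


def cleartext_permitted(config_xml: Optional[str], host: str, target_sdk: int) -> bool:
    """Platform rule: apps targeting API 28 (Android 9) or later block cleartext
    unless the config re-enables it; older targets allow it unless the config
    disables it. A matching domain-config overrides base-config."""
    platform_default = target_sdk < 28
    if not config_xml:
        return platform_default
    root = ET.fromstring(config_xml)
    host = host.lower().rstrip(".")
    for dc in root.findall("domain-config"):
        flag = _flag(dc)
        if flag is None:
            continue  # no explicit value here; falls through to base-config
        for d in dc.findall("domain"):
            name = (d.text or "").strip().lower()
            include_subs = d.get("includeSubdomains", "false").lower() == "true"
            if host == name or (include_subs and host.endswith("." + name)):
                return flag
    base = root.find("base-config")
    base_flag = _flag(base) if base is not None else None
    return platform_default if base_flag is None else base_flag


def audit(config_xml: Optional[str], hosts, target_sdk: int) -> list[str]:
    """Hosts the app would talk to over plain HTTP: the review finding."""
    return [h for h in hosts if cleartext_permitted(config_xml, h, target_sdk)]


if __name__ == "__main__":
    hosts = ["api.example.com", "legacy.example.com", "cdn.legacy.example.com"]
    print("weak, target 28:", audit(WEAK_CONFIG, hosts, 28))
    print("hardened, target 28:", audit(HARDENED_CONFIG, hosts, 28))
    print("no config, target 27:", audit(None, hosts, 27))
```

Two things the run makes visible: an app with no config at all is only safe if it targets API 28 or higher, so a stale targetSdkVersion is itself a finding; and a global cleartextTrafficPermitted="true" in base-config, which developers add to silence one legacy endpoint, reopens plaintext for every host the app contacts, where a domain-config scoped to that endpoint does not.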
And lastly, RSA announced, for the first time in a long time, a gender-diverse lineup. Last year, the conference caught considerable flak for all-male panels, or “manels”. This year it’s a far better mix. The line-up can be found here (https://twitter.com/KimZetter/status/1202306641460260865) . @RobertMLee (https://twitter.com/RobertMLee/status/1202344002529435652) also has a related RSA tweet thread. If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
Meet Ethel, this week’s cybercat. Her human tells me that she’s a relatively new cybercat but very motivated to help her human on the computer. A big thank you to Nick J. for the submission! (You may need to enable images in this email.) Keep sending in your cybercats! Really looking forward to featuring them in upcoming newsletters. You can send them in here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
From a cold Berlin where I’m on assignment, thank you for reading. As always, the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open for feedback. See you next Sunday. Have a great week.