this week in security — december 9 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 21.
** THIS WEEK, TL;DR
Another Major Breach: Quora Loses 100 Million Users’ Data (https://arstechnica.com/information-technology/2018/12/quora-says-hackers-stole-password-data-and-other-details-for-100-million-users/) Ars Technica: There are a lot of angry people out there this week following Quora’s big breach reveal. Around 100 million accounts were taken, but when the breach actually happened remains a mystery. Quora didn’t require email verification, so many people got a breach notification despite never signing up. The data includes names, email addresses, messages and more. If Marriott’s disclosure was a 4/10, Quora’s was a close 5/10. The company still has a lot to answer for. More: Quora (https://blog.quora.com/Quora-Security-Update) | Motherboard (https://motherboard.vice.com/en_us/article/d3b43x/quora-data-breach-hackers-100-million-users)
Emails Of Top GOP Officials Stolen In 2018 Hack (https://www.politico.com/story/2018/12/04/exclusive-emails-of-top-nrcc-officials-stolen-in-major-2018-hack-1043309) Politico: Four senior officials in the House Republicans’ campaign arm had their email accounts hacked, Politico reported this week, citing sources. Senior House Republicans, including House Speaker Paul Ryan and Majority Leader Kevin McCarthy, weren’t told of the breach, the reasoning being that “revealing the hack would compromise efforts to find the culprit.” How hard is it to use two-factor, people? Still no clarity on who was behind the hacks, though. More: @kennwhite on Twitter (https://twitter.com/kennwhite/status/1070055614288719874?s=21)
Australia Now Has Encryption-Busting Laws (https://www.zdnet.com/article/australia-now-has-encryption-busting-laws-as-labor-capitulates/) ZDNet: After Australia’s opposition Labor party struck a deal to bring an anti-encryption bill through the country’s parliament (full details here (https://www.abc.net.au/news/2018-12-04/encryption-whatsapp-signal-messages-explained/10580208) ), it was inevitable that the bill would pass. Few thought it would pass so quickly: less than a day later. The bill allows Canberra to compel companies to build in encryption backdoors and more, despite heavy opposition from major tech companies, including Apple and Cisco, who called the bill “dangerously vague.” (https://techcrunch.com/2018/12/05/australia-rushes-its-dangerous-anti-encryption-bill-into-parliament/) A sad day for Australia. ZDNet editor @dobes (https://twitter.com/dobes) has a deep-dive on the bill (https://www.zdnet.com/article/australia-now-has-encryption-busting-laws-as-labor-capitulates/) and its effects, and @joshgnosis (https://twitter.com/joshgnosis/status/1070445824407031808?s=21) had a blow-by-blow account of how it went down. More: ZDNet (https://www.zdnet.com/article/coalition-and-labor-strike-deal-on-encryption-legislation/) | TechCrunch (https://techcrunch.com/2018/12/05/australia-rushes-its-dangerous-anti-encryption-bill-into-parliament/) | ABC (https://www.abc.net.au/news/2018-12-04/encryption-whatsapp-signal-messages-explained/10580208) | @joshgnosis tweet thread (https://twitter.com/joshgnosis/status/1070445824407031808?s=21)
Saudi Surveillance Cities Are Being Built With American And British Tech (https://www.forbes.com/sites/thomasbrewster/2018/12/04/manhole-covers-that-spy-meet-the-westerners-helping-saudis-build-surveillance-cities/#4d5f0fa7eb13) Forbes: An interesting read from @iblametom (https://twitter.com/iblametom) on the export of spy tech from the U.K. and the U.S. to places like Saudi Arabia, a country still very much in global diplomatic hot water following the murder of journalist Jamal Khashoggi. Both nations export a ton of weaponry to the kingdom, but you don’t hear much about the other “smart” (read: surveillance) tech that’s still flowing across the Saudi borders, regardless of ongoing diplomatic tensions. More: Global Justice Now (https://www.globaljustice.org.uk/news/2018/sep/14/legal-action-threatened-against-government-export-surveillance-equipment)
Marriott’s Incident Response Was A Shitshow, So Security Experts Stepped In (https://techcrunch.com/2018/12/03/marriott-data-breach-response-risk-phishing/) TechCrunch: Marriott sent out its data breach notification email to millions of customers from a non-Marriott domain, email-marriott.com. Why? No idea. Many thought the email was a phishing attempt, and a sender domain that isn’t the brand’s own is exactly what a phisher would use. To stop cybersquatters trying to cash in on hapless victims, several security experts registered similar-sounding domains at their own expense to prevent scammers from snapping them up. Good Samaritans (https://twitter.com/dcuthbert/status/1069883974397378560) , indeed. (Disclosure: I wrote this story.) More: “email-marriot.com” by Rendition Infosec (http://email-marriot.com) | @ItsReallyNick tweet thread (https://twitter.com/ItsReallyNick/status/1069953651291185154)
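The Marriott item above describes two sides of one problem: an off-brand sender domain that looks like phishing, and defenders pre-registering typo variants (Rendition Infosec’s email-marriot.com is email-marriott.com with one letter dropped) before scammers do. The script below is an added example written for this newsletter, not code from Rendition, Marriott or the TechCrunch story. It enumerates the single-edit typo variants of a brand domain so a defender can pre-register or monitor them, and classifies an observed sender domain against that set, which is the same logic a mail-gateway rule could use to flag brand lookalikes. Assumptions: a single-label public suffix (production tooling should use the Public Suffix List), a plain ASCII alphabet with no homoglyphs, and the sample domains, which are constructed from the newsletter text.

```python
import string

# Constructed example: the notification sender domain from the newsletter
# item. Rendition Infosec's registration, email-marriot.com, is this
# label with one letter omitted.
BRAND_DOMAIN = "email-marriott.com"

# Characters a squatter would plausibly substitute or insert. This is an
# assumption for the example, not an exhaustive homoglyph table.
ALPHABET = string.ascii_lowercase + string.digits + "-"


def split_domain(domain):
    """Split 'label.tld' into (label, tld). Assumes a single-label public
    suffix; real tooling should consult the Public Suffix List."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def valid_label(label):
    """The DNS label rules that matter here: non-empty and no leading or
    trailing hyphen."""
    return bool(label) and not label.startswith("-") and not label.endswith("-")


def variants(label):
    """Yield (category, variant) for every single-edit typo of label."""
    n = len(label)
    for i in range(n):                        # omission: marriott -> marriot
        yield "omission", label[:i] + label[i + 1:]
    for i in range(n - 1):                    # transposition: email -> emial
        if label[i] != label[i + 1]:
            yield "transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:]
    for i in range(n):                        # substitution: marriott -> narriott
        for c in ALPHABET:
            if c != label[i]:
                yield "substitution", label[:i] + c + label[i + 1:]
    for i in range(n + 1):                    # insertion: marriott -> marriotts
        for c in ALPHABET:
            yield "insertion", label[:i] + c + label[i:]


def typosquat_candidates(domain):
    """Return {candidate_domain: category} for every valid single-edit
    variant of the brand domain's label, with the TLD held fixed."""
    label, tld = split_domain(domain)
    out = {}
    for category, v in variants(label):
        if v != label and valid_label(v):
            out.setdefault(f"{v}.{tld}", category)
    return out


def classify_sender(brand_domain, observed_domain):
    """Classify an observed sender domain relative to the brand domain:
    'exact', one of the typo categories, or 'unrelated'. A lookalike that
    is not the brand itself is a phishing signal worth alerting on."""
    observed = observed_domain.lower()
    if observed == brand_domain.lower():
        return "exact"
    return typosquat_candidates(brand_domain).get(observed, "unrelated")


if __name__ == "__main__":
    cands = typosquat_candidates(BRAND_DOMAIN)
    print(f"{len(cands)} single-edit variants of {BRAND_DOMAIN}")
    # Constructed sample senders: the real typosquat, the brand itself,
    # a transposition, and an unrelated domain.
    for sender in ("email-marriot.com", "email-marriott.com",
                   "emial-marriott.com", "marriott.com"):
        print(f"{sender:22} -> {classify_sender(BRAND_DOMAIN, sender)}")
```

The candidate set grows roughly with label length times alphabet size, so for a long label it runs to a few hundred names; that is the list you would feed to a registrar bulk-check or a passive-DNS watch. Note that Marriott’s own choice of email-marriott.com is itself one dropped-hyphen edit away from emailmarriott.com and one insertion away from several others, which is why the domain looked so much like the thing it was trying not to be.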
** THE STUFF YOU MIGHT’VE MISSED
Facebook could still get access to end-to-end encrypted WhatsApp messages (https://medium.com/@gzanon/no-end-to-end-encryption-does-not-prevent-facebook-from-accessing-whatsapp-chats-d7c6508731b2) Medium: An interesting take from @gzanon (https://medium.com/@gzanon/) on a possible route to backdoor end-to-end encrypted WhatsApp, now owned by Facebook. Yes, messages are encrypted when they’re sent, but the database that stores the messages on your iPhone isn’t. It’s a given that if someone has your phone, you’re already pwned — sure — but Zanon theorizes that it’s possible Facebook could grab this message data too.
Secret Service looking to test facial recognition near the White House (https://www.aclu.org/blog/privacy-technology/surveillance-technologies/secret-service-announces-test-face-recognition) ACLU: Homeland Security’s latest creepy idea: a document (https://www.dhs.gov/publication/dhsussspia-024-facial-recognition-pilot) revealed plans to roll out a facial recognition pilot around the White House in order to track “subjects of interest.” On one hand it makes sense, but on the other it’s a step towards normalizing facial recognition — on top of existing systems introduced at airports, to name just one case.
iTunes downloads aren’t encrypted — and that’s on purpose (https://www.wired.com/story/itunes-downloads-https-encryption/) Wired ($): Interesting insight from the @lilyhnewman (https://twitter.com/lilyhnewman) department: iTunes is one of the largest online stores on the web, but it doesn’t encrypt its downloads in transit, making it theoretically easier for anyone on the network path to observe the data stream. Apple does this deliberately, serving the downloads exclusively over HTTP so that sysadmins can cache large apps and files on their own network; a caching proxy can only store what it can see in the clear, which TLS would prevent.
** OTHER NEWSY NUGGETS
Let’s be nicer to each other online: One of my favorite security researchers to read and learn from, @0xAmit (https://twitter.com/0xAmit) , took to Medium to discuss internet etiquette (https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939) . The tl;dr is “don’t be an asshole,” in the face of the common “know-it-all” mentality online. If you know something that someone else didn’t, you don’t have to treat it as a chance to score “coolness points,” as he puts it, but as a way to share knowledge for the future. Take a look; it’s a good five-minute read (https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939) for anyone’s self-reflection.
200 companies call for a national privacy law: Hundreds of banks, retailers, and tech giants are calling for a national privacy law. Apple, Walmart, and Wells Fargo have signed up to the effort, says the Washington Post ($) (https://www.washingtonpost.com/news/powerpost/paloma/the-technology-202/2018/12/06/the-technology-202-more-than-200-companies-are-calling-for-a-national-privacy-law-here-s-an-inside-look-at-their-proposal/5c0819be1b326b60d128012e/?utm_term=.a9ba3e806245) . That would mean a unified set of federal rules applying across all 50 states, including a federal standard for breach notification in place of today’s patchwork of state laws, a rethink of how small businesses that process little personal data are affected, and giving the FTC the authority to enforce the rules. Many have pushed the White House to introduce a bill before California’s new privacy law goes into effect in 2020. California may be one state, but it has a near-federal effect given that so many tech companies are located there.
Rudy Giuliani doesn’t know how the internet works: Former New York City mayor and incumbent Trump administration cybersecurity advisor Rudy Giuliani claimed his Twitter account was hacked (https://motherboard.vice.com/en_us/article/kzvndz/trumps-cybersecurity-advisor-rudy-giuliani-thinks-his-twitter-was-hacked-because-someone-took-advantage-of-his-typo?utm_source=reddit.com) — it wasn’t — because a typo in his tweet created a URL, which someone went and registered. The newly-registered domain called Trump a “traitor,” something Giuliani decried. Politics aside, you have to admit this is a hilarious self-own from someone who’s meant to know “all about the cyber” (he doesn’t — or, at least, has shown no proof (https://www.zdnet.com/article/nobody-seems-to-know-what-rudy-giulianis-cybersecurity-company-actually-does/) of that). Poor Rudy doesn’t seem to get how hyperlinks work. Or, as my TechCrunch colleague @jonrussell (https://twitter.com/jonrussell) put it this week (https://techcrunch.com/2018/12/04/rudy-giuliani-doesnt-understand-the-internet/) , Giuliani “doesn’t understand the internet.” Fair.
In case of emergency: This is a really interesting read (https://www.theatlantic.com/magazine/archive/2019/01/presidential-emergency-powers/576418/) from renowned civil liberties lawyer Elizabeth Goitein (https://twitter.com/lizagoitein) about the powers that the (or any) U.S. president has when declaring a national emergency, including freezing bank accounts and seizing control of the internet. Fascinating stuff, but not unique to the U.S.; in fact, most liberal democracies have powers like this in place, including the U.K.’s Civil Contingencies Act. Here’s Liza’s tl;dr tweet-thread (https://twitter.com/LizaGoitein/status/1070334968335884290) on her report, but I implore you to read the whole thing.
** GOOD PEOPLE DOING GOOD THINGS
This week, three-time (https://www.zdnet.com/article/pgp-co-founder-who-rejoined-apple-to-bring-better-encryption-to-the-masses/) Apple employee Jon Callas left the company to replace the long-departed @csoghoian (https://twitter.com/csoghoian) as the ACLU’s new technology fellow, reports Reuters (https://www.reuters.com/article/us-aclu-apple/apple-security-expert-moves-to-aclu-as-public-interest-tech-builds-idUSKBN1O32LY) , taking his cryptography and security knowledge to the privacy group, along with a massive pay cut. Callas co-founded PGP Corp. and co-authored the OpenPGP standard, and has been highly critical of data-hungry companies like Facebook and Google.
And @IanColdwater (https://twitter.com/iancoldwater/) tweeted a hot tip this week. If you want to play with vulnerable VMs from Vulnhub but don’t have a properly isolated lab set up to run them safely, you can use Root-Me instead. More details here (https://twitter.com/iancoldwater/status/1071248076684300288?s=21) .
** THIS WEEK’S CYBER CAT
This week’s cybercat is Astro, a four-year-old rescue. He’s not just good looks — you’d definitely want him on your red team. Thanks to @ZeGuesst (https://twitter.com/zeguesst) for sending him in! (You may need to enable images in this email.) If you want your cybercat featured in an upcoming newsletter, please drop me an email here: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) .
** SUGGESTION BOX
That’s all for now. Don’t forget to send in your cybercats! If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a good one.