this week in security — february 10 edition
** this week in security
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 6.
** THIS WEEK, TL;DR
Hacker Won’t Tell Apple How Bug That Steals Passwords Works (https://www.forbes.com/sites/thomasbrewster/2019/02/06/teenager-finds-apple-mac-hack-that-steals-passwords-with-evil-apps/#7b1d895d1929) Forbes: A teenager found a bug that can easily steal Mac passwords, but the 18-year-old @LinusHenze (https://twitter.com/LinusHenze/) won’t tell Apple — because the company doesn’t have a Mac bug bounty. Apple only pays out for iOS bugs, leaving some to wonder why the company won’t extend the bounty to macOS. Henze posted a proof-of-concept video (https://twitter.com/LinusHenze/status/1092152785318100992) on Twitter. The malicious code could be included in a legitimate-looking app and steal credentials to break into Apple ID accounts. More: @LinusHenze (https://twitter.com/LinusHenze/status/1092152785318100992)
Hundreds of Bounty Hunters Had Access to Phone Location Data for Years (https://motherboard.vice.com/en_us/article/43z3dn/hundreds-bounty-hunters-att-tmobile-sprint-customer-location-data-years) Motherboard: Another scoop by @josephfcox (https://twitter.com/josephfcox) on this long-running saga of companies using real-time phone location data to track individuals without their consent. This time, the customer GPS data was sold by the big telecom firms themselves (https://motherboard.vice.com/en_us/article/a3b3dg/big-telecom-sold-customer-gps-data-911-calls), but was only supposed to be used to locate people who called 911 for emergency services. More: Motherboard (https://motherboard.vice.com/en_us/article/a3b3dg/big-telecom-sold-customer-gps-data-911-calls) | @RonWyden (https://twitter.com/RonWyden/status/1093277470059577344) | Motherboard (explainer) (https://motherboard.vice.com/en_us/article/j575dg/what-a-gps-data-is-and-why-wireless-carriers-most-definitely-shouldnt-be-selling-it)
Gay Dating App Left Private Data Exposed to Web (https://arstechnica.com/information-technology/2019/02/indecent-disclosure-gay-dating-app-left-private-exposed-to-web/) Ars Technica: Here’s a lesson in responsible disclosure vs. a company not giving a hoot. @olihough86 (https://twitter.com/olihough86) found that a gay dating app, Jack’d, was leaking private images and data, but the company didn’t fix the bug. In fact, it took a year to get the issue patched, and only after Ars stepped in. Ars held its story back until the issue was resolved. More: BBC News (https://www.bbc.co.uk/news/technology-47156029)
Many Popular iPhone Apps Secretly Record Your Screen Without Asking (https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/) TechCrunch: Many major apps are secretly recording how you use them, without your knowledge or express permission. These session replay-enabled apps are often leaking data by not masking it properly. Apple put the kibosh on the practice a day later, telling app makers to pull the code (https://techcrunch.com/2019/02/07/apple-glassbox-apps/) from their apps or rework it so that apps ask for permission. So that’s why you’re getting all the updates (https://twitter.com/HenryFollows/status/1094475587685539841) today. Google, however, hasn’t responded. (Disclosure: I wrote this!) More: TechCrunch (https://techcrunch.com/2019/02/07/apple-glassbox-apps/) | @LeoNatan (https://twitter.com/LeoNatan/status/1094270890165051392)
How A Young Woman Followed Two Hackers’ Lies To Her Death (https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go) BuzzFeed News: A 23-year-old woman was lured to her death by the same UGNazi hackers that targeted Brian Krebs in a swatting attack. This is a long, compelling read about the depths of the hackers’ lies and deception. More: @daveyalba (https://twitter.com/daveyalba/status/1092851300826533890) | Techmeme (https://www.techmeme.com/190206/p4#a190206p4)
Australian Spy Notices Already Issued, Says Government (https://www.innovationaus.com/2019/02/AA-bill-notices-already-issued) InnovationAus: Australia has already begun sending out “assistance and access” notices to companies, compelling assistance in turning over data on their customers, according to a report. It follows a rush to push the new spy bill through Australia’s parliament at the end of last year, despite heavy opposition. “The legislation is being actively used by law enforcement and security agencies in a number of investigations to keep Australia safe,” according to the government spokesperson. More: TechCrunch (https://techcrunch.com/2018/12/05/australia-rushes-its-dangerous-anti-encryption-bill-into-parliament/) | SBS News (https://www.sbs.com.au/news/tech-companies-could-leave-australia-over-dutton-s-encryption-bill-lobby)
** THE STUFF YOU MIGHT’VE MISSED
Default password let anyone access Tightrope digital signs (https://www.drewgreen.net/vulnerabilities-in-tightrope-media-systems-carousel/) Drew Green: Here’s a good, detailed write-up about how a default password allowed access to Tightrope digital billboard systems. Green walks through how he found the bugs that allowed him to gain access and replace content. The company has said it will reach out (https://www.carouselsignage.com/knowledgebase/security-announcement-february-4-2019) to customers.
NSA’s Rob Joyce talks Huawei, Kaspersky and Bloomberg’s spy chip story (https://risky.biz/RB529/) Risky Business: Admittedly, I haven’t had time to listen yet, but it’s high on my agenda this weekend. This promises to be an epic podcast with Patrick Gray. Joyce (https://twitter.com/RGB_Lights/), the chief cyber guy at the NSA and Christmas light hacking enthusiast (https://twitter.com/RGB_Lights/status/939633578492792832), talks about a range of topics relating to infosec and national security. It’s about 56 minutes long and is available on iTunes and as an MP3.
Apple is compensating 14-year-old who found FaceTime bug (https://www.theverge.com/2019/2/7/18215885/apple-group-facetime-security-bug-bounty-compensation) The Verge: 14-year-old student Grant Thompson, who found and tried to report the FaceTime eavesdropping bug with little success, will be “compensated” for finding the bug, Apple has said. The bug was fixed in iOS 12.1.4, out this week, and the unspecified payout falls under iOS’ bug bounty (https://techcrunch.com/2019/02/07/apple-group-facetime-fix/). Apple will also provide a “gift” to support his education.
Google warns iOS bugs were exploited in the wild (https://www.forbes.com/sites/thomasbrewster/2019/02/07/google-warns-hackers-abused-apple-ios-bugsupdate-your-iphone-now/) Forbes: Speaking of iOS bugs, you should definitely update to the latest iOS version, after Google security researchers took the rare step of warning the public that two of Apple’s patched bugs were “exploited in the wild.” (https://twitter.com/benhawkes/status/1093581737924259840) In other words, hackers were already using them before they were patched. Little else is known, except that the bugs allowed an escalation of privileges that let the hackers “gain complete access to the device.”
Google Should Force Better Security on Nest Users (https://gizmodo.com/google-should-make-two-factor-authentication-the-defaul-1832409728/amp) Gizmodo: In one of his debut posts for Gizmodo, @HowellONeill (https://twitter.com/HowellONeill) argues that Google should give Nest customers better protections, especially given the spate of webcam hacking issues in the past. Google told customers to two-factor their webcams, but here’s a case for pushing it to customers by default.
Children’s smartwatch recalled over data fears (https://www.bbc.com/news/technology-47130269) BBC News: The European Commission said the Enox Safe-Kid-One device posed a “serious” risk (https://ec.europa.eu/consumers/consumers_safety/safety_products/rapex/alerts/?event=viewProduct&reference=A12/0157/19&lng=en) to its users, because it allows data to and from the device to be easily intercepted. “A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS,” said the Commission.
** OTHER NEWSY NUGGETS
Apple says Russian data now stored in Russia: According to Bloomberg (https://www.bloomberg.com/news/articles/2019-02-04/apple-filing-details-user-data-the-company-is-storing-in-russia) , Apple is now complying with a local law, introduced in 2015, that compels companies to store Russian citizen data in the country. It follows other companies that have moved to comply with local laws. LinkedIn, however, is a notable exception as it refused to move its data.
Abu Rofiq revealed “alive” after crappy opsec: It was believed that Uzbek jihadist Abu Rofiq was killed in an air strike — until facial recognition revealed he was very much alive. Here’s the (translated) story (https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fwww.hurriyet.com.tr%2Fdunya%2Fhtsnin-blackwateri-41105610) and another tweet thread (https://twitter.com/iBRABO_com/status/1092844162750263297) that explains how open source intel spotted him.
Navy needs two tons of classified data burning to ash: Not exactly great for the environment, but the Navy wants to burn two tons of storage devices to the ground — and has issued a solicitation (https://www.nextgov.com/cybersecurity/2019/02/navy-needs-2-tons-storage-devices-burned-ash/154629/) to help it get there. The data belongs to the Naval Surface Warfare Center, which does all kinds of highly classified government weapons testing.
ESET finds clipper malware on Google Play: Another day, another bad Android app (https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/) on Google Play. This “clipper” app replaces a cryptocurrency wallet address copied to the clipboard with one belonging to the attacker. It’s since been removed from the app store after ESET warned of the problematic app.
Google patches malicious PNG bug: A single malicious PNG image appearing on an affected Android device’s display — such as in a web page or sent as a message — could allow a remote attacker to execute arbitrary code at a higher privilege. Google fixed the bug (https://threatpost.com/google-patches-critical-png-image-bug/141524/) as part of its monthly security patches.
** GOOD PEOPLE DOING GOOD THINGS
After the Apple FaceTime security bug reporting fiasco, Lifehacker put together a comprehensive guide on how to report bugs or security issues (https://lifehacker.com/how-to-submit-a-bug-report-to-apple-google-facebook-1832277266) to companies. Any seasoned security pro will know these already, but given that the general public has no clue (as demonstrated in Apple’s case), it’s always good to know and spread the word.
@sindresorhus (https://twitter.com/sindresorhus/status/1092813820706189313) put together a pretty cool video of stitched screenshots of his GitHub profile from each day last year. The result is a nice looking timelapse (https://twitter.com/sindresorhus/status/1092813820706189313) of his contributions.
And, Microsoft engineer @johnlatwc (https://twitter.com/johnlatwc) did a really long tweet thread (https://twitter.com/JohnLaTwC/status/1093956949073289216) on how he and his team introduced ASLR (a mitigation that makes memory corruption bugs much harder to exploit) to Windows Vista. Really interesting stuff for fans of infosec and history.
** THIS WEEK’S CYBER CAT
Meet Allie, this week’s cybercat. She just got paged during a nap and she is not a happy incident responder. Thanks to her human Eric Mill for the submission. (You may need to enable images in this email.) Please keep sending in your cybercat submissions! Include their name, a photo and a description to: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
Thanks for reading this week. As always, feel free to drop any feedback in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Have a good rest-of-your-weekend.