this week in security — february 17 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 7.
** THIS WEEK, TL;DR
Former U.S. Air Force Officer Charged With Defecting, Spying For Iran (https://www.reuters.com/article/us-usa-iran-spy/us-charges-former-air-force-officer-with-spying-for-iran-idUSKCN1Q2228) Reuters: Hoo-boy. First deemed a missing person, now wanted by the FBI. Monica Witt, a Texas-raised U.S. Air Force officer, was this week charged with defecting to and spying for Iran. Witt had TS/SCI clearance, and knowledge of special access programs — such as names of informants, which she is accused of giving over to Iran. She also helped Iran’s cyber-units to spy on her former colleagues, who were still working for the intelligence community. It turns out she was recruited years ago by an American-Iranian TV anchor who, if you recall, was detained “for reasons unknown” (https://twitter.com/zackwhittaker/status/1096207927654973442) in a U.S. jail last month. More: Justice Department (https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber) | New York Times ($) (https://www.nytimes.com/2019/02/13/world/middleeast/air-force-monica-elfriede-witt-iran.html) | Background: BBC News (https://www.bbc.com/news/world-us-canada-46895015l)
30 Sites, Almost A Billion Accounts Stolen In Mass Breaches (https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/) The Register, TechCrunch: A hacker has uploaded three “rounds” of data breaches to the dark web marketplace Dream Market over the past week, selling close to a billion stolen user records. The Register first reported (https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/) the first round of 620 million records from 16 sites, including MyFitnessPal and Animoto, but also previously unreported breaches, like 500px and CoffeeMeetsBagel. Then it got even bigger: Houzz, Roll20 and YouNow were uploaded in a second round (https://techcrunch.com/2019/02/14/hacker-strikes-again/), followed by ClassPass, Gfycat and StreetEasy in a third round of sales (https://techcrunch.com/2019/02/16/classpass-gfycat-streeteasy-hacks/). Now the total stands at 30 sites and, by my count, about 841 million records. One researcher said it looks like a common vulnerability (https://techcrunch.com/2019/02/14/hacker-strikes-again/) was exploited by the hacker across the sites. (Disclosure: I wrote some of the follow-ups.) More: TechCrunch (https://techcrunch.com/2019/02/16/classpass-gfycat-streeteasy-hacks/) | ZDNet (https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/)
Undercover Spy Exposed In New York Was One Of Many (https://apnews.com/a1d1af4256c04cc5a36347667e966a14) Associated Press: Remember a couple of weeks ago (https://www.apnews.com/9f31fa2aa72946c694555a5074fc9f42) how a spy was trying to get friendly with Citizen Lab to figure out what the unit knew about Israel’s spying operations? Bingo! It was one of many attempts to infiltrate the group, reports @razhael (https://twitter.com/razhael). The attempts are believed to be orchestrated by the NSO Group, a maker of nation state malware, which reportedly infected a phone belonging to a confidant of murdered journalist Jamal Khashoggi. Background: Associated Press (https://apnews.com/a1d1af4256c04cc5a36347667e966a14) | @razhael tweet thread (https://twitter.com/razhael/status/1094885672664616961)
DHS Guts Task Forces Protecting Elections From Foreign Meddling (https://www.thedailybeast.com/trumps-dhs-guts-task-forces-protecting-elections-from-foreign-meddling) The Daily Beast: It was reported that Homeland Security was gutting its election task forces following the midterms — despite another election less than two years away. The intelligence community has described 2020 as a “perfect storm” for meddling. “It’s very curious why the leadership has not committed resources to prepare for the 2020 election,” said one DHS official to the publication. One lawmaker said the positions were never meant to be permanent and would be rolled into CISA, the new cyber-agency under DHS. For its part, DHS says it’s not reducing the efforts but is instead “doubling down,” according to the Washington Post ($) (https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/02/15/the-cybersecurity-202-we-re-doubling-down-dhs-insists-it-s-not-reducing-election-security-efforts/5c65b46d1b326b71858c6b91/?noredirect=on&utm_term=.b3a74a0e0328). More: Washington Post ($) (https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/02/15/the-cybersecurity-202-we-re-doubling-down-dhs-insists-it-s-not-reducing-election-security-efforts/5c65b46d1b326b71858c6b91/?noredirect=on) | FCW (https://fcw.com/articles/2019/02/14/dhs-cisa-foreign-influence.aspx)
Chinese Company Leaves Muslim-Tracking Facial Recognition Database Exposed (https://www.zdnet.com/article/chinese-company-leaves-muslim-tracking-facial-recognition-database-exposed-online/) ZDNet: A database found exposed online was used to track a massive Muslim population of Chinese citizens: the under-threat Uyghur Muslim population in Xinjiang. Beijing has been cracking down (https://www.bbc.com/news/world-asia-china-45474279) on the population and sending over a million Uyghur Muslims to “re-education” camps. Victor Gevers (https://twitter.com/0xDUDE/status/1095702540463820800) found the database and has a tweet thread explaining what was inside. The database “received a constant stream of new GPS coordinates on a daily basis,” reports @campuscodi (https://twitter.com/campuscodi/status/1096114947665395714). More: @campuscodi tweet thread (https://twitter.com/campuscodi/status/1096113262972862468) | @0xDUDE tweet thread (https://twitter.com/0xDUDE/status/1095702540463820800)
Facebook Uses Its Apps To Track Threatening Users (https://www.cnbc.com/2019/02/14/facebooks-security-team-tracks-posts-location-for-bolo-threat-list.html) CNBC: At this point, would any of this surprise you? Facebook maintains a watchlist of users that have made threatening statements or comments about Facebook. “The company’s information security team is capable of tracking these individuals’ whereabouts using the location data they provide through Facebook’s apps and websites,” reports CNBC. That includes anyone who writes “Fuck you, Mark” or “Fuck Facebook” on social media — which, admittedly, is probably a lot of people given the year it’s had (https://techcrunch.com/2018/12/28/mark-zuckerberg-tonedeaf-end-of-year-remarks/). In one case, Facebook found that a group of interns who didn’t log on when they said they were working from home were in fact on a camping trip. More: @oliviasolon tweet thread (https://twitter.com/oliviasolon/status/1096139763201990656)
** THE STUFF YOU MIGHT’VE MISSED
U.S. judge keeps documents secret in Facebook encryption case (https://www.reuters.com/article/us-facebook-encryption/u-s-judge-keeps-documents-secret-in-facebook-encryption-case-idUSKCN1Q100X) Reuters: Remember when the U.S. government tried to wiretap Facebook Messenger (https://www.reuters.com/article/us-facebook-encryption-exclusive-idUSKBN1L226D), but couldn’t, so it wanted to force Facebook to do it for them? It was all part of a sealed case on a MS-13 crackdown, but a court refused without saying why. Was it a privacy reason? Who knows! Now the court said it’s keeping everything secret (https://www.reuters.com/article/us-facebook-encryption/u-s-judge-keeps-documents-secret-in-facebook-encryption-case-idUSKCN1Q100X) because it would compromise “many, if not all, future wiretap investigations.” That means we have no idea why it happened, how the government tried to ask, and why the case failed. ACLU and others said knowing about the case would help protect users in the future.
Security researcher scans Austria, finds more than he expected (https://blog.haschek.at/2019/i-scanned-austria.html) Christian Haschek: This was fun to read: Christian Haschek (of “I found a rogue Raspberry Pi in our networking closet” (https://blog.haschek.at/2019/the-curious-case-of-the-RasPi-in-our-network.html) fame) scanned the entire Austrian IP space and found a ton of things that shouldn’t be online: IP cameras, printers, and industrial control systems, to name just a few. He even found four servers running Windows CE(!) It’s a fun read, but a cautionary reminder not to put things on the internet that don’t need to be there.
Why can’t bots check the “I am not a robot” box? (https://www.quora.com/Why-cant-bots-check-%E2%80%9CI-am-not-a-robot%E2%80%9D-checkboxes/answer/Oliver-Emberton?share=1) Quora: Fascinating stuff from Quora. “How complicated can one little checkbox be?” Actually, very difficult. That reCAPTCHA one-box click button is powered by an entire virtual machine that uses its own language, which is encrypted twice, says @oliveremberton (https://twitter.com/oliveremberton). And that’s just the start. So no wonder it’s so difficult for bots to bypass those “I am not a robot” boxes.
** OTHER NEWSY NUGGETS
Email provider VFEmail suffers ‘catastrophic’ hack From the indomitable @briankrebs (https://twitter.com/briankrebs): VFEmail was hit by a likely-unrecoverable hack that trashed some 18 years’ worth of customer email (https://krebsonsecurity.com/2019/02/email-provider-vfemail-suffers-catastrophic-hack/). You don’t really get much worse than this. The company said a hacker was caught formatting one of the company’s Netherlands-based mail servers. Users are advised to disconnect their email clients from VFEmail’s network.
Selling 911 location data is illegal, but the big-four carriers did it anyway The big four cell networks are accused of breaking U.S. law (https://www.publicknowledge.org/news-blog/blogs/telecom-giants-broke-the-law-by-selling-detailed-location-data.-will-they-face-consequences) by selling 911 location data to third parties. This so-called A-GPS (assisted GPS) data is meant to be used only for helping 911 operators and first responders find people in an emergency. A rights group, Public Knowledge, has called on the FCC to investigate. The revelations come after a Motherboard investigation (https://motherboard.vice.com/en_us/article/43z3dn/hundreds-bounty-hunters-att-tmobile-sprint-customer-location-data-years) last week.
U.S. and Facebook negotiating “multibillion-dollar” fine for privacy lapses From the Washington Post ($) (https://www.washingtonpost.com/technology/2019/02/14/us-government-facebook-are-negotiating-record-multi-billion-dollar-fine-companys-privacy-lapses/?noredirect=on&utm_term=.7eeb5b64215b): Facebook is in talks with the FTC to settle the social media giant’s string of privacy lapses. The amount is said to be a “multi-billion dollar fine,” which could eclipse anything that’s been issued before. If the FTC fails to settle, it’s likely to take the matter to court, where the final number could be significantly more or less.
Student-run Stanford Daily pwns student records company This is excellent work from Stanford’s student-run newspaper (https://www.stanforddaily.com/2019/02/14/data-breach-allowed-students-to-view-other-students-admission-files-sensitive-personal-data/). Changing a single, easily enumerable digit in a URL of the student records system let any student access another student’s records, including “ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid.” The company that makes the software, Hyland, issued its own statement (https://www.hyland.com/products/nolijweb). It doesn’t look good for the company at all.
** GOOD PEOPLE DOING GOOD THINGS
It was a really quiet week in infosec, but there are still a few things worth highlighting:
We mentioned Victor Gevers (https://twitter.com/0xDUDE) earlier, but you should really understand the scope and breadth of his work. Gevers works for the GDI.foundation, which scans for and reports vulnerabilities. To date, he’s found 33 million issues and reported 668,000. More than 562,000 have been fixed as a result. The stats are staggering (https://github.com/GDI-foundation/stats/blob/master/2018_11_09).
And, after Bloomberg’s “spy chip” story fiasco, @taviso (https://twitter.com/taviso/status/1096431276645507072) made a “modest bet” that Super Micro would recover its losses, given that no supporting evidence had backed up Bloomberg’s story. In doing so, he made a “tidy profit” that he wanted to donate to an organization that promotes higher standards in journalism. In the end, he donated to ProPublica (https://twitter.com/taviso/status/1096433332307427328?s=21), as well as IRE and NICAR, and the Poynter Institute (https://twitter.com/taviso/status/1096449120225513472). This was a kind gesture from him. Journalism isn’t cheap, nor does it make much money, but it’s a reminder to support journalism whenever you can.
** THIS WEEK’S CYBER CAT
This week’s cybercat is Mars. He rests like this after hours of red teaming. Protect your modesty, Mars — very NSFW! A big thanks to his human Vlad Sokolov for the submission. (You may need to enable images in this email.) We’re dangerously low on cybercats. Please send some my way! You can drop me an email here: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
That’s all for now. You can always leave some feedback in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). I’m back same time next Sunday. Have a great week.