this week in security — february 2 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 5
~ ~
** THIS WEEK, TL;DR
Leaked documents reveal how Avast was selling your browsing data (https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation) Motherboard, PCMag: Motherboard, in cooperation with PCMag (https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus-companies-can-spy-on-your-clicks), uncovered how Avast antivirus was using its Jumpshot subsidiary to sell hundreds of millions of users’ web browsing data to some of the world’s largest companies. Some 435 million users were caught up in the data-selling scheme, which covered location data, LinkedIn pages, which porn sites people visited, and more. Days after the news broke, Avast said it will shut down (https://blog.avast.com/a-message-from-ceo-ondrej-vlcek) its subsidiary by buying back its 35% stake, worth $60 million. “Hundreds” of staff will be laid off, the company said. More: PCMag (https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus-companies-can-spy-on-your-clicks) | Avast (https://blog.avast.com/a-message-from-ceo-ondrej-vlcek) | Motherboard (https://www.vice.com/en_us/article/wxejbb/avast-antivirus-is-shutting-down-jumpshot-data-collection-arm-effective-immediately)
Hackers acting in Turkey’s interests believed to be behind recent cyberattacks (https://www.reuters.com/article/us-cyber-attack-hijack-exclusive-idUSKBN1ZQ10XNK) Reuters: Hackers said to be part of the “Sea Turtle” group (https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html) are allegedly working in the interests of Turkey’s government, according to sources speaking to Reuters. The attacks involved DNS manipulation and hijacking to target corporate victims, allowing the attackers to redirect unsuspecting users to spoofed web pages where their credentials could be phished. The attacks have been going on since 2018. Sea Turtle was first discovered by Cisco’s Talos group.
More: @bing_chris (https://twitter.com/bing_chris/status/1221806195901636614?s=21) | Cisco Talos (https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html)
U.N. tried to cover up a cyber attack (https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack) The New Humanitarian: Incredible work here — the United Nations was hit by hackers in 2019 but kept it quiet. According to the report, the hackers stole several Active Directory stores of various U.N. offices in Europe, and exfiltrated some 400 gigabytes of data. “Under diplomatic immunity, the U.N. is not obliged to divulge what was obtained by the hackers or notify those affected,” the story noted. Cool, cool, cool. As @kevincollier (https://twitter.com/kevincollier/status/1222565277407289344) said, it’s “not like the UN is a target that holds sensitive information that could harm people if it fell into the wrong hands.” More: Seattle Times (https://www.seattletimes.com/business/leaked-report-shows-united-nations-suffered-hack/)
Huawei set for limited role in UK 5G networks (https://www.bbc.com/news/technology-51283059) BBC News: Good news for Huawei but bad news for the White House, which has for months been pressuring the U.K. to ban Huawei from its 5G network. But the U.K. decided against that advice and is going ahead with the deal. Caveat: Huawei will be banned from supplying its networking technology to “sensitive” parts of the “core” 5G network, as well as to military bases and other restricted areas like nuclear sites. More: The Guardian (https://www.theguardian.com/technology/2020/jan/28/huawei-decision-is-a-sensible-compromise-but-could-still-anger-us) | TechCrunch (https://techcrunch.com/2020/01/28/uk-will-allow-huawei-to-supply-5g-with-tight-restrictions/)
Hackers infiltrated a big Facebook data partner to launch scams (https://www.cnet.com/news/hackers-infiltrated-a-big-facebook-data-partner-to-launch-scams/) CNET: Marketing giant LiveRamp has “privileged” access to ad accounts on Facebook, but hackers took notice, broke into one of LiveRamp’s admin accounts, and used it to “run ads using other people’s money.” It was a pretty smart scheme — even if LiveRamp said the damage was “contained.” LiveRamp is a major data partner for Facebook, which uses it to match a user’s real-world actions to online data for ads. But Facebook didn’t require two-factor authentication on the account. Instead, it only “recommends” users switch on the security feature. More: @alfredwkng tweets (https://twitter.com/alfredwkng/status/1222628011008319491) | @malwarebytes (https://twitter.com/Malwarebytes/status/1223048353820422144)
FBI probes use of NSO Group’s spyware (https://www.reuters.com/article/us-usa-cyber-nso-exclusive/exclusive-fbi-probes-use-of-israeli-firms-spyware-in-personal-and-government-hacks-sources-idUSKBN1ZT38B) Reuters: A little nugget of good news this week: the NSO Group, which makes the Pegasus spyware that’s been used by governments to spy on activists, dissidents, and journalists, is under investigation by the FBI. NSO claims its spyware can’t target U.S. phone numbers, but experts dispute that. The FBI is said to be investigating whether Americans had been targets. Facebook-owned WhatsApp has sued (https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup/whatsapp-sues-israels-nso-for-allegedly-helping-spies-hack-phones-around-the-world-idUSKBN1X82BE) the NSO Group for developing malware that targets the end-to-end encrypted messaging app. Archive: Reuters (https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup/whatsapp-sues-israels-nso-for-allegedly-helping-spies-hack-phones-around-the-world-idUSKBN1X82BE)
DOD contractor Electronic Warfare Associates hit with ransomware (https://www.cyberscoop.com/ryuk-ransomware-ewa-dod-contractor/) Cyberscoop: Pentagon contractor Electronic Warfare Associates had its systems encrypted with ransomware, Cyberscoop confirmed this week. The company said it has no plans to pay the ransom. “I didn’t even ask [the amount],” the company’s chief executive said. ZDNet said the company was hit with Ryuk, a popular ransomware that’s recently been blamed for hitting The Tampa Bay Times (https://www.tampabay.com/news/business/2020/01/23/tampa-bay-times-hit-by-ransomware-attack/) and the City of New Orleans (https://statescoop.com/new-orleans-latest-apparent-victim-of-ryuk-ransomware/). The contractor supports the government’s electronic warfare efforts. More: ZDNet (https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/)
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Newsrooms, let’s talk about Office 365 (https://freedom.press/training/blog/newsrooms-lets-talk-about-office365/) Freedom of the Press Foundation: Following on from its look at Google Docs a few months back (https://freedom.press/training/blog/newsrooms-lets-talk-about-gsuite/), the Freedom of the Press Foundation is back with eyes on Microsoft’s Office 365, its rival cloud productivity suite to Google’s. The short of it is that “there are many reasons Microsoft may end up reading your data.” Reporters and newsrooms (and security professionals too!) should know the limits of these services — and know when not to use them.
Researchers say Saudi Arabia tried to hack New York Times reporter (https://www.nytimes.com/2020/01/28/reader-center/phone-hacking-saudi-arabia.html) New York Times ($): NYT reporter Ben Hubbard said he was sent a suspicious link by text message, which experts say was a hacking effort by the Saudi government. Hubbard, who has covered the Middle East and Saudi Arabia for years, suspected it was a hacking effort and enlisted the researchers at Citizen Lab, who confirmed it was. Hubbard becomes the first U.S. journalist verified to have been targeted by the NSO Group’s malware. Citizen Lab also did a writeup on the malware. It’s worth the read (https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/).
Dept. of the Interior grounds drones over cybersecurity concerns (https://www.cyberscoop.com/drone-ban-interior-department-cybersecurity/) Cyberscoop: The Secretary of the Interior ordered the grounding of its fleet of non-emergency drones this week, amid fears that the Chinese-built drones could be used by Beijing to spy on operations. The DOI has about 800 drones (https://techcrunch.com/2020/01/29/interior-ground-drones-cybersecurity/) — but only 24 of them are U.S.-made (and those still have Chinese components).
iPhone’s locked-down security may have helped alleged Saudi hackers (https://www.washingtonpost.com/technology/2020/01/29/apple-iphone-bezos-hack/) Washington Post ($): Speaking of which… (and this is not the greatest headline, to be fair) security researchers say iPhone security is making incident response difficult. That’s not a secret, but it’s still a really interesting read. The bottom line is that Apple’s locked-down security makes it difficult for researchers to figure out what’s going on inside. @patrickwardle (https://twitter.com/patrickwardle/status/1222584014587875328) said he’s a “huge fan” of Apple’s “impressive security,” but it’s “basically a blackbox, meaning their exploits [and] malware (if used correctly) will likely never be detected.”
~ ~
** SUPPORT THIS NEWSLETTER
Thanks to everyone who reads and supports this newsletter! Subscribers are going up, and so are the costs. Please spare $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051)) to help maintain the upkeep of this newsletter. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here!
~ ~
** OTHER NEWSY NUGGETS
Ring app shares personal data with third parties, EFF says (https://gizmodo.com/ring-app-shares-personal-data-with-facebook-other-unli-1841289093) Filed under “why are we surprised,” and yet here we are. EFF says the Ring app shared personal data with third parties, including Facebook and other unlisted ad trackers. Several of the trackers aren’t listed in Ring’s own privacy policy, which was last updated almost two years ago. The EFF made the discovery (https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers) earlier this week. Although the data was sent using HTTPS, it’s delivered in a way that “eludes analysis,” the privacy group wrote.
Feds order tech giants to help hunt down WhatsApp meth dealer (https://www.forbes.com/sites/thomasbrewster/2020/01/29/a-problematic-government-order-forces-tech-giants-to-help-hunt-a-whatsapp-drug-dealer/#7981450b2516) @iblametom (https://twitter.com/iblametom) reports on a “problematic” legal demand by law enforcement in an effort to track down a meth dealer on WhatsApp. The feds have asked for information WhatsApp (which is owned by Facebook) can never provide on the dealer, who’s on the DEA’s most-wanted list, including “IP addresses of any websites or other servers to which the cellphone device or devices connected.”
Sprint exposed customer support site to the internet (https://krebsonsecurity.com/2020/01/sprint-exposed-customer-support-site-to-web/) Oh no, not again (https://techcrunch.com/2019/12/04/sprint-contractor-cell-phone-bills-exposed/), Sprint! This time, Sprint accidentally exposed a private customer support forum to the internet, where it was indexed and cached by Google. The forum was used as a way to communicate with front-line Sprint staff about customer service issues. Some of the support forum posts contained personal and account information, which @briankrebs (https://twitter.com/briankrebs) — who wrote the story (https://krebsonsecurity.com/2020/01/sprint-exposed-customer-support-site-to-web/) — said could be used to carry out fraud, like SIM swapping.
~ ~
** THE HAPPY CORNER
Here’s some much-needed good news from the week.
Google has open-sourced its security key technology, allowing anyone to build their own hardware security key for the strongest level of two-factor authentication. OpenSK (https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html) allows for greater customization and, because it’s open-source, it’s also open for improvements.
Some really good news: the Coalfire duo who were arrested and charged with trespassing as part of a red team pentest engagement have had all their charges dropped! The Des Moines Register (https://www.desmoinesregister.com/story/news/crime-and-courts/2020/01/30/courthouse-break-ins-charges-dropped-against-coalfire-employees/4611574002/) broke the news, and Ars Technica (https://arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/) has more. “Exonerated.” Shame it ever got this far, though.
And, @SamNChiet (https://twitter.com/SamNChiet/status/1222647282237169671) made a goose game that destroys your desktop, a tribute to the Untitled Goose Game, which stars an asshole goose that goes around destroying things. You can download it for Windows here (https://samperson.itch.io/desktop-goose). HONK.
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** THIS WEEK’S CYBER CAT
Meet Daisy, this week’s cybercat. She likes to chase mice, voles, and nation state-backed hackers who try to get into her human’s computer. Good on you, Daisy. A big thanks to her human, Grant Blank, for the submission! Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.).
~ ~
** SUGGESTION BOX
A very big thank you for reading from Shmoocon in Washington DC. Hope you enjoyed this week’s newsletter. As always, if you have any feedback, please drop me a note in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). See you next week — have a great one.