this week in security — february 24 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 8.
** THIS WEEK, TL;DR
U.K. Lawmakers Call For Antitrust, Data Abuse Probe of Facebook (https://techcrunch.com/2019/02/17/uk-parliament-calls-for-antitrust-data-abuse-probe-of-facebook/) TechCrunch: Facebook’s back in hot water with the British after a long-awaited parliamentary inquiry finally concluded. Facebook should be broken up and held accountable for misusing data, according to the final report (https://publications.parliament.uk/pa/cm201719/cmselect/cmcumeds/1791/179102.htm) . Facebook’s favorite line, “We’ve never sold anyone’s data,” is “simply untrue,” said the report, and the company should have done more to prevent itself from being used as an instrument to spread fake news and disinformation. But Facebook pushed back, saying it rejects claims that it broke competition and data protection laws. Expect little to change, but after two years’ worth of data and privacy scandals, the most anyone can ask for is an investigation at home. More: Final report (PDF) (https://publications.parliament.uk/pa/cm201719/cmselect/cmcumeds/1791/1791.pdf) | @JamieJBartlett tweet thread (https://twitter.com/JamieJBartlett/status/1097443433269075971)
Experts Find Serious Problems With Switzerland’s Online Voting System (https://motherboard.vice.com/en_us/article/vbwz94/experts-find-serious-problems-with-switzerlands-online-voting-system-before-public-penetration-test-even-begins?utm_source=mbtwitter) Motherboard: Can we not put everything on the internet? This time, it’s Switzerland’s online voting system, which it opened up to a public bug bounty ahead of a wider rollout. But as @kimzetter (https://twitter.com/KimZetter) notes, the process is shrouded in secrecy and anyone who signs up signs an NDA. Unsurprisingly, the code leaked, and now experts say the voting system is poorly designed, difficult to audit, and dogged with problems. @sarahjamielewis (https://twitter.com/SarahJamieLewis/status/1099527466765320192) said, “burn it with fire.” More: @sarahjamielewis (https://twitter.com/SarahJamieLewis/status/1099527466765320192) | @alexis_roussel (https://twitter.com/alexis_roussel/status/1097926306749132800)
Australia’s Major Political Parties Hacked (https://www.smh.com.au/politics/federal/australia-s-major-political-parties-hacked-in-sophisticated-attack-ahead-of-election-20190218-p50yi1.html?utm_medium=Social&utm_source=Twitter#Echobox=1550452787) Sydney Morning Herald: Australia’s major political parties were hit by a “sophisticated state actor,” local media reports. The announcement was made not long before Australians go to the polls in an upcoming general election. The country’s prime minister blamed a foreign state, but didn’t say which — though speculation has put China at the top of the list. It’s not known what was taken, but it’s a little ironic that someone got in given Australia’s recent backdoor law. “You can’t keep your data safe, and neither can we,” someone probably said. More: BBC News (https://www.bbc.com/news/world-australia-47166590) | Background: TechCrunch (https://techcrunch.com/2018/12/05/australia-rushes-its-dangerous-anti-encryption-bill-into-parliament/)
Popular Password Managers Have Memory Security Flaws, Since Fixed (https://www.securityevaluators.com/casestudies/password-manager-hacking/) Security Evaluators: A bunch of password managers were found to have flaws. It wasn’t the end of the world, but they were still severe enough to note and fix. 1Password, KeePass, LastPass, and Dashlane had issues that could’ve allowed the retrieval of master keys from a Windows computer. The reporting on this was generally good — most noted the bugs but also that a password manager with these flaws is still better than the alternative of no password manager at all. More: Washington Post ($) (https://www.washingtonpost.com/technology/2019/02/19/password-managers-have-security-flaw-you-should-still-use-one/?utm_term=.ecbc515c891b) | The Register (https://www.theregister.co.uk/2019/02/20/password_managers_security_bugs/)
Huawei Risk Can Be Managed, Say U.K. Cybersecurity Chiefs (https://www.bbc.com/news/business-47274643) BBC News: The U.S. (and others!) have accused the phone and network equipment maker of being a proxy that China can use to spy around the world, but the U.K.’s cyber-bosses this week said the risk can be “managed.” The end result will largely focus on advice to the effect of: “keep Huawei out of your core network, but it’s OK to use its technology in phone masts and cell towers.” An interesting move, given the U.S. secretary of state has all but called out the U.K. and other countries that use Huawei gear as a “threat” (https://www.foxbusiness.com/technology/pompeo-slams-huawei-us-wont-partner-with-countries-that-use-its-technology) to the U.S. More: Sec. Pompeo on Fox Business (https://www.foxbusiness.com/technology/pompeo-slams-huawei-us-wont-partner-with-countries-that-use-its-technology) | NCSC speech (https://www.ncsc.gov.uk/news/ciaran-martins-cybersec-speech-brussels)
You Give Apps Sensitive Personal Information, Then They Tell Facebook (https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636) Wall Street Journal ($): An interesting report about the data that apps send Facebook — even if Facebook claims it does nothing with it — such as health information, including “users’ body weight, blood pressure, menstrual cycles or pregnancy status,” reports the WSJ. There’s an entire tweet thread (https://twitter.com/antoniogm/status/1099009545274191872) debating whether this is Facebook’s fault or not. More: NBC News (https://www.nbcnews.com/tech/tech-news/some-apps-send-data-about-menstruation-home-buying-facebook-wsj-n974711)
Russian Hackers Targeted U.S. Think Tanks In Europe (https://www.cnn.com/2019/02/19/tech/russian-hackers-think-tanks-europe/index.html) CNN: The Russian hackers said to be behind the DNC hacks a few years ago also targeted The Aspen Institute and The German Marshall Fund, according to Microsoft. The German Council on Foreign Relations was also targeted. It’s believed the hackers known as Fancy Bear (APT28) tried to hack the think tanks between last September and December, but it isn’t known if they were successful. Microsoft contacted the non-profits immediately, the company said. More: Microsoft (https://blogs.microsoft.com/eupolicy/2019/02/20/accountguard-expands-to-europe/)
Google Says Hidden Nest Microphone Was Not Supposed To Be A “Secret” (https://www.businessinsider.com/nest-microphone-was-never-supposed-to-be-a-secret-2019-2) Business Insider, BuzzFeed News: Talk about facepalm-worthy. When Google revealed its new Nest Secure could double up as a smart assistant, people were pissed — they had no idea a microphone existed in their device to begin with. Google said the lack of disclosure was an “error.” And, from BuzzFeed News (https://www.buzzfeednews.com/article/nicolenguyen/american-airlines-planes-entertainment-system-cameras) , people found that Singapore Airlines and American Airlines have in-seat cameras, which the airlines say aren’t connected, but which has people worried that they could be one day. More: TechCrunch (https://techcrunch.com/2019/02/20/nest-secret-microphone/) | BuzzFeed News (https://www.buzzfeednews.com/article/nicolenguyen/american-airlines-planes-entertainment-system-cameras)
** THE STUFF YOU MIGHT’VE MISSED
A deep dive on the recent widespread DNS hijacking attacks (https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/) Krebs on Security: Brian Krebs has a long take on the recent DNS hijacking attacks, likely Iranian, based on FireEye research. The U.S. government’s already been hit (https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive) by the attacks, and even ICANN is warning (https://techcrunch.com/2019/02/23/icann-ongoing-attacks-dns/) of the issue and asking domain owners to switch to the more-secure DNSSEC. Krebs has the deep dive on how the attacks work, and why they’re so easy to carry out.
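Because this class of attack works by quietly rewriting a domain’s NS, A or MX records at the registrar or DNS provider, the defender-side control is to keep a baseline of what your records should say and alert on drift. The script below is an added example, not code from the newsletter, Krebs or FireEye: it parses dig-style answer lines into records, diffs them against a baseline, and ranks NS/MX changes highest because those redirect all traffic or mail. The domain names, addresses and the “observed” answer text are constructed for the example.

```python
"""Baseline drift check for DNS records (added example; names and data are constructed)."""
from dataclasses import dataclass

# Constructed baseline: the records the domain owner expects the authoritative
# servers to return. In practice this would be stored alongside change control.
BASELINE = {
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test", "A"): {"192.0.2.10"},
    ("mail.example.test", "A"): {"192.0.2.25"},
    ("example.test", "MX"): {"10 mail.example.test."},
}

# Constructed observation in the shape of `dig +noall +answer` output:
# name, TTL, class, type, rdata. One NS and the mail host's A record differ.
OBSERVED_TEXT = """\
example.test.        3600 IN NS  ns1.example.test.
example.test.        3600 IN NS  ns1.unexpected.test.
example.test.        300  IN A   192.0.2.10
mail.example.test.   300  IN A   198.51.100.7
example.test.        3600 IN MX  10 mail.example.test.
"""


def parse_answer_section(text):
    """Parse dig-style answer lines into {(name, type): set(rdata)}.

    Blank lines and ';' comment lines are skipped; the trailing dot on the
    owner name is dropped so it matches the baseline keys.
    """
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # rdata may itself contain spaces (e.g. MX)
        if len(parts) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = parts
        key = (name.rstrip("."), rtype.upper())
        records.setdefault(key, set()).add(rdata.strip())
    return records


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    added: frozenset
    removed: frozenset
    severity: str


def compare(baseline, observed):
    """Return one Finding per (name, type) whose record set drifted from baseline."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        before = baseline.get((name, rtype), set())
        after = observed.get((name, rtype), set())
        added, removed = after - before, before - after
        if not added and not removed:
            continue
        # A changed NS delegates the whole zone elsewhere and a changed MX reroutes
        # mail, so those are ranked above a single host record changing.
        severity = "critical" if rtype in ("NS", "MX") else "high"
        findings.append(Finding(name, rtype, frozenset(added), frozenset(removed), severity))
    return findings


if __name__ == "__main__":
    for f in compare(BASELINE, parse_answer_section(OBSERVED_TEXT)):
        print(f"[{f.severity}] {f.name} {f.rtype}: +{sorted(f.added)} -{sorted(f.removed)}")
```

Running it against the constructed data reports a critical NS change on example.test and a high-severity A-record change for mail.example.test. In a real deployment the observed text would come from querying each authoritative server directly (not a recursive resolver), on a schedule, so that a swapped delegation is caught before its TTL lets it propagate widely.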
Swedish medical help service left 2.7M recorded calls exposed (https://www.cso.com.au/article/657874/it-subcontractor-left-2-7-million-recorded-calls-from-people-seeking-medical-advice-exposed-internet/) CSO: A web server with more than 2.7 million recorded calls (https://twitter.com/mikko/status/1097510235651170306) for Sweden’s 1177 health advice and medical assistance line was exposed for years — as far back as 2013 — without a password. Each caller has to state their equivalent Social Security number (or unique government identifier) when they call. It’s believed a contractor in Thailand exposed the data.
How did the police know you were near a crime scene? Google told them (https://www.mprnews.org/story/2019/02/07/google-location-police-search-warrants) Minnesota Public Radio: This is great journalism from Minnesota’s local NPR station. Prosecutors have been increasingly using “reverse location” warrants to figure out who was near a crime scene at the time of a murder. It’s effectively reverse engineering who was in the location. By asking a judge for data within a polygon of coordinates (https://www.documentcloud.org/documents/5729046-Google-Reverse-Search-Warrant-Eden-Prairie-Home.html#document/p9/a480804) , the police can narrow down who might be the killer. Really fascinating read. More from Slate (https://slate.com/technology/2019/02/reverse-location-search-warrants-google-police.html) and Bruce Schneier (https://www.schneier.com/blog/archives/2019/02/reverse_locatio.html) , too. It follows from Forbes’ (https://www.forbes.com/sites/thomasbrewster/2018/10/23/feds-are-ordering-google-to-hand-over-a-load-of-innocent-peoples-locations/#2db82b3e5a0d) reporting last year on how these “reverse location” warrants work.
Wi-Fi hidden in a USB cable (https://hackaday.com/2019/02/18/wifi-hides-inside-a-usb-cable/) Hackaday: Some really cool work by MG (https://twitter.com/MG/status/1094389042685259776) , who embedded a Wi-Fi backdoor in a USB connector. Hackaday (https://hackaday.com/2019/02/18/wifi-hides-inside-a-usb-cable/) did the write-up, explaining how the backdoor works, following MG’s blog post (http://mg.lol/blog/omg-cable/) earlier this month.
** OTHER NEWSY NUGGETS
Windows 7 to give up SHA-1 support by July From @maryjofoley (https://twitter.com/maryjofoley) : Users will need SHA-2 code-signing support installed by mid-July to continue receiving Windows updates (https://www.zdnet.com/article/windows-7-users-you-need-sha-2-support-or-no-windows-updates-after-july-2019/) . It comes after the SHA-1 algorithm was deprecated two years ago following the first public collision, which rendered the algorithm insecure for signatures.
A “highly critical” Drupal update lands, update now Drupal posted a “highly critical” release, a 20 out of 25, on February 19, warning users to update. Not all configurations are affected, the advisory says (https://www.drupal.org/psa-2019-02-19) , but affected installations are vulnerable to remote code-execution (https://arstechnica.com/information-technology/2019/02/millions-of-websites-threatened-by-highly-critical-code-execution-bug-in-drupal/) , reports @dangoodin001 (https://twitter.com/dangoodin001) .
Shazam sheds third-party trackers and analytics Interesting, right? Shazam was bought by Apple six months ago (https://www.apple.com/newsroom/2018/09/apple-acquires-shazam-offering-more-ways-to-discover-and-enjoy-music/) , but since then Apple has been embroiled in app controversies — including Facebook’s bypassing the app store (https://techcrunch.com/2019/01/29/facebook-project-atlas/) to spy on teenagers. Google was also caught pulling a similar tactic (https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/) . And then it was discovered that many popular apps were secretly recording a user’s screen (https://techcrunch.com/2019/02/07/apple-glassbox-apps/) . Now it seems Apple is taking the high ground by stripping all of the third-party analytics software (https://blog.appfigures.com/shazam-for-ios-sheds-3rd-party-sdks/) out of the latest Shazam iOS update — including its ads.
Exposed Chinese database shows depth of surveillance state We spoke about China’s massive (leaking) surveillance state last week. This week, the AP deep-dives into the issue, looking at how wide and pervasive (https://www.apnews.com/6753f428edfd439ba4b29c71941f52bb) China’s domestic spying goes.
** GOOD PEOPLE DOING GOOD THINGS
Another quiet week. Just a couple of interesting things:
You might remember a few weeks ago the saga that @hacksforpancakes (https://twitter.com/hacks4pancakes) went through when her apartment building suddenly decided to go “smart,” (https://tisiphone.net/2019/01/28/security-things-to-consider-when-your-apartment-goes-smart/) throwing security to the wind. Now she’s announced she’ll be paneling (https://twitter.com/hacks4pancakes/status/1099031571506573316) alongside a privacy lawyer at a conference next month. Great to see something positive come out of the whole thing.
And GCHQ got a plaque in London this week marking the very first listening station, unveiled by The Queen last week. To nobody’s surprise, GCHQ hid some Morse code within the text (https://twitter.com/NCSC/status/1098872779582132224) .
** THIS WEEK’S CYBER CAT
This is Barker. He’s a rescue, and likes to pen-test things by chewing them. What a good boy. (You may need to enable images in this email.) Please send in your cybercats! You can email: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) .
** SUGGESTION BOX
That’s it for this week. The anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open. Back same time next week. Have a great one.