this week in security — february 3 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 5.
** THIS WEEK, TL;DR
Facebook, Violating Apple Rules, Pays Teens To Install Snooping VPN (https://techcrunch.com/2019/01/29/facebook-project-atlas/) TechCrunch: Facebook was paying kids to install its rebranded Onavo app (https://techcrunch.com/2019/01/29/facebook-project-atlas/) outside of Apple’s App Store, violating its rules. Apple already banned Onavo from the App Store last year for collecting too much data. Apple was furious, so this week it revoked Facebook’s enterprise developer certificate (https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/) — knocking all of its internal apps offline for a whole day. Every employee app failed to load — even Facebook’s corporate transportation and catering apps. Then, we found out Google was doing the same thing (https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/) — albeit at a lesser scale — and Apple’s ban hammer dropped again. A huge thanks to @chronic (https://twitter.com/chronic) for all his hard work in ripping Facebook’s sketchy app apart. This story wouldn’t have been possible without his input. (Disclosure: I contributed reporting.) More: TechCrunch (https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/) | The Verge (https://www.theverge.com/2019/1/31/18205795/apple-google-blocked-internal-ios-apps-developer-certificate) | @chronic tweet thread (https://twitter.com/chronic/status/1090394419902197761)
Huge Trove of Leaked Russian Docs Rejected By WikiLeaks Published (https://www.nytimes.com/2019/01/25/world/europe/russian-documents-leaked-ddosecrets.html) The New York Times ($): A massive cache of 175 gigabytes worth of emails belonging to the Russian government and private businesses was finally published, giving an unprecedented insight into Russian institutions — from the Kremlin to the church. Why important? It was the same batch of documents that WikiLeaks refused to publish. Now anyone can read through the files. Although the leak and subsequent publication is not seen as direct retaliation for the 2016 hacked DNC emails that were blamed on Russia, @NatSecGeek (https://twitter.com/NatSecGeek) said it “does add some appreciable irony.” More: @DDoSecrets (https://twitter.com/DDoSecrets/status/1088768450460336136) | @NatSecGeek tweet thread (https://twitter.com/NatSecGeek/status/1088768917030477824)
Group FaceTime Hit By Eavesdrop Bug, Apple To Fix Shortly (https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/) 9to5Mac: Well, this was a doozy. A bug in Apple’s new multi-user video chat service, Group FaceTime, allowed users to listen in on conversations before the person even picked up the phone. Not good! A teenager first found the bug but spent a week trying to alert (https://www.bbc.com/news/technology-47050433) Apple — and nobody seemed to listen because there wasn’t a simple way for ordinary folks to report the bug. Unsurprisingly, other people found the bug and it was posted all over Twitter. (Worst timing — the bug was found (https://twitter.com/zackwhittaker/status/1090069307537661952) on #DataPrivacyDay, no less.) Now the New York attorney general wants to investigate (https://techcrunch.com/2019/01/30/apples-facetime-bug-will-be-investigated-by-new-yorks-attorney-general/). More: BBC News (https://www.bbc.com/news/technology-47050433) | TechCrunch (https://techcrunch.com/2019/01/30/apples-facetime-bug-will-be-investigated-by-new-yorks-attorney-general/)
Criminals Are Tapping Into Cell Network Backbone To Empty Bank Accounts (https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank) Motherboard: Motherboard identified UK-based Metro Bank as a victim of so-called SS7 attacks. These let hackers steal text messages over the air by exploiting widespread weaknesses in the phone networks, allowing them to intercept one-time codes and drain bank accounts. It’s a nightmare scenario, first revealed some two years ago in Germany (https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/). Now it’s a far more widespread issue. Archive: The Register (https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/)
Ex-NSA Spies Helped Hack Enemies Of The UAE (https://www.reuters.com/investigates/special-report/usa-spying-raven/) Reuters: A long-read from Reuters this week, detailing some new reporting on how former NSA spies went to work for the United Arab Emirates — essentially as cyber-mercenaries. It’s a good read — and follows largely in the footsteps of @JennaMC_Laugh (https://twitter.com/JennaMC_Laugh)’s groundbreaking work three years ago (https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/) on DarkMatter, a UAE-based malware maker, which you should probably read first as a prequel. More: The Intercept (https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/) | Reuters (https://www.reuters.com/article/us-usa-spying-raven-uae-idUSKCN1PQ3DK) | @bing_chris tweet thread (https://twitter.com/Bing_Chris/status/1091371552443125762)
Inside NSA Hawaii, A Key Outpost Listening In On The Pacific (https://news.yahoo.com/inside-key-hawaii-intelligence-outpost-listening-pacific-174040136.html) Yahoo News: Speaking of @JennaMC_Laugh (https://twitter.com/JennaMC_Laugh), she just got back from reporting in Hawaii where she visited the same NSA outpost that Edward Snowden once worked at. It’s a great insider story about what the listening post actually does and why its strategic location is so important. There’s also an interesting nugget in here about what happened when “that” ballistic missile alert went off. More: @weinbergersa (https://twitter.com/weinbergersa/status/1090699923052527616) | @JennaMC_Laugh (https://twitter.com/JennaMC_Laugh/status/1090671323557384195)
Google’s Plans To Sell Location Data On Millions Of Cellphones (https://theintercept.com/2019/01/28/google-alphabet-sidewalk-labs-replica-cellphone-data/) The Intercept: Not wanting to be outdone in privacy scandals this week, Google’s trying to one-up itself by setting up a new initiative from its city-building unit, Sidewalk Labs, to collect and sell data on millions of phone users. The data is said to be anonymized and aggregated, but many are skeptical, writes @eyywa (https://twitter.com/@eyywa). Archive: The New York Times ($) (https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html) | Associated Press (https://www.apnews.com/ef95c6a91eeb4d8e9dda9cad887bf211)
Authorities Shut Down xDedic Marketplace For Buying Hacked Servers (https://www.zdnet.com/article/authorities-shut-down-xdedic-marketplace-for-buying-hacked-servers/) ZDNet: The feds, including the Justice Department and Europol, seized the xDedic marketplace this week and shut it down. The site once had tens of thousands of hacked servers on its lists, charging as little as $8 for access. Three suspects in Ukraine were also arrested. Some $68 million was generated, authorities said. More: xDedic (seized) (https://xdedic.biz/) | Justice Department (https://www.justice.gov/usao-mdfl/pr/xdedic-marketplace-website-involved-illicit-sale-compromised-computer-credentials-and)
** THE STUFF YOU MIGHT’VE MISSED
GDPR is great for getting your data, but good luck understanding it (https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple) The Verge: Thanks to GDPR, most companies now let you download your data. But the problem is many let you download it in raw format — and there’s not always an easy way to parse it, let alone understand it. Or as The Verge (https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple) put it, “138GB of data and no real answers.” I don’t know what the fix is to this, but open standards (like JSON and XML) would be helpful — at least then third parties could help fill the space with tools that can break this stuff down.
Singapore HIV registry data leaked online in health breach (https://www.bbc.com/news/world-asia-47027867) BBC News: A devastating breach of Singapore’s HIV registry — names, addresses, HIV status and other medical information — is the latest breach of Singaporean health data. The micro-country is blaming a 33-year-old U.S. citizen for the breach, who was reportedly deported from the country last year over drugs offenses.
Your crappy IoT devices are betraying your passwords (https://hackaday.com/2019/01/29/dont-toss-that-bulb-it-knows-your-password/) Hackaday: Cheap and disposable Internet of Things devices know your passwords because they need access to your network. But when that bulb blows or something inevitably stops working, you throw it out and don’t think twice about the data that’s stored on it. Limited Results did a bunch of posts on how easy it is to recover your network passwords from discarded light bulbs (https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/) and other devices. Interesting stuff.
DOJ moves to take down North Korean botnet (https://www.zdnet.com/article/doj-moves-to-take-down-joanap-botnet-operated-by-north-korean-state-hackers/) ZDNet: The U.S. is using its hack-back powers to try to remotely shut down a botnet said to be operated by North Korean hackers. The botnet’s malware spreads over SMB by brute-forcing passwords. The Justice Dept. said it’s working (https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-efforts-map-and-disrupt-botnet-used-north) with the U.S. Air Force to take the botnet down.
Security things to consider when your apartment goes ‘smart’ (https://tisiphone.net/2019/01/28/security-things-to-consider-when-your-apartment-goes-smart/) Lesley Carhart: Many of you probably followed along with @hacks4pancakes (https://twitter.com/hacks4pancakes)’ long tweet thread on her building foisting smart devices on her apartment. The whole thread is here (https://twitter.com/hacks4pancakes/status/1086000837615382529), but Carhart later wrote about the whole case in more detail. This isn’t an isolated incident and will only get more prevalent as more apartment buildings take to using smart locks and other technology — even when it’s woefully insecure. If these systems are the “future,” she says, let’s not screw it up so early on. A must read this week.
** OTHER NEWSY NUGGETS
Many popular cars can be easily stolen with hacked keyfobs: BBC reports (https://www.bbc.com/news/business-47023003) that many popular cars can be stolen through their keyless entry. Over 300 models are vulnerable — only the latest models of the Discovery and Range Rover, and the 2018 Jaguar i-Pace, all made by Jaguar Land Rover, were found to be secure, according to consumer rights group Which. The group said that attackers use relay attacks (https://www.which.co.uk/news/2019/01/how-easy-is-your-car-to-steal/) to replay the signal produced by the keyfob.
Facebook hired three of its toughest privacy critics: A big congrats to Access Now’s Nathan White, OTI’s Robyn Greene, and EFF’s Nate Cardozo for joining Facebook (https://arstechnica.com/tech-policy/2019/01/facebook-just-hired-a-handful-of-its-toughest-privacy-critics/). They’ve been some of Facebook’s biggest critics for years, but all three will be going to the social media giant in three privacy-related roles to offer new insight — and oversight — of the company’s products and services. As @kevincollier (https://twitter.com/kevincollier) pointed out — they also serve as canaries for wrongdoing. “If one or more of these three quit, it can and should draw a ton of attention,” he tweeted (https://twitter.com/kevincollier/status/1091010252479303691). Good luck to all three.
Yahoo breach payout blocked by judge: Yahoo’s massive 3 billion user data breach came down to a settlement of $37 million — most of which will go to attorneys’ fees and not the actual affected victims, says the BBC (https://www.bbc.com/news/technology-47044652). The settlement was all good to go until Judge Lucy Koh nuked it at the last minute for not being fair to the affected consumers. Koh added that Yahoo’s “vague commitments” to improve cybersecurity didn’t go far enough. (Disclosure: I work at… whatever company now owns Yahoo. Verizon (https://techcrunch.com/2018/12/18/oath-officially-becomes-verizon-media-group-on-january-8/), I think?)
Cookieminer malware targets cryptocurrency wallets on Macs: This is really interesting malware (https://www.zdnet.com/article/cookieminer-new-malware-targets-macs-to-steal-from-cryptocurrency-wallets/) found by Palo Alto Networks. The so-called Cookieminer malware infects Macs, steals cookies from web browsers specifically relating to cryptocurrency websites, then uses those cookies to steal funds (https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/). Adding insult to injury, the malware then installs a crypto-miner on the affected computer to rinse every drop of cryptocurrency off the computer.
Ethical hacker faces 8 years in prison for finding T-Mobile flaws: Hungarian prosecutors are pushing for an 8-year jail sentence for a white-hat hacker who found and responsibly disclosed vulnerabilities in T-Mobile’s systems, despite the fact that in the indictment “it is not clear what exactly has he done,” according to Hungary Today (https://hungarytoday.hu/ethical-hacker-faces-8-years-in-prison-for-exposing-vulnerability-in-telekoms-system/). Yet another egregious case of ethical hackers facing legal repercussions for trying to make the world safer. He’s being represented by the Hungarian Civil Liberties Union.
** GOOD PEOPLE DOING GOOD THINGS
A couple this week:
@IanColdwater (https://twitter.com/iancoldwater/) was tweeting this week about cybersecurity vacancies (https://twitter.com/iancoldwater/status/1089708258439372800?s=21). Everyone piled in with their own findings — from FireEye to Coinbase, Leviathan, Tenable — and more.
And, a PSA from the EFF: those NSA webcam covers aren’t very good (https://twitter.com/EFF/status/1091449476613468160). (What did you expect coming from the agency that helped develop Optic Nerve (https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo)?) For what it’s worth, there are some delightful webcam covers (https://www.etsy.com/market/webcam_cover) on Etsy — including (my favorite) a hand-crocheted football. Support small businesses!
** THIS WEEK’S CYBER CAT
This week’s cybercat is Boo. He may look judgmental but he’s a big softie, says his human, Shannon Campbell. (You may need to enable images in this email.) We’re low on cybercats! Please keep sending them in! Include their name, a photo and a description to: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
That’s all for now. Thanks for tuning in this week. If you have any feedback about this newsletter, as always please do drop it in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). See you next week. Have a good one.