this week in security — february 9 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 6
~ ~
** THIS WEEK, TL;DR
Iowa’s caucus reporting app could’ve been easily hacked (https://www.propublica.org/article/the-iowa-caucuses-app-had-another-problem-it-could-have-been-hacked) ProPublica: Iowa was at the top of the news this week — not for the caucus per se, but because the horrendous app that was designed to make the reporting process faster spectacularly crapped out. Though security wasn’t to blame, the conversation quickly turned to “what if” when ProPublica got hold of the app and found it wasn’t using basic security mechanisms (including a lack of HTTPS and other things). Motherboard also got a copy of the app and ripped it apart (because of course they did, classic Motherboard) and found (https://www.vice.com/en_us/article/3a8ajj/an-off-the-shelf-skeleton-project-experts-analyze-the-app-that-broke-iowa?) that the app was an absolute disaster. Homeland Security reportedly offered (https://twitter.com/dnvolz/status/1224781771570647042) to test the app but was basically rejected. @fs0c131y (https://twitter.com/fs0c131y/status/1224628685808066565) also looked at the app’s back-end infrastructure with hilarious (or depressing?) results. Anyway, this is exactly why elections on the internet are dumb, says @gregotto (https://twitter.com/gregotto/status/1224716692590383105). More: Motherboard (https://www.vice.com/en_us/article/3a8ajj/an-off-the-shelf-skeleton-project-experts-analyze-the-app-that-broke-iowa?) | Politico (https://www.politico.com/news/2020/02/02/iowa-2020-election-security-110126) | @fs0c131y (https://twitter.com/fs0c131y/status/1224628685808066565)
Feds use phone app location data for immigration enforcement (https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600?mod=breakingnews) Wall Street Journal ($): Not surprising and yet still shocking. The feds, specifically ICE, are buying access to the location data collected by apps and sold by data brokers and advertisers for use at the southern border to track migrants, among other things. ICE spent millions on the data instead of obtaining warrants — a loophole that’s legal, but hasn’t yet been tested in court. In some identified cases, police records didn’t say (https://twitter.com/rebeccaballhaus/status/1225772130371035136) how they got the location data used for arrests, so clearly it’s something they wanted to hide. @WolfieChristl (https://twitter.com/WolfieChristl/status/1225777424144703488) has a good tweet thread on this. More: @mhackman (https://twitter.com/mhackman/status/1225761770649849861) | @rebeccaballhaus (https://twitter.com/rebeccaballhaus/status/1225772130371035136)
Mysterious new ransomware targets industrial control systems (https://www.wired.com/story/ekans-ransomware-industrial-control-systems/) Wired ($): Ekans (or Snake backwards) is a new malware — specifically ransomware — that targets industrial control systems (ICS) devices, the sorts of kit you find in energy grids and water works. Given ICS devices are high value targets and can cause considerable disruption if attacked, there’s an ongoing scramble to better understand the malware. Dragos said (https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/) it’s likely launched by cybercriminals, not a nation-state. Not that that’s very reassuring, as @a_greenberg (https://twitter.com/a_greenberg/status/1224503550845300736) put it. It’s not the first of its kind; Megacortex was the first, making its debut early last year. More: Dragos (https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/) | Ars Technica (https://arstechnica.com/information-technology/2020/02/new-ransomware-intentionally-meddles-with-critical-infrastructure/)
Ancestry.com refused a search warrant for access to its DNA database (https://www.buzzfeednews.com/article/peteraldhous/ancestry-dna-database-search-warrant) BuzzFeed News: Ancestry.com, one of the largest DNA profiling sites, was served an out-of-state warrant that it refused to comply with on “jurisdictional” grounds — which is within its rights. Ancestry.com is based in Utah and the warrant came from Pennsylvania. The fact is that police are only a technicality away (https://techcrunch.com/2020/02/04/ancestry-warrant-dna-records/) from having to hand over gobs of user data. More: Ancestry.com (https://www.ancestry.com/cs/transparency) | TechCrunch (https://techcrunch.com/2020/02/04/ancestry-warrant-dna-records/)
Cybersecurity giant Darktrace haunted by its past (https://www.forbes.com/sites/thomasbrewster/2020/02/06/skeletons-in-the-closet-2-billion-cybersecurity-firm-darktrace-haunted-by-characters-from-hps-failed-autonomy-deal/) Forbes: This was an incredible story — must’ve taken @iblametom (https://twitter.com/iblametom) an absolute age to nail down. Brewster went down the Darktrace rabbit hole, a cybersecurity giant valued at $2 billion. The story follows Sushovan Hussain, a convicted fraudster who’s been involved in Darktrace but was jailed for fraud following his role in the collapse of Autonomy. But the report goes deeper and reveals sexual harassment, inappropriate conduct, and aggressive tactics. Incredible reporting. More: @iblametom (https://twitter.com/iblametom/status/1225374831459348480)
Cisco flaws put millions of workplace devices at risk (https://www.wired.com/story/cisco-cdp-flaws-enterprise-hacking/) Wired ($): Bugs in Cisco Discovery Protocol, which lets Cisco devices see each other on the same network, could be used to break out of a segmented network. If properly exploited, a skilled hacker with a foothold on a network could traverse the network with relative ease. Armis found the bugs and disclosed them to Cisco, which released patches for the bugs this week. Cisco said there’s no (current) evidence of active exploitation. More: Armis (https://www.armis.com/cdpwn/)
Twitter says state-backed actors may have accessed users’ phone numbers (https://www.reuters.com/article/us-twitter-security/twitter-says-state-backed-actors-may-have-accessed-users-phone-numbers-idUSKBN1ZY07G) Reuters: Twitter said a bug that allowed a security researcher in December to match randomly generated phone numbers to Twitter accounts may have also been used by nation-backed hackers. Cool, cool. I broke the story first back in December (https://techcrunch.com/2019/12/24/twitter-android-bug-phone-numbers/). Twitter wasn’t thrilled, and suspended the researcher’s accounts. But now it seems that discovery helped find more nation-backed activity on the platform. Twitter, unpredictably, didn’t say much on how it reached that conclusion. (You’re welcome, I guess? Who knows.) More: TechCrunch (https://techcrunch.com/2019/12/24/twitter-android-bug-phone-numbers/) | @zackwhittaker (https://twitter.com/zackwhittaker/status/1224442287872069632) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Dear Ashley Madison user, I know everything about you. Pay up or else (https://arstechnica.com/information-technology/2020/02/four-plus-years-later-ashley-madison-hack-is-used-in-new-extortion-scam/) Ars Technica: An extortion scheme targeting Ashley Madison users is still going on some four years after the breach laid bare millions of user accounts. Researchers say “several hundred” emails have been sent of late, demanding that former users turn over bitcoin in exchange for the senders’ silence. It’s not the first extortion attempt — shortly after the breach, two members reportedly died by suicide after their data was included in the stolen data.
Lawyers argue Vault 7 suspect Joshua Schulte is a whistleblower (https://www.cyberscoop.com/vault-7-trial-joshua-schulte-wikileaks/) Cyberscoop: Three years after WikiLeaks started publishing classified CIA-built hacking tools, the lead suspect’s legal team will say he did so to reveal how the government breaks into common consumer tech products. By designating him a “whistleblower,” it’s hoped he’ll get a reduced sentence. Joshua Schulte, a former CIA software engineer, is accused of stealing the files and giving them to WikiLeaks. The massive collection of published files was called Vault 7 (https://www.cyberscoop.com/vault-7-operation-overwatch-cia-hacking-tools-rsa-conference/).
Nightmare Google Photos bug sent private videos to the wrong people (https://arstechnica.com/gadgets/2020/02/google-photos-bug-let-strangers-download-your-private-videos/) Ars Technica: Here’s a nightmare situation: Google’s data export service, which keeps the company compliant with GDPR and California’s CCPA, accidentally delivered users’ private photos to the wrong people. It’s not known exactly how many people were affected during the four-day security lapse in November 2019, only that it was “less than 0.01%” of Photos users. Given Photos went past the billion-user mark (https://www.theverge.com/2019/7/24/20708328/google-photos-users-gallery-go-1-billion) last year, that could still be 100,000 people affected. Ouch.
Dangerous ‘corp.com’ domain goes up for sale (https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/) Krebs on Security: For all those years you were told to use “corp.com” across your internal network, now that might come back to bite you in the ass. If corp.com is sold, it could create a “namespace collision,” where domain names meant only for internal use end up under an internet-resolvable domain name. That could be a real security concern down the line. Allowing corp.com to resolve could allow the siphoning off of email from internal networks that use corp.com as an internal-only domain name. A fascinating and eye-opening problem.
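To make the namespace-collision mechanism concrete, here is an added Python example (not from the Krebs piece or from this newsletter). It simulates how a stub resolver expands an unqualified internal hostname using its DNS search list, and flags any resulting query whose registrable apex is a domain the organization does not actually own. The `devolve` helper mimics Windows-style DNS name devolution (primary suffix `internal.corp.com` is also tried as `corp.com`); that behaviour is not described on the page and is included here as an assumption about how such clients behave. The search lists, hostnames and the “owned” domain set are constructed sample data, and the apex check is a naive last-two-labels rule rather than a Public Suffix List lookup.

```python
# Added example: simulate DNS search-list expansion and flag namespace-collision risk.
# Sample search lists, hostnames and owned domains are constructed, not taken from the page.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Candidate:
    query: str        # fully qualified name the resolver would actually send
    apex: str         # registrable domain the query lands under (naive: last two labels)
    leaves_org: bool  # True when the apex is not controlled by the organization


def registrable_apex(fqdn: str) -> str:
    """Naive apex: the last two labels. Fine for .com-style names; not PSL-aware."""
    labels = fqdn.strip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def devolve(primary_suffix: str, devolution_level: int = 2) -> List[str]:
    """Windows-style name devolution (assumed behaviour): try the primary DNS suffix,
    then strip leading labels until only `devolution_level` labels remain."""
    labels = primary_suffix.strip(".").lower().split(".")
    suffixes = []
    while len(labels) >= devolution_level:
        suffixes.append(".".join(labels))
        labels = labels[1:]
    return suffixes


def expand_search_list(name: str, search_list: Iterable[str]) -> List[str]:
    """Mimic a stub resolver: a dotless name is appended to each search suffix in order;
    a name that already contains a dot is sent as-is."""
    name = name.strip(".").lower()
    if "." in name:
        return [name]
    return [f"{name}.{suffix.strip('.').lower()}" for suffix in search_list]


def collision_report(name: str, search_list: Iterable[str],
                     owned_domains: Iterable[str]) -> List[Candidate]:
    """For each query the resolver would emit, decide whether it would leave the
    organization's control if it escaped to public DNS."""
    owned = {d.strip(".").lower() for d in owned_domains}
    return [Candidate(q, registrable_apex(q), registrable_apex(q) not in owned)
            for q in expand_search_list(name, search_list)]


def risky_queries(name: str, search_list: Iterable[str],
                  owned_domains: Iterable[str]) -> List[str]:
    """Just the queries that would land under a domain the organization does not own."""
    return [c.query for c in collision_report(name, search_list, owned_domains) if c.leaves_org]


if __name__ == "__main__":
    # Constructed scenario: an AD forest named internal.corp.com whose real public
    # domain is example.com. A laptop off the corporate network asks for "fileserver".
    owned = {"example.com"}
    search = devolve("internal.corp.com")
    for c in collision_report("fileserver", search, owned):
        print(f"{c.query:35} apex={c.apex:12} leaves_org={c.leaves_org}")
```

The point the report makes visible is that the unqualified name never appears on the wire: each candidate query is a full name under `corp.com`, so whoever controls that apex on the public internet receives the lookups (and, for MX records, potentially the mail) whenever the internal resolver is not the one answering.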
Safe harbor, or thrown to the sharks by Voatz? (https://magazine.cointelegraph.com/2020/02/07/safe-harbor-or-thrown-to-the-sharks-by-voatz/) Cointelegraph: @yaelwrites (https://twitter.com/yaelwrites) returns with new details on Voatz, a blockchain-enabled voting app that’s been used in a handful of states and localities. CNN (https://www.cnn.com/2019/10/01/politics/fbi-hacking-attempt-alleged-mobile-voting-app-voatz/index.html) wrote last year about a security researcher who was referred to the FBI after he found an out-of-scope vulnerability in Voatz’s system. But @yaelwrites (https://twitter.com/yaelwrites) goes further in examining the case, and found the referral was more about firing “warning shots” to deter others from researching its closed-off voting system. I dream of a day where security research isn’t matched with a legal threat.
One small fix would curb stingray surveillance (https://www.wired.com/story/stingray-surveillance-cell-tower-pre-authentication/) Wired ($): Clearly it’s been a baller week for Wired. @lilyhnewman (https://twitter.com/lilyhnewman) looks at stingray surveillance — where police using specialist technology can use cellular downgrade attacks to track your location and in some cases listen to your calls and read your messages. Turns out there’s a simple fix to prevent this police snooping attack by adding a few extra bytes to the connection between the cell tower and the device. But surprise — the cell carriers don’t like it because those extra bytes add up and cost them money. Classic. You can also read @rival_elf’s tweet thread here (https://twitter.com/rival_elf/status/1224806567788384256). ~ ~
** SUPPORT THIS NEWSLETTER
Thanks to everyone who reads and supports this newsletter! Subscribers are going up, as are the monthly costs. Please spare $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051)) to help maintain the upkeep of this newsletter. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here! ~ ~
** OTHER NEWSY NUGGETS
Critical remote execution flaw found in WhatsApp (https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/) These findings were pretty breathtaking. The RCE found is particularly interesting, allowing remote access to a computer’s files by sending a crafted message to a user on WhatsApp Desktop. Ars Technica (https://arstechnica.com/information-technology/2020/02/flaws-in-whatsapps-desktop-app-allowed-remote-access-to-files/) has a tl;dr read. Facebook, which owns WhatsApp, has fixed the bugs.
Microsoft Teams went down due to an expired certificate (https://twitter.com/MSFT365Status/status/1224351597624537088) “Whoops” is an understatement. @GossiTheDog (https://twitter.com/GossiTheDog/status/1224378198181498880) first spotted the cause, and was later confirmed (https://twitter.com/MSFT365Status/status/1224351597624537088) by Microsoft. The outage only lasted a few hours but it was nevertheless an embarrassing (and very public) fustercluck.
CISA has helped to improve federal cybersecurity, but improvements needed (https://www.gao.gov/products/GAO-20-133) CISA, the Homeland Security cybersecurity division, has “been effective in strengthening federal cybersecurity” by issuing security advisories and directives, according to GAO, the government watchdog. But it also found agencies didn’t always comply with the directives. That said, CISA didn’t always check to see if the agencies were complying either. Another report this week found that CISA still hasn’t released (https://twitter.com/ericgeller/status/1225509468646957056/photo/1) its election security plan, which is causing the watchdog considerable concern.
Iran-linked hackers posed as journalists in email scam (https://www.reuters.com/article/us-iran-hackers-exclusive-idUSKBN1ZZ1MS) Several emails sent using the names of real-life CNN and Wall Street Journal reporters tried to ensnare a number of would-be victims in an effort to hack into their email accounts. The attempt was traced back (https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/) to Charming Kitten, an Iranian-backed hacker group. Iran called the claims a “disinformation” effort against the country. Uh-huh. ~ ~
** THE HAPPY CORNER
This week, we saw HTTPS rise to over 90% of all Firefox-requested webpages (https://twitter.com/troyhunt/status/1225879803598790657) in the U.S. That’s a huge milestone from just five years ago, when it was half that. We can basically thank @letsencrypt (https://twitter.com/letsencrypt) for that. You can see the stats here (https://letsencrypt.org/stats/). And @laparisa (https://twitter.com/laparisa) found a road crossing button that was offering some good security advice (https://twitter.com/laparisa/status/1226305702769020928). Assuming, that is, it knows something we don’t… If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercat is Smokey, who loves his human but only lets him have the far left corner of the mouse pad. Classic! A big thanks to her human @ITGuySoCal (https://twitter.com/ITGuySoCal) for the submission! Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). ~ ~
** SUGGESTION BOX
And we’re done for this week. What a busy one. Thanks for reading and subscribing. If you can, feel free to drop a dollar in the newsletter’s Patreon (https://www.patreon.com/thisweekinsecurity). And as always, if you have feedback please drop me a note in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Have a great week — see you next Sunday.