~this week in security~

January 12, 2020

this week in security — january 12 edition


~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)

volume 3, issue 2


~ ~

** THIS WEEK, TL;DR

Travelex held ransom to hackers (https://www.bbc.com/news/business-51017852) BBC News: Travelex, the foreign currency exchange company, finally admitted it was hit by ransomware — as was widely believed but not confirmed until this week. Sodinokibi (REvil) is to blame, according to the BBC. The ransomware group is demanding $6m in payment to release the data. Some 5GB of data, including personal information and credit card data, is said to be in the ransomware group’s possession. Travelex said last week it had informed the U.K. data regulator, the ICO, but now the ICO says it wasn’t informed. Good luck with that massive GDPR fine… More: Computer Weekly (https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack) | @joetidy (https://twitter.com/joetidy/status/1214638806378434567)

Free Android phones are installed with unremovable Chinese malware (https://www.forbes.com/sites/thomasbrewster/2020/01/09/us-funds-free-android-phones-for-the-poor—but-with-permanent-chinese-malware/) Forbes: A horror story for the modern ages: a U.S. government-funded scheme to get free Android phones (and calls and data) into the hands of low-income households sounds good on the face of it, but the phones come with unremovable Chinese malware, according to researchers. The backdoor allows the device to accept malicious code or updates without any user consent. Remove the feature, and you brick the phone. The phone companies that support the scheme deny that it’s malware. (Because of course they did.) More: MalwareBytes (https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/) | @iblametom (https://twitter.com/iblametom/status/1215353607241027585)

Google reinstates ToTok, said to be a UAE surveillance app (https://www.vice.com/en_us/article/dyg8qv/google-reinstates-reported-uae-surveillance-app-totok) Motherboard: ToTok, said to be a spying app for the UAE, has been allowed back into Google Play, despite intelligence officials and security researchers saying it’s used for surveillance. The logic was — allegedly — that the app itself isn’t the problem; it’s what the UAE government is doing with the data that’s the issue. Google still has a lot (https://twitter.com/Bing_Chris/status/1214277599691714565) of explaining to do, but won’t say on the record why it reinstated the app. Apple, for its part, hasn’t let the app back into its app store. More: @KimZetter tweets (https://twitter.com/KimZetter/status/1214209558496731140) | Background: New York Times ($) (https://www.nytimes.com/2019/12/22/us/politics/totok-app-uae.html)

Firefox gets patch for critical 0-day that’s being actively exploited (https://arstechnica.com/information-technology/2020/01/firefox-gets-patch-for-critical-zeroday-thats-being-actively-exploited/) Ars Technica: Update your Firefox, folks. Firefox 72 has now been updated to 72.0.1 to fix a bug in the JavaScript JIT compiler, which the browser maker Mozilla said was under active exploitation by hackers. No word on who the attackers or targets are, but users should update immediately. More: Mozilla (https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/) | CISA (https://www.us-cert.gov/ncas/current-activity/2020/01/08/mozilla-patches-critical-vulnerability) | TechCrunch (https://techcrunch.com/2020/01/10/firefox-security-bug-zero-day/)

Citrix bug code published as attacks intensify (https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/) ZDNet: After a group of hackers dropped the Citrix ADC exploit on GitHub, the cat’s now out of the bag. @TrustedSec (https://twitter.com/TrustedSec/status/1215790049859710982) released a proof-of-concept tool for the bug, which we covered two weeks ago (https://us18.campaign-archive.com/?u=e1ad6038c994abec17dafb116&id=45b4d1b1d8) and which can allow hackers to break into enterprise networks without credentials. Patches are several weeks away, Citrix said (https://twitter.com/GossiTheDog/status/1216104846455189505) . It seems fitting that the bug has been dubbed Shitrix (https://twitter.com/GossiTheDog/status/1215803779536293888) . More: TrustedSec/GitHub (https://github.com/trustedsec/cve-2019-19781) | @RGB_Lights (https://twitter.com/RGB_Lights/status/1215526650605121537) ~ ~

** THE STUFF YOU MIGHT’VE MISSED

A new SHA-1 exploit puts hashing at greater risk (https://arstechnica.com/information-technology/2020/01/pgp-keys-software-security-and-much-more-threatened-by-new-sha1-exploit/) Ars Technica: @dangoodin001 (https://twitter.com/dangoodin001) reports on a new exploit that makes it easier to cause “collisions,” giving attackers more flexibility and new options to impersonate a particular target. SHA-1, a hashing algorithm, has been “dead” for three years, since the first collision was demonstrated, but many still rely on it — even though stronger alternatives exist. Goodin also has a good tweet thread (https://twitter.com/dangoodin001/status/1214569749448802309?s=21) on the story.

A billion medical images left exposed, despite warnings to doctor’s offices (https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/) TechCrunch: A billion medical images containing health information on millions of patients are floating around the internet for anyone to access, despite warnings by security researchers to hospitals and doctor’s offices. “It seems to get worse every day,” said Dirk Schrader, who’s monitored the flow of exposed data. The Mighty (https://themighty.com/2020/01/unsecured-medical-image-data-threat-to-patients) looked at the effect on patients. Most have no idea that their data is out there. (Disclosure: I wrote this story.)

Is SMS 2FA secure? Researchers say no (https://www.issms2fasecure.com/) Princeton University: We all know SMS two-factor isn’t as secure as app-based two-factor (though it’s still better than nothing). Now researchers at Princeton University say the big five prepaid cell carriers use insecure authentication, which can easily be subverted by attackers. That makes SIM-swapping attacks far easier, the researchers said. Only T-Mobile modified its practices to reduce the risk to customers. One of the researchers, @random_walker (https://twitter.com/random_walker/status/1215689116253290501) , has a great tweet thread on the research. It comes in the same week that SIM swappers have been caught (https://www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh) exploiting the Remote Desktop Protocol (RDP) to directly break into the cell carriers’ systems.

Ring employees fired for watching customer videos (https://www.vice.com/en_us/article/y3mdvk/ring-fired-employees-abusing-video-data) Motherboard: Amazon has fired four Ring employees for inappropriately accessing customer camera videos, the company confirmed, saying it was “aware of incidents” where employees violated customer policies. Amazon also said late Friday (https://finance.yahoo.com/news/amazon-said-fired-employees-leaked-235540098.html) that an unknown number of customers had their email address and phone numbers exposed by several employees — but just as the last time (https://techcrunch.com/2018/11/21/amazon-admits-it-exposed-customer-email-addresses-doubles-down-on-secrecy/) it happened, Amazon said very little about the incident, leaving customers without even the most basic of answers. ~ ~

** SUPPORT THIS NEWSLETTER

Thank you for reading and supporting this newsletter. As subscribers and costs go up, please consider supporting this newsletter by contributing to its Patreon (https://www.patreon.com/thisweekinsecurity) . Donate from $1/month — or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) . ~ ~

** OTHER NEWSY NUGGETS

ACLU loses New Hampshire case against learning of secret police equipment (https://www.concordmonitor.com/City-of-Concord-ACLU-going-to-court-over-police-equipment-27688396) Lawyers at the ACLU lost a case to learn what police in New Hampshire spent $5,100 on “covert communications equipment.” City officials said it was off-limits because of a non-disclosure agreement. It’s baffling to think that a police department, funded by taxpayers, can hide what it spends on equipment.

FBI asks Apple for help unlocking phones of suspected Pensacola gunman (https://www.nbcnews.com/news/us-news/fbi-seeks-apple-s-help-unlocking-phones-suspected-pensacola-naval-n1111636) FBI agents have asked Apple to help unlock phones belonging to a Saudi airman suspected of killing three people at a naval air station in Florida. The letter was sent to Apple’s general counsel. But don’t be too surprised — this has happened before, and doesn’t necessarily signal another “crypto war” like we saw (https://www.zdnet.com/article/texas-shooter-fbi-cannot-access-texas-gunman-iphone/) with Apple v. FBI a few years back following the San Bernardino shooting. Apple regularly helps out law enforcement, but it draws the line at backdooring its own phones. Nevertheless, it’s a story that has some (unsurprisingly) on edge.

A Facebook bug exposed anonymous admins of pages (https://www.wired.com/story/facebook-bug-page-admins-edit-history-doxxing/) Normally you can’t see the names of those who administer pages on Facebook, but a bug exposed page owners, Facebook confirmed. Wired said it’s not something most people would’ve noticed, but it’s an embarrassing bug that once again raises the question of whether Facebook can properly look after user data. ~ ~

** THE HAPPY CORNER

@RayRedacted (https://twitter.com/RayRedacted) has an ad-free infosec-focused Twitter feed that anyone can access — 100.RayRedacted.com (http://100.rayredacted.com/) . It’s packed full of infosec news, tweets, opinions and other cybersecurity chatter. A great resource for anyone who wants to cut through the clutter.

And, in case you missed it, it was CES this week. And someone did the right and responsible thing by sneaking in a chunky Idaho spud with an antenna to make a “scathing point” about the futility of smart gadgets. Behold, the world’s most advanced smart potato. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~

** THIS WEEK’S CYBER CAT

This week’s cyber cat is Galileo, whose favorite activity is blocking their human’s monitor at the worst possible time. A big thanks to @jernej__s (http://twitter.com/@jernej__s) for the submission! Your cybercats are always welcome — please send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~

** SUGGESTION BOX

Thanks for reading this week. As always, if you have any feedback please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a great week, and I’ll see you again next Sunday.


