this week in security — january 13 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 2.
** THIS WEEK, TL;DR
I Gave a Bounty Hunter $300, Then He Located Our Phone (https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile) Motherboard: By far one of the biggest stories of the week. T-Mobile, Sprint, and AT&T were caught selling access to our real-time phone location data — again. The story was particularly bad for T-Mobile, which @josephfcox (https://twitter.com/josephfcox) used in his story to ask a bounty hunter to track his phone down, despite a promise by CEO John Legere a year ago (https://twitter.com/JohnLegere/status/1009168217586061313?) to stop selling data to “shady middlemen.” After the companies were caught again, amid calls for an FCC (https://twitter.com/JRosenworcel/status/1082712600390127616) and congressional investigations (https://twitter.com/RonWyden/status/1083879039260155905) , Legere later tweeted (https://twitter.com/JohnLegere/status/1082824623740248065) that T-Mobile would stop “in March.” More: Motherboard (https://motherboard.vice.com/en_us/article/d3bnyv/google-demanded-tmobile-sprint-to-not-sell-google-fi-customers-location-data) | @josephfcox tweet thread (https://twitter.com/josephfcox/status/1082685714066796544) | @RonWyden tweet thread (https://twitter.com/ronwyden/status/1082691560477810688)
Kaspersky Gave Up NSA Hacker And Accused Leaker Hal Martin To The Feds (https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131) Politico: Another major story this week was from @kimzetter (http://twitter.com/kimzetter) reporting a surprising twist: after a year of hostilities towards Kaspersky for allegedly working for the Kremlin, it was the Russian antivirus and security firm that shopped Hal Martin, a former NSA hacker (https://www.zdnet.com/article/contractor-allegedly-steals-50-terabytes-of-nsa-data/) , to the feds. Martin was allegedly trying to make contact with the company, after removing thousands of classified documents and materials — including some of the agency’s most powerful hacking tools — from NSA headquarters. Half an hour after Martin reached out to Kaspersky in a Twitter message, the Shadow Brokers started to dump the leaked tools publicly online (https://motherboard.vice.com/en_us/article/ezpa9p/hackers-hack-nsa-linked-equation-group) . Background: Politico (https://www.politico.com/story/2018/12/31/nsa-hacking-case-twitter-1077013)
Australia’s Emergency Text and Email Service Was Hacked (https://www.abc.net.au/news/2019-01-07/emergency-text-service-hacked-warning-about-personal-data-sent/10688748) ABC: The Australian “early warning network” was hacked, allowing a believed-to-be white-hat hacker to send out thousands of text messages to unsuspecting citizens, in what appears to be an attempt to get the issue fixed. Now imagine if that happened in the U.S. Not quite the same, but one year ago this week was the infamous Hawaii missile alert (https://www.bbc.com/news/world-us-canada-42677604) . More: Early Warning Network (https://www.facebook.com/early.warning.network/posts/1988465077927790) | Archive: BBC News (https://www.bbc.com/news/world-us-canada-42677604)
DNS Hijacking Wave Is Targeting Companies On A Huge Scale (https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/) Ars Technica: A wave of domain hijackings in recent weeks has triggered FireEye’s alarms. According to the newly released research this week (at 11pm at night, by the way), the hackers — believed to be Iranian — are replacing the IP addresses that domain names resolve to with malicious addresses, allowing them to silently collect login credentials from unsuspecting users who see no change to the domain name in their browser. Clever stuff, and terrifyingly effective. More: FireEye (https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html) | Wired ($) (https://www.wired.com/story/iran-dns-hijacking/) | US-CERT (https://www.us-cert.gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign)
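As an added defender-side illustration (this is not code from the article or from FireEye’s report): a small baseline check over constructed dig-style record observations that flags A/AAAA records pointing outside an organisation’s known address ranges and NS delegations that were not expected. The domain names, address ranges and nameserver names are hypothetical.

```python
import ipaddress

# Hypothetical baseline: the address ranges the organisation legitimately uses
# for its public hosts, and the nameservers it has actually delegated to.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
TRUSTED_NS = {"ns1.example.net.", "ns2.example.net."}

# Constructed observations in "name ttl class type rdata" form, as a monitoring
# job might capture them from the authoritative servers on each run.
OBSERVED = """\
www.example.com. 3600 IN A 203.0.113.10
mail.example.com. 3600 IN A 203.0.113.25
vpn.example.com. 300 IN A 198.51.100.77
example.com. 3600 IN NS ns1.example.net.
example.com. 3600 IN NS ns3.not-ours.invalid.
"""


def parse_records(text):
    """Parse zone-style lines into (name, ttl, type, rdata); skip blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name, int(ttl), rtype, rdata))
    return records


def find_suspicious(records, trusted_nets=TRUSTED_NETS, trusted_ns=TRUSTED_NS):
    """Return (name, reason) pairs for records that deviate from the baseline."""
    findings = []
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            # 'in' is False across IP versions, so v4 addresses never match the v6 net
            if not any(addr in net for net in trusted_nets):
                findings.append((name, f"{rtype} record outside trusted ranges: {rdata}"))
        elif rtype == "NS" and rdata not in trusted_ns:
            findings.append((name, f"unexpected nameserver delegation: {rdata}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_suspicious(parse_records(OBSERVED)):
        print(f"ALERT {name}: {reason}")
```

In practice the observations would come from querying the zone’s authoritative servers (and the registrar’s delegation) on a schedule, so that a changed record shows up before users start hitting it.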
Feds Cracked El Chapo’s Encrypted Comms Network by Flipping His Sysadmin (https://www.reuters.com/article/us-usa-mexico-el-chapo/prosecutors-in-el-chapo-trial-play-calls-intercepted-by-fbi-idUSKCN1P2214) Reuters: How do you take down the world’s most prolific drug dealer? Target his systems administrator. That’s exactly what U.S. federal agents did, according to court filings (https://gizmodo.com/the-feds-cracked-el-chapos-encrypted-communications-net-1831595734) . Joaquín ‘El Chapo’ Guzmán had a massive encrypted communications network secured by master keys, which the sysadmin gave to investigators during a network upgrade. That gave authorities “access to roughly 1,500 of Guzmán’s and other cartel members’ calls from April 2011 to January 2012.” The lesson: if you’re going to do illegal stuff, don’t piss off your IT staff. More: Gizmodo (https://gizmodo.com/the-feds-cracked-el-chapos-encrypted-communications-net-1831595734) | New York Times ($) (https://www.nytimes.com/2019/01/08/nyregion/el-chapo-trial.html)
German Police Ask Router Owners To Help Identify A Bomber’s MAC Address (https://www.zdnet.com/article/german-police-ask-router-owners-for-help-in-identifying-a-bombers-mac-address/) ZDNet: Police in Germany are asking people to check their logs for a MAC address associated with a suspected bomber. (In case you were wondering, that MAC address is f8:e0:79:af:57:eb.) Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018, according to ZDNet (https://www.zdnet.com/article/german-police-ask-router-owners-for-help-in-identifying-a-bombers-mac-address/) . If you find it, you should probably contact the police (https://polizei.brandenburg.de/pressemeldung/f8-e0-79-af-57-eb-cyber-fahndung-nach-ma/1310909) . Think of it like participating in an unpaid bug bounty! More: Brandenburg Police [German] (https://polizei.brandenburg.de/pressemeldung/f8-e0-79-af-57-eb-cyber-fahndung-nach-ma/1310909)
Your Old Tweets Give Away More Location Data Than You Think (https://www.wired.com/story/twitter-location-data-gps-privacy/) Wired ($): Open up an incognito window for this one. Researchers say they can “infer detailed information about people’s most sensitive locations” from your Twitter location, even though tweets no longer come with precise geolocation data like they used to. @lilyhnewman (https://twitter.com/lilyhnewman?lang=en) writes: “By analyzing clusters of coordinates, as well as timestamps on the tweets, LPAuditor was able to suss out where tens of thousands of people lived, worked, and spent their private time.” More: Paper [PDF] (https://arxiv.org/pdf/1901.00897.pdf)
Zurich Refuses To Pay Out For NotPetya Ransomware Cleanup Bill (https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/) The Register: Insurance company Zurich refused to pay out a claim related to a NotPetya ransomware attack. Mondelez was hit by ransomware in 2017, losing 1,700 servers and 24,000 laptops as a result. Zurich said it was essentially an “act of war,” given Russia was blamed for the NotPetya outbreak (https://www.theregister.co.uk/2017/07/04/sbu_claims_russia_was_behind_notpetya/) in the first place (which it denies). Bloomberg’s take (https://www.bloomberg.com/opinion/articles/2019-01-11/mondelez-lawsuit-shows-the-dangers-of-attributing-cyberattacks) on it — the attribution to a nation state could harm insurance claims down the line. Act of God, act of War — same thing. Bizarre. Maybe the company should’ve been refused for not patching its damn systems when it had the chance. More: CNBC (https://www.cnbc.com/2017/07/06/cyber-attack-will-cut-3-percent-from-mondelezs-second-quarter-revenue-growth.html) | Bloomberg (https://www.bloomberg.com/opinion/articles/2019-01-11/mondelez-lawsuit-shows-the-dangers-of-attributing-cyberattacks)
** THE STUFF YOU MIGHT’VE MISSED
Apple’s increasingly tricky international trade-offs (https://techcrunch.com/2019/01/06/apples-increasingly-tricky-international-trade-offs/) TechCrunch: An interesting read by @riptari (https://twitter.com/riptari) on how Apple balances its core values — like privacy and free speech — around the world in places where, well, privacy and free speech don’t exist. A highlight from the piece is how Apple uses Google search in iOS by default. CEO Tim Cook admits that the arrangement is not “perfect.”
How To Blow Your Online Cover With URL Previews (https://www.bellingcat.com/resources/how-tos/2019/01/04/how-to-blow-your-online-cover-with-url-previews/) Bellingcat: This week, @jms_dot_py (http://twitter.com/@jms_dot_py) looked at several messaging apps (including some end-to-end encrypted messaging apps) and how they handle message previews. These previews often leak your real-world IP address, which can blow your cover, he writes. A nice bit of deep-dive research here (https://www.bellingcat.com/resources/how-tos/2019/01/04/how-to-blow-your-online-cover-with-url-previews/) covering a range of apps, including Slack, iMessage, and Wire. In the case of WhatsApp, it should probably disable message previews by default (https://techcrunch.com/2017/06/15/should-whatsapp-let-you-disable-url-previews/) to become a truly end-to-end encrypted messenger — but they make it look nice (so that’s probably why). Definitely not new (http://rsmck.co.uk/blog/imessage-preview/) , but fascinating stuff nonetheless.
NSA to release a free reverse engineering tool (https://www.zdnet.com/article/nsa-to-release-a-free-reverse-engineering-tool/) ZDNet: Later this year at RSA, the NSA will release its long-time internal reverse engineering tool — used mostly for malware analysis — to the public. Named GHIDRA, it may have been first spotted a long time ago (https://twitter.com/rsesek/status/1083088995188383749) as part of the Snowden cache of leaked documents.
When Chinese hackers declared war on the rest of us (https://www.technologyreview.com/s/612638/when-chinese-hackers-declared-war-on-the-rest-of-us/#) Bloomberg: This was a good read, looking at some of the cyberattacks by China against Western countries in recent years. Why did China target GitHub? “To remove a specific class of content,” suspected the workers. It was a show of force by Beijing, a “shot across the bow from the architects of the Great Firewall,” that China wouldn’t just try to censor content at home, but also overseas.
** OTHER NEWSY NUGGETS
Google to warn you of data exports: The search giant has switched on another type of admin alert: the “domain data export initiated” warning (https://support.google.com/a/answer/9104585?#domain-data-export) , in case someone breaks into your network and tries to steal all your corporate data. Given the export takes about three days to complete, that should be enough time to have Google pull the plug on the attack.
U.S. government shutdown is hurting cybersecurity: Slate took a look (https://slate.com/technology/2019/01/government-shutdown-cybersecurity-dhs-nist.html) at the state of affairs during the government shutdown. The longer it goes on, the more damage to cybersecurity there’ll be. (I also wrote a piece (https://techcrunch.com/2019/01/09/trump-shutdown-harming-cyber-national-security/) looking at the numbers of affected workers.) @MalwareJake (https://twitter.com/malwarejake) , who used to work for the government, has a huge tweet thread (https://twitter.com/malwarejake/status/1084197394349285376?s=21) warning about the threat to classified information. It’s also worth noting that the security clearances of FBI agents are under threat, because no paychecks mean missed mortgage payments. Not only that, TLS certificates on government websites aren’t getting renewed (https://techcrunch.com/2019/01/11/shutdown-government-websites-https-certificates-expire/) (which @konklone (https://twitter.com/konklone) has a good thread about (https://twitter.com/konklone/status/1084195941815590913?s=21) ), and NASA was unable to comment on a story (https://techcrunch.com/2019/01/11/security-lapse-nasa-project-data-exposed/) because its press relations staff were furloughed.
Yubikeys for iPhones — finally. Some good news: Yubikeys now support iPhones (https://techcrunch.com/2019/01/08/yubico-launches-a-new-nfc-security-key-and-preps-iphone-support/) , thanks to a dual USB-C and Lightning connector. Still small, still effective, and still attachable to your keyring. They’re $27 each. (I met Yubikey CEO Stina Ehrensvard a few weeks ago — she’s incredible to talk to — one of my favorite people in commercial infosec.)
** GOOD PEOPLE DOING GOOD THINGS
If you missed it this week, @doctorow (https://twitter.com/doctorow) flipped off Bird after writing about flipping Bird’s electric scooters (https://boingboing.net/2018/12/08/flipping-a-bird.html) that had long been abandoned and auctioned off by the City of San Francisco. Bird’s chief lawyer sent him a takedown notice. Instead of complying, he published it and responded with a scathing letter (https://www.eff.org/document/happy-mutants-response-bird-takedown-letter-jan-11-2019) from the EFF (where he works). Bird told me that it apologized to Doctorow after its lawyers went overboard. Yeah, and you couldn’t have Googled him first? He’s the worst person to send a phoney takedown notice to. May this be a lesson to pushy companies!
And, Pen Test Partners’ founder @TheKenMunroShow (https://twitter.com/TheKenMunroShow) suggested a new rule for Internet of Things devices. Not only should default passwords be a thing of the past (thanks for passing that law (https://motherboard.vice.com/en_us/article/mbd5m4/california-is-making-it-illegal-for-devices-to-have-shitty-default-passwords) , California!), all device radios should be off by default (https://www.pentestpartners.com/security-blog/iot-off-by-default/) . That means that smart tech — from dishwashers to washing machines — should have their Wi-Fi and Bluetooth radios disabled until they’re explicitly needed, or wanted. That’ll prevent these devices from being abused with default passwords or other kinds of attacks.
** THIS WEEK’S CYBER CAT
This week’s cybercat comes from Charles Humphrey. This little guy is a curious cat, who stares and paws at his human’s screen when he’s on the computer. Look at those eyes! (You may need to enable images in this email.) If you want your cybercat featured in a future newsletter, send along their name, a photo and a description to: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) .
** SUGGESTION BOX
That’s all for now. Thanks for reading — and hope you have a good one. As always, if you have any feedback, feel free to drop it in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you same time next week.