this week in security — january 17 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 3
~ ~
** THIS WEEK, TL;DR
Every deleted Parler post, many with users’ location data, has been archived (https://gizmodo.com/every-deleted-parler-post-many-with-users-location-dat-1846032466) Gizmodo, Wired ($): After the Capitol riot that left five dead, one hacker turned internet archivist (https://twitter.com/donk_enby/status/1348294151712944128) began an effort to download every post made on Parler on the day of the attack, Gizmodo (https://gizmodo.com/every-deleted-parler-post-many-with-users-location-dat-1846032466) reports. Parler was one of several platforms (including Facebook, despite an attempted denial (https://twitter.com/RMac18/status/1348753545516908545) ) used by the far-right extremists who stormed the Capitol building on January 6. The archivist exploited an “absurdly basic bug” in Parler’s platform to pull reams of data, per Wired ($) (https://www.wired.com/story/parler-hack-data-public-posts-images-video/) ; much of it still carried location metadata that could show just how far the rioters got into the Capitol. In an analysis of the data, Gizmodo also found Parler users at police stations and U.S. military bases. The FBI has previously raised concerns (https://theintercept.com/2017/01/31/the-fbi-has-quietly-investigated-white-supremacist-infiltration-of-law-enforcement/) about law enforcement officers adopting radical views and being recruited to grant access to secured buildings and high-value targets. 
More: Gizmodo (https://gizmodo.com/leaked-parler-data-points-to-users-at-police-stations-1846059897) | The Intercept (https://theintercept.com/2017/01/31/the-fbi-has-quietly-investigated-white-supremacist-infiltration-of-law-enforcement/) | @kcimc (https://twitter.com/kcimc/status/1348815246039805953)
Larger CyberBunker investigation yields shutdown of DarkMarket (https://www.cyberscoop.com/darkmarket-shut-down-cyberbunker-case-germany/) Cyberscoop: DarkMarket, the “world’s largest illegal dark web marketplace,” has been seized and shut down, Europol announced this week. The marketplace traded largely in drugs, counterfeit money, hacked goods, and malware, and had close to half a million users and over 320,000 transactions. It turns out the marketplace was hosted by CyberBunker (https://www.newyorker.com/magazine/2020/08/03/the-cold-war-bunker-that-became-home-to-a-dark-web-empire) , the notorious underground (literally) bunker full of servers that has at various points hosted WikiLeaks and The Pirate Bay. Europol said the seized servers will “give investigators new leads to further investigate moderators, sellers and buyers.” More: Europol (https://www.europol.europa.eu/newsroom/news/darkmarket-worlds-largest-illegal-dark-web-marketplace-taken-down) | Background: The New Yorker ($) (https://www.newyorker.com/magazine/2020/08/03/the-cold-war-bunker-that-became-home-to-a-dark-web-empire)
Hackers steal Mimecast certificate used to connect customers to Microsoft 365 (https://arstechnica.com/information-technology/2021/01/mimecast-says-hackers-stole-a-certificate-and-used-it-to-target-its-customers/) Ars Technica: Email security provider Mimecast said hackers compromised one of its digital certificates, the one its products use to authenticate to the Microsoft 365 accounts of about 10 percent of its customers, or about 36,100 in total. Anyone holding that certificate could connect to a customer’s tenant as Mimecast does, but the company says only a low single-digit number of customers were actually targeted with it. Mimecast, which says the certificate has been revoked and the issue remediated, said it found out from Microsoft, which has played a major part in uncovering the SolarWinds breach, though it’s not known if the two incidents are related. More: ZDNet (https://www.zdnet.com/article/mimecast-says-hackers-abused-one-of-its-certificates-to-access-microsoft-accounts/) | Mimecast (https://www.mimecast.com/blog/important-update-from-mimecast/)
CISA chief: More federal victims of SolarWinds hacking likely to come forward (https://www.cyberscoop.com/solarwinds-cisa-brandon-wales-russia/) Cyberscoop: Speaking of SolarWinds… CISA’s new acting chief Brandon Wales, who replaced Chris Krebs, said he expects the number of federal agencies confirmed breached to rise as the SolarWinds investigation goes on. So far, fewer than 10 federal agencies have been confirmed compromised by hackers that U.S. authorities say are “likely Russian” (https://techcrunch.com/2021/01/05/fbi-nsa-says-hacks-on-us-federal-agencies-likely-russian-in-origin/) in origin. “That being said, we do believe that the number will remain extremely small because of the highly targeted nature of this campaign. And that is going to be true for both government and private-sector entities compromised,” said Wales. CISA, which oversees cybersecurity for civilian federal networks, said it needs additional resources to prevent a breach like this in the future. More: Bloomberg ($) (https://www.bloomberg.com/news/articles/2021-01-13/solarwinds-hack-followed-years-of-warnings-of-weak-cybersecurity) | @snlyngaas (https://twitter.com/snlyngaas/status/1348689583488299008)
Leaked location data shows another Muslim prayer app tracking users (https://www.vice.com/en/article/xgz4n3/muslim-app-location-data-salaat-first) Motherboard: Yet another (https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x) Muslim prayer app, Salaat First, was recording and selling granular location data on its users to a data broker, which then sold that data on to its own customers. The app (and the associated location data) could be used to track which Muslims pray, where, and at what time of day. To call this a huge breach of privacy doesn’t even come close to cutting it: the company collecting the data, a French firm called Predicio, has been linked to a supply chain that’s sold data to the U.S. government, including ICE and CBP. More: @josephfcox (https://twitter.com/josephfcox/status/1348647979045982208)
EMA warns over doctored COVID-19 vaccine data hacked and leaked online (https://techcrunch.com/2021/01/15/ema-warns-over-doctored-covid-19-vaccine-data-hacked-and-leaked-online/) TechCrunch: The European Medicines Agency said that vaccine-related information stolen in a hack in December was deliberately doctored before being released. The agency, which evaluates and approves vaccines for the EU, said the data includes correspondence that was manipulated prior to publication “in a way which could undermine trust in vaccines,” @riptari (https://twitter.com/riptari) reports. No attribution was made, but the pattern is a familiar one: hackers carrying out “hack and leak” operations with altered information. In 2017, Russia’s Fancy Bear was blamed (https://www.bbc.com/news/blogs-trending-39845105) for publishing and manipulating emails stolen from Emmanuel Macron’s presidential campaign. More: Ars Technica (https://arstechnica.com/information-technology/2021/01/hackers-alter-stolen-regulatory-data-to-sow-mistrust-in-covid-19-vaccine/) | @lukOlejnik (https://twitter.com/lukOlejnik/status/1350091322988888065) ~ ~
** SUPPORT THIS NEWSLETTER
A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps to cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
WhatsApp to delay privacy policy change after backlash (https://www.reuters.com/article/us-facebook-whatsapp/whatsapp-to-delay-launch-of-update-business-features-after-privacy-backlash-idUSKBN29K2H8) Reuters: Well that was a mess. After Facebook flubbed its messaging on how it plans to change WhatsApp’s privacy policy, the social media giant backed down, for now. WhatsApp users were alerted with a popup this month saying the app reserved the right to share some user data with Facebook, which owns WhatsApp. The update “does not expand our ability to share data with Facebook,” per a statement. That’s largely true, because Wired ($) (https://www.wired.com/story/whatsapp-facebook-data-share-notification/) previously noted that WhatsApp had already been sharing your data with Facebook for years unless you opted out some time in 2016 (you no longer can). No wonder so many are confused and are flocking to Signal, some 40 million people by the looks (https://twitter.com/signalapp/status/1349577579091566592) of it.
Biden to restore White House cybersecurity role (https://www.nytimes.com/2021/01/13/us/politics/biden-homeland-security-cybersecurity.html) The New York Times ($): Anne Neuberger, who for the past year headed NSA’s Cybersecurity Directorate, will soon serve as the new cybersecurity chief on the National Security Council under the Biden-Harris administration, heading the government’s cybersecurity efforts and likely leading the response to the SolarWinds breach. @natashabertrand (https://twitter.com/natashabertrand) first broke the news (https://www.politico.com/news/2021/01/06/biden-white-house-cybersecurity-neuberger-455508) last week, but it was only confirmed (https://buildbackbetter.gov/press-releases/president-elect-joe-biden-and-vice-president-elect-kamala-harris-announce-additional-members-of-the-national-security-council-2/) on Wednesday. 
Neuberger previously ran the Russia Small Group at the NSA, which carried out a preemptive operation to disrupt Russian election interference during the 2018 midterms. Meanwhile, Rob Joyce will return (https://www.cyberscoop.com/rob-joyce-nsa-cybersecurity-director-neuberger/) from the U.K. and replace Neuberger as NSA’s cybersecurity director.
Amazon’s Ring Neighbors app exposed users’ precise locations and home addresses (https://techcrunch.com/2021/01/14/ring-neighbors-exposed-locations-addresses/) TechCrunch: Amazon-owned Ring fixed a security bug that allowed any user to siphon off other Ring users’ precise locations and home addresses directly from Ring’s servers, thanks to a leaky and easily enumerable API. The app was pulling in people’s real-world locations from the server even though it never displayed that data on screen, so anyone who could walk the API’s post identifiers could collect it. Gizmodo (https://gizmodo.com/ring-s-hidden-data-let-us-map-amazons-sprawling-home-su-1840312279) found a similar (if not the same) bug last year. Ring didn’t fix it then; it just made the leaking data harder to spot. (Disclosure: I wrote this story.)
Apple removes feature that allowed its apps to bypass macOS firewalls and VPNs (https://www.zdnet.com/article/apple-removes-feature-that-allowed-its-apps-to-bypass-macos-firewalls-and-vpns/) ZDNet: Good news! Apple has removed, in the macOS 11.2 beta, a controversial feature from macOS Big Sur that allowed dozens of Apple’s own apps to bypass third-party firewalls and VPN apps installed by users. That meant apps like App Store, Maps, and iCloud were communicating directly with Apple’s servers, while security tools couldn’t filter or inspect the traffic. @patrickwardle (https://twitter.com/patrickwardle/status/1349488392732491776) , who discovered the issue to begin with, explained more.
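The Ring Neighbors item (and the Parler scrape above it) share one shape: a server that hands out full records, including fields the client never shows, under identifiers anyone can walk. The following is an added illustration of that pattern beside a hardened version; it is not Ring’s, Parler’s, or anyone else’s real code, and the endpoint names, user records and coordinates are all constructed for the example.

```python
"""Enumerable IDs plus over-fetching: the vulnerable shape and a hardened one.
Added illustration only; records, names and coordinates are made up."""
import secrets
from typing import Optional

# Constructed backend tables. Posts carry the author's precise location even
# though the client only ever draws a neighbourhood-level pin on the map.
USERS = {
    1: {"id": 1, "name": "alice", "home_address": "1 Example St"},
    2: {"id": 2, "name": "bob", "home_address": "2 Example Ave"},
}
POSTS = {
    1001: {"id": 1001, "author": 1, "text": "Package taken from porch",
           "lat": 37.421987, "lon": -122.084012},
    1002: {"id": 1002, "author": 2, "text": "Suspicious car on street",
           "lat": 37.425431, "lon": -122.090117},
}


# --- Vulnerable pattern ------------------------------------------------------
def get_post_vulnerable(post_id: int) -> Optional[dict]:
    """Sequential integer ID, no authorization, whole record returned,
    including the author's address and precise coordinates that the UI hides."""
    post = POSTS.get(post_id)
    if post is None:
        return None
    return {**post, "author_address": USERS[post["author"]]["home_address"]}


def scrape_vulnerable(start: int, stop: int) -> list:
    """What an attacker does against it: walk the ID space and keep the hits."""
    hits = []
    for pid in range(start, stop):
        post = get_post_vulnerable(pid)
        if post is not None:
            hits.append((pid, post["lat"], post["lon"], post["author_address"]))
    return hits


# --- Hardened pattern --------------------------------------------------------
# 1. Opaque, unguessable public identifiers instead of the database row ID.
PUBLIC_IDS = {secrets.token_urlsafe(16): pid for pid in POSTS}   # token -> row id
INTERNAL_IDS = {pid: tok for tok, pid in PUBLIC_IDS.items()}     # row id -> token


def coarsen(lat: float, lon: float, decimals: int = 2) -> tuple:
    """Round to roughly 1 km so the server only sends what the map draws."""
    return round(lat, decimals), round(lon, decimals)


def get_post_hardened(requester: int, public_id: str) -> Optional[dict]:
    """Look up by opaque token. The author gets their own full record; anyone
    else gets a response trimmed to the fields the client actually displays."""
    pid = PUBLIC_IDS.get(public_id)
    if pid is None:
        return None
    post = POSTS[pid]
    if requester == post["author"]:
        return dict(post)                   # owner may see their own precise data
    lat, lon = coarsen(post["lat"], post["lon"])
    return {"id": public_id, "text": post["text"], "lat": lat, "lon": lon}


def scrape_hardened(start: int, stop: int) -> list:
    """The same integer walk against the hardened endpoint yields nothing."""
    hits = []
    for pid in range(start, stop):
        post = get_post_hardened(requester=999, public_id=str(pid))
        if post is not None:
            hits.append(post)
    return hits


if __name__ == "__main__":
    print("vulnerable scrape:", scrape_vulnerable(1000, 1010))
    print("hardened scrape  :", scrape_hardened(1000, 1010))
    print("neighbour's view :", get_post_hardened(2, INTERNAL_IDS[1001]))
```

The unguessable identifier only raises the cost of enumeration; the fix that actually matters is the trimmed response, because a client that never receives the address or precise coordinates cannot leak them, no matter how the data is obfuscated on screen.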
A profile of Jason A. Donenfeld, who develops the WireGuard VPN protocol (https://www.businessinsider.com/wireguard-jason-a-donenfeld-profile-secure-vpn-linux-mac-windows-2021-1) Business Insider ($): @yaelwrites (https://twitter.com/yaelwrites/status/1350448360054951937) is back with her latest, a profile on WireGuard VPN creator @zx2c4 (https://twitter.com/zx2c4) . WireGuard is an open-source VPN protocol that’s been lauded for its security, largely thanks to its small, auditable codebase and modern cryptography. The profile looks at the creator’s life and why WireGuard is praised by security folks across the globe. ~ ~
** OTHER NEWSY NUGGETS
Hacker locks internet-connected chastity cage, demands ransom (https://www.vice.com/en/article/m7apnn/your-cock-is-mine-now-hacker-locks-internet-connected-chastity-cage-demands-ransom) A few months ago I wrote (https://techcrunch.com/2020/10/06/qiui-smart-chastity-sex-toy-security-flaw/) about a buggy internet-connected chastity cage that left users at risk of permanent lock-in. The remotely exploitable bug was mostly fixed. Now one victim says his device was hacked (he wasn’t wearing it at the time, thankfully), and whoever remotely locked the device demanded a ransom of about $750 to release it.
Capcom confirms at least 16,000 people affected by November data breach (https://arstechnica.com/gaming/2021/01/capcom-confirms-at-least-16000-people-affected-by-nov-data-breach/) Games maker Capcom said in November that 350,000 people may have had their data exposed by ransomware on its systems. Now it says that number has gone up to 390,000, including 16,000 whose information was confirmed compromised. Most of those victims are Capcom business partners and current and former employees.
Period-tracking app Flo slapped by FTC for sharing user data (https://techcrunch.com/2021/01/13/flo-gets-ftc-slap-for-sharing-user-data-when-it-promised-privacy/) Flo, a period and fertility tracker with over 100 million users, has settled with the FTC after the agency accused the startup of sharing its users’ health data with third-party companies, including analytics and marketing firms, when it promised privacy. The slapdown came after a 2019 investigation by the Wall Street Journal ($) (https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636) revealed that some of these health apps were sharing data with others. Under the settlement, Flo must obtain an independent review of its privacy practices and get app users’ permission before sharing their health data with others.
How law enforcement gets around your smartphone’s encryption (https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/) We touched on this a few weeks ago, when it sparked a really good thread by @matthew_d_green (https://twitter.com/matthew_d_green/status/1341746171220537344) . Now the final report is out, and @lilyhnewman (https://twitter.com/lilyhnewman) breaks it down well. In the end, you’ll wonder why governments are calling for encryption backdoors to begin with. ~ ~
** THE HAPPY CORNER
Turns out the kids are alright, as evidenced this week.
First up, a 12-year-old helped to get at least 10,000 users (https://www.vice.com/en/article/n7vq4k/thousands-of-users-unknowingly-joined-signal-because-of-12-year-olds-app) signed up to Signal after cloning the open-source encrypted messaging app. These clones happen a lot: some are modified simply to change the font, but others are packed with trackers and ads to make money. In this case, the 12-year-old just wanted to build an app. The newly created app is basically just Signal with a “different coat of paint.” Adding 10,000 users to Signal might seem like a drop in the ocean next to the 50 million+ now using the app, but it’s 10,000 users who otherwise might not be using an encrypted messaging app at all.
Meanwhile, if you’re wondering how to make Signal more secure and private, follow (https://www.zdnet.com/article/switching-to-signal-turn-on-these-settings-now-for-greater-privacy-and-security/) this ZDNet guide. Don’t forget to enable disappearing messages!
And, also this week, two kids found a bug that made it possible to bypass the screen lock (https://www.zdnet.com/article/linux-mint-fixes-screensaver-bypass-discovered-by-two-kids/) on Linux Mint desktops. The bug was reported through GitHub (https://github.com/linuxmint/cinnamon-screensaver/issues/354) , where it was tracked down to the on-screen keyboard component that ships with Cinnamon, the desktop environment used by Linux Mint. All it took was pressing the “ē” key on the on-screen keyboard to unlock the screen. Incredible. Those kids beat whatever I did this week, that’s for sure. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CAT & FRIENDS
Meet this week’s cyber cat, Ellie, who’s keeping an eye out for ~~mice~~ hackers. A big thanks to Ellie’s human, @Recurzion, for the submission! Please keep sending in your cyber cats (and friends)! The more the merrier. Yes, you can also now send in your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition) too. Send them in here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) ! ~ ~
** SUGGESTION BOX
That’s it for this week. As usual, you can always drop your feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Don’t forget to send in your cyber animals! Have a great week, and see you next Sunday.
~this week in security~ does not track email opens or link clicks.