this week in security — january 19 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 3
** THIS WEEK, TL;DR
Barr asks Apple to unlock Pensacola shooter’s phones (https://www.buzzfeednews.com/article/scottlucas/william-barr-apple-request-unlock-iphones) BuzzFeed News: U.S. attorney general William Barr wants Apple to unlock the Pensacola shooter’s iPhones, setting the scene for another round of the cryptowars and a legal showdown. Apple said it has already helped the FBI obtain “gigabytes” of data from the two iPhones — both of which are old enough to be cracked by the tools (https://www.bloomberg.com/news/articles/2020-01-14/the-fbi-can-unlock-florida-terrorist-s-iphones-without-apple?sref=9hGJlFio) that the feds have at their disposal, like Cellebrite and GrayKey devices. But that isn’t stopping the feds from demanding an all-out backdoor. More: New York Times ($) (https://www.nytimes.com/2020/01/13/us/politics/pensacola-shooting-iphones.html) | @patrickmcgee (https://twitter.com/patrickmcgee_/status/1216905316186484738?s=21) | Forbes (https://www.forbes.com/sites/thomasbrewster/2020/01/15/the-fbi-got-data-from-a-locked-iphone-11-pro-max–so-why-is-it-demanding-apple-unlock-older-phones/)
Microsoft issues critical Windows security fix after tipoff from NSA (https://www.reuters.com/article/us-usa-microsoft-cyber/microsoft-issues-critical-windows-security-fix-after-tipoff-from-u-s-nsa-idUSKBN1ZD2C7) Reuters: Microsoft issued a patch for a serious security bug affecting Windows 10 this week, following a tipoff from the NSA. Instead of hoarding the vulnerability (https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html) as it’s done before, the agency disclosed the bug so users can get patched — but not without expecting a fanfare of good press. The bug can be used to spoof signed apps (https://kb.cert.org/vuls/id/849224/) and intercept SSL/TLS connections. Homeland Security told federal agencies to patch (https://cyber.dhs.gov/ed/20-02/) within 10 days to mitigate any fallout on the government side of things. Meanwhile, @saleemrash1d (https://twitter.com/saleemrash1d/status/1217495681230954506) has already built a proof-of-concept. In case you missed it, @kennwhite (https://twitter.com/kennwhite) dubbed the bug “Chain of Fools” and has a deep-dive on why this bug is a big deal (https://blog.lessonslearned.org/chain-of-fools/). You can read the NSA’s full advisory here (https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF) [PDF]. More: BBC News (https://www.bbc.com/news/technology-51106356) | Homeland Security (https://cyber.dhs.gov/ed/20-02/) | Lessons Learned (https://blog.lessonslearned.org/chain-of-fools/)
BlackVue dashcam has a flaw, allowing for tracking drivers (https://www.vice.com/en_us/article/wxedxb/blackvue-dashcams-users-location-tracked) Motherboard: @josephfcox (https://twitter.com/josephfcox) reverse engineered a dashcam app — which you pretty much never hear (https://twitter.com/iblametom/status/1217812143942356992) of a reporter doing — and found it was possible to track its drivers in real-time. “This issue with being able to scrape the real-time location of drivers across the US shows that although app developers may have one use-case/intention for their product, someone else can find a very, very different and often nefarious one,” he tweeted (https://twitter.com/josephfcox/status/1217816186886541312). More: @josephfcox tweets (https://twitter.com/josephfcox/status/1217810473044926465)
Pete Buttigieg’s campaign cybersecurity chief resigns (https://www.wsj.com/articles/pete-buttigiegs-campaign-cybersecurity-chief-resigns-11579109170) Wall Street Journal ($): And then there were zero. Mick Baccio, who ran Buttigieg’s campaign cybersecurity program, left the campaign citing “fundamental differences” in how the campaign managed its infosec. That means there are now no known (https://twitter.com/gregotto/status/1217506589382533121) cybersecurity directors across any of the presidential campaigns, with less than a year before voters go to the polls. More: Cyberscoop (https://www.cyberscoop.com/mick-baccio-ciso-pete-buttigieg-resigned/)
The secretive company that might end privacy as we know it (https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html) New York Times ($): A good read from @kashhill (https://twitter.com/kashhill/) this weekend. A company with access to 3 billion photos, mostly scraped from social media, can match almost any face and track where that person has been. “Someone walking down the street would be immediately identifiable,” she wrote. The company, Clearview AI, is in use by 600 law enforcement agencies and other private companies. One critic said the “weaponization possibilities of this are endless.” More: @kashhill tweets (https://twitter.com/kashhill/status/1218510902556811264?s=21)
Georgia election systems could have been hacked before 2016 vote (https://www.politico.com/news/2020/01/16/georgia-election-systems-could-have-been-hacked-before-2016-vote-100334) Politico: A Georgia election server at the center of an important lawsuit had two separate critical security flaws that officials failed to patch. One of those flaws, Shellshock, was used to breach the system in December 2014, according to new evidence. This once again raises important questions about the integrity of Georgia’s elections, which were among the systems targeted by Russian hackers during 2016. Great reporting by @kimzetter (https://twitter.com/KimZetter/). More: @kimzetter tweets (https://twitter.com/KimZetter/status/1218055746534817792) | Background: Politico (https://www.politico.com/magazine/story/2017/06/14/will-the-georgia-special-election-get-hacked-215255)
** THE STUFF YOU MIGHT’VE MISSED
Boing Boing says it was hacked (https://boingboing.net/2020/01/13/boing-boing-was-hacked.html) Boing Boing: Popular internet blog Boing Boing said it was hacked last week, with an attacker able to log in to the site’s CMS using a set of credentials belonging to a staff member. The hacker installed a widget allowing them to redirect users to malware hosted on a third-party site. Interestingly, the hacker got around the two-factor authentication prompt, reports Cyberscoop. (https://www.cyberscoop.com/boing-boing-breach-2fa-disclosure/)
Grindr, OkCupid are sharing personal data with third parties (https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html) New York Times: Dating apps Grindr and OkCupid may “violate data privacy laws” in Europe and the U.S., according to a report by the Norwegian Consumer Council. The apps are transmitting tracking codes and sensitive personal information, such as age, gender, and sexual orientation, to third parties and advertisers. The discovery prompted Twitter to suspend (https://adage.com/article/digital/twitter-suspends-grindr-its-ad-platform-it-investigates-privacy-concerns/2227116) Grindr from its ad network, MoPub. @natashanyt (https://twitter.com/natashanyt) has a good tweet thread (https://twitter.com/natashanyt/status/1217089288149467139) on the story.
Iowa caucuses will use new smartphone app, despite security fears (https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app) NPR: Two things that seldom mix: technology and elections. But that isn’t stopping Iowa from using a new smartphone app to calculate and transmit the results of the state’s caucuses next month. The process is complicated, but Iowa’s Democrats think the new app will get the results out faster. The party isn’t sharing much information on the app’s security, though, prompting concerns among cybersecurity experts.
Equifax to pay customers $380 million in breach settlement (https://www.cyberscoop.com/equifax-data-breach-settlement/) Cyberscoop: After the Equifax hack in 2017 that led to the theft of 147 million Americans’ data, the credit agency has finally settled with a court on a $380.5 million deal for affected customers. Yes, that amounts to about $2 each, though some will get up to $125 in cash. The deadline for a share of the settlement (https://www.equifaxbreachsettlement.com/) ends January 22. Even though it’s a pain in the ass, you should absolutely take advantage of this — your data, your rights, your money.
China isn’t the only problem with 5G (https://foreignpolicy.com/2020/01/10/5g-china-backdoor-security-problems-united-states-surveillance/) Foreign Policy: Bruce Schneier drops some truth bombs on the 5G brigade: 5G has a bunch of security flaws (which we know), but Schneier argues keeping companies like Huawei out of Western infrastructure won’t be a magic fix. Yes, there are improvements in 5G over 4G, but there’s still a long way to go. It’s an interesting short-ish read that really gives much-needed context and balance.
** SUPPORT THIS NEWSLETTER
A big thank you to everyone who reads and supports this newsletter. As subscribers and costs go up, please consider supporting this newsletter by contributing to its Patreon (https://www.patreon.com/thisweekinsecurity). Donate from $1/month — or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051).
** OTHER NEWSY NUGGETS
Apple’s privacy features have rattled the location-based ad market (https://digiday.com/marketing/apples-new-privacy-features-rattle-location-based-ad-market/) iOS 13 has a bunch of new features, like reminding users when apps are sucking up a user’s location. And it’s precisely these kinds of features that are said to be helping to reduce the amount of location data being shared by apps. There’s just one word for this: good.
Want your personal data? Hand over more please (https://www.nytimes.com/2020/01/15/technology/data-privacy-law-access.html) Another @kashhill (https://twitter.com/kashhill) story: in order to comply with California’s new privacy law, which gives consumers the right to access their own data, some companies are rushing to build data-access portals that require users to turn over more of their own data to get access to what a company already has on them. One company wants users to send in a selfie to verify who they are. “This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” said one user.
FBI arrests data brokers behind WeLeakInfo, domain seized (https://arstechnica.com/information-technology/2020/01/fbi-partners-sieze-breach-data-marketplace-alleged-operators-arrested/) A data broker with over 12 billion usernames and passwords from more than 10,000 breaches has been seized by the feds. The Justice Dept. announced (https://arstechnica.com/information-technology/2020/01/fbi-partners-sieze-breach-data-marketplace-alleged-operators-arrested/) the seizure under civil forfeiture laws in a press release on Thursday.
** THE HAPPY CORNER
Ahhh. The happy corner. We meet again.
This week, Bernie Sanders was asked about his campaign’s cybersecurity. He told The Times: “There is a woman in my office whose name is Melissa who drives me crazy and gets angry at me all the time.” As @xor (https://twitter.com/xor/status/1216754958114197512) said, “I think having a Melissa is likely the right way of doing security for an operation like his!” We need more people like Melissa. We also learned that @laparisa (https://twitter.com/laparisa) once started a rumor that @taviso (https://twitter.com/taviso/status/951138750116974592?s=21) “knew all the lyrics to ‘Ice Ice Baby’ and could sing on request.” Sources seem to think the “rumor” is in fact true, and don’t let Tavis convince you otherwise.
@sjmurdoch (https://twitter.com/sjmurdoch/), a computer science professor, got an urgent email from his “head of department,” which quickly spiraled into a long chain about how to get the alleged department head a bunch of gift cards. Yes, it’s obviously a scam, but the entire thread is a hilarious read.
And, last but certainly not least, @laurenkgurley (https://twitter.com/laurenkgurley) and @lorenzofb (https://twitter.com/lorenzofb) wrote a guide on how to organize your workplace (https://www.vice.com/en_us/article/y3md3v/how-to-organize-your-workplace-without-getting-caught) without getting caught. That includes organizing a union and blowing the whistle on sexual harassment and wrongdoing. Really useful stuff in here, including how to maintain good opsec. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
** THIS WEEK’S CYBER CAT
This is Hazel, this week’s cybercat. She loves to lie on soft things — especially warm things like laptops. Some say she’s the best endpoint detection on the market. A big thank you to her human, Willem T., for the submission! Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.).
** SUGGESTION BOX
That’s all for now. Thanks again for reading. And as always, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). I hope you have a great week. See you next Sunday.