this week in security — january 20 edition
** this week in security
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 3.
** THIS WEEK, TL;DR
Hackers Take Control Of Giant Construction Cranes (https://www.forbes.com/sites/thomasbrewster/2019/01/15/exclusive-watch-hackers-take-control-of-giant-construction-cranes/#566beec1d0a5) Forbes: One of my favorite stories of the week, simply for the scale of this effort. Two security researchers, self-styled “crane spotters,” searched for vulnerable cranes that could be hacked and hijacked. “Cranes were hopelessly vulnerable,” said @iblametom (https://twitter.com/iblametom) in his exclusive. By reverse engineering the radio frequencies, the pair of hackers remotely controlled a crane from nearby. They ended up jacking the battery on their own Volkswagen Polo to power all of the gear, so much so that one day it ran out of juice and had to be towed. More: @iblametom (https://twitter.com/iblametom/status/1085164591645118464)
Consumer Protection Sites Are Down Due To The Government Shutdown (https://www.theverge.com/2019/1/13/18178594/fcc-ftc-robocall-complaints-websites-government-shutdown) The Verge: Another week of the government shutdown drags on, and all government consumer protection websites aren’t functioning, meaning several specific consumer sites, like the Do Not Call registry (https://www.donotcall.gov) and identitytheft.gov, are also shut down, leaving victims unable to submit reports. Many other websites are down due to expired HTTPS certificates (https://techcrunch.com/2019/01/17/federal-https-domains-expire-government-shutdown/). Many more are expected to shutter this week because nobody is around to renew them. More: TechCrunch (https://techcrunch.com/2019/01/17/federal-https-domains-expire-government-shutdown/) | @zackwhittaker (https://twitter.com/zackwhittaker/status/1086315615630098433)
The American Military Sucks at Cybersecurity (https://motherboard.vice.com/en_us/article/7xy5ky/the-american-military-sucks-at-cybersecurity) Motherboard: The military isn’t looking so cyberhot these days either. A new report from the Pentagon’s inspector general says the department is a hot mess of security vulnerabilities. As of September when the report was commissioned, there were 266 open flaws, some dating back to 2008. We’ve known the Pentagon’s had issues for a while (https://www.zdnet.com/article/us-ballistic-missile-systems-have-very-poor-cyber-security/) — even in securing its weapons systems. But this latest deep dive shows that there’s little motivation to do anything about it. According to Motherboard, the Pentagon was criticized for not keeping “its cyber shit on lockdown.” Well put. More: Inspector general’s report PDF (https://media.defense.gov/2019/Jan/11/2002078551/-1/-1/1/DODIG-2019-044.PDF) | Archive: ZDNet (https://www.zdnet.com/article/us-ballistic-missile-systems-have-very-poor-cyber-security/)
Nine Charged In SEC Hacking Scheme That Netted $4.1M (https://arstechnica.com/information-technology/2017/09/sec-chairman-reveals-financial-reporting-system-was-hacked/) Ars Technica: Remember a few years ago when those press release services were hacked (https://www.sec.gov/news/pressrelease/2015-163.html)? Prosecutors said that hackers broke into the newswire services to find unreleased information and trade on it, netting more than $100 million. Now, prosecutors say some of the same hackers broke into the SEC’s EDGAR filing system (https://arstechnica.com/information-technology/2017/09/sec-chairman-reveals-financial-reporting-system-was-hacked/), stole unreleased filings, and used that financial information to short stocks. Clever stuff, until they got caught. Nine were charged for the fraud that netted over $4M. More: Justice Dept. (https://www.justice.gov/usao-nj/pr/two-ukrainian-nationals-indicted-computer-hacking-and-securities-fraud-scheme-targeting) | Reuters (https://www.reuters.com/article/us-usa-cyber-stocks/u-s-authorities-charge-several-people-in-sec-hacking-scheme-idUSKCN1P91MX) | Background: Ars Technica (https://arstechnica.com/information-technology/2017/09/sec-chairman-reveals-financial-reporting-system-was-hacked/)
Some Android GPS Apps Are Just Showing Ads On Top Of Google Maps (https://www.zdnet.com/article/some-android-gps-apps-are-just-showing-ads-on-top-of-google-maps/) ZDNet: Well this is embarrassing. Another day, another set of dodgy Android apps on Google Play. This time, ESET researcher @LukasStefanko (https://twitter.com/LukasStefanko/) found several fake GPS apps just layering ads on top of Google Maps. Collectively, the apps were installed more than 50 million times, leading to a lot of fraudulent ad revenue. Here’s a list of all the bad apps (https://www.zdnet.com/article/some-android-gps-apps-are-just-showing-ads-on-top-of-google-maps/). More: @LukasStefanko tweet thread (https://twitter.com/LukasStefanko/status/1085888553580707840) | Gizmodo (https://gizmodo.com/navigation-apps-with-millions-of-downloads-exposed-as-j-1831869725)
Twitter Bug Revealed Some Android Users’ Private Tweets (https://techcrunch.com/2019/01/17/twitter-bug-revealed-some-android-users-private-tweets/) TechCrunch: You had one job, Twitter. Tweets should be public, and private tweets should be private. Except for millions of Android users, that wasn’t the case at all. Twitter said it inadvertently disclosed some private tweets, for four years. “If the user had changed their account email address, the ‘Protect your Tweets’ setting was disabled,” said Twitter (https://twitter.com/TwitterSupport/status/1085962719444889600). That might sound obvious to some, but not so much to others. Twitter only went public because it said it “can’t confirm every account that may have been impacted.” Wow. More: BBC News (https://www.bbc.com/news/technology-46918859) | @Twitter (https://twitter.com/TwitterSupport/status/1085962719444889600) | Twitter Support (https://help.twitter.com/en/protected-tweets-android)
Eight GDPR Complaints Filed on “Right to Access” (https://noyb.eu/access_streaming/) Noyb: And, speaking of possible GDPR violations, privacy superstar Max Schrems said eight companies, including Amazon, Apple, and Netflix, aren’t fully complying with GDPR rules. Schrems said these companies aren’t providing the required background information as part of their legal obligation to honor a “right to access” request for your own data. One company, SoundCloud, simply ignored the request, he said. More: The Register (https://www.theregister.co.uk/2019/01/18/streaming_services_slapped_with_complaints_alleging_failure_to_meet_gdpr_rights/) | Reuters (https://www.reuters.com/article/us-europe-privacy/austrian-data-privacy-activist-files-complaint-against-apple-amazon-others-idUSKCN1PC1FA)
** THE STUFF YOU MIGHT’VE MISSED
Gaining access to Uber’s user data through AMPScript (https://blog.assetnote.io/bug-bounty/2019/01/14/gaining-access-to-ubers-user-data-through-ampscript-evaluation/) Assetnote: Uber has paid out a $23,000 bounty for a privately reported bug found by Shubham Shah (https://twitter.com/infosec_au), which allowed access to user data by exploiting a bug in AMPScript (https://developer.salesforce.com/docs/atlas.en-us.mc-programmatic-content.meta/mc-programmatic-content/syntaxGuide.htm), a scripting language used by Salesforce Marketing Cloud customers. He showed that he was able to retrieve user data from the company’s backend. It was fixed in two days.
Why some hackers are getting pissed off with bug bounty platforms (https://medium.com/@zseano/are-you-submitting-bugs-for-free-when-others-are-being-paid-welcome-to-bugbounties-9e0fdb40a837) Medium: Sticking with bug bounties, I’ve heard over the past year of companies trying to avoid paying out for bug bounties, when in reality they’re a drop in the ocean compared to their overall budgets, and far cheaper than paying out in FTC fines when someone inevitably steals a ton of user data. But often, it’s the platforms running the bounties that are screwing things up, says @zseano (https://twitter.com/zseano). Go and submit your bugs for free to build a better rep, while others in the private beta are submitting similar bugs and getting paid? No, that isn’t fair. Bug bounties are great in theory but can be crap in practice. Time for a fix.
Feds can’t force you to unlock your phone with your finger or face, says judge (https://www.forbes.com/sites/thomasbrewster/2019/01/14/feds-cant-force-you-to-unlock-your-iphone-with-finger-or-face-judge-rules/#4f6435a142b7) Forbes: Long has it been the case that your biometrics can be used by police to force you to unlock your phone, because something you have (your face or fingerprint) isn’t covered under the Fifth Amendment, whereas something you know (your password) is. Now a judge has ruled otherwise. It’s a step in the right direction for privacy, but still a long way off from becoming settled law.
Record fine on deck for Facebook? (https://www.washingtonpost.com/technology/2019/01/18/us-regulators-have-met-discuss-imposing-record-setting-fine-against-facebook-some-its-privacy-violations/?utm_term=.9c7e56ce7a75) Washington Post ($): It’s looking like Facebook could be on track to receive a “record fine” for several privacy violations over the past year, including the Cambridge Analytica scandal. How big? It’s unclear, but @ashk4n (https://twitter.com/ashk4n), who used to work at the FTC, noted in a tweet (https://twitter.com/ashk4n/status/1086358702901256193?s=21) that the agency imposed a $10 billion fine on VW in 2016 (https://www.ftc.gov/enforcement/cases-proceedings/refunds/volkswagen-settlement), but only $100 million against Lifelock in 2015 (https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated). Facebook made $40 billion in revenue last year. So, somewhere in between?
“Why is there a Raspberry Pi in the network closet?” (https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html) Christian Haschek: This would scare the crap out of me. A co-worker of Christian Haschek (https://twitter.com/geek_at) found a Raspberry Pi in the network closet with a powerful Wi-Fi dongle attached, and turned to Reddit (https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_raspberrypi_found_in_network_closet_need/) for help identifying it. By tearing it apart and examining its storage, Haschek found it contained the attacker’s home address. Bingo. It turns out that an ex-employee sneaked the device in when they claimed they were coming back to clear their desk. This is a real infosec thriller.
Open Rsync connection leaked Oklahoma FBI investigation files (https://www.upguard.com/breaches/rsync-oklahoma-securities-commission) UpGuard: Another find by @VickerySec (https://twitter.com/vickerysec) revealed a massive store of exposed data as a result of an unprotected Rsync server. This time it was Oklahoma’s Securities Commission, whose exposed data included tons of sensitive and private records. Worse, it contained spreadsheets and documents detailing the timelines of FBI investigations and the people they interviewed. One screenshot even showed T-Mobile accepting and responding to a federal subpoena (https://www.upguard.com/breaches/rsync-oklahoma-securities-commission). Ouch.
** OTHER NEWSY NUGGETS
GoDaddy found injecting JavaScript in customer sites: Web hosting giant GoDaddy was caught injecting JS code into websites as part of its “real user metrics” feature (https://au.godaddy.com/help/why-am-i-signed-up-for-real-user-metrics-31969) that monitors websites for bottlenecks. It creeped enough people out (https://www.bleepingcomputer.com/news/technology/godaddy-injecting-javascript-that-may-break-customer-sites/) to spark concerns. Dozens of people complained on Reddit (https://www.reddit.com/r/web_design/comments/9s37it/godaddy_will_inject_javascript_into_your_site_to/). GoDaddy lets users opt out, but many said that it should be opt-in by default.
Hack this Tesla, win $250,000: Tesla, which extended protections to good-faith hackers (https://techcrunch.com/2018/09/06/teslas-new-bug-bounty-protects-hackers-and-your-warranty/) who try to mess with its software, put one of its Model 3 cars up at the Pwn2Own hacking contest (https://www.thezdi.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more#rules). Hackers can get anything from $35,000 for hacking the infotainment center, up to $250,000 for achieving code execution on its Autopilot feature.
773 million records in “mega breach”: @troyhunt (https://twitter.com/troyhunt/) loaded a massive 773 million “Collection #1” credential stuffing list into Have I Been Pwned (https://haveibeenpwned.com) this week. It’s a collection of previously collated breaches, totaling 2.6 billion rows (https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/) of usernames, email addresses and passwords. According to @briankrebs (https://twitter.com/briankrebs), it’s years old and just one of many different collections, and isn’t even the largest (https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/). The as-yet-unreleased “Collection #2” is said to be 526 gigabytes in size.
Assassins, leave your smart tech at home: A lesson in terrible opsec (https://twitter.com/evacide/status/1086395502139195393?s=21): a hitman, who loved to run and record his stats using his smart watch, was tied to a murder because his running data gave him away. The assassin plotted the murder with precision, doing careful recon on his target (https://www.liverpoolecho.co.uk/news/liverpool-news/inside-mind-iceman-assassin-gun-15656804). But he wore his watch each time, and detectives later used its location data to tie him to the murder.
** GOOD PEOPLE DOING GOOD THINGS
Many good things this week. Here’s what you need to know:
From a reader: SlackPirate (https://github.com/emtunc/SlackPirate/) is a Python script, available on GitHub, that lets you “extract” interesting data from your Slack organization, including links to S3 buckets, passwords, AWS keys and more. “The tool allows you to easily gather sensitive information for offline viewing at your convenience,” says its readme (https://github.com/emtunc/SlackPirate/blob/master/README.md). Great for both red and blue teams. Awesome stuff.
From the SCU Internet Law Organization (https://twitter.com/SCU_ILSO/): if anyone in the San Francisco Bay area is looking for a legal or privacy internship, there are plenty of options in this tweet (https://twitter.com/SCU_ILSO/status/1086450132835422208), including Apple, Mozilla, EFF and Cloudflare. Some great opportunities there.
The Disclose.io (https://disclose.io/) team has a full, ever-expanding but easy-to-read list of public bug bounty programs and details of who you can report vulnerabilities to. It’s a really long (but searchable! (https://www.bugcrowd.com/bug-bounty-list/)) list, and it’s also available as a giant JSON file on GitHub (https://github.com/disclose/disclose/tree/master/bug-bounty-list). Bookmark it! It’s a handy resource.
And last but certainly not least, @IanColdwater (https://twitter.com/IanColdwater) has some great advice for anyone, but especially those in infosec. In a tweet (https://twitter.com/IanColdwater/status/1086400485693763585), she reminded us all that the people we admire “are just people.” It’s a reminder that even some of the smartest, toughest minds out there struggle with things too, and that they’re not so dissimilar from you, me, and everyone else.
** THIS WEEK’S CYBER CAT
This is Lily, this week’s cyber cat, sent in by her human Jim Cornell. She looks like she’s relaxing, but actually she’s thinking of all the ways she can hack you. (You may need to enable images in this email.) If you want your cyber cat featured in an upcoming newsletter, please send along their name, a photo and a description to: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
(Also, a personal thank you to everyone who sent kind words about my own cyber cat Toby, who fell ill this week (https://twitter.com/zackwhittaker/status/1086085690155286528). He’s much better after two nights at the vet’s. He’s eating and not puking, and this morning started hissing at our foster kittens again, so, yeah, I’m pretty sure he’s back to his usual self (https://twitter.com/zackwhittaker/status/1086999575968272384).)
** SUGGESTION BOX
That’s all for this week. As always, if you have any feedback, feel free to drop it in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Back same time next week.