this week in security — january 24 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 4
~ ~
** THIS WEEK, TL;DR
Intelligence analysts use U.S. smartphone location data without warrants, memo says (https://www.nytimes.com/2021/01/22/us/politics/dia-surveillance-data.html) New York Times ($): A belter of a story this week. Analysts at the Defense Intelligence Agency have searched for Americans’ movements using a commercial database of location data purchased from a data broker. The data was obtained and searched without a warrant, and was used in at least five investigations over the past two-ish years. The warrantless searches of Americans were disclosed in a memo to @RonWyden (https://twitter.com/ronwyden)’s office. Turns out it’s legal — or at least not illegal (yet), thanks in part to a loophole in the 2018 Carpenter decision that put restrictions on what the government can compel from phone companies. Wyden, predictably pissed off, plans to close the loophole with a legislative fix. “The Fourth Amendment is not for sale,” said Wyden. More: DIA unclassified memo [PDF] (https://int.nyt.com/data/documenttools/dni-to-wyden-on-commercially-available-smartphone-locational-data/5d9f9186c07993b6/full.pdf) | @charlie_savage (https://twitter.com/charlie_savage/status/1352673307322175488?s=21)

These are the big cyber issues Joe Biden will immediately face (https://www.cyberscoop.com/biden-cybersecurity-russia-solarwinds/) Cyberscoop: Congratulations to Joe Biden who landed a new job this week! (Yes, that was a joke.) Cyberscoop has two good stories on exactly what Biden will face during his first few days in office. On his plate is obviously the SolarWinds breach (more on that in a second), bulking up his cyber picks across government — from Homeland Security to the CIA — and setting policies on offensive hacking operations. Really, the big challenge will be at the Cabinet level (https://www.cyberscoop.com/biden-cabinet-cyber-avril-haines-mayorkas-hearings/).
Another key area is ensuring that the government can defend against overseas threats while balancing its “defend forwards” (preemptively hacking to prevent a larger attack) strategy. More: Cyberscoop (https://www.cyberscoop.com/biden-cabinet-cyber-avril-haines-mayorkas-hearings/)
After big hack of U.S. government, Biden enlists ‘world class’ cybersecurity team (https://www.reuters.com/article/us-usa-biden-cyber-idUSKBN29R18I) Reuters: President Biden is also on a cybersecurity hiring spree as the government begins its recovery from the massive SolarWinds breach that allowed (likely Russian) hackers to break into several federal agencies. That includes a new permanent CISA head, after Chris Krebs was fired by tweet for debunking Trump’s false election claims. Rob Silvers is expected to take the helm at CISA, per Reuters, and former NSA official turned Morgan Stanley head of resilience Jen Easterly could be tapped as the new National Cyber Director, a new post that will help coordinate cyber across the federal government. More: Cyberscoop (https://www.cyberscoop.com/rob-silvers-biden-cisa-cyber-homeland-security/) | The New York Times ($) (https://www.nytimes.com/2021/01/21/us/politics/biden-russia-cyber-hack-nuclear.html)
Malwarebytes hit by hackers implicated in SolarWinds breach (https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments/) Malwarebytes: Malwarebytes became the latest cyber giant to be hit by the same SolarWinds hackers — albeit using a different entry route. In a blog post, @mkleczynski (https://twitter.com/mkleczynski/status/1351626763059675138?s=20) said the company learned of the attack from Microsoft, which found suspicious activity from a dormant email protection product in its Office 365 tenant. (Microsoft has been investigating (https://www.reuters.com/article/us-global-cyber-usa/suspected-russian-hackers-used-microsoft-vendors-to-breach-customers-idUSKBN28Y1BF) Office 365 and Azure intrusions.) Malwarebytes said the hackers got access only to a “limited subset of internal company emails.” The company is now at least the fourth security company hacked after FireEye and Microsoft (if you count it, which you should). CrowdStrike was targeted but not breached. More: ZDNet (https://www.zdnet.com/article/malwarebytes-said-it-was-hacked-by-the-same-group-who-breached-solarwinds/) | @mkleczynski (https://twitter.com/mkleczynski/status/1351626763059675138?s=20) | Background: Reuters (https://www.reuters.com/article/us-global-cyber-usa/suspected-russian-hackers-used-microsoft-vendors-to-breach-customers-idUSKBN28Y1BF)

This site published every face from Parler’s Capitol riot videos (https://www.wired.com/story/faces-of-the-riot-capitol-insurrection-facial-recognition/) Wired ($): You may remember that at least one hacker exploited (https://gizmodo.com/every-deleted-parler-post-many-with-users-location-dat-1846032466) a very simple bug to download every Parler post (and the user’s location!) since the U.S. Capitol riot on January 6.
But now a new site has popped up with thousands of unmasked faces taken from the videos and organized in an easy-to-browse lineup. The anonymous creator of the site — dubbed Faces of the Riot (and also aptly named) — “used simple open source machine learning and facial recognition software to detect, extract, and deduplicate every face from the 827 videos that were posted to Parler from inside and outside the Capitol building.” It’s an interesting one: facial recognition (like any other technology) can be used for good or bad. Is this a good use of it? Arguably so, but the site — and the technology — doesn’t distinguish between those who broke the law and those who were simply outside, the article notes. More: Gizmodo (https://gizmodo.com/every-deleted-parler-post-many-with-users-location-dat-1846032466) | Wired ($) (https://www.wired.com/story/parler-hack-data-public-posts-images-video)
Bugs allowed hackers to hijack Kindle accounts with malicious ebooks (https://www.vice.com/en/article/93wgzy/bugs-allowed-hackers-to-hack-kindle-accounts-with-malicious-ebooks) Motherboard: Several vulnerabilities in Amazon’s Kindle could’ve allowed hackers to hijack devices by sending them a malicious ebook using Send to Kindle, a feature that lets users email ebooks to their Kindles. At worst, a hacker could’ve made malicious purchases using the victim’s saved credit card information and other personal data. The researcher also published a technical writeup (https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08) explaining the bugs in more detail, and netted $18,000 in a bug bounty reward. More: Medium (https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08)
~ ~
** SUPPORT THIS NEWSLETTER
A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps to cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Fired former data scientist Rebekah Jones arrested, tests positive for COVID-19 (https://arstechnica.com/tech-policy/2021/01/florida-police-arrest-former-state-covid-19-data-manager-rebekah-jones/) Ars Technica: You may remember Rebekah Jones, the data scientist who built and managed Florida’s COVID-19 data dashboard and was fired (https://www.npr.org/sections/coronavirus-live-updates/2021/01/18/957914495/data-scientist-rebekah-jones-facing-arrest-turns-herself-in-to-florida-authoriti) after she refused to alter or manipulate data to support the state’s plan to reopen businesses and restaurants. Police raided her home, and later issued a warrant for her arrest after an unknown person sent an “unauthorized message” to hundreds of Florida Dept. of Health employees urging them to “speak up” before more die of the pandemic. Jones denies having anything to do with the message. (Hundreds of staff have credentials for the system she allegedly accessed, and the credentials were at the time publicly available on the internet.) Jones claims Florida Gov. Ron DeSantis is trying to silence her. Definitely a case to watch, since under Florida law it’s effectively a computer hacking case.
SonicWall’s internal network hacked using a SonicWall zero-day (https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/) SonicWall, ZDNet: Networking giant SonicWall says its internal network was breached by hackers using “probable zero-day vulnerabilities” in its own hardware. The company posted details to its website (https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/) , outlining which products are likely vulnerable. There are no immediate patches (which isn’t a surprise given the discovery). But as ZDNet (https://www.zdnet.com/article/sonicwall-says-it-was-hacked-using-zero-days-in-its-own-products/) notes, SonicWall may not be another SolarWinds victim — sources suggest the company may have been hit by ransomware actors. ~ ~
** OTHER NEWSY NUGGETS
Laptops given to British schools came preloaded with malware (https://www.theregister.com/2021/01/21/dept_education_school_laptops_malware/) The Register reports that a shipment of some 23,000 laptops given to British schoolkids during the pandemic came preloaded with a remote-access worm, Gamarue.I (https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Gamarue.I) . The U.K. government said it believes this is “not widespread.” According to BBC News (https://www.bbc.com/news/technology-55749959) , the government has sent out more than 800,000 laptops.
Hacker leaks data of millions of Teespring users (https://www.zdnet.com/article/hacker-leaks-data-of-millions-of-teespring-users/) Teespring was hacked, and the email addresses and account registration dates of some 13-ish million users were leaked. No passwords were released (yet). The breach dates back to June 2020, and was disclosed (https://community.teespring.com/blog/security-incident-june-2020/) in December. ~ ~
** THE HAPPY CORNER
I don’t really get the sea shanty thing that’s going around. But @racheltobac (https://twitter.com/RachelTobac/status/1352409636792492035) (and friends (https://twitter.com/RachelTobac/status/1352409849749934080)) was incredible. Sing along and learn how to stay safe online. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** CYBER CATS & FRIENDS
This is Duke, who debuts as the first featured non-cyber cat. (His cyber-cat pals, Notch and Marty, have been featured before.) Duke handles physical security for the cats. Here he is on patrol one evening. Good boy, Duke. A big thanks to his human, Robert M., for the submission! Please keep sending in your cyber cats (and friends)! The more the merrier. Yes, you can also now send in your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition) too. Send them in here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) ! ~ ~
** SUGGESTION BOX
Thanks for reading! The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open for feedback. Looking forward to seeing some of your cyber cats (and friends) — don’t forget to send them in! Be well, see you next week.
============================================================
~this week in security~ does not track email opens or link clicks.