this week in security — january 27 edition
** this week in security
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 4.
** THIS WEEK, TL;DR
Undercover Agents Target Cybersecurity Watchdog (https://apnews.com/9f31fa2aa72946c694555a5074fc9f42) Associated Press: This is an absolute wild ride of a story. Citizen Lab researchers, who spend their days analyzing nation-state or government-backed mobile malware and spyware, ambushed a group of undercover operatives who were trying to quiz them about their work exposing Israeli surveillance. “Their tactics recall those of private investigators who assume elaborate false identities to gather intelligence or compromising material on critics,” wrote @razhael (https://twitter.com/razhael/). It comes after the Canadian academics reported that one of the confidants to murdered journalist Jamal Khashoggi had his phone bugged with NSO Group’s signature malware. More: @razhael tweet thread (https://twitter.com/razhael/status/1089168724425355264)
I Tried to Block Amazon From My Life. It Was Impossible. (https://gizmodo.com/i-tried-to-block-amazon-from-my-life-it-was-impossible-1830565336) Gizmodo: Maybe you don’t realize it, but Amazon is everywhere — from AWS running websites to apps that require an Amazon back-end. It’s not just shopping and Alexa. @kashhill (https://twitter.com/kashhill) wanted to block Amazon out of her life to see how easy it was. (Hint: it wasn’t.) Using a custom-built VPN server that blocked all requests to Amazon, she found that everything from Netflix to Vice Motherboard required Amazon to work. It’s one story in a wider series called “Goodbye Big Five” (https://gizmodo.com/c/goodbye-big-five), where Hill tries to blanket-block some of the other major tech companies out of her life. More: Gizmodo (https://gizmodo.com/c/goodbye-big-five) | @kashhill tweet thread (https://twitter.com/kashhill/status/1088503062551977984)
Everybody Is Infiltrating Global Computer Supply Chains (https://theintercept.com/2019/01/24/computer-supply-chain-attacks/) The Intercept: Another page from the Snowden cache, as a follow-up to the bunk Bloomberg “spy chip” report (https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/) some months back. Even though Bloomberg’s story was widely considered rubbish, previously released but newly analyzed Snowden files show that actually, everyone’s doing it. “The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies.” France and Germany are also mentioned. More: @micahflee tweet thread (https://twitter.com/micahflee/status/1088511697550172160) | Background: TechCrunch (https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/)
Apple’s Security Expert Joined the ACLU to Tackle ‘Authoritarian Fever’ (https://motherboard.vice.com/en_us/article/wjmqgw/apples-security-expert-joined-the-aclu-to-tackle-authoritarian-fever) Motherboard: @kimzetter returns with an interview with Jon Callas, who recently left Apple to work for the ACLU as a technology fellow. Before that, he helped develop PGP. Callas talked surveillance and end-to-end encryption, and why verifying Signal safety numbers is so damn difficult — even for him. He also discusses why he joined the ACLU — and which big security challenges and policy issues remain. More: Foreign Policy (https://foreignpolicy.com/2019/01/21/surveillance-is-a-tech-problem-but-it-requires-a-policy-solution/) | @joncallas on Twitter (https://twitter.com/joncallas)
DHS Releases Emergency Order To Prevent DNS Hijacking (https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/) Cyberscoop: Homeland Security’s new dedicated cybersecurity agency, CISA, released its first emergency order this week, weeks after FireEye linked Iran to a massive DNS manipulation campaign (https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html). The order requires federal civilian agencies to secure the login credentials for their internet DNS records, according to a CISA blog post (https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive). Who was going to do it? The government was still in shutdown. A source told me that furloughed workers would have to come back for unpaid work (https://twitter.com/zackwhittaker/status/1088079869366411265), after CISA’s director Chris Krebs said several agencies were confirmed affected by the DNS hijacking campaign. More: CISA (https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive) | @chriskrebs tweet thread (https://twitter.com/CISAKrebs/status/1088211827463503872) | Background: FireEye (https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html)
Millions Of Bank Loan And Mortgage Documents Have Leaked Online (https://techcrunch.com/2019/01/23/financial-files/) TechCrunch: A massive cache of millions of OCR’d mortgage and loan documents was found online this week. The culprit? No password on the server. The 46,000 or so loans originated with major banks and had since been sold off; a vendor for the loan-buying company was to blame for the exposure. The only saving grace was that a lot of the OCR’d files were garbled — but still clear enough to expose sensitive financial information and social security numbers. Worse, a day later, that vendor had to secure a second exposure — the original files (https://techcrunch.com/2019/01/24/mortgage-loan-leak-gets-worse/) — with all the records easy to read. (Disclosure: I wrote this story.) More: TechCrunch (https://techcrunch.com/2019/01/24/mortgage-loan-leak-gets-worse/)
Malvertisers Target Macs With Steganographic Code Stashed In Images (https://arstechnica.com/information-technology/2019/01/malvertisers-target-mac-uses-with-stenographic-code-stashed-in-images/) Ars Technica: A recently discovered malvertising campaign, triggered as many as five million times per day, used JavaScript hidden inside image files to install malware on visitors’ Macs. The image-based payload, dubbed VeryMal, targeted US users exclusively in some of its campaigns. More: ZDNet (https://www.zdnet.com/article/malvertising-campaign-targets-apple-users-with-malicious-code-hidden-in-images/) | Confiant (https://blog.confiant.com/confiant-malwarebytes-uncover-steganography-based-ad-payload-that-drops-shlayer-trojan-on-mac-cd31e885c202?gi=875b0895dcc2)
Period-Tracking Apps Are Monetizing Women’s Extremely Personal Data (https://www.bloomberg.com/news/articles/2019-01-24/how-period-tracking-apps-are-monetizing-women-s-extremely-personal-data) Bloomberg: Thanks to work (https://techcrunch.com/2018/09/07/a-dozen-popular-iphone-apps-caught-quietly-sending-user-locations-to-monetization-firms/) by @chronic (https://twitter.com/chronic) and team, we know that apps monetize your location data without your explicit consent. Now they’re targeting personal health apps — like period trackers. More than 100 million women use apps like Flo, Glow, Ovia, and Clue to monitor their cycles (and to help with fertility), but many period trackers are collecting millions of data points that get passed on to third parties, because the apps aren’t beholden to the same privacy rules that hospitals and medical professionals have to meet. Archive: Broadly (https://broadly.vice.com/en_us/article/8xe4yz/menstrual-app-period-tracker-data-cyber-security) | Jezebel (https://jezebel.com/what-happens-when-you-tell-the-internet-youre-pregnant-1794398989)
** THE STUFF YOU MIGHT’VE MISSED
Girl Scouts USA offer badges in cybersecurity (https://www.bbc.com/news/av/technology-46911157/girl-scouts-of-the-usa-offer-badges-in-cyber-security) BBC News: Good stuff here trying to get girls to think more about cybersecurity. Best at an early age so that the good advice proactively sinks in. There are five badges to earn. The move is also part of a push to get girls more interested in STEM topics (https://www.geek.com/tech/girl-scouts-can-now-earn-cool-cybersecurity-skills-badges-1771394/).
If 5G is so important, why isn’t it secure? (https://www.nytimes.com/2019/01/21/opinion/5g-cybersecurity-china.html) The New York Times ($): 5G networks are coming, but some are just as flawed as their older 4G LTE counterparts. You don’t hear about SS7 flaws in 5G, but that’s because the equivalent weaknesses there are different-but-similar Diameter vulnerabilities (https://www.google.com/search?q=5g+diameter+ss7&oq=5g+diameter+ss7&aqs=chrome..69i57.1734j0j7&sourceid=chrome&ie=UTF-8). This is an interesting op-ed from the former Democratic chairman of the FCC, hitting out at his Republican successor. “The simple fact is that our wireless networks are not as secure as they could be because they weren’t designed to withstand the kinds of cyberattacks that are now common,” writes Tom Wheeler.
Big tech’s fake war on fake news (https://www.cnn.com/2019/01/21/opinions/big-tech-fake-war-fake-news-opinion-intl/index.html) CNN: This is interesting: CNN says (and rightfully so) that Facebook, Twitter and Google need to start working together to combat misinformation. They work independently in their efforts to tackle inauthentic behavior, but “they remain stuck in a competitive race where consumers continue to come a distant second,” writes @brettbruen (https://twitter.com/BrettBruen), a former White House global engagement director. “All of them could agree to set up the kind of fusion center that would make us all safer,” he said.
** OTHER NEWSY NUGGETS
Hackers baselessly blame women for the end of DerbyCon: A quick one on this: @lorenzoFB (https://twitter.com/lorenzofb) wrote a deep-dive into the baseless claims (https://motherboard.vice.com/en_us/article/eve4en/hackers-blame-women-and-sjws-end-of-derbycon-security-conference) made by some for why DerbyCon is no more. In short, many were using their revolting views towards women as a scapegoat for their own shitty behavior. I (like others (https://twitter.com/GossiTheDog/status/1088209407828209665)) try not to follow the online drama. But this bubbled up this week after dozens of men, mostly, were using a private group to make highly offensive remarks and comments (https://twitter.com/thegrugq/status/1088374947917885442?s=21) about women in cybersecurity. Lorenzo’s story has the full breakdown (https://motherboard.vice.com/en_us/article/eve4en/hackers-blame-women-and-sjws-end-of-derbycon-security-conference) of what happened. Collectively, as an industry, we all have to do better and not let these horrible views permeate.
Facebook plans Instagram, WhatsApp, Facebook Messenger back-end merger: Mark Zuckerberg wants to create a unified end-to-end encrypted back-end for its messaging apps, reports The New York Times ($) (https://www.nytimes.com/2019/01/25/technology/facebook-instagram-whatsapp-messenger.html). That means you can talk to someone on Instagram using WhatsApp, which also means that Facebook is bringing long-awaited encryption to Instagram private messages. But some worry that means it’ll be easier for Facebook to target ads at you. Security expert @AlecMuffett (https://twitter.com/AlecMuffett) has a really good tweet thread (https://twitter.com/AlecMuffett/status/1089483304187973632) on what this might mean going forward.
Thousands tell HMRC to delete their voice data: HM Revenue & Customs, the U.K.’s tax authority, was secretly capturing the biometric voice prints of millions of callers in 2017 without an easy way to opt out. HMRC was told to back off and offer taxpayers an opportunity to ditch their voice print. So far, more than 160,000 privacy-minded people (https://www.bbc.com/news/technology-47001458) have done so, according to a Freedom of Information request.
A warning to anyone who installed PEAR PHP in the last 6 months: If you installed PEAR PHP in the past six months, you might be infected with malware that popped a web shell, giving a hacker unfettered access to your back-end. As always, @dangoodin001 (https://twitter.com/dangoodin001) has the scoop (https://arstechnica.com/information-technology/2019/01/pear-php-site-breach-lets-hackers-slip-malware-into-official-download/).
** GOOD PEOPLE DOING GOOD THINGS
Just one this week. I want to talk about a guy called Kevin.
Kevin Collier was laid off from BuzzFeed News (https://twitter.com/kevincollier/status/1088847766430932992) this week. He’s a well-known and highly respected cybersecurity reporter, who was on the national security team, which was decimated by layoffs. You’re probably thinking, “BuzzFeed is just cat GIFs and listicles.” No, BuzzFeed was where Kevin, and other reporters, did incredible and groundbreaking work. Whether you’re left or right of the political spectrum, cybersecurity is what brings us all here. I’ve known him for years as one of the top cyber reporters (https://twitter.com/kevincollier/status/1088848022144991232) — who has uncovered wrongful sexual behavior (https://www.buzzfeednews.com/article/kevincollier/hacker-hero-is-said-to-have-used-cyber-conferences-to) at tech conferences, detailed how the UAE and Qatar used U.S. media (https://www.buzzfeednews.com/article/kevincollier/qatar-uae-iran-trump-leaks-emails-broidy) as a sparring ground, and explained what happens when other countries inevitably hit back at U.S. hackers (https://www.buzzfeednews.com/article/kevincollier/us-nsa-hackers-identities-protection) — to name just a few of his stories. Not just that, but truth be told, he’s been a great friend to me — whether it’s lending an ear after a bad day, or giving advice when it’s needed most.
He put everything into that job and it shows. The world was more enlightened, thanks to his reporting. And, to my knowledge, now there’s no dedicated cybersecurity reporter at BuzzFeed. But BuzzFeed’s loss is everyone else’s gain.
At the very least, buy him a beer. Better yet, hire him (https://twitter.com/kevincollier).
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Curry, who loves to rummage through your files when you’re not looking. Thanks to @BradD073 (https://twitter.com/BradD073) for sending in a picture. (You may need to enable images in this email.) Please keep sending in your cybercats! Include their name, a photo and a description to: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
See you same time next week. If you want to drop me any feedback about this newsletter, feel free to drop it in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform).