this week in security — january 3 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 1
~ ~
** THIS WEEK, TL;DR
Microsoft says Russians hacked its network, viewing source code (https://www.washingtonpost.com/national-security/microsoft-russian-hackers-source-coce/2020/12/31/a9b4f7cc-4b95-11eb-839a-cf4ba7b7c48c_story.html) Washington Post ($): Hackers believed to be working for the Russian government broke into Microsoft’s network and viewed its proprietary source code, but were unable to modify it. We knew that Microsoft was one of the companies using compromised and backdoored SolarWinds software, the original vector for the hacks that swept across the federal government. But the company has reiterated that the intrusion hasn’t put customers at risk. Microsoft says it uses an “inner source” approach — so it doesn’t rely on the secrecy of its source code for security — but the software giant didn’t say what kind of code was accessed, only that the intruders used an employee’s account. Reuters, which first reported on the breach two weeks (https://www.reuters.com/article/us-global-cyber-microsoft/solarwinds-hackers-accessed-microsoft-source-code-the-company-says-idUSKBN2951M9) earlier (a report Microsoft had frostily rejected at the time), asked some of those outstanding questions. In any case, the Post’s reporting suggests that the source code access could have been the prelude to a “much more ambitious offensive.” More: Reuters (https://www.reuters.com/article/us-global-cyber-microsoft/solarwinds-hackers-accessed-microsoft-source-code-the-company-says-idUSKBN2951M9) | @razhael (https://twitter.com/razhael/status/1344738195896987650)
Police turn to car data to destroy suspects’ alibis (https://www.nbcnews.com/tech/tech-news/snitches-wheels-police-turn-car-data-destroy-suspects-alibis-n1251939) NBC News: Car infotainment systems are a goldmine of evidence for police, and have been used to crush alibis and prosecute suspects. Many might think of cars as “cellphones on wheels” given the amount of data they collect. It’s not just the usual stuff that lands on the system when you connect your phone — call logs, text messages, emails and the rest of it. The amount of data is far greater than you’d imagine — think about it: the sensors in your car can figure out how much you weigh. “In a criminal case, the sequence of doors opening and seat belts being inserted could help show that a suspect had an accomplice.” This is a fascinating look at the data that infotainment systems hold on you, and how police are using this new field of forensics to solve crime. More: @oliviasolon tweets (https://twitter.com/oliviasolon/status/1343633194755624960) | @wmb312 (https://twitter.com/wbm312/status/1343658724070547457) | @kashhill (https://twitter.com/kashhill/status/1344045161215647745)
NSO used real people’s location data to pitch its contact-tracing tech, researchers say (https://techcrunch.com/2020/12/30/nso-fleming-data-location/) TechCrunch: From the debunk department: Remember a few months ago when notorious spyware maker NSO Group was touting its new contact tracing tool, Fleming, by giving governments and media outlets demos using “simulated” location data? Turns out it wasn’t simulated data at all, as NSO had claimed. A few weeks after NSO gave the demos, Fleming’s back-end data was left exposed (https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing/) on the internet. So I sent that exposed data off to researchers at @ForensicArchi (https://twitter.com/forensicarchi/status/1344336802430263296?s=21) at Goldsmiths in London, who analyzed the data. By mapping the location points across time and space, they found plausible movements and errors they’d only expect to see in real data. They concluded that NSO had used tens of thousands of unwitting people’s location data to drum up business for its contact tracing tech. NSO, as you might expect, denied the allegations. (Disclosure: I wrote this story.) More: Forensic Architecture (https://forensic-architecture.org/investigation/nso-groups-breach-of-private-data-with-fleming-a-covid-19-contact-tracing-software) | @ForensicArchi (https://twitter.com/forensicarchi/status/1344336802430263296?s=21) | @zackwhittaker (https://twitter.com/zackwhittaker/status/1344327937806503938?s=21)

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways (https://www.zdnet.com/article/backdoor-account-discovered-in-more-than-100000-zyxel-firewalls-vpn-gateways/) ZDNet: More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers have a hardcoded admin-level backdoor account which, frankly, is about as bad as it gets for tech that’s supposed to — well, control access to the entire network. The backdoored account was discovered by Dutch security firm Eye Control. The risk of hijack is pretty huge now that the account’s existence has been made public. On the plus side, patches are available. You’d figure the company would have learned the lesson from its 2016 backdoor incident but, alas, clearly not. More: Eye Control (https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html) | @campuscodi (https://twitter.com/campuscodi/status/1345219320503300097)
Ticketmaster will pay $10 million for hacking rival ticket seller (https://www.theverge.com/2020/12/30/22206955/ticketmaster-songkick-crowdsurge-hacking-deferred-prosecution-fine) The Verge: Who had “Ticketmaster hacking into a rival to spy on their business” on their 2020 bingo card? The ticket selling giant has agreed to pay $10 million after admitting to hiring a former employee of rival seller CrowdSurge and using passwords he knew to log back into his old employer’s systems and learn more about the rival’s business. The conduct dates back to 2013 but only really emerged this week. Ticketmaster executive Zeeshan Zaidi and the employee in question were fired after their conduct came to light in 2017. The agreement defers prosecution under the CFAA, the very law whose definition of unauthorized access the Supreme Court is examining (https://techcrunch.com/2020/11/29/supreme-court-van-buren-hacking/) right now. More: @KlasfeldReports (https://twitter.com/KlasfeldReports/status/1344352681637380098?s=20) | Background: Cyberscoop (https://www.cyberscoop.com/supreme-court-hacking-law-cfaa-research-security/) ~ ~

** SUPPORT THIS NEWSLETTER
A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps to cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
The worst hacks of 2020, a surreal pandemic year (https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/) Wired ($): 2020 was a garbage year for everyone — except for threat actors, who saw unprecedented opportunities to see their goals through. @lilyhnewman (https://twitter.com/lilyhnewman) walks us through the worst of the worst breaches, hacks and espionage campaigns — including some you may not have known about (or have forgotten). You should also read Ars Technica’s (https://arstechnica.com/information-technology/2020/12/2020-had-its-share-of-merorable-hacks-and-breaches-here-are-the-top-10/) list, which has a little overlap but also features some impressive vulnerability research.
U.K. arrests suspects tied to WeLeakInfo, a site seized for selling breached data (https://www.cyberscoop.com/weleakinfo-arrests-uk/) Cyberscoop: Some 21 people have been arrested across the U.K. for using data bought from WeLeakInfo, a site that sold breached data until it was taken down in an international sting operation almost a year ago. The people arrested, all men, included nine charged with hacking offenses, nine with fraud, and three with both. Some used the purchased data to buy RATs and other trojans. Another 69 were served cease and desist notices, warning them that they’re in the government’s crosshairs. On Christmas Day, the @NCA_UK (https://twitter.com/NCA_UK/status/1342500186191503360) put out a video of a British police officer very politely making an arrest. ~ ~
** OTHER NEWSY NUGGETS
The most dangerous people on the internet in 2020 (https://www.wired.com/story/2020-most-dangerous-people-internet/) From the Wired ($) (https://www.wired.com/story/2020-most-dangerous-people-internet/) staff: meet the most dangerous people on the internet this year. Some of these names you’ll know, and others you might never have heard of — and that’s all the more reason you need to know who’s who.
Corellium, the tiny startup driving Apple crazy, leads Forbes Cybersecurity Awards (https://www.forbes.com/sites/thomasbrewster/2021/12/27/forbes-cybersecurity-awards-2020-corellium-the-tiny-startup-driving-apple-crazy/) Corellium this week won Forbes’ best cybersecurity product award, in the same week that the company prevailed (https://www.washingtonpost.com/technology/2020/12/29/apple-corellium-lawsuit/) (in large part) in a legal case brought by Apple. Corellium lets security researchers and developers emulate iPhones and Android devices to test their apps (and hunt for security bugs) instead of having to buy expensive hardware. Apple hates that, and sued the startup earlier this year. The judge ruled that Corellium’s virtual iPhones do not infringe Apple’s copyright, but a DMCA claim remains. Greynoise (https://twitter.com/Andrew___Morris/status/1343217866645114884) also gets a mention in Forbes’ awards, as do Dragos (https://twitter.com/RobertMLee/status/1343170085582680064) and @Fox0x01 (https://twitter.com/Fox0x01/status/1343189758969851912) . ~ ~
** THE HAPPY CORNER
A quick look at the happy corner. Saying goodbye to 2020 gets an obvious honorary mention. Onwards and upwards, as they say.
@DAkacki (https://twitter.com/DAkacki/status/1344430573000011777) found a shell in the wild. Also a big congrats to @kimzetter (https://twitter.com/KimZetter/status/1344768150747840512) for winning this year’s @defcon (https://twitter.com/brysonbort/status/1344764500415832064) truth speaker award. Kim (you don’t need me to tell you this) is one of the sharpest cyber reporters, who brought us solid election security coverage throughout the year when we needed it most — and, on top of that, her recent coverage of the SolarWinds breach. Absolutely earned and deserved. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CAT & FRIENDS
This week’s cyber cat is Moe, who recently went through some health stuff but is now back to full speed and back to his usual kitten self. Thanks to Moe’s human @__runal (https://twitter.com/runal___) for the submission! Don’t forget to send in your cyber cats to be featured in an upcoming newsletter. Yes, you can now send in your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition) too. Send them in here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s it for this shorter-than-usual week, thanks to the holiday. Happy New Year! Thanks as always for reading. Feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you next Sunday.
~this week in security~ does not track email opens or link clicks.