this week in security — january 5 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 1
~ ~
** THIS WEEK, TL;DR
Iran may launch “destructive” cyberattacks against the U.S. (https://www.technologyreview.com/s/615006/iran-may-launch-destructive-cyberattacks-against-the-us-experts-warn/) MIT Technology Review ($): So this has been a week. The aftermath of the killing of top Iranian military leader Qasem Suleimani is likely to spill into the cyber-world, say experts, who warn that “disruptive and destructive” cyberattacks are on the cards. Iran is one of the most active cyber-actors on the world stage, with some of the most powerful and destructive capabilities in its digital arsenal. Homeland Security’s CISA put out a statement (https://www.dhs.gov/news/2019/06/22/cisa-statement-iranian-cybersecurity-threats) about the increased threat. More: NBC News (https://www.nbcnews.com/tech/security/iran-strike-puts-u-s-cybersecurity-experts-alert-n1110256) | Wired ($) (https://www.wired.com/story/iran-soleimani-cyberattack-hackers/) | CISA (https://www.dhs.gov/news/2019/06/22/cisa-statement-iranian-cybersecurity-threats)
Inside the secret battle to save America’s undercover spies in the digital age (https://news.yahoo.com/shattered-inside-the-secret-battle-to-save-americas-undercover-spies-in-the-digital-age-100029026.html?soc_src=hl-viewer&soc_trk=tw) Yahoo News: A long read from @JennaMC_Laugh (https://twitter.com/JennaMC_Laugh) and @zachsdorfman (https://twitter.com/zachsdorfman) : spies are finding it tougher in the internet age to meet sources and steal secrets. The amount of surveillance is so pervasive in some cities, like London, that CIA officers “are no longer followed on the way to meetings because local governments no longer see the need.” Biometrics, facial recognition — and yes, even DNA self-testing kits (which they also covered (https://news.yahoo.com/pentagon-warns-military-members-dna-kits-pose-personal-and-operational-risks-173304318.html) ) — are all threatening the undercover spy world. “Even a switch of employer, or an unexplained gap in one’s résumé, can be a giveaway to a foreign intelligence service,” their report said. More: @JennaMC_Laugh tweets (https://twitter.com/JennaMC_Laugh/status/1212046870236848134) | @kevincollier (https://twitter.com/kevincollier/status/1211671107570262017)
Ryuk ransomware took down a U.S. Coast Guard facility (https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/) Bleeping Computer: Operations at a U.S. Coast Guard facility shut down for more than 30 hours after Ryuk ransomware struck, according to a Marine Safety Information Bulletin. A phishing email was likely the cause, the bulletin said. Although details are limited, the ransomware reportedly shut down the “entire corporate IT network.” More: ZDNet (https://www.zdnet.com/article/us-coast-guard-discloses-ryuk-ransomware-infection-at-maritime-facility/)
Ghosts in the clouds: Inside China’s major corporate hack (https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061) Wall Street Journal ($): Another long-ish read: the “Cloud Hopper” breaches by China into major companies like HPE and IBM, first reported (https://www.reuters.com/article/us-china-cyber-hpe-ibm-exclusive/exclusive-china-hacked-hpe-ibm-and-then-attacked-clients-sources-idUSKCN1OJ2OY) by Reuters in 2018, were far bigger than first thought. Once the hackers were in, they could “hop” from client to client, stealing data as they went. The hackers were so adept that HPE allegedly struggled to keep them out, even as it told customers they were all clear. “It’s an open question whether hackers remain inside companies’ networks today,” the reporters wrote. More: @dnvolz (https://twitter.com/dnvolz/status/1211717994440736768) | @JChengWSJ (https://twitter.com/JChengWSJ/status/1211852224969633794) | PwC (https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html)
White House expands use of cyber weapons, despite secrecy (https://www.wsj.com/articles/white-house-expands-use-of-cyber-weapons-but-stays-secretive-on-policies-11577728030) Wall Street Journal ($): While the Trump administration has increased efforts to use and deploy offensive cyber capabilities to targets overseas, lawmakers say they haven’t been kept as in the loop as they would have liked, the Journal reports. Members of Congress still haven’t seen the presidential directive that authorizes their use, more than a year after it was signed by Trump. Background: BBC News (https://www.bbc.com/news/technology-45208776)
Travelex ‘suspends services’ after cyberattack (https://www.bbc.com/news/business-50977582) BBC News: Foreign currency exchange Travelex was largely offline over the New Year’s holiday after it confirmed a cyberattack. It wouldn’t say what happened, only that it was hit by malware on Dec. 31, and that customer data was not compromised — leading to speculation that it was a ransomware attack (or at the very least, a precursor to ransomware, like a Dridex or Emotet infection). Not too surprising if that’s the case, given some major companies have been hit in recent months. More: TechCrunch (https://techcrunch.com/2020/01/02/travelex-malware/)
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Microsoft takes court action against fourth nation-state cybercrime group (https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/) Microsoft: Software and services giant Microsoft is suing (for the fourth time) a nation-state hacking group, this one associated with North Korea. If Microsoft prevails, the court will grant it ownership of a number of domains the hackers used to send spearphishing emails, so it can sinkhole them and take them offline. Most of the targets of this APT group were in South Korea, Japan and the United States, the company said.
Caterpillar padlocks all use the same key (https://boingboing.net/2019/01/02/caterpillar-padlocks-all-use-t.html) Boing Boing: I couldn’t resist dropping this in: from the LockPickingLawyer (https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ) , it turns out that all Caterpillar padlocks use the same key. If you ever lose a key, just buy another padlock.
Ransomware delivered to organizations via Pulse Secure VPN flaw (https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9) Double Pulsar: @GossiTheDog (https://twitter.com/GossiTheDog) says a widely reported flaw in Pulse Secure, a corporate VPN solution, has been used to deliver ransomware to victim organizations that haven’t patched their installations since the flaw was publicly disclosed last year. The flaw is bad: anyone, even without a valid username and password, can get access to the corporate network. Thousands of hosts remain unpatched, and the flaw is now being used to deliver ransomware, like REvil, so attackers can make an extra buck.
Apple accused of crackdown on jailbreaking (https://www.bbc.com/news/technology-50956680) BBC News: We all know jailbreaking — exploiting bugs in iOS to gain access to more features of the device — can be detrimental to device security, but it remains highly useful for security researchers to find and test vulnerabilities. That UAE spy app ToTok (https://www.bbc.com/news/technology-50890846) discovered last week was only found because @patrickwardle (https://twitter.com/patrickwardle/status/1210742545451323392) used a jailbreak! But Apple is cracking down and using its lawsuit against Corellium almost as a proxy fight against jailbreakers. Court case aside, security researchers say it’s a move that could damage security research across Apple platforms, which, let’s face it, will only hurt Apple and its customers. iFixit also has a good explainer (https://www.ifixit.com/News/apple-is-bullying-a-security-company-with-a-dangerous-dmca-lawsuit) .
~ ~
** SUPPORT THIS NEWSLETTER
Happy New Year, and a big thanks for reading. As subscribers and costs go up, please consider supporting this newsletter by contributing to its Patreon (https://www.patreon.com/thisweekinsecurity) . Donate from $1/month — or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) . Thanks for your support. ~ ~
** OTHER NEWSY NUGGETS
Police tracked a terror suspect — until a Facebook warning (https://www.wsj.com/articles/police-tracked-a-terror-suspectuntil-his-phone-went-dark-after-a-facebook-warning-11577996973) The Wall Street Journal ($) has a long read on how police in Europe tracked a terrorist linked to the so-called Islamic State using a WhatsApp exploit developed by NSO Group, until his phone went dark after Facebook detected the exploit and warned targeted users. The same exploit was also used against journalists and activists. Many criticized (https://twitter.com/oxleyio/status/1212839602815418369) the framing of the article, though it still offers an interesting backstory. @evacide (https://twitter.com/evacide/status/1212856709812604928) had some rare praise for Facebook, which “did the right thing by providing WhatsApp users with strong encryption and warning them when they’re compromised.”
IoT company Wyze leaks email addresses and device data (https://threatpost.com/iot-company-wyze-leaks-emails-device-data-of-2-4m/151451/) Some 2.4 million records were exposed after Wyze left an Elasticsearch database online without a password. It wasn’t a huge amount of sensitive data — email addresses, the names of Wi-Fi networks and some other metrics — but still embarrassing. Wyze blamed (https://forums.wyzecam.com/t/updated-12-30-19-data-leak-12-26-2019/79046) employee error.
U.S. legislation on spread of cyber tools passes after Reuters investigation (https://www.reuters.com/article/us-usa-spying/u-s-legislation-on-spread-of-cyber-tools-passes-after-reuters-investigation-idUSKBN1Z11KS?il=0) This is a great example of good journalism effecting change: a new U.S. law mandates that the State Department must disclose how it polices the sale of its offensive cyber tools and services abroad. It comes in the wake of Reuters’ investigations into a UAE-backed hacking group (https://www.reuters.com/investigates/special-report/usa-spying-raven/) . Under U.S. law, companies selling hacking products to foreign governments must first ask State for permission. ~ ~
** THE HAPPY CORNER
New year, a new batch of happy news. @andrew_strutt (https://twitter.com/andrew_strutt/status/1212185266447884288?s=21) flagged this spoof security site: undocumentedadm.in (https://undocumentedadm.in/) . “Are you in IT security yet not allowed to patch vulnerable systems? Enter Undocumented Admin!” the site reads. Hilarious stuff.
Good news! California’s Consumer Privacy Act (https://techcrunch.com/2020/01/01/the-california-consumer-privacy-act-officially-takes-effect-today/) is now in force — though enforcement won’t kick in for another six months. That means anyone in California can now ask that companies don’t sell their data, and can also request a copy of the data that companies hold on them. A collaborative effort makes it easier (https://techcrunch.com/2020/01/02/california-privacy-opt-out-data/) to find links to companies’ CCPA-specific pages, so Californians can exercise their rights. The so-called California Privacy Directory (http://caprivacy.me/) , set up by @decryptlyfe (https://twitter.com/decryptlyfe) , is a great resource.
And finally: @vmyths (https://twitter.com/vmyths/status/1212201412068818944?s=21) put a QR code on the back of his car which, when spotted by a license plate reader, “could trigger antivirus software to quarantine those databases.” Now that’s mischief. It’s a brilliant thread (https://twitter.com/vmyths/status/1212201412068818944) . If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
Meet Dalinar, this week’s cybercat, who’s reminding you to use a password manager and app-based two-factor. New year, new you. Thanks to Keith Hoodlet (https://twitter.com/securingdev) for the submission! Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
Thanks for reading! If you have any feedback, please feel free to drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Hope you have a great week — see you next Sunday.