this week in security — january 6 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 1.
** THIS WEEK, TL;DR
Fewer Affected By Marriott Hack, But 5 Million Passport Numbers Stolen (https://www.apnews.com/2e2f9aad21fc4fdd87b7852e5db2327f) Associated Press: Marriott’s massive data breach affecting its 2016-acquired Starwood properties was lower than first thought — from 500 million to upwards of 383 million. Still bad, but could’ve been worse. That said, over five million unencrypted passport numbers were stolen in the breach, the company confirmed, on top of 20 million encrypted passport numbers. Not good if you’re a spy asset, according to a former NSA officer speaking to the AP. More: Reuters (https://www.reuters.com/article/us-marriott-intnl-cyber/marriott-cuts-estimate-on-size-of-massive-starwood-hack-idUSKCN1OY13K) | Marriott breach site (http://info.starwoodhotels.com)
Ransomware Attack Delays Delivery of Print Papers (https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html) Los Angeles Times: Ransomware ate my newspaper — literally. It’s the new excuse for the ages. According to the LA Times, one of the papers affected, Ryuk ransomware was blamed for shutting down its printing presses, rather than an unattributed “nation state” attacker (https://www.forbes.com/sites/daveywinder/2018/12/30/north-korea-implicated-in-attack-that-stops-wall-street-journal-and-new-york-times-presses/#af4455b20a2b) as first thought (it almost never is, but oh well). The New York Times, also affected by the ransomware-caused outage, did a better job (https://www.nytimes.com/2018/12/30/business/media/los-angeles-times-cyberattack.html) of explaining what happened. The newspaper was eventually delivered — a whole day later. More: Robert Lee (http://www.robertmlee.org/attribution-is-not-transitive-tribune-publishing-cyber-attack-as-a-case-study/) | @RobertMLee tweet thread (https://twitter.com/RobertMLee/status/1079644536073261056) | New York Times ($) (https://www.nytimes.com/2018/12/30/business/media/los-angeles-times-cyberattack.html)
Many Android Apps Send Data To Facebook, Even If You’re Not A User (https://privacyinternational.org/appdata) Privacy International: A new Privacy International investigation found that 61 percent of tested Android apps are sending data back to Facebook, even if a user doesn’t have an account, giving the social media giant a lot more data to track you with. Some of this data is “detailed” and “sometimes sensitive” — such as flight data and some health information. This is extensive and well-done research. More: Full report (https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report) | Chaos Computer Congress (https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_android)
These Are The Big Election Security Measures In The House’s New Bill (https://www.cyberscoop.com/house-democrat-bill-election-security-measures-2019-hr-1/) Cyberscoop: The Dems have taken the House, and first on the agenda is election security. H.R. 1, the first bill of the 116th session, includes several legislative fixes for election security, budget requests, bug bounties and the doing away with paperless voting machines. It won’t fix everything, but it’s a step in the right direction. Now, can we all agree that it’s time to get our nation’s finest back to work? More: Axios (https://www.axios.com/house-democrats-hr1-election-security-f6013b94-6f09-4d4d-b40e-be2c1fa73a69.html) | CNBC (https://www.cnbc.com/2019/01/03/democrats-plan-to-clean-up-dc-takes-swipe-at-corporate-america.html)
Hackers Are Hijacking Twitter Accounts To Spread Islamic State Propaganda (https://techcrunch.com/2019/01/02/hackers-islamic-state-propaganda-twitter/) TechCrunch: Twitter has an account hijack problem. So many accounts can be easily taken over because they were never verified by email — making the email addresses available to send password resets to. Some of these accounts have hefty followings, but even with a few, it’s enough to pique interest and spread propaganda. It’s a problem, one that Twitter doesn’t seem to know how to fix. (Disclosure: I wrote this story.) Related: Reuters (https://www.cnbc.com/2019/01/02/san-bernardino-shooting-suits-vs-facebook-google-twitter-dismissed–.html) | @WauchulaGhost tweet thread (https://twitter.com/WauchulaGhost/status/1081716006580412416)
Microsoft Testing ‘Bali’, A Data Control System (https://www.zdnet.com/article/microsoft-is-privately-testing-bali-a-way-to-give-users-control-of-data-collected-about-them/) ZDNet: Here’s an interesting one from @maryjofoley (https://twitter.com/maryjofoley). A Microsoft Research program, codenamed ‘Bali’, aims to give users access to their own “personal data bank.” Specifically, the not-yet-released app will “allow the user to visualize, manage, control, share and monetize the data.” That would be cool — so many companies now give us access to the data they store on us (thanks GDPR!), but it’s presented in a terrible, difficult-to-understand way. More: @never_released on Twitter (https://twitter.com/never_released/status/1080468842541924352)
** THE STUFF YOU MIGHT’VE MISSED
First data breach of 2019 disclosed on… January 1 (https://twitter.com/troyhunt/status/1080017959114821632?s=21) ABC News: Australia’s Victoria government had 30,000 employees’ data stolen (https://www.abc.net.au/news/2019-01-01/victorian-government-employee-directory-data-breach/10676932) in what’s believed to be the first data breach of 2019. It sounds like the corporate directory was stolen, as the stolen data “contains work emails, job titles and work phone numbers.” As @troyhunt (https://twitter.com/troyhunt/status/1080017959114821632?s=21) tweeted: “We didn’t even make it through one day in 2019!”
Intel’s elite team still fighting Meltdown and Spectre (https://www.wired.com/story/intel-meltdown-spectre-storm/) Wired ($): It’s been a whole year since Meltdown and Spectre graced us with their presence. @lilyhnewman (https://twitter.com/lilyhnewman) did a deep-dive on the team of about 60 people inside Intel trying to fix the chip bugs that can retrieve protected data from the processor’s memory.
India’s Aadhaar database is still going, despite leaks and breaches (https://qz.com/india/1501568/in-2018-supreme-court-backed-indias-aadhaar-despite-data-leaks/) Quartz India: India’s national identity and biometric database has been a worry for security experts for years. The past year saw several security issues (some of which I covered (https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/), which the Indian authorities shot down as “fake news.” Thanks for that.) The database now contains data on over 1.2 billion Indians — and, though it was found problematic, it was ruled constitutional by the country’s supreme court. But not all has gone to plan, including people reliant on Aadhaar literally starving to death because of a faulty implementation of the database. This is an interesting but deeply saddening read (https://qz.com/india/1501568/in-2018-supreme-court-backed-indias-aadhaar-despite-data-leaks/).
A brief update on MalwareTech’s case (https://www.emptywheel.net/2019/01/04/prosecutors-cite-osiris-in-an-attempt-to-resuscitate-dead-law-against-marcus-hutchins/) Emptywheel: Marcy Wheeler (https://twitter.com/emptywheel), everyone’s favorite national security blogger, digs into recent developments in Marcus Hutchins’ (https://twitter.com/malwaretechblog?lang=en) legal case. It doesn’t look so hot for the prosecutors, who have begun grasping at straws in their latest filing. As Wheeler explains: “Hutchins is on trial for code he wrote years ago, some of it while he was a minor. Because people associated with later generations of that code — with its literal rebirth as a new product — are causing havoc, the government is intent on holding him accountable.” In other words, this ruling could have a nasty effect on a lot of people who write code that later gets abused by other people. If you don’t read Wheeler already, you absolutely should (https://www.emptywheel.net/).
** OTHER NEWSY NUGGETS
CastHack busts exposed Chromecast devices — well, kinda You probably heard about the CastHack security issue (https://casthack.thehackergiraffe.com/) this week. Was it Chromecast at risk or your crappy router? In short, a hacker found thousands of Chromecasts exposed to the internet thanks to port forwarding, hijacked them and began broadcasting a warning about the security issue on their owners’ TV sets. Some say it was UPnP, some said it wasn’t. @GossiTheDog (https://twitter.com/GossiTheDog/) did a good tweet thread (https://twitter.com/GossiTheDog/status/1080478697696776192) on what happened, and @0xAmit (https://twitter.com/0xAmit) did a good post-mortem (https://twitter.com/0xAmit/status/1081262431840673792) on the many issues with UPnP, regardless. Meanwhile, @TheKenMunroShow (https://twitter.com/TheKenMunroShow) et al are finding new and interesting ways (https://www.pentestpartners.com/security-blog/hacking-the-echo-echo-echo/) to exploit Chromecasts by tricking other smart home devices — like the Amazon Echo — into accepting malicious commands. “Alexa, buy an iPad.” (Seriously! (https://techcrunch.com/2019/01/02/chromecast-bug-hackers-havoc/))
Global hacking tensions rise as China-U.S. “no hacking” deal collapses After the Justice Dept. effectively called out China (https://techcrunch.com/2018/12/20/us-indictment-tech-hacks-chinese/) a few weeks ago for hacking U.S. companies despite a promise that neither would attack the other in cyberspace, tensions have escalated — dramatically. Not just with the arrest of Huawei’s CFO Meng Wanzhou in Canada at the request of U.S. authorities, but in China, too. So far, over a dozen Canadians have been arrested in China since Meng was detained — effectively using them as bargaining chips, and using Canada as a proxy in a war between the U.S. and China. The Globe and Mail (https://www.theglobeandmail.com/politics/article-thirteen-canadians-detained-in-china-since-huawei-executives-arrest/) has good reporting on this. As @kimzetter (https://twitter.com/kimzetter/status/1080949373633064960?s=21) noted, several former NSA hackers have warned that former U.S. government workers could soon face indictments in China — just as Chinese hackers are indicted in the U.S. all the time — which could lead to things getting really messy.
Defeating reCAPTCHA with Google’s own tools A little embarrassing for Google: @FGRibreau (https://twitter.com/FGRibreau) found that you can trick Google’s reCAPTCHA challenge (https://twitter.com/FGRibreau/status/1080810518493966337) by downloading the MP3 audio and funnelling it through Google’s own Speech2Text API — and submitting the answer. It works really well! He even put the code on GitHub (https://github.com/ecthros/uncaptcha2) like an absolute hero.
** GOOD PEOPLE DOING GOOD THINGS
Here are a few for you this week.
Journalists and media folk! @hacks4pancakes (https://twitter.com/hacks4pancakes/) and @selenalarson (https://twitter.com/selenalarson/) are putting on another free one-day seminar at Dragos’ HQ in Baltimore on January 17. It’s a starter workshop on all things ICS security: what it is, why it matters, and how to convey these issues to your readers — and a lot more. I went last year to the first one and it was extremely detailed and insightful. Highly recommended from yours truly. You can find more info here (https://twitter.com/hacks4pancakes/status/1080525241644969984?s=21).
@J0hnnyXm4s (https://twitter.com/j0hnnyxm4s) did some ‘grade A’ trolling this week by tricking a malicious bot into solving JavaScript-based cryptographic challenges (https://twitter.com/j0hnnyxm4s/status/1081227041255706626?s=21) every time it hit his network, forcing the bot to burn expensive CPU resources. Good luck with that AWS bill, attacker!
A new addition to @patrickwardle’s (https://twitter.com/patrickwardle?lang=en) security keychain: ReiKey (https://objective-see.com/products/reikey.html), a keylogger detector for macOS. ZDNet covered the big reveal (https://www.zdnet.com/article/new-reikey-app-can-detect-macos-keyloggers/). The new app is meant to protect against the most common types of macOS keyloggers — because, as we all know, Macs aren’t immune (https://objective-see.com/blog/blog_0x3B.html) to malware. Add ReiKey to the many free Mac tools that Wardle’s created (https://objective-see.com/products.html) over the years. And yes, of course, the code is on GitHub (https://github.com/objective-see/ReiKey).
And a late entry from @Viss (https://twitter.com/Viss/) : a bullshit-infused breach announcement bingo board (https://twitter.com/Viss/status/1081285841333321735) for anyone keeping track of all the buzzwords and nonsense out of security disclosures. I’m really looking forward to using this in the future on the next big breach.
Y’all are good people.
** THIS WEEK’S CYBER CAT
This week’s cybercat is Bella. She likes to keep an eye out for hackers while guarding her human’s laptop. Thanks to Chris Maiura for the submission. (You may need to enable images in this email.) If you want your cybercat featured in a future newsletter, send along their name, a photo and a description to: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
Lastly, a quick thank you to William Knowles and Eric Mill for donations this week for keeping this newsletter going. Hugely appreciated! The support has been overwhelming — and will keep the newsletter going for well over a year.
Enjoy the rest of your weekend, and hope you have a great week. And, Happy New Year! If you have any feedback, drop it in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform).