this week in security — july 14 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 27.
** THIS WEEK, TL;DR
Zoom security flaw exposes four million users, Apple steps in (https://www.buzzfeednews.com/article/nicolenguyen/zoom-webcam-hacker-watching-you-vulnerability) BuzzFeed News: Zoom was caught in a storm this week after a researcher found the popular video chat app left a hidden and undocumented web server on Macs, which ran in the background and wasn’t removed (https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5) when the app was uninstalled. That meant anyone could join users to a call, often without their permission. Zoom’s response (https://news.ycombinator.com/item?id=20389812) was probably worse than the bug itself. Here’s NIST’s writeup (https://nvd.nist.gov/vuln/detail/CVE-2019-13450) on the bug. In the end, Apple pushed a silent update (https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/) to Macs to patch the bug and prevent exploitation. More: TechCrunch (https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/) | Zoom blog (https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/) | Medium (https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5)
Mozilla blocks DarkMatter from becoming an internet security guardian (https://www.reuters.com/article/us-usa-cyber-mozilla/mozilla-blocks-uae-bid-to-become-an-internet-security-guardian-after-hacking-reports-idUSKCN1U42CA) Reuters: DarkMatter, a UAE surveillance and hacking outfit, was recently accused of targeting journalists and high-profile critics of the UAE government — but the company’s side business as a certificate authority has a clean track record. So when the hackers asked to be included on Mozilla’s whitelist, it put the Firefox browser maker in a bind. The fear was that DarkMatter could abuse its position to spy on users. In the end, Mozilla dropped DarkMatter like it’s hot and refused, calling the company a “significant risk” to its users. Background: Reuters (https://www.reuters.com/investigates/special-report/usa-spying-raven/) | ZDNet (https://www.zdnet.com/article/surveillance-firm-asks-mozilla-to-be-included-in-firefoxs-certificate-whitelist/)
British Airways hit by record $230M fine for breach (https://www.bbc.com/news/business-48905907) BBC News: The U.K. data protection watchdog handed down a record $230 million fine to British Airways for its credit card breach, in which card skimmers installed malware on the airline’s website and downloaded 500,000 users’ data over a period of several weeks. It’s the biggest U.K. fine handed out since GDPR went into effect. A day later Marriott, which owns Starwood, was fined (https://techcrunch.com/2019/07/09/marriott-data-breach-uk-fine/) $123 million for its guest booking system hack last year. More: Information Commissioner’s Office (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-ico-announces-intention-to-fine-british-airways/)
The sinkhole that saved the internet (https://techcrunch.com/2019/07/08/the-wannacry-sinkhole/) TechCrunch: Particularly proud of this 3,300-word behemoth. It’s a deep-dive into the WannaCry attack two years ago. I spoke to the two researchers, @malwaretechblog (https://twitter.com/MalwareTechBlog) and @2sec4u (https://twitter.com/2sec4u), who found the “kill switch” and kept it alive for a week, despite police raids and botnet attacks, until they handed it off to Cloudflare. The kill switch was the only thing keeping another outbreak at bay. @2sec4u (https://twitter.com/2sec4u) described it as the most stressful week of his life. No more relevant than now given the current threat posed by BlueKeep. (Disclosure: I wrote this story.) More: @2sec4u (https://twitter.com/2sec4u/status/1148325541579239426) | @zackwhittaker (https://twitter.com/zackwhittaker/status/1148342297492381701)
Congress is in the dark on new U.S. cyberattack rules (https://www.wsj.com/articles/trump-administration-hasnt-briefed-congress-on-new-rules-for-cyberattacks-lawmakers-say-11562787360) Wall Street Journal ($): Here’s an interesting one from @dnvolz (https://twitter.com/dnvolz/status/1149040196861734913?s=21). The Trump administration has refused to allow lawmakers in Congress to see a classified order issued by the president a year ago that explains how the government decides, plans and operates its use of cyber-weapons, despite bipartisan efforts to receive the directive. Worst timing possible given the recent offensive U.S. cyberattack against Iran (https://news.yahoo.com/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html) a few weeks ago. Background: Yahoo News (https://news.yahoo.com/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html) | More: Washington Post ($) (https://www.washingtonpost.com/world/national-security/with-trumps-approval-pentagon-launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-11e9-b570-6416efdc0803_story.html?utm_term=.e2cb41f9759a)
ICE uses facial recognition to sift through driver’s license photos (https://www.npr.org/2019/07/08/739491857/ice-uses-facial-recognition-to-sift-state-drivers-license-records-researchers-sa) NPR: Immigration officials are sifting through and mining facial recognition data from millions of driver’s license photos, according to documents obtained by Georgetown University. Federal agencies weren’t given congressional approval to mine the data, but did it anyway over a span of five years. In some cases ICE agents would simply ask states for the data without bothering with a warrant. More: Washington Post ($) (https://www.washingtonpost.com/technology/2019/07/07/fbi-ice-find-state-drivers-license-photos-are-gold-mine-facial-recognition-searches/?utm_term=.206f2dcceab7) | New York Times ($) (https://www.nytimes.com/2019/07/07/us/politics/ice-drivers-licenses-facial-recognition.html?smid=nytcore-ios-share)
Cybercom’s latest warning is a win for government data sharing (https://www.cyberscoop.com/cyber-command-information-sharing-virustotal-iran-russia/) Cyberscoop: @shanvav (https://twitter.com/shanvav) has a deep-dive into Cyber Command’s latest malware sample share, which was submitted to VirusTotal and tweeted (https://twitter.com/CNMF_VirusAlert/status/1146130046127681536) out. In the rare case the DoD agency goes public with malware it finds, the government does it as a power move to demonstrate agencies’ “visibility into attacks in order to discourage adversaries from launching more.” More: @cnmf_virusalert (https://twitter.com/CNMF_VirusAlert/status/1146130046127681536) | FireEye (https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html)
This is Palantir’s secret user manual for cops (https://www.vice.com/en_us/article/9kx4z8/revealed-this-is-palantirs-top-secret-user-manual-for-cops) Motherboard: This was a really good get by Motherboard. Palantir, the secretive surveillance company in Silicon Valley, is used in hundreds (https://www.vice.com/en_us/article/neapqg/300-californian-cities-secretly-have-access-to-palantir) of California districts alone — and many across the U.S. for various reasons — including law and immigration enforcement. This document gives the first major insight into Palantir’s capabilities — and the kinds of companies that use it. More: Wired ($) (https://www.wired.com/story/palantir-surveillance-apple-watch-security-roundup/) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Seriously, stop using RSA (https://blog.trailofbits.com/2019/07/08/fuck-rsa/) Trail of Bits: “RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid,” writes Trail of Bits. “While it may be theoretically possible to implement RSA correctly, decades of devastating attacks have proven that such a feat may be unachievable in practice.” Maybe it’s time you should move away from RSA if you haven’t already. This is a good read on why.
How U.S. tech giants are helping build China’s spy state (https://theintercept.com/2019/07/11/china-surveillance-google-ibm-semptian/) The Intercept: The blandly named OpenPower Foundation, a non-profit set up by Google and IBM executives, is helping Chinese chip maker Semptian to create far more advanced microprocessors which are said to be critical in China’s surveillance market. Semptian claims its technology is used to covertly monitor the internet activity of 200 million citizens. Sen. Mark Warner (D-VA) said it was “disturbing to see that China has successfully recruited Western companies” to build out its surveillance machine. Slate (https://slate.com/technology/2019/07/automatic-license-plate-readers-hoa-police-openalpr.html) has an interesting read on how automatic license plate readers (ALPR) are creeping into neighborhoods all across the U.S.
Can you trust Huawei or any other networks supplier for that matter? (https://www.theregister.co.uk/2019/07/10/huawei_feature/) The Register: This is a good short-ish read on the risks associated with any network equipment supplier, not just Huawei. Given Cisco hardware is also riddled with bugs, who can you trust? This piece says often decisions are made based on what’s politically efficient, and not what’s necessarily most secure.
Why aren’t more journalism schools teaching digital security? (https://freedom.press/news/why-arent-more-journalism-schools-teaching-security-hygiene/) Freedom of the Press Foundation: Ever wonder why journalism schools aren’t teaching digital security or basic opsec? So did @mshelton (https://twitter.com/mshelton), who penned a piece for the Freedom of the Press Foundation. It’s more important than ever to keep sources’ identities safe, so why aren’t schools teaching it? There are some bucking the trend but many still aren’t. It’s suggested that it’s more overlooked than deliberately avoided.
Camera and microphone require https in Firefox 68 (https://blog.mozilla.org/webrtc/camera-microphone-require-https-in-firefox-68/) Mozilla: Going forward, from Firefox 68 all camera and microphone access will require an HTTPS connection. An insecure HTTP connection simply won’t work, matching how Chrome already behaves. ~ ~
** OTHER NEWSY NUGGETS
Florida city paid a ransom but its pains are not over (https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html) A cautionary tale from Lake City, Florida, told by The New York Times ($) (https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html), about how the city paid to get its documents back after a ransomware attack but not everything was restored. Audrey Sikes, city clerk, “spent years digitizing all the papers of a city that incorporated before the Civil War.” But all those documents still have not been decrypted, she said. “It puts us years and years and years behind,” Sikes said.
Ruby password library backdoored (https://withatwist.dev/strong-password-rubygem-hijacked.html) Beware if you use the “strong_password” Ruby library. It contained a backdoor, which downloaded and ran a second payload from Pastebin. That allowed the attacker — whose identity isn’t known — to run code inside any app that included the backdoored library. The library owner explained how this happened in a Hacker News thread (https://news.ycombinator.com/item?id=20382779).
FEC approves discounted cybersecurity help for federal campaigns (https://www.fec.gov/updates/fec-approves-three-advisory-opinions-07-11-2019/) Some good news: the FEC now says it will allow one security company to offer discounted help to federal political campaigns, such as for president and Congress. Area 1 Security, which brought the case to the FEC, is allowed to provide services to fight disinformation campaigns and hacking efforts, both of which were prevalent during the 2016 presidential election. The ruling was made because Area 1 said it was not giving anyone a special deal — which could’ve been seen as an “in kind donation” (https://techcrunch.com/2019/07/12/fec-discounted-cybersecurity-campaigns/) — but offering campaigns the same price as other customers on its lowest tier of service.
Cisco says DNS hijacking campaign continues on (https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html) Cisco researchers at its Talos group say DNS hijacking, which first triggered alarms earlier this year (https://www.icann.org/news/announcement-2019-02-22-en), continues to pose a problem. The researchers say a new hijacking technique is currently in play. There are a few new nuggets in here (https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html) that network defenders need to know. “Unfortunately, unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent,” they write. Maybe it’s time to DNSSEC up your domains?
Apple patches iMessage bug that bricks iPhones (https://threatpost.com/apple-patches-imessage-bug/146277/) “Apple patched a high-severity iMessage bug found by Google Project Zero that can be exploited by an attacker who sends a specially-crafted message to a vulnerable iOS device,” reports Threatpost. “Those iPhones receiving the malicious message are rendered inoperable, or bricked.” Apple patched the bug in iOS 12.3 (https://twitter.com/zackwhittaker/status/1146549651765682176) in mid-May.
What happened with Firefox’s add-ons outage? (https://hacks.mozilla.org/2019/07/add-ons-outage-post-mortem-result/) Remember earlier this year when Firefox ground to a halt because an expired certificate meant add-ons weren’t loading? Mozilla posted its post-mortem this week and finally confirmed it: yeah, they let the certificate expire, and apologized for the outage. Turns out it was a bit more complicated than we first thought: “The team responsible for the system which generated the signatures knew that the certificate was expiring but thought (incorrectly) that Firefox ignored the expiration dates,” the blog post said.
U.K. porn site age verification system “a mess” (https://apnews.com/632fde45a57b4c318be323d76aea79a6) U.K. efforts to police online porn aren’t going so well. After delay after delay, the porn verification system is slated to go into effect later this year. Anyone over 18 must obtain proof that they’re old enough to access online porn. What’s the catch? “The British government isn’t operating the system itself. Instead, it’s being outsourced to private companies, which can sell their own age verification technology to porn sites.” Hoo-boy. If this is the first time you’re hearing of this, buckle up. This AP dispatch (https://apnews.com/632fde45a57b4c318be323d76aea79a6) has a good rundown of just how bad it is.
Google mea-culpas on leaked Google Assistant user recordings (https://techcrunch.com/2019/07/11/google-is-investigating-the-source-of-voice-data-leak-plans-to-update-its-privacy-policies/) Google was forced to respond to a report this week by a Belgian broadcaster, which revealed contractors had access to Google Assistant user recordings — similar to the situation with Amazon’s Echo (https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio). Google said in its blog post (https://www.blog.google/products/assistant/more-information-about-our-processes-safeguard-speech-data/) that language experts “only review around 0.2 percent of all audio snippets.” Assuming users collectively ask their devices a billion requests per year, that’s still two million recordings. ~ ~
** THE HAPPY CORNER
Some good news this week:
Google browser boss Parisa Tabriz (https://twitter.com/laparisa/status/1149001375474257921) was named in Fortune’s 40 Under 40 List (https://fortune.com/40-under-40/2019/parisa-tabriz/). If you recall, Tabriz was last year’s Black Hat keynote speaker (https://twitter.com/laparisa/status/1027932436649275392). You can read more about what her team does in this Fortune profile (https://fortune.com/2017/06/23/google-project-zero-hacker-swat-team/). A big congrats to Parisa — an honor well deserved.
And given Hacker Summer Camp (Black Hat and Def Con) is just a few weeks away, here’s what you can expect from the Wi-Fi networks. A big thanks to @Scott_Helme (https://twitter.com/Scott_Helme/status/1149760141237149696) for posting this — a laugh we all needed this week.
If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place). ~ ~
** THIS WEEK’S CYBER CAT
This is Blackie, this week’s cybercat, who wants to remind you to use long, unique passwords and two-factor all the things. A big thanks to @siraero (https://twitter.com/siraero) for the submission. (You may need to enable images in this email.) You can submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20). ~ ~
** SUGGESTION BOX
That’s all for now. Feel free to leave any comments or feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Hope you have a great week — see you next Sunday. ~ ~