this week in security — july 21 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 28.
** THIS WEEK, TL;DR
Browser extensions leaked browsing histories from four million users (https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/) Ars Technica: Hoo-boy. Buckle in for this one. It’s a long read — and there’s a second part (https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/) . Browser extensions used by over four million users collected and leaked the URLs of every site an extension-using computer visited. Security researcher Sam Jadali first discovered the leak and teamed up with @dangoodin001 (https://twitter.com/dangoodin001) . The two spent months digging in. They found a huge amount of sensitive information, like patient names, tax returns, surveillance videos, and more. This is this week’s absolute must read, hands down. More: Ars Technica (https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/) | Sam Jadali (https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/) | @dangoodin001 tweet thread (https://twitter.com/dangoodin001/status/1152257807120420867)
Hackers made an app that kills to prove a point (https://www.wired.com/story/medtronic-insulin-pump-hack-app/) Wired ($): This was a really good read: @lilyhnewman (https://twitter.com/lilyhnewman?lang=en) has the scoop on historical Medtronic flaws, which Medtronic refused to fix. So, researchers built an Android app which they said could be used to exploit the flaws and literally kill people. “We’ve essentially just created a universal remote for every one of these insulin pumps in the world,” said one of the researchers. That’s one way to make your point. Terrifying. Background: Wired ($) (https://www.wired.com/story/pacemaker-hack-malware-black-hat/) | Medtronic (https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed-508-paradigm.html)
Apple sends out another silent update to fix RingCentral flaw (https://www.buzzfeednews.com/article/nicolenguyen/ringcentral-and-zhumu-customers-vulnerability) BuzzFeed News: After Apple last week released a silent update (https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/) to Macs to patch the lingering Zoom flaw, Apple released another one to patch against the same bugs in white-label partners RingCentral and Zhumu, which license Zoom’s technology. Apple watcher John Gruber dug into the ethics (https://daringfireball.net/2019/07/another_zoom_update) on both sides of the fence — including why Apple should probably push these updates. More: Daring Fireball (https://daringfireball.net/2019/07/another_zoom_update)
WeChat filters images in real-time at the behest of Beijing (https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/) Citizen Lab: WeChat, one of the biggest messenger platforms in China, is filtering and censoring images in real time by detecting banned images and blocking them from being shared. Here’s the tl;dr (https://twitter.com/citizenlab/status/1151557370440507393) from Citizen Lab. It’s an impressive look at how companies in China have to operate — whether they like it or not. Archive: Citizen Lab (https://citizenlab.ca/2018/08/how-wechat-filters-images-for-one-billion-users/) | More: Quartz (https://qz.com/1666037/chinese-state-media-outlets-also-get-censored-on-wechat/) | ZDNet (https://www.zdnet.com/article/citizen-lab-wechats-real-time-censorship-system-uses-hash-indexes-to-filter-content/)
New election systems use soon-to-be vulnerable Windows software (https://apnews.com/e5e070c31f3c497fa9e6875f426ccde1) Associated Press: The AP found many counties are buying new election systems that use Windows 7 to create ballots, program voting machines, tally votes and report counts. That’s a problem because Windows 7 will no longer get security updates starting in January — months before the 2020 election is scheduled to take place. One group is planning to sue to prevent the use of potentially insecure or out-of-date voting machines. Voting machine makers said they plan on using Windows 10 for the fall (https://www.readingeagle.com/news/article/berks-county-officials-respond-to-report-that-election-system-is-vulnerable-to-hackers) but it’s not clear it’ll roll out in time for the election. More: Brennan Center (https://www.brennancenter.org/blog/us-elections-are-still-vulnerable-foreign-hacking) | Reading Eagle (https://www.readingeagle.com/news/article/berks-county-officials-respond-to-report-that-election-system-is-vulnerable-to-hackers)
Cybercom simulated a seaport cyberattack to test digital readiness (https://www.cyberscoop.com/us-cyber-command-simulated-seaport-cyberattack-test-digital-readiness/) Cyberscoop: U.S. Cyber Command simulated a cyberattack on a seaport in June as part of an exercise to test their readiness in the event of a cyberattack. The simulated attack blocked the seaport’s ability to move cargo, reports @shanvav (https://twitter.com/shanvav) . It comes just weeks after the U.S. Coast Guard issued a safety alert (https://www.cyberscoop.com/coast-guard-significant-malware-attack/) over marine cybersecurity. More: U.S. Coast Guard [PDF] (https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf) | Cyberscoop (https://www.cyberscoop.com/coast-guard-significant-malware-attack/)
A breach at Slack in 2015 comes back to haunt (https://slackhq.com/new-information-2015-incident) Slack: A previously disclosed breach in 2015 came back to bite Slack in the behind this week after the company learned that a list of passwords — around 1% of Slack accounts — had been found online and provided to the company. Anyone with a Slack account prior to March 2015 who hadn’t changed their password or wasn’t using an SSO provider should have been sent a notification. Keybase’s CEO got (https://keybase.io/blog/slack-incident) a notification and blogged about a potentially nightmarish scenario. More: Keybase (https://keybase.io/blog/slack-incident) | TechCrunch (https://techcrunch.com/2019/07/18/slack-password-breach/)
** THE STUFF YOU MIGHT’VE MISSED
How I could’ve hacked any Instagram account (https://thezerohack.com/hack-any-instagram) The Zero Hack: Great find: security researcher Laxman Muthiyah found an Instagram account bug that allowed him to brute force the two-factor code sent to a user’s phone by rotating IP addresses and exploiting issues in the site’s rate limits. Congrats on his $30,000 bug bounty!
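The Instagram bug above comes down to rate limiting keyed on the wrong thing: if failed code guesses are counted per source IP, every new IP buys a fresh allowance. As an added illustration (not code from the article, from Laxman Muthiyah, or from Instagram), here is a hypothetical in-memory one-time-code verifier written two ways, with a small constructed harness that rotates through source addresses so the difference shows up as a number. All class, function and constant names are assumptions made for the demo.

```python
"""Added example, not from the newsletter: per-account vs. per-IP attempt
limiting for a one-time code. Names and limits are hypothetical."""
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # failed guesses allowed before the code is locked
CODE_TTL_SECONDS = 300  # code expires after this many seconds


class TwoFactorVerifier:
    """Hypothetical verifier for SMS/app one-time codes (in-memory only)."""

    def __init__(self, per_ip_limits=False, clock=time.time):
        # per_ip_limits=True models the weak design: failures are counted
        # per (account, source IP), so each new IP gets a fresh allowance.
        # per_ip_limits=False counts failures per account regardless of IP.
        self.per_ip_limits = per_ip_limits
        self._clock = clock
        self._codes = {}  # account -> {"code", "issued_at", "failures"}

    def _bucket(self, source_ip):
        return source_ip if self.per_ip_limits else "*"

    def issue(self, account, code):
        """Store a fresh code; issuing a new code also resets the lockout."""
        self._codes[account] = {"code": code, "issued_at": self._clock(),
                                "failures": defaultdict(int)}

    def is_locked(self, account, source_ip):
        rec = self._codes.get(account)
        if rec is None:
            return False
        return rec["failures"][self._bucket(source_ip)] >= MAX_ATTEMPTS

    def verify(self, account, candidate, source_ip):
        rec = self._codes.get(account)
        if rec is None:
            return False
        if self._clock() - rec["issued_at"] > CODE_TTL_SECONDS:
            del self._codes[account]  # expired: a new code must be issued
            return False
        if self.is_locked(account, source_ip):
            return False
        # constant-time comparison; the code is single use on success
        if hmac.compare_digest(rec["code"].encode(), candidate.encode()):
            del self._codes[account]
            return True
        rec["failures"][self._bucket(source_ip)] += 1
        return False


def guess_until_locked(verifier, account, max_guesses=10000):
    """Constructed harness for the demo: submits 000000, 000001, ... each
    from a different source address, stopping when the verifier locks the
    account or accepts a guess. Returns (accepted, requests_sent)."""
    for i in range(max_guesses):
        ip = f"10.0.{i // 256}.{i % 256}"  # rotating address
        if verifier.is_locked(account, ip):
            return False, i
        if verifier.verify(account, f"{i:06d}", ip):
            return True, i + 1
    return False, max_guesses


if __name__ == "__main__":
    weak = TwoFactorVerifier(per_ip_limits=True)
    weak.issue("alice", "004242")
    print("per-IP limits:     ", guess_until_locked(weak, "alice"))

    hardened = TwoFactorVerifier(per_ip_limits=False)
    hardened.issue("alice", "004242")
    print("per-account limits:", guess_until_locked(hardened, "alice"))
```

With per-IP limits the harness reaches the constructed code 004242 after 4,243 requests because no single bucket ever fills; with per-account limits it is shut out after five failures. Keying on the account (or on the code itself) is what matters; an IP-based limit is only a secondary speed bump.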
Hackers breach Russia’s FSB contractor and expose anti-Tor program (https://www.bbc.com/russian/features-49050982) BBC Russia: Hackers have exposed a Russian FSB contractor, SyTech, which worked on a Tor deanonymization program. The article (translated (https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fwww.bbc.com%2Frussian%2Ffeatures-49050982) ) says it’s the largest breach in the history of Russian intelligence. Several programs were uncovered by the hackers, including a torrent infiltration program and a program aimed at monitoring and searching the email communications of Russian-based email services. How awkward!
Cracking my windshield and earning $10,000 on Tesla’s bug bounty (https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/) Sam Curry: Thanks(?) to a crack in his Tesla windshield, Sam Curry found an XSS bug in a subdomain of teslamotors.com, which pulled data from other Tesla vehicles. The bug was fixed within 12 hours.
Office 365 declared illegal in German schools due to privacy risks (https://arstechnica.com/information-technology/2019/07/germany-threatens-to-break-up-with-microsoft-office-again/) Ars Technica: Schools in German district Hesse — of around six million citizens — have banned Office 365 over spying fears — or as the Germans put it, over allegations that the company has “not been transparent.” Google Docs isn’t much better, though.
Google VP says Chinese search app Dragonfly was “terminated” (https://www.buzzfeednews.com/article/daveyalba/google-project-dragonfly-terminated-senate-hearing) BuzzFeed News: Looks like China won’t be getting its censored search any time soon. Google VP Karan Bhatia said its Chinese-focused and censor-ready search engine, codenamed Dragonfly, has been terminated. But the executive didn’t rule out the company working on tools for China going forward.
Google pulls stalker Android apps from Google Play (https://blog.avast.com/avast-identifies-stalker-apps) Avast: Avast found a bunch of stalkerware apps on Google Play — with a combined install base of about 130,000 devices. These apps could track a victim’s location, messages, and more. Google eventually removed the apps.
** OTHER NEWSY NUGGETS
10,000 Microsoft customers targeted by nation-state attacks in the last year (https://www.cyberscoop.com/microsoft-nation-state-attacks-iran-north-korea-russia/) Microsoft said 10,000 customers in the past year have been targeted by state-sponsored hackers, mostly from North Korea, Russia and Iran. In an expanded blog post (https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/) , the company said 781 organizations using its AccountGuard program — designed for political campaigns and parties — were also targeted, but the tech giant wouldn’t say (https://techcrunch.com/2019/07/17/microsoft-state-sponsored-hacking/) what percentage were actually infiltrated.
U.S. rolls out two-factor for government domains (https://home.dotgov.gov/2step/) Filed under “you’d figure this was done already but actually it wasn’t” — all .gov domains can now be protected by two-factor authentication. It’ll make it more difficult for .gov domains to get hijacked.
Why BlueKeep hasn’t wreaked havoc yet (https://www.wired.com/story/bluekeep-worm-windows/) Wired took a deep-dive into the BlueKeep flaw, the nasty wormable remote code execution vulnerability, which for some reason hasn’t started spreading. Turns out it’s not as easy as you might think. New data (https://www.bitsight.com/blog/industry-response-to-bluekeep-vulnerability) suggests at least 805,000 computers are affected. Taking NAT into account, the figure is likely a lot higher.
FaceApp: Should we be worried? Not really (https://www.forbes.com/sites/thomasbrewster/2019/07/17/faceapp-is-the-russian-face-aging-app-a-danger-to-your-privacy/#4cf976d62755) And I can’t finish off the week without a FaceApp mention. Heavy sigh. This selfie app was thrown more FUD than anything I’ve seen before. All evidence points to the viral app not being as nefarious as some have claimed. TechCrunch (i.e. me) did a traffic analysis (https://techcrunch.com/2019/07/16/ai-photo-editor-faceapp-goes-viral-again-on-ios-raises-questions-about-photo-library-access-and-clo/) and everything came back clean — as did @chronic (https://twitter.com/chronic/status/1151280938900262913) and @fs0c131y (https://twitter.com/fs0c131y/status/1151267523477889024?s=21) . It is a friendly reminder that if something is free, you are the product. They still want your data… just to better serve you ads.
** THE HAPPY CORNER
A couple of good things happened this week:
The new face of the £50 note in the U.K., starting in 2021, will be WWII codebreaker Alan Turing, reports the BBC (https://www.bbc.co.uk/news/business-48962557) . This is huge news! Only a few years ago the government had refused to pardon him for his “crimes” of being gay during a dark period in British history which criminalized LGBTQ+ people. He lost his security clearance and is believed to have died by suicide. Turing, who was eventually pardoned, cracked the Germans’ enciphered messages, helping the Allies win the war. The £50 note is the highest denomination of currency in the U.K. This is a really good way to bring his name to a new generation.
And a big happy 5th birthday to Project Zero, some of the best bug hunters on the planet. Tweets (https://twitter.com/laparisa/status/1151514393894481921) went out on Wednesday celebrating five years since the group’s inception. They even baked (https://twitter.com/itswillis/status/1151490532218155013) a cake. Congrats to all involved! If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) .
** THIS WEEK’S CYBER CAT
This week’s cybercat is Amadeus. He is done cybering for the day. According to his human he is also deaf. That’s OK! We’re an equal opportunities newsletter and we love you all the same. (You may need to enable images in this email.) If you want your cybercat featured, please submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) !
** SUGGESTION BOX
That’s it for this week — quite a busy one. As always you can leave any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a great week — see you next Sunday.