this week in security — july 7 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 26.
** THIS WEEK, TL;DR
China is forcing tourists to install malware at its border (https://www.vice.com/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware) Motherboard: Tourists entering China are being forced to install malware on their phones that gives the authorities access to their text messages, call logs, calendar entries and other data, Motherboard reported alongside several other outlets. The authorities are reportedly scanning for Islamic content and other flagged material. It comes amid the country’s ongoing persecution of the Uighur minority in Xinjiang. The Guardian has more (https://www.theguardian.com/world/2019/jul/02/how-chinese-spy-app-allows-officials-to-harvest-personal-data) . More: The New York Times ($) (https://www.nytimes.com/2019/07/02/technology/china-xinjiang-app.html) | Motherboard (https://www.vice.com/en_us/article/neayxd/anti-virus-companies-now-flag-malware-china-installs-on-tourists-phones-xinjiang) | GitHub (https://github.com/motherboardgithub/bxaq)
Researchers crack open Facebook campaign that pushed malware for years (https://arstechnica.com/information-technology/2019/07/five-year-old-facebook-campaign-pushed-malware-on-100000-followers/) Ars Technica: Security researchers have found a network of Facebook accounts that used Libya-themed news and topics to push malware to tens of thousands of unsuspecting users over the course of five years. The remote access tools, including Houdini, Remcos and SpyNote, were mostly hosted on file-sharing services such as Google Drive, Dropbox and Box, reports @dangoodin001 (https://twitter.com/dangoodin001) . Facebook said it “took them down” once the pages were reported to it, but didn’t say why it had failed to spot the activity itself given its “heavy investment” in preventing exactly this. More: Check Point (https://research.checkpoint.com/operation-tripoli/)
Border subcontractor suspended after hack revealed sensitive files (https://www.washingtonpost.com/technology/2019/07/02/border-surveillance-subcontractor-suspended-after-cyberattack-misuse-traveler-images/?utm_term=.e2e08b41921a) Washington Post ($): A rare punishment for a Customs & Border Protection subcontractor: Perceptics, blamed for the exposure of thousands of border images and other sensitive government data after a hack (https://www.theregister.co.uk/2019/05/23/perceptics_hacked_license_plate_recognition/) in May, has been suspended from government contracting work. According to CBP, Perceptics wasn’t supposed to store the government data on its own networks at all. The agency didn’t say exactly why it suspended the company, but put two and two together and you (probably) have your answer. More: TechCrunch (https://techcrunch.com/2019/06/10/cbp-data-breach/)
YouTube briefly blocks and suspends hacking videos (https://www.theverge.com/2019/7/3/20681586/youtube-ban-instructional-hacking-phishing-videos-cyber-weapons-lab-strike) The Verge: Earlier this week YouTube began blocking (https://twitter.com/KodyKinzie/status/1146196570083192832) instructional hacking videos. Funny that it was banning hacking videos while leaving a great deal of questionable material (https://twitter.com/MalwareJake/status/1146742270856695809) on the site. Even ThugCrowd got banned (https://twitter.com/thugcrowd/status/1038792429216911360) . For a while Pornhub looked like the last bastion of free speech on the internet. YouTube later admitted it was a mistake and reinstated many of the accounts. More: @Thugcrowd (https://twitter.com/thugcrowd/status/1038792429216911360) | @YouTubeInsider (https://twitter.com/YouTubeInsider/status/1147233238290534401)
We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can’t upload it. YouTube now bans: “Instructional hacking and phishing: Showing users how to bypass secure computer systems”
Apple and Google let domestic abusers stalk victims (https://www.wired.com/story/common-apps-domestic-abusers-stalk-victims/) Wired ($): For a few days @a_greenberg (https://twitter.com/a_greenberg) let his wife track his iPhone wherever he went to test out stalkerware. These mobile spy apps are often marketed as a way to catch a cheating spouse in the act, but many are used for stalking and other nefarious purposes. Apple and Google could do far more to notify or remind users that their location is being tracked, but they don’t — yet, at least. More: Wired (https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/) | ZDNet (https://www.zdnet.com/article/over-58000-android-users-had-stalkerware-installed-on-their-phones-last-year/)
Utah man jailed for Christmas gaming service DDoS attacks (https://www.justice.gov/usao-sdca/pr/utah-man-sentenced-computer-hacking-crime) Polygon: A 23-year-old man has been sentenced to 27 months in prison for launching several distributed denial-of-service attacks against gaming services during Christmas 2013. Polygon reports the attacker, who went by the Twitter handle @DerpTrolling, was a member of Lizard Squad, and targeted several online gaming sites, including League of Legends and Dota 2 during the festive season. More: Justice Dept. (https://www.justice.gov/usao-sdca/pr/utah-man-sentenced-computer-hacking-crime) | TechCrunch (https://techcrunch.com/2018/11/09/utah-man-guilty-gaming-denial-of-service-attacks/)
Amazon and police set up a sting operation that did nothing (https://www.vice.com/en_us/article/43jmnq/how-amazon-and-the-cops-set-up-elaborate-sting-operation-that-accomplished-nothing) Motherboard: “For Amazon, fear is good for business.” Amazon worked with police to set up an elaborate public relations operation to track packages stolen from people’s porches, partly as a way to endear Amazon’s Ring camera doorbell to law enforcement. But the operation yielded zero arrests, much to the disappointment of all parties involved. Background: Motherboard (https://www.vice.com/en_us/article/3k3833/how-amazon-helped-cops-set-up-a-package-theft-sting-operation) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
FBI investigates leak of ‘top secret’ Air Force intelligence (https://www.forbes.com/sites/thomasbrewster/2019/07/02/exclusive-fbi-investigates-leak-of-1000-pages-of-top-secret-air-force-intelligence/#41bd8a912973) Forbes: Great scoop by @iblametom (https://twitter.com/iblametom) . The FBI is investigating the leak of over a thousand pages of highly classified Air Force intelligence. Local police found the documents as they were investigating an alleged marijuana growing facility at a home. No weed was found, but the police looped in the FBI once they found the classified papers relating to the U.S. Air Force National Air and Space Intelligence Center, a Defense Dept. unit dedicated to analyzing foreign air, cyber and space threats. Many of the papers were “special access,” which should never leave protected and secure environments.
Security flaws in a popular smart home hub let hackers unlock front doors (https://techcrunch.com/2019/07/02/smart-home-hub-flaws-unlock-doors/) TechCrunch: Beware your smart home — turns out it’s probably not so smart. Security researchers Chase Dardaman (https://twitter.com/CharlesDardaman) and Jason Wheeler (https://twitter.com/INIT_3) found three flaws in a popular Zipato smart home hub which, chained together, let them remotely unlock a smart lock on the front door of an apartment. Among them: a hardcoded private SSH key on the device, which they later confirmed was the same key shipped in every hub sold to customers. Because that one key is shared, extracting it from a single hub gets an attacker into any other hub they can reach, and from there to the lock. (Disclosure: I wrote this story.)
All your houses are belong to us! @INIT_3 and I have fully owned the smart hub controlling this lock. The lock is just to demonstrate that we can open your door if we get onto your network, or we live in your apartment building. Disclosure and blog post in the works.
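The "same key in every hub" finding is the kind of thing you can check for yourself once you have a few firmware images in hand. The script below is an added example, not the researchers' code or anything from the story: it walks several unpacked firmware trees, pulls out every PEM private key and reports any key that turns up in more than one image. It assumes the images have already been extracted to directories (binwalk, unsquashfs or similar); the three "hub" trees and their base64 bodies are constructed placeholders, not real keys.

```python
"""Hunt for private keys baked into firmware and flag ones shared across devices.

Added example, not the researchers' code. It assumes each hub's firmware has
already been unpacked into a directory; the sample trees below are constructed
in a temp dir with placeholder (non-functional) key material.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Matches PEM private keys of any flavour (RSA, EC, OPENSSH, PKCS#8 "PRIVATE KEY").
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_fingerprint(body: bytes) -> str:
    """Hash the base64 body with whitespace stripped, so re-wrapped copies still match."""
    return hashlib.sha256(re.sub(rb"\s+", b"", body)).hexdigest()[:16]


def find_private_keys(root):
    """Yield (path relative to root, key type, fingerprint) for every PEM key under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:          # unreadable special files, dangling symlinks
                continue
            for m in PEM_RE.finditer(data):
                yield os.path.relpath(path, root), m.group(1).decode(), pem_fingerprint(m.group(2))


def shared_keys(images):
    """images: {image_name: unpacked_dir}. Return {fingerprint: [(image, path, type), ...]}
    restricted to keys that turn up in more than one image: the 'same key in every hub' case."""
    seen = defaultdict(list)
    for image, root in images.items():
        for path, ktype, fp in find_private_keys(root):
            seen[fp].append((image, path, ktype))
    return {fp: hits for fp, hits in seen.items() if len({h[0] for h in hits}) > 1}


# --- constructed sample data; the base64 bodies are placeholders, not real keys ---
SHARED_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"c2hhcmVkLWZhY3Rvcnkta2V5LXNhbWUtaW4tZXZlcnktaHVi\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
# Same key as above but wrapped differently: it must still fingerprint identically.
SHARED_KEY_REWRAPPED = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                        b"c2hhcmVkLWZhY3Rvcnkta2V5LXNh\nbWUtaW4tZXZlcnktaHVi\n"
                        b"-----END OPENSSH PRIVATE KEY-----\n")


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_images():
    """Three unpacked 'hubs' sharing one SSH key; hub-a also carries a key unique to it."""
    base = tempfile.mkdtemp(prefix="fw-")
    images = {name: os.path.join(base, name) for name in ("hub-a", "hub-b", "hub-c")}
    for name, root in images.items():
        key = SHARED_KEY_REWRAPPED if name == "hub-c" else SHARED_KEY
        _write(root, "root/.ssh/id_rsa", key)
        _write(root, "bin/busybox", b"\x7fELF" + bytes(64))                 # no key in here
    _write(images["hub-a"], "etc/ssl/device.key",
           b"-----BEGIN EC PRIVATE KEY-----\nb25seS1vbi1odWItYQ==\n-----END EC PRIVATE KEY-----\n")
    return images


if __name__ == "__main__":
    for fp, hits in shared_keys(build_sample_images()).items():
        print(f"key {fp} shared by {sorted({h[0] for h in hits})}: {hits[0][2]} at {hits[0][1]}")
```

A per-device key that is genuinely unique, like hub-a's `device.key` in the sample, never shows up in the output; only material that is identical across images does. Pointing `shared_keys` at two or more images of the same product is usually enough to tell whether the vendor generates keys at first boot or stamps the same one into every unit.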
How Google’s Jigsaw became a toxic work environment (https://www.vice.com/en_us/article/vb98pb/google-jigsaw-became-toxic-mess) Motherboard: A strong week for Motherboard: @lorenzoFB (https://twitter.com/lorenzofb) had a deep-dive on Jigsaw, the Google-owned incubator designed to counter extremism, online censorship and cyberattacks. Turns out the company was a fustercluck inside and out. Few words can describe how well researched and written this was — several employees broke their non-disclosure agreements so they could describe the conditions of working there.
Superhuman is spying on you (https://mikeindustries.com/blog/archive/2019/06/superhuman-is-spying-on-you) Mike Davidson: Here’s a good write-up on Superhuman, the invite-only, paid-for email client, which Mike Davidson (https://twitter.com/mikeindustries) wrote about in detail this week. In short, the app embeds a hidden tracking pixel in every message sent, so the sender learns when, how many times and roughly where (inferred from the recipient’s IP address) each email was opened, whether the recipient likes it or not. Clearly it touched a nerve with many. Worse, as Lukasz Olejnik noted (https://twitter.com/lukOlejnik/status/1146398126930038784) , tracking pixels used without consent aren’t GDPR compliant. In the end, Superhuman backed down (https://blog.superhuman.com/read-statuses-bdf0cc34b6a5) and promised to delete existing location data and turn read receipts off by default, but not everyone (https://twitter.com/waltmossberg/status/1146561971636056064) was thrilled by the response, arguing it left out a lot that should have been in there.
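For readers who want to see what the tracking pixel trick looks like from the receiving end, here is an added example (not Superhuman’s or Mike Davidson’s code) of the check a mail client could run before loading remote images: it parses the HTML, and flags any remote `<img>` that is 1x1 or zero-sized, hidden with CSS, or carries a long opaque token in its URL, which is how the sender tells one recipient’s open apart from another’s. The sample message, its hosts and its tokens are constructed for the example.

```python
"""Flag tracking pixels in an HTML email: remote images that are tiny or hidden, or whose
URL carries a per-recipient token. Added example, not Superhuman's or Mike Davidson's code;
the sample message below is constructed, with made-up hosts and tokens."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TINY = {"0", "1", "0px", "1px"}
TOKEN_RE = re.compile(r"[A-Za-z0-9_=\-]{20,}")        # long opaque IDs used to tell recipients apart


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag (handles <img .../> as well)."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def classify_image(attrs, sender_domain):
    """Return the reasons an <img> looks like a tracker; an empty list means it looks benign.
    'third-party host' is recorded as context only and never flags an image on its own."""
    url = urlparse(attrs.get("src", ""))
    if url.scheme not in ("http", "https"):
        return []                                        # cid:/data: images cannot phone home
    reasons = []
    if attrs.get("width", "").strip().lower() in TINY or attrs.get("height", "").strip().lower() in TINY:
        reasons.append("1x1 or zero-size image")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or re.search(r"(width|height):[01]px", style):
        reasons.append("hidden via CSS")
    host = url.hostname or ""
    if host != sender_domain and not host.endswith("." + sender_domain):
        reasons.append(f"third-party host {host}")
    parts = url.path.split("/") + [v for vals in parse_qs(url.query).values() for v in vals]
    if any(TOKEN_RE.fullmatch(p) for p in parts):
        reasons.append("per-recipient token in URL")
    return reasons


def find_tracking_pixels(html, sender_domain):
    """Return [(src, reasons)] for images with at least one reason beyond the host check."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.images:
        reasons = classify_image(attrs, sender_domain)
        if any(not r.startswith("third-party host") for r in reasons):
            hits.append((attrs.get("src", ""), reasons))
    return hits


# Constructed sample: a real logo, a classic hidden pixel, an inline image, a CSS-shrunk pixel.
SAMPLE_EMAIL = """<html><body><p>Hi there,</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://r.mailtrack.example/o/7Hq2mKx9tPwL3vRzQa8nYc?e=1" width="1" height="1" style="display:none">
<img src="cid:inline-photo" width="1" height="1">
<img src="https://img.example.com/p/a9f2b1c0d4e6f8a1b3c5d7e9f0a2b4c6d8e0/open.gif" style="width:1px;height:1px"/>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL, "example.com"):
        print(src, "->", "; ".join(reasons))
```

The heuristics are deliberately loose: a pixel served from the sender’s own domain with a per-recipient path still gets caught, and an inline `cid:` image never does, because it cannot make a request. The only complete defence is the one most mail clients already offer, which is not fetching remote images at all until you ask.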
81% flagged by Met’s police facial recognition technology are innocent (https://news.sky.com/story/met-polices-facial-recognition-tech-has-81-error-rate-independent-report-says-11755941) Sky News: London’s Metropolitan Police says its facial recognition makes a mistake in only one in 1,000 cases, but an independent report by academics at the University of Essex found that as many as 81% of the people its system flagged were wrongly matched to the watchlist. The two figures measure different things: the Met counts errors as a share of every face the cameras scanned, while the Essex researchers counted wrong matches as a share of the alerts the system actually raised, which is the number that matters to the person being stopped. ~ ~
** OTHER NEWSY NUGGETS
With a single wiretap, police collected 9.2 million text messages (https://techcrunch.com/2019/06/29/wiretap-prosecutors-texas/) A single wiretap in Texas collected 9.2 million text messages over a four-month period in 2018, yet not a single arrest was made. It was one of the largest wiretaps seen in years, even as the overall number of wiretaps for the year fell. (Disclosure: I also wrote this story.) Interestingly, the drop is believed to be because the DEA was forced to shut down (https://twitter.com/bradheath/status/1145715466125611008) its massive eavesdropping station in Riverside, California, which has cut the number of wiretaps by 90% since 2014.
Georgia’s courts hit by Ryuk ransomware (https://arstechnica.com/information-technology/2019/07/ryuk-ryuk-ryuk-georgias-courts-hit-by-ransomware/) Another day, another ransomware attack. This time it’s the Georgia courts system. It’s said to be the same kind of ransomware (https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/) that took down two Florida local governments last month.
PGP’s keyserver network under attack (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) Attackers are flooding the SKS keyserver network, the distributed directory PGP users rely on to fetch and refresh each other’s public keys, according to OpenPGP developers Robert Hansen and Daniel Gillmor, whose own certificates were targeted this week. Hansen said the attackers “poisoned” their certificates by attaching tens of thousands of bogus third-party signatures; a certificate that bloated breaks GnuPG when it is imported or refreshed, and because the keyservers never delete anything, the junk can’t be removed. “We’ve known for a decade this attack is possible. It’s now here and it’s devastating,” Hansen wrote. “This is a mess, and it’s a mess a long time coming,” wrote Gillmor in his own write-up (https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) .
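The flooding is visible in the certificate itself long before GnuPG chokes on it. The script below is an added example, not GnuPG’s code or anything from Hansen’s or Gillmor’s write-ups: it parses the raw OpenPGP packet stream per RFC 4880, works out the primary key ID, and counts how many certifications on each User ID come from keys other than the owner’s. The 1,000-signature threshold is an assumption, and the sample certificate is built from dummy key bytes and placeholder, unsigned "signatures", since only the packet framing and the Issuer subpacket matter for this check.

```python
"""Count third-party certifications on each User ID of an OpenPGP certificate (RFC 4880).
Added example, not GnuPG's code or the keyserver operators'. The certificate built at the
bottom uses dummy key bytes and placeholder, unsigned "signatures": only the packet framing
and the Issuer subpacket matter for this check."""
import hashlib, random, struct
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}   # certifications of a User ID (s5.2.1)

def _length(buf, i, subpacket=False):
    """Decode a new-format packet length (s4.2.2) or subpacket length (s5.2.3.1) at buf[i]."""
    b1 = buf[i]
    if b1 < 192:
        return b1, i + 1
    if b1 < (255 if subpacket else 224):
        return ((b1 - 192) << 8) + buf[i + 1] + 192, i + 2
    if b1 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not permitted on key or signature packets")

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream, old or new header format (s4.2)."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if ctb & 0x40:                                   # new format: tag in the low 6 bits
            tag, (ln, i) = ctb & 0x3F, _length(data, i + 1)
        else:                                            # old format: tag in bits 5..2, length type in 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = (1, 2, 4, 0)[ltype]                   # length type 3: indeterminate, runs to end of input
            ln = int.from_bytes(data[i + 1:i + 1 + size], "big") if size else n - i - 1
            i += 1 + size
        yield tag, data[i:i + ln]
        i += ln

def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket; bit 7 of the type octet marks 'critical'."""
    i = 0
    while i < len(area):
        ln, i = _length(area, i, subpacket=True)
        yield area[i] & 0x7F, area[i + 1:i + ln]
        i += ln

def signature_issuer(body):
    """Return (signature type, issuer key ID as hex or None) from a Signature packet body (s5.2)."""
    if body[0] == 3:                                     # v3 layout: type at [2], key ID at [7:15]
        return body[2], body[7:15].hex()
    hl = struct.unpack(">H", body[4:6])[0]
    ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]
    issuer = None
    for area in (body[6:6 + hl], body[8 + hl:8 + hl + ul]):  # hashed, then unhashed subpackets
        for stype, sdata in iter_subpackets(area):
            if stype == 16 and len(sdata) == 8:          # Issuer (key ID)
                issuer = sdata.hex()
            elif stype == 33 and len(sdata) == 21:       # Issuer Fingerprint: version octet + 20 bytes
                issuer = sdata[-8:].hex()
    return body[1], issuer

def v4_key_id(key_body):
    """Key ID = low 64 bits of SHA-1(0x99 || 2-byte length || public-key packet body) (s12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:].hex()

def certification_stats(cert):
    """Return (primary key ID, {user_id: {"self": n, "third_party": m}}) for one certificate."""
    primary, uid, stats = None, None, {}
    for tag, body in iter_packets(cert):
        if tag == 6 and primary is None:                 # Public-Key packet: the primary key
            primary = v4_key_id(body) if body[0] == 4 else None
        elif tag == 13:                                  # User ID; the certifications on it follow
            uid = body.decode("utf-8", "replace")
            stats.setdefault(uid, {"self": 0, "third_party": 0})
        elif tag == 2 and uid is not None:
            sig_type, issuer = signature_issuer(body)
            if sig_type in CERTIFICATION_TYPES:
                stats[uid]["self" if issuer == primary else "third_party"] += 1
    return primary, stats

def flooded_user_ids(cert, threshold=1000):
    """User IDs with at least `threshold` third-party certifications (the threshold is an assumption)."""
    return [u for u, s in certification_stats(cert)[1].items() if s["third_party"] >= threshold]

def _packet(tag, body):
    """Constructed new-format packet: tag octet plus 1-, 2- or 5-octet length (s4.2.2)."""
    n = len(body)
    ln = (bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF]) if n < 8384
          else b"\xff" + struct.pack(">I", n))
    return bytes([0xC0 | tag]) + ln + body

def _fake_certification(issuer_key_id, sig_type=0x10):
    """Constructed v4 signature body: RSA/SHA-256, creation-time and Issuer subpackets, dummy hash/MPI."""
    hashed, unhashed = b"\x05\x02\x00\x00\x00\x00", b"\x09\x10" + issuer_key_id
    return (b"\x04" + bytes([sig_type]) + b"\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00\x00\x08\xab")

PRIMARY_BODY = b"\x04\x5d\x1e\x00\x00\x01\x00\x09\x01\x00\x01"   # dummy v4 RSA key body, stand-in MPI

def build_sample_cert(n_flood):
    """Primary key, one User ID, its self-certification, then n_flood certifications from strangers."""
    rng = random.Random(1)
    pkts = [_packet(6, PRIMARY_BODY), _packet(13, b"Alice <alice@example.org>"),
            _packet(2, _fake_certification(bytes.fromhex(v4_key_id(PRIMARY_BODY)), 0x13))]
    pkts += [_packet(2, _fake_certification(rng.getrandbits(64).to_bytes(8, "big"))) for _ in range(n_flood)]
    return b"".join(pkts)
```

Run it over a real export with `certification_stats(open("key.pgp", "rb").read())` (binary, not ASCII-armored). Nothing here validates the signatures, and it doesn’t need to: the attack works precisely because GnuPG has to process every one of the bogus signatures before it can decide they are worthless. Hansen’s gist recommends pointing `gpg.conf` at keys.openpgp.org, which does not distribute third-party signatures at all.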
Google scrubs over 100 adware-infected camera and gaming apps (https://www.cyberscoop.com/google-play-store-malicious-apps-trend-micro/) New findings from Trend Micro (https://blog.trendmicro.com/trendlabs-security-intelligence/adware-campaign-identified-from-182-game-and-camera-apps-on-google-play-and-third-party-stores-like-9apps/) showed more than 180 adware-infected apps, collectively downloaded more than nine million times, loaded with malicious ad-serving code in an effort to generate fake ad revenue. A total of 111 apps were found on the Google Play store.
D-Link settles with the FTC over bad router security (https://arstechnica.com/information-technology/2019/07/d-link-agrees-to-new-security-monitoring-to-settle-ftc-charges/) Router maker D-Link has agreed to implement a new security program to settle charges with the FTC. The federal agency said D-Link used hardcoded passwords on its camera software that let hackers in and stored mobile app logins in an unencrypted format — all while claiming its hardware was secured. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise,” said the FTC in a statement (https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation) .
U.K.’s largest police forensics lab paid ransom demand to recover data (https://www.bbc.com/news/uk-48881959) Eurofins paid an undisclosed amount of money to obtain its files back after its systems were hit by ransomware, according to a press release (https://www.eurofins.com/media-centre/press-releases/2019-06-10/) . Eurofins deals with over 70,000 criminal cases in the U.K. each year, or about half of all forensics work done for U.K. police forces. ~ ~
** THE HAPPY CORNER
Following the unexpected passing (https://twitter.com/pwcrack/status/1146776786459594753) of @kingtuna (https://twitter.com/kingtuna) , a renowned infosec scientist, the community came together to raise more than $18,000 for funeral expenses in a single day (https://twitter.com/dakacki/status/1146987660008919040?s=21) . At the time of writing the GoFundMe (https://www.gofundme.com/funeral-expense-funds-for-terrence-tuna-gareau) is now up to $21,700.
@hacks4pancakes (https://twitter.com/hacks4pancakes) , a CFP reviewer for Derbycon, wrote a huge tweet thread (https://twitter.com/hacks4pancakes/status/1146857011231023106) explaining how and why some papers pass and others don’t. Some great insight from a fantastic security expert, and advice anyone submitting to a conference can follow.
And, for anyone going to Black Hat or Def Con this year, here’s some handy advice from @aprilwright (https://twitter.com/aprilwright/status/1147618441769246720?s=21) — it’s a portable door lock that’ll protect your hotel room from intruders (or staff). If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercats are Laney and Millie. Yes, they look grumpy, but maybe it’s because you should be using the Yubikey they got you for Christmas. A big thanks to their human Jeff Stone (https://twitter.com/jeffstone500) for the submission. (You may need to enable images in this email.) Feel free to send in your cybercats. They will always be featured in an upcoming newsletter. You can submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . ~ ~
** A VERY SPECIAL THANK YOU
A big thank you to everyone who’s subscribed and anyone who reads — this newsletter just hit the first year mark! I’m incredibly proud of this newsletter. A few weeks ago I did a tweet-thread (https://twitter.com/zackwhittaker/status/1135235231525593090) for a behind-the-scenes look at how it all works — feel free to check it out. Here’s to many more. Thank you so much. ~ ~
** SUGGESTION BOX
Thanks for reading. As always, you can leave feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a good week — back next Sunday. ~ ~