this week in security — june 13 edition
|MC_PREVIEW_TEXT|
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 23 View this email in your browser (|ARCHIVE|)
~ ~
** THIS WEEK, TL;DR
Justice Department seized $2.3 million in cryptocurrency paid to Darkside (https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside) Justice Department: The FBI managed to recoup $2.3 million in bitcoin that Colonial Pipeline paid in ransom to get online after its recent ransomware attack. That’s 63 bitcoin, down from 75 bitcoins paid, and after some depreciation in the market. The feds are believed to have grabbed the private key for the wallet used by Darkside to store the bitcoin. Decrypt (https://decrypt.co/73290/how-did-the-feds-get-the-pipeline-hackers-bitcoin-heres-the-best-theory) has the likely answer: the wallet’s private key was likely stored on a cloud server run by Digital Ocean. Follow the money, see where it lands, and grab it while it’s in U.S. jurisdiction — at least that’s the theory going. But this successful attempt to get the money back may be (https://twitter.com/kimzetter/status/1402059077719494667?s=21) the carrot/stick that gets victims to at least report ransomware incidents, even if the government can’t help (https://twitter.com/ericgeller/status/1401986623001223171) all the time. More: New York Times ($) (https://www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html) | Wall Street Journal ($) (https://www.wsj.com/articles/u-s-retrieves-millions-paid-to-colonial-pipeline-hackers-11623094399) | Motherboard (https://www.vice.com/en/article/93y3w7/how-did-the-feds-seize-the-colonial-pipeline-ransomware-bitcoins) | @ericgeller tweets (https://twitter.com/ericgeller/status/1401991459423887363?s=21)
The hard truth about ransomware (https://doublepulsar.com/the-hard-truth-about-ransomware-we-arent-prepared-it-s-a-battle-with-new-rules-and-it-hasn-t-a93ad3030a54) Double Pulsar: Probably one of the best reads on ransomware in the past year by @GossiTheDog (https://twitter.com/GossiTheDog) , who has spent years following ransomware. His conclusion is that this is new normal because we’re not prepared (and haven’t been for years), there are few rules of engagement, and the worst is likely yet to come. This 5,000-worder explains what we need to do next, and what happens if we don’t. It’s clear that there’s pressure on these groups. Bleeping Computer (https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/) reported this week that the Avaddon ransomware is shutting down and has released its decryption keys. Also don’t miss @kimzetter (https://twitter.com/kimzetter) ‘s fascinating interview with Bill Siegel, CEO of Coveware, which negotiates ransomware payments for victims. More: @brianhonan (https://twitter.com/BrianHonan/status/1403792302766755843?s=20) | Zero Day (https://zetter.substack.com/p/negotiating-ransoms-when-to-play)
How the FBI secretly ran a phone network for criminals (https://www.vice.com/en/article/akgkwj/operation-trojan-shield-anom-fbi-secret-phone-network) Motherboard: This is a wild read. Newly released court records show how the FBI secretly ran Anom, the encrypted app used almost exclusively by criminals, to collect more than 20 million messages from close to 12,000 devices. The operation, dubbed Trojan Shield, allowed Australia’s federal police to monitor the network’s communications by quietly attaching a master key to each communication, allowing police to intercept and decipher the messages. Europol officially announced (https://www.europol.europa.eu/newsroom/news/800-criminals-arrested-in-biggest-ever-law-enforcement-operation-against-encrypted-communication) the news of more than 800 criminals arrested. This was a win for police, but @granick (https://twitter.com/granick/status/1402717627777044483) rang the civil liberties alarm bell, since it almost looks like the FBI was trying to avoid U.S. law. More: New York Times ($) (https://www.nytimes.com/2021/06/08/world/australia/operation-trojan-horse-anom.html) | BBC News (https://www.bbc.com/news/world-57397779) | @theage (https://twitter.com/theage/status/1402047548269998080?s=21) | @granick (https://twitter.com/granick/status/1402719699733860354) tweets https://twitter.com/granick/status/1402719699733860354 Hacker known as Max is a 55-year-old woman, prosecutors say (https://www.bloomberg.com/news/articles/2021-06-09/hacker-known-as-max-is-55-year-old-woman-from-russia-u-s-says) Bloomberg: Alla Witte, a 55-year-old Latvian woman, has been detained in Miami after she was arrested and detained on federal charges that she’s allegedly one of the seven alleged members of the notorious TrickBot botnet, which prosecutors (https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization) say has infected tens of millions of computers and stole hundreds of millions of dollars. It’ll be curious to see how this case shakes out, since Witte will almost certainly have a ton of knowledge into how TrickBot survived an attempted takedown (https://www.lawfareblog.com/persistently-engaging-trickbot-uscybercom-takes-notorious-botnet) by Microsoft and Cyber Command earlier this year. More: ZDNet (https://www.zdnet.com/article/after-doj-arrest-of-latvian-trickbot-user-experts-highlight-public-private-efforts/)
How hackers used Slack to steal a ton of data from EA Games (https://www.vice.com/en/article/7kvkqb/how-ea-games-was-hacked-slack) Motherboard: Bad news for EA, after it had to admit that source code for FIFA 21 and the Frostbite engine were taken from its servers after hackers broke in and stole other code and internal tools. User data wasn’t believed to have been taken. The stolen source code data was put up for sale on a hacking forum. Turns out the hackers bought a cookie for $10, getting the hackers into a Slack channel as if they were an employee, and tricked the company’s IT support into turning over a MFA token after the hackers claimed they “lost our phone at a party last night.” More: Motherboard (https://www.vice.com/en/article/wx5xpx/hackers-steal-data-electronic-arts-ea-fifa-source-code) | BBC News (https://www.bbc.com/news/technology-57431987) | @josephfcox (https://twitter.com/josephfcox/status/1403339739852279814?s=20) ~ ~ SUPPORT THIS NEWSLETTER
Thanks to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Hackers can mess with HTTPS connections by sending data to your email server (https://arstechnica.com/gadgets/2021/06/hackers-can-mess-with-https-connections-by-sending-data-to-your-email-server/) Ars Technica: A vulnerability called ALPACA (https://alpaca-attack.com/#question-answer) (or Application Layer Protocol Confusion-Analyzing and Mitigating Cracks in TLS Authentication, if we’re going to be fancy) is an application layer protocol content confusion attack, which allows attackers under very certain conditions to redirect traffic one subdomain to another, resulting in a valid encrypted TLS connection (which shouldn’t be possible). Around 114,000 servers are exploitable because they use software known to be vulnerable to this attack. It’s an interesting read, but as the authors note, you probably don’t have to drop everything and fix this right now. https://alpaca-attack.com/#question-answer Onewheel sent thousands of customers’ private data to a random customer (https://www.vice.com/en/article/epnppe/onewheel-sent-thousands-of-customers-private-data-to-random-customer) Motherboard: Onewheel, the makers of that omni-wheel skateboard-kinda thing (I honestly don’t know how else to describe it) mistakenly shared a spreadsheet with a random customer containing thousands of other customers’ private data, including their full names, email addresses, and home addresses. Whoops.
Protonmail gets a long-overdue facelift (https://techcrunch.com/2021/06/09/protonmail-gets-a-slick-new-look-as-privacy-tech-eyes-the-mainstream/) TechCrunch: Protonmail has a new user interface and some much-needed new features. The encrypted email company now has over 50 million users and got a much needed lick of paint, including filters and keyboard shortcuts. https://techcrunch.com/2021/06/09/protonmail-gets-a-slick-new-look-as-privacy-tech-eyes-the-mainstream/ Europe’s AI rules open door to mass use of facial recognition, critics warn (https://www.politico.eu/article/eu-ai-artificial-intelligence-rules-facial-recognition/) Politico Europe: A coalition of digital rights and consumer protection groups across the globe are calling for an international ban on biometric recognition technologies by both governments and companies. The letter has 170 signatories, arguing that this surveillance “goes against human rights and civil liberties.” It comes as the EU is putting forward an AI bill, which restricts the practice but doesn’t outright ban it. ~ ~
** OTHER NEWSY NUGGETS
CISA launches platform to allow hackers to report flaws in federal tech (https://www.fedscoop.com/cisa-moves-forward-with-vulnerability-disclosure-policy-platform-for-all-civilian-agencies/) CISA has launched a vulnerability disclosure program to allow participating federal agencies receive, triage and fix security flaws from the wider security community. The VDP comes about a year after CISA issued a directive mandating that civilian federal agencies must set up VDP policies for reporting cybersecurity flaws.
Apple’s new private browsing feature won’t be available in China, others (https://www.bbc.com/news/business-57395094) Apple has a new private browsing feature bundled with iCloud+, which is basically Oblivious DNS-over-HTTPS (https://techcrunch.com/2020/12/08/cloudflare-and-apple-design-a-new-privacy-friendly-internet-protocol/) , which decouples DNS queries from the internet user, effectively making it far more difficult to track which websites a user is going to. But some countries, like China and Saudi Arabia, won’t get the feature, given their hostile laws there. A ton of new security and privacy features were also (https://therecord.media/new-apple-privacy-features-announced-at-wwdc-2021/) announced at Apple’s WWDC this week. https://www.bbc.com/news/business-57395094 Ring won’t say how many users had video footage obtained by police (https://techcrunch.com/2021/06/08/ring-police-warrants-neighbors/) It’s a simple number that most other tech companies have published in their biannual transparency reports, but Ring — like its owner Amazon — won’t break out how many users have their doorbell video footage obtained by police. When asked repeatedly, Ring refused to disclose that figure, in what I call “transparency through obscurity.” (Disclosure: I wrote this story.) It comes as Ring’s partnerships with police and fire departments continue (https://www.buzzfeednews.com/article/carolinehaskins1/amazon-ring-partnered-with-350-fire-departments) to grow, despite concerns from civil liberties groups. CNBC this week did a deep-dive (https://www.cnbc.com/2021/06/12/a-year-later-tech-companies-calls-to-regulate-facial-recognition-met-with-little-progress.html) on how companies have responded to facial recognition with regards to police. While many tech companies are putting the brakes on their facial recognition tech, Congress still hasn’t passed any laws or regulations regulating their use. We’re once again at the mercy of Big Tech and their moratoria, which can end anytime.
Apple and Google refuse to say whether Citizen bounty hunt violated policies (https://www.vice.com/en/article/wx5xj9/apple-google-citizen-policies-manhunt-bounty) Speaking of being at the mercy of Big Tech — guess what Apple and Google have done in response to Citizen, an app on both of their app stores, whose CEO put a bounty on the head of an entirely innocent person thought to have started a wildfire in California? Absolutely nothing. Neither Apple or Google would say if Citizen violated their policies, which can see apps banned from the app store. ~ ~
** THE HAPPY CORNER
After that week, time to cool down with some good news from the happy corner.
Five years ago, @johnlatwc (https://twitter.com/JohnLaTwC/status/802241625388765184) tweeted a line of code that can block remote use of PSEXEC. Last week, that same tweet was used to stop an ongoing ransomware attack. Incredible. “File under: this tweet flapped its butterfly wings and 5 years later it stopped a ransomware attack,” he said (https://twitter.com/JohnLaTwC/status/1402991860432343046) . https://twitter.com/ionstorm/status/1402983485338390529 Getting a lot of spam calls recently? Here’s your new voicemail greeting (https://twitter.com/christoperj/status/1403718070292656129?s=21) .
And, this Pi-Hole (https://twitter.com/danielhepper/status/1403624545010003970?s=21) has the most wonderful and authentic casing: a real Spam can. https://twitter.com/danielhepper/status/1403624545010003970?s=21 And finally. This might be my favorite Easter egg (https://twitter.com/andrew_taylor/status/1403709080737390592?s=21) of all time! You can see for yourself (https://developer.bbc.com/login-required) . https://twitter.com/andrew_taylor/status/1403709080737390592?s=21 If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Click, who is doing everything possible to not just walk all over their human’s keyboard. The struggle is real. Big thanks to @bustedsec (https://twitter.com/bustedsec) for the submission! Send in your cyber cats (and their friends)! Drop a photo, their name, and email it here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s it from this very busy week. If you have any feedback, feel free to drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Thanks again for reading and subscribing. Hope you have a great one — see you next week.
============================================================ |IFNOT:ARCHIVE_PAGE| |LIST:DESCRIPTION|
~this week in security~ does not track email opens or link clicks.
Our mailing address is: |LIST_ADDRESS| |END:IF| You can update your preferences (|UPDATE_PROFILE|) or unsubscribe from this list (|UNSUB|) .