this week in security — june 14 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 24
~ ~
** THIS WEEK, TL;DR
Facebook helped the FBI hack a child predator (https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) Motherboard: Bombshell reporting by @lorenzofb (https://twitter.com/lorenzofb) this week. California man Buster Hernandez harassed and terrorized girls on Facebook for years, but he was an expert at hiding his identity online. So Facebook paid a cybersecurity firm to build a zero-day exploit for Tails, the privacy-focused operating system, to deanonymize him. Facebook handed the exploit to the feds, which are legally allowed — with a judicial order — to use it. Once unmasked, Hernandez was indicted. But as reported, questions remain. Tails, as you’d imagine, was out of the loop. The bug was eventually patched, without Facebook’s help. And it’s not known if the FBI reused the hacking tool it purchased, said Democratic senator Ron Wyden. Background: Motherboard (https://www.vice.com/en_us/article/gyyxb3/the-fbi-booby-trapped-a-video-to-catch-a-suspected-tor-sextortionist) | @kimzetter tweets (https://twitter.com/KimZetter/status/1270741500737929217)
An obscure Indian cyber firm spied on politicians, investors worldwide (https://uk.reuters.com/article/us-india-cyber-mercenaries-exclusive/exclusive-obscure-indian-cyber-firm-spied-on-politicians-investors-worldwide-idUKKBN23G1GQ) Reuters: A little-known Indian cyber firm is behind a major hacking-for-hire effort that saw its clients spy on more than 10,000 email accounts over a decade. BellTroX targeted U.S. victims, which has apparently caught the attention of the Justice Dept. One such victim is short seller Muddy Waters, which said it was “disappointed but not surprised” that it was targeted by the hackers for hire. This was incredible reporting all round. @Bing_Chris (https://twitter.com/Bing_Chris/status/1270321149147258880) has a good thread on this story. Citizen Lab was one of the firms that uncovered (https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/) the hacking operation, dubbed Dark Basin. EFF reported in 2017 (https://www.eff.org/deeplinks/2017/09/phish-future) that Dark Basin targeted several well-known advocacy groups. Below, you can see some of the phishing sites BellTroX used to ensnare their victims. More: Citizen Lab (https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/) | Norton LifeLock (https://www.nortonlifelock.com/blogs/security-response/mercenary-amanda-professional-hackers-hire) | @Bing_Chris (https://twitter.com/Bing_Chris/status/1270321149147258880)
Online voting system used in Florida, Ohio has severe security flaws, say researchers (https://onezero.medium.com/researchers-find-security-flaws-in-online-voting-system-used-in-florida-and-other-states-d079ca2af050) OneZero ($): It’s no surprise that, given COVID-19, many are looking for alternative voting systems. Voting by mail seems to have the general consensus, even if politics is getting in the way (https://techcrunch.com/2020/04/13/coronavirus-vote-by-mail-wyden-klobuchar/). But that’s not stopping the vote-by-internet crowd. Now, MIT researchers have found severe problems with Democracy Live’s OmniBallot internet voting system that could result in altered ballots “without detection.” As always, @kimzetter (https://twitter.com/kimzetter)’s work is well worth the read. More: MIT (https://internetpolicy.mit.edu/news-cyber-risks-associated-with-voting-from-home/) | Ars Technica (https://arstechnica.com/tech-policy/2020/06/researchers-say-online-voting-tech-used-in-5-states-is-fatally-flawed/) | Politico (https://www.politico.com/news/2020/06/08/online-voting-304013) | New York Times ($) (https://www.nytimes.com/2020/06/07/us/politics/remote-voting-hacking-coronavirus.html)
We mapped where CBP drones are flying in the U.S. and beyond (https://gizmodo.com/we-mapped-where-customs-and-border-protection-drones-ar-1843928454) Gizmodo: CBP drones have been flying over the U.S. for years as part of the agency’s border monitoring efforts. But last week Motherboard (https://www.vice.com/en_us/article/y3zvwj/military-fbi-flying-surveillance-planes-george-floyd-protesters) found that CBP was flying over Minneapolis, where many of the protests in the wake of George Floyd’s death were centered. Lawmakers demanded that the aerial surveillance stop (https://www.vice.com/en_us/article/m7jvya/lawmakers-demand-fbi-dea-cbp-national-guard-stop-spying-george-floyd-protests) but CBP continues to spy from the sky. Although details about how CBP uses its drones, where, and why, are scarce, Gizmodo looks at where those drones have been flying in the past year to reveal a bit more about its domestic surveillance. Background: Motherboard (https://www.vice.com/en_in/article/n7wnzm/government-flying-predator-drones-american-cities)
Senate bill wants DNI to investigate commercial spyware threats (https://www.cyberscoop.com/senate-intelligence-committee-spyware-report-dni/) Cyberscoop: Buried in a newly revealed bill (https://www.congress.gov/bill/116th-congress/senate-bill/3905/text/?=june-11-2020#toc-id1AAA1158FAD9430F90826D8B21C28E80), the Senate Intelligence Committee is calling on the U.S.’ top spy to investigate commercial spyware threats, like those from Hacking Team and NSO Group, which allegedly hacked into the phone of someone close to murdered journalist Jamal Khashoggi before his death. The committee specifically wants to look at the threat posed to U.S. citizens and federal workers both at home and abroad. More: TechCrunch (https://techcrunch.com/2020/06/11/us-intelligence-commercial-spyware/) | @jsrailton thread (https://twitter.com/jsrailton/status/1271113774649552899) ~ ~
** SUPPORT THIS NEWSLETTER
Thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps keep the newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here. ~ ~
** THE STUFF YOU MIGHT’VE MISSED
ACLU sues Los Angeles over e-scooter tracking (https://www.aclusocal.org/en/press-releases/privacy-lawsuit-your-scooter-gps-data-being-tracked) ACLU: Electric scooter rental companies are required to provide real-time and historic GPS tracking data to Los Angeles city officials to make sure that those rental firms are operating legally. But the ACLU says that violates the Fourth Amendment and is suing the California city. The ACLU also says that this presents a data risk in the event that the data gets “in the wrong hands.”
Plundering of crypto keys from SGX sends Intel scrambling again (https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-intels-ultrasecure-sgx/) Ars Technica: Another day, another bug found in Intel chips. Researchers found two new vulnerabilities (https://sgaxe.com/) in Intel’s Software Guard Extensions, known as SGX, allowing them to pluck passwords (https://twitter.com/themadstephan/status/1270403954946592769) and encryption keys from the chip’s protected memory, given access to the affected computer. Below you can see an image file that was pulled from a chip by exploiting the bug. Intel fixed the bugs, and operating system makers should be rolling out the patches in the coming weeks.
What that Capital One court decision means for corporate cybersecurity (https://www.cyberscoop.com/capital-one-incident-response-mandiant-decision/) Cyberscoop: After Capital One’s massive data breach last year, a court has decided that the company must provide outsiders with an incident report detailing what led to the incident. In other words, it has to make its findings public. Typically these reports are kept hidden — much to the chagrin of researchers and experts, who’d want to know how the company was hacked so they can put in protections at their own organizations. Experts said this could be a game-changing decision.
Babylon Health says its GP app hit by data breach (https://www.bbc.com/news/technology-52986629) BBC News: An app maker for doctors, Babylon Health, has admitted a data breach after a “small number” of users gained access to other users’ sessions. Babylon allows doctors to remotely speak to patients and issue prescriptions to more than 2.3 million users across the U.K., but one user found footage of another person’s appointment. ~ ~
** OTHER NEWSY NUGGETS
Google got rich from your data. DuckDuckGo is fighting back (https://www.wired.co.uk/article/duckduckgo-android-choice-screen-search) Wired U.K. has a great profile (https://www.wired.co.uk/article/duckduckgo-android-choice-screen-search) on DuckDuckGo, the privacy-minded search engine. It got a much-needed boost from a European antitrust decision in 2014 that forced Google to offer a broader array of search engines than just its own. In the next few weeks, Android devices will let users pick DuckDuckGo by default. This profile looks back at how DuckDuckGo grew to prominence, and where it looks like it’ll go next.
U.K. security company exposed its own leaks database (https://securitydiscovery.com/data-breach-database-data-breach/) U.K.-based Keepnet Labs inadvertently exposed a massive database of more than 5 billion previously leaked records. Keepnet, which published (https://www.keepnetlabs.com/public-statement-in-relation-to-data-briefly-exposed-on-an-elasticsearch-database/) its own statement, said it provides this data for its threat intelligence service. Making matters worse, Keepnet threatened blogger @gcluley (https://twitter.com/gcluley) with baseless legal action (https://www.grahamcluley.com/keepnet-labs-statement-data-breach/) over an apparent error that it refused to reveal.
Slovak police seize wiretapping devices connected to government network (https://www.zdnet.com/google-amp/article/slovak-police-seize-wiretapping-devices-connected-to-government-network/) Authorities in Slovakia arrested four suspects as part of an investigation into how a series of suspicious-looking devices got onto the government’s IT network. The devices are said to be used for wiretapping, according to local media. Two of the suspects work at the division overseeing the government’s IT network, and a third works for the deputy prime minister’s office. The arrests were announced in a Facebook post (https://www.facebook.com/policiaslovakia/posts/3416092678420930). ~ ~
** THE HAPPY CORNER
A couple of things from the week that might put a smile on your face. Firstly, this thread (found via @josephfcox (https://twitter.com/josephfcox) ) is a brilliant example of using OSINT. You won’t be disappointed.
And: you can take your son’s car keys but you can’t stop him driving away (https://twitter.com/cyber_cox/status/1269812802199355392?s=21). If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Balkan. Here he is sitting on the router, sniffing your Wi-Fi. Classic Balkan! A big thanks to his dad Josh Snow (https://www.linkedin.com/in/jsnow/) for the submission! Send in your cyber cats! The more the merrier. They are always featured, first come, first served. And if you’ve sent in before, feel free to send in again! You can email them in here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). ~ ~
** SUGGESTION BOX
That’s it for this week. The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open for feedback, comments, and questions. Hope to see you again next Sunday. Take care, and stay safe.