this week in security — june 16 edition
** this week in security
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 23.
** THIS WEEK, TL;DR
U.S. escalates online attacks on Russia’s power grid (https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html) The New York Times ($): The Times said the U.S. is ramping up its offensive cyber-operations against Russia’s power grid. Citing interviews with officials, the paper described it as part of an ongoing effort to one-up the opponent. Earlier this week, the WSJ cited John Bolton as saying (https://www.wsj.com/articles/bolton-says-u-s-is-expanding-offensive-cyber-operations-11560266199) U.S. cyber operations are on the increase. “Mr. Bolton acknowledged that U.S. cyber offensives wouldn’t end hacking sponsored by foreign powers, but he said they were designed to impose costs on the attackers,” the paper wrote. Perhaps the most interesting nugget is that the NSA director has a lot more leeway to conduct operations without President Trump’s approval. In some cases, officials said they were worried the president may “countermand” or “discuss” details with foreign officials. More: Wall Street Journal ($) (https://www.wsj.com/articles/bolton-says-u-s-is-expanding-offensive-cyber-operations-11560266199) | @rgoodlaw tweet thread (https://twitter.com/rgoodlaw/status/1139945314754990081)
‘Most dangerous’ hackers are targeting U.S. utilities (https://www.eenews.net/stories/1060575609) E&E News: ‘Triton’ hackers that previously targeted oil and petroleum plants are now probing the U.S. power grid, according to a report. The grid regulator NERC sounded the alarm earlier this year, saying the hackers were conducting “reconnaissance and potential initial access operations.” The Triton hackers are the same group that targeted a Saudi petrochemical plant in an effort to blow it up (https://motherboard.vice.com/en_us/article/9k74az/triton-malware-russian-government-saudi-arabia-petrol-plant). ICS security firm Dragos said the hacker group’s foray into energy systems was “emblematic of an increasingly hostile industrial threat landscape.” More: @RobertMLee tweet thread (https://twitter.com/RobertMLee/status/1139488384186028033) | Wired ($) (https://www.wired.com/story/triton-hackers-scan-us-power-grid/) | Dragos (https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/)
Google disclosed bug that could “take down a Windows fleet” (https://www.zdnet.com/article/google-warns-this-unpatched-bug-could-quickly-take-down-a-windows-fleet/) ZDNet: Project Zero researcher Tavis Ormandy published details about a bug in a core cryptographic library in Windows 8 and later that could be used to “take down a Windows fleet pretty quickly.” The bug is found in SymCrypt, and an exploit could trigger a denial-of-service condition on affected devices. Microsoft was said to have committed to fixing the bug within Google’s 90-day disclosure window but couldn’t ship a fix in time due to issues in testing — which is why the bug was made public. More: @taviso (https://twitter.com/taviso/status/1138469651799728128) | Project Zero (https://bugs.chromium.org/p/project-zero/issues/detail?id=1804)
CBP says traveler photos and license plate data stolen in breach (https://techcrunch.com/2019/06/10/cbp-data-breach/) TechCrunch: Customs & Border Protection confirmed one of its contractors had a data breach this week. What remains unclear is exactly who was behind it. CBP said one of its subcontractors improperly “transferred copies of license plate images and traveler images” to its network. About 100,000 records were stolen, CBP said. (Disclosure: I wrote this story.) Only weeks earlier, Perceptics had a data breach (https://twitter.com/theregister/status/1138210366486327296) that appeared to involve the same data. The only clue to the connection was that the Word document containing the press statement had “Perceptics” in the title (https://www.washingtonpost.com/technology/2019/06/10/us-customs-border-protection-says-photos-travelers-into-out-country-were-recently-taken-data-breach/). Later, Motherboard obtained the images (https://www.vice.com/en_us/article/43j5wm/here-are-images-of-drivers-hacked-from-a-us-border-protection-contractor-on-the-dark-web-perceptics) stolen from Perceptics. More: Motherboard (https://www.vice.com/en_us/article/43j5wm/here-are-images-of-drivers-hacked-from-a-us-border-protection-contractor-on-the-dark-web-perceptics) | Washington Post ($) (https://www.washingtonpost.com/technology/2019/06/10/us-customs-border-protection-says-photos-travelers-into-out-country-were-recently-taken-data-breach/) | @dellcam (https://twitter.com/dellcam/status/1138179051691159552)
Hackers discussed targeting The Intercept after UAE coverage (https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/) The Intercept: This lede from The Intercept says it all. “Operatives at a controversial cybersecurity firm working for the United Arab Emirates government discussed targeting The Intercept and breaching the computers of its employees, according to two sources, including a member of the hacking team who said they were present at a meeting to plan for such an attack.” Archive: The Intercept (https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/) | Reuters (https://www.reuters.com/investigates/special-report/usa-spying-raven/)
A year later, U.S. government sites are still redirecting to hardcore porn (https://gizmodo.com/a-year-later-u-s-government-websites-are-still-redire-1835336087) Gizmodo: Dozens of federal government websites contain a security flaw allowing anyone to generate URLs on their domains that redirect to external sites. Many sites fixed the redirect bug in the past year after it was discovered, but many haven’t — allowing bots to generate tons of spam porn links. That also makes it easier to carry out phishing campaigns, writes @dellcam (https://twitter.com/dellcam). More: StateScoop (https://statescoop.com/phishing-campaign-spoofs-local-government-websites-to-rip-off-small-businesses/)
Congress to take another stab at ‘hack back’ legislation (https://www.cyberscoop.com/hack-back-bill-tom-graves-offensive-cybersecurity/) Cyberscoop: Congress wants to legally allow companies to “hack back,” widely considered one of the “worst ideas in cybersecurity.” But that hasn’t stopped Rep. Tom Graves from reintroducing a bill to allow companies to do just that — go outside their networks to disrupt hackers. Heavy sigh! @shanvav (https://www.twitter.com/shanvav) has a good explainer on this, and you should also check out the take from @RobertMLee (https://twitter.com/RobertMLee/status/1139130407813812224) — he used to work in cyber offensive operations. More: @RobertMLee tweet thread (https://twitter.com/RobertMLee/status/1139130407813812224)
Ransomware halts production for days at major airplane parts manufacturer (https://www.zdnet.com/article/ransomware-halts-production-for-days-at-major-airplane-parts-manufacturer/) ZDNet: Airplane parts manufacturer ASCO was hit by ransomware. The infection was so bad that the company had to stop production in its factories across four countries. The outage forced about 1,000 of its 1,400 workers to be sent home. It’s the latest major company to be hit by ransomware, after Norsk Hydro and Arizona Beverages. Archive: ZDNet (https://www.zdnet.com/article/aluminium-producer-switches-to-manual-operations-after-extensive-cyber-attack/) | TechCrunch (https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/)
Google’s login chief really hates passwords (https://www.theverge.com/2019/6/12/18662594/google-login-apple-sso-account-security-passwords-mark-risher) The Verge: In an interview, Google’s sign-in and login chief Mark Risher said he’d much rather people use Apple’s new sign-in service than his own company’s — if it means nuking passwords from existence. “I honestly do think this technology will be better for the internet,” he told The Verge. “Even if they’re clicking our competitor’s button when they’re logging into sites, that’s still way better than typing in a bespoke username and password, or more commonly, a recycled username and password.” It’s an interesting concept. It’s possible that sign-in services will be better for security than biometrics, which can still be stolen. More: @benadida (https://twitter.com/benadida/status/1139993466316836864) | TechCrunch (https://techcrunch.com/2019/06/07/answers-to-your-burning-questions-about-how-sign-in-with-apple-works/)
** THE STUFF YOU MIGHT’VE MISSED
Troy Hunt talks about the future of Have I Been Pwned (https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/) Troy Hunt: Have I Been Pwned (https://haveibeenpwned.com), one of the world’s most useful sites in security, isn’t going anywhere any time soon, but Troy Hunt is just one guy running the site — and he’s looking to take it to the next level. He’s looking to have HIBP acquired — and him with it — so it’ll go to a new home with greater resources and backing. “I’ll be working with KPMG to more clearly identify which organizations fit into the first category,” he wrote. Good for him.
LaLiga’s app listened in on fans to catch bars illegally streaming soccer (https://www.theverge.com/2019/6/12/18662968/la-liga-app-illegal-soccer-streaming-fine) The Verge: This is so creepy: a Shazam-like app was secretly recording audio and using the phone’s geolocation to figure out which bars didn’t have licenses to stream soccer matches. The app was downloaded more than 10 million times. The Spanish data protection authority caught wind of the privacy infraction and fined the app maker about $280,000.
Experts: Spy used AI-generated face to connect with targets (https://apnews.com/bc2f19097a4c4fffaa00de6770b8a60d) Associated Press: This one had me ‘wtf-ing’: Experts said an AI-generated face was part of a “vast army of phantom profiles lurking on the professional networking site LinkedIn.” The experts said it was an espionage effort to create fake social media profiles to home in on American targets. “Instead of dispatching spies to some parking garage in the U.S. to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” a senior U.S. spy told the AP. This entire story is well worth a read (https://apnews.com/bc2f19097a4c4fffaa00de6770b8a60d). No surprise that @razhael (https://twitter.com/razhael) wrote the story.
DOJ efforts to break encryption should be made public, EFF says (https://www.eff.org/press/releases/details-justice-departments-efforts-break-encryption-facebook-messenger-must-be-made) Electronic Frontier Foundation: The EFF wants to know why a court forbade the Justice Dept. from forcing Facebook to crack open the encryption on its Messenger app. The decision, made last year, remains secret (https://www.reuters.com/article/us-facebook-encryption/u-s-judge-keeps-documents-secret-in-facebook-encryption-case-idUSKCN1Q100X). EFF wants to know what the reasoning was so it can protect users from over-broad requests in the future. Riana Pfefferkorn (https://twitter.com/Riana_Crypto) told the court that the public has a right under common law to access judicial opinions. The appeal is ongoing.
Hong Kong protesters fear surveillance and tracking (https://qz.com/1641519/photos-police-use-tear-gas-rubber-bullets-on-hong-kong-protesters/) Quartz, Sky News: An interesting look at the situation in Hong Kong, amid protests over a proposed law that would allow extraditions of suspects to the Chinese mainland. Britain handed Hong Kong back to China in 1997. Amid the protests, many were “reluctant” to use their rechargeable public transport cards for fear of leaving a paper trail (https://qz.com/1641519/photos-police-use-tear-gas-rubber-bullets-on-hong-kong-protesters/), reports Quartz. Sky News reported (https://news.sky.com/story/beijings-surveillance-apparatus-pushing-hong-kong-protesters-analogue-11740374) that many masked their faces to prevent facial recognition systems from identifying them. “Individuals who have been detected referencing censored topics on WeChat are forced to provide their facial image to the app in order to reactivate their accounts after the suspensions,” reported Sky.
** OTHER NEWSY NUGGETS
That push notification on your phone might be a phishing attempt (https://www.cyberscoop.com/mobile-phishing-push-notifications-lookout-research/) Phishers are now using push notifications that look like legitimate messages from known companies, reports Cyberscoop (https://www.cyberscoop.com/mobile-phishing-push-notifications-lookout-research/). The researchers from Lookout “detected one phishing campaign in which attackers created what appeared to be a Chrome notification alerting them to a missed call.”
Researchers use Rowhammer bit flips to steal 2048-bit crypto key (https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/) A new Rowhammer exploit lets unprivileged attackers extract and steal cryptographic keys and other secrets stored in vulnerable DRAM. Previously, Rowhammer was known to let attackers flip bits in memory rows; the new attack — dubbed RAMbleed — turns those bit flips into a way to read secrets out of memory, letting attackers steal RSA keys (https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/) and more. You can read the researchers’ full paper here (https://rambleed.com/).
Another 200,000 patients affected by AMCA collections breach (https://www.databreaches.net/american-medical-collection-agency-breach-impacted-200000-patients-gemini-advisory/) Looks like the AMCA breach didn’t just affect Quest or LabCorp. This time, security firm Gemini Advisory found a batch of data on the dark web — some 200,000 patients who used the AMCA’s third-party payment page. According to ZDNet, that now pushes the data breach over (https://www.zdnet.com/article/amca-data-breach-has-now-gone-over-the-20-million-mark/) the 20 million affected mark.
UK rights advocate co-owns spyware firm (https://www.theguardian.com/law/2019/jun/14/yana-peel-uk-rights-advocate-serpentine-nso-spyware-pegasus) Yana Peel, a leading human rights campaigner and “a self-proclaimed champion of free speech,” is said to co-own the NSO Group, a $1 billion Israeli spyware maker accused of spying on dissidents. It’s the same spyware outfit that reportedly hit WhatsApp a few weeks ago (https://techcrunch.com/2019/05/14/whatsapp-vulnerability-risk/). It’s also the same company said to be linked (https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html) to the murder of Saudi journalist Jamal Khashoggi.
Yubico to replace Yubikey FIPS keys over reduced randomness bug (https://www.yubico.com/support/security-advisories/ysa-2019-02/) Yubico, the maker of security keys, said it found a bug in its FIPS key and will issue a replacement. According to an advisory (https://www.yubico.com/support/security-advisories/ysa-2019-02/), the first set of random values used by YubiKey FIPS applications after each device power-up has reduced randomness. The complexity of an attack means the likelihood of exploitation is low — but take the replacement anyway.
Most privacy policies are a nightmare to read (https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html) Next time you accept a privacy policy, make sure you know what you’re agreeing to by reading it — if you’re lucky. The Times ($) (https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html) found most policies are “incomprehensible.” The report looked at 150 policies and found that some, like Facebook’s policy, had a higher reading score than Immanuel Kant’s famously difficult “Critique of Pure Reason.” No wonder we have no idea what they’re really doing with our data.
** THE HAPPY CORNER
Just a couple of good things this week.
A post on Hackernoon (https://hackernoon.com/hacking-google-chromes-t-rex-game-e88b0f31bd55) offers some cheats for Google Chrome’s error pages. The most famous is the dino game — an 8-bit dinosaur game you see when there’s no internet connection. Click the page and you’re off. Hackernoon has some cheats you can use to change the dino’s speed and make it immortal.
And, what happens if hackers steal your unreleased music and hold it for a hefty ransom? If you’re Radiohead, you publish the whole thing yourself and ask for donations to charity. That’s exactly what the band did (https://www.facebook.com/radiohead/posts/10155954042367245) when someone demanded $150,000 for its safe return. Radiohead said the music was only “tangentially interesting.” If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place).
** THIS WEEK’S CYBER CAT
This week’s cybercat is Fluffy — like name, like nature. He’s a big fan of privacy. Good kitty. Thanks to his human Ronny Pachel for the submission. (You may need to enable images in this email.) Please send in your cybercats! They will always be featured. You can submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
That’s all for now. Thanks for tuning in and hope you have a good week. Don’t forget, you can always leave feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform).