this week in security — june 23 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 24.
** THIS WEEK, TL;DR
U.S. secretly struck back against Iranian cyberspies targeting U.S. ships (https://news.yahoo.com/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html) Yahoo News: The Pentagon hit Iranian cyber-spies in an operation Thursday in what’s believed to be the second ever U.S. offensive cyber-strike against a foreign target. Washington Post confirmed the report (https://www.washingtonpost.com/world/national-security/with-trumps-approval-pentagon-launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-11e9-b570-6416efdc0803_story.html?utm_term=.7bbe6c6a99b0) and added new color. It comes after a tense few days between the U.S. and Tehran. The AP reported (https://apnews.com/f01492c3dbd14856bce41d776248921f) that Iranian hackers have been targeting U.S. government agencies and critical infrastructure in recent weeks. For reference, the first cyber-strike was against the Russian troll factory, the Internet Research Agency, on the day of voting in the 2018 midterms. More: Associated Press (https://apnews.com/f01492c3dbd14856bce41d776248921f) | @CISAKrebs (https://twitter.com/CISAKrebs/status/1142520000135278594) | Background: Washington Post ($) (https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html)
How not to prevent a cyberwar with Russia (https://www.wired.com/story/russia-cyberwar-escalation-power-grid/) Wired ($): Next stop Russia, where we’re apparently already in the midst of a cyberwar too. It all started with this story: the Times reports that U.S. spies are already inside Russia’s power grid, ready to strike. Trump personally denied the story, but days later Russia sounded like it was gunning for a cyberwar. No lights are flickering yet, but @a_greenberg (https://twitter.com/a_greenberg) spoke to former U.S. officials who said such actions were “uncharted territory” and that things could get worse before they get better. More: The New York Times ($) (https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html)
FBI, DHS blunder reveals names of child abuse victims (https://www.forbes.com/sites/thomasbrewster/2019/06/19/fbi-dhs-failures-reveal-names-of-child-abuse-victims-through-facebook-identities/) Forbes: Forbes reported this week that an FBI screw-up inadvertently revealed the names of several child abuse victims by publishing their Facebook IDs — which, when plugged into a Facebook URL, resolve to the victim’s profile page. Forbes didn’t publish the names to protect their identities. More: @iblametom (https://twitter.com/iblametom/status/1141352289032122368)
Cloudflare aims to make HTTPS certificates safe from BGP hijacks (https://arstechnica.com/information-technology/2019/06/cloudflare-aims-to-make-https-certificates-safe-from-bgp-hijacking-attacks/) Ars Technica: Now onto some slightly lighter news. Cloudflare said this week it’s offering a new service that’ll prevent BGP hijackers from fraudulently obtaining browser-trusted HTTPS certificates. The new service is free “because the company believes that attacks on the certificate authority system harms the security of the entire Internet.” More: CloudFlare (https://blog.cloudflare.com/secure-certificate-issuance/)
Hacked documents reveal details of expanding border surveillance (https://www.washingtonpost.com/technology/2019/06/21/hacked-documents-reveal-sensitive-details-expanding-border-surveillance/?utm_term=.16f2e8fbc396) Washington Post: The breach of CBP data — blamed on subcontractor Perceptics — continues on. This week, Post reporters began digging into the hacked data, since made public. It appears CBP is looking to expand border surveillance — even as it shows it can’t keep its own data safe. The data also includes “financial statements, project budgets, internal passwords, sales and marketing material, and information about employees’ performance reviews, insurance coverage and pay.” CNN found more (https://www.cnn.com/2019/06/17/politics/customs-and-border-protection-data-breach-license-plates-leaked/index.html) than 50,000 license plates leaked in a data dump believed to have come from Perceptics. More: @kevincollier (https://twitter.com/kevincollier/status/1140764450456264707) | CNN (https://www.cnn.com/2019/06/17/politics/customs-and-border-protection-data-breach-license-plates-leaked/index.html)
Florida city pays $600,000 ransom to save computer records (https://www.apnews.com/0762caec21874fc09741abbdec0f78ab) Associated Press: Florida’s Riviera Beach bucked the trend and caved in to ransomware actors by paying $600,000 in ransom to save its data. Email went down, systems were offline, and 911 operations were said to be disrupted during the attack. But the FBI and security experts alike have long warned against paying the ransom. In Riviera Beach’s case, the ransom payment is covered by the city’s cybersecurity insurance. More: New York Times ($) (https://www.nytimes.com/2019/06/19/us/florida-riviera-beach-hacking-ransom.html)
Hacked medical debt collector AMCA files for bankruptcy protection (https://www.theregister.co.uk/2019/06/18/hacked_amca_bankruptcy_protection/) The Register: The collections agency behind the Quest and LabCorp breaches has filed for bankruptcy protection after hackers pilfered more than 20 million records. A case was filed in Manhattan this week. AMCA owes around $20,000 to IBM and Cablevision, but the filing makes no reference to the breach, arguably the bigger problem on its hands. More: Filing [PDF] (https://regmedia.co.uk/2019/06/18/amca_petition.pdf) | ZDNet (https://www.zdnet.com/article/amca-data-breach-has-now-went-over-the-20-million-mark/)
Iran says it dismantled a U.S. cyber espionage network (https://www.reuters.com/article/us-usa-iran-cyber/iran-says-it-dismantled-a-u-s-cyber-espionage-network-idUSKCN1TI1IY) Reuters: Back to Iran for a hot second. Tehran said it’s arrested several CIA spies “in different countries,” amid continuing tensions between the U.S. and Iran. If you cast your mind back, it’s likely related to recent reporting that a simple Google search led to a massive CIA communications system breach (https://news.yahoo.com/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html) , per a scoop by @JennaMC_Laugh (https://twitter.com/JennaMC_Laugh) and @zachsdorfman (https://twitter.com/zachsdorfman) last year. Archive: Yahoo News (https://news.yahoo.com/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html)
MongoDB’s plan to stop breaches with database encryption (https://www.wired.com/story/field-level-encryption-databases-mongobd/) Wired ($): MongoDB gets the rough end of the stick over data exposures because developers forget to set passwords, so MongoDB fixed that. Now the database maker is going a step further with its new encryption technology: field-level encryption, which the many major companies reliant on MongoDB — like Google and Adobe — will get. In short, it’s an encrypted database that protects against database dumps, because the encryption happens client-side, so only users holding the keys can read the data. “That means MongoDB itself and cloud providers won’t be able to access customer data, and a database’s administrators or remote managers don’t need to have access to everything either,” writes @lilyhnewman (https://twitter.com/lilyhnewman?lang=en). More: TechCrunch (https://techcrunch.com/2019/06/18/mongodb-gets-a-data-lake-new-security-features-and-more/) | MongoDB (https://www.mongodb.com/blog/post/mongodb-atlas-data-lake-debuts-at-mongodb-world) ~ ~
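Client-side field-level encryption of the kind described above, as an added illustration: this is not MongoDB’s code and does not reproduce its actual scheme (MongoDB’s key management and cipher choices are not described in the item), just the property the article is about. Each sensitive field is sealed on the client with AES-256-GCM under a data encryption key the server never holds, with the field name bound as associated data, so a database dump yields only opaque strings, a ciphertext moved between fields is rejected, and an administrator holding the stored documents but not the key learns nothing. The `Document` type, the `enc:` marker, the field names and the fixed demo key are this example’s own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Document is a flat record as the application sees it; stored values
// carrying the "enc:" prefix are ciphertext as held by the database.
type Document map[string]string

const encryptedPrefix = "enc:"

// FieldEncryptor holds the client-side data encryption key (DEK); the
// database only ever sees the ciphertext it produces.
type FieldEncryptor struct{ aead cipher.AEAD }

// NewFieldEncryptor wraps a 32-byte DEK in AES-256-GCM.
func NewFieldEncryptor(dek []byte) (*FieldEncryptor, error) {
	if len(dek) != 32 {
		return nil, errors.New("DEK must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// EncryptField returns "enc:" + base64(nonce || ciphertext || tag). The field
// name is the associated data, so a ciphertext copied into another field
// fails authentication on decrypt.
func (f *FieldEncryptor) EncryptField(field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nil, nonce, []byte(plaintext), []byte(field))
	return encryptedPrefix + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptField fails on a wrong key, a tampered value or a value moved
// between fields.
func (f *FieldEncryptor) DecryptField(field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encryptedPrefix))
	ns := f.aead.NonceSize()
	if !strings.HasPrefix(stored, encryptedPrefix) || err != nil || len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("decrypt %q: %w", field, err)
	}
	return string(pt), nil
}

// EncryptDocument encrypts only the named fields; the rest stay plaintext so
// the server can still index and query them.
func (f *FieldEncryptor) EncryptDocument(doc Document, sensitive ...string) (Document, error) {
	out := Document{}
	for k, v := range doc {
		out[k] = v
	}
	for _, field := range sensitive {
		if v, ok := out[field]; ok {
			enc, err := f.EncryptField(field, v)
			if err != nil {
				return nil, err
			}
			out[field] = enc
		}
	}
	return out, nil
}

// DecryptDocument restores every "enc:" field; plaintext fields pass through.
func (f *FieldEncryptor) DecryptDocument(stored Document) (Document, error) {
	out := Document{}
	for k, v := range stored {
		if strings.HasPrefix(v, encryptedPrefix) {
			pt, err := f.DecryptField(k, v)
			if err != nil {
				return nil, err
			}
			v = pt
		}
		out[k] = v
	}
	return out, nil
}

func main() {
	// Constructed sample. The DEK comes from a fixed string only so the demo is
	// reproducible; a real deployment uses a random DEK wrapped by a KMS key.
	dek := sha256.Sum256([]byte("demo-only-key-material"))
	fe, _ := NewFieldEncryptor(dek[:])
	doc := Document{"patient_id": "p-1001", "name": "Jane Doe", "ssn": "123-45-6789"}
	stored, _ := fe.EncryptDocument(doc, "name", "ssn")
	fmt.Println("database holds:", stored) // name and ssn are opaque "enc:..." strings
	back, _ := fe.DecryptDocument(stored)
	fmt.Println("client sees:   ", back)
}
```

The point to notice is what is left queryable: `patient_id` stays plaintext so the server can index it, while `name` and `ssn` are useless to anyone holding a dump, a backup or the admin console without the client-side key. Binding the field name as associated data is the cheap extra that stops a tampering attacker from swapping one record’s encrypted `ssn` into another’s.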
** THE STUFF YOU MIGHT’VE MISSED
Irked researcher discloses Facebook WordPress plugin flaws (https://threatpost.com/irked-researcher-discloses-facebook-wordpress-plugin-flaws/145771/) Threatpost: A researcher dropped zero-days in two Facebook-built WordPress plugins — used in more than 200,000 installs. The two CSRF bugs were dropped in “protest” against the moderators of the WordPress Support Forum. Facebook patched the bugs anyway.
Robocalls are overwhelming hospitals, threatening a new kind of crisis (https://www.washingtonpost.com/technology/2019/06/17/robocalls-are-overwhelming-hospitals-patients-threatening-new-kind-health-crisis/?utm_term=.8a3f156a94a1) Washington Post ($): From the @TonyRomm (https://twitter.com/tonyromm) reporting department: Tufts Medical Center is struggling to deal with the onslaught of robocalls overwhelming its phone system. In two hours, there were more than 4,500 robocalls. “The FCC and Justice Department need to go after these criminals with the seriousness and urgency this issue deserves,” said Rep. Frank Pallone, the chairman of the House Energy and Commerce Committee.
Nation-state hackers likely carried out hostile takeover of rival group’s servers (https://arstechnica.com/information-technology/2019/06/researchers-think-nation-sponsored-hackers-attacked-rival-espionage-group/) Ars Technica: The Russian-speaking Turla hacking group appears to have hijacked the network of OilRig, a group associated with Iranian hackers. Symantec, which carried out the research, called it an “unprecedented hacking coup,” but one that may also make attribution harder in the future.
John Deere’s promotional USB drive hijacks your keyboard (https://www.vice.com/en_us/article/pajv5k/john-deere-promotional-usb-drive-hijacks-your-keyboard) Motherboard: I saw this on Reddit (https://www.reddit.com/r/assholedesign/comments/c1aq23/thought_it_was_a_flash_drive/?sort=old) first but later on Motherboard, which digs in a bit more. The farming equipment maker created a promotional USB drive that hijacks a user’s keyboard to type a web address into the user’s browser. “It’s an HID-compliant keyboard that, when connected detects what platform it’s on and automatically sends a keyboard shortcut to open a browser, and then it barfs the link into the address bar,” wrote the Redditor. John Deere apologized for the security snafu. Imagine the possibilities… also, never plug a random USB drive into your computer.
Europol et al release Gandcrab decryption tool (https://www.europol.europa.eu/newsroom/news/just-released-fourth-decryption-tool-neutralises-latest-version-of-gandcrab-ransomware) Europol: Some more good news: Europol, with help from law enforcement agencies across the world and Bitdefender, has released a decryption tool (https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind/) for the Gandcrab ransomware. According to the security firm, its decryption tools have resulted in more than 30,000 successful decryptions and have saved victims roughly $50 million in unpaid ransom. Wow.
Guardian said to be target of Saudi hackers after Khashoggi killing (https://www.theguardian.com/world/2019/jun/19/guardian-told-it-was-target-of-saudi-hacking-unit-after-khashoggi-killing) The Guardian: The U.K.-based newspaper said it was warned it was “being targeted by a cybersecurity unit in Saudi Arabia” ordered to hack into the email accounts of journalists investigating the royal family. It comes following the murder of dissident Saudi journalist Jamal Khashoggi last year.
Firefox zero-day used to hack Coinbase employees, not its users (https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/) ZDNet: Arguably one of the better scooplets of the week: the two Firefox zero-days found recently were being used to attack Coinbase employees, not its users — one to remotely run code in the browser, chained with a sandbox escape bug to reach the underlying operating system. The bugs were under active exploitation, and the targets seemed to be cryptocurrency organizations.
Thoughts on the Assange Indictment: Where’s Vault 7? (https://www.lawfareblog.com/thoughts-assange-indictment-wheres-vault-7) Lawfare: @ncweaver (https://twitter.com/ncweaver) has some thoughts on the WikiLeaks indictment and why it doesn’t lead to any charges against Julian Assange for the Vault 7 leak — the publication of the CIA hacking tools, which were arguably a far more damaging leak to the U.S. than WikiLeaks’ previous releases. ~ ~
** OTHER NEWSY NUGGETS
Instagram finally does something about hacked accounts (https://www.vice.com/en_us/article/j5wkap/instagram-tests-new-methods-how-to-recover-hacked-account) Hackers are known to hijack (https://www.vice.com/en_us/article/59vnvk/hacked-instagram-influencers-get-accounts-back-white-hat-hackers) high-profile Instagram accounts for ransom, and Instagram didn’t seem to care. Why would it — it’s owned by Facebook? The social media giant now has new processes in place to help account owners get their accounts back in the event of a hijack. One Instagram account hacker known to Motherboard said the new measures would slow down hackers but likely wouldn’t prevent them entirely.
Ransomware attack hits police forensic work (https://www.bbc.com/news/uk-48721511) U.K. police have suspended work with a major private forensics company following a ransomware attack (https://www.reuters.com/article/us-eurofins-scient-cyber/eurofins-scientific-detects-ransomware-in-some-of-its-it-systems-idUSKCN1T40QH) earlier this month. Eurofins does about half of the U.K. police’s forensics, some 70,000 cases each year. The Crown Prosecution Service, which brings prosecutions to trial, said it’s “assessing” its cases to see if vital evidence has been lost. Wow.
Samsung’s security reminder is a good reason not to own a smart TV (https://www.theverge.com/2019/6/17/18681683/samsung-smart-tv-virus-scan-malware-attack-tweet) Hard to think this happened this week given the amount of news, but yes, this happened. Samsung was ‘reminding’ smart TV owners in a tweet to run a virus scan on their TVs. Yes, your smart TV can be exploited — the CIA showed that’s completely possible (https://www.vice.com/en_us/article/8qbq5x/the-cia-spied-on-people-through-their-smart-tvs-leaked-documents-reveal) — but arguably you only need a smart TV antivirus because Samsung’s codebase is so crap. Amid bad headlines, Samsung’s social media team pulled the tweet.
1. Your “smart” TV wouldn’t GET viruses if they didn’t have shit security. 2. Many people want a “dumb” TV set, but they don’t sell them because they couldn’t sell your usage data.
https://twitter.com/hackernewsfeed/status/1140694304244916231
Dell quietly patches flaw that affected millions of users (https://www.cyberscoop.com/dell-supportassist-patch-security-vulnerability-microsoft-windows/) Computer giant Dell released an advisory (https://www.dell.com/support/article/us/en/04/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability) this week warning about a security flaw that would’ve allowed hackers to obtain sensitive information on “millions” of machines running its buggy bloatware app.
BBC Box lets you store your data at home (https://www.bbc.co.uk/rd/blog/2019-06-bbc-box-personal-data-privacy) Here’s an interesting one from the Beeb: a prototype project it’s working on will allow users to pull their data and store it in a box in their own house, instead of on the BBC’s servers. The technology is based on the Databox (https://www.databoxproject.uk/about/) project. The BBC describes it as “a physical device in the person’s home onto which personal data is gathered from a range of sources, although of course (and as mentioned above) it is only collected with the participants explicit permission, and processed under the person’s control.” Really cool if this takes off.
U.K. data surveillance powers unlawfully wide, court told (https://www.bbc.com/news/uk-48663613) The U.K.’s bulk data collection powers are “too wide” and invade privacy, campaigners told the U.K. High Court. They argue the so-called snoopers’ charter, rolled out by surveillance queen Theresa May, is incompatible with European rules on human rights. “Even if a warrant has been granted for the data to be gathered, they argue, the searching of bulk data — sometimes known as secondary data — is not governed by any warrant,” writes the BBC.
DHS looking to move biometric data to Amazon’s cloud (https://www.nextgov.com/it-modernization/2019/06/dhs-move-biometric-data-hundreds-millions-people-amazon-cloud/157837/) Homeland Security’s biometric database containing fingerprints, irises and faces (and eventually DNA, palm prints, scars and tattoos) on some 250 million people could soon be hosted in Amazon’s government cloud. The system is said to replace the existing IDENT system with HART, which’ll contain far more data. Let’s just hope nobody leaves an S3 bucket open… ~ ~
** THE HAPPY CORNER
Here’s some good news.
@Tarah (https://twitter.com/tarah/status/1141509655564357633) has a new gig at New America’s Cybersecurity Initiative. Huge news! More details to come in the next few weeks — can’t wait to hear more.
And, follow along and donate to get Laura and Juma, who were granted a WISP scholarship, to Def Con later this year. @marcusjcarey (https://twitter.com/marcusjcarey/status/1141504511011430400) has a thread going — so far, @flyawardcat (https://twitter.com/flyAwardCat) is donating the service and @tprophet (https://twitter.com/TProphet) is coordinating air miles. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercat is Lizard. Seem familiar? Yeah, she’s one of our foster cats — you’ve probably seen her in my tweets (https://twitter.com/zackwhittaker/status/1142174373035614208) . Lizard is about six months old and is looking for a permanent home. She is a little derpy, sure, but she’s a cat’s cat and loves to snuggle (https://twitter.com/zackwhittaker/status/1142174373035614208) with other kitties. And if you’re wondering why she’s this week’s cybercat? She’s looking to hack into your heart (ba-dum-tssk). If you’re in the New York area and you’re interested in being her permanent cat parent, reach out (mailto:zack.whittaker@gmail.com?subject=I%20want%20to%20adopt%20your%20cybercat!) . (You may need to enable images in this email.) Feel free to submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . ~ ~
** SUGGESTION BOX
Busy week, right? That’s all for now — thanks for reading as always. If you have any feedback, drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a great week! ~ ~