~this week in security~

June 28, 2020

this week in security — june 28 edition


~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)

volume 3, issue 26


~ ~

** THIS WEEK, TL;DR

Senators who don’t understand encryption introduce bill to break it (https://www.vice.com/en_us/article/y3z3z7/republican-encryption-bill-privacy-signal?) Motherboard: Three Republican Senators have released a draft bill that is the most brazen attempt to undermine and break encryption since the Burr-Feinstein bill (https://techcrunch.com/2016/04/13/burr-feinstein-encryption-bill-is-officially-here-in-all-its-scary-glory/) in 2016. The bill by Sens. Cotton, Graham and Blackburn would demand backdoors to allow police access to encrypted data, so long as a court approves a warrant. But again, for the millionth time (https://www.zdnet.com/article/because-there-is-no-such-thing-as-a-secure-backdoor-gosh-darn-it/), there’s no way to put a backdoor in encryption without also making it possible for hackers to get in, weakening security for everyone, much to the chagrin (https://twitter.com/matthew_d_green/status/1275561169017876480) of cryptographers. @Riana_Crypto (https://twitter.com/riana_crypto) has more on the bill (https://cyberlaw.stanford.edu/blog/2020/06/there%E2%80%99s-now-even-worse-anti-encryption-bill-earn-it-doesn%E2%80%99t-make-earn-it-bill-ok). More: Judiciary Committee (https://www.judiciary.senate.gov/press/rep/releases/graham-cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-use-of-warrant-proof-encryption-that-shields-criminal-activity) | @snlyngaas tweets (https://twitter.com/snlyngaas/status/1275555852355854341) | Stanford (https://cyberlaw.stanford.edu/blog/2020/06/there%E2%80%99s-now-even-worse-anti-encryption-bill-earn-it-doesn%E2%80%99t-make-earn-it-bill-ok)

Anonymous stole and leaked a megatrove of police documents (https://www.wired.com/story/blueleaks-anonymous-law-enforcement-hack/) Wired ($): The collection of stolen police documents, known as BlueLeaks, contains internal memos, financial records and other confidential police files for over 200 state, local and federal agencies. It’s believed the source (https://krebsonsecurity.com/2020/06/blueleaks-exposes-files-from-hundreds-of-police-departments/?mid=1) was a breach at Netsential, a website developer and CMS maker, and was published by DDoSecrets (https://ddosecrets.com/), which was later banned (https://twitter.com/micahflee/status/1275575438996156416?s=21) by Twitter, a move that for some reason leaves WikiLeaks’ account up. Bizarre. More: Krebs on Security (https://krebsonsecurity.com/2020/06/blueleaks-exposes-files-from-hundreds-of-police-departments/?mid=1) | ZDNet (https://www.zdnet.com/article/twitter-bans-ddosecrets-account-over-blueleaks-police-data-dump/)

Israeli spyware used to target Moroccan journalist, Amnesty claims (https://www.theguardian.com/technology/2020/jun/21/journalist-says-he-was-targeted-by-spyware-from-firm-despite-its-human-rights-policy) The Guardian: In an extremely detailed and technical post, Amnesty International accused (https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/) a government, likely Morocco, of using NSO Group’s Pegasus spyware to hack into the phone of a Moroccan journalist. The infection was likely the zero-click exploit, which infects a device silently and without user interaction by delivering the exploit through a man-in-the-middle network attack. Amnesty has one of the most detailed reports to date on this Pegasus infection technique. According to The Guardian, one of a few outlets with the embargo on the story, the journalist was targeted as part of a “broader campaign” to crack down on dissent. More: Amnesty International (https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/) | @jsrailton tweets (https://twitter.com/jsrailton/status/1274876929607381001?s=21)

Man says he was falsely arrested after facial recognition mistake (https://www.npr.org/2020/06/24/882678392/man-says-he-was-falsely-arrested-after-facial-recognition-mistake) NPR, The New York Times ($): This is a must read from the week. The ACLU has filed a complaint against the Detroit Police Dept. after a Black man was arrested because a flawed facial recognition system flagged him as a criminal. His mugshot, fingerprints, and DNA were taken, and he was held overnight for the “crime” of being, likely, the first American wrongly arrested based on a flawed facial recognition algorithm. @kashhill’s (https://twitter.com/kashhill?r) story in The Times is breathtaking (https://www.nytimes.com/2020/06/24/technology/facial-recognition-arrest.html). More: The New York Times ($) (https://www.nytimes.com/2020/06/24/technology/facial-recognition-arrest.html) | @kashhill tweets (https://twitter.com/kashhill/status/1275761902879195145)

Boston votes to ban government use of facial recognition (https://www.cnet.com/news/boston-votes-to-ban-government-use-of-facial-recognition/) CNET: Boston has become the largest city on the east coast to ban the use of facial recognition, joining cities like San Francisco and Oakland, which put similar bans in place last year. The ordinance passed unanimously, preventing the Massachusetts state capital from using the technology. There are some exceptions — city staff are still allowed to use the face-unlock feature on their own phones, a notable exception — but they aren’t allowed to use it on other people. ACLU said it was a “crucial victory” for Bostonians’ privacy rights. More: ACLU (https://www.aclum.org/en/news/victory-boston-becomes-largest-city-east-coast-ban-face-surveillance?)

Apple pushes back against targeted ad tracking in iOS 14 (https://www.wired.com/story/apple-ios-14-safari-privacy-ad-tracking/) Wired ($): Some very good news for those who hate being ad-tracked across the web: Apple will allow users in iOS 14, expected out later this year, to decline ad tracking inside apps. Users will be able to allow or disallow it from a prompt when they first open the app. If the latter, the user’s ad tracking ID will simply be zero, like everyone else’s. It won’t stop ads but it’ll stop privacy invasive ad tracking. Apple also has a blog post (https://webkit.org/blog/10875/release-notes-for-safari-technology-preview-109-with-safari-14-features/) looking at more privacy features in Safari on iOS 14. More: The Verge (https://www.theverge.com/2020/6/22/21299407/apple-ios-14-new-privacy-features-data-location-tracking-premissions-wwdc-2020) | Apple WebKit (https://webkit.org/blog/10875/release-notes-for-safari-technology-preview-109-with-safari-14-features/) ~ ~

** SUPPORT THIS NEWSLETTER

Thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps keep the newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here. ~ ~

** THE STUFF YOU MIGHT’VE MISSED

Feds aim to bolster data encryption practices for .gov websites (https://www.cyberscoop.com/encryption-https-gsa-domains/) Cyberscoop: The government’s tech department is urging government domain operators to upgrade their websites’ security to include HSTS (https://home.dotgov.gov/management/preloading/dotgovhttps/), a security feature that ensures browsers always use an HTTPS connection to access the site. Expanding HSTS across federal agencies makes it far more difficult for hackers to hijack or impersonate federal websites.
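To make the HSTS point concrete, here is an added example (not code from the newsletter, Cyberscoop or the dotgov guidance) that parses a Strict-Transport-Security header the way a browser does and reports whether a site is ready for the preload list. The preload requirements it checks (a max-age of at least one year, includeSubDomains and preload) are the hstspreload.org submission rules as the author understands them, and the sample response headers are constructed:

```python
"""Audit a Strict-Transport-Security (HSTS) header for HTTPS-only and
preload readiness. Added example; not code from the newsletter, Cyberscoop
or the dotgov guidance. Sample headers below are constructed."""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the hstspreload.org submission rules at the time of writing,
# which require a max-age of at least one year, includeSubDomains and preload.
MIN_PRELOAD_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def preload_ready(self) -> bool:
        return not self.problems


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse the directive list of an HSTS header (RFC 6797 section 6.1) and
    record anything that would keep the site off the preload list.
    Directive names are case-insensitive; max-age must occur exactly once;
    unknown directives are ignored, as the RFC requires."""
    policy = HstsPolicy()
    if header is None:
        policy.problems.append("no Strict-Transport-Security header")
        return policy
    max_age_count = 0
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            max_age_count += 1
            if re.fullmatch(r"\d+", value):
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if max_age_count != 1:
        policy.problems.append("max-age must appear exactly once")
    elif policy.max_age is not None and policy.max_age < MIN_PRELOAD_MAX_AGE:
        policy.problems.append(
            f"max-age {policy.max_age} is below the {MIN_PRELOAD_MAX_AGE}s preload minimum"
        )
    if not policy.include_subdomains:
        policy.problems.append("includeSubDomains directive missing")
    if not policy.preload:
        policy.problems.append("preload directive missing")
    return policy


def audit_response_headers(headers: Dict[str, str]) -> HstsPolicy:
    """Look up the header case-insensitively in a response-header mapping
    (the kind of dict an HTTP client hands back) and evaluate it."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return parse_hsts(lookup.get("strict-transport-security"))


# Constructed sample responses for three hypothetical .gov-style hosts.
SAMPLE_RESPONSES = {
    "preloaded.example.gov": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short-lived.example.gov": {"strict-transport-security": "max-age=300"},
    "no-hsts.example.gov": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for host, headers in SAMPLE_RESPONSES.items():
        policy = audit_response_headers(headers)
        status = "preload-ready" if policy.preload_ready else "; ".join(policy.problems)
        print(f"{host}: {status}")
```

Note that a short max-age (the 300-second sample) still turns on HTTPS-only behaviour in browsers that have already seen the header, but it does nothing for a first visit and is rejected by the preload list, which is why the checker reports it as a problem rather than a pass.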

Former Maersk employee details the notPetya malware attack (https://gvnshtn.com/maersk-me-notpetya/) Gavin Ashton: @gvnshtn (https://twitter.com/gvnshtn), who used to work at Maersk, wrote a detailed, in-depth account of the timeline of the notPetya malware attack that hit in 2017, shortly after the WannaCry outbreak. Ashton discusses the event and its aftermath, and what lessons should be learned. This is another must-read of the week.

How thousands of misplaced emails took over this engineer’s inbox (https://www.wired.com/story/misplaced-emails-took-over-inbox-temporal/) Wired ($): @lilyhnewman (https://twitter.com/lilyhnewman) has this great story on how a Spanish-speaking engineer’s email address became a catch-all account for other people’s sensitive data, all because his email is temporal@gmail.com, which means “temporary” in Spanish. As you can imagine, a lot of people in the Spanish-speaking world use that email to fill in a dummy email address on web forms — especially if they don’t want to give out their real email address. It’s almost like registering “noreply@gmail.com”; imagine the amount of replies you’d actually get.

Web skimmer hides credit card skimming code via web favicons (https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/) Malwarebytes: I tweeted this out because I had no idea (https://twitter.com/zackwhittaker/status/1276524893727793152) this was possible. Scammers can hide credit card skimming code in the favicon — that is the small icon in the website’s browser tab. If abused, it “grabs the content of the input fields where online shoppers are entering their name, billing address and credit card details.” Fascinating stuff, and arguably pretty impressive (even if illegal). ~ ~
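As an added example (not code from the newsletter or the Malwarebytes write-up), here is a small Python scanner a site owner could run over the images a store serves: it walks the tagged segments of a JPEG and flags script-like tokens in the metadata segments (APPn, which carry EXIF and similar data, and COM), where no JavaScript has any business being. The JPEG bytes are constructed in the block, the tainted APP1 payload is a stand-in rather than a well-formed EXIF structure, and the token list is an assumption about what a reviewer would want surfaced:

```python
"""Scan the metadata segments of a JPEG for script-like content.
Added example; not code from the newsletter or the Malwarebytes write-up.
The JPEG bytes and the token list below are constructed for illustration."""

import re
import struct
from typing import Iterator, List, Tuple

# Assumption: tokens a reviewer would want flagged inside image metadata.
SUSPICIOUS = re.compile(
    rb"<script\b|eval\s*\(|atob\s*\(|document\.|XMLHttpRequest|fetch\s*\(|onload\s*=",
    re.IGNORECASE,
)


def iter_jpeg_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for every length-prefixed segment up to and
    including SOS; the entropy-coded image data after SOS is not parsed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # padding byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:  # EOI
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers carry no length
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 2:pos + length]
        if marker == 0xDA:  # SOS: compressed scan follows, stop here
            return
        pos += length


def segment_name(marker: int) -> str:
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return "COM" if marker == 0xFE else f"0x{marker:02X}"


def scan_image_metadata(data: bytes) -> List[Tuple[str, str]]:
    """Return (segment, token) pairs for suspicious tokens found in the
    APPn (EXIF, XMP, ICC, ...) and COM segments of a JPEG."""
    findings = []
    for marker, payload in iter_jpeg_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue
        for match in SUSPICIOUS.finditer(payload):
            findings.append((segment_name(marker), match.group(0).decode("latin-1")))
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (helper for the constructed samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples. The APP1 payload in the tainted file is a stand-in for
# an EXIF block, not a well-formed TIFF/IFD structure.
_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_SOS_AND_EOI = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\xff\xd9"
CLEAN_JPEG = b"\xff\xd8" + _JFIF + _SOS_AND_EOI
TAINTED_JPEG = (
    b"\xff\xd8"
    + _JFIF
    + _segment(0xE1, b"Exif\x00\x00Copyright: eval(atob('bm90IHJlYWwgY29kZQ=='))")
    + _SOS_AND_EOI
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("tainted", TAINTED_JPEG)):
        print(label, scan_image_metadata(blob) or "no findings")
```

The scanner deliberately stops at the start-of-scan marker: the skimmer described above lives in metadata, and parsing the compressed image data would add cost without adding coverage. Pair a check like this with integrity monitoring of the site’s static assets, since a favicon that changes without a deploy is itself a signal.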

** OTHER NEWSY NUGGETS

Privacy-focused Tails wants to know how Facebook and the FBI hacked it (https://www.vice.com/en_us/article/dyz3jy/privacy-focused-os-tails-wants-to-know-how-facebook-and-the-fbi-hacked-it) A couple of weeks ago, Motherboard reported (https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) how Facebook paid a six-figure sum to a cybersecurity firm to develop a hacking tool to target a child predator who used the privacy-focused Tails operating system. Now, Motherboard says the developers behind Tails want to know (https://www.vice.com/en_us/article/dyz3jy/privacy-focused-os-tails-wants-to-know-how-facebook-and-the-fbi-hacked-it) how the hack was carried out. The problem is that when the hack was used, nobody told the Tails developers. That means others could potentially be at risk. Tails wants to know what the bug is so it can fix it before innocent users are targeted.

Crooks abuse Google Analytics to conceal theft of payment card data (https://arstechnica.com/information-technology/2020/06/google-analytics-trick-allows-crooks-to-hide-card-skimming/) Another interesting credit card stealing trick this week. Hackers are abusing Google Analytics, which tracks how many visitors a website has, to covertly siphon stolen credit card data from infected sites. The research (https://securelist.com/web-skimming-with-google-analytics/97414/) said at least two dozen sites are affected.

Twitter apologizes for business data breach (https://www.bbc.com/news/technology-53150157) Yet another Twitter security incident. This time, business users’ data was potentially exposed in their browser cache, including their name, email address, and the last four digits of their payment card. Twitter said it was “possible” others could have accessed personal information. ~ ~

** THE HAPPY CORNER

Some good news for you this week:

The folks at @CircleCityCon (https://twitter.com/CircleCityCon) raised $1,000 in donations to support The Trevor Project, a great non-profit focused on suicide prevention for LGBTQ+ youth.

And, Citizen Lab, the University of Toronto internet watchdog that helps uncover censorship and nation-state spying, has created (https://twitter.com/jsrailton/status/1276595631918911488?s=21) a new fellowship on surveillance, digital security, and race. The fellowship is specifically for those who identify as Black. This can’t come at a more important time, given that surveillance and facial recognition, for example, disproportionately affect people of color. You can read more and apply here (https://citizenlab.ca/2020/06/citizen-lab-fellowship-surveillance-digital-security-and-race/). If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~

** THIS WEEK’S CYBER CAT

Meet Charlotte, this week’s cyber cat. You can see here she’s performing a cat-in-the-middle attack on her human’s laptop. A big thanks to @douglawrencecan (https://twitter.com/douglawrencecan) for the submission! Please keep sending in your cyber cats! If you have sent in photos before, feel free to send in more again! You can email them in here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). ~ ~

** SUGGESTION BOX

That’s it for this week. As always, a big thanks for reading and subscribing. If you have any thoughts or feedback, feel free to drop a note in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Have a great week.
