this week in security — june 30 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 25.
** THIS WEEK, TL;DR
DHS cyber chief warns of surge in Iranian “wiper” attacks (https://arstechnica.com/information-technology/2019/06/dhs-cyber-director-warns-of-surge-in-iranian-wiper-hack-attacks/) Ars Technica: Amid ongoing tensions between the U.S. and Iran, Homeland Security’s cyber division chief Chris Krebs warned about a rise in “wiper” attacks, believed to be a tool of choice for Iranian hackers. “What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” said Krebs. In a later interview (https://arstechnica.com/tech-policy/2019/06/we-need-to-up-our-game-dhs-cybersecurity-director-on-iran-and-ransomware/) with Ars, Krebs said there was a “dramatic increase” in activity, even if no malicious payloads have been seen yet. More: CISA (https://www.dhs.gov/cisa/news/2019/06/22/cisa-statement-iranian-cybersecurity-threats) | Ars Technica (https://arstechnica.com/tech-policy/2019/06/we-need-to-up-our-game-dhs-cybersecurity-director-on-iran-and-ransomware/)
Western spies hacked ‘Russia’s Google’ Yandex to spy on accounts (https://www.reuters.com/article/us-usa-cyber-yandex-exclusive/exclusive-western-intelligence-hacked-russias-google-yandex-to-spy-on-accounts-sources-idUSKCN1TS2SX) Reuters: Western intelligence agencies are said to have broken into Yandex, known as Russia’s Google, using the Regin malware to spy on accounts. Yandex said the attack was “fully neutralized” before any damage was done. Sources speaking to Reuters said the malware was looking for how users are authenticated, which could have let spies impersonate any of Yandex’s 108 million users. Background: Reuters (https://www.reuters.com/article/russia-fsb-yandex/yandex-and-fsb-reach-agreement-on-encryption-keys-tass-idUSR4N1D304V)
A device to detect ‘aggression’ in schools often misfires (https://features.propublica.org/aggression-detector/the-unproven-invasive-surveillance-technology-schools-are-using-to-monitor-students/) ProPublica: In response to mass shootings, some schools and hospitals are installing microphones equipped with algorithms designed to detect screams or stress before violence erupts. On one hand it’s a privacy invasion; on the other, the technology barely works. Most of the time it picks up raspy coughs or even singing. It turns out these “aggression detection” devices are just an Orange Pi running a pared-down version of Linux. More: Wired ($) (https://www.wired.com/story/device-detect-aggression-schools-often-misfires/) | @jackgillum (https://twitter.com/jackgillum/status/1143520995636109312?s=21)
Myspace staff abused a tool, ‘Overlord’, to spy on users (https://www.vice.com/en_us/article/j5w4xx/myspace-employees-spied-on-users-with-internal-tool-overlord) Motherboard: Back when Myspace was the king of social networks, multiple staff reportedly used a tool called “Overlord” to read users’ messages and access their passwords, @josephfcox (https://twitter.com/josephfcox) reports. The tool was described as an “entire backdoor” to the Myspace platform. “While the tool was originally designed to help moderate the platform and allow MySpace to comply with law enforcement requests, multiple sources said the tool was used for illegitimate purposes by employees who accessed Myspace user data without authorization to do so.” Archive: Motherboard (https://www.vice.com/en_us/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion)
Inside the West’s failed fight against China’s ‘Cloud Hopper’ hackers (https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/) Reuters: This deep-dive investigation by Reuters was really well done. Chinese hackers spent years inside eight of the world’s biggest technology service providers, including HPE, Fujitsu and NTT Data, and used that access as a stepping stone into the providers’ customers. The hackers, believed to be associated with APT10, were charged last year (https://techcrunch.com/2018/12/20/us-indictment-tech-hacks-chinese/) . They were after intellectual property and industrial secrets. Typical China. More: TechCrunch (https://techcrunch.com/2018/12/20/us-indictment-tech-hacks-chinese/) | PwC
Trump officials weigh encryption crackdown (https://www.politico.com/story/2019/06/27/trump-officials-weigh-encryption-crackdown-1385306) Politico: This again. Several members of the National Security Council are reported to have weighed up another round of the crypto wars. Congress would have to outlaw end-to-end encryption, they said, but no decision had been made yet on whether to back such an effort. More: Gizmodo (https://gizmodo.com/trump-white-house-reportedly-debating-encryption-policy-1835920433)
Hackers are stealing years of call records from hacked cell networks (https://techcrunch.com/2019/06/24/hackers-cell-networks-call-records-theft/) TechCrunch: Security researchers say they’ve found evidence of multiple intrusions at several cell providers’ networks that led to the theft of hundreds of gigabytes of call detail records every time they broke in — at least four or five times over the past year alone. It was part of an espionage effort against at least 20 targeted individuals — likely more — to understand where they went, when, and who they talked to. It’s a very similar operation to the NSA’s phone records collection program — except nobody from the government came knocking on a telco’s door with a permission slip from the FISA court. (Disclosure: I wrote this story.) More: Reuters (https://www.reuters.com/article/us-cyber-telecoms-cybereason/hackers-steal-data-from-telcos-in-espionage-campaign-cyber-firm-idUSKCN1TQ0BC) | Cybereason (https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers)
Mistakes in phone record collection led NSA to close program (https://www.washingtonpost.com/world/national-security/repeated-mistakes-in-phone-record-collection-led-nsa-to-shutter-controversial-program/2019/06/25/f256ba6c-93ca-11e9-b570-6416efdc0803_story.html?utm_term=.9ad002b711c3) Washington Post ($): Speaking of which… in other news this week, the NSA was caught improperly collecting phone records for a second time. A second time! The ACLU obtained documents showing the collection happened just months after the agency was forced to delete (https://techcrunch.com/2019/06/26/nsa-improper-phone-records-collection/) hundreds of millions of records it wasn’t lawfully allowed to collect. It was these legal snafus that led the NSA to effectively shutter the phone metadata collection program over the past year, ahead of the law’s anticipated expiry in December. More: TechCrunch (https://techcrunch.com/2019/06/26/nsa-improper-phone-records-collection/) | ACLU (https://www.aclu.org/legal-document/nsa-foia-documents-quarterly-reports-intelligence-oversight-board-nsa-activities)
Silexbot is bricking IoT devices with known login credentials (https://blogs.akamai.com/sitr/2019/06/sirt-advisory-silexbot-bricking-systems-with-known-default-login-credentials.html) Akamai: Some interesting findings out of Akamai. A new bot, dubbed Silexbot, is a “blunt tool” that logs in to IoT devices using default, unchanged credentials and effectively destroys them. The malware overwrites the device’s storage with random data, wipes its network configuration and firewall rules, and then halts it, leaving the device dead until someone reflashes it. It’s not too dissimilar to BrickerBot (https://arstechnica.com/information-technology/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/) , which emerged in 2017 and likewise deliberately bricked insecure devices. The lesson hasn’t changed: anything reachable over telnet or SSH with a vendor default password is one scan away from being taken over, or in this case destroyed. More: ZDNet (https://www.zdnet.com/article/new-silex-malware-is-bricking-iot-devices-has-scary-plans/) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Burned by Fire(fox): A three-part series (https://objective-see.com/blog/blog_0x45.html) Objective See: @patrickwardle (https://twitter.com/patrickwardle) has posted the final installment of a three-part series on a Firefox zero-day used to target employees of several cryptocurrency exchanges and install Mac backdoors. As usual, it’s a really good deep dive. You should also read Robert Heaton’s nail-biting blog post (https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/) on how he almost became a victim himself. He was lucky enough to be using Chrome, not Firefox.
Hackers are poking at a macOS flaw Apple left unfixed (https://www.wired.com/story/macos-gatekeeper-vulnerability/) Wired ($): Keeping with the Mac security thread, @brbarrett (https://twitter.com/brbarrett) has a story on a Mac vulnerability that hackers are beginning to use and abuse. Apple was notified of the Gatekeeper bypass back in February but has yet to fix it. Security researcher Filippo Cavallarin published the details after the 90-day disclosure window lapsed. If exploited, the bug lets attackers slip malicious code past Gatekeeper’s checks, so until Apple ships a fix, Gatekeeper alone should not be counted on to stop an unsigned binary from running.
Cloudflare blames outage on Verizon BGP issues (https://techcrunch.com/2019/06/24/cloudflare-outage-affecting-numerous-sites-on-monday-am/) TechCrunch: Cloudflare this week had an hours-long outage in which, at its worst, about 15 percent of its global traffic dropped. The company quickly blamed Verizon for the BGP route leak. In a blog post (https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/) , Cloudflare explained that a BGP optimizer at a small provider generated more-specific routes for prefixes it did not own, and that Verizon accepted those routes and re-advertised them to the rest of the internet instead of filtering them; Cloudflare called it the equivalent of routing an entire freeway down a neighborhood street. “This should never have happened because Verizon should never have forwarded those routes to the rest of the Internet,” wrote CEO Matthew Prince. The practical takeaway for anyone running a transit or peering edge: prefix-list and max-prefix filters on customer sessions, plus dropping RPKI-invalid routes, would have kept the leak contained. The Register (https://www.theregister.co.uk/2019/06/24/verizon_bgp_misconfiguration_cloudflare/) also had a good explainer on what went down.
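The leak Cloudflare describes was a batch of more-specific prefixes that an upstream should have dropped at its border. The following is an added example, not code from Cloudflare’s post or from any router vendor, of the two checks that catch that class of leak: a maximum prefix-length filter and RFC 6811 route origin validation against ROAs. The ROA table, prefixes (RFC 5737 and RFC 3849 documentation ranges) and ASNs (private range) are constructed for illustration, not the routes from the incident.

```python
"""Prefix-length filtering and RFC 6811 route origin validation.

Added example; the ROA table, prefixes (documentation ranges) and ASNs
(private range) are constructed, not the routes from the incident.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class Roa:
    """A validated ROA payload: the holder of `prefix` authorises `origin_asn`
    to originate it and any more-specific no longer than `max_length`."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int   # last AS in the AS_PATH


def covering_roas(ann: Announcement, roas: List[Roa]) -> List[Roa]:
    """ROAs whose prefix contains the announced prefix (a 'covering' ROA)."""
    net = ip_network(ann.prefix)
    out = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(ann: Announcement, roas: List[Roa]) -> str:
    """RFC 6811 outcome: valid if some covering ROA matches both origin and
    length, invalid if covering ROAs exist but none matches, not-found if
    nothing covers the prefix at all."""
    covering = covering_roas(ann, roas)
    if not covering:
        return NOT_FOUND
    plen = ip_network(ann.prefix).prefixlen
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and plen <= roa.max_length:
            return VALID
    return INVALID


def accept_route(ann: Announcement, roas: List[Roa],
                 max_v4: int = 24, max_v6: int = 48) -> Tuple[bool, str]:
    """Minimal import policy for a transit border: drop anything more specific
    than /24 (IPv4) or /48 (IPv6), then drop RPKI-invalid routes. Not-found
    routes are still accepted, which is why the length filter matters on its own."""
    net = ip_network(ann.prefix)
    limit = max_v4 if net.version == 4 else max_v6
    if net.prefixlen > limit:
        return False, f"more specific than /{limit}"
    state = validate_origin(ann, roas)
    if state == INVALID:
        return False, "rpki invalid"
    return True, state


# Constructed ROA table: AS64500 holds 192.0.2.0/24 and 2001:db8::/32.
ROAS = [Roa("192.0.2.0/24", 24, 64500), Roa("2001:db8::/32", 48, 64500)]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the policy over constructed announcements, including a leaked
    more-specific like the ones in the Cloudflare incident."""
    cases = {
        "legitimate": Announcement("192.0.2.0/24", 64500),
        "leaked more-specific": Announcement("192.0.2.0/25", 64500),
        "wrong origin": Announcement("192.0.2.0/24", 64496),
        "no roa": Announcement("198.51.100.0/24", 64496),
        "v6 too long": Announcement("2001:db8:1::/64", 64500),
    }
    return {name: accept_route(a, ROAS) for name, a in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'accept' if ok else 'reject'} ({why})")
```

In production the ROA table comes from an RPKI validator (rpki-client or Routinator, for example) and the decision is expressed as router policy rather than Python, but the logic is the same: the leaked /25 is rejected twice over, once for being longer than the /24 limit and again because no ROA authorises a /25, while the route with no ROA at all still gets through, which is exactly the gap prefix-list filters on customer sessions are there to close.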
Huawei gear ‘more vulnerable’ to hackers than its rivals’ equipment (https://www.wsj.com/articles/huawei-telecom-gear-much-more-vulnerable-to-hackers-than-rivals-equipment-report-says-11561501573?shareToken=st2e6541e2613d4818bd7b4036159d8ca4) Wall Street Journal ($): Here’s a weird story about security one-upmanship. A new report out this week suggests Huawei’s telecom equipment is a lot buggier than its rivals’. Every tested firmware image contained at least one bug, the report found. Somehow the tech with the most bugs ends up overshadowing the fact that Western tech has a ton of bugs, too.
Deconstructing the Apple Card: A hacker’s perspective (https://www.cisomag.com/deconstructing-apple-card-a-hackers-perspective/) CISO Mag: The new Apple Card is meant to be a numberless, secure credit card with a rotating card verification number that aims to prevent fraud. Researchers gave it a pretty firm thumbs up — but warned that the hardware itself is a single point of failure. If there’s a bug in the card there’s no easy fix, they said. ~ ~
** OTHER NEWSY NUGGETS
A vendor for half the Fortune 100 exposed their backups (https://www.upguard.com/breaches/attunity-data-leak) UpGuard security researchers found an exposed Amazon S3 bucket containing about a terabyte of data, mostly backups from some of the largest companies in the world. Attunity, a data integration company, had left the bucket readable by anyone on the internet, no credentials required. The data included email correspondence, system passwords, sales and marketing contact information, project specifications, and more.
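UpGuard found the Attunity data because the bucket answered anonymous requests. As an added example, not UpGuard’s tooling or Attunity’s configuration, here is an offline check over the three things that decide whether an S3 bucket is public: its ACL, its bucket policy, and its Block Public Access settings. The input dicts mirror the shapes that boto3’s get_bucket_acl, get_bucket_policy (the "Policy" string) and get_public_access_block (the "PublicAccessBlockConfiguration" dict) return, but the sample ACL, policies, bucket name and account ID below are constructed.

```python
"""Offline check for publicly accessible S3 buckets.

Added example; the ACL, policies, bucket name and account ID are constructed.
The dict shapes follow what boto3's get_bucket_acl, get_bucket_policy["Policy"]
and get_public_access_block["PublicAccessBlockConfiguration"] return.
"""
import json
from typing import Dict, List, Optional, Tuple

# Grantee URIs meaning "everyone on the internet" / "anyone with any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: Dict) -> List[str]:
    """Return 'Group:Permission' findings for public grantees in a bucket ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return findings


def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (list form included)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[str]:
    """Sids (or positions) of Allow statements open to any principal with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given bare
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by source IP, VPC, etc.; worth review but not unconditional
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def assess_bucket(acl: Dict, policy_json: Optional[str],
                  public_access_block: Optional[Dict]) -> Tuple[bool, List[str]]:
    """Decide whether the bucket is reachable without credentials, and why.

    Block Public Access settings override the other two: IgnorePublicAcls
    neutralises public ACL grants and RestrictPublicBuckets neutralises a
    public bucket policy. Object-level ACLs are not covered here.
    """
    pab = public_access_block or {}
    reasons = []
    if not pab.get("IgnorePublicAcls"):
        reasons += [f"ACL grants {g}" for g in public_acl_grants(acl)]
    if policy_json and not pab.get("RestrictPublicBuckets"):
        reasons += [f"policy {sid} allows a wildcard principal"
                    for sid in public_policy_statements(policy_json)]
    return bool(reasons), reasons


# ---- constructed samples (placeholder owner ID, account ID and bucket name) ----
OWNER = {"ID": "0" * 64}
ACL_PUBLIC = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
ACL_PRIVATE = {"Owner": OWNER, "Grants": [ACL_PUBLIC["Grants"][0]]}
POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups-example/*"}]})
POLICY_PRIVATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupWriter", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::backups-example/*"}]})
POLICY_CONDITIONAL = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::backups-example/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    return {
        "exposed": assess_bucket(ACL_PUBLIC, POLICY_PUBLIC, None),
        "exposed-but-blocked": assess_bucket(ACL_PUBLIC, POLICY_PUBLIC, BLOCK_ALL),
        "private": assess_bucket(ACL_PRIVATE, POLICY_PRIVATE, None),
        "ip-scoped": assess_bucket(ACL_PRIVATE, POLICY_CONDITIONAL, None),
    }


if __name__ == "__main__":
    for name, (public, why) in demo().items():
        print(f"{name}: {'PUBLIC' if public else 'ok'} {why}")
```

The "exposed-but-blocked" case is the point of the account-level Block Public Access feature: the same bad ACL and policy become harmless once it is on, which is why turning it on for every account that has no business serving a public website is cheaper than auditing buckets one at a time. The conditional policy is deliberately not flagged; a statement scoped to a source IP range still deserves a look, but it is not the anonymous-read hole that UpGuard walked through.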
OneDrive Personal Vault adds a new layer of security for sensitive files (https://www.microsoft.com/en-us/microsoft-365/blog/2019/06/25/onedrive-personal-vault-added-security-onedrive-additional-storage/) Microsoft rolled out Personal Vault this week, a “protected area in OneDrive” that comes with additional security features to get in. It requires a second step of identity verification, like a fingerprint or a PIN, to keep extra sensitive files locked away.
Gmail’s API lockdown will kill some apps starting July 15 (https://arstechnica.com/gadgets/2019/06/gmails-api-lockdown-will-kill-some-third-party-app-access-starting-july-15/) Google’s new API rules, announced last October (https://cloud.google.com/blog/products/g-suite/elevating-user-trust-in-our-api-ecosystems) , are about to come into force. On July 15, a bunch of third-party apps will be locked out of your Google account data. One of the new requirements applies to developers storing account data on a third-party server. “Google will now require those apps to pass a third-party security audit, which the app developer must pay for.” ~ ~
** THE HAPPY CORNER
In the happy world of good news this week, we saw:
@matthew_d_green (https://twitter.com/matthew_d_green/status/1143327951599153155?s=21) bleached and dyed his hair blue because his kid wanted the same but would only do it if his dad did, too. In an incredible show of strong dad game, Green live tweeted the whole thing, raising $12,500 in the process for @RaicesTexas (https://twitter.com/RAICESTEXAS) .
Thanks to donations and the collective community spirit, 23 women of color are going to Black Hat this year, says @IanColdwater (https://twitter.com/IanColdwater/status/1143595765178294279) . That’s incredible news!
And a huge congrats to Times cybermom @sheeraf (https://twitter.com/sheeraf/status/1144976473809276928) , who won a Loeb award and welcomed her second kid to the world shortly after. Sending love and good vibes your way. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercat is Sweetpea, who — as you can see — is always on the lookout for advanced persistent threats. And catnip (obviously). A big thanks to Sweetpea’s human Matt Egen (https://twitter.com/flyingbluemonki) for the submission. (You may need to enable images in this email.) Please send in your cybercats! They will always be featured. You can submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . ~ ~
** SUGGESTION BOX
Thanks for tuning in! As always, you can leave feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . I hope you have a great week — see you next Sunday. ~ ~