this week in security — june 9 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 22.
** THIS WEEK, TL;DR
20 million affected by Quest, LabCorp breaches (https://www.wsj.com/articles/quest-diagnostics-says-11-9-million-patients-may-have-been-affected-by-breach-11559562193) Wall Street Journal ($), USA Today: A breach at third-party payments site, American Medical Collection Agency, put the data of 11.9 million Quest Diagnostics and 7.7 million LabCorp patients (https://www.usatoday.com/story/money/2019/06/04/labcorp-data-breach-7-7-million-consumers-affected/1346264001/) at risk. That’s just shy of 20 million patients — with likely more affected. Lab results were not stolen in the breach, but payment data may have been exposed. More: USA Today (https://www.usatoday.com/story/money/2019/06/04/labcorp-data-breach-7-7-million-consumers-affected/1346264001/) | TechCrunch (https://techcrunch.com/2019/06/03/quest-diagnostics-breach/) | SEC filing (https://www.sec.gov/Archives/edgar/data/1022079/000094787119000415/ss138857_8k.htm?g8oi23jg43g)
Wave of SIM swapping attacks hit U.S. cryptocurrency users (https://www.zdnet.com/article/wave-of-sim-swapping-attacks-hit-us-cryptocurrency-users/) ZDNet: Dozens of U.S.-based cryptocurrency owners saw their mobile phone numbers hijacked in SIM swapping attacks. “The purpose of this attack is so that hackers can reset passwords or receive [two-factor] verification codes and access protected accounts,” wrote @campuscodi (https://twitter.com/campuscodi). Several victims said T-Mobile customers were affected. Others had their accounts restored, which likely involved account PINs being bypassed by employees. It comes just a week after Sean Coonce wrote about how he had his SIM swapped and $100,000 worth of cryptocurrency stolen (https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124). More: Medium (https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124) | Background: NBC Bay Area (https://www.nbcbayarea.com/investigations/Hackers-Steal-Millions-from-Bay-Area-Residents-by-Targeting-Cell-Phones-in-SIM-Swap-Scams-510302201.html)
Google confirms backdoor came preinstalled on Android devices (https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/) Ars Technica: Google came clean two years after hackers managed to slip an “advanced” backdoor, dubbed Triada, onto Android devices before they shipped. The search and mobile giant said in its blog post (https://security.googleblog.com/2019/06/pha-family-highlights-triada.html) that it worked with device makers by “supplying them with instructions for removing the threat from devices,” which “reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates.” It comes two years after Dr. Web found (https://news.drweb.com/show/?i=11390&lng=en) the malware in several Android images, sparking concerns. More: Google Security (https://security.googleblog.com/2019/06/pha-family-highlights-triada.html) | Background: Kaspersky (https://www.kaspersky.com/blog/triada-trojan/11481/) | Dr. Web (https://news.drweb.com/show/?i=11390&lng=en)
Baltimore’s bill for ransomware: Over $18 million, so far (https://arstechnica.com/information-technology/2019/06/baltimores-bill-for-ransomware-over-18-million-so-far/) Ars Technica: Whether or not you think EternalBlue was the cause of Baltimore’s ransomware attack, the recovery is still going. It’s cost the city some $18 million so far. The ransom itself was only $70,000 — but the FBI warned against paying, as it often does. “Even if you pay, you still have to go into your system and make sure they’re out of it,” said Sheryl Goldstein, the city’s chief of staff for operations. “You can’t just bring it back up and believe they are gone… we would bear much of these costs regardless.” More: Ars Technica (https://arstechnica.com/information-technology/2019/06/baltimore-ransomware-perp-pinky-swears-he-didnt-use-nsa-exploit/)
Election software vendor opened gap for hackers in 2016 swing state (https://www.politico.com/story/2019/06/05/vr-systems-russian-hackers-2016-1505582) Politico: Another major @kimzetter (https://twitter.com/KimZetter) scoop. Election software vendor VR Systems remotely logged into a central computer for several hours in 2016 to figure out problems with its voter list tool. Security experts call that a massive no-no, since the remote session could have been abused or exploited by hackers. “But interference with voter records or electronic poll book software could allow an attacker to alter records in a way that prevents people from voting in crucial swing precincts,” Zetter wrote. More: @KimZetter tweet thread (https://twitter.com/KimZetter/status/1136329187340374017) | Washington Post ($) (https://www.washingtonpost.com/investigations/federal-investigators-to-examine-equipment-from-2016-north-carolina-election-amid-renewed-fears-of-russian-hacking/2019/06/05/b70402e6-7816-11e9-b7ae-390de4259661_story.html)
Apple macOS security protections can easily be bypassed with ‘synthetic’ clicks (https://techcrunch.com/2019/06/03/macos-security-flaw-synthetic-clicks/) TechCrunch: Turns out those click protections on macOS designed to prevent malware from making consent decisions on your behalf aren’t that good. @patrickwardle (https://twitter.com/patrickwardle) found he could generate manufactured or “synthetic” clicks to gain access to a user’s microphone, webcam, location and more — even though they’re not supposed to work. (Disclosure: I wrote this story.) More: Wired ($) (https://www.wired.com/story/apple-macos-bug-synthetic-clicks/)
Company advertised U.S., Canadian and Indian phone location data for sale (https://www.vice.com/en_us/article/597kk5/phone-location-data-america-canada-india-philippines) Motherboard: Just when you thought the location data scandal (https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile) was over — think again! Turns out an LA-based company, TeleSign, was until recently advertising access to real-time phone location data in the U.S., Canada and India — with the Philippines coming soon. “When Motherboard approached TeleSign for comment and asked about the sources for its international phone location data access, the company removed the product from its website,” wrote @josephfcox (https://twitter.com/josephfcox). Hmm! Background: Motherboard (https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile) | CBC (https://www.cbc.ca/news/technology/rogers-bell-telus-enstream-location-data-sharing-securus-1.4666739) | The New York Times ($) (https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html)
440 million Android users installed apps with aggressive advertising (https://www.zdnet.com/article/440-million-android-users-installed-apps-with-an-aggressive-advertising-plugin/) ZDNet: About 440 million Android users downloaded and installed apps from Google Play that contained an ad library that aggressively pushed out-of-app ads to make bank. More than 230 apps were taken off the Google Play app store following the discovery. More: ZDNet (https://www.zdnet.com/article/android-adware-has-plagued-the-google-play-store-in-the-past-two-months/) | Lookout (https://blog.lookout.com/beitaplugin-adware)
** THE STUFF YOU MIGHT’VE MISSED
Joseph Menn: The band of hackers that defined an era (https://www.wired.com/story/cult-of-the-dead-cow-at-stake-hackers-excerpt/) Wired ($): @josephmenn (https://twitter.com/josephmenn/) has an excerpt out from his widely acclaimed book, Cult of the Dead Cow, which earlier this year revealed Democratic presidential candidate Beto O’Rourke as a member. The excerpt looks at a small firm, @stake, which became a main focal point for early hackers back in the day, like Mudge, Alex Stamos and Chris Wysopal.
Apple announces ‘Sign in with Apple’ feature (https://www.zdnet.com/article/wwdc-2019-apple-announces-sign-in-with-apple-feature/) ZDNet: Apple’s new sign-in feature is interesting — it’s a new way of authenticating with a service without giving away your private information. Or, as Apple describes it, “a fast, easy way to sign in, without all the tracking.” It’ll be mandatory for any developer using a third-party sign-in option. @sarahintampa (https://twitter.com/sarahintampa) has a bunch of answers (https://techcrunch.com/2019/06/07/answers-to-your-burning-questions-about-how-sign-in-with-apple-works/) from the event explaining how it works and more.
Exim mail server flaw affects millions of machines (https://arstechnica.com/information-technology/2019/06/millions-of-machines-affected-by-command-execution-flaw-in-exim-mail-server/) Ars Technica: Millions of internet-connected Exim mail servers are vulnerable to a bug that “allows unauthenticated attackers to execute commands with all-powerful root privileges.” Qualys said in an advisory (https://www.openwall.com/lists/oss-security/2019/06/05/4) that the fix is now public after details of the bug leaked.
iOS 13 will let you limit app location access to ‘just once’ (https://techcrunch.com/2019/06/03/apple-ios-13-location-privacy/) TechCrunch: iOS 13, the next version of the iPhone software (iPadOS is the new name of the iPad software, confusingly), will allow users to grant apps access to their iPhone’s location just once. That’ll give users more granular options over how their location data is used and collected. (Disclosure: I wrote this story.) You’ll also get to see where your location has been used. Really looking forward to iOS 13.
Russia says Tinder must share user data, private messages (https://www.zdnet.com/article/russia-says-tinder-must-share-user-data-private-messages/) ZDNet: Russia’s internet regulator Roskomnadzor is demanding Tinder register (https://rkn.gov.ru/news/rsoc/news67394.htm) with the government, forcing the dating app maker to share user data and private messages with the country’s intelligence agencies. According to ZDNet (https://www.zdnet.com/article/russia-says-tinder-must-share-user-data-private-messages/), Tinder faces fines or a ban if it doesn’t comply. Mamba, Wamba, and Badoo are already on the database. It’s particularly chilling for the LGBTQ+ community, given Russia’s atrocious human rights record.
Even the NSA is warning users to patch BlueKeep (https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/) National Security Agency: In a rare advisory, the NSA said it’s “urging” Windows users to patch against the BlueKeep RDP vulnerability, which has the capacity to spread like wildfire. “We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw,” wrote the NSA. Well, duh — remember EternalBlue?
Assange won’t face charges over role in devastating CIA leak (https://www.politico.com/story/2019/06/02/julian-assange-cia-leak-1349425) Politico: @natashabertrand (https://twitter.com/natashabertrand/status/1135195539656650753?s=21) reports that the DOJ is done bringing charges against WikiLeaks founder Julian Assange, who already faces charges of computer hacking and the publication of classified materials (https://techcrunch.com/2019/05/26/assange-charges-freedom-press-threat/) — the latter being very bad for press freedom. Despite WikiLeaks releasing some of the CIA’s most precious hacking tools, the so-called Vault 7 disclosures, prosecutors have no plans to prosecute over the leak. Apparently it’s more of a national security issue: prosecutors don’t want classified information aired in court.
The clever cryptography behind Apple’s ‘Find My’ feature (https://www.wired.com/story/apple-find-my-cryptography-bluetooth/) Wired ($): And one more on the Apple front. There’s this new feature that allows Apple users to find their devices even when they’re offline. It works similarly to Tile’s beacon-based technology. Even if there’s no network connection, nearby devices will be able to ping your offline device — like a phone or a MacBook — and they’ll send the data back to Apple using a working connection. The feature is cryptographically protected so neither Apple nor anyone else can use it to track unwitting users (or so it currently stands). @matthew_d_green (https://twitter.com/matthew_d_green/status/1136355463065427968) has a pretty good explainer on how it works (https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/) from a cryptographic point of view.
** OTHER NEWSY NUGGETS
The EU’s embassy in Russia was hacked but kept it a secret (https://www.buzzfeednews.com/article/albertonardelli/eu-embassy-moscow-hack-russia) Well this is awkward. A leaked document obtained by BuzzFeed News shows the EU’s embassy in Moscow was hacked. It happened just weeks before the crucial European Parliament elections, but it was never publicly acknowledged. “Russian entities” — surprise, surprise! — are said to be behind the hack.
A push to protect political campaigns from hackers hits a snag (https://www.wired.com/story/fec-campaign-law-cybersecurity-limits/) Campaign finance laws must be seriously broken if in this day and age they don’t allow nonprofits and businesses to help on cybersecurity. @lilyhnewman (https://twitter.com/lilyhnewman?lang=en) at Wired ($) explains more on why the FEC allows some and not others. It seems right now there are rare exceptions and no formal rules behind providing cybersecurity services to political campaigns.
Microsoft wants more security researchers to hack into its cloud (https://www.bloomberg.com/news/articles/2019-06-07/microsoft-wants-more-security-researchers-to-hack-into-its-cloud) Microsoft said it’s codifying a long-held policy that it won’t sue or seek to prosecute hackers who hack into its systems in good faith. The safe harbor statement, said Bloomberg ($), will give researchers legal clearance to report a vulnerability. “We’ve always done that but we’ve never formally articulated it,” said Microsoft’s @kym_possible (https://twitter.com/kym_possible). GitHub, Dropbox, Tesla and Mozilla have all promised and set out legal protections for good faith security researchers.
Plot to steal cryptocurrency foiled by the npm security team (https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm) This was an absolutely wild read. npm’s security team protected against a $13 million cryptocurrency heist. It was down to a code supply chain attack. “The attack was carried out by using a pattern that is becoming more and more popular; publishing a ‘useful’ package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload,” the blog post said.
Firefox now has advanced tracking protection and other security fixes (https://blog.mozilla.org/blog/2019/06/04/firefox-now-available-with-enhanced-tracking-protection-by-default/) The browser’s new enhanced tracking protection blocks sites from tracking users, including through tracking cookies. It’s a fairly invisible feature, working mostly in the background. Also, by using container technology, Firefox will now help users protect their data from being uploaded to Facebook. (I’m serious about taking another look at Firefox this week.)
Microsoft deletes massive face recognition database (https://www.bbc.com/news/technology-48555149) Microsoft has deleted a massive database of 10 million images which was being used to train facial recognition systems. According to the BBC, the database was used to train a system used by police and the armed forces. The database drew ire because it included photos of artists and musicians, but also journalists (https://twitter.com/KimZetter/status/1136701694421549056) and activists. Really creepy.
** THE HAPPY CORNER
Here are some of the good things from the week:
@MicahFLee (https://twitter.com/micahflee/status/1136285008891645954?s=21) has a “semiphemeral” project out which automatically deletes tweets, except a few you choose not to delete. It’s a free, open-source project — and it’s pretty cool. It’s command line only but it’s really easy to use.
Here’s a funny joke (https://twitter.com/RichRogersIoT/status/1134973002196574209) about smart speakers (who knew that was even possible!), in case you missed it.
And, 65 years after his passing, Alan Turing, one of the cryptographers and mathematicians who helped the Allies win World War II through their codebreaking effort, was given an obituary (https://www.nytimes.com/2019/06/05/obituaries/alan-turing-overlooked.html) in The New York Times. Turing is said to have died by suicide after he was forced out of his government job, ostracized and prosecuted for being gay. British laws back then treated LGBTQ+ people in the worst possible way. The U.K. government eventually apologized in 2009, and Turing was granted a royal pardon in 2013. Finally, the Times is giving Turing the recognition he so deserved. It’s fitting that he gets his long-deserved obituary in Pride Month. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place).
** THIS WEEK’S CYBER CAT
Meet this week’s cybercat, Frankie Fangs. Sure, he could let you study for your GIAC malware analysis test… or you could pet him. A big thanks to his human, @Tarah (https://twitter.com/tarah), for the submission. Don’t forget to send in your cybercats! They will always get featured. The more, the merrier. You can submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
That’s all for now. What a week! Very busy. If anyone’s interested, I wrote a tweet thread (https://twitter.com/zackwhittaker/status/1135235231525593090) about how the newsletter is written — a little behind-the-scenes look behind my Sunday mornings. As always, the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open for feedback.
Have a great week, and see you next Sunday.