this week in security — march 1 edition
|MC_PREVIEW_TEXT|
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 9
View this email in your browser (|ARCHIVE|)
~ ~
** THIS WEEK, TL;DR
Clearview AI was breached, and Apple blocks its iOS app (https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-law-enforcement) BuzzFeed: Clearview AI, the controversial facial recognition startup, didn’t have a good week. Its client list was stolen in a data breach (https://www.thedailybeast.com/clearview-ai-facial-recognition-company-that-works-with-law-enforcement-says-entire-client-list-was-stolen) , then its client list was exposed (https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-law-enforcement) to also include non-law enforcement users, including Macy’s, Walmart, and the NBA. Then, its iOS app was found to have broken (https://techcrunch.com/2020/02/28/apple-ban-clearview-iphone/) Apple’s rules, prompting the technology giant to bring down its ban hammer. And, we finally got to see what data (https://www.vice.com/en_us/article/5dmkyq/heres-the-file-clearview-ai-has-been-keeping-on-me-and-probably-on-you-too) the company is storing on us, thanks to a CCPA request. What a week. More: Motherboard (https://www.vice.com/en_us/article/5dmkyq/heres-the-file-clearview-ai-has-been-keeping-on-me-and-probably-on-you-too) | RCMP (http://www.rcmp-grc.gc.ca/en/news/2020/rcmp-use-facial-recognition-technology) | TechCrunch (https://techcrunch.com/2020/02/28/apple-ban-clearview-iphone/)
NSA phone records program cost $100 million, only turned up two leads (https://www.nytimes.com/2020/02/25/us/politics/nsa-phone-program.html) The New York Times ($): A program used by the NSA to collect phone records on millions of Americans cost $100 million over a four-year period, reports the Times, citing a report by the Privacy and Civil Liberties Oversight Board. But the program only turned over two leads — and only helped in one investigation. The program has since been shut down after the NSA was found to have overcollected data on two separate occasions. Some of the NSA’s powers of collection expire on March 15, as lawmakers scramble to extend the law and address its privacy issues. More: @pclob_gov (https://twitter.com/pclob_gov/status/1232721264126636032?s=21)
Internal docs show why the U.S. military is publishing Russian and North Korean malware (https://www.vice.com/en_us/article/5dmwyx/documents-how-cybercom-publishes-russian-north-korean-malware-virustotal) Motherboard: A declassified secret document reveals why the U.S. military is publishing malware samples from Russian and North Korean hackers. It’s to bring “attention and awareness supports this strategy by putting pressure on malicious cyber actors, disrupting their efforts.” U.S. Cyber Command first published the malware samples back in 2018, and has been followed closely by industry watchers. Cyber Command even gave it its own Twitter account (https://twitter.com/CNMF_VirusAlert) . More: Cyberscoop (https://www.cyberscoop.com/cyber-command-virus-total-north-korean-malware/) Flaw in billions of Wi-Fi devices left communications open to eavesdropping (https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/) Ars Technica: Billions of devices are affected by a Wi-Fi flaw that allows nearby attackers to decrypt sensitive data sent over the air. The flaw is in the Wi-Fi chips made by Cupress and Broadcom, and dubbed Kr00k. At its heart, the chips’ encryption key is all-zeros, making it easy to decrypt traffic under certain conditions. Almost every Wi-Fi device you can think of is affected — or was, now that patches have been posted. More: ESET (https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/)
GoodRX saves you money — it also shares your data with Google and Facebook (https://www.consumerreports.org/health-privacy/goodrx-shares-users-health-data-with-google-facebook-others/) Consumer Reports: At this point, we can probably assume the worst for most apps out there but it doesn’t feel any better knowing that certain apps, like GoodRX, which many use to pick up their prescriptions, is sharing your data unnecessarily with data and advertising giants like Google and Facebook. Apparently, not even Facebook knows (https://twitter.com/hannahkuchler/status/1232732925222887425?s=21) why it’s receiving this data. Turns out this data exchange is entirely legal (https://gizmodo.com/goodrx-shares-my-prescriptions-with-third-parties-and-i-1841772965?rev=1582832321935) and isn’t a violation of HIPAA — because HIPAA doesn’t extend that far. @thomasgermain (https://twitter.com/thomasgermain/status/1232389139074560000) , who wrote the story, has a good tweet thread. More: @thomasgermain tweets (https://twitter.com/thomasgermain/status/1232389139074560000) | Gizmodo (https://gizmodo.com/goodrx-shares-my-prescriptions-with-third-parties-and-i-1841772965?rev=1582832321935)
Samsung exposed the details of customers in mix-up (https://www.theregister.co.uk/2020/02/24/samsung_data_breach_find_my_mobile/) The Register: A mystery notification that for many just said “1” confused Samsung users this week. But in about 150 cases, according to the technology giant, it instead sent personal information to the wrong people. Samsung said it was an internal test that went wrong. More: Reuters (https://uk.reuters.com/article/uk-samsung-elec-website-breach/samsung-electronics-says-uk-website-error-exposed-data-of-150-customers-idUKKCN20K0AC) | ABC News (https://abcnews.go.com/Technology/disappearing-find-mobile-notification-baffles-samsung-galaxy-users/story?id=69099280) ~ ~ SUPPORT THIS NEWSLETTER
A big thank you to everyone who reads and supports this newsletter! As subscribers go up, so do the monthly costs. Please spare $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) like stickers and mugs) to help maintain the upkeep of this newsletter. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here! ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Facebook’s latest ‘transparency’ tool doesn’t offer much — so we went digging (https://techcrunch.com/2020/02/25/facebooks-latest-transparency-tool-doesnt-offer-much-so-we-went-digging/) TechCrunch: Facebook’s new so-called Off-Facebook Activity tool lets users see which websites share data on them with Facebook. Turns out the tool doesn’t actually show much, so @riptari (https://twitter.com/riptari) went digging. She found six companies that were sharing data on her with the social media giant. One of the companies openly said that they had no idea what data it was sharing with Facebook. To call this entire “feature” a fustercluck is putting it mildly. Privacy International also had some choice words (https://privacyinternational.org/long-read/3372/no-facebooks-not-telling-you-everything) for the social media giant.
Android malware can steal Google Authenticator two-factor codes (https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/) ZDNet: A new mobile malware strain hitting Android devices can intercept one-time passcodes generated from Google Authenticator, effectively allowing an attacker to bypass two-factor security on protected accounts. The malware, dubbed Cerberus, is still in a “test phase,” according to by Dutch research firm ThreatFabric — which has its own write-up here (https://www.threatfabric.com/blogs/2020_year_of_the_rat.html) . But it’s only a matter of time before it’s rolled out in active attacks, they said.
Apple demands U.S. intelligence contractor spill how it uses an iPhone hacking tool (https://www.forbes.com/sites/thomasbrewster/2020/02/22/apple-just-demanded-santander-and-a-50-billion-us-intelligence-contractor-reveal-how-they-use-iphone-hacking-tech/#febe8af46c57) Forbes: The Apple v. Corellium fight continues, with Apple now demanding to know how L3Harris, a $50 billion intelligence contractor, uses Correllium’s software, which virtualizes iPhone software for security and functionality testing. Apple says that Corellium is violating its copyright. Apple is also demanding banking giant Santander turn over documents on how it uses the software.
Justice Dept. plans to strike against encryption amid ‘techlash” (ans-strike-against-encryption-while-techlash-iron-hot) Stanford University: The Washington Post ($) reported (https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/02/25/the-cybersecurity-202-the-justice-department-is-giving-up-on-an-encryption-truce-with-big-tech/5e54102688e0fa632ba828ea/) that the Justice Dept. is hoping to capitalize on the backlash against big tech (the so-called “techlash”) by piling on pressure to carve out encryption backdoors. @Riana_Crypto (https://twitter.com/riana_crypto?lang=en) blogged about this, explaining it in more detail and how we got here. Ultimately, nothing has changed: every crypto expert on the planet thinks backdoors are silly and fundamentally put people at more risk of abuse. Does the government care? Probably not. And that’s where we are. ~ ~
** OTHER NEWSY NUGGETS
Firefox turns encrypted DNS on by default to thwart snooping ISPs (https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/) Mozilla will be switching on DNS-over-HTTPS, or DoH, to all U.S. Firefox users in the coming weeks. ISPs hate the decision because it means they can’t snoop as easily, so it’s great for individuals’ privacy. But some have noted that it’s not exactly great for incident responders or malware engineers, who lose visibility as a result. Here’s Mozilla’s blog post (https://blog.mozilla.org/netpolicy/2020/02/25/the-facts-mozillas-dns-over-https-doh/) explaining more.
Longest running Magecart operation discovered (https://sansec.io/labs/2020/02/25/longest-skimming-operation-yet/) Magecart, the collective name for several credit card skimming hacker groups, has been caught running its longest operation to date — some two and a half years. Sanguine Security has more (https://sansec.io/labs/2020/02/25/longest-skimming-operation-yet/) : the hackers targeted ESPN Magazine and the U.S. military publication Stars and Stripes.
A hacker’s mom broke into a prison — and the warden’s computer (https://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/) This is an absolutely incredible read by @lilyhnewman (https://twitter.com/lilyhnewman) . John Strand, a security analyst, had a contract to test a prison’s security defenses. Instead of going himself, he sent his mom. “I want to break in somewhere,” his mom said. Strand said: “It’s my mom, so what am I supposed to say?”. Just read this story — it’s incredible. ~ ~
** THE HAPPY CORNER
Another week, another round of the happy corner.
This week, Let’s Encrypt, the free TLS certificate provider, issued its one billionth certificate. That’s huge — and in just five years. In doing so, Let’s Encrypt has helped to raise the number of HTTPS sites to 91% in the U.S.
@micahflee (https://twitter.com/micahflee/status/1232034094315339778) has a new app designed to sanitize potentially risky or dangerous PDF and Word documents. The tool, called Dangerzone, converts potentially malicious documents to clean, readable versions. Great for reporters and researchers alike. And, The New York Times posted on Medium (https://open.nytimes.com/how-to-dox-yourself-on-the-internet-d2892b4c5954) a series of guides to help you think like a doxxer to help you understand how to clean up your digital footprint. The hope is that it makes it harder for someone else to dox you. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This is Daisy May. She wants to remind you to use strong unique passphrases and don’t forget to two-factor everything. A big thank you to @lucky225 (https://twitter.com/lucky225) for the submission! Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
And that’s a wrap for this week. Thanks again for reading and subscribing. As always, if you have any thoughts, comments, feedback, drop me a note in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you next week!
============================================================ |IFNOT:ARCHIVE_PAGE| |LIST:DESCRIPTION|
Our mailing address is: |LIST_ADDRESS| |END:IF| You can update your preferences (|UPDATE_PROFILE|) or unsubscribe from this list (|UNSUB|) .