this week in security — march 10 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 10.
** THIS WEEK, TL;DR
Disputed N.S.A. Phone Program Is Shut Down, Aide Says (https://www.nytimes.com/2019/03/04/us/politics/nsa-phone-records-program-shut-down.html) New York Times ($): A congressional aide said on a Lawfare podcast (https://www.lawfareblog.com/lawfare-podcast-luke-murry-and-daniel-silverberg-national-security-congress) this week that the National Security Agency no longer collects and analyzes domestic call records as part of the Section 215 program, the first program disclosed by the Edward Snowden revelations. It comes about six months after the agency was forced to purge (https://www.nytimes.com/2018/06/29/us/politics/nsa-call-records-purged.html) records that it unlawfully collected. But what’s more likely, according to national security blogger Marcy Wheeler (https://www.emptywheel.net/2019/03/04/lawfare-breaks-news-nsa-hasnt-restarted-the-section-215-cdr-function/) , is that the program wasn’t ceased but instead pulled under another authority, like Executive Order 12333, which authorizes the bulk of the U.S. government’s powers. It keeps the program secret, and largely out of Congress’ oversight. More: Emptywheel (https://www.emptywheel.net/2019/03/04/lawfare-breaks-news-nsa-hasnt-restarted-the-section-215-cdr-function/) | Lawfare (https://www.lawfareblog.com/lawfare-podcast-luke-murry-and-daniel-silverberg-national-security-congress)
Security Flaws In Big Brand Car Alarms Affect 3 Million Vehicles (https://www.bbc.com/news/technology-47485731) BBC News: This was great security research: by examining the API behind two big brand car alarms, the researchers at Pen Test Partners found insecure direct object references, allowing them to tamper with the systems on live cars. The researchers found they could track a car and kill its engine. Worse, hijacking a car is “trivially easy,” wrote @TheKenMunroShow (https://twitter.com/theKenMunroShow) . Some three million cars have one of the vulnerable systems — since fixed. More: Pen Test Partners (https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/) | TechCrunch (https://techcrunch.com/2019/03/07/car-alarms-flaw-hijack/)
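The flaw class named above, an insecure direct object reference, is worth seeing in code. The following is an added example written for this newsletter item, not Pen Test Partners' research code or either vendor's API; the vehicle store, user ids and the `engine_stop` handler are constructed for illustration. The vulnerable handler authenticates the caller and then trusts the client-supplied vehicle id; the hardened one scopes the lookup to the authenticated owner and logs the denied attempt so it shows up in monitoring.

```python
"""Insecure direct object reference (IDOR) in a vehicle API, and the fix.

Constructed example, not Pen Test Partners' code or any vendor's API.
All ids and the in-memory store below are made up for illustration.
"""
import logging
from dataclasses import dataclass, replace

log = logging.getLogger("vehicle_api")


@dataclass(frozen=True)
class Vehicle:
    vehicle_id: int
    owner_id: int
    engine_running: bool = True


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the object."""


# Constructed store standing in for the vendor's database: two users, two cars.
VEHICLES = {
    101: Vehicle(101, owner_id=1),
    102: Vehicle(102, owner_id=2),
}


def vulnerable_engine_stop(store: dict, session_user_id: int, vehicle_id: int) -> Vehicle:
    """The IDOR pattern: the caller is authenticated (session_user_id is known),
    but the handler never checks that the caller owns vehicle_id. Any logged-in
    user can stop the engine of any vehicle whose id they can guess or enumerate."""
    vehicle = store[vehicle_id]  # no ownership check
    updated = replace(vehicle, engine_running=False)
    store[vehicle_id] = updated
    return updated


def safe_engine_stop(store: dict, session_user_id: int, vehicle_id: int) -> Vehicle:
    """Hardened version: the object is looked up *for this user*. A vehicle the
    caller does not own is treated the same as one that does not exist, so the
    response does not reveal which ids are valid, and the denial is logged for
    detection (a burst of denials from one session is a strong enumeration signal)."""
    vehicle = store.get(vehicle_id)
    if vehicle is None or vehicle.owner_id != session_user_id:
        log.warning("denied: user=%s vehicle=%s", session_user_id, vehicle_id)
        raise Forbidden(f"user {session_user_id} may not act on vehicle {vehicle_id}")
    updated = replace(vehicle, engine_running=False)
    store[vehicle_id] = updated
    return updated


if __name__ == "__main__":
    demo = dict(VEHICLES)
    # User 1 stops user 2's car through the vulnerable handler.
    print(vulnerable_engine_stop(demo, session_user_id=1, vehicle_id=102))
    demo = dict(VEHICLES)
    try:
        safe_engine_stop(demo, session_user_id=1, vehicle_id=102)
    except Forbidden as exc:
        print("blocked:", exc)
```

The fix is the one-line ownership comparison, but the two details around it matter in practice: returning the same error for "not yours" and "does not exist", and emitting a log line that a detection rule can count per session.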
Facebook Still Tracks You on Android Apps — With or Without an Account (https://privacyinternational.org/blog/2758/guess-what-facebook-still-tracks-you-android-apps-even-if-you-dont-have-facebook-account) Privacy International: Late last year, Privacy International found several popular apps that send data to Facebook as soon as you open the app — whether you have an account or not. Now, about two-thirds of all retested apps have stopped immediately pinging Facebook with your data. But, seven major apps — including Yelp and Duolingo — still do, which the non-profit says violates user privacy because it’s done “before you can decide whether you want to consent or not.” It comes in the same week that Facebook chief executive Mark Zuckerberg promised to do better (https://newsroom.fb.com/news/2019/03/vision-for-social-networking/) on privacy. More: The Verge (https://www.theverge.com/2019/3/5/18252397/facebook-android-apps-sending-data-user-privacy-developer-tools-violation) | Ars Technica (https://arstechnica.com/gadgets/2019/03/zuckerberg-facebook-will-shift-focus-to-private-networks-instead-of-open-ones/) | Background: Privacy International (https://privacyinternational.org/appdata)
Tufts Expelled A Student For Grade Hacking. She Claims Innocence (https://techcrunch.com/2019/03/08/tufts-grade-hacking/) TechCrunch: This month-long investigation looks at a case of a student expelled from Tufts — one of the best schools in the U.S. — for allegedly hacking her grade. As a Canadian citizen, her visa was revoked and she was forced to leave the country the next day. One problem: the school’s evidence is weak, and her evidence is compelling. I’m really proud of this story (disclosure: yes, I wrote this story!). Tufts has a lot to answer for. More: Hacker News (https://news.ycombinator.com/item?id=19345462)
These Are The Data Brokers Quietly Selling Your Personal Information (https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-buying-and-selling-your-personal-information) Fast Company: A new data privacy law introduced in Vermont has pushed 121 data brokers out of the shadows for the first time. These data brokers scrape and collect data and sell it for targeted advertising and other things. The law, as noted, does not require data brokers “to disclose who’s in their databases, what data they collect, or who buys it,” but they have to tell consumers how to opt-out — even if that means reaching out one by one. These companies are just a handful of players in the wider data brokerage industry, but it’s reassuring that lawmakers (some, at least) are taking this seriously. Background: Fast Company (https://www.fastcompany.com/90302036/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law) | Axios (https://www.axios.com/little-known-data-brokers-know-more-about-you-than-your-closest-friends-65a53a7d-4ac0-4228-a35d-b6599b5190a3.html)
U.S. Tracks Journalists and Advocates In a Secret Database (https://www.nbcsandiego.com/investigations/Source-Leaked-Documents-Show-the-US-Government-Tracking-Journalists-and-Advocates-Through-a-Secret-Database-506783231.html) NBC 7 San Diego: This was incredible work from local news station NBC 7 San Diego — another reminder of how important local journalism is. Documents obtained show the government has a secret database of activists and journalists, some of whom covered the so-called “migrant caravan” from Central America, and used collected information to track them and place alerts on their passports. Several reporters speak of their detention at the border or being denied entry into Mexico. The documents finally prove long-held suspicions that they were under surveillance, they said. Homeland Security’s watchdog is looking into the matter (https://twitter.com/DannyEFreeman/status/1103774039921713152) . More: @DannyEFreeman (https://twitter.com/DannyEFreeman/status/1103774039921713152)
Google Employees Say China Project Is Back On (https://theintercept.com/2019/03/04/google-ongoing-project-dragonfly/) The Intercept: Google employees say they’ve uncovered evidence that the so-called Project Dragonfly, the search giant’s efforts to break back into China, is back on, despite pleas from employees who have protested the move. The project, if you recall, would reportedly give Chinese citizens access to a censored version of Google’s search engine. Keith Enright, Google’s chief privacy officer, was first to confirm in a Senate hearing in September that “there is” a Project Dragonfly. Google said, however, it is not working on the project. More: The Intercept (https://theintercept.com/2018/12/17/google-china-censored-search-engine-2/)
Citrix Confirms It Was Hacked, Security Firm Says It Was Iran (https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986) NBC News: Citrix said it got a visit from the FBI, who warned that hackers had breached its internal network and stolen unspecified business documents (https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986) . Citrix provides enterprise tech to 98% of the Fortune 500. Now, a security firm talking to NBC News says Iranian-backed hackers were behind the breach, and they stole up to 10 terabytes of data. As we all know, attribution is difficult — so this is one to watch. More: Citrix (https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/)
** THE STUFF YOU MIGHT’VE MISSED
Facebook bug lets websites confirm visitor identities (http://www.tomanthony.co.uk/blog/facebook-bug-confirm-user-identities/) Tom Anthony: @TomAnthonySEO (https://twitter.com/TomAnthonySEO) found a Facebook bug that allowed any website to identify who is visiting their website by checking to see if a user was logged into a specific Facebook account. It’s not a perfect bug, but he still built a great proof-of-concept (http://www.tomanthony.co.uk/security/fb_identifier/index.html) , showing that it’s possible to check roughly 500 profiles per second. He earned $1,000 for the bug. It took Facebook about a year to fix the flaw.
Coinbase’s Neutrino staff to “transition” out (https://blog.coinbase.com/living-up-to-our-values-and-the-neutrino-acquisition-ba98174cdcf6) Coinbase: Many are still pissed that Coinbase acquired Neutrino, founded by former Hacking Team members, who are linked to human rights abuses. Neutrino was bought to monitor and detect suspicious transactions. Now, Coinbase has said those staff will “transition out” of the company — but it’s keeping the acquisition. “Bitcoin — and crypto more generally — is about the rights of the individual and about the technological protection of civil liberties,” said Coinbase co-founder Brian Armstrong in a blog post (https://blog.coinbase.com/living-up-to-our-values-and-the-neutrino-acquisition-ba98174cdcf6) .
NSA releases Ghidra, its reverse engineering tool (https://www.nsa.gov/resources/everyone/ghidra/) National Security Agency: Ghidra, the NSA’s reverse engineering tool first spotted in a document leaked by WikiLeaks (https://wikileaks.org/ciav7p1/cms/page_51183656.html) , has finally been open-sourced and released to the community. There’s a great comic strip out this week (https://twitter.com/patchfriday/status/1103921729741586433?s=21) about it. (From my Twitter feed alone, it feels like Ghidra’s been around for weeks already…)
The inside story of Triton, the world’s most dangerous malware (https://eenews.net/stories/1060123327) Energywire: @BlakeSobczak (https://twitter.com/BlakeSobczak) deep-dives into Triton, a malware believed to be nation-state backed, which tried to blow up a Saudi oil refinery. Homeland Security said the malware was as dangerous as Stuxnet and CrashOverride, which caused a huge blackout in 2016. It’s still not clear exactly who’s behind the hack, but this is a really good read and recommended for all.
NSA’s Rob Joyce: It’s time to start putting teeth in cyber deterrence (https://arstechnica.com/tech-policy/2019/03/nsas-top-policy-advisor-its-time-to-start-putting-teeth-in-cyber-deterrence/) Ars Technica: At an event in Maryland, NSA’s chief cyber policy advisor Rob Joyce said that as state-sponsored cyberattacks have shifted “from exploitation to disruption,” the government’s deterrence has to be better. “We have to go out and try to make those operations less successful and harder to do,” he said. It comes a week after the Washington Post ($) reported that U.S. Cyber Command (https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html?tid=sm_tw) disrupted Russia’s troll army on Election Day to prevent any interference.
Many news media websites have paywalls that can be bypassed (https://hackernoon.com/how-i-hacked-the-mit-technology-review-website-many-more-and-gained-unlimited-online-access-e89a57cdc248) Hackernoon: Several major websites, like The New York Times and the Washington Post, can be tricked into bypassing their paywalls because there are no server-side checks, according to Papadopoulos Konstantinos. It’s an interesting read for sure — with a simple fix: “Avoid blocking only by client-side!” he said. I don’t want to get into a big thing about the media — I’m in it, we need money, but frankly paywalls make it difficult for those with little or no money to access journalism that can help inform public decisions — like voting! That’s why I mark paywalled content in this newsletter with a ($) symbol.
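The “no server-side checks” point above is a general pattern, not just a paywall problem: if the server ships the protected content and leaves enforcement to browser JavaScript, the gate is decorative. The following is an added example written for this item, not code from the Hackernoon write-up or from any publisher named above; the article text, reader records and the three-free-articles meter are constructed for illustration. It puts the client-side-only response next to a server-side one that decides entitlement before anything leaves the server.

```python
"""Client-side-only paywall vs server-side enforcement.

Constructed example, not any publisher's code or the Hackernoon author's.
Article text, reader records and the free-article limit are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Reader:
    user_id: Optional[str]      # None = anonymous visitor
    subscribed: bool = False
    articles_read: int = 0      # server-side meter for this reader


# Constructed content store; the body is deliberately longer than PREVIEW_CHARS.
ARTICLES = {
    "a1": "Full article body: constructed placeholder text standing in for a paywalled story.",
}
FREE_ARTICLES_PER_MONTH = 3
PREVIEW_CHARS = 40


def leaky_article_response(reader: Reader, article_id: str) -> dict:
    """Client-side-only gating. The server always returns the full text and a
    'paywalled' flag; the browser is expected to draw an overlay and hide the
    body. Disabling scripts, reading the raw response, or deleting the overlay
    element defeats it, because the decision is enforced nowhere the server controls."""
    over_limit = not reader.subscribed and reader.articles_read >= FREE_ARTICLES_PER_MONTH
    return {"body": ARTICLES[article_id], "paywalled": over_limit}


def gated_article_response(reader: Reader, article_id: str) -> dict:
    """Server-side enforcement. Entitlement is decided here, the meter is kept
    here, and only a preview leaves the server when the reader is not entitled.
    Whatever the browser does with the response cannot recover the missing text."""
    body = ARTICLES[article_id]
    if reader.subscribed:
        return {"body": body, "paywalled": False}
    if reader.articles_read < FREE_ARTICLES_PER_MONTH:
        reader.articles_read += 1            # consume one free view
        return {"body": body, "paywalled": False}
    return {"body": body[:PREVIEW_CHARS] + "...", "paywalled": True}


if __name__ == "__main__":
    r = Reader(user_id="u1", articles_read=FREE_ARTICLES_PER_MONTH)
    print(leaky_article_response(r, "a1"))   # full body shipped despite paywalled=True
    print(gated_article_response(r, "a1"))   # preview only
```

One caveat the example makes visible: for anonymous readers the server-side meter is only as strong as whatever identifier (cookie, account) it is bound to, so metering anonymous traffic is a business trade-off, not an access control. The subscription check, by contrast, is a real control only when it lives on the server as shown in `gated_article_response`.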
** OTHER NEWSY NUGGETS
Google reveals ‘BuggyCow,’ a rare macOS zero-day From @a_greenberg (https://twitter.com/a_greenberg) : Google security researchers have found a major bug (https://bugs.chromium.org/p/project-zero/issues/detail?id=1726&q=) in macOS’ kernel, released to the public just after the 90-day private disclosure window expired. The bug, as explained by Wired ($) (https://www.wired.com/story/google-project-zero-buggycow-macos-zero-day/) , can be found in the kernel’s copy-on-write protections (or CoW, hence the bug’s name), which a skilled hacker can use to install malicious code with high privileges. Apple has yet to fix the bug. Google also this week disclosed a serious bug (https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html) in 32-bit versions of Windows 7, which has about a year left on the support clock.
Chinese hackers target universities to steal maritime secrets Researchers say Chinese hackers have targeted more than two-dozen U.S. schools (https://www.wsj.com/articles/chinese-hackers-target-universities-in-pursuit-of-maritime-military-secrets-11551781800) , including the University of Hawaii, the University of Washington, and Massachusetts Institute of Technology, in an effort to steal maritime military secrets. “The majority of the universities targeted either house research hubs focused on undersea technology or have faculty on staff with extensive experience in a relevant field, and nearly all have links to a Massachusetts oceanographic institute that also was likely compromised in the cyber campaign,” said security firm iDefense, owned by Accenture.
800 million emails leaked online by Verifications.io Verifications.io, a data company, inadvertently exposed more than 800 million records it had collected. @MayhemDayOne (https://twitter.com/MayhemDayOne) found the data and wrote up his findings (https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/) . He gave the data to @troyhunt (https://twitter.com/troyhunt) , who whittled the number down slightly after loading the data into Have I Been Pwned. In a tweet (https://twitter.com/haveibeenpwned/status/1104468939197767680) , Hunt confirmed 763 million records were loaded, with some 66 percent matching existing records.
Firefox adds Tor’s anti-fingerprinting feature Firefox is taking a tip from the Tor Browser by rolling out a new anti-fingerprinting feature (https://www.zdnet.com/article/firefox-to-add-tor-browser-anti-fingerprinting-technique-called-letterboxing/) that’ll make it harder to track users across sites. The Tor Browser, a modified version of Firefox, already uses letterboxing, which resizes the screen slightly to help throw off ad trackers.
Marriott reveals more about massive Starwood hack And one more from ZDNet (https://www.zdnet.com/article/marriott-ceo-shares-post-mortem-on-last-years-hack/) this week: Marriott-owned Starwood was hacked last year, but details remain limited about what happened. Finally, the chief executive explained to a Senate committee what happened. Worth the read (https://www.zdnet.com/article/marriott-ceo-shares-post-mortem-on-last-years-hack/) .
** GOOD PEOPLE DOING GOOD THINGS
Just a couple this week.
It’s worth raising this thread (https://twitter.com/gregotto/status/1103702182149287936?s=21) from Cyberscoop’s editor-in-chief @gregotto (https://twitter.com/gregotto) . A lot of reporters subscribe to this newsletter, but all too often we can never see what impact our work is having on the wider world. It’s not about clicks or headlines. Most of the time, we only care about story traffic because it means people care — and our readers are interested. Security journalism is about bringing security to the masses. Otto, at a bar in San Francisco during RSA this week, learned about the real-world impact that security reporters can have on ordinary, non-security people. “We spend so much time being cynical (I’m to blame as much as anyone else) that I feel it’s worth pointing out when we hear stories of people listening to the security community,” he tweeted (https://twitter.com/gregotto/status/1103702179964055552) . “The message isn’t totally falling on deaf ears.” It’s a worthwhile thread to read for all reporters.
And, @troyhunt (https://twitter.com/troyhunt/)’s Have I Been Pwned now has more records in it than people on Earth, he tweeted (https://twitter.com/troyhunt/status/1104485455934873601?s=21) , thanks to the earlier 800 million breach. He added (https://twitter.com/troyhunt/status/1104486208875376640) that the number without duplicates is closer to 5 billion. Still, it just goes to show how big the breach notification site has become in just six years.
If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) .
** THIS WEEK’S CYBER CAT
In a rare three-for-one special, this week’s cybercats (plural!) are Snow White, Guen, and Linus, from left to right. Are they red team cats or blue team cats? You’ll never know. Thanks to @Beaches (https://twitter.com/@Beaches) for the submissions. (You may need to enable images in this email.) You can submit your cybercats (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) by dropping me an email.
** SUGGESTION BOX
What a busy week — that’s all for now. Safe travels to everyone returning home from RSA. If you have any suggestions or feedback, drop it in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a good one — see you same time next week.