this week in security — march 15 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 11
~ ~
** THIS WEEK, TL;DR
Windows has a new wormable vulnerability in SMBv3 (https://arstechnica.com/information-technology/2020/03/windows-has-a-new-wormable-vulnerability-and-theres-no-patch-in-sight/) Ars Technica: A critical bug in SMBv3 this week was leaked by mistake and left unpatched for several days. It’s unclear (https://www.zdnet.com/article/details-about-new-smb-wormable-bug-leak-in-microsoft-patch-tuesday-snafu/) exactly how the details of the bug leaked, but Microsoft scrambled to issue an out-of-band patch on Thursday. Because the bug affects SMB, there were concerns it could lead to another wormable-style bug like WannaCry or NotPetya. But no attacks have been publicly seen to date. The patch can be downloaded from Windows Update and the like. More: CERT/CC (https://kb.cert.org/vuls/id/872016/) | ZDNet (https://www.zdnet.com/article/details-about-new-smb-wormable-bug-leak-in-microsoft-patch-tuesday-snafu/) | @dangoodin001 tweets (https://twitter.com/dangoodin001/status/1237791018931511297) | @MalwareJake tweets (https://twitter.com/MalwareJake/status/1237512617817751552)
European power grid organization says its IT network was hacked (https://www.cyberscoop.com/european-entso-breach-fingrid/) Cyberscoop: The European Network of Transmission System Operators for Electricity (ENTSO-E), an organization that ensures the coordination of energy markets across the EU, said its IT network was hacked. The good news is that the hacked IT systems were segmented from the operational system, so critical control systems were unaffected. Dragos said (https://dragos.com/blog/industry-news/energy-organizations-continue-to-be-compromised-globally/) it was the latest in a string of attacks targeting energy organizations. More: Dragos (https://dragos.com/blog/industry-news/energy-organizations-continue-to-be-compromised-globally/) | @snlyngaas tweets (https://twitter.com/snlyngaas/status/1237095298746527745)
Trial of programmer accused in CIA Vault 7 leak ends in mistrial (https://www.nytimes.com/2020/03/09/nyregion/cia-wikileaks-joshua-schulte-verdict.html) The New York Times ($): The trial of Joshua Schulte, the CIA programmer accused of leaking the Vault 7 cache of government hacking tools, ended with a hung jury after a verdict in the case could not be reached. The four-week trial ended with “chaotic deliberations” after one juror was dismissed for researching the case and another told reporters in tears that it was a “horrible experience.” The Vault 7 exploits were released and published by WikiLeaks in 2017. More: Wall Street Journal ($) (https://www.wsj.com/articles/split-verdict-for-cia-programmer-charged-in-massive-leak-11583774050) | @dnvolz (https://twitter.com/dnvolz/status/1237080920848506882)
FBI arrests alleged owner of Deer.io, a broker of stolen accounts (https://krebsonsecurity.com/2020/03/fbi-arrests-alleged-owner-of-deer-io-a-top-broker-of-stolen-accounts/) Krebs on Security: Late on March 9, @seamushughes (https://twitter.com/seamushughes/status/1237176176633950211?s=21) broke the news that the alleged founder of Deer.io, a website dealing in stolen accounts, had been arrested at the U.S. border. Turns out the U.S. government offered the alleged founder, a Russian national named Kirill V. Firsov, an entry visa, and he was subsequently arrested at New York’s JFK Airport when he landed. Deer.io sells thousands of allegedly compromised accounts, Social Security numbers, dates of birth and more, according to the indictment. More: @seamushughes (https://twitter.com/seamushughes/status/1237176176633950211?s=21)
U.S. is preparing to ban foreign-made drones from government use (https://techcrunch.com/2020/03/11/us-order-foreign-drones/) TechCrunch: The Trump administration is planning an executive order to crack down on the government’s use of foreign-made drones, specifically naming China in the order, home to drone maker DJI, which makes some 70 percent of the world’s drones. The military and intelligence agencies will receive broad exceptions, however. But with so few U.S. drone makers, it’s not known how practical the ban — which has yet to be signed by the president — would be. (Disclosure: I wrote this story.) More: Politico Pro ($) (https://subscriber.politicopro.com/article/2020/03/white-house-draft-would-bar-feds-from-using-chinese-drones-3977727) | @zackwhittaker tweets (https://twitter.com/zackwhittaker/status/1237877296893063168)
Microsoft takes down the Necurs botnet with law enforcement help (https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/) Microsoft: This week, Microsoft launched a coordinated strike on the Necurs botnet, which has infected more than 9 million machines globally. The New York Times has a pretty good rundown of what happened (https://www.nytimes.com/2020/03/10/us/politics/microsoft-botnets-malware.html) during the strike — including how the Microsoft staffers launched the strike against six million malicious domains from a near-empty campus. More: The New York Times ($) (https://www.nytimes.com/2020/03/10/us/politics/microsoft-botnets-malware.html)
~ ~
** SUPPORT THIS NEWSLETTER
A big thank you to everyone who reads and supports this newsletter! Subscribers are going up, as are the monthly costs. Please consider sparing $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) such as stickers and mugs) to help maintain the upkeep of this newsletter. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here! ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Cyber Command was worried that WikiLeaks dump would burn Operation Aurora (https://www.cyberscoop.com/wikileaks-2010-state-department-cyber-command-operation-aurora-google-chinese-hackers/) Cyberscoop: A newly declassified “secret” document from U.S. Cyber Command said the WikiLeaks cable dump back in 2010 may have harmed its ability to track a group of hackers, which the U.S. believed was responsible for the attacks against Google, prompting the search giant to leave China weeks later. The document said the Pentagon was worried the leak would scupper its ongoing surveillance of the threat group, which might respond by changing its tactics, techniques, and procedures.
Popular VPN and ad-blocking apps are secretly harvesting user data (https://www.buzzfeednews.com/article/craigsilverman/vpn-and-ad-blocking-apps-sensor-tower) BuzzFeed News: Sensor Tower, the popular mobile analytics firm, has been secretly collecting data from millions of users who have installed a number of VPN and ad-blocking apps for Android and iOS, BuzzFeed News reports. Sensor Tower owns at least 20 apps that are sending data back to the company, but the relationship between the apps and the analytics firm is either hidden or undisclosed, the report says. Some apps require the user to install a root certificate, which gives the app full access to the device’s network traffic. @doctorow (https://twitter.com/doctorow/status/1237723061878571009) has a good tweet thread on this.
Utah spent $250,000 on a surveillance startup instead of a life-saving drug (https://www.vice.com/en_us/article/qjdxa7/utah-spent-dollar250k-on-a-surveillance-startup-instead-of-life-saving-drugs) Motherboard: If this doesn’t boil your blood… Utah wanted to spend $250,000 on a life-saving drug, naloxone, which reverses the effects of an opioid overdose, but instead the state funneled the money to a surveillance startup building an unproven technology.
Comcast accidentally published 200,000 “unlisted” phone numbers (https://arstechnica.com/tech-policy/2020/03/comcast-accidentally-published-200000-unlisted-phone-numbers/) Ars Technica: Comcast mistakenly published the names, phone numbers, and addresses of close to 200,000 customers who paid to keep their information private and unlisted. Those customers were rightfully angry. One person told Ars that their information was “published all over the web” because of Comcast’s snafu. Comcast has made this mistake once before and had to pay $33 million as a result.
Federal employees ordered to work from home may pose cybersecurity risks (https://www.washingtonpost.com/nation/2020/03/13/federal-employees-may-soon-be-ordered-work-home-that-could-pose-serious-cybersecurity-risks/) Washington Post ($): Ever wondered how government workers handling classified material work from home during a pandemic? Turns out they don’t — with the exception of high-ranking officials with SCIFs in their own home. Although no federal workers have been ordered to work from home — yet — it’s expected to be on the cards as the coronavirus pandemic gets worse. The Post explains the challenges and pitfalls brilliantly. ~ ~
** OTHER NEWSY NUGGETS
Secret-sharing app Whisper left users’ locations, fetishes exposed on the Web (https://www.washingtonpost.com/technology/2020/03/10/secret-sharing-app-whisper-left-users-locations-fetishes-exposed-web/) Whisper, once called the “safest place on the internet,” wasn’t so safe after all. It turns out hundreds of millions of users’ intimate messages — tied to their locations — were publicly viewable for a period of time. A core Whisper database was left online without a password. Classic. @drewharwell (https://twitter.com/drewharwell/status/1237341716555927554?s=21) explains more.
High-severity flaws plague Intel chips and drivers (https://threatpost.com/high-severity-flaws-intel-graphics-drivers/153568/) Intel has patched a bunch of flaws in its chips and drivers this week. One of them was a so-called load value injection (LVI) bug, found by the same team of hackers who discovered Meltdown and Spectre. @jovanbulck (https://twitter.com/jovanbulck/status/1237423893989687296) and team presented the new flaw, which allows skilled hackers to inject data into a victim’s app to acquire sensitive information. The LVI attack website (https://lviattack.eu/) also explains more.
Solarium Commission report is out (https://www.cyberscoop.com/cybersecurity-solarium-report-angus-king-5g-oversight/) A bipartisan congressional committee is urging the U.S. government to enact a sweeping set of cybersecurity upgrades to modernize defenses against intellectual property theft, prevent ransomware, and mitigate 5G security risks. The so-called Solarium Commission report has 75 recommendations in total. But it’s not clear if any of the recommendations will be put into practice. @lukOlejnik (https://twitter.com/lukOlejnik/status/1237797288136847370) has the tl;dr in tweet format. ~ ~
** THE HAPPY CORNER
Just a couple of things this week.
@dellcam (https://twitter.com/dellcam/status/1238329847396458496) tweeted about a virtual library, built in Minecraft, which lets those in censored countries — like Russia or Egypt — access materials that are otherwise banned. Why? Because Minecraft isn’t banned in those countries. No, it’s not a closely guarded secret, but it’s a novel way of busting through censorship.
Given the coronavirus is forcing a lot of us to work from home, this Twitter event has a pretty funny selection (https://twitter.com/i/events/1238552189259272192) of work-from-home setups for your viewing and inspirational pleasure. Some are less serious(!) than others. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
Meet this week’s two-for-one cybercats, Sientje and Simba, who want to remind you all to wash your hands! (https://www.cdc.gov/coronavirus/2019-ncov/prepare/prevention.html) Stay safe out there! A big thanks to Martijn Kamminga (https://twitter.com/InfoSecISee2IT) for the submission! Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
And that’s it for this week. A big thank you as always for reading and subscribing. If you have any feedback, please drop me a note in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a great Sunday. See you next week.