this week in security — march 17 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 11.
** THIS WEEK, TL;DR
Beto O’Rourke Was A Hacker With The ‘Cult Of The Dead Cow’ (https://www.reuters.com/investigates/special-report/usa-politics-beto-orourke/) Reuters: Here’s a sentence I never thought I’d write: former Texas congressman turned Democratic presidential candidate Beto O’Rourke could be the first hacker president (https://techcrunch.com/2019/03/15/beto-the-hacker/) . O’Rourke admitted his secret membership to Reuters reporter @josephmenn (https://twitter.com/josephmenn/) for his new book (available on Amazon (https://www.amazon.com/Cult-Dead-Cow-Original-Supergroup/dp/154176238X) ) more than a year ago. After discovering the connection, Menn convinced O’Rourke to go public, after years of the group keeping it a secret for fear it would compromise his political ambitions. Based on the reaction from Twitter this week, it’s only encouraged many in the security community. More: Reuters backstory (https://www.reuters.com/article/us-backstory-usa-politics-orourke-idUSKCN1QX02M) | @josephmenn tweet thread (https://twitter.com/josephmenn/status/1106578730904764416)
U.S. Will Be Scanning Your Face At Top Airports By 2021 (https://www.buzzfeednews.com/article/daveyalba/these-documents-reveal-the-governments-detailed-plan-for) BuzzFeed: Documents obtained by BuzzFeed via EPIC (https://epic.org/foia/gallery/2019/#biometric-entry-exit) show the U.S. is hellbent on rolling out facial recognition at the top 20 U.S. airports by next year, despite criticisms from Homeland Security’s own watchdog that the technology often doesn’t work (https://www.buzzfeednews.com/article/daveyalba/these-documents-reveal-the-governments-detailed-plan-for) . CBP is rolling out the program to detect visa overstays. Americans can opt out, but CBP doesn’t make it easy. More: EPIC documents (https://epic.org/foia/gallery/2019/#biometric-entry-exit) | Background: TechCrunch (https://techcrunch.com/2018/09/25/watchdog-says-face-scanning-at-us-airports-is-plagued-with-technical-problems/)
Researchers Find Critical Backdoor in Swiss Online Voting System (https://motherboard.vice.com/en_us/article/zmakk3/researchers-find-critical-backdoor-in-swiss-online-voting-system) Motherboard: As if this was ever going to end well… it didn’t. Security researchers, led by @SarahJamieLewis (https://twitter.com/sarahjamielewis/status/1105378257317191680?s=21) , have for weeks prodded and poked the Swiss voting system, which the country semi-opened up (https://www.zdnet.com/article/swiss-government-invites-hackers-to-pen-test-its-e-voting-system/) to researchers to find bugs, subject to a strict NDA. The code was crazy buggy — and highly criticized by researchers for being so difficult to audit. But in the end, the researchers found (https://people.eng.unimelb.edu.au/vjteague/SwissVote) a “trapdoor” that could be used to alter votes without detection. @kimzetter (https://twitter.com/KimZetter) , who has written about election system security for years, had the scoop. More: Swiss Post (https://www.post.ch/en/about-us/company/media/press-releases/2019/error-in-the-source-code-discovered-and-rectified) | @kimzetter tweet thread (https://twitter.com/KimZetter/status/1105387067020738561)
Apple and Google Caught Mis-issuing One Million Certificates (https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/) Ars Technica: Google and Apple were found to have mis-issued a million or so certificates that don’t comply with industry standards. The certificates were issued with serial numbers carrying 63 bits of entropy, short of the 64 bits the standard requires. There’s almost no chance of exploitation, but it’s a headache for a strict system of requirements and protocols. GoDaddy, which was noted in the story, later said none of its certificates were affected. More: Adam Caudill (https://adamcaudill.com/2019/03/09/tls-64bit-ish-serial-numbers-mass-revocation/)
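The 63-bit shortfall comes down to how a serial number is kept positive: an ASN.1 INTEGER is two’s complement, so a generator that draws 64 random bits and then clears the top bit to avoid a negative value has thrown one bit away. The check below is an added example, not code from the Ars story, the Caudill post or any CA software; it assumes that flawed generator pattern (the one the linked coverage describes) and shows how an auditor could spot it in a sample of serials, next to a generator that keeps every random bit and lets the DER encoder prepend a zero byte instead.

```python
"""Audit X.509 serial numbers for the 'sign bit always clear' pattern.

Added example. Assumption: the flawed generator draws 64 random bits and
forces bit 63 to 0 so the ASN.1 INTEGER stays positive (63 bits of entropy).
"""
import secrets


def der_integer_bytes(serial: int) -> bytes:
    """Content octets of an ASN.1 INTEGER: big-endian two's complement, with a
    leading 0x00 when the high bit is set so the value stays positive."""
    if serial <= 0:
        raise ValueError("certificate serials must be positive")
    raw = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def legacy_serial() -> int:
    """The flawed pattern: 64 random bits, sign bit forced to 0 -> 63 bits."""
    return (secrets.randbits(64) & ~(1 << 63)) or 1


def generate_serial(random_bits: int = 128) -> int:
    """Compliant pattern: keep every random bit; positivity is handled by the
    DER encoding (leading zero byte), not by discarding entropy."""
    return secrets.randbits(random_bits) or 1


def sign_bit_forced_clear(serials, width_bits: int = 64) -> bool:
    """True when every serial fits in width_bits and bit (width_bits - 1) is
    never set. A genuine width_bits-bit draw sets that bit in about half of
    the serials, so a few hundred samples with it always clear is the
    fingerprint of a generator that discarded it."""
    top = 1 << (width_bits - 1)
    serials = list(serials)
    return bool(serials) and all(
        0 < s < (1 << width_bits) and not (s & top) for s in serials
    )


def effective_entropy_bits(serials, width_bits: int = 64) -> int:
    """Entropy actually present if the serials were drawn as width_bits bits."""
    return width_bits - 1 if sign_bit_forced_clear(serials, width_bits) else width_bits


if __name__ == "__main__":
    sample = [legacy_serial() for _ in range(500)]  # constructed sample
    print("legacy generator:", effective_entropy_bits(sample), "bits")  # 63
    sample = [generate_serial(64) for _ in range(500)]
    print("compliant 64-bit generator:", effective_entropy_bits(sample), "bits")  # 64
    # A 64-bit serial with the high bit set encodes to 9 bytes, starting 00.
    print("DER content octets:", der_integer_bytes((1 << 63) | 5).hex())
```

Against real certificates you would feed `sign_bit_forced_clear` the serials pulled from a CA’s issuance log or a CT-log sample rather than the constructed ones in `__main__`.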
U.S. to Germany: Drop Huawei or See Intelligence Sharing Limited (https://www.wsj.com/articles/drop-huawei-or-see-intelligence-sharing-pared-back-u-s-tells-germany-11552314827) Wall Street Journal ($): This was nuts: the U.S. threatened to pull back its intelligence sharing with Germany, a 14-Eyes Partner (two levels after Canada, the U.K., Australia and New Zealand), if it doesn’t drop Huawei from its upcoming 5G contract bidding. Germany relies on the U.S. for vital signals intelligence for countering terrorism — so this isn’t just some mild threat. Like the U.K., Germany said there’s no immediate risk to using Huawei networking equipment in its network — but the U.S. is hellbent on pushing the company out of the picture over fears it could be told to spy (https://www.technologyreview.com/s/612556/the-6-reasons-why-huawei-gives-the-us-and-its-allies-security-nightmares/) in the future. More: @zackwhittaker (https://twitter.com/zackwhittaker/status/1105874717733462019)
ICE Has A Huge License Plate Database (https://www.aclunc.org/blog/documents-reveal-ice-using-driver-location-data-local-police-deportations) ACLU: More than 1,800 documents obtained by the ACLU show ICE has a massive database of billions of license plate readings from across the U.S. — including from police departments in California covered under state sanctuary laws to protect immigrants. The stats in this report alone are staggering: 5 billion license plate readings, including locations, from more than 80 police departments and law enforcement agencies, covering some 60 percent of the U.S. (The ACLU provided me a copy of the documents and I wrote about the database here (https://techcrunch.com/2019/03/13/ice-license-plates-immigrants/) .) More: BuzzFeed (https://www.buzzfeednews.com/article/adolfoflores/ice-access-license-plate-scans) | ACLU documents (https://www.documentcloud.org/documents/5767094-ALPR-documents-from-ICE-FOIA.html)
Why Tech Didn’t Stop the New Zealand Attack From Going Viral (https://www.wired.com/story/new-zealand-shooting-video-social-media/) Wired: And I can’t not mention the horrific terrorist attack in New Zealand this week. The attack killed 50 people, mostly Muslims, who were praying in two mosques in Christchurch. Many were refugees who made New Zealand their new home. Thousands saw the video of the murders circulated on the internet; the social media platforms failed to take down the videos. Why could these platforms take down videos and propaganda from the so-called Islamic State so easily, but neglect other types of violence (https://twitter.com/ellievhall/status/1106942687398240258) ? The tech giants say it’s not as easy as you might think. Wired explains more. The automated systems aren’t as good as the companies make out, and a lot of it comes down to human intervention. At scale, that’s hugely difficult. More: @ellievhall tweet thread (https://twitter.com/ellievhall/status/1106942687398240258) | TechCrunch (https://techcrunch.com/2019/03/15/new-zealand-tragedy-social-media-responmse/) | Deep dive: Motherboard (https://motherboard.vice.com/en_us/article/eve7w7/documents-show-how-facebook-moderates-terrorism-on-livestreams)
** THE STUFF YOU MIGHT’VE MISSED
One professor’s lesson on privacy in public spaces (https://www.npr.org/2019/03/10/702028545/googling-strangers-one-professors-lesson-on-privacy-in-public-spaces) NPR: A lesson in opsec and how not to get hacked in public: a professor tasked his law students with “de-anonymizing” someone in a public place — and succeeded. “One student found the name of a man on a plane after hearing him arrange his pickup from the airport,” wrote NPR (https://www.npr.org/2019/03/10/702028545/googling-strangers-one-professors-lesson-on-privacy-in-public-spaces) . “Another pinned down the identity of a stranger on a train by putting together the name of the college on his shirt with a first name overheard in conversation.”
‘100 unique exploits and counting’ for latest WinRAR security bug (https://www.zdnet.com/article/100-unique-exploits-and-counting-for-latest-winrar-security-bug/) ZDNet: In the month since a bug was found in the WinRAR compression software, more than 100 different exploits have been detected. WinRAR has some 500 million users, according to McAfee (https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/attackers-exploiting-winrar-unacev2-dll-vulnerability-cve-2018-20250/) , which found the exploits.
Conservative app maker threatens security bug finder with the feds (https://gizmodo.com/owner-of-maga-friendly-yelp-knockoff-threatens-to-call-1833247075) Gizmodo: @63red (https://twitter.com/63red) , a self-styled maker of conservative apps, responded in a less than friendly way towards a security researcher who found hardcoded credentials in a new app, billed as a “Yelp for MAGA-friendly restaurants,” after several high-profile Trump-associated individuals were kicked out of or heckled at restaurants. Gizmodo has the story (https://gizmodo.com/owner-of-maga-friendly-yelp-knockoff-threatens-to-call-1833247075) , but in short, French security researcher @fs0c131y (https://twitter.com/fs0c131y/status/1105259901205516288) found keys that allowed access to the entire user database. The app maker fired back with a tweet (https://twitter.com/63red/status/1105469144445669379) saying that the FBI had been “notified.” No matter your politics, I think we can all agree that playing the law enforcement card has never gone down well (https://www.techdirt.com/articles/20180308/18090539393/keeper-security-reminds-everyone-why-you-shouldnt-use-it-doubles-down-suing-journalist.shtml) with infosec types.
Cookie warning walls have to stop (https://www.troyhunt.com/these-cookie-warning-shenanigans-have-got-to-stop/) Troy Hunt: Hunt, security expert and data breach collector, is about as pissed off as the rest of us with cookie prompts — particularly the full-screen displays that demand you accept everything before you’re allowed in. In a tweet (https://twitter.com/troyhunt/status/1105857407857487872) , Hunt says the cookie notices, rolled out following new European data protection rules some years ago, have “only gotten stupider.” Even the Dutch authorities have said cookie walls that block content aren’t compliant (https://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moeten-toegankelijk-blijven-bij-weigeren-tracking-cookies) with GDPR.
How hackers pulled off a $20 million bank heist (https://www.wired.com/story/mexico-bank-hack/) Wired ($): @lilyhnewman (https://twitter.com/lilyhnewman) reports that the North Korean-backed Lazarus Group stole up to $20 million from a Mexican bank by breaking into the bank’s internal network from the public internet. It followed an earlier failed attempt to steal $110 million.
** OTHER NEWSY NUGGETS
New Chinese leak exposes “breed ready” status of 1.8 million women Going to flat out say that this is messed up, like it’s something out of the Handmaid’s Tale. Forbes this week reported (https://www.forbes.com/sites/zakdoffman/2019/03/11/exposed-chinese-database-includes-breed-ready-status-of-almost-2-million-women/#57d750e717e7) on another exposed database discovered by Victor Gevers (https://twitter.com/0xDUDE/) , who found the personal data of close to two million women — including whether they’re “breed ready.” Gevers, who tweeted a thread (https://twitter.com/0xDUDE/status/1104482014202351616) about his findings, didn’t conclude what the “breed ready” status meant.
DARPA is building a $10 million, open source, secure voting system DARPA, the Pentagon’s research arm, was long rumored to be working on a secure voting system in the wake of concerns over voting machine hacks and infrastructure woes. Now it’s confirmed, courtesy of Motherboard (https://motherboard.vice.com/en_us/article/yw84q7/darpa-is-building-a-dollar10-million-open-source-secure-voting-system) . The best bit: DARPA isn’t asking users to blindly trust the system. The research agency will publish the source code and bring the system to Def Con’s voting village to let people try it out. Universities will also get a crack at hacking the system. That’s security done right.
Georgia county pays $400,000 to recover from ransomware A ransomware infection knocked Jackson County, Georgia offline for two weeks, including local government services and the 911 emergency system, reports ZDNet (https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/) . The infection, likely Ryuk, is currently undecryptable. The payout is one of the largest to date, following a $1.14 million bitcoin payout by a South Korean web hosting firm (https://www.zdnet.com/article/korean-web-host-hands-over-1-billion-won-to-ransomware-crooks/) .
** THE HAPPY CORNER
In a small rebranding, welcome to The Happy Corner.
This week, @JarekMSFT (https://twitter.com/JarekMsft?lang=en) posted a handy explainer of how to maximize your Microsoft bug bounty awards. There’s some good advice in here for anyone who’s trying to get into the bug bounty space — or even experienced bug hunters who might need a refresher. You can also read his Nullcon slides (https://github.com/JarekMSFT/Presentations/blob/master/Getting%20to%2010K_Nullcon2019.pdf) on GitHub.
And, Vint Cerf (https://twitter.com/vgcerf) (who invented the internet) and Tim Berners-Lee (who invented the world wide web) posted a photo (https://twitter.com/vgcerf/status/1105467776477679616) this week of the two wearing t-shirts to celebrate 30 years of the web. Cute. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) .
** THIS WEEK’S CYBER CAT
This week’s cybercat is Mia, a rescue kitty from Bucharest. Some say she is the wisest of cats. She sees all. She knows you’ve been hacked before you do. Thanks to Alexandra Bideaua for the submission. (You may need to enable images in this email.) You can submit your cybercats (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) here by dropping me an email.
** SUGGESTION BOX
That’s all for this week. The anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open as usual. Hope you have a great week. I’ll be back same time next Sunday.