this week in security — march 21 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 12
~ ~
** THIS WEEK, TL;DR
Foreign operatives were active in 2020 but did not alter vote, U.S. officials say (https://www.cyberscoop.com/russia-china-iran-2020-election/) Cyberscoop: A joint DHS-Justice report says foreign actors were active ahead of the 2020 U.S. presidential election but that there was no effect on the vote. It’s largely what we knew already, with a few extra points thrown in. Russian and Iranian actors were active, but China was less so — apparently Beijing “considered, but did not deploy” influence efforts as it sought a less fractious relationship with the West. It comes after months of breathless allegations that the vote was somehow (but wasn’t) altered. @shanvav (https://twitter.com/shanvav/status/1371887497823850506) has a good tl;dr thread on the report’s findings. More: NBC News (https://www.nbcnews.com/politics/national-security/u-s-intel-agencies-say-russia-tried-help-trump-china-n1261234) | @RidT (https://twitter.com/RidT/status/1371905858850938885)
https://twitter.com/shanvav/status/1371906438067597324
A hacker got all my texts for $16 (https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber) Motherboard: A gaping hole in the telecommunications infrastructure allowed @Lucky225 (https://twitter.com/Lucky225), co-founder and CIO at Okey Systems, to hijack all incoming SMS messages to @josephfcox (https://twitter.com/josephfcox)‘s phone. There was no SIM swapping or bribing of telecoms staff. Instead, he used Sakari, an SMS marketing tool that rerouted SMS messages to him, simply by claiming he had the permission to do so. It’s a fascinating if not eye-opening story on just how vulnerable (https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80) SMS is — and why we should probably not rely on it. That kicked off a whole conversation on Twitter, but read this story and judge for yourself.
More: @Lucky225 on Medium (https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80) | @josephfcox (https://twitter.com/josephfcox/status/1371509983842598918)
America’s drinking water is surprisingly easy to poison (https://www.propublica.org/article/hacking-water-systems) ProPublica: Last week, CISA’s cybersecurity chief Eric Goldstein described February’s attempted (https://apnews.com/article/hacker-tried-poison-water-florida-ab175add0454bcb914c0eb3fb9588466) water poisoning incident in Florida as “the gravest risk that CISA sees from a national standpoint.” He’s not wrong, in large part because we’ve done so little to protect these water systems. Despite warnings but with little funding to protect against cyberattacks — including at the U.S. Environmental Protection Agency — an attack was almost bound to happen. “As they turned to digital systems and monitors to boost efficiency while saving money and staff, they failed to install the safeguards and carry out employee training needed to secure the resulting vulnerabilities.” More: @propublica (https://twitter.com/propublica/status/1372356106174017537)
Your face is not your own (https://www.nytimes.com/interactive/2021/03/18/magazine/facial-recognition-clearview-ai.html) New York Times Magazine ($): @kashhill (https://twitter.com/kashhill) is back with another long read on Clearview AI, the controversial startup she first reported on last year. It’s a wild story, and worth the read. Clearview AI exploited a glaringly obvious market position by throwing legal and ethical considerations to the limits. “The more society-changing aspect of facial recognition in the United States may be how private companies deploy it: Americans’ right to privacy is relatively strong when it comes to the federal government but very weak when it comes to what corporations can do.” More: @shiraovide (https://twitter.com/ShiraOvide/status/1372511713791250439) | @kashhill (https://twitter.com/kashhill/status/1373603429214523392)
“Expert” hackers used 11 zero-days to infect Windows, iOS, and Android users (https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/) Ars Technica: Hackers have used at least 11 zero-day flaws over a year-long campaign to compromise websites and infect devices running Windows, iOS, and Android, according to Google’s Project Zero (https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html). The hackers chained together the flaws to get full access to vulnerable devices. But Google still hasn’t said who is behind the attacks or offered any suggestion as to the motives of the attackers (or who the victims are). But clues suggest (https://twitter.com/lorenzofb/status/1372912376173969411) that the vulnerabilities may have been exploited by more than one threat actor. More: Google Project Zero (https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html) | @lorenzofb (https://twitter.com/lorenzofb/status/1372912376173969411)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity), or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
WeLeakInfo leaked customer payment info (https://krebsonsecurity.com/2021/03/weleakinfo-leaked-customer-payment-info/) Krebs on Security: WeLeakInfo can’t be accused of not being true to its name, after it ironically began leaking info after one of its domains used for emails and payments lapsed. Flashpoint said the leaked data contained “partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid.” WeLeakInfo was a for-profit service that sold access to stolen and breached passwords and was — if you recall — seized (https://www.justice.gov/usao-dc/pr/weleakinfocom-domain-name-seized) by the feds last year for being extremely illegal. (Who would’ve thought?) @haveibeenpwned (https://twitter.com/haveibeenpwned/status/1371596628897845249) , the best-known legit data breach notification service, said 12,000 email addresses were leaked as a result.
Researcher finds a one-click RCE in TikTok for Android (https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105) Sayed Abdelhafiz: Multiple bugs discovered by @dPhoeniixx (https://twitter.com/dPhoeniixx/status/1372353521866133508) and chained together allowed for remote code execution in TikTok’s Android app. He explains how he did it in his writeup. TikTok fixed the vulnerability.
Proctorio banned at the University of British Columbia (https://twitter.com/wilbowma/status/1372635215361761283?s=21) William Bowman: Proctorio, the remote exam proctoring company at the center of several scandals, including suing (https://www.eff.org/deeplinks/2021/02/student-surveillance-vendor-proctorio-files-slapp-lawsuit-silence-critic) an academic and filing DMCA complaints (https://techcrunch.com/2020/11/05/proctorio-dmca-copyright-critical-tweets/) to take down a student’s critical tweets, has been banned at UBC (with some exceptions). The decision was made in response to complaints by students. Here’s the full tweet thread (https://twitter.com/UbysseyNews/status/1372379714170449928). Motherboard recently detailed how students could still cheat (https://www.vice.com/en/article/3an98j/students-are-easily-cheating-state-of-the-art-test-proctoring-tech) despite using Proctorio.
New global model needed to dismantle ransomware gangs, experts warn (https://www.cyberscoop.com/ransomware-attacks-global-hacks-diplomacy/) Cyberscoop: Security experts and former diplomats are in the early stages of urging governments to figure out a way to work together against ransomware, whose victims have paid close to $350 million to hackers last year alone. Sanctions alone aren’t enough. But tackling ransomware actors at the source — their infrastructure — may be one possible solution.
Russian who tried to hack Tesla last summer pleads guilty (https://therecord.media/russian-who-tried-to-hack-tesla-last-summer-pleads-guilty/) The Record: @campuscodi (https://twitter.com/campuscodi/status/1372686972322508804) with the scoop: Russian hacker Egor Kriuchkov, who tried to plant malware on Tesla’s network using a recruited employee but fell flat when the employee told the feds, has pleaded guilty. The DOJ confirmed (https://twitter.com/TheJusticeDept/status/1372690824903983104) his report a short time later.
Swiss hacker’s indictment spotlights ethics of activist attacks (https://www.justice.gov/usao-wdwa/pr/swiss-hacker-indicted-conspiracy-wire-fraud-and-aggravated-identity-theft) Bloomberg ($): Tillie Kottmann, the Swiss hacker at the center (https://www.bloomberg.com/news/articles/2021-03-19/swiss-hacker-s-indictment-spotlights-ethics-of-activist-attacks) of the Verkada surveillance camera breach, has been indicted by the Justice Department. Kottmann (they/them) remains in Switzerland and likely won’t be extradited, but could face legal reprisals at home. The charges stem from Kottmann’s involvement in previous leaks at major companies and government entities, per @WilliamTurton (https://twitter.com/WilliamTurton/status/1373028769280233478), who scooped this story and covered it extensively from the beginning.
~ ~
** OTHER NEWSY NUGGETS
Rising encrypted app Signal is down in China (https://techcrunch.com/2021/03/15/signal-is-down-in-china/) The good times might be over, as Signal is now blocked in mainland China. The ban happened a day after the non-profit secure messaging app’s website was blocked by the country’s so-called Great Firewall. The app had reached more than 100 million downloads, but it was a matter of time before Beijing cracked down.
https://twitter.com/greatfirechina/status/1371737517477789698
With Spectre still lurking, Google looks to protect the web (https://www.wired.com/story/spectre-browser-attacks-google-proof-of-concept/) Wired ($) looks at Google’s efforts to guard against Spectre, the speculative execution bug in Intel chips. Google has developed a proof-of-concept exploit that “shows the danger Spectre attacks pose to the browser in hopes of motivating a new generation of defenses,” reports @lilyhnewman (https://twitter.com/lilyhnewman).
Tampa Twitter hacker agrees to three years in prison (https://www.tampabay.com/news/crime/2021/03/16/tampa-twitter-hacker-agrees-to-three-years-in-prison-in-plea-deal/) Graham Ivan Clark, a 17-year-old at the time (https://twitter.com/KimZetter/status/1371876017824927746?s=20) of the Twitter hack last year, has pleaded guilty to fraud charges after he broke into Twitter and got access to an “admin” console, which he used to break into high profile accounts and spread a cryptocurrency scam. He netted some $117,000 in bitcoin before the scam was shut down. He will serve three years (https://twitter.com/NickAtNews/status/1371903781370261507) in prison.
Mimecast says SolarWinds hackers breached its network and spied on customers (https://arstechnica.com/gadgets/2021/03/mimecast-says-solarwinds-hackers-breached-its-network-and-spied-on-customers/) Email management giant Mimecast confirmed that its network intrusion, which was used to spy on its customers, was carried out by the same hackers who hit the SolarWinds supply chain. In other words, it’s likely the Russians were behind the attack. The U.S. previously said the SolarWinds hackers were (https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure) “likely Russian in origin.” The hackers “accessed a Mimecast-issued certificate that some customers use to authenticate various Microsoft 365 Exchange web services.”
~ ~
** THE HAPPY CORNER
This week’s good news has to start with @C_C_Krebs (https://twitter.com/NeuSummits/status/1371930528400748547) flashing a much earned bottle of champagne live on MSNBC following the government report this week that showed there was no election hacking in 2020. If you recall, Krebs was fired as the director of CISA by President Trump for pushing back against Trump’s false election claims.
A big congrats to @kimzetter (https://twitter.com/KimZetter/status/1372973969242873856?s=20) who has launched a new Substack called — appropriately — Zero Day, focusing on hackers, spies, and the intersection of cyber and national security. Zetter’s first post (https://zetter.substack.com/p/would-government-monitoring-have) is a deep-dive on how the government’s network monitors would not stop a SolarWinds-style attack, in part because of “blind spots” in the government’s legal authorities. Sign up!
And @redteamwrangler (https://twitter.com/redteamwrangler/status/1373406580574654467)‘s JIRA nightmare is an absolute mood.
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** CYBER CATS & FRIENDS
Meet this week’s cyber cat, Fortuna, who is helping her human with his OSCP lab. Fortuna had her right ear removed due to cancer last year, but that doesn’t keep her from cybering. What a trooper! A big thanks to her human, Simon H., for the submission.
(Image: Fortuna is a very lovely cat with one ear, standing next to her dad’s computer screen.)
We’re running low on cyber cats and their friends! Please keep sending them in! (And yes, that includes your non-feline friends (https://mailchi.mp/zackwhittaker/this-week-in-security-december-27-edition)). You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.). The more the merrier!
~ ~
** SUGGESTION BOX
Thanks for reading this week! To make this newsletter more accessible, I am adding alt-text to images to support screen readers, and will make an effort to do this going forwards. I’m also experimenting with font size and compatibility for dark mode, but that’s proving somewhat tricky. Please drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you next Sunday!
============================================================
~this week in security~ does not track email opens or link clicks.