this week in security — march 24 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 12.
** THIS WEEK, TL;DR
Facebook Stored User Passwords in Plain Text for Years (https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/) Krebs on Security: Facebook admitted this week that it had stored the passwords of hundreds of millions of users, plus tens of thousands of Instagram users, in plaintext on its internal systems. Facebook didn’t say how the “bug” came to be, and stressed that the passwords were never visible to anyone outside the company. Still, thousands of its developers(!) — if not more — could have read them, so that’s somehow better? Brian Krebs blew the story open just before Facebook published the most ridiculously headlined (https://twitter.com/jonswaine/status/1108754537324703744) blog post ever. And yet still, this is maybe a 4/10 on the shitty scale of things Facebook’s done in recent years. More: Facebook (https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/) | Wired ($) (https://www.wired.com/story/facebook-passwords-plaintext-change-yours/)
Scooter Companies Give Real-Time Locations to Los Angeles (https://motherboard.vice.com/en_us/article/yw8j5x/scooter-companies-location-data-los-angeles-uber-lyft-bird-lime-permits) Motherboard: Scooter companies like Lyft and Bird have been told by LA to turn over real-time location data on their vehicles, and therefore on the trips their riders take, @josephfcox (https://twitter.com/josephfcox) reports. Those two companies were given year-long licenses to operate, whereas Uber — which resisted — only got a month-long license. Uber held back because it received “no assurance” that LA would protect customer privacy. More: Los Angeles Times (https://www.latimes.com/local/lanow/la-me-ln-los-angeles-scooter-surveillance-privacy-20190315-story.html) | IEEE Spectrum (https://spectrum.ieee.org/telecom/wireless/mwc-barcelona-2019-los-angeles-to-require-scooter-companies-to-share-data)
Phone Companies Are Finally Trying To Fix Robocalls (https://gizmodo.com/phone-companies-are-finally-doing-something-about-our-r-1833434088) Gizmodo: Hallelujah (if it works). With some 26 billion bogus calls a year, robocalls are taking over. AT&T’s chief executive Randall Stephenson was interrupted (https://www.usatoday.com/story/tech/2019/03/21/at-t-ceo-gets-robocall-alert-his-apple-watch-during-live-interview/3233902002/) by none other than a robocall during an on-stage interview this week. Nobody’s immune! Phone companies have begun rolling out SHAKEN/STIR, a cryptographic framework for caller authentication: the carrier where a call originates signs an attestation of the caller ID, and the carrier that delivers the call verifies that signature, so a spoofed number can be flagged before the phone rings. Two caveats: it only works between carriers that have both deployed it, and it tells the recipient that a carrier vouched for the number rather than blocking the call by itself. More: AT&T (https://about.att.com/story/2019/anti_robocall.html) | Explainers: Fast Company (https://www.fastcompany.com/90299767/heres-the-cure-for-the-deluge-of-scammy-spammy-robocalls) | TransNexus (https://transnexus.com/whitepapers/understanding-stir-shaken/)
Facebook Had Cambridge Analytica Concerns Earlier Than Reported (https://www.theguardian.com/uk-news/2019/mar/21/facebook-knew-of-cambridge-analytica-data-misuse-earlier-than-reported-court-filing) The Guardian: As if you thought the Cambridge Analytica scandal couldn’t get any worse, it turns out Facebook had concerns about the firm months earlier than previously reported. That’s per a court document (https://www.documentcloud.org/documents/5777489-Search-Page-3-1.html) filed by the Washington DC attorney general. The scandal saw data on 87 million users harvested by the political consultancy. The major accusation is that Facebook misled British lawmakers about when it knew, a charge it denies. More: Court filing (https://www.documentcloud.org/documents/5777489-Search-Page-3-1.html)
Google Failed To Fix Android Flaw For Five Years (https://www.wired.com/story/android-vulnerability-five-years-fragmentation/) Wired ($): Millions of Android users were vulnerable to a “high severity” flaw in WebView, the component apps use to render web content, that could be exploited simply by getting a victim to open a malicious link on their device. The bug existed in every Android version since KitKat, which, oddly, won’t get a patch even though it still has a larger usage share than the newest Android release, according to @lilyhnewman (https://twitter.com/lilyhnewman). The catch is that on KitKat the WebView component ships with the device firmware instead of being updated through Google Play as it is on later versions, so the fix never reaches those phones. More: Positive Technologies (https://www.ptsecurity.com/ww-en/about/news/high-risk-vulnerability-in-android-devices-discovered-by-positive-technologies/)
Critical Flaws Let Hackers Control Medtronic Defibrillators (https://arstechnica.com/information-technology/2019/03/critical-flaw-lets-hackers-control-lifesaving-devices-implanted-inside-patients/) Ars Technica: Basic security on your chest-implanted defibrillator is the least you could ask for. Alas, in Medtronic’s case, that wasn’t to be. The radio protocol these implants use to talk to their home monitors and clinic programmers (Conexus) had no authentication and no encryption, so anyone within radio range could potentially read the traffic and send commands to the device. Peter Morgan, who discovered the flaws, told me (https://techcrunch.com/2019/03/22/medtronic-defibrillators-critical-flaws/) that they could “cause harm” to a patient, but no attacks have been reported in the wild. Plus, given how tricky the flaws are to exploit — timing-wise alone — patients shouldn’t be too concerned. More: TechCrunch (https://techcrunch.com/2019/03/22/medtronic-defibrillators-critical-flaws/) | CISA ICS-CERT (https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01) | Food & Drug Administration (https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm633960.htm)
This Spyware Leak Is So Bad, We Can’t Tell You About It (https://motherboard.vice.com/en_us/article/j573k3/spyware-data-leak-pictures-audio-recordings) Motherboard: A really well reported story by @lorenzofb (https://twitter.com/lorenzofb), even though he couldn’t tell you the subject beyond it being a consumer spyware company. Motherboard found that the company is leaking its customers’ data and that it did not respond to requests to secure the database. Weeks later, after pulling every string possible, Motherboard disclosed the lapse in what I described as “perfectly navigated” (https://twitter.com/zackwhittaker/status/1109164807742214144), avoiding any detail that would put users’ data at further risk. Huge amounts of highly sensitive photos, message logs, and more are still out there, accessible and viewable. Motherboard did well to report it the way it did. More: @lorenzofb (https://twitter.com/lorenzofb/status/1109159354408857600) | @josephfcox tweet thread (https://twitter.com/josephfcox/status/1109351597677727744)
** THE STUFF YOU MIGHT’VE MISSED
Hacker returns with 26M user records for sale (https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/) ZDNet: The same hacker who has already stolen data from dozens of companies, raking in close to a billion user records, is back with a fourth round. This time 26 million new records, taken from Coubic, GameSalad, YouthManual and LifeBear, were put up for sale on the dark web.
When an app opens your apartment door, but you just want a key (https://www.nytimes.com/2019/03/23/nyregion/keyless-apartment-entry-nyc.html) New York Times ($): Another twist in the ongoing tale of residents who are forced to use an app instead of a key to get into their apartments. Pix11 (https://pix11.com/2019/03/17/residents-unhappy-they-have-to-use-app-to-get-into-manhattan-building-sue-their-landlord/) dug into the story of residents who are suing their landlord to roll back an app-based access system. The Times went a bit deeper, explaining how older residents who don’t have smartphones, or the savviness to deal with smart locks, are the ones left stranded. Many of the newer smart locks aren’t even compatible (https://twitter.com/alfredwkng/status/1107684204236537859) with older Android phones. The residents want one thing: a physical key.
Microsoft rebrands Windows Defender, brings it to macOS (https://arstechnica.com/gadgets/2019/03/microsoft-ships-anti-virus-for-macos-as-windows-defender-becomes-microsoft-defender/) Ars Technica: Good news: Windows Defender, now Microsoft Defender, is coming to Macs. Bad news: it’s only available to enterprise customers. The rebranded Microsoft Defender Advanced Threat Protection can detect and investigate Mac-based threats alongside Windows ones.
Some Democratic candidates aren’t using DMARC (https://www.cnn.com/2019/03/20/politics/democratic-candidates-email-security-2020/index.html) CNN: A friendly reminder: if you’re running for president, make sure your domain publishes a DMARC policy, so that receiving mail servers reject messages that fail SPF and DKIM checks and attackers (Russian or otherwise) can’t send email that appears to come from your campaign. CNN reported that only four of the 14 then-Democratic candidates used DMARC for email authentication. Elizabeth Warren, Kirsten Gillibrand, John Hickenlooper and Marianne Williamson had the security feature — or, rather, IT staff who knew what they were doing. One caveat: a record with a policy of “none” only asks receivers for reports; only “quarantine” or “reject” actually stops spoofed mail.
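Checking for a DMARC record is a single DNS query (the TXT record published at _dmarc.<domain>), but whether it protects the domain depends on what the record says: p=none only asks for reports, pct=10 applies the policy to a tenth of failing mail, and sp= can leave subdomains weaker than the main domain. The following is an added example in Python, written for this newsletter and not taken from CNN’s methodology or any campaign’s setup; the domains and records in SAMPLE_RECORDS are constructed, and lookup_record is only used when you run the script against a real domain.

```python
import subprocess
from typing import Dict, List, Optional

# Constructed sample records for made-up domains. A real check reads the TXT
# record published at _dmarc.<domain> (see lookup_record below).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; pct=100",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "broken.example": "v=spf1 include:_spf.example.net ~all",  # an SPF record, not DMARC
    "absent.example": None,
}

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict, or None if it is not a DMARC record.

    RFC 7489 requires the version tag to come first; receivers ignore a record
    without it, so it is treated as absent here too.
    """
    if not record:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def assess(record: Optional[str]) -> Dict[str, object]:
    """Grade a record by what a receiver will do with mail that fails SPF/DKIM alignment."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"status": "missing", "notes": ["no valid DMARC record: anyone can spoof this domain"]}
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return {"status": "invalid", "notes": ["p= tag missing or unrecognised; receivers will ignore the record"]}
    notes: List[str] = []
    if policy == "none":
        notes.append("p=none only requests reports; spoofed mail is still delivered")
        return {"status": "monitor-only", "notes": notes}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()
    if sub in POLICIES and POLICIES.index(sub) < POLICIES.index(policy):
        notes.append(f"sp={sub}: subdomains are protected more weakly than the main domain")
    if "rua" not in tags:
        notes.append("no rua= address: you will never see aggregate reports")
    return {"status": policy, "notes": notes}


def lookup_record(domain: str) -> Optional[str]:
    """Fetch the live record with dig (needs network; not used by the sample run).

    dig prints TXT data as one or more quoted strings per line; long records
    are split into '"part1" "part2"', which is joined back together here.
    """
    out = subprocess.run(["dig", "+short", "TXT", f"_dmarc.{domain}"],
                         capture_output=True, text=True, check=False).stdout
    lines = [ln.strip().strip('"').replace('" "', "") for ln in out.splitlines() if ln.strip()]
    return lines[0] if lines else None


if __name__ == "__main__":
    import sys
    targets = {d: lookup_record(d) for d in sys.argv[1:]} if len(sys.argv) > 1 else SAMPLE_RECORDS
    for domain, rec in targets.items():
        result = assess(rec)
        print(f"{domain:22} {result['status']:13} {'; '.join(result['notes'])}")
```

Run it with no arguments to see the graded sample records, or with one or more domains to query them live.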
Aluminum manufacturing giant Norsk Hydro shut down by ransomware (https://techcrunch.com/2019/03/19/norsk-hydro-ransomware/) TechCrunch/ZDNet: Norwegian aluminum giant Norsk Hydro was hit by the LockerGoga ransomware, which forced parts of its production onto manual operation. (Disclosure: I wrote this story.) Kevin Beaumont (https://twitter.com/GossiTheDog) had a great write-up (https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880) on the malware, which doesn’t spread on its own: the attackers had already compromised the network and pushed it out to machines from there. LockerGoga reportedly hit two other chemical companies (https://motherboard.vice.com/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers) this week. Norsk Hydro said it would not pay the ransom (https://www.zdnet.com/article/norsk-hydro-will-not-pay-ransom-demand-and-will-restore-from-backups) and will restore from backups.
** OTHER NEWSY NUGGETS
Don’t feel sad for this data leaker Wired ($) had a pretty interesting story (https://www.wired.com/story/exactis-data-leak-fallout/) on the Exactis data breach, which exposed the personal records of some 230 million people, told from the other side: that of the company that leaked the data by mistake. Rather than own the mistake, the company’s chief Steve Hardigree attacked the security researcher who found the data and downplayed the leak. @troyhunt (https://twitter.com/troyhunt), meanwhile, didn’t pull any punches. “I’m playing a very small violin right now,” he said (https://www.wired.com/story/exactis-data-leak-fallout/).
Russia makes it illegal to… internet? Russian president Vladimir Putin tightened his grip on the country’s internet this week by signing two bills (https://arstechnica.com/tech-policy/2019/03/russia-makes-it-illegal-to-insult-officials-or-publish-fake-news/) into law. One bans “fake news”, a label that is entirely subjective and subject to the Kremlin’s interpretation of whatever it doesn’t like. The other makes it illegal to insult (https://www.washingtonpost.com/world/2019/03/18/with-putins-signature-fake-news-bill-becomes-law/?utm_term=.6035bfd7f1c7) public officials.
100,000 GitHub repos are about to get you into a lot of trouble Do you know where your crypto keys are? You’d better hope you haven’t left them in a public GitHub repo. According to researchers at North Carolina State University, some 100,000 repos (https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/) have leaked API tokens or cryptographic keys, and thousands of new ones leak every day. Maybe you should go check your repos… and remember that deleting a key from the latest commit doesn’t scrub it from the history, so anything that was ever pushed needs to be rotated.
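The check the item above invites is easy to run locally before you push. The scanner below is an added example written for this newsletter, not the NCSU researchers’ tooling: it combines fixed-format patterns for well-known credential types with a Shannon-entropy test for generic-looking tokens assigned to secret-sounding variable names, and runs here over a constructed sample file (the AWS key in it is Amazon’s published example key, not a live credential; the entropy threshold is an assumed cut-off). Treat hits as candidates to review and rotate, not as a verdict.

```python
import collections
import math
import os
import re
from typing import Iterator, List, NamedTuple

# Fixed-format credentials: the prefix and length make these cheap to match exactly.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z\-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
}

# Anything assigned to a variable that sounds like a secret; the entropy check
# below separates real tokens from placeholders such as "changeme".
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|passw(?:or)?d|api[_-]?key|auth)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example
SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random base64 scores about 5 to 6, prose about 4."""
    counts = collections.Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Scan one file's contents; known-format hits take priority over the generic rule."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(0)))
                matched = True
        if matched:
            continue
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "generic_high_entropy", value))
    return findings


def scan_tree(root: str) -> Iterator[Finding]:
    """Walk a checkout and scan every file that decodes as UTF-8 text."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    yield from scan_text(fh.read(), path)
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: skip


# Constructed sample standing in for a committed settings file.
SAMPLE_FILE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-----BEGIN RSA PRIVATE KEY-----
db_password = "changeme"
api_token = "Z9k3Qx8vLm2pR7tYw4eBn6hJ1sAfD0gU"
DEBUG = True
"""


if __name__ == "__main__":
    import sys
    hits = list(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else scan_text(SAMPLE_FILE)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.value[:8]}...")
```

Point it at a checkout (`python scan.py path/to/repo`) to walk the working tree; because it only reads the files on disk, run it over `git log -p` output as well if you want to catch keys that were committed and later removed.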
Four-out-of-five EU websites use undisclosed trackers It turns out most EU government websites are using undisclosed third-party trackers, according to a new report (https://www.theregister.co.uk/2019/03/18/cookie_government_tracking_report/). “It found that there were 112 companies slurping up information on EU citizens’ browsing habits on the webpages of the governments supposedly fighting the good fight against excess stalking of netizens.” A little embarrassing for the architects of GDPR, which requires exactly this kind of tracking to be disclosed and consented to.
FEMA exposes millions of disaster survivors’ data This was messy: FEMA, the disaster management agency, handed the personal data of about 2.3 million disaster survivors to an outside contractor that had no need for it, the agency’s inspector general found, reports Cyberscoop (https://www.cyberscoop.com/fema-exposed-personal-data-2-3-million-disaster-survivors-violated-privacy-law-ig-finds/). That was in “direct violation” of federal privacy requirements. The Washington Post ($) went further (https://www.washingtonpost.com/national/health-science/fema-data-breach-hits-25-million-disaster-survivors/2019/03/22/3e2c6232-4cec-11e9-93d0-64dbcf38ba41_story.html?utm_term=.0bfd4466b276), putting the figure at 2.5 million and explaining that 1.8 million of them had their banking information inadvertently shared. It wasn’t known whether the oversharing had led to identity theft or other malicious activity, a spokesperson said.
** THE HAPPY CORNER
One tweet that had me in stitches this week was this one of the O’Reilly Python guides, which… had something a little off about them. (https://twitter.com/neilcic/status/1108524100245442561)
And also, @Scott_Helme (https://twitter.com/Scott_Helme/status/1108345812084576256) has an interesting story about finding a web directory with certificates and private keys from the Safe Deposit Bank of Norway (facepalm (https://giphy.com/gifs/disney-frozen-review-WrNfErHio7ZAc)). I won’t give away the ending (https://twitter.com/Scott_Helme/status/1108378002256216068) but it serves them right. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place).
** THIS WEEK’S CYBER CAT
This week’s cybercat is Grace. She sits and waits, then covertly watches you type in your password. But she doesn’t sell it on the dark web because she’s a good kitty. Thanks to Trevor Giffen for the submission. (You may need to enable images in this email.) You can submit your cybercats (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) here by dropping me an email.
** SUGGESTION BOX
That’s it for now. The anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open — feel free to drop in some feedback. Have a good week.