this week in security — march 28 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 13
~ ~
** THIS WEEK, TL;DR
Google’s top security teams unilaterally shut down a counterterrorism operation (https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/) MIT Technology Review ($): Bombshell of the week. Google shut down a nine-month counterterrorism operation by an unknown Western government. The government was using (https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html) 11 zero-day vulnerabilities targeting Chrome and Android, but also iOS and Windows. Google’s reasoning for shutting down the operation was that the vulnerabilities “will eventually be used by others.” But the move sent alarm bells ringing in both Google and the U.S. intelligence community. This was a monster scoop, and one that will likely have ramifications for a while. More: Google Project Zero (https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html) | @chronic (https://twitter.com/chronic/status/1375461855297081344?s=20) | @thegrugq (https://twitter.com/thegrugq/status/1375436519616352257)
Ransomwared bank tells customers it lost their Social Security numbers (https://www.vice.com/en/article/xgznxw/ransomwared-bank-tells-customers-it-lost-their-ssns) Motherboard: The Accellion breach (https://www.wired.com/story/accellion-breach-victims-extortion/) is getting bigger and costlier. Now it’s directly hitting consumers too. Flagstar, a bank in Michigan, told customers that hackers took their SSNs, @lorenzofb (https://twitter.com/lorenzofb) reports. The bank did not say how many customers were affected, but pointed the blame at a file transfer service it uses by Accellion, which earlier this year admitted it had been hit by data-stealing ransomware. This week Cyberscoop (https://www.cyberscoop.com/shell-accellion-hack-victims/) reported oil giant Shell was also impacted by the Accellion hack. More: Cyberscoop (https://www.cyberscoop.com/shell-accellion-hack-victims/) | @fbajak (https://twitter.com/fbajak/status/1374069149115289600)
FatFace criticized for telling customers to keep data breach ‘private’ (https://www.theregister.com/2021/03/24/fatface/) The Register: Clothing giant FatFace forgot the first rule of data breach notification — don’t try to cover it up. In a letter to victims this week, the company told its customers to keep the data breach notice “strictly private and confidential.” Obviously that’s not how it works. Names, email and postal addresses, and partial card data were taken in the breach, which the company first detected in January. Employees were also affected (https://techcrunch.com/2021/03/25/fatface-data-breach-strictly-private/) , with the hacker making off with employee National Insurance numbers (British SSNs) and banking information. FatFace reportedly (https://www.computerweekly.com/news/252498463/Retailer-FatFace-pays-2m-ransom-to-Conti-cyber-criminals) paid $2 million to the Conti ransomware group to get its files back. More: TechCrunch (https://techcrunch.com/2021/03/25/fatface-data-breach-strictly-private/) | Computer Weekly (https://www.computerweekly.com/news/252498463/Retailer-FatFace-pays-2m-ransom-to-Conti-cyber-criminals) | @theregister (https://twitter.com/TheRegister/status/1374776945569718276)

Software vendors must disclose breaches to U.S. government users, per draft order (https://www.reuters.com/article/idUSL1N2LN3E) Reuters: The Biden administration may require software vendors to warn the federal government if they’ve been hit by a security breach, according to a draft executive order seen by Reuters. It comes after the SolarWinds hack saw (believed to be) Russian hackers break into at least nine federal agencies and over 100 private companies using the ubiquitous SolarWinds software as a foothold. The order seems like an effort to elevate similar state-level data breach notifications to the federal level, in the hope — at least — of preventing a similar government-wide attack.
More: @johnwetzel (https://twitter.com/johnwetzel/status/1375194881329655815?s=21)
Facebook caught Chinese hackers using fake personas to target Uyghurs abroad (https://techcrunch.com/2021/03/24/facebook-earth-empusa-evil-eye-china-uyghur/) TechCrunch: Facebook caught a group of China-based hackers dubbed “Earth Empusa,” “Evil Eye” or “Poison Carp” targeting about 500 people on Facebook, including in the U.S., through fake accounts posing as activists and journalists. Once hoodwinked, the hackers would send their targets to compromised websites with malware-laden prayer apps and keyboard downloads, designed to target Uyghur Muslims, an oppressed ethnic group in China’s Xinjiang region. (Beijing is accused of forcing over a million Uyghurs into detention camps.) Facebook fell short of attributing the campaign to the Chinese government. But these are the same hackers that were spotted by Google hacking similar Uyghur targets (https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/) in 2019 using iPhone zero-days. More: Reuters (https://www.reuters.com/article/facebook-china-cyber/chinese-hackers-used-facebook-to-target-uighurs-abroad-company-says-idUSL1N2LM28P) | BBC News (https://www.bbc.com/news/technology-56518467)
Privacy protections and accessibility on state COVID-19 vaccine sites are not great (https://themarkup.org/coronavirus/2021/03/24/we-ran-tests-on-every-states-covid-19-vaccine-website) The Markup: The U.S. COVID-19 vaccine rollout has been, quite frankly, a mess. Anyone eligible at this stage faces a shortage of first-dose appointments, and every state and county has a different rollout protocol — and scheduling website. It turns out many aren’t so great for privacy. The Markup found that while many sites set no cookies at all, others did — Nevada’s, Utah’s, and Hawaii’s websites set “substantially” more cookies than the average site. More: @alfredwkng (https://twitter.com/alfredwkng/status/1374700866863783946) | @juliaangwin (https://twitter.com/JuliaAngwin/status/1374706075077853187)
This is what happens when ICE asks Google for your user information (https://www.latimes.com/business/technology/story/2021-03-24/federal-agencies-subpoena-google-personal-information) Los Angeles Times ($): @JmBooyah (https://twitter.com/JmBooyah) has a deep dive on what happens when ICE demands Google for your private information (en español (https://www.latimes.com/espanol/eeuu/articulo/2021-03-25/si-quieres-evitar-que-google-proporcione-tu-informacion-personal) ). “It may seem like a phishing scam or an update to Gmail’s terms of service. But it could be the only chance you’ll have to stop Google from sharing your personal information with authorities.” This is an important read on what to know and how to protect yourself, because Google sure as hell isn’t going to help. More: @JmBooyah tweets (https://twitter.com/JMBooyah/status/1374724288075296770)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
New York’s Covid-19 vaccine passport leaves users clueless about privacy (https://theintercept.com/2021/03/24/andrew-cuomo-covid-ibm-blockchain/) The Intercept: New York’s blockchain-based vaccine “passport” is supposed to help the state open up again as the pandemic enters its second year. But when asked about privacy, the state government didn’t bother publishing a privacy policy and basically just said “blockchain” again and again in the hope that it’ll wear out critics, when in reality there is “zero reason” for blockchain to be involved, per @matthew_d_green (https://twitter.com/matthew_d_green) .
Credit card hacking forum hacked, exposing 300,000 hackers’ accounts (https://www.vice.com/en/article/v7m9jx/credit-card-hacking-forum-gets-hacked-exposing-300000-hackers-accounts) Motherboard: Credit card hacking forum Carding Mafia was ironically pwned, spilling close to 300,000 user accounts according to @haveibeenpwned (https://twitter.com/haveibeenpwned/status/1374238432013164545?s=20) . Emails, IP addresses, and passwords — stored in MD5(!) — were breached.
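Why the “MD5(!)” deserves the exclamation mark: an unsalted fast hash gives every user with the same password the same digest, so a leaked table leaks password reuse before anyone has cracked anything, and the hash itself is cheap enough to attack at scale. The block below is an added example, not code from the story or the forum; it contrasts that storage scheme with a salted, deliberately slow PBKDF2-HMAC-SHA256 that stores its own parameters. The account list is constructed sample data, not breach data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the breach in the story).
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the story calls out: one fast hash, same output for same input."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_groups(table: dict) -> list:
    """With unsalted hashes, identical digests reveal which users share a password,
    before a single hash has been cracked."""
    by_digest = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256; the stored string carries its parameters
    so the work factor can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    weak = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    print("users sharing a password, visible under MD5:", shared_password_groups(weak))
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("users sharing a password, visible under PBKDF2:", shared_password_groups(strong))
    print("alice verifies:", verify_password("hunter2", strong["alice"]))
```

Under MD5 the grouping function immediately pairs alice and bob; under the salted scheme their records differ and nothing can be learned from the table without running the slow function once per guess per user.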
APT encounters of the third kind (https://igor-blue.github.io/2021/03/24/apt1.html) Igor Bogdanov: This is an incredible read on how @IgorBog61650384 (https://twitter.com/IgorBog61650384/status/1374800036366848002) found something weird in a network capture that turned out to be a really advanced and highly-developed Linux malware. This is a wild ride and worth the read for DFIR folks. (via @attrc (https://twitter.com/attrc/status/1375093810523439108?s=20) )

FBI paid an anti-child predator charity $250,000 for hacking tools (https://www.vice.com/en/article/qjp7eq/fbi-paid-charity-for-hacking-tools-ni) Motherboard: @josephfcox (https://twitter.com/josephfcox) reports on how the FBI paid a non-profit organization focused on unmasking child predators $250,000 for a series of hacking tools (known as network investigative techniques — or NITs). This is particularly interesting since it’s the first known instance of a charity either building or obtaining hacking tools. (Facebook previously bought (https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) a hacking tool for the FBI.) The charity would not say whether it developed the NITs itself or sourced them from another party, however. Still, this shows the private surveillance industry goes far further than many would think.
Ransomware gang leaks data from US military contractor the PDI Group (https://therecord.media/ransomware-gang-leaks-data-from-us-military-contractor-the-pdi-group/) The Record: A major military supplier has fallen victim to a ransomware attack. PDI Group is based in Ohio and manufactures transporting equipment for weapons and airplane parts. The criminal group behind the file-stealing Babuk Locker ransomware has claimed responsibility for the breach after listing the company’s stolen files on its leak site. When @campuscodi (https://twitter.com/campuscodi) contacted the company, a spokesperson hung up the call. Sheesh. ~ ~
** OTHER NEWSY NUGGETS
Insurance giant CNA hit by ‘sophisticated cybersecurity attack’ (https://www.chicagotribune.com/business/ct-biz-cna-insurance-cybersecurity-attack-20210324-e4skjycxvra4zh7dxoxqoz7lsm-story.html) CNA, a cyber-insurance giant that made close to $11 billion in revenue last year, was itself hit by a cyberattack that caused a “network disruption” that took down several systems, including its email. The company disclosed the incident on March 21 and it’s still offline as of the writing of this newsletter. All signs point to ransomware, but the company remains mum on the cause or the malware.

Thoughts on selling to security leaders (https://www.linkedin.com/pulse/thoughts-selling-security-leaders-jason-chan/) Netflix’s infosec chief @chanjbs (https://twitter.com/chanjbs) wrote a blog about how not to pitch security gear or tech to security leaders. None of these are unreasonable, and are clearly designed to push back against some of the more aggressive (and unethical) sales tactics. (Thanks to @ryannaraine (https://twitter.com/ryanaraine/status/1374071140168044546) for the spot.)
A new Android spyware masquerades as a ‘system update’ (https://techcrunch.com/2021/03/26/android-malware-system-update/) Security researchers say a powerful new Android malware masquerading as a critical system update can take complete control of a victim’s device and steal their data. The app is called “System Update” and was installed outside of Google Play. But Zimperium, which discovered the malware, said this was “easily the most sophisticated” malware it’s seen. “We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible,” said CEO Shridhar Mittal. (Disclosure: I wrote this story.) ~ ~
** THE HAPPY CORNER
Right, now onto the good news.
Google will make https:// the default in the address bar with Chrome 90. It’ll replace http:// as the default for the first time, since HTTPS has become practically ubiquitous across the web. The news came in a blog post (https://blog.chromium.org/2021/03/a-safer-default-for-navigation-https.html) this week. “For sites that don’t yet support HTTPS, Chrome will fall back to HTTP when the HTTPS attempt fails (including when there are certificate errors, such as name mismatch or untrusted self-signed certificate, or connection errors, such as DNS resolution failure).”
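The quoted paragraph describes a try-https-then-downgrade rule, and the interesting part for a defender is exactly which failures trigger the downgrade: a certificate error falls back to plaintext just as a DNS failure does. The block below is an added example, not Chromium’s code; it models that rule in Python with the post’s failure classes mapped to Python exceptions, and assumes (not stated on the page) that an explicitly typed scheme is honoured as-is. The network is a constructed stand-in so it runs offline; the attempt log makes each downgrade visible.

```python
import socket
import ssl
from typing import Callable, Dict, List, Tuple, Union

# The failures the Chromium post lists as reasons to fall back to http://:
# certificate errors (name mismatch, untrusted self-signed certificate) and
# connection errors such as DNS resolution failure, mapped to Python exceptions.
FALLBACK_ERRORS = (ssl.SSLCertVerificationError, socket.gaierror, ConnectionError, TimeoutError)

Fetch = Callable[[str], int]  # returns an HTTP status, or raises one of the errors above


def https_first_navigate(typed: str, fetch: Fetch) -> Tuple[str, List[str]]:
    """Resolve an address-bar entry HTTPS-first. Returns the URL that loaded and the
    ordered list of attempts, so a downgrade to http:// is visible in the log."""
    if "://" in typed:
        # Assumption: an explicit scheme is honoured as typed; the upgrade only
        # applies to scheme-less input, which is what "default" in the bar means.
        fetch(typed)
        return typed, [typed]
    attempts = ["https://" + typed]
    try:
        fetch(attempts[0])
        return attempts[0], attempts
    except FALLBACK_ERRORS:
        attempts.append("http://" + typed)
        fetch(attempts[1])  # if this fails too, the error propagates: site unreachable
        return attempts[1], attempts


def resolve_with_outcome(typed: str, fetch: Fetch) -> str:
    """Same navigation, summarised as one string for logging or assertions."""
    try:
        final_url, attempts = https_first_navigate(typed, fetch)
    except FALLBACK_ERRORS as exc:
        return f"unreachable: {type(exc).__name__}"
    downgraded = " (downgraded)" if len(attempts) > 1 else ""
    return final_url + downgraded


def make_fake_network(table: Dict[str, Union[int, BaseException]]) -> Fetch:
    """Constructed stand-in for the network: each URL maps to a status code to
    return or an exception to raise, so the example runs offline."""
    def fetch(url: str) -> int:
        outcome = table[url]
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return fetch


# Constructed sample sites covering each case in the quoted paragraph.
SAMPLE_NETWORK = make_fake_network({
    "https://modern.example": 200,
    "https://legacy.example": ConnectionRefusedError("no listener on 443"),
    "http://legacy.example": 200,
    "https://selfsigned.example": ssl.SSLCertVerificationError("self-signed certificate"),
    "http://selfsigned.example": 200,
    "https://nosuch.example": socket.gaierror("Name or service not known"),
    "http://nosuch.example": socket.gaierror("Name or service not known"),
    "http://explicit.example": 200,
})

if __name__ == "__main__":
    for entry in ("modern.example", "legacy.example", "selfsigned.example",
                  "nosuch.example", "http://explicit.example"):
        print(f"{entry:26} -> {resolve_with_outcome(entry, SAMPLE_NETWORK)}")
```

The selfsigned.example case is the one worth noticing: a certificate problem is treated the same as a closed port, so a site that half-deploys HTTPS ends up loading over plaintext rather than showing a warning.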
A quick dash across the pond (or “the land that raised me” as I call it) because the Bank of England has unveiled its new £50 note (https://www.bbc.com/news/business-56503741) featuring WW2 codebreaker Alan Turing, whose work helped to shorten the war. He died by suicide at 41 after he was convicted under anti-LGBTQ+ laws in 1952, but posthumously pardoned in 2013. Then-PM Gordon Brown also issued an apology for the government’s “inhumane” treatment of Turing. It’s great to see Turing acknowledged after all these years.

@US_CYBERCOM (https://twitter.com/US_CYBERCOM/status/1374803836397834245?s=20) made me laugh this week with this entirely predictable response to @cybersecmeg (https://twitter.com/cybersecmeg/status/1374463582826422276) ‘s tweet thread. Some more great responses here (https://twitter.com/cybersecmeg/status/1374463582826422276) .

And, this @gcluley (https://twitter.com/gcluley/status/1375172450644865026) tweet is submitted without further comment.

If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CATS & FRIENDS
Meet Peanut, who features this week. His human told me that there’s definitely a joke in here about perimeter security or insider threats, since Peanut is very eager to find the bunny (in the back) but not as great at locating said bunny. You’re doing the best you can, Peanut! Many thanks to @margaretvaltie (https://twitter.com/margaretvaltie?lang=en) for the submission! Thanks for sending in your cyber cats (and their friends!) Please do keep sending them in. You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) , and feel free to send updates on previously-submitted friends! ~ ~
** SUGGESTION BOX
That’s all for this week. As usual, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a great week, and see you next Sunday. Be safe, and be well.
============================================================
~this week in security~ does not track email opens or link clicks.