this week in security — march 3 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 9.
** THIS WEEK, TL;DR
U.S. Cybercom Disrupts Russian Troll Factory On Election Day (https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html) Washington Post ($): Talk about disrupting the election disruptors. @nakashimae (https://twitter.com/nakashimae) reports U.S. Cyber Command launched an offensive cyberattack against Russia’s so-called Internet Research Agency, the government’s troll and disinformation unit, on Election Day(!) to prevent “the Russians from mounting a disinformation campaign that casts doubt on the results.” It comes weeks after the government said it would start offensive operations (https://techcrunch.com/2018/10/23/first-cyber-operation-gentle-approach-russian-trolls/) against election meddlers. Russia’s federal news site confirmed the attack, saying the Americans remotely wiped their computers (https://www.zdnet.com/article/us-wiped-some-hard-drives-of-russias-troll-factory-in-last-years-hack/) . More: Lawfare (https://www.lawfareblog.com/what-make-cyber-commands-operation-against-internet-research-agency) | Background: TechCrunch (https://techcrunch.com/2018/10/23/first-cyber-operation-gentle-approach-russian-trolls/) | New York Times ($) (https://www.nytimes.com/2018/10/23/us/politics/russian-hacking-usa-cyber-command.html)
Former Hacking Team Members Are Now Spying on the Blockchain (https://motherboard.vice.com/en_us/article/a3bn5e/coinbase-neutrino-former-hacking-team-members) Motherboard: Coinbase, a major cryptocurrency platform, bought Neutrino, a company founded by former members of Hacking Team, the Italian malware maker that got hacked some years back after it sold spyware to governments (https://motherboard.vice.com/en_us/article/nzeg5x/here-are-all-the-sketchy-government-agencies-buying-hacking-teams-spy-tech) . It’s believed Neutrino was brought on to conduct forensics and track transactions on Coinbase’s platform, per @lorenzoFB (https://twitter.com/lorenzofb) . That’s a little ironic given cryptocurrency was supposed to give people more anonymity than fiat money. Users were pissed, and tried (https://motherboard.vice.com/en_us/article/xwb7xj/coinbase-users-struggle-to-delete-their-accounts-in-protest) to delete their accounts. More: Motherboard (https://motherboard.vice.com/en_us/article/xwb7xj/coinbase-users-struggle-to-delete-their-accounts-in-protest) | Coinbase (https://blog.coinbase.com/welcoming-neutrino-to-coinbase-b3f56171850d)
Huawei Frightens Europe’s Data Protectors. America Does, Too (https://www.bloomberg.com/news/articles/2019-02-24/huawei-frightens-europe-s-data-protectors-america-does-too) Bloomberg: It’s not just Huawei that’s causing concern. Friends of the U.S., like Europe, are worried about the Cloud Act, which has the power to demand any data from any U.S. company anywhere in the world, regardless of local laws. That’s naturally causing major concern in the EU, where that isn’t allowed. Think of it as similar to China’s cybersecurity law (https://www.zdnet.com/article/nobody-can-seem-to-figure-out-new-china-cybersecurity-law/), enacted and ratified in 2017, and you’re really not that far off. More: ZDNet (https://www.zdnet.com/article/nobody-can-seem-to-figure-out-new-china-cybersecurity-law/)
Dow Jones’ Watchlist Of 2.4M High-Risk Individuals Leaks (https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/) TechCrunch: This was a messy one: a massive database of 2.4 million records was exposed, without a password (as usual), on high-risk individuals and companies that are accused of links to terrorism or financial crimes. Others are politically exposed, such as current and former politicians. The data is gathered from public sources but the very inclusion of a name on the database — or how a person gets on it — is an industry secret. (Disclosure: I wrote this story!) More: Bob Diachenko (https://securitydiscovery.com/dow-jones-risk-screening-watchlist-exposed-publicly/) | Background: BBC News (https://www.bbc.com/news/technology-36662612)
Millions Of Utility Customers’ Passwords Stored In Plaintext (https://arstechnica.com/tech-policy/2019/02/plain-wrong-millions-of-utility-customers-passwords-stored-in-plain-text/) Ars Technica: Atlanta-based utility provider SEDC was storing passwords in plaintext — only revealed thanks to a disclosure by an anonymous researcher. In trying to get the vulnerability fixed, the researcher was sent the way of the general counsel, who told the researcher to “cease” repeating “erroneous assertions.” What a surprise… company does wrong, immediately lawyers up. SEDC said in a statement (http://www.sedata.com/industry-insider/on-behalf-of-sedcs-management-team/) it didn’t violate compliance policies and some other misdirecting bullshit nobody cares about. More: SEDC (http://www.sedata.com/industry-insider/on-behalf-of-sedcs-management-team/)
Revealed: Facebook’s Global Lobbying Against Privacy Laws (https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment) The Guardian: New documents show Facebook launched a global lobbying effort — in some cases using Sheryl Sandberg’s own “Lean In” book — to try to influence global data protection and privacy laws. According to the Guardian’s reporting, the company “threatened to withhold investment from countries unless they supported or passed Facebook-friendly laws,” and sought to influence politicians, including in the U.K. and Ireland — to water down the recently implemented GDPR rules. More: ComputerWeekly (https://www.computerweekly.com/news/252458229/Facebook-asked-George-Osborne-to-influence-EU-data-protection-law)
Facebook Admits 18% Of Research Spyware Users Were Teens, Not 5% (https://techcrunch.com/2019/02/28/facebook-research-teens/) TechCrunch: And just in case you thought Facebook couldn’t screw up enough this week: a new scoop by my colleague @JoshConstine (https://twitter.com/JoshConstine) on the long-running saga of Facebook’s so-called Research app that it used to collect massive amounts of data on teenagers and other users. Facebook said less than 5% of the users it paid to install the app were teenagers, but in a disclosure to Sen. Mark Warner (D-VA), the social media giant admitted it was closer to 18% over the “complete lifetime of the program”. That’s a huge difference. More: Sen. Mark Warner on Scribd (http://www.scribd.com/doc/398582231) | Background: TechCrunch (https://techcrunch.com/2019/01/29/facebook-project-atlas/)
** THE STUFF YOU MIGHT’VE MISSED
FastMail faces calls to move over anti-encryption laws (https://www.itnews.com.au/news/fastmail-loses-customers-faces-calls-to-move-over-anti-encryption-laws-519783) ITnews.com.au: Aussie-based FastMail is losing customers and is being called on to move its email service out of the country following the new anti-encryption data access law — even though the company said it’s not materially affected by it. According to the article, FastMail also said that the secretive “technical capabilities” (read: backdoors) added to products and services to aid law enforcement were “unlikely to stay secret for long,” negating portions of the law entirely.
Thailand passes internet security ‘cyber martial’ law (https://www.reuters.com/article/us-thailand-cyber/thailand-passes-internet-security-law-decried-as-cyber-martial-law-idUSKCN1QH1OB) Reuters: Keeping that in mind… Thailand, where freedom of speech is limited at best under the military regime, is about to get even more restrictive with a cybersecurity law described as a “martial” security law. Frankly, that wouldn’t be far from the truth. The law will allow greater surveillance (https://techcrunch.com/2019/02/28/thailand-passes-controversial-cybersecurity-law/) and access to private data, despite concerns it’ll drive businesses out of the country.
Government-funded researchers probe flaws in EV charging station (https://www.cyberscoop.com/ev-charging-stations-hacked-idaho-national-laboratory/) Cyberscoop: New research shows how easy it is to effectively denial-of-service electric cars. Security researcher Kenneth Rohde “executed a spoofing command to trick the charging station into thinking the vehicle was 90-percent charged when it was really at a third of its power,” according to Cyberscoop. Similar flaws (https://www.zdnet.com/article/electric-cars-security-flaws-could-let-attackers-control-charging-stations/) were disclosed in January.
Spy firm asks Mozilla to be included in Firefox’s certificate whitelist (https://www.zdnet.com/article/surveillance-firm-asks-mozilla-to-be-included-in-firefoxs-certificate-whitelist/) ZDNet: DarkMatter, a spyware and malware-creation company, wants to be included on Mozilla’s approved list of HTTPS certificate issuers, despite the fact that DarkMatter is a United Arab Emirates-based malware company that was linked to spying on friends of murdered Saudi journalist Jamal Khashoggi (https://www.washingtonpost.com/opinions/global-opinions/how-a-chilling-saudi-cyberwar-ensnared-jamal-khashoggi/2018/12/07/f5f048fe-f975-11e8-8c9a-860ce2a8148f_story.html). Mozilla says it’s stuck between a rock and a hard place: DarkMatter has a spotless record as a certificate authority, so Mozilla doesn’t know whether it should break its own rules. Or, maybe common sense will prevail and it’ll never happen — because, I dunno, it’s a spyware company? You might as well add a Russian GRU certificate while you’re at it.
** OTHER NEWSY NUGGETS
Supermicro hardware bug let researchers backdoor IBM cloud servers Bugs in baseboard management controllers (BMCs) — small chips that sit directly on the motherboard — can allow backdoors that persist even after the servers they’re in are wiped. BMCs let admins update systems and apps and make configuration changes, but they can also be abused (https://arstechnica.com/information-technology/2019/02/supermicro-hardware-weaknesses-let-researchers-backdoor-an-ibm-cloud-server/), as reported by Ars Technica. Don’t get your hopes up that this proves “that” Bloomberg story right; it doesn’t.
Comcast set default PINs to “0000,” then scammers found out From the Washington Post ($) (https://www.washingtonpost.com/technology/2019/02/28/help-desk-digital-life-after-death-passwords-post-its-new-comcast-nightmare/?utm_term=.bce4007c0bec) and also covered by The Verge (https://www.theverge.com/2019/2/28/18245101/comcast-xfinity-mobile-pin-0000-default-customers-hack-privacy) , Comcast set some customer Xfinity Mobile phone service PIN codes to “0000.” It didn’t take long for scammers to find out, after one customer had his account hijacked. Comcast said a “very small number” of customers were affected — without saying how many — and was “working aggressively towards a PIN-based solution.” This is the third or fourth major Comcast snafu in as many years, if memory serves.
Cryptojacking code Coinhive shuts down Halle-damn-luyah, about time. The in-browser Monero cryptocurrency miner is no more (https://coinhive.com/blog/en/discontinuation-of-coinhive) . It’ll shut down next week. Few will shed tears for the miner, given how pervasive (https://www.zdnet.com/article/coinhive-cryptojacking-service-to-shut-down-in-march-2019/) it was in cryptojacking campaigns.
RSA ups its inclusivity game, but still work to do @iainthomson (https://twitter.com/iainthomson) looked at the upcoming RSA Conference’s lineup after last year’s diversity row and found that while the security meet is doing better, it’s still a way off any acceptable level of balanced representation. As he reported (https://www.theregister.co.uk/2019/03/01/rsa_speaker_lineup_inclusivity/), citing a source, “the conference organizers auction off many of the keynote spots to the highest bidder, and it’s up to the paying companies to decide who they send – and in the past, they’ve put mostly blokes on the stage.”
** GOOD PEOPLE DOING GOOD THINGS
This week, @isunlocked (https://twitter.com/isunlocked/status/1101261141538299904) began the call-out for mentors for anyone looking to submit their papers to infosec conferences. The so-called CFP (call for papers) process is a long, arduous, and often unsuccessful endeavor. It’s good to see Infosec Unlocked (https://twitter.com/isunlocked/status/1101261141538299904) try to get people in to help others out.
You all remember @hacks4pancakes’ (https://twitter.com/hacks4pancakes/) apartment drama? If you don’t, read her write-up (https://tisiphone.net/2019/01/28/security-things-to-consider-when-your-apartment-goes-smart/) ! She’s giving a talk soon (https://twitter.com/hacks4pancakes/status/1099031571506573316) in San Francisco. @CharlesDardaman (https://twitter.com/CharlesDardaman/status/1101626510333673474) et al posted a proof-of-concept video revealing the busted back-end hub that was at the center of the saga. He has a disclosure and blog post on the way.
And one last, quick note on @notdan (https://twitter.com/notdan/status/1101561019896352769?s=21), whom many of us know well as an all-round friend to infosec. This week, he posted a short but incredibly powerful read about mental health. Warning: there’s mention of suicide within, but at heart it’s a deeply personal story about knowing when to seek help, and how. We need to talk more about mental health and depression, and shouldn’t shy away from it. The more we talk about it, the more people get help. You can — and should — read his Medium post here (https://medium.com/@notdan/the-only-thing-you-cant-fix-is-killing-yourself-da8b555a99f1).
** THIS WEEK’S CYBER CAT
This week’s cybercat is Puff. He has a loving exterior, but he will destroy you if you don’t take security seriously. A big thanks to @nofawkesgiven (https://twitter.com/nofawkesgiven) for the submission. (You may need to enable images in this email.) Please send in your cybercats! You can email: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
As always, thanks for taking the time to read. Hope you have a great week. If you have any feedback, drop it in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Take care.