this week in security — march 8 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 10
~ ~
** THIS WEEK, TL;DR
Five years of Intel CPUs and chipsets have an unfixable flaw (https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/) Ars Technica: Virtually every Intel chip from the past five years has a concerning, unfixable flaw which, now that it is patched, is harder but not impossible to exploit. The problem is found in a security subsystem of the chip, known as CSME, which is part of Intel’s root of trust. Without that, there’s no guarantee that an affected computer hasn’t been compromised at the hardware level. More: Positive Technologies (https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html) | The Register (https://www.theregister.co.uk/2020/03/05/unfixable_intel_csme_flaw/) | @profwoodward (https://twitter.com/profwoodward/status/1235607580032069633)
Through apps, not warrants, ‘Locate X’ allows feds to track phones (https://www.protocol.com/government-buying-location-data) Protocol: Babel Street, a little-known surveillance company, has big contracts with the federal government. It claims it can allow investigators to “draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months,” according to the publication. It uses data collected from a range of apps, which are sold on to data brokers. Privacy advocates said people are “generally unaware” of how far their personal information could travel, or that it could be used by the feds — like ICE and CBP — without a warrant. More: @levinsonc tweets (https://twitter.com/levinsonc/status/1235553885563105280)
US threatens to pull big tech’s immunities if child abuse isn’t curbed (https://techcrunch.com/2020/03/05/tech-giants-immunities-encryption/) TechCrunch: This week, the DOJ and its Five Eyes partners rolled out 11 “voluntary” principles for tech giants to combat online child sex abuse. What the DOJ didn’t mention was that behind the scenes, lawmakers were passing out (https://www.judiciary.senate.gov/press/rep/releases/graham-blumenthal-hawley-feinstein-introduce-earn-it-act-to-encourage-tech-industry-to-take-online-child-sexual-exploitation-seriously) draft bills to put those same principles into law. If tech companies fail to meet the lawmakers’ standards, they could have their Section 230 provisions revoked — essentially the powers that give tech companies immunity for what their users say on their platforms. Critics say Section 230 keeps the internet alive, and that the bill is a “direct attack” (https://blog.cryptographyengineering.com/2020/03/06/earn-it-is-an-attack-on-encryption/) on encryption, which some say was the goal all along. (Disclosure: I co-bylined this story.)
More: Senate Judiciary Committee (https://www.judiciary.senate.gov/press/rep/releases/graham-blumenthal-hawley-feinstein-introduce-earn-it-act-to-encourage-tech-industry-to-take-online-child-sexual-exploitation-seriously) | The New York Times ($) (https://www.nytimes.com/2020/03/05/us/child-sexual-abuse-legislation.html) | Cryptography Engineering (https://blog.cryptographyengineering.com/2020/03/06/earn-it-is-an-attack-on-encryption/)
Accused LinkedIn hacker worked with alleged SEC hacker, DOJ accuses (https://www.cyberscoop.com/nikulin-trial-linkedin-oleksandr-ieremenko/) Cyberscoop: Yevgeniy Nikulin, a Russian hacker who allegedly stole 117 million usernames and passwords from LinkedIn, Dropbox, and Formspring in 2012, was in regular contact with Oleksandr Ieremenko, a Ukrainian charged with breaking into the U.S. Securities and Exchange Commission, prosecutors now allege. Nikulin is set to stand trial in San Francisco. Prosecutors called the hackers part of a “criminal clique.” More: Justice Dept. (https://www.justice.gov/opa/pr/two-ukrainian-nationals-indicted-computer-hacking-and-securities-fraud-scheme-targeting-us) | SEC (https://www.sec.gov/litigation/litreleases/2019/lr24381.htm)
An Android app with 1 billion downloads is recording users’ web browsing (https://www.forbes.com/sites/thomasbrewster/2020/03/03/warning-an-android-security-app-with-1-billion-downloads-is-recording-users-web-browsing/#75239bf42149) Forbes ($): This week @iblametom (https://twitter.com/iblametom) reported on an app, Clean Master, a security tool developed by Cheetah Mobile, which was evicted from Google’s app store. Turns out it was recording users’ web browsing activity, including incognito browsing sessions. Avast and Trend Micro were previously caught pulling the same stunts. Archive: Malwarebytes (https://blog.malwarebytes.com/threat-analysis/2018/09/mac-app-store-apps-are-stealing-user-data/)
Contacts of 1 million Virgin Media customers left on unsecured database (https://www.theguardian.com/media/2020/mar/05/contacts-of-1m-virgin-media-customers-left-on-unsecured-database) The Guardian: A security researcher found an exposed database and reported it to Virgin Media, which secured and disclosed the incident. What Virgin Media didn’t say was that about 1,100 customers had their accounts linked (https://www.bbc.com/news/technology-51768577) to porn or other adult sites. That GDPR fine will be huge. More: BBC News (https://www.bbc.com/news/technology-51768577) | @thisisFoxx (https://twitter.com/thisisFoxx/status/1235959087688540161) ~ ~
** SUPPORT THIS NEWSLETTER
A big thank you to everyone who reads and supports this newsletter! As subscribers go up, so do the monthly costs. Please spare $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) like stickers and mugs) to help maintain the upkeep of this newsletter. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here! ~ ~
** THE STUFF YOU MIGHT’VE MISSED
WireGuard gives Linux a faster, more secure VPN (https://www.wired.com/story/wireguard-gives-linux-faster-secure-vpn/) Wired ($): Good news for Linux users: while most security folks are wary of VPNs for their varied (and often lacking) security, WireGuard has long been seen as the gold standard for open-source VPN software. WireGuard will soon be part of the Linux kernel. The software is expected to be fully rolled into the Linux code in the coming weeks.
A psychiatrist fights the cyber industry’s mental health stigma — and appeals for help (https://www.cyberscoop.com/cybersecurity-mental-health-rsa-conference-ryan-louie/) Cyberscoop: Really glad this story was published this week. @snlyngaas (https://twitter.com/snlyngaas) did a great job here: a psychiatrist is calling on security professionals to put stigma to one side and talk more about their mental health. Some 91% of all CISOs recently surveyed reported moderate to high stress, with one-quarter saying their jobs have harmed their mental or physical health. A really important topic, and one where we all need to do more to help one another.
Let’s Encrypt bug forces revocation of some certificates (https://arstechnica.com/information-technology/2020/03/lets-encrypt-revoking-https-certs-due-to-certificate-authority-bug/) Ars Technica: Let’s Encrypt just celebrated 1 billion issued certificates, but this week it acknowledged a bug in its certificate authority authorization code, forcing the non-profit to revoke (https://www.zdnet.com/article/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug/) some 3 million certificates. In a blog post, Let’s Encrypt said (https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591) users should’ve renewed their certificates by March 4 or their sites would report security errors.
iOS, macOS bug let hackers remotely dump memory (https://bugs.chromium.org/p/project-zero/issues/detail?id=1982) Google Project Zero: A little zero-day to finish out the week. The bug, first discovered by Project Zero’s @i41nbeer (https://twitter.com/i41nbeer), shows how a hacker can remotely dump the memory of iPhones and Macs. Apple has fixed the bugs. ~ ~
** OTHER NEWSY NUGGETS
This small company has turned Utah into a surveillance panopticon (https://www.vice.com/en_us/article/k7exem/banjo-ai-company-utah-surveillance-panopticon) Banjo is a small company in Utah, which combines AI with data collected from social media, satellites and other apps to “detect anomalies” in the real world. The idea is that the system can alert law enforcement to crimes as they happen. But the company has little to no oversight and has managed to secure several major contracts with Utah state government departments. How is that any different from Palantir, you might ask? “We essentially do most of what Palantir does, we just do it live,” said Banjo’s top lobbyist. As usual, @josephfcox (https://twitter.com/josephfcox/status/1235268969616920576) has a good tweet thread on the story.
Google tracked his bike ride past a burglarized home. That made him a suspect. (https://www.nbcnews.com/news/us-news/google-tracked-his-bike-ride-past-burglarized-home-made-him-n1151761) You’ve heard of reverse location warrants before — they’re frequently mentioned in this newsletter. Police give Google (or any major location data collector) a set of geolocation coordinates and a timeframe, and anyone in that grid will have their information vacuumed up as part of that legal demand. NBC News reports on a case (https://www.nbcnews.com/news/us-news/google-tracked-his-bike-ride-past-burglarized-home-made-him-n1151761) of a guy who almost got accused of a crime he didn’t commit — simply because he was caught in one of these dragnets. Welcome to our (dystopian) future.
Facebook sues Namecheap for its private-domain service (https://about.fb.com/news/2020/03/domain-name-lawsuit/) Facebook has sued Namecheap, which owns Whoisguard, a service used for privately registering domain names. Facebook’s short blog post said that hackers had registered 45 domains through Whoisguard, which were designed to impersonate Facebook, but Nominet “declined to cooperate” in taking them down.
Defense contractor, SpaceX and Tesla parts maker among those hit by ransomware (https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-6th-2020-breaches-everywhere/) This week was a busy week for ransomware. Visser, a parts maker for SpaceX and Tesla, was hit by (https://techcrunch.com/2020/03/01/visser-breach/) the DoppelPaymer ransomware, which resulted in some files being published online after it refused to pay the ransom. Legal services giant Epiq Global was also hit (https://techcrunch.com/2020/03/02/epiq-global-ransomware/), reportedly by Ryuk (https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/). Defense contractor CPI is still recovering (https://techcrunch.com/2020/03/05/cpi-ransomware-defense-contractor/) some two months after its ransomware attack, and one of Roman Abramovich’s companies, mining giant Evraz, was also briefly knocked offline (https://www.zdnet.com/article/one-of-roman-abramovichs-companies-got-hit-by-ransomware/) by Ryuk. Meanwhile, Grayson County in Texas (https://www.kxii.com/content/news/Grayson-County-No-data-compromised-during-ransomware-attack-568524511.html) and LaSalle County in Illinois (https://week.com/2020/03/02/ransomware-attack-affecting-lasalle-countys-technology/) also saw interruptions from file-encrypting malware. ~ ~
** THE HAPPY CORNER
Just one thing in the happy corner this week.
Turns out, @troyhunt (https://twitter.com/troyhunt/) isn’t selling Have I Been Pwned after all. In a blog post, Hunt explained (https://www.troyhunt.com/project-svalbard-have-i-been-pwned-and-its-ongoing-independence/) the reasoning. “I will continue running it independently,” he wrote. “After 11 months of a very intensive process culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the deal infeasible.”
And one small bonus nugget: if you thought your passwords were bad, turns out (https://www.theregister.co.uk/2020/03/05/cia_leak_trial/) the CIA’s password for its secret hacking tools is simply: 123ABCdef. Good to know. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** THIS WEEK’S CYBER CAT
Meet Goose, this week’s cybercat. According to his human, Goose is learning to code, but he’s struggling with his lack of opposable thumbs. Classic cat problem! A big thanks to Katherine Bingham for the submission. Please keep sending in your cybercats! You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). ~ ~
** SUGGESTION BOX
That’s all I have for you this week. Thanks for reading and subscribing. If you have any thoughts or feedback, please drop me a note in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Have a great week. See you Sunday.