this week in security — may 12 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 18.
** THIS WEEK, TL;DR
Hacker Used Leaked NSA Tools A Year Before Shadow Brokers Leak (https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit) Symantec: Looks like a hacking group, believed to be Chinese spies according to the Times ($) (https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html) , obtained a stolen batch of NSA tools about 14 months before they were published online by the Shadow Brokers. The tools, specifically Windows-busting DoublePulsar, were used in the WannaCry ransomware attack in 2017 and NotPetya some months later. Symantec's research is solid — some of the other reporting was wonky — but Ars Technica's @dangoodin001 (https://twitter.com/dangoodin001) explains it the best (https://arstechnica.com/information-technology/2019/05/stolen-nsa-hacking-tools-were-used-in-the-wild-14-months-before-shadow-brokers-leak/) in my view. In short, Symantec hypothesizes that the hackers reverse-engineered the tools once they were used against their systems. More: Ars Technica (https://arstechnica.com/information-technology/2019/05/stolen-nsa-hacking-tools-were-used-in-the-wild-14-months-before-shadow-brokers-leak/) | Wired ($) (https://www.wired.com/story/nsa-zero-day-symantec-buckeye-china/)
Israel Bombing ‘Cyber Operatives’ Isn’t Cyber War, It’s Just War (https://www.vice.com/en_us/article/gy4vn3/israel-bombing-cyber-operatives-gaza-palestine) Motherboard: You might've heard about the recent uptick in violence in Israel and Gaza. Israeli forces this week bombed a building believed to be housing Hamas hackers (https://www.zdnet.com/article/in-a-first-israel-responds-to-hamas-hackers-with-an-air-strike/) . Israel's IDF said its air strike was in response (https://twitter.com/IDF/status/1125066395010699264) to a recent cyberattack. Some said it set a precedent — others said it wasn't. In any case, Motherboard dug into the analysis more. In short, it's not necessarily a game-changing situation but where lines are blurred between "cyber" and the real world, in the end it's just war. More: ZDNet (https://www.zdnet.com/article/in-a-first-israel-responds-to-hamas-hackers-with-an-air-strike/) | @IDF (https://twitter.com/IDF/status/1125066395010699264) | @mikko (https://twitter.com/mikko/status/1125295031454191616)
DOJ Indicts Deep Dot Web Admins With Money Laundering (https://techcrunch.com/2019/05/08/doj-deep-dot-web-indictment/) TechCrunch: News broke Tuesday that police arrested (https://techcrunch.com/2019/05/07/deep-dot-web-arrests/) the admins of Deep Dot Web, a website dedicated to covering the dark web and its marketplaces. Then, Wednesday, the indictment (https://www.documentcloud.org/documents/5993699-Deep-Dot-Web-Indictment.html) was unsealed. It turns out the site owners were getting referral revenue (https://techcrunch.com/2019/05/08/doj-deep-dot-web-indictment/) from each dark web marketplace sale they referred. That amounted to $15 million worth of kickbacks in the end — making money off drugs, weapons and stolen data. Ouch. (Disclosure: I wrote these stories.) You should also read Forbes, which dug in (https://www.forbes.com/sites/thomasbrewster/2019/05/09/coffee-poker-and-weed-entrepreneurs--meet-the-israelis-accused-of-being-15m-dark-web-drug-shills/#12dc81666e0a) to the lives of the alleged hackers. More: Justice Dept. (https://www.justice.gov/opa/pr/administrators-deepdotweb-indicted-money-laundering-conspiracy-relating-kickbacks-sales) | Indictment (https://www.documentcloud.org/documents/5993699-Deep-Dot-Web-Indictment.html) | Forbes (https://www.forbes.com/sites/thomasbrewster/2019/05/09/coffee-poker-and-weed-entrepreneurs--meet-the-israelis-accused-of-being-15m-dark-web-drug-shills/#12dc81666e0a)
Top U.S. Election Security Official Leaves Government (https://www.cyberscoop.com/election-assistance-commission-loses-key-tech-expert-ahead-2020/) Cyberscoop: With a year and a half before the biggest presidential election since... well, the last one, the top official responsible for certifying voting systems has stepped down. Ryan Macias left the government at a time the Election Assistance Commission was mulling an important update to voting system security guidelines. Don't forget, many districts and states use electronic-only voting machines, which critics say can be easily hacked (https://www.theguardian.com/us-news/2019/apr/22/us-voting-machine-private-companies-voter-registration) . More: @gregotto tweet thread (https://twitter.com/gregotto/status/1125932656728920066?s=21)
Ever Users Had Their Photos Used For Facial Recognition Without Consent (https://www.nbcnews.com/tech/security/millions-people-uploaded-photos-ever-app-then-company-used-them-n1003371) NBC News: From the investigations desk run by @oliviasolon (https://twitter.com/oliviasolon) and co-bylined with @cfarivar (https://twitter.com/cfarivar/) : the photo storage app Ever was secretly using uploaded photos to train the company's facial recognition system, which it sold to private firms, law enforcement, and the military. Wow. The ACLU called it an "egregious violation of people’s privacy." The app only mentioned its side project in its privacy policy after NBC News reached out to the company. It's not the first time the company has screwed up over its app — it landed itself with an Apple ban (https://techcrunch.com/2016/11/01/photo-app-ever-removed-its-spammy-sms-feature-after-apple-banned-it/) and a couple of lawsuits in the app's recent history. More: @oliviasolon tweet thread (https://twitter.com/oliviasolon/status/1126490212849278976)
Mozilla Deep-Dives On Its Firefox Add-Ons Outage Last Week (https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/) Mozilla: Last week, Firefox add-ons ground to a halt after an intermediate certificate expired by mistake. Because of that, all add-ons became "unverifiable" and wouldn't be loaded by Firefox, wrote Mozilla's Eric Rescorla. That's when disaster management kicked in. This was a great read — and well done Mozilla for the transparency — about how a simple expired certificate can bring down one of the world's most popular browsers. Better yet, you see just how a massive mistake can be rectified so quickly. More: ZDNet (https://www.zdnet.com/article/firefox-add-ons-disabled-en-masse-after-mozilla-certificate-issue/)
U.S. Prosecutors Indict Hacker Responsible For 2015 Anthem Hack (https://www.justice.gov/opa/pr/member-sophisticated-china-based-hacking-group-indicted-series-computer-intrusions-including) Justice Department: Another day, another U.S. indictment. This time, prosecutors say they have the Anthem hacker. More than 78 million health, medical and personal records were stolen in the hack of the health insurance giant, which was revealed in 2015. The DOJ says two Chinese nationals — Fujie Wang and an unnamed John Doe — were charged with the hack. The FBI said the hackers broke into Anthem's network in February 2014 and spent months waiting for the right time to pull the records. More: TechCrunch (https://techcrunch.com/2019/05/09/anthem-breach-indictment/) | Indictment (https://www.documentcloud.org/documents/5995386-Anthem-Indictment.html)
Baltimore Government Networks Hit By RobbinHood Ransomware (https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/) Ars Technica: Solid reporting by Baltimore native @thepacketrat (https://twitter.com/thepacketrat) . Most of the city's networks are down following a ransomware attack. Email is down, along with most of the government's departments — but police, fire and emergency are unaffected. The Baltimore Sun has a rolling list of affected departments (https://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-ci-city-agencies-ransomware-20190509-story.html) . It's the second ransomware infection in as many years. This strain, however, seems to be a new variant, Ars reports. More: Baltimore Sun (https://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-ci-city-agencies-ransomware-20190509-story.html) | StateScoop (https://statescoop.com/robinhood-ransomware-knocks-out-city-services-in-baltimore/) | Bleeping Computer (https://www.bleepingcomputer.com/news/security/robbinhood-ransomware-claims-its-protecting-your-privacy/)
** THE STUFF YOU MIGHT'VE MISSED
Over 10,000 GPS trackers vulnerable to simple SMS bug (https://fidusinfosec.com/exploiting-10000-devices-used-by-britains-most-vulnerable/) Fidus: I covered this research on TechCrunch this week but you should read the full report (https://fidusinfosec.com/exploiting-10000-devices-used-by-britains-most-vulnerable/) . A popular kid tracker and elderly patient monitor has a bug that allows its location to be tracked and its microphone to be activated or disabled — all by sending an SMS text message to the device's phone number. Given most authorities buy these devices in bulk, their phone numbers are sequential, making it easy to find other devices in the sequence.
Meet Evil Clippy: a free red-team tool (https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/) Outflank: Evil Clippy, a twist on the old Microsoft Office assistant, helps red-teamers and pentesters make malicious Office documents that can hide Visual Basic macros and obfuscate code against popular tools. It's available for Windows, macOS and Linux. Its releases are here (https://github.com/outflanknl/EvilClippy/releases) and the GitHub readme is here (https://github.com/outflanknl/EvilClippy/blob/master/README.md) . It was released in March after Outflank's Black Hat Asia talk. @StanHacked (https://twitter.com/StanHacked/status/1124961184749379584) announced the release this week.
Lawyer gets caught up in Canadian border device search (https://www.cbc.ca/news/business/cbsa-boarder-security-search-phone-travellers-openmedia-1.5119017?__vfz=medium%3Dsharebar) CBC: Canadians are nice — until you cross a Canadian bordie. (I think that's what border officials are called.) Anyway, a bordie took a lawyer's phone and devices without a warrant for not sharing his passwords, saying devices contained confidential information protected by attorney-client privilege. Sure, it's their right but it's also his right to call foul. It follows a similar case of 10 U.S. citizens getting the same treatment (https://www.aclu.org/blog/privacy-technology/privacy-borders-and-checkpoints/we-got-us-border-officials-testify-under) when they entered the U.S.
Experts call bullshit on Russian claims that crypto flaw was a coincidence (https://www.vice.com/en_us/article/43j3wm/experts-doubt-russian-encryption-standard-cryptography-backdoor-streebog-kuznyechik) Motherboard: A potentially flawed new encryption algorithm developed by the Russians came under fire despite the country's claims that what everyone else said was a backdoor wasn't actually a backdoor — it was merely a coincidence. It's only a year after the U.S. National Security Agency tried to get its own flawed cryptographic standard (https://www.theregister.co.uk/2018/04/25/nsa_iot_encryption/) through the door. "We cryptographers are a paranoid bunch," said Dr. Tomer Ashur, who represented the Belgian delegation.
Hacker stole $2.4 million in cryptocurrency SIM swapping spree (https://www.cyberscoop.com/hackers-allegedly-stole-2-4-million-cryptocurrency-six-month-sim-hijacking-spree/) Cyberscoop: Members of the so-called "Community" bribed customer support staff at some of the major phone providers in order to SIM swap vulnerable phones used as two-factor devices. In hijacking their phone numbers, they could steal their two-factor codes to break into cryptocurrency wallets and steal funds. Three of those charged work for the phone companies, who allegedly got a cut of the rewards — $2.4 million in total over a six-month stealing spree.
** OTHER NEWSY NUGGETS
Meet the 'loopers': Diabetes patients hacking their own insulin pumps (https://www.theatlantic.com/science/archive/2019/04/looping-created-insulin-pump-underground-market/588091/) Diabetes patients are trying to buy old insulin pumps with security flaws — because they say they can "loop," a way of micromanaging their glucose levels. When done properly, it's safe and helps people lead more normal lives without being told to wake up at 3am to eat a Snickers bar. But getting your hands on an old device is difficult. There is, of course, a security risk. "There’s a tiny, theoretical risk that someone who knows his pump’s serial number and gets physically close can take over." Reminds me of that story (https://www.vice.com/amp/en_us/article/xwjd4w/im-possibly-alive-because-it-exists-why-sleep-apnea-patients-rely-on-a-cpap-machine-hacker) of how an Australian hacker hacked his DRM-rigged CPAP machine.
Wolters Kluwer in a "quiet panic" over ransomware attack (https://www.cnbc.com/2019/05/08/wolters-kluwer-accounting-giant-hit-by-malware-causing-quiet-panic.html?__source=sharebar%7Ctwitter&par=sharebar) U.S. accounting giant Wolters Kluwer got hit by a ransomware attack. That's a problem because it serves a good slice of the Fortune 500. It's said to be a possible MegaCortex infection (https://www.bankinfosecurity.com/malware-knocks-out-accounting-software-giant-wolters-kluwer-a-12462) . It follows Aebi Schmidt (https://techcrunch.com/2019/04/23/aebi-schmidt-ransomware/) , Arizona Beverages (https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/) and Norsk Hydro (https://www.zdnet.com/article/norsk-hydro-ransomware-incident-losses-reach-40-million-after-one-week/) , which have all fallen foul of ransomware in recent weeks.
U.S. cell giants hit by class action over location data selling (https://www.vice.com/en_us/article/3k3dv3/verizon-tmobile-sprint-att-class-action-lawsuit-selling-phone-location-data) Remember how the big four U.S. cell giants were selling our location data to bounty hunters (https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile) and the like? Looks like they're getting sued by a class action. The complaints are largely the same — accusing the companies of providing data to companies that allowed police and prison staff to warrantlessly monitor millions of cell phones. Meanwhile, the FCC has done diddly-squat (https://www.techdirt.com/articles/20190502/11255842131/fcc-hasnt-done-damn-thing-to-seriously-police-wireless-location-data-scandals.shtml) to fix the problem, despite calls (https://twitter.com/JRosenworcel/status/1123689972488441858) from one of the commissioners themselves.
WordPress finally gets some decent security updates (https://www.zdnet.com/article/wordpress-finally-gets-the-security-features-a-third-of-the-internet-deserves/) The CMS giant released WordPress 5.2, which includes a bevy of security updates — including cryptographically signed updates, a site health backend dashboard, and a backend protection system against white-screens-of-death (PHP errors). More than a third of all websites run WordPress.
SQLite flaws could lead to remote code execution — so the theory goes (https://www.theregister.co.uk/2019/05/10/sqlite_rce_vuln/) Cisco Talos researchers found a bug (https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777) that affects (theoretically) every mobile app that relies on SQLite. An update is already available (https://www.sqlite.org/src/info/884b4b7e502b4e99) . In a tweet, @kennwhite (https://twitter.com/kennwhite/status/1127362974950277120) said if an attacker can execute arbitrary SQL, they can run arbitrary shell commands. Patch yo' apps.
** THE HAPPY CORNER
Finally, some good news.
@campuscodi (https://twitter.com/campuscodi/status/1123569745779986433) flagged a Slack channel run by @GelosSnake (https://twitter.com/GelosSnake) for reporters to ask questions and verify findings with an expert. Malware researchers can sign up too, but it's definitely helpful for the reporters who read this newsletter. You can sign up here (https://docs.google.com/forms/d/1iYRDUK1QpFsj9NeAV8SYAFduhNpdw3cjVnVSQInMPgU/viewform?edit_requested=true) .
And, remember earlier how Firefox borked up? The quick and easy fix was to turn telemetry on. Mozilla said in a follow-up tweet (https://twitter.com/firefox/status/1126593558490693632?s=21) that it will delete "all data collected" since the add-ons failure "to respect your choice as much as possible." If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) .
** THIS WEEK'S CYBER CAT
This week's cybercat is Filo, who hails from Rio de Janeiro but travels a lot with her mom. She's a huge fan of hacker cons, though she doesn't get to go very often. (You may need to enable images in this email.) Send in your cybercats! Drop me a note: submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) .
** SUGGESTION BOX
That's all for now. The anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open if you have any... suggestions. Take care, be happy, and have a good week.