this week in security — may 2 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 18
~ ~
** THIS WEEK, TL;DR
Hackers used ‘mind-blowing’ bug to sneak past macOS safeguards (https://www.wired.com/story/macos-malware-shlayer-gatekeeper-notarization/) Wired ($): A bug in macOS was misclassifying certain kinds of script-based applications, meaning they weren’t getting scanned by macOS’ built-in defenses. That meant it was possible to create a script-based app with malicious code, disguise it as a normal-looking PDF, and have it open with a double-click — no prompts — from the internet. Incredible work here by security researchers @cedowens (http://twitter.com/@cedowens), who discovered the flaw and wrote (https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508) about it, and @patrickwardle (https://twitter.com/patrickwardle), who figured out (https://objective-see.com/blog/blog_0x64.html#detections) why the bug exists. Worse, the Shlayer malware has been exploiting this flaw for months. Security firm Jamf confirmed it had detected a version of Shlayer using this technique earlier in the year. Apple has fixed the bug. More: Motherboard (https://www.vice.com/en/article/wx5855/massive-mac-apple-security-bug-malware-hack) | Forbes (https://www.forbes.com/sites/ewanspence/2021/04/26/apple-macbook-pro-imac-mac-secuity-flaw-exploit-app-macos-problem/?sh=43320b986bbd) | TechCrunch (https://techcrunch.com/2021/04/26/shlayer-mac-malware-macos-security/) | Jamf (https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/)
U.S. government probes VPN hack within federal agencies, races to find clues (https://www.reuters.com/technology/us-government-probes-vpn-hack-within-federal-agencies-races-find-clues-2021-04-29/) Reuters: Third time… unlucky. The federal government has been hacked again. This time it’s Pulse Secure to blame, the VPN product used across the government to let remote workers get access to their work networks. Reuters reports that more than a dozen agencies use Pulse Secure, and nation-backed hackers have been exploiting new zero-days in the VPN product. The U.S. government’s investigation into the Pulse Secure activity is still in its early stages, Reuters reports. Before this, the SolarWinds attack and the Exchange server breaches were numbers one and two, if you are keeping count. More: Wired ($) (https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/) | @bing_chris tweets (https://twitter.com/bing_chris/status/1387853020738768903?s=21)
Ransomware gang threatens to expose police informants (https://therecord.media/ransomware-gang-threatens-to-expose-police-informants-if-ransom-is-not-paid/) The Record: Washington DC’s police department, MPD, has been hit by a ransomware attack. The Babuk Locker ransomware group, which began operating earlier this year, has claimed responsibility, and is threatening to publish files stolen from the police department’s servers — including details of informants — if it doesn’t pay the ransom, which hasn’t yet been made public. (Makes you wonder why details of police informants were just sitting on a non-compartmented system, but I digress.) MPD confirmed it was “aware of unauthorized access” to its servers. More: CNN (https://www.cnn.com/2021/04/29/politics/dc-police-ransomware-attack-personnel-files/index.html) | Statescoop (https://statescoop.com/d-c-police-chief-confirms-personnel-files-stolen-in-ransomware-attack/)
An ambitious plan to tackle ransomware faces long odds (https://www.wired.com/story/ransomware-task-force-proposal/) Wired ($): The MPD attack lands in the same week as a task force proposal to counter the ongoing threat of ransomware. It’s an ambitious plan, sure, but it faces long odds, reports @lilyhnewman (https://twitter.com/lilyhnewman). Several big companies, including Amazon and Cisco — and the FBI — are proposing a public-private partnership to take out ransomware actors. But the DOJ already has a taskforce, and it’s not clear just how far — if at all — this new proposal will go. Nice idea, but “good luck,” as Newman writes. BBC News also did a good piece (https://www.bbc.com/news/technology-56933733) on the surge of ransomware ruining lives, and explains the international component of the spread of ransomware. More: BBC News (https://www.bbc.com/news/technology-56933733)
Med-Data exposed health data, leading to mass breach notifications (https://www.databreaches.net/good-luck-explaining-to-hhs-why-your-phi-is-in-githubs-vault-for-the-next-1000-years/) DataBreaches.net: Good luck explaining to U.S. Health and Human Services why your personal health data is in GitHub’s vault for the next millennium. Healthcare tech company Med-Data left personal health data exposed on GitHub for several weeks. A former employee was blamed for the exposure. The data was removed — but was it really? The data was also scooped up by GitHub’s Arctic Code Vault, which stores GitHub data on ice — almost literally — for safekeeping. The whole blog post is worth the read. Several hospitals and healthcare facilities have notified their patients of the Med-Data security lapse. More: Becker’s Hospital Review (https://www.beckershospitalreview.com/cybersecurity/university-health-phi-exposed-after-vendor-employee-downloads-data-posts-on-public-website.html)
Law enforcement delivers final blow to Emotet (https://www.cyberscoop.com/law-enforcement-emotet-botnet-ransomware/) Cyberscoop: Law enforcement has delivered a mass update to the Emotet botnet which they say (hopefully) will neuter it — effectively disinfecting the malware from victims’ devices. Emotet is a botnet that has hooks into millions of computers to spread spam and deliver ransomware. Last weekend, authorities sent a virtual antidote to infected devices to wipe Emotet from those machines. It’s a controversial (though not the first (https://twitter.com/KimZetter/status/1382143872550072321)) use of government powers — even if it worked on this occasion. @lazyactivist192 (https://twitter.com/lazyactivist192/status/1386170543234330626?s=20) called it a “huge win” for defenders. Malwarebytes has a good post (https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/) on how the antidote payload works. Also, the FBI gave a list of email addresses of victims it was struggling to contact to Have I Been Pwned (https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-have-i-been-pwned-courtesy-of-the-fbi-and-nhtcu/), so now people can search to see whether they are among the victims. Pretty cool use of the data breach notification site.
More: Bleeping Computer (https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/) | Malwarebytes (https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/) | @haveibeenpwned (https://twitter.com/haveibeenpwned/status/1386811581082652674?s=21) | @mbthreatintel (https://twitter.com/MBThreatIntel/status/1386413655659479043)
Experian API exposed credit scores of most Americans (https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/) Krebs on Security: Experian this week fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, according to @briankrebs (https://twitter.com/briankrebs). But the researcher who found the bug, @BillDemirkapi (https://twitter.com/BillDemirkapi/), said the bug may be present at “countless” other lending sites that work with credit bureaus. “Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the ‘date of birth’ field let him then pull a person’s credit score.” Yikes! Impressive find, if not terrifying. More: @briankrebs (https://twitter.com/briankrebs/status/1387510858146848768) | @doctorow (https://twitter.com/doctorow/status/1388170503421009921)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Apple’s App Tracking Transparency feature has arrived (https://techcrunch.com/2021/04/26/apples-app-tracking-transparency-feature-has-arrived-heres-what-you-need-to-know/) TechCrunch: Apple’s new iOS 14.5 software has arrived with a new app tracking transparency feature, which lets users opt-out of in-app tracking. “If you say no to tracking, the app will no longer be able to use Apple’s IDFA identifier to share data about your activity with data brokers and other third parties for ad-targeting purposes. It also means the app can no longer use other identifiers (like hashed email addresses) to track you, although it may be more challenging for Apple to actually enforce that part of the policy.”
App used by emergency services under scrutiny (https://www.bbc.com/news/technology-56901363) BBC News: @Cybergibbons (https://twitter.com/cybergibbons/status/1388844414450155521) has found issues with What3Words, a proprietary system that divides the world into three-by-three meter squares and labels each with a three-word phrase instead of latitude and longitude. (The idea is that it helps people in places where there are no roads or landmarks.) He explains more in a blog post (https://cybergibbons.com/security-2/why-what3words-is-not-suitable-for-safety-critical-applications/) describing why it’s not adequate for safety-critical purposes. Also this week, What3Words sent a legal threat (https://techcrunch.com/2021/04/30/what3words-legal-threat-whatfreewords/) (I also wrote this) to @AaronToponce (https://twitter.com/AaronToponce/status/1387933438305394690?s=20) for sharing an open-source alternative to What3Words with security researchers, which the company claims (but has not yet provided evidence for) violates its copyright.
The Intelligent Timing Lock is… barely intelligent, barely a lock (https://twitter.com/Foone/status/1388002537744175104) @Foone: Brilliant tweet thread on the Intelligent Timing Lock, a padlock that is easily bypassed by holding down two of the device’s buttons for ten seconds. Or, you can just hit it really hard on a flat surface and that’ll do the trick. Read the whole thread (https://twitter.com/Foone/status/1387999563382857729). You may die of laughter — fair warning.
Google promised its contact tracing app was completely private. It wasn’t (https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt) The Markup: Apple and Google’s contact tracing API was heralded as the most privacy-friendly system for monitoring the spread of COVID-19. Even California’s governor Gavin Newsom said the system was “100% private and secure.” (Narrator voice: it wasn’t.) The Android version of the contact tracing tool had a flaw that inadvertently logged Bluetooth identifiers, which were accessible to system-level applications. Worse, Google didn’t fix the bug when researchers (https://blog.appcensus.io/2021/04/27/why-google-should-stop-logging-contact-tracing-data/) contacted the company. Classic Big Tech response — only giving a hoot when a journalist reaches out.
Signal gets another subpoena for user data (https://signal.org/bigbrother/central-california-grand-jury/) Signal: End-to-end encrypted messaging app Signal received a subpoena for user data, including addresses, correspondences, and names of those communicating with each other. Problem is that Signal doesn’t store any data — except for Unix timestamps for when each account was created and the date that each account last connected to the Signal service. “That’s it,” the blog wrote, since the company can’t provide what it doesn’t have. Also, that’s precisely the same data Signal gave to prosecutors in 2016 when they came looking for data then. ~ ~
** OTHER NEWSY NUGGETS
Latest FISA court opinion reveals more domestic spying problems (https://www.justsecurity.org/75917/key-takeaways-from-latest-fisa-court-opinion-on-section-702-and-fbi-warrantless-queries/) A new declassified FISA court opinion came out this week, detailing new problems with how the FBI seeks authority to spy on Americans. The tl;dr version is that the FBI and/or NSA are “flagrantly violating Americans’ privacy in myriad ways, and there are essentially no consequences.” Sounds about right. @jakelaperruque (https://twitter.com/jakelaperruque) explains more in a blog post (https://www.justsecurity.org/75917/key-takeaways-from-latest-fisa-court-opinion-on-section-702-and-fbi-warrantless-queries/) and @trevortimm (https://twitter.com/trevortimm/status/1386811971937374208?s=21) has a good tweet thread explaining the basics.
The IRS wants help hacking cryptocurrency hardware wallets (https://www.vice.com/en/article/k78a53/the-irs-wants-help-hacking-cryptocurrency-hardware-wallets) There is about $100 billion worth of cryptocurrency in locked hardware wallets, and now the IRS wants help to break into them. That shouldn’t be too difficult — in theory — since many crypto wallets are hard drives with good encryption but dodgy implementations, making exploitation not difficult. Or, as @ncweaver (https://twitter.com/ncweaver) suggests, a simpler approach may be, “Either give us the password or rot in jail for contempt.”
DigitalOcean had a data breach involving customer billing data (https://techcrunch.com/2021/04/28/digitalocean-customer-billing-data-breach/) DigitalOcean emailed customers confirming a data breach between April 9 and April 22 involving customer billing data: “billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank.” DigitalOcean hasn’t disclosed the breach publicly, and it’s not clear which authorities the company has informed. (Disclosure: I wrote this story, too.) ~ ~
** THE HAPPY CORNER
This week, @lorenzoFB (https://twitter.com/lorenzofb) wrote about a security researcher who donated part of a bug bounty to a couple to cover the costs of their daughter’s upcoming heart surgery. @samwcyo (https://twitter.com/samwcyo) found a bug in a large cryptocurrency project, reported it, got a $50,000 bug bounty, and donated a portion to tip the couple’s GoFundMe page over the $25,000 needed for the surgery. It’s such a lovely thing to have done — and yet, distressing and depressing that the U.S. healthcare system is so bad that it’s necessary to set up a GoFundMe page to begin with.
And, @yaelwrites (https://twitter.com/yaelwrites/status/1388677797107814401?s=21) gives really good advice. Read this thread and learn something (or five things) new. I certainly did. https://twitter.com/yaelwrites/status/1388367538422108165 If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Fitz. When he’s not his human’s typing assistant, Fitz can be found snoozing on his human’s laptop — keeping it safe from the Red Team. You’re a very good boy, Fitz. A big thanks to @dr0037 (https://twitter.com/dr0037) for the submission! Please keep sending in your cyber cats (and their friends)! You can drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) , and feel free to send updates on previously-submitted friends! ~ ~
** SUGGESTION BOX
And that’s all for this week — cheers for reading! As always, the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open for feedback. I may be off next week, so probably no newsletter. See you in a couple of weeks!
~this week in security~ does not track email opens or link clicks.