this week in security — may 23 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 20
~ ~
** THIS WEEK, TL;DR
Irish health system struggling to recover from ransomware attack (https://apnews.com/article/europe-asia-health-technology-business-2cfbc82beb75dfede32fc225113131b3) Associated Press: Tough week for the Irish health authorities (HSE) as they continue to recover from a ransomware attack. It could be weeks before the public health service returns to normal, the AP reports. The Conti ransomware group is to blame, demanding $20 million in ransom under threat of publishing private medical data online. Meanwhile the HSE obtained an injunction barring anyone from handling the stolen data. As much as that court action stops anyone in Ireland from receiving or handling the data, it also effectively puts restrictions on press freedoms (https://twitter.com/tjmcintyre/status/1395700637111832577) . The FBI only began warning this week (https://twitter.com/kevincollier/status/1395783498829635590?s=20) that Conti was targeting healthcare facilities. Late in the week, the Conti group showed some mercy and provided the decryptor tool for free; the Irish government said it had not paid the ransom. More: BBC News (https://www.bbc.com/news/world-europe-57197688) | Irish Times (https://www.irishtimes.com/news/crime-and-law/courts/high-court/hse-hack-clinical-diagnostic-and-payroll-data-all-potentially-compromised-1.4570810) | @PogoWasRight (https://twitter.com/PogoWasRight/status/1395745332273758214) | @tjmcintyre (https://twitter.com/tjmcintyre/status/1395700637111832577)
AXA hit by ransomware after announcing it would stop covering extortion fees (https://www.bbc.com/news/world-europe-57197688) Cyberscoop: It’s also been a bad week for cyber insurers. First, AXA’s operations in Asia were hit by ransomware just days after the French insurer said it would no longer reimburse extortion payments. Hard to see how this doesn’t send a message, but Cyberscoop reported there was “no connection” between the move to deny ransom payouts to its customers and the attack on its own network. Meanwhile, @Bloomberg ($) (https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack) reported that another insurance giant, CNA, paid $40 million in extortion fees after its March cyberattack. Ransomware expert @BrettCallow (https://twitter.com/BrettCallow/status/1395477572243255296) said it “may be the biggest paid demand to date” that’s publicly known. More: The Verge (https://www.theverge.com/2021/5/20/22446388/cna-insurance-ransomware-attack-40-million-dollar-ransom)
Censorship, surveillance and profits: A hard bargain for Apple in China (https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html) The New York Times ($): Very deep reporting on how Apple complied with a Chinese cybersecurity law that requires Chinese users’ data to be stored in the country. Apple said it had “never compromised the security” of its customers, including its Chinese users, but the report details how Apple moved its Chinese users’ iCloud encryption keys to China months after the law went into effect in 2017. It’s a good read on how China can get access to its citizens’ data, but also how the country has used the move to push for greater censorship. @matthew_d_green (https://twitter.com/matthew_d_green/status/1394389869540089856) has a very good tweet thread on this, too. More: BBC News (https://www.bbc.com/news/technology-57186275) | @doctorow tweets (https://twitter.com/doctorow/status/1394706787828305921)
Mandatory opt-out and data breach notification part of new privacy bill (https://www.theverge.com/2021/5/20/22444515/amy-klobuchar-data-privacy-protection-facebook-state-laws) The Verge: Sen. Amy Klobuchar has a new bill designed to protect people’s data collected by the big tech companies, like Google, Facebook, and Twitter. The bill would require companies to rewrite their terms of service so they’re simple and readable, to let users opt out of tracking, and to notify users of a data breach within 72 hours of it happening, a provision similar to the one in Europe’s GDPR rules. The bill was first introduced after the Cambridge Analytica scandal, but stalled thanks to opposition at the time. More: Ars Technica (https://arstechnica.com/tech-policy/2021/05/privacy-bill-would-force-big-tech-to-offer-tracking-opt-out-breach-notices/) | Sen. Amy Klobuchar (https://www.klobuchar.senate.gov/public/index.cfm/2019/11/klobuchar-senate-democrats-unveil-strong-online-privacy-rights)
Inside the post office’s covert internet operations program (https://news.yahoo.com/facial-recognition-fake-identities-and-digital-surveillance-tools-inside-the-post-offices-covert-internet-operations-program-214234762.html) Yahoo News: The Post Office’s Inspection Service, the enforcement arm for the Post Office, is using Clearview AI’s facial recognition database to “to help identify unknown targets in an investigation or locate additional social media accounts for known individuals,” per Yahoo News. It’s one of several tools used by the Inspection Service, which has been under fire since earlier reporting by @janawinter (https://twitter.com/janawinter) showed it was surveilling Americans’ social media posts. This is a wild read about iCOP, the program used by the service, which “found no credible threats, but compiled what it described as ‘inflammatory’ posts.” More: @hypervisible (https://twitter.com/hypervisible/status/1394875918443851776) | @RachelBLevinson (https://twitter.com/RachelBLevinson/status/1395017713500803072)
Air India says February’s data breach affected 4.5 million passengers (https://www.reuters.com/world/india/air-india-says-februarys-data-breach-affected-45-mln-passengers-2021-05-21/) Reuters: Air India said it was caught up in the February data breach at SITA (https://techcrunch.com/2021/03/04/sita-airline-passenger-breach/) , the passenger data provider that serves the Star Alliance of airlines, including Singapore Airlines and Lufthansa. Some 4.5 million Air India customers were affected. The breach involved personal data, like contact details, passport and credit card details, and ticket information, spanning August 2011 to February 2021. (Yes, you read that right. That’s a decade’s worth of data.) Background: TechCrunch (https://techcrunch.com/2021/03/04/sita-airline-passenger-breach/)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
SolarWinds saw signs of hackers invading its network in January 2019 (https://www.cyberscoop.com/solarwinds-ceo-reveals-much-earlier-hack-timeline-regrets-company-blaming-intern/) Cyberscoop: SolarWinds’ CEO Sudhakar Ramakrishna said at the RSA Conference this year that the company found evidence of attacker reconnaissance on its network as early as January 2019, months before the September/October 2019 window it had previously given for the first suspicious activity that led to its massive supply chain attack. Well over a year after the intrusion began, details are still emerging. Ramakrishna also apologized for blaming an intern for using a weak password, which many assumed was tied to the incident (it turns out it wasn’t).
Only one NYC mayor candidate is promising to ban facial recognition (https://www.vice.com/en/article/5dbg4q/only-one-nyc-mayor-candidate-is-promising-to-ban-facial-recognition) Motherboard: More and more cities are banning facial recognition, from Portland, Oregon, to Oakland, San Francisco and Boston. But New York has fallen behind. With a new mayor set to be elected later this year, it turns out just one of the candidates would ban facial recognition across the city.
https://twitter.com/Dianne4NYC/status/1385379329555718145
Cyber insurance premiums rise as ransomware, hacks continue, GAO finds (https://www.cyberscoop.com/cyber-insurance-ransom-hack-payments-gao/) Cyberscoop: Back to ransomware for a minute. Turns out that the growing number of cybersecurity incidents is causing many insurers to raise their rates. That’s according to the Government Accountability Office, the government’s watchdog, which found premiums went up by between 10% and 30% in late 2020. In the end, it’s the smaller businesses that suffer the most. “Small businesses may purchase cyber insurance less often if they perceive their risks to be minimal or policies too costly,” per the GAO’s report (https://www.gao.gov/products/gao-21-477) .
White House to nominate national security veteran for DOJ post (https://www.wsj.com/articles/white-house-to-nominate-national-security-veteran-for-doj-post-11621284598) Wall Street Journal ($): Matt Olsen, the Uber executive who took over from former chief security officer Joe Sullivan after he was charged with concealing a massive hack of 57 million drivers and passengers, is going back to public service. Olsen has been nominated to head up the Justice Department’s National Security Division, which would see him oversee national security cases, including terrorism and counterintelligence threats. Oh, and cyber, which is to be expected. ~ ~
** OTHER NEWSY NUGGETS
Amazon gave the FBI the shopping list of an anti-fascist activist (https://www.forbes.com/sites/thomasbrewster/2021/05/17/amazon-gave-the-fbi-the-shopping-history-of-an-alleged-antifa-activist/) @iblametom (https://twitter.com/iblametom) with the scoop: Amazon gave the shopping list of an antifa activist to the feds in 2019, but the court case was recently unsealed — though no charges have been brought. “After getting her Facebook data, they discovered messages from earlier in 2017 referencing unspecified online orders. So they went to Amazon and asked for records associated with her Gmail account.” It’s a rare look at what Amazon turns over, despite what the company releases in terms of numbers in its incredibly vague and obfuscative biannual transparency report.
Google Threat Analysis Group lead explains “in the wild” exploitation (https://twitter.com/ShaneHuntley/status/1395121169288753153) There’s been, understandably, a lot of confusion about how and when companies like Google and (especially) Apple reveal details of bugs that are considered to be exploited “in the wild.” Apple rarely says so at all and gives very little information when it does, and Google has caused confusion itself by often not explaining precisely what it means. @ShaneHuntley (https://twitter.com/ShaneHuntley/status/1395121169288753153) explained more in a tweet thread this week in response to @dangoodin001 (https://twitter.com/dangoodin001/status/1395050319961227269) , which is worth the read.
Stalkers using surveillance software on partners are exposing their own data (https://www.cyberscoop.com/stalkerware-app-spying-abuse-eset/) ESET researchers say (https://www.welivesecurity.com/2021/05/17/android-stalkerware-threatens-victims-further-exposes-snoopers-themselves/) a number of stalkerware apps that domestic abusers use to spy on their partners without consent are full of bugs and security issues that further expose their victims, and in some cases the snoopers themselves, including by allowing outsiders to “intercept text messages, call logs, contact lists, keystrokes, browsing histories, recorded phone calls, pictures and screenshots.” It’s a similar situation to when KidsGuard exposed (https://techcrunch.com/2020/02/20/kidsguard-spyware-app-phones/) its stalkerware victims, and other stalkerware apps, like mSpy, Mobistealth and Flexispy, have had similar security issues. A world without stalkerware is a better world for all.
So long (and good riddance) Internet Explorer (https://www.wired.com/story/internet-explorer-browser-dead/) Internet Explorer is on its way out, finally, after more than 25 years in service… and 25 years of security bugs. @lilyhnewman (https://twitter.com/lilyhnewman) wrote its swan song and why it won’t be missed. Plus, it still has a year (https://www.wired.com/story/internet-explorer-browser-dead/) to cause its remaining users security headaches. ~ ~
** THE HAPPY CORNER
Alright, onto the good stuff. @thepacketrat (https://twitter.com/thepacketrat/status/1394693345994330116?s=21) offers us a look at how a threat researcher works at home. Also, @TonyaJoRiley (https://twitter.com/TonyaJoRiley/status/1395026167908945924) has bonus pet content in her tweets this week, as she departs (https://twitter.com/TonyaJoRiley/status/1395412047576371203) Washington Post for Cyberscoop. This thread is well worth the time. (Also below is my personal favorite from the thread, thanks @nohackme (https://twitter.com/nohackme/status/1395066387756986370) .) If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** CYBER CATS & FRIENDS
Meet Copper, who features this week, seen here wanting to jump up and help with his human’s homework. What a good boy. A big thank you to Ben T. for the submission! Keep sending in your cyber cats (and their friends). You can always drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s all for now. Hope you enjoyed this week’s newsletter. As always, the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open for feedback. See you next week!
============================================================
~this week in security~ does not track email opens or link clicks.