this week in security — may 24 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 21
~ ~
** THIS WEEK, TL;DR
U.S. officials say they’ve cracked Pensacola shooter’s iPhones, blast Apple (https://www.cyberscoop.com/fbi-pensacola-terrorism-iphone-encryption/) Cyberscoop: The FBI said this week it successfully broke into the iPhones belonging to the terrorist who shot up a naval base in Pensacola, Florida, killing three sailors. But the feds also slammed Apple, claiming they had “effectively no help” from the company, a claim Apple strenuously denied (https://twitter.com/zackwhittaker/status/1262466741545861122). If you thought the case sounded familiar, we were here four years ago (https://twitter.com/dnvolz/status/1262382648900673536), in a legal case that came close to setting, but ultimately failed to set, a precedent on whether the government can compel a company to backdoor its own products. In reality, the DOJ is angry that its staff can get into iPhones without Apple, when what it really wants is an excuse (https://techcrunch.com/2020/05/22/the-fbi-is-mad-because-it-keeps-getting-into-locked-iphones-without-apples-help/) to take Apple back to court. The ACLU summed it up in a sentence (https://www.politico.com/newsletters/morning-cybersecurity/2020/05/19/pensacola-case-breakthrough-renews-encryption-battle-787730): “The boy who cried wolf has nothing on the agency that cried encryption.” More: TechCrunch (https://techcrunch.com/2020/05/22/the-fbi-is-mad-because-it-keeps-getting-into-locked-iphones-without-apples-help/) | Politico (https://www.politico.com/newsletters/morning-cybersecurity/2020/05/19/pensacola-case-breakthrough-renews-encryption-battle-787730) | @dnvolz (https://twitter.com/dnvolz/status/1262382648900673536) | @zackwhittaker (https://twitter.com/zackwhittaker/status/1262466741545861122)
ShinyHunters is a hacking group on a data breach spree (https://www.wired.com/story/shinyhunters-hacking-group-data-breach-spree/) Wired ($): A new hacking group is on a selling spree. In the first two weeks of May alone, the group known as ShinyHunters has posted 200 million records from at least 13 companies on the dark web, including Home Chef (https://techcrunch.com/2020/05/20/home-chef-data-breach/) and allegedly other companies like Zoosk. It’s the same group that allegedly stole 500GB of Microsoft source code (https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/) from a private GitHub account. The group is following in the footsteps of a similar hacking group, known as GnosticPlayers, which stole data on dozens of companies last year. More: ZDNet (https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/) | @lilyhnewman (https://twitter.com/lilyhnewman/status/1263527960281300994)
iPhone spyware lets police log suspects’ passcodes when cracking doesn’t work (https://www.nbcnews.com/tech/security/iphone-spyware-lets-cops-log-suspects-passcodes-when-cracking-doesn-n1209296) NBC News: New details have emerged on how Grayshift, a company that sells iPhone hacking technology to law enforcement, breaks into devices when it doesn’t have the user’s passcode. NBC says when Grayshift’s technology, known as GrayKey, can’t unlock an iPhone, there’s another option: a spyware app called Hide UI, which can capture a user’s device unlock passcode when it’s typed in. But cops said the passcode app is buggy and doesn’t always work. More: TechDirt (https://www.techdirt.com/articles/20200519/17203344533/same-day-fbi-claimed-no-vendor-could-crack-iphones-another-way-to-crack-iphones-made-news.shtml) | @oliviasolon tweets (https://twitter.com/oliviasolon/status/1262467825966481414) | @josephfcox (https://twitter.com/josephfcox/status/1262480092174757888) | @jsrailton (https://twitter.com/jsrailton/status/1262506396828020736)
Bluetooth flaw exposes countless devices to BIAS attacks (https://francozappa.github.io/project/bias/) Project BIAS: BIAS, or Bluetooth Impersonation Attacks, is the name for a new set of flaws in the Bluetooth standard that can allow an attacker to bypass Bluetooth’s authentication procedures that take place when a Bluetooth device starts a connection. An attacker can then impersonate a device and take control of, or siphon off, data from another device. A number of devices are vulnerable, including Apple MacBooks, iPhones, iPads, and a number of Lenovo and HP laptops. More: ESET (https://www.welivesecurity.com/2020/05/19/bluetooth-flaw-exposes-countless-devices-bias-attacks/) | @lukOlejnik (https://twitter.com/lukOlejnik/status/1262741747811053571)
There’s a jailbreak out for the current version of iOS (https://www.wired.com/story/apple-ios-unc0ver-jailbreak/) Wired ($): Apple’s cat and mouse game with jailbreakers just reached a new level. A new unc0ver jailbreak tool (https://twitter.com/Pwn20wnd/status/1264315776338554880) works on all versions of iOS 11 through to 13.5, the current release, and on all iPhones dating back to the iPhone 5S. The jailbreak uses a zero-day bug that has not yet been made public — or patched by Apple. Jailbreaks are used to break through Apple’s walled garden, which prohibits third-party apps and customizations and which Apple says helps keep iPhones and iPads (relatively) secure. But security experts have long recommended against jailbreaking, as it exposes devices to a larger attack surface. More: Motherboard (https://www.vice.com/en_us/article/dyz8nw/iphone-ios-ios13-jailbreak-uncover-unc0ver) | @pwn20wnd (https://twitter.com/Pwn20wnd/status/1264315776338554880)
NSO Group impersonated Facebook to help clients hack targets (https://www.vice.com/en_us/article/qj4p3w/nso-group-hack-fake-facebook-domain) Motherboard: @josephfcox (https://twitter.com/josephfcox) found further evidence that Israeli spyware maker NSO Group ran hacking infrastructure in the U.S. — a claim it’s long denied. This time the server was allegedly used to impersonate Facebook’s security team. NSO did this, per the Motherboard report, to help its clients entice targets to click on links that quietly install NSO’s spyware, dubbed Pegasus. Facebook said it later “gained ownership” of the domain to prevent misuse. These new findings are not likely to help NSO’s case. NSO is embroiled in a lawsuit with Facebook-owned WhatsApp, which sued the spyware maker for using a WhatsApp flaw to deliver Pegasus to a target’s phone. More: @josephfcox (https://twitter.com/josephfcox/status/1263121862344626179)
Struggle of unemployment claimants compounded by data breach (https://www.nbcnews.com/tech/security/four-states-warn-unemployment-benefits-applicants-about-data-leaks-n1212431) NBC News: At least four states, including Ohio and Illinois, are warning residents who have applied for unemployment benefits online that their personal data may have leaked. The breaches stem from two incidents, which have exposed tens of thousands of residents to identity theft. One of the incidents was traced back to a single vendor, consulting giant Deloitte, tasked with building the unemployment sites. The states said a bug let some claimants access others’ personal data. More: ABC News (https://abcnews.go.com/US/struggle-unemployment-claimants-compounded-data-breach/story?id=70795947) | @kevincollier (https://twitter.com/kevincollier/status/1263599146562392064)
~ ~
** SUPPORT THIS NEWSLETTER
Thanks to everyone who reads and subscribes to this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for perks (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps to keep the newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here.
~ ~
** THE STUFF YOU MIGHT’VE MISSED
The lack of women in cybersecurity leaves the online world at greater risk (https://theconversation.com/the-lack-of-women-in-cybersecurity-leaves-the-online-world-at-greater-risk-136654) The Conversation: Women are highly underrepresented in cybersecurity — but new data shows just how bad the gender disparity is. Women make up just 14% of the cybersecurity workforce, compared to about half of the general workforce. Worse, just 1% of women in cybersecurity are in senior management positions. The professor who wrote this piece said this isn’t just an employment issue but a major problem in how cybersecurity is represented — and dealt with. After all, it’s diversity and different backgrounds that help to find threats that others may not have thought of. To wit: “Women’s representation is important because women tend to offer viewpoints and perspectives that are different from men’s, and these underrepresented perspectives are critical in addressing cyber risks,” the author writes.
Signal no longer requires phone numbers (https://signal.org/blog/signal-pins/) Signal Blog: Good news! Signal, the end-to-end encrypted messaging app, is moving away from using phone numbers to identify users and moving towards PINs. The PIN will help take ownership of profile data, settings, and who’s blocked. By reducing the reliance on phone numbers, it makes the system more secure — and private.
Using the Untappd beer app to trace military and intelligence personnel (https://www.bellingcat.com/news/2020/05/18/military-and-intelligence-personnel-can-be-tracked-with-the-untappd-beer-app/) Bellingcat: The investigative folks at Bellingcat have done it again. Turns out you can trace military and intelligence folks by how much they drink — when, and where — using the Untappd beer app. With more than 8 million EU and U.S. users, Bellingcat’s investigative researchers showed it’s possible to track down where certain people go near military bases and secure locations. “Cross-referencing these check-ins with other social media makes it easy to find these individuals’ homes. Their profiles and the pictures they post also reveal family, friends, and colleagues.” Incredible.
U.K.’s contact tracing app riddled with flaws (https://www.bbc.com/news/technology-52725810) BBC News: New research (https://www.stateofit.com/UKContactTracing/) out of the U.K. shows that the NHS contact tracing app, used to identify the spread of the coronavirus, has a number of security flaws that could allow attackers to steal encryption keys, which could spoof transmissions or “prevent contagion alerts being sent,” effectively defeating the very point of the app. The U.K. National Cyber Security Centre thanked (https://www.ncsc.gov.uk/blog-post/nhs-covid-19-app-security-two-weeks-on) the researchers for their findings.
FBI and CISA’s top 10 list of routinely exploited vulnerabilities (https://www.us-cert.gov/ncas/alerts/aa20-133a) CISA: CISA, the cyber advisory arm of Homeland Security, has published a list of the top 10 most routinely exploited bugs. The list is insightful on its own as it helps organizations know which bugs to patch first (if they haven’t already). Arguably, a more interesting take was from @benhawkes (https://twitter.com/benhawkes/status/1262776020127510531), who had a great Twitter thread (https://twitter.com/benhawkes/status/1262776020127510531) diving into each of the 10 bugs, explaining in simple terms how they work and what they do. This, I’d say, is more important to read than the actual CISA post.
~ ~
** OTHER NEWSY NUGGETS
Calls between the House and Senate should be encrypted, lawmakers say (https://www.theverge.com/2020/5/19/21262751/senate-house-ron-wyden-encryption-voip-calls-capitol-hill) In things you probably never thought about, it turns out phone calls between the U.S. House and Senate are not encrypted. That makes it far easier to snoop on calls between the two congressional chambers. In a letter (https://www.wyden.senate.gov/news/press-releases/wyden-rounds-and-eshoo-lead-bipartisan-call-to-secure-us-capitol-phone-networks), several lawmakers — including Senate Intelligence Committee member Ron Wyden (D-OR) — warned that the lack of encryption could allow “foreign spies” to listen in. One assumes this also applies to U.S. intelligence — which, don’t forget, several years ago was caught spying (https://www.theguardian.com/us-news/2016/sep/10/cia-senate-investigation-constitutional-crisis-daniel-jones) on the U.S. Senate during the CIA torture inquiry.
Your face mask selfies could be training the next facial recognition tool (https://www.cnet.com/news/your-face-mask-selfies-could-be-training-the-next-facial-recognition-tool/) Just when you thought wearing masks en masse would thwart facial recognition systems, think again. Researchers are trawling the web for photos of people wearing masks to retrain facial recognition systems to detect only a portion of a person’s face.
Your Equifax settlement $125 isn’t coming, but banks get their $5.5M (https://arstechnica.com/tech-policy/2020/05/banks-get-their-slice-of-equifax-settlement-individuals-still-waiting/) Ever wondered where your $125 from the Equifax settlement went? The final price tag of $18 billion would have bankrupted the company so that idea was largely thrown out. But Equifax is still paying a ton to the banks for having to reissue millions of credit and debit cards. For everyone else, good luck getting a paltry few pennies — if any.
Analyzing over 1M leaked passwords from the UK’s biggest companies (https://www.passlo.com/blog/analysing-over-1m-leaked-passwords-from-the-uks-biggest-companies/) @darkp0rt (https://twitter.com/darkp0rt/status/1263481478756864000?s=12) analyzed 1 million passwords from the U.K.’s 100 largest companies. He found that some of the financial services companies were the worst password offenders, while biotech was one of the best verticals for password hygiene. His full post is well worth the read.
~ ~
** THE HAPPY CORNER
A couple of things from the week:
If you haven’t yet ordered @bartongellman’s (https://twitter.com/bartongellman) new book, Dark Mirror, you absolutely should. It’s part history book, part first-person narrative of how the Edward Snowden leaks went down, from Snowden’s initial contact with Gellman through to today. Gellman wrote a piece for The Atlantic (https://www.theatlantic.com/magazine/archive/2020/06/edward-snowden-operation-firstfruits/610573/) — adapted from his book — about how he’s never stopped looking over his shoulder as a result of the story. I can’t recommend this book enough; I couldn’t put it down.
And, finally (https://twitter.com/scottreuwho/status/1263527772728651776), this gem:
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** THIS WEEK’S CYBER CAT
Meet this week’s cyber cat, Scout. You’re a handsome cat, Scout. A big thanks to @CorbinCofer (https://twitter.com/CorbinCofer) for the submission. Don’t forget to send in your cyber cats! You can email them in here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.).
~ ~
** SUGGESTION BOX
That’s it for this week. Thanks for reading! As always, the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open for feedback. Hope to see you again next Sunday. Have a great week.