this week in security — may 26 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 20.
** THIS WEEK, TL;DR
Google Has Stored Some Passwords in Plaintext Since 2005 (https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/) Wired ($): A flaw dating back to 2005 meant Google stored some G Suite and enterprise account passwords in plaintext. That’s more than a decade and a half! Google didn’t say how many accounts were affected — only that no consumer Gmail accounts were affected. It’s the latest company to face a security snafu with plaintext passwords after Facebook (https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/), Twitter (https://www.wired.com/story/change-your-twitter-password-right-now/) and GitHub (https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/). Here’s a thought: maybe just don’t? Given this wasn’t an isolated case, expect more companies to report similar issues. More: Google Cloud Blog (https://cloud.google.com/blog/products/g-suite/notifying-administrators-about-unhashed-password-storage) | TechCrunch (https://techcrunch.com/2019/05/21/google-g-suite-passwords-plaintext/)
A Huge Chinese Video App Exposed Data Without Their Knowledge (https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download) BuzzFeed News: VidMate, an Android app that allows users to download videos from YouTube and WhatsApp among others, said it was “investigating” claims its app was engaging in hidden ad click fraud, subscribing users to paid services without permission, and exposing personal information, such as unique mobile identifier numbers and their IP addresses. The app was later removed from Google Play. More: UpStream (https://www.upstreamsystems.com/secure-d-uncovers-vidmate-android-app-hides-background-activity-generating-fake-clicks-installing-suspicious-apps-without-users-consent/) | @CraigSilverman tweet thread (https://twitter.com/CraigSilverman/status/1130263911633248256)
Huawei’s Rise Is Littered With Claims of Theft and Dubious Ethics (https://www.wsj.com/articles/huaweis-yearslong-rise-is-littered-with-accusations-of-theft-and-dubious-ethics-11558756858) Wall Street Journal ($): Here’s a long WSJ profile of how Huawei rose to power. The report delves into how the Chinese telecoms giant came to prominence — and became a target of the U.S. government — not least through claims of theft of intellectual property and questionable ethics. One key line from the piece: “Huawei had built spy-proof secure rooms that were off-limits to American employees, according to current and former U.S. officials.” The WSJ said the rooms were used as a way to securely communicate with Beijing — which Huawei denied. Some likened (https://twitter.com/KimZetter/status/1132290912027987968) the rooms to how the NSA installed secret rooms — like 641A — in AT&T facilities. More: @kimzetter (https://twitter.com/KimZetter/status/1132290912027987968) | @dnvolz tweet thread (https://twitter.com/dnvolz/status/1132270452192284672?s=21)
First American Exposed Hundreds of Millions of Insurance Records (https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/) Krebs On Security: First American, one of the largest real estate title insurance providers, exposed hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by security reporter Brian Krebs. The data included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images. The data was accessible with a web browser — and anyone with a URL could’ve easily enumerated files based on the sequential URL structure. Krebs estimated as many as 885 million files dating back to 2003 were accessible. More: Reuters (https://www.reuters.com/article/us-first-am-cyber/first-american-says-product-defect-could-have-caused-customer-data-exposure-idUSKCN1SV017) | @robpegoraro (https://twitter.com/robpegoraro/status/1132072859579428870) | @kennwhite (https://twitter.com/kennwhite/status/1132049911195807745)
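The failure described in the First American item is a document endpoint where the sequential id in the URL is the only thing checked. The following is an added example written for this newsletter, not First American's code: a constructed document store with the unchecked lookup beside a version that ties every request to an authenticated owner, an opaque identifier generator, and a small detector that flags clients walking consecutive ids in constructed access-log lines. The store contents, user names, ids and log format are all made up here.

```python
"""Sequential document URLs without authorization, the hardened lookup, and a
log check for enumeration. Added example with constructed data; nothing here
is First American's code, schema or log format."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Document:
    owner: str
    title: str


# Constructed sample store. Keys stand in for the sequential ids the URLs carried.
DOCS = {
    1000001: Document("alice", "closing statement"),
    1000002: Document("bob", "wire receipt"),
    1000003: Document("alice", "tax record"),
}


class Forbidden(Exception):
    """Raised when a principal may not read the requested document."""


def fetch_insecure(doc_id: int) -> Optional[Document]:
    """Anti-pattern: the id in the URL is treated as the capability.
    No principal, no ownership check, so any valid id returns the document."""
    return DOCS.get(doc_id)


def fetch_secure(doc_id: int, user: Optional[str]) -> Document:
    """Every request carries an authenticated principal that is compared with the
    document's owner. Missing documents and other people's documents both raise
    Forbidden, so the response does not reveal which ids exist."""
    doc = DOCS.get(doc_id)
    if user is None or doc is None or doc.owner != user:
        raise Forbidden(f"{user!r} may not read document {doc_id}")
    return doc


def can_read(doc_id: int, user: Optional[str]) -> bool:
    """Boolean wrapper around fetch_secure for policy checks and tests."""
    try:
        fetch_secure(doc_id, user)
        return True
    except Forbidden:
        return False


def opaque_id() -> str:
    """Unguessable identifier for newly created documents. This removes the
    'count upwards' shortcut but is not a substitute for the ownership check."""
    return secrets.token_urlsafe(16)


# Detection side: constructed access-log format "<client> GET /documents/<id> <status>".
LOG_LINE = re.compile(r"^(\S+) GET /documents/(\d+) (\d{3})$")

SAMPLE_LOG = [  # constructed
    "10.0.0.5 GET /documents/1000001 200",
    "10.0.0.5 GET /documents/1000002 200",
    "10.0.0.5 GET /documents/1000003 200",
    "10.0.0.5 GET /documents/1000004 404",
    "10.0.0.5 GET /documents/1000005 200",
    "192.0.2.9 GET /documents/1000002 200",
]


def flag_enumeration(lines: Iterable[str], min_run: int = 4) -> List[str]:
    """Return clients whose requested ids include a run of at least `min_run`
    consecutive values, the signature of someone walking the id space."""
    ids_by_client = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("insecure lookup as anyone:", fetch_insecure(1000002))
    print("alice reads her own doc:", can_read(1000001, "alice"))
    print("alice reads bob's doc:", can_read(1000002, "alice"))
    print("new opaque id:", opaque_id())
    print("clients flagged for enumeration:", flag_enumeration(SAMPLE_LOG))
```

The detector deliberately does not rely on 404s: in the incident described, the ids were valid and the server happily returned 200s, so the consecutive-id pattern is the signal worth alerting on.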
Apple’s Plan To Make Online Ads More Private (https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/) Apple: This is interesting. The web relies on ads — we know — but ad blockers are increasing in popularity because ads are crap, invasive, track you from site to site, and sometimes even serve malware. Apple has a plan to allow for advertisers to still get conversion attribution data (https://twitter.com/ashk4n/status/1131315800319483904) without identifying the individual in question. It’s an interesting approach that Apple says will be enforced at the browser level. The proposed standard was submitted to the W3C so we’ll see if it takes off. (I wrote a tl;dr here (https://techcrunch.com/2019/05/22/apple-online-ads-private/) if you’re interested.) More: TechCrunch (https://techcrunch.com/2019/05/22/apple-online-ads-private/) | @othermaciej tweet thread (https://twitter.com/othermaciej/status/1131260652532535296) | @ashk4n (https://twitter.com/ashk4n/status/1131314229682638851)
Australian Tech Unicorn Canva Hit By Security Breach (https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/) ZDNet: More than 139 million user records were stolen from Australian graphic design site Canva, one of the biggest sites on the web. It was the same hacker behind some of the recent dozen-plus site hacks, totaling more than a billion stolen records (https://twitter.com/campuscodi/status/1132005633199398912). About 78 million users had a Gmail address associated with their Canva account. The good news is that Canva used bcrypt, so user passwords are believed (let’s hope) to be safe. More: @campuscodi tweet thread (https://twitter.com/campuscodi/status/1132004116589424640)
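The Google and Canva items above are two ends of the same story: a credential store that holds the password itself, and one that holds a salted, slow hash so a stolen database does not hand over working passwords. The code below is an added example, not code from Google, Canva or this newsletter. bcrypt, which Canva used, is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the properties being shown (a random per-user salt, a tunable work factor, constant-time verification) are the same. The usernames and passwords are constructed.

```python
"""Plaintext password storage next to salted, slow hashing, plus the audit a
defender would run to find records stored the wrong way. Added example using
PBKDF2-HMAC-SHA256 as a standard-library stand-in for bcrypt."""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Work factor for PBKDF2-HMAC-SHA256. Tune so one verification costs tens of
# milliseconds on the authentication servers; 600,000 is a common current choice.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The anti-pattern: the stored record is the secret itself. Anyone who reads
    the table (a leak, a backup, an over-privileged admin tool) has every password."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, iterations: int = ITERATIONS) -> dict:
    """Random salt per record so identical passwords produce different hashes,
    and the iteration count is stored so it can be raised later without a reset."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against a stored record in constant time."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), candidate.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def audit_store(records: Dict[str, dict]) -> List[str]:
    """Return the users whose credentials are held without hashing. This is the
    check that turns 'we have stored some passwords in plaintext' into a list of
    accounts to reset and notify."""
    return sorted(user for user, rec in records.items() if rec["scheme"] == "plaintext")


if __name__ == "__main__":
    # Constructed accounts: one stored the wrong way, two the right way.
    users = {
        "legacy-admin": store_plaintext("hunter2"),
        "alice": store_hashed("correct horse battery staple"),
        "bob": store_hashed("correct horse battery staple"),
    }
    # Same password, different salts, different hashes.
    print("alice and bob share a password but not a hash:",
          users["alice"]["hash"] != users["bob"]["hash"])
    print("alice logs in:", verify(users["alice"], "correct horse battery staple"))
    print("wrong password:", verify(users["alice"], "Correct horse battery staple"))
    print("accounts needing a forced reset:", audit_store(users))
```

If the store is ever found to hold plaintext records, the remediation is the one the audit function points at: force a reset for exactly those accounts, re-store under the hashed scheme, and look in logs and backups for copies of the old table.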
License Plate Scanning Tech Had Its Website Hacked And Files Published (https://www.theregister.co.uk/2019/05/23/perceptics_hacked_license_plate_recognition/) The Register: Perceptics, a maker of license plate readers used by the U.S. government at the border to track citizens and immigrants, has been hacked and its internal blueprints and files stolen and published online. More: Motherboard (https://www.vice.com/en_us/article/qv7zxx/perceptics-license-plate-readers-hacked)
Homeland Security Warns Industry Of Chinese-Made Drones (https://www.cyberscoop.com/dhs-chinese-drones-warning/) Cyberscoop: Homeland Security is expanding its warnings from Chinese-owned telcos to Chinese-made drones. The agency’s cyber division, CISA, issued an advisory saying drones “can contain components that can compromise your data and share your information on a server accessed beyond the company itself.” Drones developed by Chinese manufacturers make up close to 80 percent of the market. More: BBC News (https://www.bbc.com/news/technology-48352271)
** THE STUFF YOU MIGHT’VE MISSED
Company behind LeakedSource pleads guilty in Canada (https://www.zdnet.com/article/company-behind-leakedsource-pleads-guilty-in-canada/) ZDNet: LeakedSource, the for-profit data breach notification site that also sold access to account passwords (that was its big mistake!) pleaded guilty in Canada, according to a press release (http://www.rcmp-grc.gc.ca/en/news/2019/defiant-tech-inc-enters-guilty-plea-rcmp-cybercrime-investigation) by the Royal Canadian Mounted Police. The site had some of the biggest breaches in its database — including AdultFriendFinder (https://www.zdnet.com/article/adultfriendfinder-network-hack-exposes-secrets-of-412-million-users/) and Last.fm. Jordan Bloom, who ran the front company behind the site, pleaded guilty to trafficking in identity information and possession of property obtained by crime.
Bluetooth’s complexity has become a security risk (https://www.wired.com/story/bluetooth-complex-security-risk/) Wired ($): Here’s an interesting look at the Bluetooth stack, which runs on pretty much every device these days. The big reason why bugs exist isn’t with Bluetooth itself, but the way it’s implemented. “Bluetooth offers so many options for deployment that developers don’t necessarily have full mastery of the available choices, which can result in faulty implementations,” writes @lilyhnewman (https://twitter.com/lilyhnewman?lang=en).
Snapchat employees abused data access to spy on users (https://www.vice.com/en_us/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion) Motherboard: An internal tool, known as SnapLion, was abused by staff across various departments to gain access to user data without permission, reports @josephfcox (https://twitter.com/josephfcox). SnapLion provides “the keys to the kingdom” of the site’s 186 million users. Although tools like this are not uncommon in startups and data-intensive companies, the abuse still happened several times, by multiple individuals.
New browser extensions for integrating Microsoft’s hardware-based isolation (https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) Microsoft: The tech giant has released a batch of browser extensions that take Edge’s containerized technology to Chrome and Firefox. The technology allows the third-party browsers to run untrusted or dangerous websites in a sandboxed Edge browser session to prevent any damage to the host computer.
How one engineer lost $100,000 in a SIM port hack (https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124?sk=4c29b27bacb2eff038ec8fe4d40cd615) Medium: There are definitely some lessons to be learned from this devastating hack. Sean Coonce wrote up how hackers stole $100,000 from his Coinbase account using a SIM swapping hack. The details are all in there — spare a thought for the poor bloke — but props to him for his transparency in an effort to prevent this from happening again.
Researcher publishes three Windows zero-days in as many days (https://www.zdnet.com/article/researcher-publishes-windows-zero-days-for-the-third-day-in-a-row/) ZDNet: After the first two zero-days were uploaded to GitHub (https://www.zdnet.com/article/two-more-microsoft-zero-days-uploaded-on-github/), a third was posted (https://www.zdnet.com/article/researcher-publishes-windows-zero-days-for-the-third-day-in-a-row/) the following day, making three in as many days. The researcher, known as SandboxEscaper, didn’t notify Microsoft prior to her releases. (She almost never does.)
AT&T alerted customers of breach that never happened (https://www.vice.com/en_us/article/nea35k/att-mistake-data-breach) Motherboard: Someone at AT&T pulled a data breach notification trigger by mistake. Motherboard reports that the phone giant posted a notification on its website warning of a data breach that never happened. “The boilerplate FAQ is an interesting peek behind the curtain at how companies prepare for data breaches, and at how they pre-plan their apologies,” wrote @lorenzofb (https://twitter.com/lorenzofb).
London’s Tube network to switch on Wi-Fi tracking by default in July (https://techcrunch.com/2019/05/22/mind-the-privacy-gap/) TechCrunch: Wi-Fi device tracking is coming to the London subway system starting in July. Transport for London, which runs the Tube, said it’ll help to provide greater insights into overcrowding and delays, but will “also use the information to enhance its in-station marketing analytics.” Unsuspecting travelers can opt out… by switching Wi-Fi off.
** OTHER NEWSY NUGGETS
Two years later, hundreds of US schools still haven’t patched for WannaCry (https://arstechnica.com/information-technology/2019/05/two-years-after-wannacry-us-schools-still-vulnerable-to-eternalblue/) Publicly accessible security-scan data shows that many public organizations have failed to do more than put a bandage over long-standing system vulnerabilities that, if successfully exploited, could bring their operations to a standstill, reports Ars Technica.
Vermont’s attorney general settles with software firm over security issues (https://ago.vermont.gov/blog/2019/05/23/attorney-general-donovan-settles-with-supplier-of-software-to-vermont-cities-and-towns/) A software maker which supplies its technology to “every city and town in Vermont” has resolved allegations of data security issues — including not using encryption to store passwords and other sensitive data, like Social Security numbers and banking information. The attorney general’s office “saw no evidence of security breaches at any municipality as a result of the software, but could not rule out the possibility of an undiscovered breach, due to the lack of logging or security monitoring.”
Techdirt sues ICE over a million seized domains (https://www.techdirt.com/articles/20190523/09390242264/techdirt-sues-ice-after-it-insists-it-has-no-records-1-million-domains-it-claims-to-have-seized.shtml) Techdirt has sued Immigration and Customs Enforcement for claiming it has no records about the million-plus domains it seized back in 2010 under claims of copyright infringement. Editor Mike Masnick (https://twitter.com/mmasnick) said the seizures raised serious First Amendment issues, and demanded answers. “The fact that these thugs have been literally seizing and pulling down entire websites – a clear First Amendment violation – based entirely on the say-so of a few biased corporate execs should be a major scandal,” he wrote. Definitely a case worth watching. You can read more here (https://causeofaction.org/techdirt-sues-ice-for-records-relating-to-seizures-of-website-domains/).
Cyber Command’s latest VirusTotal upload is linked to an active attack (https://www.cyberscoop.com/cyber-command-virustotal-apt28-kaspersky-zonealarm/) From @shanvav (https://twitter.com/shanvav): Cyber Command’s latest malware sample upload to VirusTotal is connected to active attacks linked to China-backed APT 28, known as Fancy Bear, researchers say. “A variant of the malware is being used in ongoing attacks, hitting targets as recently as this month,” according to Kaspersky and ZoneAlarm researchers. The targets include Central Asian nations, as well as diplomatic and foreign affairs organizations.
Apple won’t patch macOS Gatekeeper bypass bug (https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass) macOS Gatekeeper normally prevents downloaded and unsigned files from running without a user’s consent. But Filippo Cavallarin found a bug that bypasses the security feature by hosting potentially damaging content on a mounted network share. Here’s a video of his proof-of-concept (https://youtu.be/m74cpadIPZY). Apple was contacted on February 22 but didn’t fix the bug, so he released the details per the industry-standard 90-day disclosure deadline.
Sensor calibration fingerprinting for smartphones (https://sensorid.cl.cam.ac.uk/) This is pretty interesting research: researchers found they can fingerprint a smartphone — including iPhones — within a single second using a device’s gyroscope and magnetometer sensors, and that fingerprint can be used to track devices across the web. Apple patched the tracking in iOS 12.2 — so update if you haven’t already. There are two demo videos here (https://sensorid.cl.cam.ac.uk/#Demo), and ZDNet has a write-up (https://www.zdnet.com/article/android-and-ios-devices-impacted-by-new-sensor-calibration-attack/) explaining more.
** THE HAPPY CORNER
This week, we take a trip down memory lane and look at the inside story behind the Senate testimony by @dotMudge (https://twitter.com/dotMudge/status/1130544366332911616) et al. in 1998. “It was the first time the U.S. government publicly referenced ‘hackers’ in a positive context,” he tweeted (https://twitter.com/dotMudge/status/1130544366332911616). This tweet thread is an incredible first-hand look at what happened that day.
Serial entrepreneur and CEO @ElissaBeth (https://twitter.com/ElissaBeth/) has a small Slack group for women CTOs, CSOs and technically focused CEOs, she tweeted this week (https://twitter.com/ElissaBeth/status/1130645557595332609) . The group is invite-only but open to those interested.
And finally, Threader this week published a conversation (https://threader.app/the-art-of-threading/a-conversation-with-tinker) with @TinkerSec (https://threader.app/@tinkersec), everyone’s favorite physical pentester. It’s a great read about how he got into hacking, breaks into physical systems and uses social engineering as a way to gain access. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place).
** THIS WEEK’S CYBER CAT
This week’s cybercat is Misshka. She’s a purralegal (ba-dum-tssk) who loves and defends hackers. Thanks to Anirban Sen (https://twitter.com/AnirbanSen) for the submission! (You may need to enable images in this email.) Don’t forget to send in your cybercats. The more the merrier. Please send them in by dropping me a note here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
Have a great week. Thanks for reading and I’ll see you next week. As always, if you have any feedback, please drop a note in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform).