this week in security — may 3 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 18
~ ~
** THIS WEEK, TL;DR
When your freedom depends on an app (https://gizmodo.com/when-your-freedom-depends-on-an-app-1843109198) Gizmodo: This is one of those stories you cannot put down once you start reading. It follows parolees who are forced to install a location-tracking app, dubbed Guardian, instead of wearing an ankle monitor on release from jail. The app is badly flawed and often places parolees somewhere they are not, which has sent some of them back to jail. One parolee was “begging my parole officer to put an ankle monitor on me” instead. The reporters also reverse-engineered the app and explain what they found in detail (https://twitter.com/dmehro/status/1254960619016654857?s=21) . If you thought the U.S. justice system was broken already, this shows just how badly. More: @dmehro tweets (https://twitter.com/dmehro/status/1254960619016654857)
Mobile giant Xiaomi is recording millions of people’s ‘private’ web and phone use (https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/#2ce54e91b2a7) Forbes: Great researching and reporting by @iblametom (https://twitter.com/iblametom) . Enlisting the help of security researcher @cybergibbons (https://twitter.com/cybergibbons) , the pair found that Xiaomi devices send browser search queries, including searches made in incognito mode, back to the Chinese phone maker. Unsurprisingly, Xiaomi denied the claims in a laughably weak (http://blog.mi.com/en/2020/05/02/live-post-evidence-and-statement-in-response-to-media-coverage-on-our-privacy-policy/) blog post that was largely filler and bluster. The evidence gathered by Forbes, captured on video, is incredibly telling (https://twitter.com/cybergibbons/status/1256275170802745345) . Tip for companies: if you’re going to deny something, make sure there isn’t video evidence out there first. More: @cybergibbons (https://twitter.com/cybergibbons/status/1256586333105065985) | @iblametom (https://twitter.com/iblametom/status/1255852384133185538)
Attackers exploit zero-day code-execution flaw in the Sophos firewall (https://arstechnica.com/information-technology/2020/04/sophos-firewall-0day-allowing-remote-code-execution-comes-under-attack/) Ars Technica: Sophos has confirmed that its widely used XG Firewall was under attack from hackers exploiting a previously unknown SQL injection flaw, even on fully patched devices. The flaw can be used to steal usernames, hashed passwords and other sensitive data stored on the firewall. Sophos has since pushed a hotfix (https://news.sophos.com/en-us/2020/04/26/asnarok/) out to affected devices. More: Sophos (https://news.sophos.com/en-us/2020/04/26/asnarok/) | ZDNet (https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/)
Cyber-intel firms pitch governments on spy tools to trace coronavirus (https://www.reuters.com/article/us-health-coronavirus-spy-specialreport-idUSKCN22A2G1?) Reuters: A new Reuters special report looks at the phone hacking firms trying to jump on the coronavirus contact tracing effort. Cellebrite and NSO Group are two of the firms named in the article; both build technology that can break into phones. The pitch comes at a critical time, given the privacy issues at stake. Civil liberties advocates say letting these companies in during a time of crisis could open the door to abuse. Just this week, U.K. privacy and security experts warned (https://techcrunch.com/2020/04/29/uk-privacy-and-security-experts-warn-over-coronavirus-app-mission-creep/) about “mission creep” in contact tracing tools. More: TechCrunch (https://techcrunch.com/2020/04/29/uk-privacy-and-security-experts-warn-over-coronavirus-app-mission-creep/)
FISA national security orders fall amid Russia probe (https://www.nytimes.com/2020/04/30/us/politics/fbi-wiretaps-fisa-privacy.html) New York Times ($): The number of times the U.S. government asked the secret surveillance court to authorize its spying has fallen to its lowest level in seven years, a drop that coincided with intense scrutiny of those wiretapping powers during the Russia investigation. Buried in the report were FISA violations, pointed out by @LizaGoitein (https://twitter.com/LizaGoitein/status/1255909351816146946) in a tweet thread and a blog post (https://www.justsecurity.org/69972/odnis-2019-statistical-transparency-report-the-fbi-violates-fisaagain/) . Goitein said the FBI violated FISA several times by running so-called “backdoor” searches of Americans’ communications in a case that had nothing to do with national security. More: Just Security (https://www.justsecurity.org/69972/odnis-2019-statistical-transparency-report-the-fbi-violates-fisaagain/)
Google Play has been spreading advanced Android malware for years (https://arstechnica.com/information-technology/2020/04/sophisticated-android-backdoors-have-been-populating-google-play-for-years/) Ars Technica: Hackers exploited scanning deficiencies in Google Play, Android’s app store, to distribute an advanced backdoor, hidden in at least eight apps, that can steal a wide range of sensitive data. Kaspersky calls the campaign PhantomLance and ties it to the APT32 group. The major problem here is that Google’s malware checks clearly aren’t enough to stop these kinds of apps from sneaking into the Play store. More: Wired ($) (https://www.wired.com/story/phantomlance-google-play-malware-apt32/)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you for reading this newsletter! As the subscriber count goes up, so do the monthly costs. If you can spare $1/month (or more for exclusive perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps keep this newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here. ~ ~
** THE STUFF YOU MIGHT’VE MISSED
U.S. appeals court asks why Facebook encryption order should stay secret (https://www.reuters.com/article/us-encryption-rulings-facebook/u-s-appeals-court-asks-why-facebook-encryption-order-should-stay-sealed-idUSKCN22A354) Reuters: In 2018, the U.S. government asked a court (https://www.reuters.com/article/us-facebook-encryption-exclusive-idUSKCN1M82K1) if it was allowed to wiretap Facebook Messenger for an investigation into gang members. The government lost the case but the ruling was sealed. Now the ACLU wants to know what the legal reasoning was behind the dismissal in the hope that it will help the civil liberties group to fight against similar orders in the future.
Nine million British license plates spill onto the internet (https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/) The Register: A security mishap at one of the U.K.’s regional councils, Sheffield, exposed close to 9 million license plate records collected by automatic license plate reader cameras. The server had no password and served up its logs to anyone who knew the IP address. ALPR, or automatic license plate readers, are controversial because they can track where a vehicle goes at any time.
Quibi, JetBlue and others gave away email addresses, report says (https://www.nytimes.com/2020/04/29/business/media/quibi-jetblue-email-breach.html) New York Times ($): A security researcher says big companies, including Quibi and JetBlue, mishandled users’ email addresses in a way that let them fall into the hands of analytics and advertising firms. The full report can be found here (https://medium.com/@thezedwards/the-2020-url-querystring-data-leaks-millions-of-user-emails-leaking-from-popular-websites-to-39a09d2303d2) , but the gist is that these sites put email addresses in URL query strings, where third-party JavaScript loaded on the page could read and siphon them off, and also use them to track users across the internet.
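To make the query-string problem concrete, here is an added example (not code from the newsletter or from the linked report) of what a site owner can check and fix. It shows which URL parameters carry an email address, what a cross-origin request from that page would leak in its Referer header under two referrer policies, and a scrub step that removes the offending parameters, the value you would hand to history.replaceState() before any third-party tag runs. The sample page URLs are constructed for the example; the function and constant names are my own.

```javascript
// Added example, not code from the newsletter or the linked report.
// Sample URLs are constructed; no real site's addresses are used.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// Report every query-string or fragment parameter whose value looks like an
// email address. Any third-party script on the page can read these from
// location.search / location.hash, so each hit is already exposed to them.
function findEmailParams(urlString) {
  const url = new URL(urlString);
  const hits = [];
  for (const [key, value] of url.searchParams) {
    if (EMAIL_RE.test(value)) hits.push({ where: 'query', key });
  }
  const fragmentParams = new URLSearchParams(url.hash.replace(/^#/, ''));
  for (const [key, value] of fragmentParams) {
    if (EMAIL_RE.test(value)) hits.push({ where: 'fragment', key });
  }
  return hits;
}

// What a cross-origin HTTPS request from this page carries in its Referer
// header. Two policies are modelled: no-referrer-when-downgrade sends the
// full URL minus the fragment (the long-time browser default), while
// strict-origin-when-cross-origin sends only the origin. A fragment is
// never sent in Referer under any policy, but scripts can still read it.
function refererFor(pageUrl, policy) {
  const url = new URL(pageUrl);
  if (policy === 'strict-origin-when-cross-origin') return url.origin + '/';
  if (policy === 'no-referrer-when-downgrade') {
    url.hash = '';
    return url.toString();
  }
  throw new Error('unmodelled referrer policy: ' + policy);
}

// Return the URL with every email-carrying parameter removed. Kept as a pure
// function so it can be checked offline; on a live page you would pass the
// result to history.replaceState() before third-party scripts execute.
function scrubEmailParams(urlString) {
  const url = new URL(urlString);
  for (const { where, key } of findEmailParams(urlString)) {
    if (where === 'query') {
      url.searchParams.delete(key);
    } else {
      const frag = new URLSearchParams(url.hash.replace(/^#/, ''));
      frag.delete(key);
      url.hash = frag.toString();
    }
  }
  return url.toString();
}

// Constructed sample: an email-confirmation landing page that echoes the
// subscriber's address into the query string, plus a fragment-based variant.
const SAMPLE_QUERY_PAGE =
  'https://www.example.com/welcome?utm_source=newsletter&email=jane.doe%40example.org';
const SAMPLE_FRAGMENT_PAGE =
  'https://www.example.com/app#token=abc&user=bob@example.org';

function demo(pageUrl) {
  return {
    hits: findEmailParams(pageUrl),
    legacyReferer: refererFor(pageUrl, 'no-referrer-when-downgrade'),
    strictReferer: refererFor(pageUrl, 'strict-origin-when-cross-origin'),
    scrubbed: scrubEmailParams(pageUrl),
  };
}

console.log(demo(SAMPLE_QUERY_PAGE));
console.log(demo(SAMPLE_FRAGMENT_PAGE));
```

The scrub only removes what the page itself put in the URL; it does nothing about a third-party script that has already run, which is why the rewrite has to happen before those tags load, and why the better fix is to never place an identifier in the URL in the first place.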
New bill threatens journalists’ ability to protect sources (https://techcrunch.com/2020/05/01/new-bill-threatens-journalists-ability-to-protect-sources/) TechCrunch: The controversial EARN IT bill has not gone away. @runasand (https://twitter.com/runasand) , who used to run newsroom infosec at the New York Times, has an op-ed explaining how the bill, if passed, would threaten journalists’ ability to protect their sources. “Our digital life is protected by the same features that allow some bad people to do bad things online,” she writes. ~ ~
** OTHER NEWSY NUGGETS
Shade ransomware shuts down, releases 750,000 decryption keys (https://www.bleepingcomputer.com/news/security/shade-ransomware-shuts-down-releases-750k-decryption-keys/) Anyone infected by Shade can now get their files back. The ransomware operation, also known as Troldesh, shut down this week and apologized for the harm it had done. The group had hit targets consistently over the past five years. The keys can now be downloaded (https://twitter.com/k1k_/status/1254773729642475520) from GitHub.
EU turns to Signal in security clampdown (https://www.theverge.com/2020/2/24/21150918/european-commission-signal-encrypted-messaging) The European Commission, the executive arm of the 27-member bloc, has turned to the end-to-end encrypted messaging app Signal for sending sensitive but unclassified information between staffers and offices. The move comes as the EU tries to lock down its systems in the wake of high-profile hacks, including of its embassy in Russia (https://www.buzzfeednews.com/article/albertonardelli/eu-embassy-moscow-hack-russia) and a massive leak of EU diplomatic cables (https://www.nytimes.com/2018/12/18/us/politics/european-diplomats-cables-hacked.html) .
NSO employee abused phone hacking tech to target a love interest (https://www.vice.com/en_us/article/bvgwzw/nso-group-employee-abused-pegasus-target-love-interest) I think this headline says it all, really. The previously unreported incident is a massive abuse of NSO’s products, which are sold only to governments (and are frequently linked to despotic regimes). NSO, as mentioned earlier, builds phone hacking tech. One employee used that tooling to spy on a love interest. ~ ~
** THE HAPPY CORNER
Here are a few sprinklings of good news from the week.
@hexadecim8 (https://twitter.com/hexadecim8/status/1254759975131504640?s=21) has a short video of a 3D-printed secret butterfly box, which opens only if you know the right sequence of twists. Remarkable stuff. You can see it here (https://twitter.com/hexadecim8/status/1254759975131504640?s=21) .
@geoffwhite247 (https://twitter.com/geoffwhite247) tracked down the original author of the Love Bug worm, which sparked one of the world’s biggest computer virus outbreaks some 20 years ago. The author, a Filipino man now in his 40s, said he regrets the damage it caused. White wrote the story (https://www.bbc.com/news/technology-52458765) for BBC News.
And, the U.K. National Cyber Security Centre has moved its terminology away from “blacklist” and “whitelist” to “deny list” and “allow list” respectively. NCSC said the move was its part in “helping to stamp out racism” in cybersecurity. NCSC’s technical director Ian Levy said in his closing remarks: “If you’re thinking about getting in touch saying this is political correctness gone mad, don’t bother.” Couldn’t have said it better.
If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Sweetpea, who loves you to the ends of the earth and back, but woe betide you if you don’t take security seriously. Thanks to @flyingbluemonki (https://twitter.com/flyingbluemonki) for the submission! Please send in your quarantine cyber cats! They will be featured in an upcoming newsletter. You can send them here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
And we’re out! Thanks again for reading, whether you read in your inbox or online. If you have any feedback, drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Take care, and be well. See you next week.