this week in security — may 30 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 4, issue 21
~ ~
** THIS WEEK, TL;DR
Malware breaks macOS security to take sneaky photos (https://www.forbes.com/sites/thomasbrewster/2021/05/24/update-your-mac-now-nasty-hack-breaks-apple-security-to-take-sneaky-photos/) Forbes: The XCSSET malware has been targeting Mac users, allowing it to bypass macOS’ privacy protections and secretly take screenshots of a victim’s display. The exploit allowed the malware to inherit screen recording permissions from other apps, like Zoom. Apple has fixed the vulnerability and confirmed it was exploited in the wild. Jamf, which discovered the malware’s new technique, said the bug wasn’t limited to taking screenshots and easily could have abused other access, such as the microphone and webcam. The bug was recorded as CVE-2021-30713 (https://support.apple.com/en-us/HT212529) . More: The Record (https://therecord.media/apple-fixes-macos-zero-day-abused-by-xcsset-malware/) | Jamf (https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/) | Apple security updates (https://support.apple.com/en-us/HT212529)
Court rules encrypted email provider Tutanota must monitor messages in blackmail case (https://www.cyberscoop.com/court-rules-encrypted-email-tutanota-monitor-messages/) Cyberscoop: A federal court in Germany has ruled that encrypted email provider Tutanota must monitor for three months the messages of accounts implicated in a blackmail case. The case impacts just two accounts, but Tutanota said it shouldn’t be required to monitor accounts as it’s not a telecoms provider. “We consider this decision to be absurd,” said Tutanota. The decision will only impact unencrypted incoming and outgoing emails of the affected accounts, as Tutanota can’t decrypt data that has already been encrypted, per Cyberscoop. But it’s feared that the court ruling could open the door to action against other encrypted providers. More: @ilumium (https://twitter.com/ilumium/status/1397536409825779714)
Microsoft finds SolarWinds hackers targeted USAID (https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/) Microsoft: The Russian hackers behind the SolarWinds attack, which Microsoft calls “Nobelium,” were found targeting USAID and other agencies with an aggressive (and rather “loud”) phishing campaign, targeting around 3,000 individuals across 150 organizations. Was it bad? Yeah, not great! But Microsoft said a couple of days later to, basically, chill out. CISA, too, said it has “not identified significant impact” at the federal level. Wired ($) (https://www.wired.com/story/russia-solarwinds-hackers-phishing-usaid/) has a measured look at what happened and why this isn’t an escalation of tactics. @dangoodin001 (https://twitter.com/dangoodin001/status/1398074956022304768?s=21) has a good tweet thread, as does @johnhultquist (https://twitter.com/johnhultquist/status/1398086538081275905?s=21), who said the hackers in this case “won’t all be Ocean’s 11.” Harsh, but fair. More: Volexity (https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/) | BBC News (https://www.bbc.com/news/world-us-canada-57280510) | @nakashimae (https://twitter.com/nakashimae/status/1398654072530554880?s=20) | @dnvolz (https://twitter.com/dnvolz/status/1398665282755911683?s=21)
U.S. towns are buying Chinese surveillance tech tied to Uighur abuses (https://techcrunch.com/2021/05/24/united-states-towns-hikvision-dahua-surveillance/) TechCrunch: Towns and municipalities across the U.S. (https://ipvm.com/reports/hikua-us-map) are buying Hikvision and Dahua technology, such as surveillance cameras and thermal imaging sensors (which don’t work (https://www.washingtonpost.com/technology/2021/03/05/fever-scanner-flaws-covid/) that well), despite bans at the federal level, because of the companies’ links to human rights abuses against Uighurs and other ethnic minorities in China. The municipalities aren’t banned from buying this equipment like federal agencies are, but some local governments simply glossed over the human rights abuses and told me that Hikvision was the only manufacturer “with a viable solution that was ready for delivery.” Some municipalities spent close to $500,000 on this technology to put in public schools and correctional facilities. (Disclosure: I wrote this story!) It comes in the same week that a BBC (https://www.bbc.com/news/technology-57101248) report showed police in Xinjiang, where most Uighurs live, tested technology from an unnamed company on Uighurs to “reveal states of emotion.” More: IPVM (https://ipvm.com/reports/hikua-us-map) | BBC News (https://www.bbc.com/news/technology-57101248)
Clearview AI hit by wave of European privacy complaints (https://www.bloomberg.com/news/articles/2021-05-27/clearview-ai-hit-by-wave-of-european-privacy-complaints) Bloomberg ($): The controversial surveillance and facial recognition startup Clearview AI has been hit with several complaints filed with data watchdogs across Europe, including France, Greece, Italy and the U.K., arguing Clearview AI has “no place in Europe.” The startup boasted it scraped 3 billion public profile photos from the web, but has been ruled illegal (https://www.cbc.ca/news/politics/technology-clearview-facial-recognition-1.5899008) in Canada. Clearview AI says it doesn’t have any EU contracts. Still, it will be interesting to see if Europe takes action — regardless of whether it’s used there or not, as the company claims. More: BBC News (https://www.bbc.com/news/technology-57268121) | Gizmodo (https://gizmodo.com/clearview-ai-faces-fresh-legal-complaints-in-5-countrie-1846980506)
~ ~
** SUPPORT THIS NEWSLETTER
Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), to help cover the server and email costs. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) , or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png) . ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Doom CAPTCHA (https://vivirenremoto.github.io/doomcaptcha/) Miquel Camps Orteza: @vivirenremoto (https://twitter.com/vivirenremoto) made a Doom CAPTCHA. It’s not as strict as a regular CAPTCHA, and “it’s pretty easy to break the security of this.” But it’s an impressive build. You can find the project here (https://vivirenremoto.github.io/doomcaptcha/). It reminds me of the time @Foone (https://twitter.com/Foone/status/1302820468819288066) put Doom on a digital pregnancy test (https://www.popularmechanics.com/science/a33957256/this-programmer-figured-out-how-to-play-doom-on-a-pregnancy-test/).
M1racles bug found in Apple M1 chip (https://m1racles.com/#dont-panic) M1racles: A new covert channel vulnerability (CVE-2021-30747 (https://vuldb.com/?id.175807)) in Apple’s new silicon, M1, allows any two legitimate apps running under the same operating system to covertly share data between them. It’s believed to be a design flaw that can’t be easily fixed without a change to the actual hardware chip. But the bug isn’t that bad and “can’t be used by exploits or malware to steal or tamper with data stored on a machine,” per Ars Technica (https://arstechnica.com/gadgets/2021/05/apples-m1-chip-has-a-security-bug-but-dont-worry-its-mostly-harmless/).
How Russian dark net market Hydra made more than $1 billion in 2020 (https://www.cyberscoop.com/hydra-cybercrime-russia-bitcoin-laundering-darkside/) Cyberscoop: They say crime doesn’t pay… well, clearly it does. Hydra, a notorious Russian-speaking dark net market that specializes in narcotics, has netted more than $1.4 billion according to researchers. That makes up about three-quarters of all dark web marketplace activity.
It’s ransomware, or maybe a disk wiper, and it’s striking targets in Israel (https://arstechnica.com/gadgets/2021/05/disk-wiping-malware-with-irananian-fingerprints-is-striking-israeli-targets/) Ars Technica: An interesting new wiper — well, what looks like a wiper, disguised as ransomware — is targeting victims in Israel, according to security firm SentinelOne. The malware is believed linked to the Iranian government, which has an affinity for disk wipers (remember Shamoon (https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/) ?). ~ ~
** OTHER NEWSY NUGGETS
Crime app Citizen exposed users’ COVID data (https://www.vice.com/en/article/qj8kwq/citizen-safepass-privacy-covid-data-exposed) Bad week for Citizen, thanks in large part to @josephfcox (https://twitter.com/josephfcox)’s dogged reporting on the company, but really because of its own security failings that exposed (https://www.vice.com/en_us/article/qj8kwq/citizen-safepass-privacy-covid-data-exposed) users’ personal COVID-19 exposure data, including self-reported test data and symptoms, and allowed a hacktivist to scrape (https://www.vice.com/en_us/article/pkbg89/hacker-hacktivist-citizen-app-scrape-dark-web) the company’s entire cache of app data on over 1.7 million incidents. While you’re here, you should read how Citizen operates — by cashing in (https://www.vice.com/en/article/y3dpyw/inside-crime-app-citizen-vigilante) on vigilantism (which isn’t far off from the company’s original name (https://techcrunch.com/2017/03/10/banned-crime-reporting-app-vigilante-returns-as-citizen-says-its-report-incident-feature-will-be-pulled/)).
Privacy advocate explains how real-world ad tracking works (https://twitter.com/robertgreeve/status/1397032784703655938?s=21) You know that long-running trope that Facebook (or Google) listens to your microphone to serve more targeted ads? No evidence has ever shown that’s really happening. It turns out that ads are (sometimes) just that smart. Here is a really great thread by @RobertTGreeve (https://twitter.com/robertgreeve/status/1397032784703655938?s=21) on how ads know what you might want, even if you’ve never spoken about a product or searched for it. It’s a good primer for anyone who doesn’t really get how the real and digital worlds blend together to guess what ads you might be interested in. This is one of the best explainers I’ve seen.
DHS to issue first cybersecurity regulations for pipelines after Colonial hack (https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/) Homeland Security is moving to regulate cybersecurity in the pipeline industry to prevent a repeat of the ransomware attack that resulted in the Colonial Pipeline outage (and fuel shortages) a couple of weeks back. TSA, better known for violating your privacy at U.S. airports, will require pipeline companies to report cyber incidents to federal authorities.
A rise in opportunistic hacks and info-sharing imperils industrial networks (https://beta.darkreading.com/attacks-breaches/rise-in-opportunistic-hacks-and-info-sharing-imperil-industrial-networks-critical-infrastructure) Speaking of critical infrastructure… Mandiant researchers say recent high-profile hacks, including incidents at local water supply systems, have been far more rudimentary and simple than other, widely known attacks — the Stuxnets and the Tritons out there. In many cases, systems inadvertently exposed to the open internet have been a hacker’s entry point. @kjhiggins (https://twitter.com/kjhiggins) has more. ~ ~
** THE HAPPY CORNER
Quiet week, but I couldn’t help but share this (https://www.bbc.com/news/uk-england-merseyside-57226165) incredible headline. The “s” in OPSEC stands for stilton. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** CYBER CATS & FRIENDS
This week’s cyber cat is Miette, who will absolutely trade belly scritches for cybersecurity advice… but you have to pay up front first. A big thanks to @theemmazaballos (https://twitter.com/theemmazaballos) for the submission!
This week’s cyber cat, Miette.
Keep sending in your cyber cats (and their friends). You can always drop them here (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.). ~ ~
** SUGGESTION BOX
And we’re outta here. Thanks so much for reading. The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open for any feedback. Hope you have a peaceful and restful weekend (and Memorial Day, for the folks in the U.S.). See you next Sunday.
~this week in security~ does not track email opens or link clicks.