this week in security — may 31 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 22
~ ~
** THIS WEEK, TL;DR
After a tumultuous week, House Democrats pull FISA vote (https://www.rollcall.com/2020/05/27/house-delays-votes-on-fisa-bill/) Roll Call: A vote that would have reauthorized the Foreign Intelligence Surveillance Act, the basis of the U.S. spying laws that allow the NSA to collect vast amounts of web and phone data, was scrapped this week after the president threatened to veto (https://arstechnica.com/tech-policy/2020/05/in-surprise-tweet-trump-urges-republicans-to-vote-against-spying-bill/) the bill. Last week’s Senate amendment, which failed but would have compelled authorities to obtain a warrant before accessing web browsing and search data, was taken up by the House as the Lofgren-Davidson amendment. But Rep. Adam Schiff weakened (https://twitter.com/danielschuman/status/1265622310620401664?s=21) the language, effectively killing the amendment once its backers pulled their support for the weakened version. In the end, the FISA bill never made it to a vote, and it’s not immediately clear when another vote will be held. More: Washington Post ($) (https://www.washingtonpost.com/national-security/privacy-and-civil-liberties-board-will-review-surveillance-law-that-has-vexed-trump/2020/05/27/65864df8-a02d-11ea-9590-1858a893bd59_story.html) | CNET (https://www.cnet.com/news/government-surveillance-bill-pulled-after-trump-veto-threat-privacy-conflicts/) | Ars Technica (https://arstechnica.com/tech-policy/2020/05/in-surprise-tweet-trump-urges-republicans-to-vote-against-spying-bill/) | @danielschuman (https://twitter.com/danielschuman/status/1265622310620401664?s=21) | @dellcam (https://twitter.com/dellcam/status/1265448593550462976?s=21)
Russian hackers are exploiting a bug that gives control of U.S. servers (https://arstechnica.com/information-technology/2020/05/russian-hackers-are-exploiting-bug-that-gives-control-of-us-servers/) Ars Technica: The notorious Sandworm hacker group (https://www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/) , linked to power outages in Ukraine and other major cyberattacks, is actively exploiting a security flaw in efforts to break into computers run by the U.S. government. The hackers are exploiting a bug in Exim, an open-source mail transfer agent for Unix-like operating systems. The flaw, CVE-2019-10149, affects upstream Exim 4.87 through 4.91 and was fixed in 4.92: a crafted ${run{...}} expansion placed in an SMTP envelope address is executed as root on the mail server, so a single message can hand an attacker full control of the host. NSA said in an advisory [PDF] (https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf) that Sandworm has been launching these attacks since at least August 2019. The advisory was meant to warn both businesses and government agencies, but also as an effort (https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/) to “name and shame” the Sandworm hackers. If you run Exim, check the version and look back through the mail logs for expansion strings in sender or recipient addresses. More: Wired ($) (https://www.wired.com/story/nsa-sandworm-exim-mail-server-warning/) | ZDNet (https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/)
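The two checks an Exim admin would want after reading the NSA advisory, written here as an added example rather than anything from the advisory, Ars, or the Exim project: is the installed upstream version in the CVE-2019-10149 range (4.87 through 4.91), and do the mail logs contain a ${run{...}} expansion in an envelope address? The `exim -bV` output and the three mainlog-style lines are constructed for the example; the `SAMPLE_LOG` lines are not from any real incident.

```python
import re

# CVE-2019-10149: a crafted local part such as ${run{...}} in an SMTP envelope
# address is string-expanded by Exim at delivery time, running the embedded
# command as root. Upstream Exim 4.87 through 4.91 are affected; 4.92 fixed it.
VULNERABLE_MIN = (4, 87)
VULNERABLE_MAX = (4, 91)

# Exim's "${run{command}}" expansion item, allowing for stray whitespace.
RUN_EXPANSION = re.compile(r"\$\{\s*run\s*\{")


def exim_version(bv_output):
    """Extract (major, minor) from `exim -bV` output such as
    'Exim version 4.91 #1 built 12-Jun-2018 ...'; None if not found."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_in_vulnerable_range(version):
    """True when the upstream version falls in 4.87..4.91.
    Caveat: distributions such as Debian backport the fix without changing
    this number, so confirm against the package changelog before calling a
    host vulnerable on version alone."""
    return version is not None and VULNERABLE_MIN <= version <= VULNERABLE_MAX


def find_expansion_attempts(log_lines):
    """Return (line_number, line) for every log line carrying a ${run{ expansion,
    whichever envelope field it appeared in and whether or not Exim accepted
    the message. A hit is an exploitation attempt, not proof of success."""
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if RUN_EXPANSION.search(line)]


# Constructed sample: three mainlog-style lines (not from a real incident).
# Line 2 is the indicator: a ${run{...}} local part in the sender address.
SAMPLE_LOG = [
    "2020-05-28 10:15:02 1jeSxv-0004Qb-8G <= alice@example.org H=mail.example.org [192.0.2.5] P=esmtp S=1042",
    "2020-05-28 10:15:31 1jeSyN-0004Qk-2v <= ${run{/usr/bin/touch /tmp/expansion-test}}@localhost H=(scanner) [203.0.113.9] P=esmtp S=512",
    "2020-05-28 10:16:04 H=(scanner) [203.0.113.9] rejected RCPT <bob@example.org>: relay not permitted",
]

if __name__ == "__main__":
    # Constructed `exim -bV` output; on a real host use subprocess to run it.
    ver = exim_version("Exim version 4.91 #1 built 12-Jun-2018 18:03:41")
    print("version", ver, "in vulnerable range:", version_in_vulnerable_range(ver))
    for n, line in find_expansion_attempts(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

On a live host, feed `exim -bV` to `exim_version` and the contents of /var/log/exim4/mainlog and rejectlog (paths vary by distribution) to `find_expansion_attempts`; a hit in an accepted message (`<=` line) on a version in range deserves a full compromise investigation, since the command ran as root.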
‘Turla’ spies have been stealing documents from foreign ministries in Eastern Europe (https://www.cyberscoop.com/turla-espionage-russia-eset-eastern-europe/) Cyberscoop: New research this week shows another Russian hacking group, Turla, is building custom malware to achieve “long-term persistence in their target’s network,” according to ESET (https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/) . The attacks started two years ago, targeting ministries in Eastern Europe, using booby-trapped PDF and Word documents. Interestingly, the malware uses the Gmail web interface as its command and control channel, fetching commands and exfiltrating data through an ordinary mailbox, so its traffic blends in with normal web mail and the group needs no attacker-registered domain that defenders could block or sinkhole. More: ESET (https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/)
Arkansas calls the person who discovered a breach a criminal (https://arktimes.com/arkansas-blog/2020/05/18/governor-shooting-the-messenger-wrong-tact-in-arkansas-pua-data-breach-experts-say) Arkansas Times: So, this happened. Arkansas’ unemployment assistance website had a bug that was exposing Social Security and bank account numbers. A computer programmer found the bug and got in touch with a reporter, who flagged the issue to the state’s governor’s office. So far so good — I’ve done this countless times before. Fix the bug, job done. But that’s where things got messy: the governor’s office called the person who found the breach a criminal, claiming the website had been “exploited.” The governor called in the FBI to investigate. Cue the reporter’s (rightfully) critical article (https://arktimes.com/arkansas-blog/2020/05/18/governor-shooting-the-messenger-wrong-tact-in-arkansas-pua-data-breach-experts-say) on the matter. Another day, another good-faith researcher facing the backlash of a confused and reactive politician. More: Techdirt (https://www.techdirt.com/articles/20200522/08170444554/arkansas-cant-secure-financial-assistance-site-so-governor-decides-to-call-person-discovering-breach-criminal.shtml) | @Andrew_Morris tweets (https://twitter.com/Andrew___Morris/status/1262545006696583169)
A massive database of 8 billion Thai internet records leaks (https://techcrunch.com/2020/05/24/thai-billions-internet-records-leak/) TechCrunch: Thailand’s largest cell network, AIS, pulled a database offline that was spilling billions of real-time internet records on millions of its customers. These records, including DNS query logs and NetFlow data, can “quickly paint a picture” of what an internet user does, even without the content of the traffic. It’s particularly egregious in Thailand, where web censorship and surveillance are through the roof. @xxdesmus (https://twitter.com/xxdesmus) found the exposed data. Between us, it took about a week to get the database pulled offline — and another few days for the ISP to respond. (Disclosure: I wrote this story.) More: Rainbow Tables (https://rainbowtabl.es/2020/05/25/thai-database-leaks-internet-records/)
DHS wants access to 300 million more facial recognition photos (https://onezero.medium.com/the-dhs-is-working-to-access-300-million-more-facial-recognition-photos-eef02e3ccb4b) OneZero: U.S. Homeland Security is linking its facial recognition database to the FBI, the Department of Defense, and the Department of State, which will give DHS staff vast access to other departments’ facial recognition databases. That will help DHS access records on more passport and visa holders, and correlate names against those who have fallen into the criminal justice system. DHS already holds biometric data on 250 million people from border crossings. But State and the FBI have much bigger databases, and DHS wants in. More: FCW (https://fcw.com/articles/2020/05/27/ice-facial-recognition-privacy.aspx) | @davegershgorn tweets (https://twitter.com/davegershgorn/status/1266367327806816256) ~ ~
** SUPPORT THIS NEWSLETTER
Thanks to everyone who reads and subscribes to this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for perks (https://www.patreon.com/posts/mugs-are-on-way-32666051) ), it helps to keep the newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) here. ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Feds arrest member of Fin7, a group tied to $1 billion worth of hacks (https://www.vice.com/en_us/article/qj488m/feds-arrest-fin7-member-denys-iarmak) Motherboard: U.S. authorities have arrested a Ukrainian national, Denys Iarmak, an alleged member of the Fin7 hacking group (https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html) , accused of breaking into systems belonging to Chipotle, Whole Foods, Trump Hotels, and more. The group is a prolific credit card thief, taking as much as $1 billion in illicit revenue since it first emerged on the hacking scene. Despite the indictment, Fin7 remains “incredibly active,” according to one of the FBI agents who wrote the Iarmak complaint.
Dangerous SHA-1 crypto function will die in SSH linking millions of computers (https://arstechnica.com/information-technology/2020/05/dangerous-sha-1-crypto-function-is-about-to-die-in-ssh/) Ars Technica: The developers of two open-source SSH implementations, OpenSSH and libssh, used by millions of computers to create encrypted connections to each other, are finally retiring the SHA-1 hashing algorithm, months after researchers showed it was possible (https://arstechnica.com/information-technology/2020/01/pgp-keys-software-security-and-much-more-threatened-by-new-sha1-exploit/) to create a chosen-prefix “collision” for as little as $45,000. In other words, an attacker willing to spend that amount could forge a SHA-1-based signature and impersonate a target, rendering the algorithm useless for authentication. What is being retired is the ssh-rsa signature scheme (RSA signatures over SHA-1), not RSA keys themselves: the same keys keep working with the rsa-sha2-256 and rsa-sha2-512 schemes that OpenSSH has supported since version 7.2. The move away from SHA-1 is late, but better now than never.
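To see where SHA-1 still sits in your own SSH deployments before the defaults change, here is an added example (mine, not code from Ars, OpenSSH or libssh) that takes the algorithm lists a server advertises in its KEXINIT, which you can read off `ssh -vv host` or nmap’s ssh2-enum-algos script, flags every entry that depends on SHA-1, and emits the sshd_config lines that drop them. It assumes OpenSSH 7.5 or later, which accepts the “-” prefix for removing entries from the default lists, and uses the pre-8.5 keyword name PubkeyAcceptedKeyTypes (8.5 renamed it PubkeyAcceptedAlgorithms but still accepts the old name). `SAMPLE_PROPOSAL` is constructed, not captured from a real host.

```python
import re

# Signature schemes that hash with SHA-1: RSA/SHA-1 ("ssh-rsa") and DSA, which
# is SHA-1 only. RSA keys remain fine under rsa-sha2-256 / rsa-sha2-512.
SHA1_SIGNATURE_SCHEMES = {
    "ssh-rsa", "ssh-rsa-cert-v01@openssh.com",
    "ssh-dss", "ssh-dss-cert-v01@openssh.com",
}
# SHA-1 key exchanges (e.g. diffie-hellman-group14-sha1) and MACs
# (hmac-sha1, hmac-sha1-96, and their -etm@openssh.com variants).
SHA1_SUFFIX = re.compile(r"sha1(-96)?(-etm@openssh\.com)?$")

# sshd_config keyword governing each KEXINIT list.
DIRECTIVES = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms", "mac": "MACs"}


def uses_sha1(algo):
    """True when the algorithm's security rests on SHA-1."""
    return algo in SHA1_SIGNATURE_SCHEMES or SHA1_SUFFIX.search(algo) is not None


def audit(proposal):
    """proposal: {"kex": [...], "hostkey": [...], "mac": [...]} as the server
    advertises them. Returns the SHA-1-dependent entries of each list, in the
    server's own preference order."""
    return {kind: [a for a in algos if uses_sha1(a)] for kind, algos in proposal.items()}


def sshd_config_lines(findings):
    """sshd_config lines that remove the findings from the compiled-in defaults
    using the '-' prefix (OpenSSH 7.5+). Host-key signatures and user
    public-key signatures share scheme names but are separate keywords, so an
    ssh-rsa finding produces a PubkeyAcceptedKeyTypes line as well."""
    lines = [f"{DIRECTIVES[kind]} -{','.join(algos)}"
             for kind, algos in findings.items() if algos]
    weak_sigs = [a for a in findings.get("hostkey", []) if a in SHA1_SIGNATURE_SCHEMES]
    if weak_sigs:
        lines.append("PubkeyAcceptedKeyTypes -" + ",".join(weak_sigs))
    return lines


# Constructed sample proposal resembling a 2020-era default server; not a real host.
SAMPLE_PROPOSAL = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1", "diffie-hellman-group16-sha512"],
    "hostkey": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa",
                "ecdsa-sha2-nistp256", "ssh-ed25519"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha1", "hmac-sha1-etm@openssh.com"],
}

if __name__ == "__main__":
    findings = audit(SAMPLE_PROPOSAL)
    for kind, algos in findings.items():
        print(f"{kind}: {', '.join(algos) or 'clean'}")
    print("\n".join(sshd_config_lines(findings)))
```

Before deploying the generated lines, confirm with `sshd -T | grep -i -e kex -e hostkey -e macs -e pubkey` that the effective lists no longer contain the flagged names, and check that no old client or automation still signs with ssh-rsa only; such clients need an update, not a different key.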
Zoom plans to roll out strong encryption for paying customers (https://www.reuters.com/article/us-zoom-encryption-exclusive/exclusive-zoom-plans-to-roll-out-strong-encryption-for-paying-customers-only-idUSKBN23600L) Reuters: Two steps forward, one step back with Zoom. Just when you thought things were on the up for Zoom after its calamitous few weeks (https://nymag.com/intelligencer/2020/04/the-zoom-app-has-a-lot-of-security-problems.html) during the pandemic, it gained ground by promising to invest in actual end-to-end encryption. Now it seems, per Reuters, that only paid customers will get the end-to-end encryption features. @alexstamos (https://twitter.com/alexstamos) said, though, the plan was subject to change. Meanwhile, @micahflee (https://twitter.com/micahflee) reviewed Zoom’s new end-to-end encryption protocol and walked through it in a tweet thread (https://twitter.com/micahflee/status/1265407886999482368) . It seems like the new encryption will work well — but it’s just a shame that you may have to pay to use it (for now). ~ ~
** OTHER NEWSY NUGGETS
ACLU sues Clearview AI over privacy “nightmare scenario” (https://www.nytimes.com/2020/05/28/technology/clearview-ai-privacy-lawsuit.html) The New York Times ($) (https://www.nytimes.com/2020/05/28/technology/clearview-ai-privacy-lawsuit.html) reports that the ACLU is suing controversial surveillance startup Clearview AI in Illinois for collecting facial biometric data without permission. The ACLU says that’s a violation of Illinois’ biometric privacy law, which stung Facebook only a few weeks earlier to the tune of $550 million (https://techcrunch.com/2020/01/29/facebook-will-pay-550-million-to-settle-class-action-lawsuit-over-privacy-violations/) .
Qatar’s mandatory contact tracing app fixes major security flaw (https://www.amnestyusa.org/press-releases/contact-tracing-app-security-flaw-exposed-sensitive-personal-details-of-more-than-one-million/) Amnesty International found a critical vulnerability in Qatar’s mandatory Ehteraz contact-tracing app which, had it not been reported and fixed, could have allowed attackers access to highly sensitive data, “including the name, national ID, health status and location data of more than one million users.” The bug allowed the researchers to pull users’ data straight from the server, which had no access controls in place to protect it. ~ ~
** THE HAPPY CORNER
Ars Technica’s @dangoodin001 (https://twitter.com/dangoodin001?lang=en) did a deep-dive (https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/) looking at two-factor authentication apps. You might not think there’s much of a decision, but there is! Which apps let you back up your seeds? Which apps restore your two-factor accounts if you lose your phone? Goodin breaks it down in detail.
And, especially for the reporters and threat intel workers out there, a new web tool lets you open photos, strip their metadata, and blur parts of them, all inside the browser, so the photo never leaves your device. You can find the tool here (https://everestpipkin.github.io/image-scrubber/) . It’s really easy to use, and works on your phone. A big thanks to @everestpipkin (https://twitter.com/everestpipkin) for making this! If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Tippi, who likes to help out by generating secure random passwords — even if that means rolling around on his human’s keyboard. Thanks to @gl0ck (https://twitter.com/gl0ck) for the submission! Please keep sending in your cyber cats! You can email them in here (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
And I’m out. Thanks for reading (as always). The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open for feedback. Stay safe out there. See you next week.