this week in security — may 5 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 17.
** THIS WEEK, TL;DR
A Hacker Is Wiping Git Repos And Demanding A Ransom (https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/) ZDNet: Looks like developers can’t catch a break. Last week, hackers breached Docker Hub (https://motherboard.vice.com/en_us/article/7xgbzb/docker-hub-breach-hackers-stole-private-keys-tokens) , and this week a hacker is breaking into Git repos, wiping their contents and holding the code for ransom. GitHub, GitLab, and Bitbucket users are affected. GitLab’s director of security said exposed Git config files, with account credentials stored in them in plaintext, are being exploited to get in. So far, it looks like only one person (https://www.blockchain.com/btc/address/1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA) paid the ransom. More: GitLab (https://about.gitlab.com/2019/05/03/suspicious-git-activity-security-update/) | Motherboard (https://motherboard.vice.com/en_us/article/vb9v33/github-bitbucket-repositories-ransomware)
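The Git config angle is worth a check of your own. The script below is an added example, not code from the newsletter, GitLab or any of the linked stories. It parses a .git/config in the plain git-config syntax and flags the three places credentials commonly end up: a password or token embedded in a remote URL, "credential.helper = store" (which keeps plaintext credentials in ~/.git-credentials), and an "http.extraHeader" carrying an Authorization header. The config text is a constructed sample with a fake token and a fake header value; the key names and file layout are real git-config syntax, and secrets are redacted in the output so the report itself does not leak them.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config for the demo. The token and the header value
# are fake; the structure is what git writes for a cloned repo plus two
# risky settings people add by hand.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://alice:fake-token-0123@github.com/alice/private-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.com:alice/private-app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[credential]
\thelper = store
[http]
\textraHeader = Authorization: Basic YWxpY2U6ZmFrZS1wYXNzd29yZA==
"""

# [section] or [section "subsection"] header; key = value (bare key means true).
_SECTION_RE = re.compile(r'^\[([^\]\s"]+)(?:\s+"([^"]*)")?\]$')
_KEYVAL_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text):
    """Return (section, subsection, key, value) tuples from git-config text.

    Section names and keys are case-insensitive in git and are lowered here;
    subsection names and values are case-sensitive and kept as written.
    Comment lines starting with '#' or ';' are skipped. Inline comments and
    multi-line values are not handled, which is fine for files git itself writes.
    """
    entries = []
    section = subsection = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        m = _KEYVAL_RE.match(line)
        if m and section is not None:
            value = m.group(2)
            value = "true" if value is None else value.strip()
            entries.append((section, subsection, m.group(1).lower(), value))
    return entries


def redact_userinfo(url):
    """Replace the user:password part of a URL with '***' for safe reporting."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return parts._replace(netloc=f"***@{host}").geturl()


def find_credential_exposure(config_text):
    """Flag settings that put reusable credentials into the repo's config."""
    findings = []
    for section, sub, key, value in parse_git_config(config_text):
        # Only URL-style remotes can carry userinfo; scp-like git@host:path cannot.
        if section == "remote" and key in ("url", "pushurl") and "://" in value:
            parts = urlsplit(value)
            if parts.password is not None:
                findings.append(f'remote "{sub}" {key} embeds a password: {redact_userinfo(value)}')
            elif parts.username is not None:
                findings.append(f'remote "{sub}" {key} embeds a username, possibly a token: {redact_userinfo(value)}')
        elif section == "credential" and key == "helper" and value.split()[:1] == ["store"]:
            findings.append("credential.helper = store: plaintext credentials in ~/.git-credentials")
        elif section == "http" and key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append(f"http.extraHeader ({sub or 'all hosts'}) carries an Authorization header (value redacted)")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in find_credential_exposure(text):
        print("FINDING:", finding)
```

Run it against a real repo with "python3 check_git_config.py path/to/.git/config". Any hit is worth fixing before the repo is deployed anywhere a web server might serve the .git directory; the SSH remote in the sample is deliberately left unflagged, since key-based access keeps the secret out of the config file.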
Denial Of Service Condition Caused Power Company Disruption (https://www.eenews.net/stories/1060254751) E&E News: @BlakeSobczak (https://twitter.com/BlakeSobczak) with the scoop: an energy company providing power to the western U.S. told the Dept. of Energy that it experienced a “cyber event” that disrupted its operations for more than ten hours. There was no disruption to the power grid and no power outages as a result, however. @kimzetter (https://twitter.com/KimZetter/status/1124048485999882241) made a good point — this is a denial of service condition and not necessarily an attack. Exactly what caused the condition remains unknown. More: TechCrunch (https://techcrunch.com/2019/05/02/ddos-attack-california-energy/)
NSA ‘Unmaskings’ of U.S. Identities Soared Last Year (https://www.nytimes.com/2019/04/30/us/politics/nsa-unmaskings-surveillance-report.html) New York Times ($): The government’s annual surveillance transparency report is out (https://int.nyt.com/data/documenthelper/786-odni-surveillance-transparency/e2f71410b93f094208d1/optimized/full.pdf#page=1) . In short, the number of warrantless search queries of the contents of Americans’ calls, text messages, emails and other communications went up by 28% last year to 9,637 searches, but the number of domestic phone records collected went down from 534 million phone records to 434 million records. The Times also digs into (https://www.nytimes.com/2019/04/30/us/politics/nsa-unmaskings-surveillance-report.html) so-called unmaskings, where U.S. officials reveal the names of Americans whose data was collected by the NSA. The number spiked, rising 75 percent. More: Washington Post ($) (https://www.washingtonpost.com/world/national-security/nsa-unmasked-more-us-identities-likely-to-warn-victims-of-foreign-spying-new-report-suggests/2019/04/30/35739e80-6b50-11e9-9d56-1c0cf2c7ac04_story.html?utm_term=.ef1d26f8e5cc) | Cyberscoop (https://www.cyberscoop.com/nsa-unmasked-u-s-entities-caught-foreign-cyber-espionage-efforts-last-year/)
Ransomware Exploits Oracle Zero-Day, No Clicking Required (https://arstechnica.com/information-technology/2019/04/zeroday-attackers-deliver-a-double-dose-of-ransomware-no-clicking-required/) Ars Technica: If you thought drive-by ransomware was a thing of the past, think again. @dangoodin001 (https://twitter.com/dangoodin001) reports that an Oracle WebLogic vulnerability, tracked as CVE-2019-2725, is under active attack. Oracle has since released an out-of-band patch, but attackers were exploiting the bug before it was available to deliver Sodinokibi ransomware, locking down critical systems until the victim pays up. If you run WebLogic, patch now. Researchers at Cisco Talos have more (https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html) . More: Cisco Talos (https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html) | SANS ISC blog post (https://isc.sans.edu/forums/diary/Update+about+Weblogic+CVE20192725+Exploits+Used+in+the+Wild+Patch+Status/24890/)
ACLU: Border Agents Violate Constitution In Searching Electronic Devices (https://www.npr.org/2019/05/02/719337356/aclu-border-agents-violate-constitution-when-they-search-electronic-devices) NPR: A new filing by the ACLU and EFF this week said border authorities are given wide-ranging powers by Homeland Security to search the electronics of visitors and Americans at the border without a warrant — which, they say, is unconstitutional. Two of the plaintiffs are journalists and one is a NASA employee (https://www.theverge.com/2017/2/12/14583124/nasa-sidd-bikkannavar-detained-cbp-phone-search-trump-travel-ban) — who works for the government! The ACLU wants the government to get a probable cause warrant, as is required everywhere else in the U.S. More: TechCrunch (https://techcrunch.com/2019/04/30/unconstitutional-searches-border/) | ACLU (https://www.aclu.org/blog/privacy-technology/privacy-borders-and-checkpoints/we-got-us-border-officials-testify-under)
Dell PCs Vulnerable To Remote Hijacks (https://www.zdnet.com/article/dell-laptops-and-computers-vulnerable-to-remote-hijacks/) ZDNet: A 17-year-old security researcher found a bug in Dell’s SupportAssist utility which, if exploited, would let a remote attacker execute code with administrative privileges — opening the door to complete system compromise. A simple snippet of malicious JavaScript on a webpage can trigger the bug, with no user interaction beyond loading the page. Dell fixed the vulnerability in an updated SupportAssist, so update it or, better, remove it. If there’s ever been a reason to get rid of bloatware, this is it (especially after the recent Asus supply chain attack (https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers) ). More: Bill Demirkapi (https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/) | Background: Motherboard (https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers)
U.K. Tax Authority Forced To Delete Five Million Voice Biometrics (https://www.bbc.com/news/business-48150575#) BBC News: The U.K.’s Revenue and Customs (HMRC) had to delete five million voice prints that it used to authenticate callers because it had not obtained explicit consent from taxpayers. The tax authority was accused of creating biometric records “by the back door,” and the U.K.’s privacy watchdog called it a “significant breach” of data protection laws. But the system will continue on, according to a letter (https://www.gov.uk/government/publications/letter-from-sir-jonathan-thompson-to-hmrcs-data-protection-officer) from HMRC’s data protection officer. The system itself is weak; the BBC showed years ago that it can be easily spoofed (https://www.bbc.com/news/technology-39965545) . More: U.K. government (https://www.gov.uk/government/publications/letter-from-sir-jonathan-thompson-to-hmrcs-data-protection-officer) | Archive: BBC News (https://www.bbc.com/news/technology-39965545)
Twitch Streamers Take Security Into Their Own Hands (https://techcrunch.com/2019/04/30/twitch-account-hacks/) TechCrunch: Twitch streamers have been plagued with account hijacks in recent months. @Jaku (https://twitter.com/Jaku) and @J0hnnyXm4s (https://twitter.com/J0hnnyXm4s) say Russian-language bots are behind the automated efforts to log in to accounts, promote streamer accounts and cash in as part of a complicated but effective pump-and-dump scheme. But Twitch clearly doesn’t give a hoot — providing no comment by the time of publication. Jaku and Xmas want Twitch to do more to promote two-factor, which would all but kill the bots’ automated logins. (Disclosure: I wrote this story.) More: Russian bot report (https://medium.com/@johnnyxmas/report-monetization-of-compromised-twitch-accounts-1355f301e843) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Why every privacy activist should embrace DNS-over-HTTPS (https://medium.com/@alecmuffett/why-every-privacy-activist-should-embrace-dns-over-https-a361e727657f) Medium: A great short read by @alecmuffett (https://twitter.com/alecmuffett/status/1122082064218644480?s=21) who wrote and tweeted about why DNS-over-HTTPS (or DoH) is important — even if that means handing control to Cloudflare or Google for a short time. It’s especially important for those in the U.K., for one, whose DNS records can be searched (https://nakedsecurity.sophos.com/2019/04/24/dns-over-https-is-coming-whether-isps-and-governments-like-it-or-not/) by police.
Citrix hackers went undetected for six months (https://techcrunch.com/2019/04/30/citrix-internal-network-breach/) TechCrunch: Hackers who broke into Citrix’s internal network were there for six months before anyone noticed, the company confirmed in a letter (http://www.documentcloud.org/documents/5983600-Citrix-letter-to-California-attorney-general.html) to California’s attorney general. Citrix confirmed the “business documents” stolen included files on current and former employees, and contained names, Social Security numbers and other financial data. It’s not a good look for a security software company that clearly doesn’t use two-factor authentication. (Note: I also wrote this story.)
Facebook bug leaked location data on marketplace sellers (https://www.7elements.co.uk/resources/blog/facebooks-burglary-shopping-list/) 7Elements: This was a great finding: researchers said they could obtain the real-world geolocation data of sellers on Facebook’s Marketplace. That could’ve made it easy for thieves to know exactly where items for sale are located. Facebook rejected the findings because of course it did.
Bloomberg screws up another backdoor spying story (https://www.theregister.co.uk/2019/04/30/huawei_enterprise_router_backdoor_is_telnet/) The Register: I know this sparked some heated words on Twitter this week — but it’s worth explaining. Bloomberg, after its dismal spy chip story (https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/) , claimed Vodafone found a backdoor in Huawei’s equipment. Turns out it was a Telnet debug interface, which Vodafone later played down, saying it was fixed years ago and wasn’t accessible from the internet. “This was nothing more than a failure to remove a diagnostic function after development,” said the phone giant. The Register digs into the reporting (https://www.theregister.co.uk/2019/04/30/huawei_enterprise_router_backdoor_is_telnet/) and why Bloomberg missed the mark. Not everyone agreed — sure. We get it, Huawei probably poses a risk, but clearly so does Bloomberg’s reporting.
How some ads think they know you (https://www.nytimes.com/interactive/2019/04/30/opinion/privacy-targeted-advertising.html) New York Times ($): Part of The Times’ ongoing privacy reporting effort, the newspaper digs into how ads think they know you. It’s an interesting and in-depth look at how targeted ads work. Actually, it’s more revealing than you might think. ~ ~
** OTHER NEWSY NUGGETS
Palo Alto researchers dig into leaked OilRig data (https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/) Cast your mind back a couple of weeks, when an unnamed hacker was leaking (https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/) the internal tooling and data of OilRig, an Iranian hacking group. Now, Palo Alto Networks’ researchers have dug into the data dump and found credentials, backdoors, webshells and more. Their research sheds light on how the group operates and where it has been active.
Electrum DDoS botnet is rapidly growing in size (https://blog.malwarebytes.com/cybercrime/2019/04/electrum-ddos-botnet-reaches-152000-infected-hosts/) The Electrum DDoS botnet now counts 152,000 infected hosts across the world and is growing at a rapid rate. The botnet floods legitimate Electrum servers so that wallets fall back to attacker-controlled ones, which push a malicious “update” that steals funds; the campaign has netted some $4.6 million to date. Malwarebytes has more (https://blog.malwarebytes.com/cybercrime/2019/04/electrum-ddos-botnet-reaches-152000-infected-hosts/) — and a deeper dive (https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/) into how the botnet is targeting Electrum cryptocurrency wallets.
Hackers steal data on some of the world’s biggest companies (https://motherboard.vice.com/en_us/article/d3np4y/hackers-steal-ransom-citycomp-airbus-volkswagen-oracle-valuable-companies) Citycomp, an IT infrastructure provider, was hacked and dozens of its customers, including Oracle, Airbus, Toshiba, and Volkswagen, had data stolen. That data has been put up for sale on a dark web .onion site. It’s still early days, but this’ll definitely be a story to watch. At the very least, it’s an embarrassing breach that once again highlights the risk a single compromised supplier poses to everyone downstream of it.
U.K. plans IoT security law (https://www.bbc.com/news/technology-48106582) Good non-Brexit news! The U.K. is looking to follow in the footsteps of California (https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327) , whose SB-327 set rules governing the security of connected devices sold in the state. The U.K. wants to ensure that internet-connected devices don’t ship with default passwords and come with a stated minimum period of security updates. @theKenMunroShow (https://twitter.com/theKenMunroShow) praised the effort in a blog post (https://www.pentestpartners.com/security-blog/uk-government-gets-serious-about-consumer-iot-security-legislation-on-the-way/) .
Hacker takes over dozens of IoT botnets (https://www.zdnet.com/article/hacker-takes-over-29-iot-botnets/) This is what I call “Good Samaritan security”: in the past few weeks, a white-hat hacker has taken over 29 botnets, using dictionary attacks with weak and common credentials to break into their command and control infrastructure and shut them down. In all, the 29 botnets accounted for only 25,000 bots, but that’s still 25,000 bots off the internet streets. Security researcher Ankit Anubhav published an interview (https://www.ankitanubhav.info/post/c2bruting) with the hacker. ~ ~
** THE HAPPY CORNER
My favorite bit of the week: sharing some of the best of security.
This week, @emmataylorwords (https://twitter.com/emmataylorwords/status/1123840010711707651) had a really interesting tweet thread about how the Enigma code was cracked. (And it’s so much more interesting than the story you think you know.) It’s something like 30 tweets, so settle in. It’s well worth the read.
A few weeks ago I mentioned the IoT Inspector, a tool built by Princeton researchers (https://techcrunch.com/2019/04/13/spy-on-your-smart-home-with-this-open-source-research-tool/) , which lets you see exactly what’s going on in your internet-connected smart home. It was only available for macOS, but good news: it’s now available for Linux. Granted, there’s no Windows version yet but at least now you don’t have to buy a Mac just to run the damn thing. Thanks to @originalesushi (https://twitter.com/originalesushi/status/1124335593327071232) for spotting.
And lastly, in honor of World Password Day — which, look, we all know is a joke and basically a Hallmark holiday for infosec — @1Password (https://twitter.com/1Password) is giving all reporters a free subscription to its password manager. That’s awesome! 1Password, don’t forget, already integrates (https://blog.1password.com/finding-pwned-passwords-with-1password/) Have I Been Pwned’s Pwned Passwords check, and does it with a k-anonymity range query so the password itself never leaves your device. Just submit your work email (https://blog.1password.com/world-press-freedom-day-1password-journalism/) and you’ll get in. If you’re not using a password manager, now’s your chance. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) . ~ ~
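For anyone curious how a password manager can check a password against Have I Been Pwned without sending it anywhere, here is the k-anonymity range query in working form. This is an added example, not 1Password’s code or HIBP’s: the client SHA-1 hashes the password, sends only the first five hex characters to the range endpoint (https://api.pwnedpasswords.com/range/<prefix>, which is the real URL), and matches the remaining 35 characters locally against the hundreds of suffixes that come back. The range response below is constructed for the demo; the suffix is the real SHA-1 tail of the string "password", but the counts are made up and not HIBP’s figures. The live fetcher is included for completeness and is not used by the offline check.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint; only a 5-hex-char prefix is ever sent to it.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form HIBP's range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix). The prefix (5 chars) is all that leaves the
    client; the suffix (35 chars) is compared locally against the response."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range response, one 'SUFFIX:COUNT' per line, and return the
    breach count for the caller's suffix, or 0 when it is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """Run the full k-anonymity check with a pluggable range fetcher."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Fetch the real range from HIBP (needs network; HIBP requires a User-Agent)."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response. The first suffix is the genuine
# SHA-1 tail of "password"; both counts are invented for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FDA:2\r\n"
    ),
}


def fetch_range_constructed(prefix):
    """Offline fetcher: returns the constructed response or an empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    hits = check_password("password", fetch_range_constructed)
    print(f"'password' appears {hits} times in the (constructed) range response")
```

Swap fetch_range_constructed for fetch_range_live to query the real service. The privacy property rests on the prefix alone: a five-character prefix covers roughly one in a million of all possible hashes, so the server learns which bucket you are in but not which of the several hundred entries in that bucket, if any, you were checking.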
** THIS WEEK’S CYBER CAT
This week’s cybercat is Mingming, who loves to snooze while dreaming up inventive ways to pop calc. Thanks to Mingming’s human @jowabels (https://twitter.com/@jowabels) for the submission! (You may need to enable images in this email.) Send in your cybercats! Drop me a note: submit your cybercats here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . ~ ~
** SUGGESTION BOX
That’s it for this week. Please send in your good news and cybercats! If you have any other thoughts, drop a note in the anonymous suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a great week — see you next Sunday. ~ ~