this week in security — november 10 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 43
~ ~
** THIS WEEK, TL;DR
Former Twitter employees charged with spying for Saudi Arabia (https://www.washingtonpost.com/national-security/former-twitter-employees-charged-with-spying-for-saudi-arabia-by-digging-into-the-accounts-of-kingdom-critics/2019/11/06/2e9593da-00a0-11ea-8bab-0fc209e065a8_story.html) Washington Post ($): Incredible reporting here. Four years ago, some Twitter users were told (https://www.vice.com/en_us/article/bmvxza/twitter-told-a-bunch-of-users-they-may-be-targets-of-a-state-sponsored-attack) their accounts were targeted by a “state” actor. Now we know why: two former Twitter employees were charged with spying on behalf of the Saudi kingdom on dissidents who used the platform. One of them was “accused of accessing the personal information of more than 6,000 Twitter accounts in 2015 on behalf of Saudi Arabia.” He’s said to have been one of “a limited group of trained and vetted employees” with access to sensitive account data, a reminder that insider access to support tooling is as much an attack surface as the public app. Saudi crown prince Mohammed bin Salman, who’s accused of ordering the murder of Saudi journalist Jamal Khashoggi last year, was also implicated in the court papers. More: NPR (https://www.npr.org/2019/11/06/777098293/2-former-twitter-employees-charged-with-spying-for-saudi-arabia) | @anthony (https://twitter.com/Anthony/status/1193277766902407173) | Middle East Eye (https://www.middleeasteye.net/news/exclusive-twitter-ceo-met-mbs-six-months-after-saudi-spy-discovered) | Background: Motherboard (https://www.vice.com/en_us/article/bmvxza/twitter-told-a-bunch-of-users-they-may-be-targets-of-a-state-sponsored-attack)
Researchers hack Siri, Alexa, and Google Home by shining lasers at them (https://arstechnica.com/information-technology/2019/11/researchers-hack-siri-alexa-and-google-home-by-shining-lasers-at-them/) Ars Technica: Well this is novel — turns out you can hack smart speakers with lasers. The devices’ microphones respond to modulated laser light as though it were sound, so an attacker with line of sight can inject voice commands from as far away as 360 feet. Even if commands are locked behind a PIN, the laser can be used to cycle through every combination. It’s an interesting attack, if a difficult one to carry out, but fun findings nonetheless. Forbes suggested (https://www.forbes.com/sites/thomasbrewster/2019/11/05/amazon-alexa-google-home-hacked-with-a-laser/#da39b1827d2c) that it might be wise to hide your Echo where it can’t be seen from outside, much as you’d keep your home router out of reach. More: Wired ($) (https://www.wired.com/story/lasers-hack-amazon-echo-google-home/) | Forbes (https://www.forbes.com/sites/thomasbrewster/2019/11/05/amazon-alexa-google-home-hacked-with-a-laser/#da39b1827d2c)
These machines can put you in jail. Don’t trust them (https://www.nytimes.com/2019/11/03/business/drunk-driving-breathalyzer.html) The New York Times ($): This is a story that is close to me. Two years ago I wrote about a defective breathalyzer (https://www.cbsnews.com/news/researchers-say-a-breathalyzer-has-flaws-casting-doubt-on-countless-convictions/) and its capacity to improperly prosecute those who drink and then drive. This week, the Times picked up the baton and ran with a new story about the human cost. It was an incredible follow-on about how unreliable they are. @TProphet (https://twitter.com/TProphet/status/1191421148354904065) , who was mentioned in both my story and the Times’, spoke out about the case. “We were subject to a gag order, and a Fortune 500 company had threatened to sue us,” he said. “Today, it’s on the front page and in the center spread of the New York Times.” More: CBS News (https://www.cbsnews.com/news/researchers-say-a-breathalyzer-has-flaws-casting-doubt-on-countless-convictions/) | @TProphet tweets (https://twitter.com/TProphet/status/1191421148354904065) | @zackwhittaker tweets (https://twitter.com/zackwhittaker/status/1191044534655844352)
Documents show how the U.S. military’s facial recognition system works (https://onezero.medium.com/exclusive-this-is-how-the-u-s-militarys-massive-facial-recognition-system-works-bb764291b96d) OneZero: A great scoop by OneZero: documents show how the U.S. military obtains biometric data from “anyone who has come in contact with the U.S. military abroad.” It’s been used to identify non-U.S. citizens on the battlefield thousands of times in the first half of this year alone. The databases have faced little scrutiny, despite holding some 7.4 million records and despite the fact that the database can be used for “lethality.” More: @davegershgorn tweets (https://twitter.com/davegershgorn/status/1192101055384952837)
Russia steps up efforts to shield its hackers from U.S. extradition (https://www.wsj.com/articles/russia-steps-up-efforts-to-shield-its-hackers-from-extradition-to-u-s-11572949802) Wall Street Journal ($): This look by @dnvolz (https://twitter.com/dnvolz) and @felschwartz (https://twitter.com/felschwartz) at how Russia protects its own hackers from extradition to the U.S., and the lengths it will go to in order to get its citizens back, is fascinating. “Russia has relied on a variety of techniques — whether leveraging the legal system or resorting to more coercive means, such as bribery — to pressure other countries to impede U.S. extradition efforts, current and former U.S. officials said.” Background: Wall Street Journal ($) (https://www.wsj.com/articles/indicted-yahoo-hackers-case-shows-pitfalls-of-extradition-efforts-11572949801?mod=article_inline)
Mozilla says ISPs lied to Congress about DNS-over-HTTPS (https://www.vice.com/en_us/article/zmj5p9/mozilla-firefox-asks-congress-to-investigate-internet-service-providers-data-selling-collection) Motherboard: Motherboard obtained a Comcast slideshow last month (https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data) detailing how the internet provider tried to lobby against DNS-over-HTTPS, which wraps DNS lookups in an ordinary HTTPS connection to the resolver so that an ISP sitting on the path can no longer read (or sell) the list of domain names a user looks up. Many say it will help protect users’ privacy. Now, Mozilla has fired back, saying Comcast lied to Congress and tried to spread disinformation about the technology. More: Ars Technica (https://arstechnica.com/tech-policy/2019/11/isps-lied-to-congress-to-spread-confusion-about-encrypted-dns-mozilla-says/)
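To make concrete what changes on the wire, here is an added example (not code from Mozilla, Firefox, or Comcast) that builds a DNS query in standard wire format and wraps it the two ways RFC 8484 allows: as a base64url `?dns=` parameter on a GET, and as an `application/dns-message` POST body. Over classic port-53 DNS those same bytes travel in the clear, so anyone on the path can decode the question; over DoH they are inside TLS and only the resolver sees them. The resolver hostname `doh.example` is a placeholder; real resolvers publish their own `/dns-query` endpoints.

```python
"""DNS-over-HTTPS (RFC 8484) query construction. Added example, not code from
Mozilla or Firefox. The resolver URL is a placeholder; real resolvers publish
their own /dns-query endpoints."""
import base64
import struct
from typing import Dict, Tuple

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "TXT": 16, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", txid: int = 0) -> bytes:
    """Build a standard recursive query in DNS wire format (RFC 1035).

    RFC 8484 recommends transaction ID 0 so that identical questions produce
    identical GET URLs that HTTP caches can serve.
    """
    # ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def doh_get_url(name: str, qtype: str = "A",
                resolver: str = "https://doh.example/dns-query") -> str:
    """GET form: the wire message goes in ?dns=, base64url with padding stripped."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def doh_post_request(name: str, qtype: str = "A") -> Tuple[Dict[str, str], bytes]:
    """POST form: the same bytes as the body, typed application/dns-message."""
    body = build_query(name, qtype)
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message",
               "Content-Length": str(len(body))}
    return headers, body


def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Decode the question section back out: this is what the resolver sees,
    and what an on-path observer of plain port-53 DNS sees too."""
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("Do53 sends these %d bytes in the clear:" % len(q), q.hex())
    print("DoH GET :", doh_get_url("www.example.com"))
    print("DoH POST:", doh_post_request("www.example.com")[0])
    print("question:", parse_question(q))
```

For `www.example.com` the GET form reproduces the `?dns=` value given in RFC 8484’s own example. Note what DoH does not hide: the resolver operator still sees every query, and the TLS handshake to the resolver is still visible, which is why the argument is really about who gets to be the resolver.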
Shadow Brokers data tipped researchers off to a mysterious hacker group (https://www.cyberscoop.com/darkuniverse-kaspersky-apt-shadow-brokers/) Cyberscoop: DarkUniverse, a mysterious APT group, has been uncovered after researchers found clues about the group in the data dump published by the Shadow Brokers, the equally elusive group whose 2017 dump of stolen NSA hacking tools led to the WannaCry ransomware outbreak. DarkUniverse is said to have breached “around” 20 victims, ranging from military agencies to private sector organizations like telecoms firms and medical institutions. More: SecureList (https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/)
An infamous neo-Nazi forum just got doxxed (https://www.vice.com/en_us/article/a359q8/an-infamous-neo-nazi-forum-just-got-doxxed) Motherboard: A massive cache of data from a defunct neo-Nazi forum exposed the logins, emails, and IP addresses of users on IronMarch, considered the birthplace of several militant organizations. It’s believed the data cache could help identify (https://www.theguardian.com/us-news/2019/nov/07/neo-nazi-site-iron-march-materials-leak) hundreds of extremists worldwide. Several members have been identified as serving military officers in Western countries. More: Bellingcat (https://www.bellingcat.com/resources/how-tos/2019/11/06/massive-white-supremacist-message-board-leak-how-to-access-and-interpret-the-data/) | @Jake_Hanrahan thread (https://twitter.com/Jake_Hanrahan/status/1192094120493359105?) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Here’s all the security stuff Microsoft announced at Ignite (https://www.microsoft.com/security/blog/2019/11/04/microsoft-announces-new-innovations-in-security-compliance-and-identity-at-ignite/) Microsoft: Microsoft’s annual IT conference Ignite kicked off this week, with the software giant announcing ten new security tools and services, including Azure Sentinel and Microsoft Compliance Score to name just a couple. @pwnallthethings (https://twitter.com/pwnallthethings/status/1192076260438106112) said it was part of Microsoft’s effort to “kill off low-hanging” security attacks.
Every U.S. national security leader is warning about election meddling (https://www.buzzfeednews.com/article/claudiakoerner/2020-election-meddling-warning-russia-china-iran) BuzzFeed News: A rare joint statement from the NSA, U.S. Cyber Command, Homeland Security, CISA and the FBI warned that U.S. foes — namely “Russia, China and Iran” — are gearing up to meddle in the 2020 presidential elections by seeking “to interfere in the voting process or influence voter perceptions.” It’s the strongest message yet that the election could see a repeat of the 2016 disinformation tactics.
Why is Signal a hit app with the NBA, NFL and NCAA? (https://sports.yahoo.com/why-has-the-ci-as-preferred-privacy-app-hit-the-nba-nfl-and-ncaa-061242791.html) Yahoo Sports: Here’s an interesting one: turns out the end-to-end encrypted messaging app Signal is a major hit in sports. “In an environment where tampering issues loom over professional sports and a widespread federal investigation still lingers over the NCAA landscape, the desire for privacy, encryption and even disappearing messages has increased.” Some are even using the auto-delete feature to avoid scrutiny by the sporting authorities.
Boeing allegedly threatened security researcher over her findings (https://www.csoonline.com/article/3451585/boeings-poor-information-security-posture-threatens-passenger-safety-national-security-researcher-s.html) CSO Online: Chris Kubecka (https://twitter.com/SecEvangelism) said Boeing tried to push her into signing an NDA — which she refused — over a talk (https://aviationcybersecurity2019.sched.com/event/NTOa/more-than-turbulence-aviation-software-vulnerabilities-exploitation) she was about to give this week. Her talk was to reveal Boeing’s poor infosec practices. The aviation giant couldn’t even get its vulnerability disclosure program working properly. “Boeing’s internet facing infrastructure, web applications and email systems in general do not appear to have undergone basic to generally accepted security testing,” Kubecka’s vulnerability report said. As @DAkacki (https://twitter.com/DAkacki/status/1193226886102605825) remarked, threatening security researchers is a “great way to amplify your own stupidity.”
Facebook says 100 developers had improper access to group data (https://arstechnica.com/tech-policy/2019/11/facebook-groups-api-flaw-exposed-data-to-100-developers-company-says/) Ars Technica: Facebook quietly published a blog post (https://developers.facebook.com/blog/post/2019/11/05/changes-groups-api-access/) this week without any fanfare, disclosing yet another data exposure — this time, 100 developers had access to an API that should’ve been shut off some time ago. Facebook said it would “ask” the developers to delete any data they may have collected. Sound familiar? That’s exactly what Facebook did with Cambridge Analytica — and they lied about it (https://www.theguardian.com/uk-news/2018/may/06/cambridge-analytica-kept-facebook-data-models-through-us-election) .
Google’s moonshot cybersecurity company Chronicle is dead (https://www.vice.com/en_us/article/9kej3e/chronicle-is-dead-and-google-killed-it) Motherboard: Remember Chronicle, the cybersecurity company spun out of Alphabet’s moonshot factory? Now it’s been rolled into Google Cloud, Motherboard reports. It came after an implosion at the company — bad management, high-profile departures, and a toxic work culture. This is a great deep-dive looking at how one of the internet’s most promising companies failed to take off. ~ ~
** WHILE YOU’RE HERE…
In just a year, this newsletter has doubled in readership to over 4,700 subscribers — and it’s rising by the day. This newsletter will always be free.
As costs increase, I’ve set up a Patreon (https://www.patreon.com/thisweekinsecurity) for anyone who wants to support this newsletter for as little as $1/month — or more for exclusive perks. Thanks for your continued support. ~ ~
** OTHER NEWSY NUGGETS
Inside the Microsoft team tracking the world’s most dangerous hackers ($) (https://www.technologyreview.com/s/614646/inside-the-microsoft-team-tracking-the-worlds-most-dangerous-hackers/) Microsoft’s threat intelligence center (MSTIC) tracks nation state hackers around the world. @howelloneill (https://twitter.com/howelloneill) looks at how the team works, who they’re tracking, and why. By getting ahead of the threats, the team can push out signatures that block attacks from spreading.
Browser bug is sending Firefox users into a tizzy (https://arstechnica.com/information-technology/2019/11/scammers-are-exploiting-an-unpatched-firefox-bug-to-send-users-into-a-panic/) “Tizzy.” A great word — and it perfectly describes this browser bug, which scammers are actively exploiting with their fake tech support pages. The scam pages abuse a bug in how Firefox handles website login prompts, which effectively freezes the page and makes it impossible to navigate away, so the victim is left staring at the scammer’s phone number. Mozilla said it’s actively working (https://bugzilla.mozilla.org/show_bug.cgi?id=1593795) on a fix.
Inside the FBI’s quiet ‘ransomware summit’ (https://www.cyberscoop.com/fbi-ransomware-summit/) The FBI’s closed-door “ransomware summit,” held in September, saw the FBI ask industry executives to “fill in some of the gaps” on ransomware threats. It’s part of the feds’ effort to do more about the growing threat, while knowing that “their ability to better investigate and prosecute ransomware cases hinges on the private sector sharing more data with them.”
Should we trust the Chinese social-media video app TikTok? (https://www.bbc.co.uk/news/technology-50319690) Normally I wouldn’t include something like this but it was really well done. BBC News (https://www.bbc.co.uk/news/technology-50319690) looks at the arguments for and against TikTok posing a “national security threat,” after last month lawmakers asked the U.S.’ top spy to investigate (https://techcrunch.com/2019/10/24/tiktok-lamakers-national-security-threat/) the app. It may just be a video app, but lawmakers think the platform — like its Western counterparts — could be used for spreading disinformation or be targeted by a foreign-influence campaign. Can’t fault the Beeb for explaining this stuff in an easy-to-understand way. ~ ~
** THE HAPPY CORNER
This week’s happy corner sees a new, very sweary data breach excuse site. Why The F**K Was I Breached (https://whythefuckwasibreached.com/) has a one-click data breach excuse generator for the hapless CISO who’s lost all their company’s data. My personal favorite is: “But we have since watched a YouTube video on cyber security, so it will never happen again.” Yes, there’s a lot of strong language.
Also this week: Yubico revealed its first biometric security key. The YubiKey Bio is a USB-A fingerprint-enabled key that lets you log in without a password with a touch of the sensor.
And, LinkedIn has become the latest member (https://twitter.com/troyhunt/status/1192927973432627200) of the security.txt club: a small text file at a well-known location on a website that tells researchers where to send vulnerability reports, so disclosure details are easy to find. It’s a really great project (https://securitytxt.org/) run by @EdOverflow (https://twitter.com/edoverflow) and @nightwatchcyber (https://twitter.com/nightwatchcyber) . If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
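For anyone publishing or consuming one of these files, here is an added example (not code from the securitytxt.org project, and the sample file is constructed rather than LinkedIn’s real one) that parses a security.txt and flags the problems a researcher would hit: no Contact line, a Contact that isn’t a proper mailto:/https://tel: URI, or an Expires date that has already passed. The field set is the one later standardised in RFC 9116; in 2019 the format was still a draft, and the RFC is what made Expires mandatory alongside Contact.

```python
"""Parser and validator for a security.txt file. Added example, not code from the
securitytxt.org project. The sample file below is constructed, not LinkedIn's."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Fields defined by RFC 9116 (security.txt was still an Internet-Draft in 2019;
# the RFC later made Expires mandatory alongside Contact).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
REQUIRED_FIELDS = ("contact", "expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

SAMPLE = """\
# Constructed sample, as it would be served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return {field-name-lowercased: [values...]}; comments and blanks are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields: Dict[str, List[str]], now: Optional[datetime] = None) -> List[str]:
    """List the problems a researcher would hit using this file; empty means OK."""
    problems: List[str] = []
    now = now or datetime.now(timezone.utc)
    for f in REQUIRED_FIELDS:
        if f not in fields:
            problems.append(f"missing required field: {f}")
    for c in fields.get("contact", []):
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https://tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    if expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
    for f in sorted(fields):
        if f not in KNOWN_FIELDS:
            problems.append(f"unknown field: {f}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print("contacts:", parsed["contact"])
    print("problems:", validate(parsed) or "none")
    stale = "Contact: security@example.com\nExpires: 2019-11-01T00:00:00Z\n"
    print("stale file problems:", validate(parse_security_txt(stale)))
```

The file only helps if it is fetched from `/.well-known/security.txt` over HTTPS; a `Canonical` line plus a detached PGP signature is how a site stops someone from serving a lookalike file that redirects reports to the wrong inbox.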
** THIS WEEK’S CYBER CAT
This week’s cybercat is Newton. When he’s not hunting adversaries, he’s looking for mice. A big thanks to his human @0xAmit (https://twitter.com/0xamit) for the submission! (You may need to enable images in this email.) Thanks to everyone who sent in cybercats last week. Keep them coming! Send them in here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . Always excited to feature them. ~ ~
** SUGGESTION BOX
Thanks again for reading, and I appreciate you for subscribing. As always, if you have any feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Have a fantastic week. ~ ~