~this week in security~

November 11, 2018

this week in security — november 11 edition


** ~this week in security~

a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)

volume 1, issue 17.


** THIS WEEK, TL;DR

Voting Machine Manual Instructed Election Officials to Use Weak Passwords (https://motherboard.vice.com/en_us/article/kzvejx/voting-machine-manual-instructed-election-officials-to-use-weak-passwords) Motherboard: Let’s face it: hackers won’t need much more than a default password to shut down our power grids or hack our elections, given how poor our nation’s security posture looks. Case in point: this week, on the eve of the midterms, @kimzetter (http://twitter.com/kimzetter) found that a voting machine manual guided election officials into choosing weak passwords, making unauthorized access easy. Forget Russian hackers; anyone with half a brain could rock up to a vulnerable machine and mess with the tally. More: Gizmodo (https://gizmodo.com/voting-machine-hell-2018-a-running-list-of-election-g-1830261900) | Ars Technica (https://arstechnica.com/tech-policy/2018/11/are-elections-fixed-no-but-neither-is-election-security/)

Samsung, Crucial SSDs Vulnerable To Trivial Encryption-Busting Hacks (https://techcrunch.com/2018/11/05/crucial-samsung-solid-state-drives-busted-encryption/) TechCrunch: Self-encrypting SSDs sound like a great idea, except that several popular Samsung and Crucial models implement the crypto so badly that the data can be unlocked without the password. What’s worse is that BitLocker trusts a drive’s hardware encryption whenever the drive advertises it, so by default it doesn’t bother applying its own software encryption on top. Seriously. If you run BitLocker on one of these drives, check which of the two it is actually using. Cryptography professor Matt Green almost unraveled on Twitter this week, calling the bugs “like jumping out of a plane with an umbrella instead of a parachute.” (Disclosure: I wrote this story.) More: @matthew_d_green tweet thread (https://twitter.com/matthew_d_green/status/1059441372317581312) | Bill Buchanan (https://medium.com/asecuritysite-when-bob-met-alice/doh-what-my-encrypted-drive-can-be-unlocked-by-anyone-a495f6653581) | Radboud University (https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/)
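A practitioner check to go with that story, added here and not taken from the article, from Microsoft or from the Radboud researchers: on a Windows machine, this lists the BitLocker volumes whose protection is delegated to the drive’s own controller (reported by the BitLocker module as EncryptionMethod “Hardware”) rather than done in software, and spells out the policy change and re-encryption needed to switch. The registry value name behind the “Configure use of hardware-based encryption for operating system drives” policy is written from memory and is an assumption to confirm against the Group Policy reference before you deploy it.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt on
# Windows 8 / Server 2012 or later (the BitLocker module ships with the OS).

function Get-HardwareEncryptedBitLockerVolumes {
    # Return the encrypted volumes whose crypto is done by the SSD itself rather
    # than by BitLocker. Those are the ones the Radboud findings put at risk.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.EncryptionMethod -eq 'Hardware' }
}

$atRisk = Get-HardwareEncryptedBitLockerVolumes
if (-not $atRisk) {
    Write-Output 'No BitLocker volume is relying on drive hardware encryption.'
} else {
    foreach ($v in $atRisk) {
        Write-Warning ("{0} is encrypted by the drive itself (method: {1}); BitLocker adds no software crypto of its own" -f $v.MountPoint, $v.EncryptionMethod)
    }

    # Remediation, deliberately left as comments because step 2 decrypts the drive:
    #
    # 1. Stop BitLocker from preferring hardware encryption on OS drives. The value below
    #    is the registry setting behind the Group Policy item "Configure use of
    #    hardware-based encryption for operating system drives" (assumed name; verify
    #    against your policy reference). Fixed- and removable-drive variants sit beside it.
    #
    #    New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Force | Out-Null
    #    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name 'OSHardwareEncryption' -Value 0 -Type DWord
    #
    # 2. Changing the policy does not re-encrypt data already on the disk. Each affected
    #    volume must be fully decrypted and then encrypted again in software:
    #
    #    Disable-BitLocker -MountPoint 'C:'      # wait until VolumeStatus reads FullyDecrypted
    #    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector
    #
    # Re-run Get-HardwareEncryptedBitLockerVolumes afterwards; the method should now read XtsAes256.
}
```

The same information is visible without PowerShell as the “Encryption Method” line of `manage-bde -status`; the point of wrapping it in a function is that you can run it across a fleet and get a list of machines that still need the decrypt-and-re-encrypt pass.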

DJI Flaw Let Anyone Watch Live Drone Feeds (https://research.checkpoint.com/dji-drone-vulnerability/) Check Point: Some good, methodical research here from Check Point. An XSS bug in DJI’s user forum let an attacker who could get a logged-in user to view a malicious post steal that user’s login token, replay it against DJI’s account login, and take over the account, along with the flight records and live camera feeds tied to it. The team also found bugs in DJI’s mobile apps, forcing the drone maker to reevaluate its entire line-up of apps and services. It only took DJI six months to fix the bugs… More: The Register (https://www.theregister.co.uk/2018/11/09/dji_drone_xss_flaw/) | Wired ($) (https://www.wired.com/story/dji-drones-bugs-exposed-users-data/)

House of Representatives Left Sensitive Passwords On Its Own Website (https://www.databreaches.net/no-need-for-russia-to-hack-the-house-of-representatives-if-the-house-keeps-leaving-its-doors-open/) DataBreaches.net: New Zealand-based data breach finder Flash Gordon (http://twitter.com/s7nsins) found a bunch of files purportedly belonging to House members sitting exposed on the House’s own site, including configuration files and passwords for House member subdomains. The data was eventually secured, but only after several attempts by Dissent Doe (https://twitter.com/PogoWasRight) to reach someone responsible. More: Ctrlbox (https://www.ctrlbox.com/2018/11/07/housekeeping-issues-with-house-gov/)

DEA And ICE Are Hiding Surveillance Cameras In Streetlights (https://qz.com/1458475/the-dea-and-ice-are-hiding-surveillance-cameras-in-streetlights/) Quartz: Great reporting here. Looks like the DEA and ICE are hiding cameras in overhead street lights with the help of a local Texas firm. Why? No idea. But it’s shady and sneaky a.f. The reporters pulled procurement data and called up the company — “Cowboy Streetlight Concealments LLC,” no less. More: General Services Administration (https://www.fpds.gov/ezsearch/fpdsportal?s=FPDSNG.COM&templateName=1.4.4&indexName=awardfull&q=VENDOR_DUNS_NUMBER%3A%22085189089%22)

A Simple Hack Can Be Used To Break Into A Smart Home (https://www.cnet.com/news/how-you-might-be-setting-your-smart-lock-up-for-intrusion/) CNET: Audio transducers are a smart home’s worst enemy. Stick one to a window, play “unlock the front door” through the glass to the Amazon Echo inside, and presto, you’re in. Render Man (https://twitter.com/ihackedwhat) got a name check in here for finding the vulnerability. It’s not a perfect hack, but it doesn’t have to be. Just make sure you set a voice PIN on your smart locks, so that a spoken command alone isn’t enough to open the door. Archive: Lifehacker (https://lifehacker.com/we-asked-five-security-experts-if-smart-locks-are-ever-1797910643)

China Telecom’s Internet Traffic Misdirection (https://internetintel.oracle.com/blog-single.html?id=China+Telecom%27s+Internet+Traffic+Misdirection) Oracle: Here’s more evidence that China Telecom has been pulling U.S. internet traffic through its network by announcing BGP routes it had no business carrying. (I covered it in this newsletter a few weeks back.) Oracle’s Doug Madory spent much of 2017 trying to get China Telecom to stop one such misdirection, and has written up his findings on the company’s blog. It’s a short but fascinating insight into what happened. More: Military Cyber Affairs (academic paper) (https://scholarcommons.usf.edu/mca/vol3/iss1/7/) | Ars Technica (https://arstechnica.com/information-technology/2018/11/strange-snafu-misroutes-domestic-us-internet-traffic-through-china-telecom/)

This Tool Shows Exposed Cameras Around Your Neighbourhood (https://motherboard.vice.com/en_us/article/59vm4x/tool-exposed-cameras-map-shodan-python-github) Motherboard: File under “crazy creepy.” A newly published tool called Kamerka relies on Shodan to find exposed public surveillance cameras, and geolocate them on a map. More: Medium (https://medium.com/@woj_ciech/%EA%93%98amerka-build-interactive-map-of-cameras-from-shodan-a0267849ec0a) ~ ~

** THE STUFF YOU MIGHT’VE MISSED

Cybercom will share malware samples with VirusTotal (https://www.cybercom.mil/Media/News/News-Display/Article/1681533/new-cnmf-initiative-shares-malware-samples-with-cybersecurity-industry/) U.S. Cyber Command: Cybercom will upload some of the malware it finds to VirusTotal (https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert), the military’s cyber command said this week. Don’t expect anything breathtaking; it’ll keep most of its findings a closely guarded secret, but it has already shared a few samples said to be linked to the Russian government.

New virtual reality tool will help you spot surveillance (https://www.eff.org/press/releases/eff-unveils-virtual-reality-tool-help-people-spot-surveillance-devices-their) Electronic Frontier Foundation: Now this is cool. The EFF has a virtual reality experience (https://www.eff.org/spot-the-surveillance/) that trains people to spot surveillance on the street, from police body cameras to drones. It works best with a virtual reality headset, but also runs fairly well in a browser.

FCC wants phone companies to crack down on robocalls (https://www.reuters.com/article/us-usa-wireless-fcc/fcc-demands-companies-take-action-to-halt-robocalls-idUSKCN1NA2KH) Reuters: This caught my eye because the FCC’s chief shitbag Ajit Pai wants phone companies to adopt call authentication (the SHAKEN/STIR framework) to curb caller ID spoofing: the originating carrier cryptographically signs the caller ID it attaches to a call, and the receiving carrier verifies that signature before trusting the number. Dare I say it, it’s not a bad idea…

Canadian Government’s reporting of computer vulnerabilities and exploits (https://christopher-parsons.com/accountability-and-the-canadian-governments-reporting-of-computer-vulnerabilities-and-exploits/) Christopher Parsons: Citizen Lab’s Christopher Parsons (https://twitter.com/caparsons) has a new draft paper out on Canada’s vulnerabilities equities process (VEP), the procedure by which a government decides whether to disclose a vulnerability it has found or keep it for its own use. While everyone was looking at the U.S. to fix its vulnerability disclosure process, everyone forgot about Canada. “It is of high importance that the government of Canada formally develop, publish, and act according to an accountability regime that would regulate its agencies’ exploitation of computer vulnerabilities,” he says.

The New Illustrated TLS Connection (https://tls13.ulfheim.net/) Michael Driscoll: This is a really interesting creation by Michael Driscoll (https://twitter.com/xargsnotbombs) that walks you through a TLS 1.3 connection byte by byte, from the client hello through the key exchange and key derivation to the first encrypted application data. Not very newsy, but it’s a very well done visual guide that explains exactly how the handshake works. ~ ~

** OTHER NEWSY NUGGETS

Busting SIM swapper myths: Cybersecurity reporter Brian Krebs has a detailed write-up (https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/), citing interviews and meetings with law enforcement, about SIM swapping, in which he lays out some truths and busts some myths. It’s a long read but worth it, and offers insight into how to keep your accounts safe from phone number hijackers.

U.S. deputy spy chief wants friends in Silicon Valley: An interesting mini-profile on Sue Gordon, deputy director of national intelligence, in Wired ($) (https://www.wired.com/story/sue-gordon-us-intelligence-public-private-google-amazon/) this week. As the de facto “chief operating officer” of the U.S. intelligence community, she’s tried to cozy up to Silicon Valley in recent years, citing a similar mission — to use data for good — despite hesitance in the wake of the Snowden revelations.

Fake Elon bitcoin scammer earns $180,000 in one day: This headline (https://www.bleepingcomputer.com/news/security/fake-elon-musk-twitter-bitcoin-scam-earned-180k-in-one-day/) depresses me. I wish journalism paid this much.

Healthcare.gov breach worse than we thought: Remember a few weeks ago when a Healthcare.gov system was hacked, affecting 75,000 people? The government came clean this week on what data spilled (https://techcrunch.com/2018/11/09/hackers-stole-income-immigration-and-tax-data-in-healthcare-gov-breach-government-confirms/): in short, it’s a lot of highly sensitive data, including tax, immigration, and income information. (This was also one of my stories.)

Steam API bug dished out activation keys like candy: A flaw in Steam’s activation key API let anyone retrieve product keys (https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/) for any game they wanted. In the researcher’s tests, he pulled 36,000 keys for Portal 2. Valve fixed the bug and paid out through its bug bounty. ~ ~

** GOOD PEOPLE DOING GOOD THINGS

Just one this week.

@tarah (https://twitter.com/tarah) wrote a long tweet thread (https://twitter.com/tarah/status/1061263454357483525) marking the sixth annual Aaron Swartz Day. Widely considered one of the smartest people in security, Swartz died by suicide after he was aggressively pursued by prosecutors for downloading academic papers from JSTOR, stretching U.S. hacking laws far beyond their original intent. (More from the EFF here (https://www.eff.org/deeplinks/2018/11/join-us-sixth-annual-aaron-swartz-day-and-international-hackathon-weekend).) Her thread is a thoughtful read about the hot mess that academic publishing is, and about how that draconian system and its costs harm academia and education.

That thread, and a call to donate to the EFF, which supported Aaron, raised over $3,000 for the non-profit, thanks to many individual donations and matching contributions. ~ ~

** THIS WEEK’S CYBER CAT

One from the archives: this is JB, one of the kittens we fostered last year. She hates APT attribution, but loves belly rubs. (You may need to enable images in this email.) The cyber cat situation is starting to look a bit thin on the ground, so please submit your favorite feline floofs.

Drop me an email here: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) — and I will feature your cyber cat in an upcoming newsletter. ~ ~

** SUGGESTION BOX

That’s all for now. If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Be good to one another. ~ ~
