this week in security — november 17 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 44
~ ~
** THIS WEEK, TL;DR
How a turf war and a botched contract landed 2 pentesters in Iowa jail (https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/) Ars Technica: @dangoodin001 (https://twitter.com/dangoodin001) looks at the case of two Coalfire employees who were tasked with a physical pentest earlier this year. Things went south — badly. Ars’ deep-dive into the whole case is an interesting, if infuriating, read on how red teaming — even when done properly, with a signed rules-of-engagement document in hand — can still go wrong. Trial is set for April. More: Coalfire (https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-Comments-on-Pen-Tests-for-Iowa-Judicial) | Documents [PDF] (https://cdn.arstechnica.net/wp-content/uploads/2019/11/rules-of-engagement.pdf)
House Democrats deal death blow to domestic NSA phone spying (https://www.thedailybeast.com/house-democrats-deal-death-blow-to-domestic-nsa-phone-spying?via=twitter_page) The Daily Beast: Looks like the phone dragnet is dead — and for real this time. With the Freedom Act set to expire in December, House lawmakers are planning to do sweet, sweet nothing, let the law expire, and cut the NSA off from its phone records program for good. Some of the news was first reported (https://www.nytimes.com/2019/07/30/us/politics/nsa-call-data-program.html) by The New York Times. Sen. Ron Wyden said in a letter (https://twitter.com/dnvolz/status/1195070633169817600) that since the NSA shut down its phone records collection program following a series of overcollection incidents (https://techcrunch.com/2019/06/26/nsa-improper-phone-records-collection/) , the government hasn’t restarted the program. More: @dnvolz (https://twitter.com/dnvolz/status/1195070633169817600) | TechCrunch (https://techcrunch.com/2019/06/26/nsa-improper-phone-records-collection/)
Soldiers with top secret clearances forced to use a vulnerable app (https://www.washingtonpost.com/national-security/2019/11/12/soldiers-with-top-secret-clearances-were-forced-use-an-app-that-could-endanger-them-they-say/) Washington Post ($): Soldiers of the 504th Military Intelligence Brigade were told to install a new app on their personal phones in October, which provided weather updates, training changes and other logistical updates. But the soldiers — many of whom have top secret security clearances — found the app could collect a ton of personal data on them, including their contacts, calendars, and their locations. One of the soldiers worried their “cover might be blown.” You can see the number of Android app permissions below. More: Task & Purpose (https://taskandpurpose.com/504-military-intelligence-app) | Army statement (Facebook) (https://www.facebook.com/504thMIB.AlwaysReady/photos/a.153154511509011/1490062057818243/?type=3&theater)
ATM flaws could allow hackers access to cash and data (https://www.bloomberg.com/news/articles/2019-11-11/security-researchers-discover-flaws-in-u-s-cash-machines) Bloomberg ($): Two flaws in a widely used ATM can be used to steal data and cash, researchers have found. Some 80,000 of the roughly 150,000 deployed ATMs are vulnerable, the researchers said. One of the flaws would “allow a criminal to steal the data of any credit card or debit card entered into the ATM as a transaction takes place,” the report said. Motherboard has previously covered (https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world) malware-infected, cash-spitting ATMs. More: Motherboard (https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world)
Federal court says suspicionless searches at the U.S. border are illegal (https://www.aclu.org/press-releases/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops) ACLU: Huge news for the privacy community. A federal court in Boston said “suspicionless” searches of electronic devices at the border are unconstitutional and are not in line with the Fourth Amendment. Now the government must have reasonable suspicion of wrongdoing before it can seize and search your devices, though the court stopped short of requiring a warrant. The other downside is that the ruling only applies to U.S. citizens and permanent residents, per @jeffjohnroberts (https://twitter.com/jeffjohnroberts/status/1194473090954215424?s=21) . Or, as ZDNet put it, “conditions apply.” There’s still a lot of work to do. More: ZDNet (https://www.zdnet.com/article/clampdown-on-us-border-device-searches-not-such-a-big-deal/) | Electronic Frontier Foundation (https://www.eff.org/press/releases/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops)
Transcription site Rev leaves customer data out in the open (https://onezero.medium.com/rev-a-transcription-service-used-by-police-and-journalists-leaves-customer-data-out-in-the-open-81fff9f16669) OneZero: This may not be much of a surprise for some but, surprise anyway! — transcription site Rev left customers’ audio files open to any of its more than 40,000 transcription contractors. That meant any one of the contractors could review any incoming transcription audio — some of which included personal data, sensitive health information, or even trade secrets. Clearly if you need something sensitive transcribed, do it manually (like I do). More: Rev statement (https://mailchi.mp/rev/restrict-access-to-customer-files) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Orvis leaked hundreds of internal passwords on Pastebin (https://krebsonsecurity.com/2019/11/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin/) Krebs on Security: Vermont-based fly fishing equipment seller Orvis exposed hundreds of internal system passwords on text sharing site Pastebin, including for its routers, Active Directory, database servers, and more. That was bad in itself, but what made it worse was Orvis’ response — or lack of one. Orvis basically blacklisted Krebs’ email address on its mail server, the reporter said. Two of his emails were returned as “blocked.”
Why BlueKeep exploits are causing patched machines to crash (https://arstechnica.com/information-technology/2019/11/solved-why-in-the-wild-bluekeep-exploits-are-causing-patched-machines-to-crash/) Ars Technica: The in-the-wild BlueKeep exploit was crashing some machines rather than infecting them. Why? Turns out the crashes happen on machines that have the patch for the Intel chip vulnerability Meltdown installed: that mitigation changes the kernel’s memory layout, so the exploit’s hard-coded kernel addresses no longer line up and the target blue-screens. Ars has the technical run-down on how and why. Worth remembering that a crashing box is still an unpatched box; the fix is to patch BlueKeep, not to rely on the exploit failing.
Alleged SIM-swappers charged in $550,000 cryptocurrency scam (https://www.cyberscoop.com/alleged-sim-swappers-charged-550000-cryptocurrency-scam/) Cyberscoop: Some would consider this good news: the Justice Department has filed charges against two men for running a SIM-swapping and cryptocurrency scam against at least 10 victims. The scheme involved convincing cell carriers to hand over a victim’s phone number to the attackers using social engineering techniques, then hijacking their phone to reset account passwords and steal funds. You can read the full indictment here (https://www.documentcloud.org/documents/6549697-Meiggs-Harrington-Indictment-0.html#document/p1) .
Here’s how Knightscope’s security robots surveil the public (https://onezero.medium.com/heres-how-knightscope-s-security-robots-surveil-the-public-c2c6d14ee2c2) OneZero: Another great OneZero scoop this week. Remember those robocop-style robots, one of which famously met its end by rolling into an office center pond? These Knightscope robots use facial recognition and license plate readers to track individuals. The robots also scan for wireless devices nearby, according to a presentation obtained by the publication. “This capability allows the robot to discreetly track individuals in its proximity, regardless of whether it can identify their faces.”
What the new Checkra1n jailbreak means for iOS security (https://arstechnica.com/information-technology/2019/11/what-the-newly-released-checkra1n-jailbreak-means-for-for-idevice-security/) Ars Technica: Checkra1n is the first jailbreak for iOS 13, built on the checkm8 boot ROM bug that Apple can’t patch in software. There’s some good news for jailbreakers, but a raft of security problems associated with jailbreaking. Worse, experts say the jailbreak undermines the trust of iOS’ secure boot chain. In other words, anyone with the same exploit could build a malicious “jailbreak” and use it to load their own code on a device. The caveat: it’s a tethered jailbreak that needs a USB connection to a computer and doesn’t survive a reboot, so this is a physical-access attack, not a remote one.
Wire confirms $8.2M raise, moves holding company to the U.S. (https://techcrunch.com/2019/11/13/messaging-app-wire-confirms-8-2m-raise-responds-to-privacy-concerns-after-moving-holding-company-to-the-us/) TechCrunch: End-to-end encrypted messaging app Wire confirmed an $8.2 million fundraise, and also that it had moved its holding company from Luxembourg to the U.S., which the company’s chief said was for “simple and pragmatic” reasons. But that has worried some over fears that the U.S. government could swoop in and demand data. Wire is keeping its operations in Luxembourg. But making the move quietly, with no notice to users, was a bad and un-transparent decision, some have said. @Snowden (https://twitter.com/Snowden/status/1194799288678830080) accused Wire of having “little concern” for the individual users that made the venture round possible to begin with. ~ ~
WHILE YOU’RE HERE…
This weekly newsletter is growing by the day — it’s now at 4,800 subscribers, more than double where it was a year ago! As costs increase, I’ve set up a Patreon (https://www.patreon.com/thisweekinsecurity) for anyone who wants to support this newsletter for as little as $1/month — or more for exclusive perks. Thanks for your continued support. ~ ~
** OTHER NEWSY NUGGETS
Google’s ‘Project Nightingale’ gathers health data on millions (https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790) Bombshell reporting from the Wall Street Journal ($): Google began working with healthcare giant Ascension to “collect and crunch” the personal health data of millions of Americans across half of the U.S. But neither patients nor doctors gave their consent, the Journal reports. Google put out a statement (https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension?mod=article_inline) saying, basically, that everything is fine, but didn’t escape criticism (https://arstechnica.com/tech-policy/2019/11/google-you-can-trust-us-with-the-medical-data-you-didnt-know-we-already-had/) for essentially sneaking around. The news worried one Google employee who worked on the Nightingale team so much that they blew the whistle (https://www.theguardian.com/commentisfree/2019/nov/14/im-the-google-whistleblower-the-medical-data-of-millions-of-americans-is-at-risk?CMP=share_btn_tw) to The Guardian.
U.S. manufacturing group hacked by China amid trade talks (https://www.reuters.com/article/us-usa-trade-china-cyber-exclusive-idUSKBN1XN1AY) As trade talks intensified between Washington and Beijing earlier this year, Chinese hackers broke into a U.S. manufacturing industry group, the National Association of Manufacturers, according to sources. The group has helped the government shape manufacturing policy. It’s not known what kind of data was stolen, but China may well have been trying to get a step up in the negotiations.
L.A. officials warn about using public USB charging stations (https://www.zdnet.com/article/officials-warn-about-the-dangers-of-using-public-usb-charging-stations/) The Los Angeles district attorney warned residents of a USB charger scam, known as “juice-jacking,” in which public USB outlets are allegedly loaded with malware, waiting for unsuspecting victims to plug in so the attackers can break in and steal data. A big ‘but’ here: the L.A. district attorney hasn’t actually seen any cases (https://techcrunch.com/2019/11/15/los-angeles-juice-jacking-usb/) . In fact, nobody has documented a real-world case yet, as opposed to a proof-of-concept. It’s not an impossible attack, though, and carrying your own wall charger or a data-blocking cable sidesteps the question entirely. @MG (https://twitter.com/MG/status/1195092728314355712) said it’s good timing regardless given the recent iOS jailbreak.
Klobuchar to voting vendors: Don’t turn your back on good hackers (https://www.cyberscoop.com/klobuchar-voting-vendors-election-security/) Sen. Amy Klobuchar, who is running for president, has warned some of the biggest election equipment vendors not to turn their backs on white hat hackers who try to report security vulnerabilities. It’s part of an effort by the Democratic senator to help improve election security, which many have said in recent years is woefully insufficient. The full letter can be read here (https://www.documentcloud.org/documents/6550653-Senator-Amy-Klobuchar-IT-ISAC-RFI-Comment-Signed.html#document/p2) . ~ ~
** THE HAPPY CORNER
Just a couple of things in the happy corner this week.
You might have heard of Let’s Encrypt, the free TLS certificate provider, but have you seen letsdecrypt.org? I won’t spoil the surprise but… very funny, folks.
And, finally: a new iOS app called iVerify (https://apps.apple.com/us/app/iverify/id1466120520) built by the security experts at Trail of Bits (https://blog.trailofbits.com/2019/11/14/introducing-iverify-the-security-toolkit-for-iphone-users/) , aims to help users understand if their iPhone or iPad has been compromised. Motherboard has a full write-up (https://www.vice.com/en_us/article/bjw474/this-app-will-tell-you-if-your-iphone-gets-hacked-iverify) on the $4.99 app. To date, there’s been no real way for an ordinary user to know if their device has been hacked. Bear in mind that an App Store app runs inside the iOS sandbox, so it can only look for indirect signs of compromise rather than inspect the kernel directly; still, it’s especially helpful given the recent spate of silent exploits targeting iPhone users. @dguido (https://twitter.com/dguido) , who founded Trail of Bits, has a great tweet thread (https://twitter.com/dguido/status/1195095138009305092) on the new app. If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This is Minnow, this week’s cyber cat. She likes to knock the phone off the receiver when her human gets spam callers. Good job, Minnow. A big thanks to @IDAccessGoddess (https://twitter.com/IDAccessGoddess) for the submission! (You may need to enable images in this email.) Thanks for sending in your cyber cats. Keep them coming in! Send them in here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . I’m always looking forward to featuring them. ~ ~
** SUGGESTION BOX
That’s it for now. A big thanks to everyone who has signed up to my Patreon (http://patreon.com/thisweekinsecurity) . I really appreciate your continued support. As always, the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open. Have a great week!
============================================================ ~ ~