~this week in security~

November 25, 2018

this week in security — november 18 edition


a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)

volume 1, issue 19.


** THIS WEEK, TL;DR

World's Biggest Hacking Powers Are Sitting Out Efforts To End Hacking (https://www.buzzfeednews.com/article/kevincollier/hacking-geneva-convention-us-opposition-russia) BuzzFeed News: As the world's governments try to end nation state hacking amid the ever looming threat of all-out cyberwar, the biggest hackers — namely the U.S., Russia, China, Iran and North Korea — declined to take part. The effort came about after NSA hacking tools were exposed a couple of years ago by the Shadow Brokers, which in part led to the spread of WannaCry and caused billions of dollars in damage. More: French government (PDF) (https://www.diplomatie.gouv.fr/IMG/pdf/1_soutien_appel_paris_cle4c5edd.pdf) | Brookings (https://www.brookings.edu/blog/order-from-chaos/2018/07/19/what-helsinki-agreements-this-is-not-normal/)

Tesla Owner Accidentally Became a Tesla Forum Admin (https://www.dansdeals.com/more/dans-commentary/went-tesla-delivery-hell-tesla-giving-control-site-forums-1-5-million-tesla-account-contacts/) DansDeals: A long-read but well worth it. The short version is that a frustrated Tesla owner called up the company's customer services to complain that he wasn't listed as a Tesla owner on the forums so he could post more than once a day. Instead, he was accidentally given "owner" permissions on the company's forums — letting him read, modify and delete people's posts. Whoops. More: Motherboard (https://motherboard.vice.com/en_us/article/7xy8ey/customer-complains-about-tesla-forums-tesla-accidentally-gives-him-control-over-them) | Forbes (https://www.forbes.com/sites/lianeyvkoff/2018/11/16/a-tesla-owner-complains-to-customer-service-gets-more-than-he-bargained-for/#17f936ab2e1b)

Inside The British Army's Secret Information Warfare Machine (https://www.wired.co.uk/article/inside-the-77th-brigade-britains-information-warfare-military) Wired UK: Thought it was only the Russians at it? Think again. Even the Brits are getting in on the information warfare scene. Carl Miller's (https://twitter.com/carljackmiller/status/1062643561513082880?s=21) deep dive on the 77th Brigade looks at how the British Army uses information in warfare — including military stabilization, psychological ops, and media operations — each aimed at fighting disinformation and the spread of propaganda. "Offence beats defence almost by design." More: Wired UK (https://www.wired.co.uk/article/sweden-election-polls-far-right)

CPAP Machine Owner Finds Device Spying on Sleep Habits For Insurer (https://www.propublica.org/article/you-snooze-you-lose-insurers-make-the-old-adage-literally-true) ProPublica: A CPAP machine user — and editor — found that his sleeping habits were being sent to his insurance company — which then used the data to deny payments. It's probably not a surprise to some, but — in true ProPublica fashion — this is nevertheless an insightful take on how companies are using your own data against you. More: @ericuman tweet thread (https://twitter.com/ericuman/status/1065255517507985408?s=21)

Instagram Bug Exposed Passwords In Plaintext (https://www.theverge.com/2018/11/17/18100235/instagram-security-bug-exposed-user-passwords-data-download-tool) The Verge: An unknown number of Instagram users had their passwords exposed in plaintext — in their browser address bar, no less — when obtaining a copy of their data from the site, as part of its efforts to be GDPR compliant. Instagram said it hashes and salts passwords on the backend, but security researchers have disputed that. More: The Information ($) (https://www.theinformation.com/articles/new-instagram-bug-raises-security-questions?shared=6cc196d735a0f678)

Brazil's Largest Professional Association Hit By Data Leak (https://blog.hackenproof.com/industry-news/brazilian-personal-data-exposure/) Hacken.io: A pretty substantial exposure from FIESP, Brazil's Federation of Industries of the State of São Paulo. Some 180 million records were found in an unprotected Elasticsearch database, including names, taxpayer information, dates of birth, addresses, phone numbers and email addresses. More: ZDNet (https://www.zdnet.com/article/brazils-largest-professional-association-suffers-massive-data-leak/) | Archive: TechCrunch (https://techcrunch.com/2018/11/13/kars4kids-data-breach/)

The Snowden Legacy: What's Changed, Really? (https://arstechnica.com/tech-policy/2018/11/the-snowden-legacy-part-one-whats-changed-really/) Ars Technica: Ars takes a deep dive, in a two-part series (part two out at an undetermined date), into what NSA whistleblower Edward Snowden's disclosures have wrought politically and institutionally, including voices from his ACLU lawyer Ben Wizner, national security attorney Mark Zaid, and EFF staff attorney Mark Rumold on the good and the bad brought by the leaked files. More: Harvard Kennedy School (http://www.iop.harvard.edu/while-edward-snowden%E2%80%99s-legacy-may-be-open-question-among-millennials-collecting-personal-information) | PRI (https://www.pri.org/stories/2014-12-10/see-changes-edward-snowden-wrought-just-look-your-smartphone)

Correction: In last week's newsletter (https://mailchi.mp/6215fa02cf03/this-week-in-security-november-18-edition), I misgendered Frederike Kaltheuner, who was featured for her work in obtaining lists of data from a web tracking company. I apologize for the error.

** THE STUFF YOU MIGHT'VE MISSED

How Azure Active Directory can be vulnerable to brute-force and DoS attacks (https://hackernoon.com/azure-brute-farce-17e27dc05f85) Hacker Noon: An interesting read on the risks posed to Active Directory, used by more than nine out of ten companies in the Fortune 500. IT engineer Mitchel Lewis takes a technical look at how the system is vulnerable to brute-force attacks and other rudimentary exploits.

Dropbox finds a major macOS zero-day bug (https://blogs.dropbox.com/tech/2018/11/offensive-testing-to-make-dropbox-and-the-world-a-safer-place/) Dropbox: Like many companies, Dropbox has an offensive security ("red") team to try to hack the company from the inside. When its security partner Syndis found a bug in Apple software used at Dropbox, it found that it affected every single macOS user. The bugs were reported to Apple, which fixed the vulnerabilities within a month. "Not only did we get to test our defensive posture, we also made the internet safer by identifying and reporting vulnerabilities in macOS."

Alaskan city admits to paying off ransomware infection (https://www.zdnet.com/article/city-of-valdez-alaska-admits-to-paying-off-ransomware-infection/) ZDNet: City officials in Valdez, Alaska, paid $26,623.97 — or roughly four bitcoin — to get access to their systems back after a suspected Emotet infection. That means the entire city of just 4,000 people spent about $6.60 each to get the city's systems up and running again. Well, kids have to learn someday what their pocket money goes to...

Saudi Dissidents Hit With Stealth iPhone Spyware Before Khashoggi's Murder (https://www.forbes.com/sites/thomasbrewster/2018/11/21/exclusive-saudi-dissidents-hit-with-stealth-iphone-spyware-before-khashoggis-murder/) Forbes: Some great reporting by Thomas Brewster (https://twitter.com/iblametom) on linking the Saudi regime to malware on dissidents' phones. Friends of the murdered Washington Post reporter say the Saudi government targeted his friends prior to his murder. "His conversations with Khashoggi were almost certainly snooped on in the lead up to his companion's death," he wrote, likely with the Pegasus malware developed by the Israeli spyware maker NSO Group.

** OTHER NEWSY NUGGETS

USPS takes a year to fix API exposure bug: Cybersecurity reporter Brian Krebs (https://twitter.com/briankrebs) on his latest scoop (https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/) this week: "U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf." Just, you say? That's because it took USPS more than a year to fix the exposed API — and it did so only after he reached out. Companies do this all the time (https://twitter.com/zackwhittaker/status/1065354808557748225) and it pisses me off: they ignore researchers, but only act when they think they're about to get exposed by a reporter.

Another dark web hosting provider busted: Daniel Winzen, the owner of Daniel's Hosting — a major dark web hosting provider — was hacked, taking all its 6,500-plus sites down with it. "Unfortunately, all data is lost and per design, there are no backups," Winzen told ZDNet (https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/). Winzen said a PHP zero-day was likely to blame.

** GOOD PEOPLE DOING GOOD THINGS

Black Friday is over, but the sales are still going. @Oscaron (https://twitter.com/oscaron) compiled a list of Black Friday and Cyber Monday deals — most of which are running until Monday (November 26) and beyond. And they're all in a handy Pastebin format (https://pastebin.com/aLBfQT6H) so you're not drowning in ads or affiliate links.

I've covered China's "social credit" scoring system before in this newsletter. James Palmer, Foreign Policy's Asia editor, knows this space better than anyone, and has written extensively on China (https://foreignpolicy.com/2018/03/21/nobody-knows-anything-about-china/) in particular. This week, he invited anyone who wants to know about the country's surveillance situation and other tech matters to reach out (https://twitter.com/beijingpalmer/status/1066327944920993794?s=21). (His email is here (https://twitter.com/BeijingPalmer/status/1066329816327168000).) I expect a lot of people will — given his expertise in the space. A giant Google Hangout to save time, maybe?

And, this week saw New York's Fulton Street station effectively crash after it BSOD'ed pretty hard (https://twitter.com/qrs/status/1065736656265900032?s=21). The MTA should probably upgrade to Windows 10 one of these days, mind you...

** THIS WEEK'S CYBER CAT

This is Tiger, who — as you can see — sometimes falls for phishing traps. Thanks for the submission, Shanni Prutchi! (You may need to enable images in this email.) Want your cybercat featured in an upcoming newsletter? Drop me an email here: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).

** SUGGESTION BOX

That's everything for this week. Hope you had a great Thanksgiving. Don't forget to drop me your cybercat submissions! If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Take care and be well.
