this week in security — november 18 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 18.
** THIS WEEK, TL;DR
Credit Card Fraud On The Rise Despite Move To Chips (https://arstechnica.com/information-technology/2018/11/why-arent-chip-credit-cards-stopping-card-present-fraud-in-the-us/) Ars Technica: Remember when chip-and-PIN was heralded as the be-all and end-all to credit card fraud? Turns out that was hogwash: credit card fraud is on the rise. Three-quarters of all stolen card numbers were obtained from a point-of-sale machine (often running Windows — take a look next time!). The reason? More often than not, you’re still asked to swipe and not use the PIN at all. Well no wonder then. More: Threatpost (https://threatpost.com/u-s-chip-cards-are-being-compromised-in-the-millions/139028/) | Background: Ars Technica (https://arstechnica.com/information-technology/2014/08/chip-based-credit-cards-are-a-decade-old-why-doesnt-the-us-rely-on-them-yet/)
Google Takes Over DeepMind For U.K.’s NHS, Despite Privacy Fears (https://www.bbc.com/news/technology-46206677) BBC News: DeepMind, an AI firm used by the U.K.’s National Health Service, will be taken over by Google, catching the eye of the U.K. data protection regulator. The AI firm first sparked controversy last year when it gathered data on 1.6 million patients (because of course it did) without informing them. Now the data is going to Google, and when has Google ever let you down? More: TechCrunch (https://techcrunch.com/2018/11/14/uk-watchdog-has-eyes-on-google-deepminds-health-app-hand-off/) | DeepMind blog post (https://deepmind.com/blog/scaling-streams-google/)
Phineas Fisher Has Gotten Away With It (https://motherboard.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it?utm_source=mbtwitter) Motherboard: The hacker behind the Hacking Team breach has so far evaded the authorities, @lorenzoFB (https://twitter.com/lorenzoFB) reports, despite a manhunt for the malware software house hacker. Nobody knows who the hacker, named Phineas Fisher, is, but they haven’t been shy about how they did it (https://motherboard.vice.com/en_us/article/3dad3n/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it). Archive: Motherboard (https://motherboard.vice.com/en_us/article/3dad3n/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it)
I Asked An Online Tracking Company For All Of My Data (https://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found) Privacy International: This was pretty eye-opening. Frederike Kaltheuner obtained pages on pages on pages of links and web addresses — nearly everywhere she had been online in the past few months, thanks to tracker firms that silently watch where you go after you hit “I accept” on any website you visit. By filing a data request under GDPR, Kaltheuner got a unique insight into how these companies work. More: Financial Times ($) (https://www.ft.com/content/afef327a-e291-11e8-8e70-5e22a430c1ad)
How ZTE Helps Venezuela Create China-Style Social Control (https://www.reuters.com/investigates/special-report/venezuela-zte/) Reuters: This incredibly deep dive describes how the embattled Venezuelan president took China’s national ID card system — used for measuring “social scores” — and rolled it out across his own country, with help from Chinese tech giant ZTE, which is banned in some countries for links to China’s military. Some accuse the government of using the card system as an “attempt to control me via my needs,” as one 76-year-old person put it. More: Slate (https://slate.com/technology/2018/11/venezuela-china-zte-authoritarian-surveillance-social-control-tech.html)
Millions of SMS Text Messages, Including Two-Factor Codes, Exposed (https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/) TechCrunch: A massive database, ingesting hundreds of text messages per minute — including two-factor codes, banking password reset links, and more — was viewable in real time thanks to an exposed Kibana front-end sitting on an Elasticsearch server. This was by far one of the worst breaches I’ve seen covering security. (Disclosure: I wrote this story.) More: Techmeme (https://www.techmeme.com/181115/p42#a181115p42) | Archive: TechCrunch (https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/)
MiSafes’ Child-Tracking Watches Are ‘Easy To Hack’ (https://www.bbc.com/news/technology-46195189) BBC News: Or, “tracking and snooping on a million kids” as the alternate headline. This was a great bit of research — these GPS tracking watches can be easily spied on, obtaining real-time geolocation and more — all because the traffic wasn’t encrypted. The work that @TheKenMunroShow (https://twitter.com/TheKenMunroShow) et al do is incredible, and you should follow them if you don’t already. “It’s probably the simplest hack we have ever seen,” Munro told the BBC. More: Pen Test Partners (https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/)
Japan’s Cybersecurity Minister Admits He’s Never Used A Computer (https://www.theguardian.com/world/2018/nov/15/japan-cyber-security-ministernever-used-computer-yoshitaka-sakurada) The Guardian: Well, you can’t get hacked if you’ve never used a computer — but maybe someone in high office should be more aware of the threats. But does that make him the first airgapped cybersecurity minister? “Yoshitaka Sakurada also seemed confused by the concept of a USB drive when asked in parliament.” Oh dear… More: BBC News (https://www.bbc.com/news/technology-46222026) | The New York Times ($) (https://www.nytimes.com/2018/11/15/world/asia/japan-cybersecurity-yoshitaka-sakurada.html)
** THE STUFF YOU MIGHT’VE MISSED
Malware with 5,000 installs on Google Play was downloadable for a year (https://lukasstefanko.com/2018/11/malware-discovered-on-google-play-with-over-5000-installs-was-available-to-download-for-almost-a-year.html) Lukas Stefanko: Pretty embarrassing for Google — it seems time and again, the biggest threat to Android in its walled-garden state is malicious apps that sneak into the app store. This time, “Simple Call Recorder” was downloaded thousands of times but had code that let it download a second-stage malware payload. It only took 11 months for Google to pull the link.
A 100,000-strong botnet turns home routers to spammers (https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/) Netlab 360: Fascinated by Netlab’s continued findings on botnets, this one in particular: a new botnet with more than 100,000 ensnared home routers — a full list is here (https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/) — is connecting to Outlook, Hotmail, and Yahoo servers and sending spam. Naked Security has a better tl;dr version (https://nakedsecurity.sophos.com/2018/11/12/botnet-pwns-100000-routers-using-ancient-security-flaw/) of the story.
EFF, MuckRock release ALPR data (https://www.eff.org/deeplinks/2018/11/eff-and-muckrock-release-records-and-data-200-law-enforcement-agencies-automated) EFF, MuckRock: ALPR, or automatic license plate readers, are big in the U.K. but are becoming more popular with police departments in the U.S. — where it’s more controversial given the elements of the Fourth Amendment. The EFF, with MuckRock’s help, now has a ton of data that lets you drill down to your local PD.
Google goes down after major BGP mishap routes traffic through China (https://arstechnica.com/information-technology/2018/11/major-bgp-mishap-takes-down-google-as-traffic-improperly-travels-to-china/) Ars Technica: @dangoodin001 (https://twitter.com/dangoodin001) spent much of this week debunking the bullshit on Google’s BGP mishap (Cloudflare had a technical write-up (https://blog.cloudflare.com/how-a-nigerian-isp-knocked-google-offline/), too). Suspicion quickly fell on China for an apparent BGP hijack that pulled parts of Google offline, but a Nigerian internet provider later admitted fault. Goodin, as usual, did good reporting on this — as others jumped to conclusions. Later, it seemed that ThousandEyes, which first sounded the BGP alarm on Google, struggled with its own embarrassing networking blunder (https://arstechnica.com/information-technology/2018/11/network-intel-providers-domain-served-fraudulent-content-for-2-weeks/). Not a good look.
** OTHER NEWSY NUGGETS
Russian hackers on the midterms: Meh, maybe next time: Per @dnvolz (https://twitter.com/dnvolz) and @bobmcmillan (https://twitter.com/bobmcmillan), Russians largely skipped out on midterm meddling this time around. “Voting largely came and went without major incident, according to U.S. officials and cybersecurity companies looking for evidence of Russian interference,” their report in The Wall Street Journal ($) (https://www.wsj.com/articles/russian-hackers-largely-skipped-the-midterms-and-no-one-really-knows-why-1542054493) said. Officials speaking to the duo have some theories as to why…
ICS security giant Dragos to open Riyadh office: Dragos secured a $37 million funding round (https://www.cyberscoop.com/dragos-saudi-arabia-office/) to open an office in Riyadh, Saudi Arabia, to better serve clients in the Middle East. I was at Dragos HQ last week when CEO Rob Lee discussed the controversial move, in light of the murder of Jamal Khashoggi. “For Dragos, Lee said, as long as the infrastructure is serving civilians and not military purposes, the company wants to protect it,” Cyberscoop wrote (https://www.cyberscoop.com/dragos-saudi-arabia-office/).
Apple mum on “deleted” phone photos bug: From Forbes (https://www.forbes.com/sites/thomasbrewster/2018/11/14/apple-warned-about-iphone-x-hack-that-stole-deleted-photo/#6ce5fc30623d): Apple was warned about a bug that allowed white-hat hackers to remotely steal deleted photos from an iPhone X. It was a great exploit — but Apple hasn’t yet rolled out a patch — nor has it said when to expect fixes to land.
** GOOD PEOPLE DOING GOOD THINGS
A couple of quick ones this week:
@TinkerSec (https://twitter.com/TinkerSec), everyone’s favorite physical pentester, wrote a substantial tweet thread (https://twitter.com/TinkerSec/status/1063423110513418240) (I saw 40+ tweets and stopped counting) on a recent pen test he was asked to carry out. A fantastic read — you’ll need some coffee going into it — and it hit a near 1,000 point count on Hacker News (https://news.ycombinator.com/item?id=18475438). You can read it off Twitter in full here (https://threader.app/thread/1063423110513418240), if it’s easier. Fascinating stuff.
Also, for anyone who hates the new Gmail user interface, @shellscape (https://twitter.com/shellscape) has a CSS hack (https://github.com/shellscape/gmail-classic/blob/master/README.md) that’ll get you the classic view back. Like drinking a cold glass of water on a summer’s day in Hell.
** THIS WEEK’S CYBER CAT
This week’s cyber cat is from Leroy Terrelonge, the human to Marsha (left) and Ruffian (right). Like the good cats that they are — yes, they’re judging you — they know you reuse your passwords across sites. (You may need to enable images in this email.) Want your cybercat featured in an upcoming newsletter? Drop me an email here: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
That’s your lot for this week. Keep the cybercat submissions coming! If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Have a good week — and Thanksgiving. (I’m traveling to Berlin on Thursday but should have some time in transit to finish up next week’s newsletter.)