this week in security — november 24 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 45
~ ~
** THIS WEEK, TL;DR
Notorious Iranian hackers are targeting industrial control systems (https://www.wired.com/story/iran-apt33-industrial-control-systems/) Wired ($): Iran’s APT33, one of the most well-resourced hacker groups, is now targeting industrial control systems, the devices that keep industrial processes working. Microsoft’s research shows the group is carrying out password spraying attacks on about 2,000 organizations per month, likely in efforts to gain a foothold to carry out cyberattacks from within. Let’s not forget these kinds of attacks have previously resulted in near-catastrophic incidents, including a power blackout in Kyiv and the near-destruction (https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html) of a Saudi oil refinery. More: Cyberscoop (https://www.cyberscoop.com/apt33-iran-botnet-trend-micro/) | Axios (https://www.axios.com/iran-hacker-industrial-control-apt33-elfin-6b4a48f8-4736-42a7-ae47-45131ab0b519.html)
Why was Russia so set against this hacker’s extradition? (https://krebsonsecurity.com/2019/11/why-were-the-russians-so-set-against-this-hacker-being-extradited/) Krebs on Security: Aleksei Burkov, a Russian national, was extradited from Israel earlier this month for allegedly running a massive carding site. But why was Russia so against his extradition? Russia even detained an Israeli-American woman as leverage to try to get Burkov sent back to Russia. According to Krebs, it’s because Burkov may be one of the “most connected and skilled malicious hackers” ever nabbed by U.S. authorities. And that’s rightfully got the Kremlin rattled. More: Justice Dept. (https://www.justice.gov/usao-edva/pr/russian-national-extradited-running-online-criminal-marketplace) | NBC News (https://www.nbcnews.com/news/world/suspected-hacker-s-extradition-focuses-attention-israeli-american-russian-jail-n1079781) | Haaretz (https://www.haaretz.com/israel-news/.premium-the-russian-hacker-who-just-became-one-of-israel-s-most-famous-prisoners-1.7972490)
Burglars really do use Bluetooth scanners to find devices (https://www.wired.com/story/bluetooth-scanner-car-thefts/) Wired ($): It turns out criminals really are using Bluetooth scanners to find and steal phones, laptops and other electronics. San Jose police told Wired that it knows thieves are “utilizing” these scanners in some cases, which was once believed to be nothing more than an urban myth. The police advice is to place them on airplane mode or power them down rather than leaving them in any type of sleep or standby mode, because Bluetooth can still give off signals in many cases. More: @MerrittBaer (https://twitter.com/MerrittBaer/status/1184637149402021888)
Interpol plans to condemn encryption spread, citing predators (https://www.reuters.com/article/us-interpol-encryption-exclusive/exclusive-interpol-plans-to-condemn-encryption-spread-citing-predators-sources-say-idUSKBN1XR0S7) Reuters: Interpol is said to have prepared a statement condemning strong encryption, saying it helps to protect child sex predators. The condemnation — as silly as it is — was backed by some 60 countries. Most accept that encryption is a good thing and that, as a neutral technology, it can be used for both good and bad. Interpol later denied (https://twitter.com/nicoleperlroth/status/1196502885883756544) it was releasing any such statement, despite at least one other reporter (https://twitter.com/thepacketrat/status/1196518484383092741) backing up Reuters’ report. More: @nicoleperlroth (https://twitter.com/nicoleperlroth/status/1196502885883756544) | @thepacketrat (https://twitter.com/thepacketrat/status/1196518484383092741)
Homeland Security’s Jeanette Manfra to leave government (https://techcrunch.com/2019/11/21/jeanette-manfra/) TechCrunch: Jeanette Manfra, one of the most senior cybersecurity officials in the U.S. government, is to leave for the private sector at the end of the year. She hasn’t announced her next job yet. She gave me her exit interview (https://twitter.com/CISAManfra/status/1197626484883673089), and spoke of several wake-up calls the government had to face, including the OPM breach, the Sony hack, and the WannaCry attack. (Disclosure: I wrote this story!) More: Cyberscoop (https://www.cyberscoop.com/jeanette-manfra-dhs-resigning/) | @CISAManfra (https://twitter.com/CISAManfra/status/1197584638115504128)
Official Monero website hacked to deliver currency-stealing malware (https://arstechnica.com/information-technology/2019/11/official-monero-website-is-hacked-to-deliver-currency-stealing-malware/) Ars Technica: Hoo-boy. The official site of Monero, a digital coin, was hacked to deliver currency-stealing malware. It was only discovered when someone was checking the hash for a command-line interface wallet against the hash on the site. One person is already claiming to have lost around $7,000 in cryptocurrency as a result. Always check the hashes! More: @bcrypt (https://twitter.com/bcrypt/status/1197335723759718400) | Monero (https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html)
~ ~
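As an added example (not Monero’s own tooling and not code from this newsletter), this is the kind of check that caught the compromise: compute the download’s SHA-256 and compare it against a published hash list. The `sha256sum`-style list format, the file names and the sample bytes are assumptions constructed for the example.

```python
# Added example (not Monero's own tooling): verify a downloaded binary against a
# published hash list in `sha256sum` style, "<hex digest>  <filename>" per line.
import hashlib
import hmac
import os
import sys


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hex}; malformed lines raise."""
    published = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and blanks are fine
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hash list line {lineno}: {raw!r}")
        published[parts[1].lstrip("*")] = parts[0].lower()  # '*' = binary mode
    return published


def verify_digest(actual_hex: str, filename: str, hash_list_text: str) -> bool:
    """True only if the digest matches the published one for `filename`.
    An unlisted filename fails rather than passes; comparison is constant-time."""
    expected = parse_hash_list(hash_list_text).get(filename)
    return expected is not None and hmac.compare_digest(actual_hex.lower(), expected)


if __name__ == "__main__":
    # Usage: python verify_download.py <downloaded file> <hashes.txt>
    path, list_path = sys.argv[1], sys.argv[2]
    with open(list_path, encoding="utf-8") as f:
        ok = verify_digest(sha256_file(path), os.path.basename(path), f.read())
    print("OK" if ok else "MISMATCH: do not run this binary")
    sys.exit(0 if ok else 1)
```

The hash list itself must come from a channel you trust independently of the download (here, the published hashes were what exposed the swapped binaries), otherwise an attacker who replaced the binary can replace the list too.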
** THE STUFF YOU MIGHT’VE MISSED
Project Zero looks at Bad Binder, an NSO Group exploit (https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html) Google Project Zero: Google’s elite security research group looks at Bad Binder, an in-the-wild exploit targeting Android devices, allegedly created by NSO Group, a mobile malware maker that created the notorious Pegasus spyware. The exploit, which had the capability to be delivered via a browser bug (https://twitter.com/LukasStefanko/status/1197816576717705216), was used to install Pegasus. But Project Zero said the bug fix was “never included” in any Android security bulletin and was “never patched” in many popular phones, including the Pixel and Pixel 2. Ouch.
Google and Samsung fix Android spying flaw (https://arstechnica.com/information-technology/2019/11/google-samsung-fix-android-spying-flaw-other-makers-may-still-be-vulnerable/) Ars Technica: Flaws in Android camera apps built by Google and Samsung made it possible for rogue apps to take control of the camera and microphone without needing access to special permissions. Checkmarx researchers said the only permission needed was access to storage, which nearly every app has and often doesn’t raise any eyebrows. Both Google and Samsung fixed the flaws, but other device makers might also be vulnerable.
Lenovo caught paying cybersecurity ‘influencers’ for marketing tweets (https://www.axios.com/influencer-marketing-comes-to-cybersecurity-1a89489e-657b-4bc8-a42b-d1b9000ae2c0.html) Axios: VizSense, working on behalf of Lenovo, was caught paying so-called cybersecurity “influencers” to promote one of its endpoint security products for paid tweets. Nobody actually examined the product or validated (https://twitter.com/MalwareJake/status/1196127277760884736) Lenovo’s claims, but still took Lenovo’s money. The vast majority of those they asked turned down the request — including myself (https://twitter.com/zackwhittaker/status/1196122137674862592) — on ethical grounds. Ironically, most people had never heard of these so-called “influencers”.
Twitter finally lets users disable SMS as default two-factor option (https://www.zdnet.com/article/twitter-will-finally-let-users-disable-sms-as-default-2fa-method/) ZDNet: Twitter will now let users enable two-factor authentication without having to first sign up using SMS, an insecure way of sending security codes. It only took the hack (https://www.zdnet.com/article/jack-dorseys-twitter-account-got-hacked/) of its CEO to get fixed and a breach (https://twitter.com/dellcam/status/1197636230126718976) of two-factor phone numbers to advertisers, but it’s welcome nonetheless.
The myth of the sophisticated hacker (https://www.axios.com/sophisticated-hacker-cybersecurity-labour-party-f2137c08-0dec-4413-94d8-8f6729b6ec96.html) Axios: This week, the U.K.’s Labour Party said it was targeted by a “sophisticated” cyberattack. Yes, cue everyone’s eyes rolling at the thought. So many companies and organizations use the “sophisticated” claim all the time. @joeuchill (https://twitter.com/joeuchill) looks at why this happens. “No one is going to say they were breached by average hackers,” said IBM’s Chris Scott.
Warning lights for airplanes were exposed to the open internet (https://www.vice.com/en_us/article/7x5nkg/airplane-warning-lights-hacked) Motherboard: Filed under “things you really don’t want on the internet.” A security researcher found a control panel for warning lights, used to help aircraft avoid tall structures, connected to the internet and reported it to the U.S. federal aviation authority.
Macy’s customer payment info stolen in Magecart data breach (https://www.bleepingcomputer.com/news/security/macys-customer-payment-info-stolen-in-magecart-data-breach/) Bleeping Computer: Retail giant Macy’s had another data breach — for a second year (https://fortune.com/2018/07/11/macys-data-breach/) in a row, no less — after it found malicious card-skimming code on its website. The code was there for about a week. Last year the retail outlet had a separate data breach involving credit card data, which resulted in a class action suit launched against the company.
~ ~
** SUPPORT THIS NEWSLETTER
This newsletter continues to grow — close to the 5,000 subscriber mark. Costs are going up, so I’ve set up a Patreon (https://www.patreon.com/thisweekinsecurity) for anyone who can support this newsletter, starting at $1/month — or more for exclusive perks. Thanks for all your support. ~ ~
** OTHER NEWSY NUGGETS
Google will pay $1.5M for the most severe Android exploits (https://arstechnica.com/information-technology/2019/11/google-will-pay-1-5-million-for-the-severest-android-exploits/) Just as modern Android-iOS security seems to be almost neck and neck (https://twitter.com/saleemrash1d/status/1197588534519095296) after years of Android gains and slip-ups by Apple, Google is capitalizing on that by improving its bug bounty payouts. A critical Titan M hack, such as a full chain remote code execution exploit with persistence on a developer preview build, could fetch up to $1.5 million. Data exfiltration or a lockscreen bypass on a developer preview could earn $750,000. Google has a full breakdown (https://security.googleblog.com/2019/11/expanding-android-security-rewards.html) of the security rewards.
T-Mobile breach affected over a million prepaid subscribers (https://www.t-mobile.com/customers/6305378822) T-Mobile said it has shut down “malicious, unauthorized access” to prepaid customer data, which included a subscriber’s name, phone number, account number, billing address, and plan and calling features. More than a million customers are affected (https://techcrunch.com/2019/11/22/more-than-1-million-t-mobile-customers-exposed-by-breach/), according to my TechCrunch colleague who eked out a smidge more than what T-Mobile said in its disclosure. In fact, T-Mobile’s disclosure was so bad (https://twitter.com/zackwhittaker/status/1197951458836123648), it barely said anything at all.
Former Twitter employees charged with spying on critics of Saudi Arabia (https://www.cyberscoop.com/twitter-saudi-arabia-spies-jamal-khashoggi/) U.S. prosecutors have charged two former Twitter staffers with spying on users at the request of the Saudi government. One such victim is said to be Omar Abdulaziz, a dissident who worked closely with Washington Post columnist Jamal Khashoggi, who was murdered by Saudi operatives last year at the direction of the kingdom’s crown prince. ~ ~
** THE HAPPY CORNER
Here’s a small set of happy nuggets from the week:
@HackingDave (https://twitter.com/HackingDave/status/1196503646428639232) released his security firm’s legal documentation used for pen-testing. It comes in response to the ongoing threats against security researchers, and the recent arrest (https://arstechnica.com/information-technology/2019/09/iowa-officials-claim-confusion-over-scope-led-to-arrest-of-pen-testers/) and court case of two pen-testers in Iowa. You can find the documents here (https://twitter.com/TrustedSec/status/1196503244685684738).
The EFF, Malwarebytes, and several other security companies have formed a coalition to stop stalkerware. That’s the mobile software often used by spouses to spy on their partners. You can see more about the coalition here (http://www.stopstalkerware.org/), which includes legal information and how to spot and remove it.
And, something I think is really great — a security.txt (https://securitytxt.org/) equivalent for Apple apps. The idea, security.plist (https://twitter.com/ivrodriguezca/status/1197541454991638529?s=21), is a proposed standard that allows iOS applications to define security policies, including security contact information (https://ivrodriguez.com/introducing-security-plist/). If people like @chronic (https://twitter.com/chronic/status/1197703814393909248) think it’s a good idea, it clearly is.
If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercat is Frida, who, her human says, is as skittish and sneaky a cybercat as they come. Sounds like the perfect adversary… for mice. Many thanks to @misterburton (https://www.instagram.com/misterburton/) for the submission! (You may need to enable images in this email.) Please keep your cybercats coming in! Send them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). The more the merrier. Thanks!
~ ~
** SUGGESTION BOX
That’s all for this week. Another round of thanks for everyone who has signed up to my Patreon (http://patreon.com/thisweekinsecurity). I can’t wait to start sending out the perks. The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is still open. Have a good one.