this week in security — november 4 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 16.
** THIS WEEK, TL;DR
CIA’s Comms Suffered A Major Compromise, Thanks To Terrible Opsec. (https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html) Yahoo News: A blockbuster report by JennaMC_Laugh (https://twitter.com/JennaMC_Laugh) and zachsdorfman (https://twitter.com/zachsdorfman), months in the making. CIA’s covert comms system — used by informants around the world — was compromised by Iran, because the CIA didn’t “noindex” the pages. The sites were subsequently indexed by Google. Iran “tracked who was visiting these sites, and from where, and began to unravel the wider CIA network,” according to the report. Incredible work. More: Ars Technica (https://arstechnica.com/tech-policy/2018/11/how-did-iran-find-cia-spies-they-googled-it/)
U.S. Election Integrity Depends On Security-Challenged Firms (https://apnews.com/f6876669cb6b4e4c9850844f8e015b4c) Associated Press: A long AP read — one that delves into the security of machines used in the upcoming election. Three electronic voting machine manufacturers make up 90% of the voting machine market. “They cobble things together as well as they can,” one expert said. And yet when it comes to answering basic questions about security, they stonewalled the AP at every chance they got. More: Bloomberg (https://www.bloomberg.com/news/articles/2018-11-03/private-equity-controls-the-gatekeepers-of-american-democracy) | Background: Motherboard (https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states)
Chinese Spies Orchestrated Hack That Stole Aviation Secrets (https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/) Ars Technica: Another day, another attempt by China to steal U.S. intellectual property. Except this time, the DOJ woke up from its long slumber and jumped into action. Thirteen companies were hacked over a five-year period to steal aviation secrets. The Chinese were reportedly schooled by the Syrian Electronic Army — remember them? Ten Chinese nationals were charged in the indictment. More: Justice Dept. (https://www.justice.gov/opa/pr/chinese-intelligence-officers-and-their-recruited-hackers-and-insiders-conspired-steal) | DOJ Indictment (https://www.justice.gov/opa/press-release/file/1106491/download) | Wall Street Journal ($) (https://www.wsj.com/articles/u-s-restricts-state-owned-chinese-chip-maker-from-doing-business-with-american-firms-1540837561)
Google’s reCAPTCHA v3 Detects Bad Traffic Without User Interaction (https://www.zdnet.com/article/google-launches-recaptcha-v3-that-detects-bad-traffic-without-user-interaction/) ZDNet: Arguably the worst thing about CAPTCHA is — well, any human interaction whatsoever. “Does that square count as a motorcycle? How many store fronts is that?” They’re a pain in the ass, and Google knows it. The third iteration of its reCAPTCHA web-plugin doesn’t require user interaction at all. That should cut down on the frustration levels. More: Google (https://webmasters.googleblog.com/2018/10/introducing-recaptcha-v3-new-way-to.html) | Google Developers (https://developers.google.com/recaptcha/docs/v3)
Signal Has A Clever New Way To Shield Your Identity (https://www.wired.com/story/signal-sealed-sender-encrypted-messaging/) Wired ($): Signal’s end-to-end encrypted messenger is a god-send for anyone in security. It retains almost no metadata — as proven by an old subpoena (https://arstechnica.com/tech-policy/2016/10/fbi-demands-signal-user-data-but-theres-not-much-to-hand-over/) — but now the app is cutting the metadata it retains even further. Signal will soon mask the sender of a message — even from Signal — so that it’s another data point that they can’t be forced to hand over (should that ever happen). More: TechCrunch (https://techcrunch.com/2018/10/29/signal-sealed-sender-feature-messaging-security/) | Signal Blog (https://signal.org/blog/sealed-sender/)
Sen. Wyden’s New Bill Will Jail Reckless CEOs Who Lose Customer Data (https://gizmodo.com/wyden-unveils-new-plan-to-protect-private-data-restore-1830153516) Gizmodo: Fines and jail time for the idiot CEOs who don’t protect their customers’ data from hackers. Sounds like a winner, right? That’s the latest plan from Sen. Ron Wyden, who’s frankly pretty sick of their shit. The bill isn’t likely to pass the committee stages (a real shame, but that’s Washington for you), but it’s a nice idea. Jake Williams had a great thread (https://twitter.com/malwarejake/status/1058130922552389632?s=21) on this, too. More: Ron Wyden’s Office (https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy) | @MalwareJake tweet thread (https://twitter.com/malwarejake/status/1058130922552389632?s=21)
Cell Phone Security and Heads of State (https://www.schneier.com/blog/archives/2018/10/cell_phone_secu_1.html) Schneier on Security: Bruce Schneier drops a few truth bombs on the state of presidential opsec in a recent blog post. “Unfortunately, there’s not much you can do to improve the security of your cell phone,” he wrote. That’s because SS7 flaws in the cell networks make it easy to intercept calls and messages — of your phone, and the president’s. Fin. End of. Happy now? But no, really — read his column. More: New York Times ($) (https://www.nytimes.com/2018/10/24/us/politics/trump-phone-security.html)
** THE STUFF YOU MIGHT’VE MISSED
‘Stalkerware’ Site Let Anyone Intercept Texts of Thousands of People (https://motherboard.vice.com/en_us/article/pa97g7/xnore-copy9-stalkerware-data-breach-thousands-victims) Motherboard: A hacker exposed the awful security of two companies that sell spyware for consumers, write @josephfcox (https://twitter.com/josephfcox) and @lorenzoFB (https://twitter.com/lorenzofb). “By simply viewing the HTML of a particular website, anyone could log in and rummage through Facebook messages, texts, and phone call data.” You’d think spyware companies would be better at securing their victims’ data. Apparently not!
Reasonable security with GPG (https://dev.to/davidk01/reasonable-security-with-gpg-455a) Dev.to: A great write-up by David Karapetyan (https://dev.to/davidk01) on how to use PGP/GPG safely and securely. We all know it can be fiddly — it’s why Signal is so popular for end-to-end encrypted messages. Karapetyan gives a great primer on the basics for the few who might have skipped the GPG days altogether.
Kraken Cryptor Ransomware Gains Popularity Among Cybercriminals (https://www.recordedfuture.com/kraken-cryptor-ransomware/) Recorded Future: Here’s a great tear-down of the Kraken ransomware that’s going around town. It’s a detailed, line-by-line explanation of how it works (no C2 servers and minimal infrastructure!), with images. If more security research was as detailed as this, we’d all be better for it. I think the only person who publishes research as detailed as this is @0xAmit (https://twitter.com/0xAmit).
** OTHER NEWSY NUGGETS
Congress to rein in Google, Facebook. Eventually: The Verge examined all of the bills and draft legislation (https://www.theverge.com/2018/10/31/18041882/congress-data-privacy-google-facebook-gdpr-markey-klobuchar) in Congress right now, aimed at reining in the leaky tech giants — like Facebook and Google — which have been far too fast and loose with users’ data for too long. In short, the lawmakers are working on it, but expect lobbyists to get in the way.
School surveillance: Sometimes this feels like the Motherboard (http://twitter.com/motherboard) newsletter (they do good work) but this has to go in, too. In the wake of deadly, horrific mass shootings, some schools across the U.S. are installing facial recognition. An extremely detailed deep-dive and a must-read (https://motherboard.vice.com/en_us/article/j53ba3/facial-recognition-school-surveillance-v25n3) this week. But maybe we should be focusing on common sense gun laws instead. Just a thought. Don’t @me.
Passcodes are Fifth Amendment compliant: Another step in the right direction for U.S. privacy rights. A Florida court says passcodes are compliant with the Fifth Amendment (https://nakedsecurity.sophos.com/2018/11/01/passcodes-are-protected-by-fifth-amendment-says-court/). That means police can’t compel you to turn over your passcode if the contents are going to incriminate you. That’s not the same as the Fourth Amendment, mind you, which requires a warrant for your device data. Trust me, it’s a good thing — but read the story (https://nakedsecurity.sophos.com/2018/11/01/passcodes-are-protected-by-fifth-amendment-says-court/) for more.
Feds told to delete data from the border: And another privacy victory this week, after an American Muslim woman won her case to force U.S. border authorities to delete the data (https://arstechnica.com/tech-policy/2018/10/feds-agree-to-delete-data-seized-off-womans-iphone-during-border-search/) they swiped from her phone. The border authorities didn’t say why they seized her phone.
** GOOD PEOPLE DOING GOOD THINGS
Ming Chow (https://twitter.com/0xmchow/status/1057413278706622464), a Tufts academic, set up a security lab asking people to hack it. It’s for his class, he told me in a DM. “I decided to make this lab publicly available because of the amount of interest and need in real Cyber Security training exercises.” He said it didn’t take too long (https://twitter.com/0xmchow/status/1057668333041053697?s=21) — thanks to a good ol’ trusty SQL injection.
And, everyone’s favorite zero-day hunter @taviso (http://twitter.com/taviso) wrote a script that lets you delete all of your Twitter DMs — just by pasting a few lines of code (https://gist.github.com/taviso/64b5ea85a31ef612bf940fd3c2f3f43b) into your Chrome browser console. Instructions within. Practice safe opsec: delete your DMs regularly.
** THIS WEEK’S CYBER CAT
This week’s cybercat is Fluffasaurus Rex, who, as you can see, is a huge fan of sandboxing (get it?). Thanks to Erin Johnson for the submission. (You may need to enable images in this email.) If you want your cat featured in a future newsletter, email me: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) — and they’ll be featured in the coming weeks.
** SUGGESTION BOX
That’s all for this week. Thanks as always for reading. If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). See you next week — have a good one.