this week in security — october 11 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 40
~ ~
** THIS WEEK, TL;DR
Cyber Command has sought to disrupt the world’s largest botnet (https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html) Washington Post ($): Incredible reporting this week by @briankrebs (https://twitter.com/briankrebs) and @nakashimae (https://twitter.com/nakashimae) on disrupting TrickBot ahead of the election. Krebs reported (https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/) that the notorious botnet, often used for delivering ransomware, was targeted by an unknown entity aimed at neutering the malware on more than 2 million infected PCs by pushing a phony update designed to prevent the malware from communicating with the bot operators. Turns out it was Cyber Command that did it, as part of an effort to make it harder for the TrickBot operators to use its infrastructure to target election systems with ransomware. Incredible stuff. More: Krebs on Security (https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/) | @briankrebs (https://twitter.com/briankrebs/status/1314792038500626434)
CBP bought ‘global’ location data from weather and game apps (https://www.vice.com/en/article/n7wakg/cbp-dhs-location-data-venntel-apps) Motherboard: U.S. Customs and Border Protection bought access to “global” location data collected from ordinary apps downloaded to people’s phones — like weather apps and games — allowing U.S. border authorities to track devices outside of the United States. CBP obtained the data from Venntel, a data broker. The data could be used to identify individuals, the report said, though how much work CBP would have to put in appears to vary. The Wall Street Journal ($) (https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600) previously reported that agencies like ICE used Venntel data to pinpoint border crossings and arrest individuals. But the practice is questionable and under investigation by Congress. More: Bloomberg Law (https://news.bloomberglaw.com/privacy-and-data-security/irs-use-of-cell-phone-location-data-falls-in-legal-gray-area) | Background: Wall Street Journal ($) (https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600)
Apple’s T2 security chip has an unfixable flaw (https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/) Wired ($): Just what you want to hear: an unfixable flaw in your iPhone’s security chip. A new vulnerability, discovered by jailbreaking crew Pangu, can bypass Apple’s T2 security chip and gain deep access to the operating system. The T2 is used as a secrets store for your Touch ID and Activation Lock features. But because the bug is in the low-level and unchangeable firmware of the chip, it’s not believed to be fixable. (@chronic (https://twitter.com/chronic/status/1313476691184947200) has a great explainer tweet thread on this.) It’s not a “full-blown security crisis,” as Wired explains. There are limitations to the jailbreak: it requires physical access to a device, and the jailbreak isn’t persistent following a reboot. More: @chronic (https://twitter.com/chronic/status/1313476691184947200)
Google is giving data to police based on search keywords, court docs show (https://www.cnet.com/news/google-is-giving-data-to-police-based-on-search-keywords-court-docs-show/) CNET: Court records show that Google will hand over data on people who searched for specific keywords. In one recent arson case, an unsealed court filing shows investigators asked Google for data “in reverse,” by asking the company to turn over records on anyone who searched a specific keyword rather than providing information on a known suspect. The use of these warrants was first revealed by @robertsnellnews (https://twitter.com/robertsnellnews/status/1313560399556509698). It’s not the first time (https://www.forbes.com/sites/thomasbrewster/2017/03/17/google-government-data-grab-in-edina-fraud-investigation/#7d2e50cf7ade) it’s happened, but the use of so-called “keyword warrants” is controversial and could be unconstitutional, per one expert speaking to CNET.
These warrants are similar to geofence warrants, also known as reverse location warrants, which police use to identify who visited a specific geographic area, like a crime scene before the crime was committed. More: @robertsnellnews (https://twitter.com/robertsnellnews/status/1313560399556509698) | @ncweaver (https://twitter.com/ncweaver/status/1314965849590042624?s=20) | @zittrain (https://twitter.com/zittrain/status/1314902773373317120)
Security flaw left ‘smart’ chastity sex toy users at risk of permanent lock-in (https://techcrunch.com/2020/10/06/qiui-smart-chastity-sex-toy-security-flaw/) TechCrunch: Just because a device has an internet connection doesn’t mean it should — and the same can be said for anything you attach to your genitals. Some found out the hard way (no pun intended) after the Qiui “smart” chastity lock had a vulnerability, discovered by Pen Test Partners (https://www.pentestpartners.com/security-blog/smart-male-chastity-lock-cock-up/?=october-5-2020), that meant anyone could easily and remotely lock in anyone — permanently — to the device, requiring a trip to the emergency room to remove. The API bug also exposed real-time locations and messages between users. @alexlomas (https://twitter.com/alexlomas/status/1313445442886283266) explains more. (Disclosure: I wrote this story.) More: Pen Test Partners (https://www.pentestpartners.com/security-blog/smart-male-chastity-lock-cock-up/?=october-5-2020) | Internet of Dongs (https://internetofdon.gs/qiui-chastity-cage/) | @zackwhittaker (https://twitter.com/zackwhittaker/status/1314409070439411712)
A China-linked group repurposed hacking team’s stealthy spyware (https://www.wired.com/story/hacking-team-uefi-tool-spyware/) Wired ($): Chinese-speaking hackers are using UEFI malware apparently repurposed from the Hacking Team files, which were leaked online some five years ago. The malware is particularly powerful as it affects one of the deepest parts of a computer, and can retain persistence even after a computer reboots or is wiped, making it harder to remove. No wonder it’s described as the “Holy Grail” (https://www.zdnet.com/article/chinese-hacker-group-spotted-using-a-uefi-bootkit-in-the-wild/) of attacks. The malware was used as a foothold to install a second-stage payload, dubbed MosaicRegressor.
The malware was found on PCs used by diplomatic staff and NGOs in Asia and Europe, to give you an idea of the kinds of targets involved. More: ZDNet (https://www.zdnet.com/article/chinese-hacker-group-spotted-using-a-uefi-bootkit-in-the-wild/) | Kaspersky (https://securelist.com/mosaicregressor/98849/)
Sandvine tech is used to censor the web from Algeria to Uzbekistan (https://www.bloomberg.com/news/articles/2020-10-08/sandvine-s-tools-used-for-web-censoring-in-more-than-a-dozen-nations?sref=gni836kR) Bloomberg ($): U.S. tech giant Sandvine’s equipment is used by Jordan, Azerbaijan and many other Middle Eastern countries to censor the internet — whether it’s LGBTQ+ websites or news organizations. Its website blocking technology has enabled politically motivated filtering of news and social media, reports Bloomberg, and has been used to block social media sites and messaging apps. The company recently abandoned its business in Belarus after criticism. Its technology is “not intended to thwart human rights or block the broad, free flow of information,” the company said in a statement, fooling precisely nobody. More: Cyberscoop (https://www.cyberscoop.com/sandvine-belarus-contract-censorship-human-rights/) | @rj_gallagher (https://twitter.com/rj_gallagher/status/1314125692163043335)
~ ~
** SUPPORT THIS NEWSLETTER
A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps to maintain its upkeep. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
Five hackers found 55 bugs in Apple products in three months and made $288,500 (https://www.vice.com/en/article/v7g5ea/hackers-found-55-bugs-in-apple-productsmade-dollar51500) Motherboard: A team of five hackers found 55 flaws in Apple’s online services, netting some $288,500 in bug bounty rewards in just three months. One of the worst bugs could’ve allowed an attacker to download data from a victim’s iCloud account. The hackers could also access Apple’s source code repository. @samwcyo (https://twitter.com/samwcyo) blogged the team’s findings (https://samcurry.net/hacking-apple/) in a highly detailed write-up.
Robinhood users say accounts were looted, but had no one to call (https://www.bloomberg.com/news/articles/2020-10-09/robinhood-users-had-accounts-looted-say-there-s-no-one-to-call) Bloomberg ($): Users of stock trading app Robinhood said they had fraudulent transactions on their accounts and balances stolen, but struggled to get in contact with the company. Robinhood said it wasn’t breached, but users said they had two-factor on their account and unique passwords, and hadn’t been duped by malware. One to keep an eye on… ~ ~
** OTHER NEWSY NUGGETS
Breach at food delivery service Chowbus affects hundreds of thousands of customers (https://www.cyberscoop.com/chowbus-breach-personal-data-customers-linxin-wen/?category_news=technology) Well that was awkward: a hacker broke into the systems of food delivery service Chowbus, collected 800,000 rows of customer data, and emailed the data to its customers from the company’s own SendGrid account. Brazen. The data included customer names, email and postal addresses, and more. Later in the day, Chowbus emailed its users — without (https://twitter.com/Johnny___Wang/status/1313006385198624768) an apology. @haveibeenpwned (https://twitter.com/haveibeenpwned/status/1313364264346808320?s=20) loaded the data — and it contained about 444,000 unique email addresses, 58% of which were already in its database.
Facebook debuts bug-bounty ‘loyalty program’ (https://threatpost.com/facebook-bug-bounty-loyalty-program/159993/) Facebook bug bounty hunters will now be categorized into tiers based on their score, signal and number of bugs submitted, which will dictate new bonus percentages. In effect, the more “loyal” you are to breaking Facebook’s platform, the greater the rewards. Facebook’s full post is here (https://www.facebook.com/BugBounty/posts/3964073313606865).
Tyler Technologies paid ransomware gang for decryption key (https://www.bleepingcomputer.com/news/security/tyler-technologies-paid-ransomware-gang-for-decryption-key/) Tyler Technologies, a software giant for the public sector, allegedly paid a ransomware group to get the decryption key for their files, reports Bleeping Computer (https://www.bleepingcomputer.com/news/security/tyler-technologies-paid-ransomware-gang-for-decryption-key/). Tyler initially downplayed (https://www.zdnet.com/article/suspicious-logins-rats-reported-after-ransomware-attack-on-us-govt-contractor/) the incident. But Tyler’s customers later reported suspicious logins and malware on their networks.
~ ~
** THE HAPPY CORNER
Now, it’s time for something a little lighter.
There wasn’t much in the good news bin this week. But @vaitor (https://twitter.com/vaitor/status/1314057167012421632) found an instruction manual for a generator, which really has the answer to everything (https://twitter.com/vaitor/status/1314057167012421632) .
And, this tweet says it all, really. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
Meet this week’s cyber cat, Meow the Lord. (It’s not often we have feline aristocracy in the newsletter but here we are.) As you can see here, Meow the Lord is listening for hackers. Because that’s how it works. A big thanks to Tapas S. for the submission! Please keep sending in (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) your cyber cats! They will always be featured. ~ ~
** SUGGESTION BOX
And that’s a wrap for this week. I’m off next week, so no newsletter (sorry!). The suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is always open for feedback. See you in a couple of weeks. Stay safe and healthy out there!