this week in security — october 13 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 39
~ ~
** THIS WEEK, TL;DR
Secret court says FBI warrantless searches were illegal (https://www.thedailybeast.com/secret-court-fbi-warrantless-searches-were-illegal) The Daily Beast: The FISA Court (FISC) has ruled that the FBI’s warrantless searches of Americans’ data collected by the NSA were illegal. These so-called “backdoor searches” are highly controversial because they allow the FBI to snoop on incidentally collected data on Americans, who are largely protected under the Fourth Amendment. On one day in December 2017, the FBI searched NSA databases over 6,800 times. @LizaGoitein (https://twitter.com/LizaGoitein/status/1181967404403957760) has a great tweet thread on why this matters. More: Wall Street Journal ($) (https://www.wsj.com/articles/fbis-use-of-foreign-surveillance-tool-violated-americans-privacy-rights-court-found-11570559882) | @LizaGoitein (https://twitter.com/LizaGoitein/status/1181967404403957760)
‘Kicking out the adversary’: The mission of NSA’s new cyber division (https://www.cyberscoop.com/nsa-cybersecurity-directorate-paul-nakasone-anne-neuberger/) Cyberscoop: The NSA’s new Cybersecurity Directorate is charged with defending sensitive government computers by providing insights on foreign hackers, according to the NSA. That lifts a small-ish mystery on what the new division, which opened on October 1, will do. “It’s about preventing but also kicking out the adversary,” said the NSA. More: @shanvav (https://twitter.com/shanvav/status/1182686035593043968) | Nextgov (https://www.nextgov.com/cybersecurity/2019/10/inside-nsas-new-cybersecurity-directorate/160566/)
Toms Shoes’ mailing list hacked to tell users to log off (https://www.vice.com/en_us/article/a35434/toms-shoes-mailing-list-hacked-hacker-says-log-off) Motherboard: Some friendly advice from a friendly-ish hacker — “log off.” That’s the message thousands of customers received last weekend when a hacker broke into Toms’ email marketing software and sent out a message to customers. No customer data is believed to have been taken. More: @SallyAKaminski (https://twitter.com/SallyAKaminski/status/1180814909862502400) | @SallyAKaminski (https://twitter.com/SallyAKaminski/status/1180786962896211968)
CISA wants to subpoena ISPs to identify vulnerable systems (https://techcrunch.com/2019/10/09/cisa-subpoena-powers-isp-vulnerable-systems/) TechCrunch: DHS’ cybersecurity unit CISA wants new subpoena powers to demand information from internet providers that would identify the owners of vulnerable systems. The idea goes that if CISA finds something vulnerable, it wants to know who to contact to warn them of the threat. But some are worried the powers could be abused, amid questions over how much responsibility the government should have in protecting private businesses. (Disclosure: I wrote this story.) More: Washington Post ($) (https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/10/10/the-cybersecurity-202-there-s-a-fight-brewing-over-homeland-security-s-push-for-subpoena-power/5d9e146888e0fa747e6d520b/) | Politico (https://www.politico.com/newsletters/morning-cybersecurity/2019/10/10/dhs-wants-legal-powers-to-locate-vulnerable-systems-780126)
Twitter misused two-factor numbers and emails for targeting ads (https://help.twitter.com/en/information-and-ads) Twitter: The social media giant used email addresses and phone numbers — supplied by users for two-factor authentication — to target ads at those users. Twitter said it was inadvertent, but it still kicked off a storm of angry users. Facebook was first to be caught out (https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-ads/) doing this; now it’s Twitter’s turn to face the music. More: Wired ($) (https://www.wired.com/story/twitter-two-factor-advertising/) | @lilyhnewman (https://twitter.com/lilyhnewman/status/1182005612634415104) | @matthew_d_green (https://twitter.com/matthew_d_green/status/1182007809539489794)
E-commerce provider hack hit Sesame Street, and more (https://www.cyberscoop.com/sesame-street-website-hacked-magecart/) Cyberscoop: Sesame Street is one of 6,500 websites hit by Magecart hackers, whose aim is to infect websites with credit card stealing malware. The research (https://medium.com/@marcelx/sesame-street-volusion-customers-are-comprised-how-the-cookie-monster-is-stealing-cc-numbers-21eb51ec613b) shows the skimmer reached the sites through their e-commerce provider, Volusion, and that credit card numbers were skimmed, though the total number of affected users remains unknown. Sesame Street’s store was shuttered following the incident. More: Medium (https://medium.com/@marcelx/sesame-street-volusion-customers-are-comprised-how-the-cookie-monster-is-stealing-cc-numbers-21eb51ec613b) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Senator proposes mandatory labeling for products with mics, cameras (https://arstechnica.com/tech-policy/2019/10/senator-proposes-mandatory-labeling-for-products-with-mics-cameras/) Ars Technica: A new Senate bill would mandate that all devices with a microphone or camera be labeled as such, in order to avoid any privacy breaches or other surprises down the line. Sen. Cory Gardner (R-CO), who co-chairs the Senate Cybersecurity Caucus, said the full disclosure approach would help protect consumer privacy.
Smaller medical providers get burned by ransomware (https://www.wsj.com/articles/smaller-medical-providers-get-burned-by-ransomware-11570366801) Wall Street Journal ($): Smaller healthcare providers, like doctors’ offices and dentists, are struggling in the face of ransomware attacks. The Journal said it’s because they don’t have the resources to fend off attacks. Some are solo practitioners. Just earlier this month, a smaller U.S. healthcare provider went out of business (https://twitter.com/GossiTheDog/status/1179144748449304577) after it was hit by ransomware.
FBI warns of major ransomware attacks (https://arstechnica.com/information-technology/2019/10/fbi-warns-of-major-ransomware-attacks-as-criminals-go-big-game-hunting/) Ars Technica: Speaking of ransomware… the FBI is warning (https://www.ic3.gov/media/2019/191002.aspx) businesses of major ransomware attacks as criminals go “big-game hunting.” There’s no specific threat of an incoming ransomware attack, but supporting data from Crowdstrike suggests a rise in big-name attacks over the past 18 months.
A controversial plan to encrypt more of the internet (https://www.wired.com/story/dns-over-https-encrypted-web/) Wired ($): There’s a storm brewing over DoH — DNS over HTTPS (or its sibling DoT, DNS over TLS, for the “TLS” crowd) — a way of encrypting DNS queries so that they can’t be read or tampered with on the wire, which many say will help make the internet safer and more secure. The other side — mostly internet providers — aren’t happy at the idea of encrypted DNS queries, as it makes selling your data (https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/) to other companies much harder. Others are worried that it’ll also make it more difficult to detect malware on a network by watching DNS traffic, a far more valid concern, though others say that concern, too, is overblown.
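To make the DoH point concrete, here is an added example (not from the newsletter or from any of the articles it links) showing what a DNS-over-HTTPS query looks like on the wire per RFC 8484: the same DNS message that would normally travel unencrypted over UDP port 53 is base64url-encoded into an HTTPS GET to the resolver, so a network monitor sees only a TLS connection to a web host. The resolver URL is Cloudflare’s public endpoint, used here only to build a string; the response message is constructed locally so the whole thing runs offline.

```python
"""
Added example: build an RFC 8484 DNS-over-HTTPS GET URL for an A-record query
and parse a (constructed) DNS answer.  Nothing here contacts the network.
"""
import base64
import struct

# Public DoH endpoint; only used to format the URL string in this example.
DOH_URL = "https://cloudflare-dns.com/dns-query"

TYPE_A = 1
CLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Standard recursive query.  RFC 8484 recommends ID 0 so identical
    queries produce identical URLs and can be cached by HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(name: str, base: str = DOH_URL) -> str:
    """GET form of DoH: '?dns=' + base64url(message) with padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                # the pointer itself is 2 bytes long
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes):
    """Return [(owner, ttl, dotted_ip)] for IN A records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                       # RCODE other than NOERROR
        raise ValueError(f"resolver returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    out = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            out.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return out


def build_response(query: bytes, ips, ttl: int = 300) -> bytes:
    """Constructed reply for the example: echo the question and answer with
    A records whose owner name is a 0xC00C pointer back to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1 RD=1 RA=1
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answers


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("example.com"))        # what the network sees: an HTTPS URL
    print(parse_a_records(build_response(q, ["93.184.216.34"])))
```

The practical consequence for the monitoring concern the article raises: a sensor on port 53 sees nothing, because the query above is carried inside TLS to a host that also serves ordinary web traffic. Detection has to move to the endpoint (resolver logs, enterprise resolver policy) or to recognising the DoH endpoint itself, rather than reading queries off the wire.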
Newsrooms, let’s talk about G Suite (https://freedom.press/training/blog/newsrooms-lets-talk-about-gsuite/) Freedom of the Press Foundation: There isn’t a reporter out there who doesn’t love Google Docs for collaborative writing and editing. But a new blog post warns of the risks for enterprise users. “Documents within your G Suite domain are not end-to-end encrypted, meaning that Google has everything they need to read your data,” writes @mshelton (https://twitter.com/mshelton). “This insight into user data means that U.S. agencies have the ability to compel Google to hand over relevant user data to aid in investigations.” It’s a friendly reminder to be mindful of your use cases. ~ ~
** OTHER NEWSY NUGGETS
A hacker stole 250,000 user details from a Dutch sex work site (https://www.vice.com/en_us/article/d3a5gy/hacker-stole-user-account-details-from-a-dutch-sex-work-site-hookers-nl) Bad news if you’re one of the 250,000 users of a Dutch sex work forum: a hacker stole the account details by exploiting a flaw in vBulletin, a popular forum software. The breach could be used to identify users on the platform, the report says. The news was first reported by the Dutch Broadcast Foundation (https://nos.nl/artikel/2305470-e-mailadressen-bezoekers-prostitutieforum-uitgelekt-en-te-koop-aangeboden.html).
Amazon workers may be watching your Cloud Cam (https://www.bloomberg.com/news/articles/2019-10-10/is-amazon-watching-you-cloud-cam-footage-reviewed-by-humans) Not a major surprise for anyone who read that contractors are listening to their Echo recordings (https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio), but it’s a major privacy invasion nonetheless. Amazon auditors are said to annotate some 150 video recordings a day as part of Amazon’s efforts to improve its AI algorithms. But as Bloomberg notes: “Nowhere in the Cloud Cam user terms and conditions does Amazon explicitly tell customers that human beings are training the algorithms behind their motion detection software.”
Bruce Schneier slams Australia’s encryption laws amid speaker bans (https://www.zdnet.com/article/schneier-slams-australias-encryption-laws-cybercon-speaker-bans/) Well-known cryptographer and computer security expert Bruce Schneier was this week highly critical of the Australian government for its “draconian” laws forcing companies to break encryption. He was speaking at CyberCon, amid claims that the conference dumped two speakers — including an NSA whistleblower — just days before they were set to attend.
Multiple D-Link routers vulnerable to unauthenticated security flaw (https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce.html) Several D-Link routers are at risk from an unauthenticated remote code execution vulnerability, which D-Link has no plans to fix because the devices are end-of-life, despite the flaw being considered a high security risk. The flaw can be used to retrieve the router’s admin password or install a backdoor on the router; if you still run one of the affected models, the only real fix is to replace it. ~ ~
** THE HAPPY CORNER
Two nuggets of good news this week:
You have to read this excellent example of why you should be mindful when you talk in airport lounges (or anywhere, for that matter). Hackers are everywhere. Here’s @deviantollam (https://twitter.com/deviantollam/status/1181331235957657601?s=21) with a tweet thread on how running your mouth can get you into trouble.
And for anyone interested in the innards of a credit card, @dcuthbert (https://twitter.com/dcuthbert/status/1181522099887906818) has you sorted. In this tweet thread, he dives into how the card works — and what the future holds for NFC-enabled cards. If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Dimple. Looks cute, but can social engineer their way into your bank accounts as you sleep. Many thanks to @ali_crockford (https://twitter.com/ali_crockford) for the submission. (You may need to enable images in this email.) Please keep sending in your cyber cats. Send them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). ~ ~
** SUGGESTION BOX
And that’s a wrap for another week. There was no newsletter last week (I was off). Feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Back in the saddle next Sunday. Have a great week. ~ ~