this week in security — october 14 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 14.
** THIS WEEK, TL;DR
Google Exposed User Data, Feared Repercussions of Disclosing to Public (https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194?mod=e2twd) Wall Street Journal ($): Another major tech company hit by a security incident. Although this wasn’t a breach (https://www.theverge.com/2018/10/9/17957312/google-plus-vulnerability-privacy-breach-law) like Facebook’s, it was serious enough to affect 500,000 Google+ users. But it was only disclosed after the WSJ dug around, once Google had decided it wasn’t going to disclose the flaw. Some (rightfully) accused Google of trying to cover up the incident, sparking another debate (https://www.eff.org/deeplinks/2018/10/google-bug-more-about-cover-crime) about who gets told what when data isn’t actually taken. More: The Verge (https://www.theverge.com/2018/10/9/17957312/google-plus-vulnerability-privacy-breach-law) | EFF (https://www.eff.org/deeplinks/2018/10/google-bug-more-about-cover-crime)
Arrest of Top Chinese Intelligence Officer Sparks Fears of New Chinese Hacking Efforts (https://www.zdnet.com/article/arrest-of-top-chinese-intelligence-officer-sparks-fears-of-new-chinese-hacking-efforts/) ZDNet: After a deterioration in diplomatic relations, it looks like China might be ramping up its hacking operations once again, coinciding with the extradition of a senior Chinese spy earlier this week. More: Justice Dept. (https://www.justice.gov/opa/pr/chinese-intelligence-officer-charged-economic-espionage-involving-theft-trade-secrets-leading) | Recorded Future (https://www.recordedfuture.com/chinese-mss-behind-apt3/) | @alexstamos tweet thread (https://twitter.com/alexstamos/status/1050097838649106432)
Bloomberg Source Casts Doubt on Story’s Veracity (https://appleinsider.com/articles/18/10/08/security-researcher-cited-in-bloombergs-china-spy-chip-investigation-casts-doubt-on-storys-veracity) AppleInsider: If anyone’s still following the Bloomberg “spy chip” brouhaha, AppleInsider surprisingly had a decent breakdown of the recanted claims by the only source named in the original story, which still has so many scrambling for more answers. Patrick Gray’s (https://twitter.com/riskybusiness?lang=en) Risky Business podcast this week (https://risky.biz/RB517_feature/) had on Joe FitzPatrick, who said that once he read the published report that followed his commentary, it “didn’t make sense.” More: Risky Business (https://risky.biz/RB517_feature/) | Motherboard (https://motherboard.vice.com/en_us/article/qv9npv/bloomberg-china-supermicro-apple-hack)
Supermicro Boards Were So Bug-Ridden, Hackers Never Needed Implants (https://arstechnica.com/information-technology/2018/10/supermicro-boards-were-so-bug-ridden-why-would-hackers-ever-need-implants/) Ars Technica: Speaking of that Bloomberg story, Dan Goodin (https://twitter.com/dangoodin001) is back(!) after a hiatus with a look at Supermicro boards — the same implicated by Bloomberg’s report. Hackers had “easier” options than implants because the boards were so buggy — questioning why China ever focused on implants (if at all). More: Cyberscoop (https://www.cyberscoop.com/rob-joyce-bloomberg-story-supply-chain/)
U.S. Government Finally Rolls Out Two-Factor for Federal Domains (https://www.washingtonpost.com/technology/2018/10/08/government-is-rolling-out-factor-authentication-federal-agency-gov-domains/?noredirect=on&utm_term=.352e31d20f34) Washington Post ($): About time! This new policy means that administrators for dot-gov domains will get stronger security for their accounts to prevent domain takeovers. There’s still no word on why the State Dept. doesn’t have two-factor (https://www.fedscoop.com/state-department-multi-factor-cybersecurity-senators-wyden-gardner-paul-markey-shaheen/) across the board, though. More: Fedscoop (https://www.fedscoop.com/gsa-2fa-authentication-dot-gov-websites/) | Dot.Gov (https://home.dotgov.gov/2step/)
Facebook Breach Still Bad, But Not As Bad As First Thought (https://newsroom.fb.com/news/2018/10/update-on-security-issue/) Facebook: It turns out that 30 million users, not 50 million, were affected by last month’s data breach — in which hackers stole user account access tokens. But the scope of data taken was far wider (https://www.reuters.com/article/us-facebook-cyber/facebook-trims-data-breach-to-29-million-users-as-fbi-probes-idUSKCN1MM297) than believed — including location data and other sensitive profile data. Some are pissed that Facebook wasn’t as forthcoming about the exposed data points when it first revealed the breach. More: Reuters (https://www.reuters.com/article/us-facebook-cyber/facebook-trims-data-breach-to-29-million-users-as-fbi-probes-idUSKCN1MM297) | BuzzFeed News (https://www.buzzfeednews.com/article/ryanmac/facebook-data-breach-fbi-investigation) | Quartz (https://qz.com/1422792/heres-how-to-find-out-if-you-were-one-of-the-unlucky-hacked-facebook-accounts/)
DNA Profiling Is Putting People’s Privacy In Jeopardy (http://www.latimes.com/science/sciencenow/la-sci-sn-dna-genealogy-privacy-20181012-story.html) LA Times: A really interesting in-depth report on how learning about our own DNA and ancestry by way of third-party services is putting other people’s privacy at risk. It follows the capture of the so-called Golden State Killer earlier this year (https://www.vox.com/2018/4/27/17290288/golden-state-killer-joseph-james-deangelo-dna-profile-match) after investigators ran his DNA through a public genealogy repository. Background: Vox (https://www.vox.com/2018/4/27/17290288/golden-state-killer-joseph-james-deangelo-dna-profile-match) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Weapons Systems Are A Hot Mess Of Security Flaws (https://techcrunch.com/2018/10/09/watchdog-pentagon-weapons-hack/) TechCrunch: The GAO found major vulnerabilities in the Pentagon’s weapons systems, including default passwords, unpatched systems, and a lack of encryption. In one case, the watchdog’s testers did the old “insert coin” trick just to screw with DOD officials. (Disclosure: This was one of my stories.)
Leaked Transcript Contradicts Google’s Official China Story (https://theintercept.com/2018/10/09/google-china-censored-search-engine/) The Intercept: It was The Intercept that first revealed that Google was bringing a censored version of its search engine to China. Since then, crickets from the company — until an executive confirmed its existence in a Congressional hearing last month. Google’s chief privacy officer Keith Enright said that the censored search engine was still a way out. Turns out, that wasn’t strictly true.
No-One Can Get Cybersecurity Disclosures Right (https://www.wired.com/story/cybersecurity-disclosure-gdpr-facebook-google/) Wired ($): The U.S. is a patchwork of state laws and the EU’s GDPR looks appealing for anyone who wants to reclaim their privacy. With a federal law on the cards, it’s looking likely. @lilyhnewman (https://twitter.com/lilyhnewman) digs into the complexities of reporting breaches to authorities in a short disclosure window.
Mysterious Grey-Hat Is Patching People’s Outdated MikroTik Routers (A mysterious grey-hat is patching people’s outdated MikroTik routers) ZDNet: MikroTik routers are a new target for cryptojackers and botnet operators, with hundreds of thousands of vulnerable routers online today. The hacker, who goes by the name of Alexey, reportedly works as a server administrator and “claims to have disinfected over 100,000 MikroTik routers already.” ~ ~
** OTHER NEWSY NUGGETS
Kanye’s passcode is 000000. Better go to jail: The artist formerly known as Kanye West (now just “Ye,” apparently) was filmed in the Oval Office typing in his iPhone passcode — 000000. Not a great code, but better than nothing. But legally speaking (https://www.buzzfeednews.com/article/kevincollier/password-phone-kanye-cfaa-violation-twitter?bftwnews&utm_term=4ldqpgc#4ldqpgc) , anyone sharing it on Twitter could be violating the CFAA — including me, for this newsletter. Just goes to show that the law is in desperate need of a change. Thanks for being such a buzzkill, @kevincollier (https://twitter.com/kevincollier/status/1035574619556769792?s=21) .
Twitter in GDPR’s crosshairs: When one academic asked Twitter for information on its t.co tracking service (https://t.co/) , the social network said no. Now the Irish authorities are looking into the matter (http://fortune.com/2018/10/12/twitter-gdpr-investigation-tco-tracking/) as a potential GDPR violation. Power to the people.
Cyberscoop’s Leet List is out: Cyberscoop’s top-list of cybersecurity experts and researchers (https://www.cyberscoop.com/2018-cyberscoop-leet-list/) is out — including interviews and profiles on some well-known and famous names — if not a little lackluster in the diversity department.
Apple in anti-encryption rebuke: Apple sent a letter (https://www.documentcloud.org/documents/5001477-Apple-comments-to-Australian-parliament.html) to Australia’s parliament this week on the closing day of responses for its anti-encryption bill. Apple called the bill “dangerously ambiguous” and “alarming to every Australian.” Some strong words there — arguably some of the most critical in years. ~ ~
** GOOD PEOPLE DOING GOOD THINGS
Just one this week because this had me howling with laughter.
@kennwhite (https://twitter.com/kennwhite/) gave us a rare insight (https://twitter.com/kennwhite/status/1051135155539140610) into how his teenage daughter/hacker thinks. Grounded for undisclosed reasons and disallowed from technology, she managed to bypass the lock screen on Kenn’s hardened Chromebook. You should read the whole thread (https://twitter.com/kennwhite/status/1051135155539140610) for the punchline.
There’s a lesson here for everyone — you can spend your days defending against Russia, yet still not consider how badly your kid just wants to watch Netflix. ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is Panky, a handsome kitty who loves hiding from everyone except his human, Cynthia Brumfield (https://twitter.com/metacurity) . (You may need to enable images in this email.) Thanks for your submissions this week. Plenty in the bank for more weeks to come. If you want your cat featured in an upcoming newsletter, email me: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . ~ ~
** SUGGESTION BOX
That’s all for now. I hope you have a great week — and thanks as always for reading. If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . ~ ~