this week in security — october 20 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 40
~ ~
** THIS WEEK, TL;DR
U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack (https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-of-saudi-oil-attack-officials-idUSKBN1WV0EK?il=0) Reuters: After the drone strike that almost blew up a Saudi oil facility last month, the U.S. carried out a “secret cyberstrike” on Iran, which it blames for the attack. Details are limited, but the operation reportedly targeted Tehran’s “ability to spread propaganda” and involved physical hardware. It’s one of a handful of cyberstrikes taken by the U.S. in recent months (https://news.yahoo.com/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html) , as the U.S. increasingly favors disruptive cyber action over real-world, potentially fatal kinetic attacks. Background: Yahoo News (https://news.yahoo.com/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html)
BriansClub hack rescues 26 million stolen cards (https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/) Krebs on Security: Fraud bazaar BriansClub, named (without his consent) after the prolific cybersecurity reporter Brian Krebs, has been hacked, liberating some 26 million stolen credit card details that have since been shared with the issuing banks. It’s not known precisely how many are still valid, but it’s said to be about half. More: Krebs on Security (https://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/)
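An added example, not from Krebs’ story or any bank’s fraud tooling, of the first pass a fraud team would run over a card dump like this to estimate how many records could still be usable: a card counts as “live” only if the PAN passes the Luhn checksum and its expiry month has not passed as of a reference date. The dump rows and their PAN|MM/YY|label layout are constructed for this example (the PANs are well-known test numbers), and the 20 October 2019 reference date is an assumption.

```python
"""Added example (not from the Krebs story or any real carding-shop export):
triage a stolen-card dump by Luhn checksum and expiry date."""
from datetime import date
import re

# Constructed sample rows: PAN|MM/YY|issuer label. The layout is an assumption.
# The PANs are published test numbers, not real cards.
SAMPLE_DUMP = """\
4111111111111111|12/21|VISA
5555555555554444|03/19|MC
4111111111111112|11/22|VISA
378282246310005|09/20|AMEX
6011111111111117|01/18|DISC
4012888888881881|07/23|VISA
"""

# Reference "today" for the expiry check (assumption: the week of this issue).
REFERENCE_DATE = date(2019, 10, 20)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit from the right.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_ok(mmyy: str, today: date) -> bool:
    """A card is usable through the last day of its expiry month."""
    m = re.fullmatch(r"(\d{2})/(\d{2})", mmyy)
    if not m:
        return False
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    if not 1 <= month <= 12:
        return False
    # The first day of the following month is the first day it is expired.
    first_expired = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    return today < first_expired


def triage_cards(dump: str, today: date) -> dict:
    """Classify each row; report counts and only masked PANs for the live ones."""
    counts = {"total": 0, "bad_checksum": 0, "expired": 0, "live": 0, "live_masked": []}
    for line in dump.splitlines():
        if not line.strip():
            continue
        pan, mmyy, _issuer = line.split("|")
        counts["total"] += 1
        if not luhn_ok(pan):
            counts["bad_checksum"] += 1
        elif not expiry_ok(mmyy, today):
            counts["expired"] += 1
        else:
            counts["live"] += 1
            # Never keep full PANs in a report: first six and last four only.
            counts["live_masked"].append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return counts


if __name__ == "__main__":
    print(triage_cards(SAMPLE_DUMP, REFERENCE_DATE))
```

Luhn and expiry are only the cheap filters; a passing card can still already be blocked by the issuer, which is why the “about half still valid” figure in the story came from the banks, not from the dump alone.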
Malware that spits cash out of ATMs spread across the world (https://www.vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world) Motherboard, Bayerischer Rundfunk: The two outlets found that a popular piece of ATM malware, known as Cutlet Maker, is spreading across the world. The malware makes an ATM dispense all of its cash (yes, like the movies). This so-called “jackpotting” has become increasingly popular with some criminals, particularly in the U.S. More: Securelist (https://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/) | Kaspersky (https://www.kaspersky.com/about/press-releases/2017_atm-jackpotting-for-dummies-kaspersky-lab-identified-cutlet-maker)
Feds take down world’s ‘largest dark web child porn marketplace’ (https://www.nbcnews.com/news/crime-courts/feds-take-down-world-s-largest-dark-web-child-porn-n1066511) NBC News: NBC broke the news this week that the feds had seized and dismantled the “largest” child abuse site on the dark web. Hundreds of pedophiles were arrested and 23 children were rescued. This story ran a little personal for me. I knew that hackers broke into the site two years earlier, but couldn’t report on it at the time, fearing I would blow wide open an active investigation. Here’s my story (https://techcrunch.com/2019/10/16/dark-web-hacker-group-government/) . More: TechCrunch (https://techcrunch.com/2019/10/16/dark-web-hacker-group-government/) | Justice Dept. (https://www.justice.gov/opa/pr/south-korean-national-and-hundreds-others-charged-worldwide-takedown-largest-darknet-child)
Is your sex toy spying on you? (https://www.elle.com/culture/tech/a28846210/smart-sex-toy-dildo-butt-plug-hacking/) Elle: This report, featuring sex tech security experts Render Man (https://twitter.com/ihackedwhat) and Nicole Schwartz, looks at internet connected sex toys, or teledildonics. It’s a fascinating insight into the security research underway at the moment, particularly with regard to how these devices handle the privacy of their users. Spoiler alert: they often don’t. More: Internet of Dongs (https://internetofdon.gs/)
Anyone’s thumbprint can unlock Samsung’s Galaxy S10 phone (https://www.bbc.com/news/technology-50080586) BBC News: A bad week for smartphone biometrics. Samsung’s Galaxy S10 shipped with a flaw in its in-display fingerprint reader: once a cheap gel screen protector is fitted, the sensor accepts anyone’s fingerprint, not just the enrolled one. A fix is expected (https://www.reuters.com/article/us-samsung-elec-smartphone/samsung-to-patch-galaxy-s10-fingerprint-problem-idUSKBN1WW0Q5) next week. In the same week, Google’s Pixel 4 had a related unlock problem: its face unlock doesn’t check (https://www.bbc.com/news/technology-50085630) that the user’s eyes are open, so the phone can be unlocked while its owner is asleep or unconscious. More: Reuters (https://www.reuters.com/article/us-samsung-elec-smartphone/samsung-to-patch-galaxy-s10-fingerprint-problem-idUSKBN1WW0Q5) | BBC News (https://www.bbc.com/news/technology-50085630)
Cozy Bear kept going after 2016 election (https://www.cyberscoop.com/cozy-bear-return-espionage-russian-hacking/) Cyberscoop: New research this week shows that Cozy Bear (also known as APT29 or the Dukes), the group linked to the Kremlin, never stopped hacking after the 2016 election. Its targets included think tanks and European ministries of foreign affairs, activity FireEye had already noted last year (https://www.cyberscoop.com/russian-hackers-apt-fancy-bear-cozy-bear-palo-alto-fireeye/) . More: ESET (https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/)
Baltimore blew off a ransomware demand, found its data wasn’t backed up (https://www.techdirt.com/articles/20191004/19564743128/city-baltimore-blew-off-76000-ransomware-demand-only-to-find-out-bunch-data-had-never-been-backed-up.shtml) Techdirt: Well this is awkward. After Baltimore was hit by ransomware earlier this year, the city’s IT director blew off the $76,000 ransom demanded by the attackers, believing the city had its data backed up. Turns out the data had never been backed up to the cloud or anywhere else off the machines: it lived on local drives, and those were the drives the ransomware encrypted. A backup you’ve never test-restored from isn’t a backup. More: Ars Technica (https://arstechnica.com/information-technology/2019/09/whats-a-backup-baltimore-city-it-kept-data-on-local-drives/) | Baltimore Sun (https://www.baltimoresun.com/politics/bs-md-ci-audit-it-20190927-23hrwbtdyzcu7lmmwdqzbmzja4-story.html) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Mailing giant Pitney Bowes hit by ransomware attack (https://finance.yahoo.com/news/mailing-services-firm-pitney-bowes-132201261.html) Reuters, Pitney Bowes: For a sizable and damaging security incident, Pitney Bowes was surprisingly open and transparent. It was hit by ransomware on Monday and took all week to recover to full capacity. The company’s status update page (https://maintenance.pb.com/pbcom/outage.html) was updated regularly, sometimes adding new information several times in an hour (I kept track!), to keep users informed. The company blamed the Ryuk ransomware (https://twitter.com/zackwhittaker/status/1184826821583523840) . Later, @2sec4u (https://twitter.com/2sec4u/status/1185242023940501506) found evidence of Emotet in its systems before the Ryuk infection, consistent with the familiar pattern of Emotet getting a foothold first and Ryuk being deployed afterwards.
French TV channel M6 hit by ransomware (https://lexpansion.lexpress.fr/high-tech/piratage-informatique-apres-m6-d-autres-medias-francais-alertes_2103513.html) L’Express: Keeping with the ransomware theme, @fs0c131y (https://twitter.com/fs0c131y/status/1183731367059873792) reported that M6, one of the largest TV channels in France, was also hit by an unknown ransomware strain. L’Express (in French), a large magazine in France, said email and phones were knocked offline and the French agency that handles cyber incidents stepped in. But M6 stayed on the air, which is more than can be said for The Weather Channel, which was pulled from live broadcasting during its incident (https://www.wsj.com/articles/weather-channel-knocked-off-air-for-over-an-hour-11555611840) earlier this year.
Chrome rolls out new protections preventing password theft (https://arstechnica.com/information-technology/2019/10/chrome-rolls-out-new-protections-preventing-password-and-data-theft/) Ars Technica: Chrome 77 extends site isolation, the scheme that renders each site in its own process. Site isolation first shipped to blunt Spectre-style side channels; the Chrome 77 changes aim to hold up even against a fully compromised renderer, so a malicious site that gains code execution in its own process still can’t read the cookies, saved passwords or page data belonging to other sites. “Even if a malicious site is able to bypass Spectre and Meltdown mitigations processor makers have added to their chips over the past 20 months, attacking websites won’t be able to access any data that’s worth stealing,” reports @thepacketrat (https://twitter.com/thepacketrat) .
‘Clinical computer security’ for victims of domestic abuse (https://www.usenix.org/conference/usenixsecurity19/presentation/havron) Usenix: Flagged from a tweet by @evacide (https://twitter.com/evacide/status/1183896674306904064) , a USENIX Security paper lays out a clinical, consultation-style approach to helping victims of partner and spousal abuse who worry their devices are compromised. It’s an excellent resource for anyone who thinks their phone or computer has spyware on it. There’s also a video (https://www.youtube.com/watch?v=YsFZ3OxwWN0) of the presentation. Bookmark this page; you never know who might find it useful.
Cyber Command’s bug bounty program uncovers dozens of flaws (https://www.cyberscoop.com/cyber-command-bug-bounty-hacker-one/) Cyberscoop: Ethical hackers found 30 “high severity” and “critical” vulnerabilities in the Defense Dept.’s networks, earning over $33,000 in payouts. The effort is meant to help the Pentagon fix a slew of issues in VPNs, proxies and virtual desktops across its networks, amid ongoing concern that hackers could be exploiting them. Just this week, Homeland Security warned (https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn) of flaws in Pulse Secure’s VPN (again). ~ ~
** OTHER NEWSY NUGGETS
UK’s controversial ‘porn block’ plan is scrapped (https://www.bbc.com/news/technology-50073102) The U.K. government has dropped its plan to force adult sites to roll out mandatory age verification checks to stop under-18s from accessing porn. In what was one of the most ill-conceived ideas to date, the government said it would reconsider the proposal in the future. Just be glad there’s no central database of everyone’s viewing habits waiting to get stolen. @MalwareTechBlog (https://twitter.com/MalwareTechBlog/status/1184562184229015557) ‘s hot take was very on point.
How to report on a data breach (https://www.cjr.org/tow_center/data-breach.php) If any security writers or reporters out there need some helpful tips on how to report on a data breach, @lorenzoFB (https://twitter.com/lorenzofb) has you covered. As one of the best security reporters out there, he walks you through how to report, confirm and verify that a breach is real. And given that you can’t just log in with someone’s stolen credentials to test them, you’d be surprised at how difficult verifying data can be.
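As an added example (not part of the CJR guide, and not any reporter’s tooling), here is the kind of first pass you can run over a claimed breach dump without ever touching the victim site or trying a credential: let the data speak for itself. It identifies the password hash format per row, flags salted hashes that repeat across users (bcrypt salts per password, so identical bcrypt hashes across different accounts are a strong sign of fabricated or copy-pasted rows), checks that against the format the breached site is supposed to use, and counts malformed rows. The email:hash rows are constructed for this example, and the claim that the source uses bcrypt is an assumption passed in by the caller.

```python
"""Added example (not from the CJR guide): offline sanity checks on a claimed
breach dump. No credential is ever tried against anything."""
import re
from collections import Counter

# Constructed sample rows in "email:hash" form; the layout is an assumption.
SAMPLE_ROWS = [
    "alice@example.com:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "bob@example.org:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "carol@example.net:5f4dcc3b5aa765d61d8327deb882cf99",
    "dave@example.com:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "not-an-email:deadbeef",
    "erin@example.com:2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
]

# Recognised hash formats, checked in order. Unsalted hex digests are told
# apart only by length, so "md5" here means "32 hex chars", not proof of MD5.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("sha1", re.compile(r"^[0-9a-f]{40}$")),
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
]
SALTED_FAMILIES = {"bcrypt"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_hash(h: str) -> str:
    """Name the hash family a string looks like, or 'unknown'."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(h):
            return name
    return "unknown"


def triage_dump(rows, claimed_family=None) -> dict:
    """Summarise a dump and list the warning signs a reporter should chase.

    claimed_family: the hash format the breached site is believed to use
    (an assumption supplied by the caller, e.g. "bcrypt").
    """
    families = Counter()
    hashes = Counter()
    bad_email = 0
    for row in rows:
        email, _, h = row.partition(":")
        if not EMAIL_RE.match(email):
            bad_email += 1
        families[classify_hash(h)] += 1
        hashes[h] += 1

    warnings = []
    max_shared = 0
    if hashes:
        top_hash, max_shared = hashes.most_common(1)[0]
        if max_shared > 1 and classify_hash(top_hash) in SALTED_FAMILIES:
            warnings.append(
                f"{max_shared} rows share one {classify_hash(top_hash)} hash; "
                "salted hashes should never repeat across users"
            )
    if claimed_family is not None:
        mismatched = sum(c for f, c in families.items() if f != claimed_family)
        if mismatched:
            warnings.append(
                f"{mismatched} of {len(rows)} rows are not {claimed_family}, "
                "which the source is believed to use"
            )
    if bad_email:
        warnings.append(f"{bad_email} rows have malformed email addresses")

    return {
        "total": len(rows),
        "families": dict(families),
        "bad_email": bad_email,
        "max_shared_hash": max_shared,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for w in triage_dump(SAMPLE_ROWS, claimed_family="bcrypt")["warnings"]:
        print("WARNING:", w)
```

None of these checks proves a dump is genuine; they only tell you when it is probably not, which is the cheap half of verification. The expensive half is the one the guide describes: going to the people in the data and the company that supposedly lost it.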
Teens find circumventing Apple’s parental controls is child’s play (https://www.washingtonpost.com/technology/2019/10/15/teens-find-circumventing-apples-parental-controls-is-childs-play/) This Washington Post ($) story is an interesting read: teenagers are circumventing the Apple controls meant to stop kids from spending too much time on their phones. “Intrepid youngsters have exploited bugs and workarounds,” the Post reports. Can’t help but think of the positives, though. This could be spurring on a whole new generation of hackers. ~ ~
** THE HAPPY CORNER
Here’s some really good news from this week:
I’m a huge fan of OnionShare (https://github.com/micahflee/onionshare) , a free “SecureDrop-light” file sharing app that uses the Tor network for anonymity and encryption. It’s a really solid app, and great for moving files from one place to another securely and privately. @micahflee (https://twitter.com/micahflee) has released a new version, which now lets users publish uncensorable websites with ease. It’s a great addition (https://micahflee.com/2019/10/new-version-of-onionshare-makes-it-easy-for-anyone-to-publish-anonymous-uncensorable-websites/) to the tool, which lets users host their own sites on the dark web with just a few clicks of a button. A great way to bypass censorship quickly and easily.
In other news, @Timcammm (https://twitter.com/Timcammm/status/1183782929614409729) lost his wallet. The person who found it sent four payments of 1 penny, each with an 18-character reference, spelling out their phone number so Tim could get the wallet back. Brilliant.
@IanColdwater (https://twitter.com/IanColdwater/status/1184624771243368448) is back with a thread on how to pick a conference talk. This tweet thread will help you decide what you want to talk about.
And, for anyone interested, I sat down with @DAkacki (https://twitter.com/DAkacki) (albeit over the internet) for a 40-minute chat about life, journalism, security and more. So if you’ve never put a name to the face, feel free to have a watch (https://twitter.com/DAkacki/status/1184874887040688133) . (We start about 17 minutes in.) If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CATS
This week’s cybercats are Emma (left) and Lucy (right). The more the merrier, I say! A big thanks to @shanvav (https://twitter.com/shanvav) for the double submission. (You may need to enable images in this email.) Make sure you send in your cybercats! They’ll always be featured. Send them in here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s it for this week. Thanks again for reading — we’re very close to the 4,000 subscriber mark! If you have any feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you next week. ~ ~