this week in security — october 27 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 41
~ ~
** THIS WEEK, TL;DR
Avast, NordVPN breaches tied to phantom user accounts (https://krebsonsecurity.com/2019/10/avast-nordvpn-breaches-tied-to-phantom-user-accounts/#more-49296) Krebs on Security: Two major breaches on the same day. Avast disclosed a months-long intrusion while NordVPN said a server was hacked but denied that user data was affected. Both attacks were tied to “phantom” accounts: user accounts that granted remote access but were never removed or locked down. The breach at NordVPN is an interesting one (https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/) — Ars Technica has a great explainer on what happened. @dguido (https://twitter.com/dguido) had some interesting comments. More: Avast (https://blog.avast.com/ccleaner-fights-off-cyberespionage-attempt-abiss) | Ars Technica (https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/)
Alexa and Google Home abused to eavesdrop and phish passwords (https://arstechnica.com/information-technology/2019/10/alexa-and-google-home-abused-to-eavesdrop-and-phish-passwords/) Ars Technica: Turns out your voice-controlled speaker can be used to spy on you. Who knew? Malicious apps developed by German white-hat hackers Security Research Labs posed as horoscope and random number generating apps, but were silently eavesdropping. “The apps quietly logged all conversations within earshot of the device and sent a copy to a developer-designated server,” wrote @dangoodin001 (https://twitter.com/dangoodin001). Both Amazon and Google said they are strengthening their review of potentially malicious third-party apps. More: Smart Spies: YouTube (https://www.youtube.com/watch?v=X2gddqD1wUI) | Security Research Labs (https://srlabs.de/bites/smart-spies/)
Inside the phone company secretly run by drug traffickers (https://www.vice.com/en_us/article/wjwbmm/inside-the-phone-company-secretly-run-by-drug-traffickers) Motherboard: Literally was on the edge of my seat the whole time reading this. Motherboard looks at MPC, ostensibly an encrypted phone maker, but was really run by a violent gang of drug traffickers from the U.K. Two of them are likely somewhere in South America. More: @josephfcox tweets (https://twitter.com/josephfcox/status/1186641956044189698) | (https://twitter.com/josephfcox/status/1186665640096141313)
Why did Cybercom back off plans to call out North Korea? (https://www.cyberscoop.com/cyber-command-north-korea-lazarus-group-fastcash/) Cyberscoop: U.S. Cyber Command was on the verge of publicly calling out North Korean hackers (again) for targeting the financial sector in late September, but ultimately backed off the plan by October. It comes as the offensive cyber-ops division uploaded malware samples to VirusTotal, but hours later talks between Washington and Pyongyang resumed. More: Cyberscoop (https://www.cyberscoop.com/lazarus-group-hacking-malware-cyber-command/) | TechCrunch (https://techcrunch.com/2019/08/15/cyber-command-north-korea-malware/) | ZDNet (https://www.zdnet.com/article/a-ddos-gang-is-extorting-businesses-posing-as-russian-government-hackers/)
White House kicks infosec team to curb in IT office shakeup (https://arstechnica.com/information-technology/2019/10/white-house-guts-infosec-team-posturing-itself-to-be-compromised-again/) Ars Technica: A memo published this week revealed changes that gutted the White House IT and security shop, but not without the swift rebuke of one senior official, who said staffers were “systematically targeted” for removal by the administration. More: Axios (https://www.axios.com/scoop-cyber-memo-warns-of-new-risks-to-white-house-network-9aa19c6c-77a3-485b-919b-1dd9bd691514.html)
NSA cyber chief: We need to declassify more intel (https://www.cyberscoop.com/anne-neuberger-nsa-threat-intelligence-cyber-talks-2019/) Cyberscoop: Another strong story from Cyberscoop this week. Anne Neuberger, who runs NSA’s new cybersecurity directorate, said NSA needs to “work” on getting more threat intelligence declassified to help the private sector. At least there’s the admission, but the wheels of government turn slowly. That’s one government promise many will want to keep their eyes on. More: TechCrunch (https://techcrunch.com/2019/10/03/lack-cybersecurity-professionals-threat-dhs/)
New York Times abruptly eliminates Runa Sandvik’s infosec position (https://boingboing.net/2019/10/23/sitting-ducks-r-us.html) Boing Boing: Runa Sandvik, a highly respected security expert, was fired (https://twitter.com/runasand/status/1186775481615605760) from The New York Times this week, where she had worked for more than three years securing the newsroom and protecting journalists from cyber-threats. It comes as the new CISO sent an email saying there’s no need for a cybersecurity director “dedicated solely” to the newsroom. Many reporters (https://twitter.com/gabrieldance/status/1186791175434526720) — some of whom aren’t (https://twitter.com/a_greenberg/status/1186786727530323970) at the Times — praised (https://twitter.com/josephfcox/status/1186778165798166531) her work. More: @runasand tweets (https://twitter.com/runasand/status/1186775481615605760) | @micahflee (https://twitter.com/micahflee/status/1186782003317923841) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Comcast lobbying against encryption that would protect browsing histories (https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data) Motherboard: A leaked presentation shows Comcast is actively lobbying lawmakers against DNS-over-HTTPS (DoH), which encrypts DNS lookups so they can’t be read in transit. The internet provider says DoH will make it more difficult to sell users’ private browsing histories — which ISPs are allowed to do (https://www.vice.com/en_us/article/538kqn/heres-the-data-republicans-just-allowed-isps-to-sell-without-your-consent) (thanks FCC (https://www.zdnet.com/article/fcc-chairman-browsing-history-freedom-of-information/)). Apparently Cloudflare, a major DoH provider, doesn’t pay (https://www.zdnet.com/article/mozilla-cloudflare-doesnt-pay-us-for-any-doh-traffic/) browser maker Mozilla for any DoH traffic.
Iranian hacking group targeted satellite industry nerds (https://www.thedailybeast.com/iranian-hacking-group-targeted-us-satellite-companies?source=twitter&via=desktop) The Daily Beast: Court documents show that the FBI believes Iranian hackers — known as MRSCO and N3O — have targeted and breached computers of the American satellite technology industry. The group sent poisoned emails in an effort to “hack people in the U.S. satellite industry.”
How American schools spy on millions of kids (https://www.theguardian.com/world/2019/oct/22/school-student-surveillance-bark-gaggle) The Guardian: Here’s a deep but also terrifying dive into how schools spy on their students, an effort fueled by a fear of mass shootings. From monitoring emails to online chats, schools have little idea how wide the surveillance goes, “even though there’s no evidence that it will positively impact the problem.” Here’s a really good tweet thread (https://twitter.com/Iwillleavenow/status/1186633650995023874) by @iwillleavenow (https://twitter.com/Iwillleavenow), a privacy and data security attorney, who annotated the story. ~ ~
** OTHER NEWSY NUGGETS
Georgia Supreme Court says police need warrant for in-car systems (https://twitter.com/NateWessler/status/1186307804702871554) A win for Fourth Amendment advocates: the Georgia Supreme Court said cops now need a warrant to obtain information from in-car systems, such as data generated in the event of a crash. “This is the first state supreme court to recognize the danger of warrantless access to the unprecedented types and quantities of personal data collected by modern cars,” said @NateWessler (https://twitter.com/NateWessler/status/1186309173644017664), an ACLU attorney. The ACLU has a blog post (https://www.aclu.org/blog/privacy-technology/surveillance-technologies/our-cars-are-now-roving-computers-fourth-amendment) from May on the topic.
Microsoft has a new secured-core PC initiative to prevent firmware attacks (https://arstechnica.com/gadgets/2019/10/microsoft-secured-core-pc/) Microsoft has a new hardware security initiative — the so-called secured-core PC. The aim is to protect against firmware-level attacks. Although uncommon, they can be considerably damaging when successful, since the implant sits below the operating system and persists across reboots and OS reinstalls. Ars has a technical writeup on how this extension of the hardware root of trust works.
FTC bans company from selling ‘stalkerware’ (https://www.vice.com/en_us/article/7x5m5a/ftc-bans-retinax-from-selling-stalkerware) The FTC has banned a stalkerware company from selling its spouse-spying software unless it takes measures to ensure the software is used only for legitimate purposes. The FTC’s announcement (https://www.ftc.gov/news-events/press-releases/2019/10/ftc-brings-first-case-against-developers-stalking-apps) said it was the “first action” it’s taken against a stalkerware app-maker, Retina-X, whose apps are “designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses,” according to the agency. ~ ~
** THE HAPPY CORNER
From the department of good news:
BBC News has taken to the dark web (https://www.bbc.com/news/technology-50150981) to help circumvent censorship. BBC is banned in several countries, but can now be accessed using the Tor Browser. The main website’s dark web address is bbcnewsv2vjtpsuy.onion (https://www.bbcnewsv2vjtpsuy.onion/) but the news portion of the site runs under a different URL. According to @EdOverflow (https://twitter.com/edoverflow/status/1187054336104390656?s=21), the site also has a security.txt file for reporting security vulnerabilities. Great!
NBC reporter @adielkaplan (https://twitter.com/adielkaplan/status/1186301745238085633) got a FOIA request back with an inexplicable redaction. Somehow this watermelon contains “commercial confidential information.”
The Freedom of the Press Foundation, which was the fiscal sponsor for the encrypted messaging app Signal, announced that the Signal Technology Foundation is now a non-profit, and can accept tax-deductible donations directly. That’ll help keep the messaging app secure (ba-dum-tssk) (https://signal.org/donate/) down the line.
And finally. I was in a documentary about @MalwareTechBlog (https://twitter.com/MalwareTechBlog), and how he stopped the WannaCry ransomware and his subsequent arrest and court battle. It’s a really well-made story, which features Hutchins himself. You can watch it here (https://twitter.com/zackwhittaker/status/1187809734243639296). If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter). ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercat is Iggly. You’ll never have a rogue device on your network again — Iggly watches everything. A big thanks to @oldengold (https://twitter.com/oldengold) for the submission. (You may need to enable images in this email.) We’re in a cybercat drought. Please send in your cybercats today! They’ll always be featured, on a first come, first served basis. Send them in here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.). Looking forward to featuring them! ~ ~
** SUGGESTION BOX
That’s all for now. A big thanks for reading. As always, if you have any feedback, please drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). See you same time next Sunday. ~ ~