this week in security — october 28 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 15.
~ ~
** THIS WEEK, TL;DR
Texas’ Long History of Problems With Hart eSlate Voting Machines (https://techcrunch.com/2018/10/26/texas-voting-machines-changing-votes-hart-eslate/) TechCrunch: Alarming news from Texas after several people reported that the ballot they cast on a state electronic voting machine was selecting the wrong candidate. (You had one job, little voting machine.) The Texas Secretary of State’s office said it was because people were voting while the page was rendering — so, not human error. Surely that’s fixable? According to the Texas government, not so much, which said it was a “very widespread misconception” that they can update the machines. What a hot mess. More: Associated Press (https://www.apnews.com/a8825810d10441f2ad828e95d6851d55) | Texas Secretary of State (https://www.sos.state.tx.us/elections/laws/advisory2018-35.shtml) | @kimzetter tweet thread (https://twitter.com/KimZetter/status/1055992420989452288)
Russian Malware Behind Attempt to Sabotage a Saudi Petrol Plant (https://motherboard.vice.com/en_us/article/9k74az/triton-malware-russian-government-saudi-arabia-petrol-plant) Motherboard: FireEye said this week that the Triton malware — linked by The New York Times (https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html) to a plot to blow up a Saudi petrochemical plant — was most likely built with the help of a Russian government-owned research institute. Not too surprising to a lot of people, but good to close the loop on these things. More: FireEye (https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html) | The New York Times ($) (https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html)
Google Mandates Two Years of Security Patches for Popular Android Phones (https://www.theverge.com/2018/10/24/18019356/android-security-update-mandate-google-contract) The Verge: From the “cool if true” department, Google will mandate two years of security patches for Android phones that sell 100,000 devices or more, according to a document obtained by The Verge. The details are a bit janky, but the hope is that the contract can keep Android devices patched (ergo “more secure”) for longer. iPhones, by comparison, have historically received about three or four years’ worth of updates before Apple drops support. Background: The Verge (https://www.theverge.com/2018/10/19/17999366/google-eu-android-licensing-terms)
Why the NSA Called Me After Midnight and Requested My Source Code (https://medium.com/datadriveninvestor/why-the-nsa-called-me-after-midnight-and-requested-my-source-code-f7076c59ab3d) Medium: I tweeted this out this week and got a stream of people claiming this was a “psyop” or a ploy by a foreign government. Just read the damn story. It’s not something I would do — give up my source code — in fact, I’ve written about government attempts (https://www.zdnet.com/article/us-government-pushed-tech-firms-to-hand-over-source-code/) in the past — but it’s an interesting read nonetheless. Alternative headlines included: “I saved the world and all I got was this crappy mug.” More: ZDNet (https://www.zdnet.com/article/us-government-pushed-tech-firms-to-hand-over-source-code/)
U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections (https://www.nytimes.com/2018/10/23/us/politics/russian-hacking-usa-cyber-command.html) The New York Times ($): Cybercom launched its first offensive cyberoperation against Russian trolls last week, which we learned about this week. Instead of sending emails with dodgy .RTF files attached, my understanding is that the U.S. contacted Russian disinformation operatives and asked them to stop. It’s a pretty gutsy but diplomatic way of disarming threat actors who think their opsec is perfect. Definitely a less aggressive tactic than cyber pew-pew’ing. Background: TechCrunch (https://techcrunch.com/2018/10/23/first-cyber-operation-gentle-approach-russian-trolls/) | White House (https://www.whitehouse.gov/briefings-statements/statement-president-regarding-national-cyber-strategy/)
Bloomberg Spy Chip Story Still Implausible, Say Experts (https://www.servethehome.com/investigating-implausible-bloomberg-supermicro-stories/) Serve The Home: Researchers dug further into the Bloomberg story (yes, it’s still going) and doubled down on their belief that the spy chip story is wrong. This is a deep, technical breakdown trying to debunk the publication’s claims. Meanwhile, both Apple and Amazon (https://gizmodo.com/amazon-super-micro-join-apple-in-demanding-retraction-1829925889) took the rare step of calling on Bloomberg to retract its report, which the news site has signaled it has no plans of doing. More: Gizmodo (https://gizmodo.com/amazon-super-micro-join-apple-in-demanding-retraction-1829925889) | Another @kimzetter tweet thread (https://twitter.com/KimZetter/status/1054457602761838594)
Mirai Co-Author Gets Six Months At Home With His Parents (https://krebsonsecurity.com/2018/10/mirai-co-author-gets-6-months-confinement-8-6m-in-fines-for-rutgers-attacks/) Krebs on Security: And an $8.6 million restitution order. That’s going to be tough for Paras Jha, a 22-year-old Rutgers student, to pay off any time soon, but at least he’s young enough to make a dent in it before he eventually dies of old age. More: NJ.com (https://www.nj.com/news/index.ssf/2018/10/former_ru_student_hacker_ordered_to_pay_86m_in_res.html)
Trump’s Secure iPhones Scuppered by Crappy Opsec (https://www.nytimes.com/2018/10/24/us/politics/trump-phone-security.html) The New York Times ($): Trump has three iPhones — two secured by the NSA and a third that’s his personal device and like every other. The problem is, inherent flaws in the cell networks — such as the SS7 signaling protocol (https://motherboard.vice.com/en_us/article/598xyb/what-is-ss7-and-is-china-using-it-to-spy-on-trumps-cell-phone) — make it easy for foreign governments to listen in on his calls. (You can read my non-paywalled thoughts (https://techcrunch.com/2018/10/24/trump-has-two-secure-iphones-but-the-chinese-are-still-listening/) here.) The Times also found that Trump once left one of his secure phones on a golf cart, sending his staff (and presumably foreign spies) scrambling for it. China denied it was listening in, and suggested Trump buy a Chinese-built Huawei phone instead. More: Bloomberg (https://www.bloomberg.com/opinion/articles/2018-10-25/trump-s-iphone-is-a-warning-sign) | TechCrunch (https://techcrunch.com/2018/10/25/china-to-trump-dump-the-iphone-for-a-huawei/)
Here’s How Orlando Is Using Amazon’s Facial Recognition Technology (https://www.buzzfeednews.com/article/daveyalba/amazon-facial-recognition-orlando-police-department) BuzzFeed News: This is an incredibly well-researched story on how Orlando, Fla. uses Amazon’s facial recognition software — Rekognition — despite unease about how the technology fits into the current legal framework. More: NPR (https://www.npr.org/2018/06/26/623545591/orlando-police-end-test-of-amazons-real-time-facial-rekognition-system) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
EFF Publishes Whitepaper On Protecting Security Researchers (https://www.eff.org/deeplinks/2018/10/canada-chile-security-researchers-have-rights-our-new-report) Electronic Frontier Foundation: This is a great resource for anyone in today’s tumultuous times. The paper aims to provide the legal and policy framework for hackers and researchers, which lawmakers and the judiciary alike can use as a basis to protect this valuable work.
Critical Flaw in Advantech WebAccess Makes ICS Damage Easy (https://ics-cert.us-cert.gov/advisories/ICSA-18-296-01) US-CERT: ICS-CERT published an advisory covering a particularly nasty set of bugs in Advantech WebAccess, a browser-based HMI/SCADA package used across the world to supervise industrial control systems. Many installations are reachable from the internet (and easily pwnable) from a cursory search on Shodan.
X.Org Bug Gives Root Permission on Linux and BSD (https://www.bleepingcomputer.com/news/security/trivial-bug-in-xorg-gives-root-permission-on-linux-and-bsd-systems/) Bleeping Computer: Patch yo’ systems! A trivially exploitable local privilege escalation bug (CVE-2018-14665) has been found in the X.Org server when it runs setuid root, which it does on OpenBSD and on a number of Linux distributions. The server did not check who was asking before honoring the -modulepath and -logfile command-line options, so an unprivileged local user could point the log file at any path, /etc/shadow for instance, and have the server overwrite it with root’s privileges. So small is the exploit, in fact, that it fits in a single tweet (https://twitter.com/hackerfantastic/status/1055518052081557504) . Controversy erupted though when an X.Org maintainer apparently knew of the bug but kept mum, angering other community members.
China Has Been ‘Hijacking The Vital Internet Backbone Of Western Countries’ (https://www.zdnet.com/article/china-has-been-hijacking-the-vital-internet-backbone-of-western-countries/) ZDNet: According to a new academic study (found here (https://scholarcommons.usf.edu/mca/vol3/iss1/7/) ), China Telecom has been hijacking BGP routes for years, funneling Western traffic through China for what the authors argue are nefarious reasons. That’s possible because the Beijing-owned network has long had points of presence in the U.S., but nobody really seemed to care — compared to its own network in mainland China, which is largely off limits to U.S. carriers. It’s a fascinating read — and @campuscodi (https://twitter.com/campuscodi) breaks this story down well.
This SIM Card Forces All of Your Mobile Data Through Tor (https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-data-through-tor-brass-horn-communications) Motherboard: This is interesting: a U.K.-based grassroots ISP (https://motherboard.vice.com/en_us/article/kb7gkz/brass-horn-tor-ISP-says-buzz-off-surveillance) is testing a SIM card that sends all of a phone’s data through Tor via the cell network. “This is about sticking a middle finger up to mobile filtering, mass surveillance,” the project’s founder said. It’s early days, but it seems to be a potentially game-changing project for activists who need anonymity on the go. ~ ~
** OTHER NEWSY NUGGETS
Windows Defender Antivirus now sandboxable: Good news! Windows Defender Antivirus can now run in a sandbox (https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) , so the content-parsing code that handles untrusted files runs in an isolated, low-privilege process. Antivirus engines run with high privileges and parse attacker-controlled input, so a bug in the scanner has historically meant a full system compromise; with the sandbox, a successful exploit of the scanner is contained to the sandboxed process rather than reaching the entire system. It is opt-in for now, turned on by setting the MP_FORCE_USE_SANDBOX machine-wide environment variable to 1 and rebooting.
Government spyware maker left its goods on an open Google Drive: Yeah, not the smartest move ever from German spyware maker Wolf Intelligence, which exposed a ton of its own data (https://motherboard.vice.com/en_us/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online) in a leaky Google Drive. It’s the same company that made headlines by sending a bodyguard to Mauritania, who was later arrested, sparking an international incident. @lorenzoFB (https://twitter.com/lorenzofb) , who covered the story, also uploaded a leaked company manual (https://www.documentcloud.org/documents/5017403-Wolf-2016-Brochure.html) .
Dems leaked a ton of political fundraising data: A Democratic fundraising firm dropped the ball on its server security, exposing a ton of data stored on an unprotected Buffalo NAS drive. Hacken’s Bob Diachenko (https://twitter.com/MayhemDayOne) found the data and blogged his findings (https://blog.hacken.io/more-than-just-a-data-breach-a-dem-fundraising-firm-exposure) . When reporters tried to contact Rice Consulting to warn about the leak, the company hung up (https://twitter.com/gregotto/status/1055192063745187841?s=21) on them. What a way to handle a data breach. ~ ~
** GOOD PEOPLE DOING GOOD THINGS
MG (https://twitter.com/mg/status/1054226145061699585?s=21) tweeted a photo of what could be the world’s smallest USB condom, used to prevent accidental data exchanges between a device and a non-trusted port by passing only the power lines. It looks to be about a millimeter in size. Very impressive stuff.
A happy birthday to all-round good guy @DAkacki (https://twitter.com/DAkacki) this week, and shout out to his awesome pupper (https://twitter.com/DAkacki/status/1055642753667948545) who likes to sit up front.
And @Viss (https://twitter.com/viss/) took to Twitter to give us his hot takes (https://twitter.com/viss/status/1055202236853145600?s=21) on Finland. ~ ~
** THIS WEEK’S CYBER CAT
I was off last week, so sorry to anyone who missed out on last week’s newsletter — there wasn’t one, nor was there a cyber-cat. Also, our foster kittens were adopted this week after six months with us — so here’s some extra bonus content (https://twitter.com/zackwhittaker/status/1055983579942006784) on my Twitter feed to make up for it.
This week’s cybercat is Zuzu, an advanced persistent threat cat who loves to chew on flash drives. (You may need to enable images in this email.) If you want your cat featured in a future newsletter, email me: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) — and they’ll be featured in the coming weeks. ~ ~
** SUGGESTION BOX
That’s all I have for this week. Thanks as always for reading. If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . Back same time next week. ~ ~