this week in security — october 7 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 13.
** THIS WEEK, TL;DR
How China Used a Tiny Chip to Infiltrate U.S. Companies (https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies) Bloomberg: Yeah, like you missed this story. This was a highly complex story, but, in case you were living under a rock: China installed tiny chips on Supermicro motherboards that Apple and Amazon used in their datacenter servers. The chips reportedly phoned home to China. Apple and Amazon denied it — and the UK and US governments also seemed confused. Nobody knows if this story is true or not — it’s a really bizarre one. Analysis: TechCrunch (https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/) | More: Bloomberg (https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond) | @thegrugq on Medium (https://medium.com/@thegrugq/supply-chain-security-speculation-b7b6357a5d05) | Reuters (https://www.reuters.com/article/us-china-cyber-dhs/dhs-says-no-reason-to-doubt-firms-china-hack-denials-idUSKCN1MH00Y)
Tinder, Pinterest, Others Don’t Know How Facebook Hack Affected Them (https://www.cnn.com/2018/10/01/tech/facebook-hack-tinder-pinterest/index.html) CNN: Great news for Facebook, which had its data breach effectively buried from the headlines after the “spy chip” story. CNN reported that after the breach of account access tokens, third-party sites that use Facebook Login. Facebook later said it found “no evidence” so far that the attackers accessed any sites or services with stolen tokens. More: Facebook Newsroom (https://newsroom.fb.com/news/2018/10/facebook-login-update/) | Slate (https://slate.com/technology/2018/09/facebook-hack-50-million-affected-apps-other-websites.html)
Facebook Breach Hit 5 Million EU Users, Faces GDPR Fines (https://techcrunch.com/2018/10/01/facebook-breach-europe/) TechCrunch: Five million EU citizens were affected by the data breach, out of the 50 million confirmed who had their access tokens stolen. Facebook faces a GDPR fine of up to $1.63 billion — though it probably won’t be that high in the end. Facebook made $40.7 billion in revenue last year, so it won’t take too long to recoup that loss. More: @dpcireland tweet (https://twitter.com/DPCIreland/status/1046848583817994240) | CNBC (https://www.cnbc.com/2018/10/04/facebook-data-breach-top-eu-regulator-officially-opens-investigation.html)
Google Taking New Steps to Prevent Malicious Chrome Extensions (https://arstechnica.com/gadgets/2018/10/google-taking-new-steps-to-prevent-malicious-chrome-extensions/) Ars Technica: Chrome extensions are great, but many are garbage that open you up to data theft and other dodgy stuff. Soon, Chrome will give you granular control over what permissions each extension has, and monitor extensions that pull data from remote sites in the hope that’ll stop malware. More: Chromium Blog (https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html)
U.S. Charges Russian GRU Officers with International Hacking and Disinformation Operations (https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and) Justice Department: “We got ‘em.” Well, at least the ones we know about. Seven Russian intelligence agents — hackers — were charged with cyberattacks, breaches, and disinformation campaigns attributed to Fancy Bear (APT28). Three of the hackers were previously charged by Special Counsel Robert Mueller. But, given they still live in Russia, the chances of their extradition are slim. More: CNBC (https://www.cnbc.com/2018/10/04/doj-charges-7-russian-intelligence-operatives-with-hacking.html) | The Verge (https://www.theverge.com/2018/10/4/17936442/russian-hackers-charged-hacking-anti-doping-mo-farah)
The Vigilante Who Hacked Hacking Team Explains How He Did It (https://motherboard.vice.com/en_us/article/3dad3n/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it) Motherboard: Remember when Hacking Team was ironically hacked? The hacker, known as Phineas Fisher, finally comes clean on how and why he targeted the nation-state malware maker. A great write-up by @lorenzofb (https://twitter.com/lorenzoFB). Archive: Motherboard (https://motherboard.vice.com/en_us/article/wnj9a5/hacker-claims-responsibility-for-the-hit-on-hacking-team)
Google, Facebook Join Rights Groups To Fight Australia’s Encryption Bill (https://www.theguardian.com/technology/2018/oct/03/google-and-facebook-join-rights-groups-to-fight-australias-encryption-bill?CMP=share_btn_tw) The Guardian: You know what’s exhausting? Trying to convince governments again, and again, and again that you can somehow break encryption and still keep people’s data safe. Australia’s up next with its ridiculous proposal, which will force companies to decrypt data upon request. More: Alliance for a Safe and Secure Internet (https://digitalrightswatch.org.au/2018/10/03/slow-down-stop-and-listen-consumers-human-rights-groups-industry-telcos-and-technology-companies-join-forces-to-sound-alarm-at-governments-spyware-legislation/) | ZDNet (https://www.zdnet.com/article/australias-anti-encryption-law-will-merely-relocate-the-backdoors-expert/)
Apollo Breach Exposed Billions of Data Points (https://www.wired.com/story/apollo-breach-linkedin-salesforce-data/) Wired ($): I reported last week that Apollo, a sales engagement (effectively data scraping) startup, had been hacked. Turns out, per @lilyhnewman’s (https://twitter.com/lilyhnewman) additional reporting, that the data had not only been hacked but also exposed — thanks to a public Amazon S3 bucket. I’d heard similar but couldn’t confirm it. Apollo also wouldn’t answer my questions, but I’m glad Wired dug further and got to the bottom of it. GDPR fines for everybody! More: TechCrunch (https://techcrunch.com/2018/10/01/apollo-contacts-data-breach/) | Krebs on Security (https://krebsonsecurity.com/2018/10/when-security-researchers-pose-as-cybercrooks-who-can-tell-the-difference/)
** THE STUFF YOU MIGHT’VE MISSED
FBI vs. Facebook Messenger: What’s at stake? (https://arstechnica.com/tech-policy/2018/10/fbi-vs-facebook-messenger-whats-at-stake/) Ars Technica: Now, if you thought the FBI vs. Facebook Messenger wiretap debacle was over — well, it is. But don’t let that stop you from reading this interesting op-ed from Marc Zwillinger et al. He’s a top national security lawyer who’s advised the FISA Court. Their op-ed argues why backdoors are dangerous — which, we all know is obvious, but it’s a good read nonetheless.
How A $500 Million Central Bank Heist Was Foiled (https://www.wsj.com/articles/the-500-million-central-bank-heistand-how-it-was-foiled-1538578897) Wall Street Journal ($): A fascinating read — use incognito if you can’t! — about how a teller at an HSBC London branch helped to foil a massive half-billion heist from an Angola bank. It’s a little heavy on the detail — which, because it’s such a complex matter can be a bit off-putting — but it’s still a really good read.
Experian Flaw Just Revealed PINs Protecting Credit Data (https://www.nerdwallet.com/blog/finance/security-flaw-at-experian-allows-easy-access-to-pin-to-unlock-credit-freeze/) NerdWallet: For once, it’s not Equifax screwing something up. This time, it’s Experian that exposed credit freeze PINs, thanks to a flaw in its site, allowing a fraudster to unlock someone’s credit and apply for a bunch of loans or credit cards without permission. The bug was fixed fairly quickly but it’s not known for how long these PINs were available.
83 Percent of Routers Contain Vulnerable Code (https://threatpost.com/threatlist-83-of-routers-contain-vulnerable-code/137966/) Threatpost: We all know how horribly insecure routers are, but the number is far higher than some might have ever thought. Researchers blamed outdated and buggy open source libraries that are almost never updated. That’s a little unfair on open source, which is generally pretty good, because it shifts the blame away from the device makers, who should either maintain those libraries or build something better.
** OTHER NEWSY NUGGETS
@Guccifer2 is an Ohio woman called Cassandra: But she’s not that Guccifer, the Russian hacker and troll. This @kevincollier (https://twitter.com/kevincollier) deep-dive into her part-joke, part-experimental Twitter account (https://www.buzzfeednews.com/article/kevincollier/trump-russia-mueller-probe-guccifer-graduate-student-cleared) explains how she caught the attention of the FBI and the Special Counsel’s investigation.
“Hey Siri, I’m getting pulled over.” An interesting feature in iOS 12 — Siri Shortcuts — which can be programmed to do pretty much anything at a voice request. @mondobytes (https://twitter.com/mondobytes/status/1043400214839619584?s=12) figured out a way to send a text with your location if you’re ever pulled over by the police. That’s particularly useful if you’re a security professional (or reporter!) traveling across a border, for example.
How hackers stole $3M from a UK bank: Pretty interesting read by @dannyjpalmer (https://twitter.com/dannyjpalmer) on how hackers stole $3 million (https://www.zdnet.com/article/this-is-how-cyber-attackers-were-able-to-steal-2-26m-from-tesco-bank-customers/) from 9,000 customers at UK’s Tesco Bank by exploiting a string of security issues. This is an excellent walk-through of what happened and when.
MySpace worm becomes a teenager: Another @lorenzofb (https://twitter.com/lorenzofb) story — this time, a look back at the MySpace worm, Samy, developed by Samy Kamkar, which spread across the web (https://motherboard.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever) like wildfire — and got him a visit from the FBI. And that was 13 years ago this week!
** GOOD PEOPLE DOING GOOD THINGS
It’s DerbyCon (https://twitter.com/search?q=%23DerbyCon&src=tyah) week — which means it’s time to get your resumes in check (https://twitter.com/mzbat/status/1048245263247265793). As usual, @mzbat (https://twitter.com/mzbat/) and @hacks4pancakes (https://twitter.com/hacks4pancakes) offer their help and advice at the Resume Workshop — and anything else you might need (https://twitter.com/mzbat/status/1048244975203471362) if you’re talking to a potential employer. It’s an incredibly thoughtful service that they offer — and they’ve helped close to 50 people (https://twitter.com/giveinfosec/status/1048321434290999296) at this con alone.
Also at DerbyCon, the usual trio — @thepacketrat (https://twitter.com/thepacketrat), @steveD3 (https://twitter.com/SteveD3) and @snd_wagenseil (https://twitter.com/snd_wagenseil) — gave their “how hackers can talk to reporters” talk. Thanks to @frankMcG (https://twitter.com/FrankMcG/status/1048574508406386689) for tweeting out some of the slides. I’ve known these guys for years and they’re fantastic infosec reporters. They care so much about hackers and researchers, which is why they want you to know how to talk to reporters properly. There is some top advice in these tweets.
And, a last word about the Bloomberg story. I said before — and tweeted out (https://twitter.com/zackwhittaker/status/1047994660982022144), too — “The real problem is that some of the smartest, brilliant minded, rational people who are experts in this field have no idea who to believe on this story.” But, I have to say — there were some really smart, balanced, thoughtful and measured responses out there from a lot of people. I get we still don’t know the truth, but, without sensationalizing or alarming, some people really contributed some value-add to the conversation this week. Just to name a few — @MalwareJake (https://twitter.com/MalwareJake/status/1047848635977949184), @d_obrien (https://twitter.com/d_obrien), @k8em0 (https://twitter.com/k8em0/status/1048902719019372545), @KimZetter (https://twitter.com/KimZetter), @mattblaze (https://twitter.com/mattblaze/status/1048677169264771072), @securelyfitz (https://twitter.com/securelyfitz/status/1047943065074204672), and @kennwhite (https://twitter.com/kennwhite) — and so many more as well. You did a real service by cutting through the bullshit — and it not only helped reporters like me, but also everyone else following the story.
** THE CORNER OF SHAME
This dumbass (https://twitter.com/officialmcafee/status/1047585232831041536).
** THIS WEEK’S CYBER CAT
This week’s cyber cat is one of mine — this is Ziggy. He just heard about your company’s crappy password requirements and is giving you the stink eye. But he loves you really. (You may need to enable images in this email.) I’m in a cyber cat drought — I need more submissions! If you want your cat featured in next week’s newsletter, email me: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20).
** SUGGESTION BOX
That’s all for now. I hope you have a great week — and thanks as always for reading. If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform).