this week in security — september 1 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 34.
** THIS WEEK, TL;DR
Google says malicious websites were quietly hacking iPhones for years (https://www.vice.com/en_us/article/bjwne5/malicious-websites-hacked-iphones-for-years) Motherboard: This was no doubt the biggest bombshell story of the week. Google found evidence that a small number of websites had been quietly hacking iPhones for at least two years, using zero-day vulnerabilities to gain root access to iOS and plant an implant that spied on messages, photos and near-real-time location. Sources said the targets (https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/) were Uyghur Muslims, with China as the culprit. In total, five exploit chains covering 14 separate vulnerabilities were used to target “thousands” of iPhones every week. Apple fixed the vulnerabilities in February, but news of the hacks came out this week. It’s unknown if Android was at risk of the same attacks. More: Google Project Zero (https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html) | @_DanielSinclair (https://twitter.com/_danielsinclair/status/1167287198984675328) | TechCrunch (https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/)
U.S. officials fear ransomware attack against 2020 election (https://www.reuters.com/article/us-usa-cyber-election-exclusive-idUSKCN1VG222) Reuters: Voter registration rolls are the new target for foreign hackers, according to sources speaking to Reuters. Forget voting equipment: hackers are said to be going directly after voter data to “manipulate, disrupt or destroy the data.” Homeland Security’s CISA said it’s concerned these voter records might get hit by ransomware. More: @CISAgov (https://twitter.com/CISAgov)
Insurance companies are fueling a rise in ransomware attacks (https://www.propublica.org/article/the-extortion-economy-how-insurance-compa-are-fueling-a-rise-in-ransomware-attacks) ProPublica: Why are insurance companies happy to pay to get their customers’ ransomed files back? Because attacks are “good for business,” reports ProPublica in this deep-dive investigative report. Insurers benefit twice over: paying the ransom is usually cheaper than funding a long recovery, and the steady stream of attacks drives demand for cyber insurance policies. “The onus isn’t on the insurance company to stop the criminal, that’s not their mission,” said one insurance expert. “Their objective is to help you get back to business. But it does beg the question, when you pay out to these criminals, what happens in the future?” More: @raj_samani (https://twitter.com/raj_samani/status/1166350235830050816) | Archive: ProPublica (https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/)
You can now see if Amazon’s Ring partners with your local police (https://www.cnet.com/news/amazons-ring-reveals-405-cities-where-police-tap-into-its-cameras/) CNET: After months of reports uncovering the scale and scope of Amazon’s Ring working with local police, the company finally came clean and published an official map of the police departments it works with. In short, the camera-equipped doorbell device maker has partnered with police across the U.S., letting officers request doorbell footage from users without a warrant. Gizmodo (https://gizmodo.com/ring-discloses-over-400-partnerships-with-police-in-mos-1837669511) and Motherboard (https://www.vice.com/en_us/article/a35vy4/ring-says-its-partnered-with-405-police-departments-heres-what-we-still-dont-know) were also on this story for months, reporting off leaks and public records requests. There’s likely a lot more to come. More: Ring (https://blog.ring.com/2019/08/28/working-together-for-safer-neighborhoods-introducing-the-neighbors-active-law-enforcement-map/) | Vice (https://www.vice.com/en_us/article/mb88za/amazon-requires-police-to-shill-surveillance-cameras-in-secret-agreement) | Gizmodo (https://gizmodo.com/ring-discloses-over-400-partnerships-with-police-in-mos-1837669511)
How Twitter CEO Jack Dorsey’s account was hacked (https://www.wired.com/story/jack-dorsey-twitter-hacked/) Wired ($): Well, that was embarrassing. @jack’s (https://twitter.com/jack) own Twitter account was hacked. Twitter kept details of the hack fairly vague, blaming the stream of unauthorized tweets on his compromised phone number “due to a security oversight by the mobile provider.” In other words, AT&T dropped the ball. With control of his phone number through a SIM swap, the hackers could post tweets simply by sending text messages to Twitter’s tweet-by-SMS service, which trusts the sending number. No need to break into his account or know his password if they could tweet by text message. More: TechCrunch (https://techcrunch.com/2019/08/30/someone-hacked-jack-dorseys-own-twitter-account/) | @TwitterComms (https://twitter.com/twittercomms/status/1167548246618587137?s=21)
Bioweapon detector data left online outside a government firewall (https://www.latimes.com/science/sciencenow/la-sci-biowatch-20190402-story.html) Los Angeles Times ($): An anti-terror program, BioWatch, which samples the air and checks for traces of bioweapons and other biological agents, mistakenly left sensitive program data outside the government firewall — on a dot-org domain, no less. That has since changed. But it’s not known if hackers gained access to the system; officials said they have no way to tell. The exposed data included “the locations of bio-agent detectors across the U.S., test results, a list of pathogens it could detect, and response plans in the event of an attack.” More: @latimes tweet thread (https://twitter.com/latimes/status/1165655099278077952) | @Emily_Baum tweet thread (https://twitter.com/Emily_Baum/status/1165686225614696448)
Apple is turning Siri audio clip review off by default (https://techcrunch.com/2019/08/28/apple-is-turning-siri-audio-clip-review-off-by-default-and-bringing-it-in-house/) TechCrunch: Some less bad news this week: Apple is backtracking on its Siri audio review and turning it off by default. Any opt-in review will be done by staff in-house and not contractors as it was before. Apple caught heat for hiring contractors to manually review Siri recordings to improve the voice assistant. Although the recordings were meant to be anonymous, some audio clips contained personally identifiable information. More: Apple (https://www.apple.com/newsroom/2019/08/improving-siris-privacy-protections/) | Background: The Guardian (https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings)
Feds ordered Google location dragnet to solve Wisconsin bank robbery (https://www.theverge.com/2019/8/28/20836855/reverse-location-search-warrant-dragnet-bank-robbery-fbi) The Verge: Another case has emerged of police asking Google to turn over a dragnet of location data from devices in the vicinity of a crime. This time it was a bank robbery. Unsure of who was behind the heist, police asked Google to hand over all the location records of phone owners in the area surrounding the bank at the time of the robbery. It’s not the first time this has happened. Forbes (https://www.forbes.com/sites/thomasbrewster/2018/10/23/feds-are-ordering-google-to-hand-over-a-load-of-innocent-peoples-locations/#d9450ab5a0dc) has covered these “reverse location” search warrants for the past year. More: MPR News (https://www.mprnews.org/story/2019/02/07/google-location-police-search-warrants) | Slate (https://slate.com/technology/2019/02/reverse-location-search-warrants-google-police.html) | Forbes (https://www.forbes.com/sites/thomasbrewster/2018/10/23/feds-are-ordering-google-to-hand-over-a-load-of-innocent-peoples-locations/#d9450ab5a0dc) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
NSA-approved cyber law and policy course now available online (https://www.cyberscoop.com/online-cybersecurity-law-course-penn-state-nsa/) Cyberscoop: Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency, reports Cyberscoop. The course is aimed at introducing students to cyber law and to offensive and defensive cyber operations.
Microsoft to allow some to get extended Windows 7 security fixes (https://www.zdnet.com/article/microsoft-is-offering-some-enterprise-users-a-one-year-windows-7-extended-security-update-promo/) ZDNet: Windows 7 falls out of support on January 14, 2020 — just a few months away. After that, consumers and enterprises alike will no longer receive much-needed security updates. Some enterprises, however, will be able to get a year’s worth of free extended updates. Everyone else will have to pay. ZDNet has the breakdown (https://www.zdnet.com/article/microsoft-is-offering-some-enterprise-users-a-one-year-windows-7-extended-security-update-promo/) of who can get extended updates, and here’s the Microsoft document [PDF] (https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE342zV) for reference.
Denied entry to the U.S. over others’ social media (https://techcrunch.com/2019/08/27/border-deny-entry-united-states-social-media/) TechCrunch: Travelers visiting the U.S. are increasingly turned away from the border because of material found on their phones — but sent by other people. You read that right. One would-be Harvard student was recently told he couldn’t enter the U.S. because of someone else’s social media posts seen by officers during a phone inspection. The same applies to WhatsApp, which automatically downloads photos and videos — even unsolicited messages — to a person’s camera roll. (Disclosure: I wrote this story.)
Cybersecurity firm Imperva discloses data breach (https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/#more-48736) Krebs on Security: Internet firewall firm Imperva said this week it was hit by a data breach. The only problem is that Imperva’s post was about as clear as mud (https://twitter.com/GossiTheDog/status/1166368077195464706) . Security reporter Brian Krebs said the exposed data belonged to customers of Imperva’s Cloud WAF (formerly Incapsula) who had accounts up to mid-September 2017. That includes email addresses and hashed passwords, and for a subset of customers, API keys and customer-provided SSL certificates. Ouch. Imperva is telling affected customers to change passwords, reset their API keys and generate and upload new certificates; a certificate whose private key may be in someone else’s hands needs to be reissued and the old one revoked, not simply re-uploaded. You can read Imperva’s blog post here (https://www.imperva.com/blog/ceoblog/) . ~ ~
** OTHER NEWSY NUGGETS
NYPD uses sealed mug shots for facial recognition (https://onezero.medium.com/exclusive-the-nypd-is-using-sealed-mug-shots-in-its-facial-recognition-program-bd5678ad5632) Sealed cases should stay… well, sealed. But it turns out the NYPD is using supposedly off-limits mug shots in its massive facial recognition database. Privacy advocates say that feeding sealed mug shots into facial recognition databases violates state law, reports @michaelhayes (https://twitter.com/michaelhayes) .
What happens when you launch Google Chrome for the first time? (https://twitter.com/jonathansampson/status/1165493206441779200) Here’s a fascinating thread on what happens when you load Chrome for the first time on a Windows 10 machine. @jonathansampson (https://twitter.com/jonathansampson) also did several other tweet threads (https://news.ycombinator.com/item?id=20806176) looking at other web browsers. It’s a pretty interesting read — and one likely to stress out the privacy minded. Mozilla said it will look into it (https://twitter.com/mozdeco/status/1166042350453497856) .
Cops hijack botnet and remotely wipe malware from 850,000 computers (https://www.vice.com/en_us/article/wjwd7x/cops-hijack-retadup-botnetwipe-malware-from-850000-computers) An interesting story: Motherboard reports French police took down a near million-strong cryptocurrency mining botnet, Retadup, with help from Avast (https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/) after its security researchers found a design flaw in the malware’s command and control (C&C) protocol. Police seized the malicious C&C server and replaced it with one the researchers built from their reverse engineering, which answered infected machines in a way that made the malware uninstall itself. That disinfected 850,000 computers without anyone having to push or run new code on the victims. French police said (https://twitter.com/Gendarmerie/status/1166603249664897025) they took down one of the largest botnets in the world. ~ ~
** THE HAPPY CORNER
Just time for one nugget of fun news this week.
@cillic (https://twitter.com/cillic/status/1166921006067458048?s=21) had a great tweet thread on the best thing about working in infosec. The only caveat is that he asked for “wrong answers only.” Well, that kicked off hundreds of tweets. It’s a great read. Put the coffee on.
If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) . ~ ~
** THIS WEEK’S CYBER CAT
This week’s cybercat is Thor. A very handsome cat. Extremely regal. Would definitely let him on my CTF team. A big thanks to his human, @markeldo (https://twitter.com/markeldo) , for the submission! (You may need to enable images in this email.) Send in your cybercats — we’re running low! You can submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . They’re always featured — it’s first come, first served! ~ ~
** SUGGESTION BOX
That’s it for this week — and thank you for reading. I’m off next week — I’ll be traveling — so it’s very unlikely that a newsletter will go out. As always, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you in a couple of weeks. ~ ~