this week in security — september 15 edition
** this week in security
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 36.
** THIS WEEK, TL;DR
Report reveals play-by-play of first U.S. grid cyberattack (https://www.eenews.net/stories/1061111289) E&E News: Regulators said a cyberattack earlier this year caused disruption to a U.S. power grid, though no blackouts were reported. The attack involved signal outages at the “low-impact” control center for more than five minutes. ICS security firm Dragos said the attack was likely not targeted but rather an automated bot attack scanning the internet for exposed devices. The case is nevertheless said to have “turned heads” at multiple federal agencies. More: Hacker News (https://news.ycombinator.com/item?id=20911441) | @HowellONeill tweets (https://twitter.com/HowellONeill/status/1171106841280909319)
Secret Service investigates breach at government IT contractor (https://krebsonsecurity.com/2019/09/secret-service-investigates-breach-at-u-s-govt-it-contractor/) Krebs on Security: A breach at a U.S. government IT contractor is under investigation after files allegedly stolen from it were offered on the dark web for about $60,000 in bitcoin, including email correspondence and passwords for breached databases. The contractor works with USCIS and Homeland Security, among others. It comes just months after the Perceptics breach (https://www.washingtonpost.com/technology/2019/07/02/border-surveillance-subcontractor-suspended-after-cyberattack-misuse-traveler-images/?arc404=true) . Background: Washington Post ($) (https://www.washingtonpost.com/technology/2019/07/02/border-surveillance-subcontractor-suspended-after-cyberattack-misuse-traveler-images/?arc404=true)
U.S. sanctions North Korean state-sponsored hacking groups (https://home.treasury.gov/news/press-releases/sm774) U.S. Treasury: The U.S. Treasury has imposed additional sanctions on several hacking groups associated with North Korea, including the infamous Lazarus Group, believed to have been behind the Sony hack in 2014 and the WannaCry attack in 2017. North Korea is said to have stolen billions through cyberattacks to fund its weapons programs. U.S. Cyber Command also posted 11 new malware samples (https://www.us-cert.gov/ncas/current-activity/2019/09/08/us-cyber-command-shares-11-new-malware-samples) associated with North Korea. More: US-CERT (https://www.us-cert.gov/ncas/current-activity/2019/09/08/us-cyber-command-shares-11-new-malware-samples) | Cyberscoop (https://www.cyberscoop.com/lazarus-group-us-treasury-sanctions-north-korea/)
Men arrested for breaking into Dallas County Courthouse (https://desmoinesregister.com/story/news/crime-and-courts/2019/09/11/men-arrested-burglary-dallas-county-iowa-courthouse-hired-judicial-branch-test-security-ia-crime/2292295001/) Des Moines Register: Two men arrested for breaking into the Dallas County Courthouse in Iowa said they had permission as part of a vulnerability assessment, but authorities said the men were acting out of scope by breaking into the building. @kimzetter (https://twitter.com/KimZetter/status/1172526197839806464) suggested this was a misunderstanding. Charges have not been dropped and a further court appearance, this time not of their own volition, is scheduled for next week. This is definitely a case to keep an eye on: if you do physical pentesting, it is a reminder to get the scope, the authorizing party and the hours in writing before you pick a lock. More: @kimzetter tweet thread (https://twitter.com/KimZetter/status/1172262563360444416) | @SwiftOnSecurity (https://twitter.com/SwiftOnSecurity/status/1172285706485604352) | @Viss (https://twitter.com/Viss/status/1172196418687094784)
Cloudflare may have provided service to terrorists, drug traffickers (https://www.cyberscoop.com/cloudflare-ipo-terrorism-narcotics/) Cyberscoop: Now that Cloudflare is a publicly traded company (https://www.cnbc.com/2019/09/13/cloudflare-stock-pops-20percent-in-first-day-of-trading.html) , the disclosure rules it has to follow are far stricter. So when the company admitted in its IPO paperwork that it may have provided service to terrorists and drug traffickers in violation of U.S. sanctions, our ears pricked up. In its S-1 filing, the company said it could be fined or lose export privileges, which would be bad news for the company's health. Co-founder Michelle Zatlyn told TechCrunch (https://techcrunch.com/2019/09/13/cloudflare-cofounder-michelle-zatlyn-on-the-companys-successful-ipo-and-whats-next/) that it's trying to remove bad actors from its service while balancing free speech. More: TechCrunch (https://techcrunch.com/2019/09/13/cloudflare-cofounder-michelle-zatlyn-on-the-companys-successful-ipo-and-whats-next/) | Wall Street Journal ($) (https://www.wsj.com/articles/cloud-services-company-cloudflare-discloses-potential-sanctions-violations-11568152033)
Despite indictments, Iranian phishers are still targeting universities (https://arstechnica.com/information-technology/2019/09/18-months-after-indictment-iranian-phishers-are-still-targeting-universities/) Ars Technica: Nine Iranians criminally charged with hacking 18 months ago continue to hit universities. Security researchers say 60 institutions have been targeted so far in an effort to steal credentials through spoofed emails. Many of the phishing sites used HTTPS and pre-populated content to appear legitimate, so the padlock in the address bar tells you nothing here. Once again it's proof that two-factor authentication, done right, is an effective mitigation: a stolen password alone gets the attacker nothing, and phishing-resistant methods such as hardware security keys hold up even where one-time codes can be relayed by a phishing page sitting between the victim and the real login. More: Secureworks (https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again)
Report on election security gains attention — and rebuke (https://www.propublica.org/article/report-on-election-security-gains-attention-and-a-sharp-rebuke) ProPublica: A risk scorecard company has taken flak for allegedly providing states with reports full of errors that overstated security threats to their voting infrastructure. The company posted its report this week, and several news sites like Axios (https://www.axios.com/elections-officials-flub-some-basic-security-tasks-f7fb2fb4-0292-4ef1-a2d2-ad9799f07784.html) and Politico (https://www.politico.com/newsletters/morning-cybersecurity/2019/09/10/states-still-not-up-to-snuff-on-election-security-researchers-warn-735904) ran the story, but many election officials said the company was trying to profit "from a country on edge." This ProPublica exposé runs down the issues with the report. More: @dnvolz (https://twitter.com/dnvolz/status/1172517309413494786) | @JessicaHuseman (https://twitter.com/JessicaHuseman/status/1172494966628802570)
** THE STUFF YOU MIGHT’VE MISSED
DMVs are selling your data to private investigators (https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars) Motherboard: Filed under “didn’t want to know but glad you now know”. You turn over gobs of data for a driver’s license, but DMVs make millions of dollars in selling it on to private investigators who spy on people for a profit. Some of the data is sold in bulk but some states allow the lookup of specific individuals’ data. But apparently they don’t sell citizens’ license photos or Social Security numbers. Oh well that’s fine then, he says sarcastically.
9th Circuit says scraping public data isn't illegal (https://twitter.com/orinkerr/status/1171116153948626944?s=21) Orin Kerr: Some interesting news from the 9th Circuit: scraping a publicly accessible website likely isn't a violation of the CFAA, the main U.S. anti-hacking law. That strongly suggests that the CFAA is much more focused on bypassing authentication. In other words, if it's public, like a data leak or an exposure (https://twitter.com/Viss/status/1171168956343652352) , it's fair game. But using or bypassing passwords that aren't yours, well that's where things get messy. More: @jeffjohnroberts (https://twitter.com/jeffjohnroberts/status/1171092010515804161)
Analyzing Wikipedia's DDoS attack (https://blog.thousandeyes.com/analyzing-the-wikipedia-ddos-attack/) ThousandEyes: Wikipedia was hit by a significant DDoS attack on September 6, knocking the global encyclopedia offline for many users (https://wikimediafoundation.org/news/2019/09/07/malicious-attack-on-wikipedia-what-we-know-and-what-were-doing/) . ThousandEyes has a great write-up on what happened. Just days later, Wikimedia Foundation, which runs the site, took in $2.5 million from Craigslist founder Craig Newmark to beef up (https://techcrunch.com/2019/09/10/the-wikimedia-foundation-taps-2-5m-from-craig-newmark-to-beef-up-its-security/) its security.
Hundreds arrested in coordinated takedown of email scammers (https://www.justice.gov/opa/pr/281-arrested-worldwide-coordinated-international-enforcement-operation-targeting-hundreds) Justice Department: Operation reWired, a coordinated law enforcement operation, saw 281 people arrested over a four-month period, including in the U.S., Nigeria, Turkey and Ghana. Some $3.7 million was seized in the process. The operation targeted business email compromise (BEC) schemes, in which scammers impersonate executives or suppliers over email to trick victims into wiring them money, cheating people out of millions of dollars. Cyberscoop said (https://www.cyberscoop.com/business-email-compromise-arrests-fbi/) prosecutors found more than 250,000 stolen identities in the scam.
Accessing two million Verizon Pay Monthly contracts (https://daleys.space/writeup/0day/2019/09/09/verizon-leak.html) Daley Bee: A simple flaw in a Verizon endpoint allowed @Daley (http://twitter.com/daley) to access two million pay monthly Verizon Wireless contracts, containing the full names, addresses, phone numbers and more. The endpoint handed back a contract for whatever agreement number it was given, without checking who was asking, so he was able to brute force the agreement numbers and pull contracts belonging to other customers. Verizon took a month to fix the vulnerability.
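The Verizon flaw above is a textbook insecure direct object reference: a guessable, sequential identifier in the request and no check that the caller owns the record it names. Below is an added illustration, written for this newsletter and not code from Verizon or from the linked write-up, of that weak shape next to a hardened one. The records, account names, session handling and function names are all hypothetical.

```python
"""IDOR on a contract-lookup endpoint: the weak shape beside a hardened one.

Constructed illustration for this newsletter. The records, names and handler
shapes are hypothetical and are not Verizon's code or from the linked write-up.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Contract:
    agreement_no: int  # sequential number printed on the paperwork
    owner: str         # account that is allowed to view it
    body: str


@dataclass
class Store:
    by_agreement: dict = field(default_factory=dict)
    by_token: dict = field(default_factory=dict)

    def add(self, contract):
        """Index a contract two ways: by its sequential number (what the weak
        endpoint exposes) and by a random, unguessable handle (what the
        hardened endpoint puts in URLs). Returns the handle."""
        self.by_agreement[contract.agreement_no] = contract
        token = secrets.token_urlsafe(16)
        self.by_token[token] = contract
        return token


def weak_lookup(store, agreement_no):
    """Vulnerable: no session, no ownership check, guessable key.
    Anyone can walk agreement_no = 1, 2, 3, ... and dump every contract."""
    contract = store.by_agreement.get(agreement_no)
    return contract.body if contract else None


def hardened_lookup(store, session_user, token):
    """Fixed: caller must be logged in, the key is random, and the record's
    owner is compared against the session before anything is returned.
    Missing and not-yours both yield None so the response does not reveal
    which identifiers exist."""
    if session_user is None:
        return None
    contract = store.by_token.get(token)
    if contract is None or contract.owner != session_user:
        return None
    return contract.body


def sweep_weak(store, start, stop):
    """The enumeration an attacker runs against the weak endpoint."""
    hits = []
    for n in range(start, stop):
        body = weak_lookup(store, n)
        if body is not None:
            hits.append((n, body))
    return hits


def demo():
    store = Store()
    alice_token = store.add(Contract(1001, "alice", "alice's plan"))
    bob_token = store.add(Contract(1002, "bob", "bob's plan"))
    return {
        "weak_sweep": sweep_weak(store, 1000, 1005),
        "bob_reads_own": hardened_lookup(store, "bob", bob_token),
        "bob_reads_alice": hardened_lookup(store, "bob", alice_token),
        "anonymous": hardened_lookup(store, None, alice_token),
        "guessed_token": hardened_lookup(store, "bob", "1002"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership comparison is the part that actually closes the hole; the random handle only raises the cost of guessing. Returning the same empty answer for "not found" and "not yours" is deliberate, so a sweep cannot even learn which numbers are live.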
** OTHER NEWSY NUGGETS
T-Mobile has a secret 'no port-out' feature (https://www.vice.com/en_us/article/ywa3dv/t-mobile-has-a-secret-setting-to-protect-your-account-from-hackers-that-it-refuses-to-talk-about) T-Mobile has a feature, 'NOPORT', which blocks your phone number from being ported out to another carrier over the phone; with it set, a port-out requires showing photo ID in a store. That makes it far, far more difficult for fraudsters to hijack someone's phone number by social-engineering customer service, the way SIM swappers do. But T-Mobile refuses to talk about it, let alone document the feature on its website, so you have to know to ask for it.
New York payroll company vanishes with $35 million (https://krebsonsecurity.com/2019/09/ny-payroll-company-vanishes-with-35-million/) MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, has vanished — with $35 million worth of payroll and tax payments in legal limbo, reports @briankrebs (https://twitter.com/briankrebs) . In what looks like an exit scam, “many of those employees found their accounts had been dinged for two payroll periods — a month’s worth of wages — leaving their bank accounts dangerously in the red.” Ouch.
Unencrypted patient medical information broadcast across Vancouver (https://openprivacy.ca/blog/2019/09/09/open-privacy-discovers-vancouver-patient-medical-data-breach/) Open Privacy (https://twitter.com/openpriv/status/1171058991306133507?s=21) has discovered patients at Vancouver hospitals are having their medical information broadcast, unencrypted, across the Canadian city. The data includes name, age, gender marker, diagnosis, attending doctor and room number. The hospitals' paging systems transmit in the clear, so anyone within radio range can intercept the messages. Here's a tweet thread (https://twitter.com/SarahJamieLewis/status/1171148964264992768) from the group's executive director @SarahJamieLewis (https://twitter.com/SarahJamieLewis) .
** THE HAPPY CORNER
Some fun news for the happy corner.
@jason_koebler (https://twitter.com/jason_koebler/status/1171459880168722438) , Motherboard's editor-in-chief, tweeted this week about a laser tripwire that automatically minimizes your computer's workspace when it's triggered. @samleecole (https://twitter.com/samleecole) has the story. That's particularly helpful for those who actively look at NSFW content for their jobs, think red teamers. And finally, the Tor Browser has raised $86,000 in funds for its bug bounty, the project announced (https://blog.torproject.org/tors-bug-smash-fund-86k-raised) this week. That's going directly to bug bounty payouts to keep the anonymity browser safe from bugs and security flaws. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) .
** THIS WEEK’S CYBER CAT
This is Darjeeling, this week's cyber cat, who loves to watch as you enter your password for maximum judgment. A big thanks to Darjeeling's human, Philip Menchaca, for the submission. Please do keep sending in your cybercats. Submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) !
** SUGGESTION BOX
And that’s a wrap for this week — thanks for reading! As usual, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . I tried a slightly different layout this week so hopefully it should be slightly easier to read on your phone. Let’s hope it works out. Have a great week — see you next Sunday.