this week in security — september 22 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 37.
** THIS WEEK, TL;DR
Russia carried out a ‘stunning’ breach of FBI communications system (https://news.yahoo.com/exclusive-russia-carried-out-a-stunning-breach-of-fbi-communications-system-escalating-the-spy-game-on-us-soil-090024212.html) Yahoo News: Remember in late 2016 President Obama expelled dozens of Russian diplomats seemingly out of nowhere, forcing the consulate in San Francisco to burn documents for days on end? Turns out it was because the Russians were running a “brazen counterintelligence operation” across the U.S., targeting an FBI communications system, making it almost impossible for the feds to track Russian spies in the country at the time and forcing the CIA to cut ties with some of its Russian assets. It’s an incredible story — I can’t do it justice in a few lines — from the same reporters who also broke (https://news.yahoo.com/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html) the CIA “catastrophic” compromise story. More: @YahooNews tweet thread (https://twitter.com/yahoonews/status/1173581291259867137?s=21) | @JennaMC_Laugh tweet thread (https://twitter.com/JennaMC_Laugh/status/1173994298020368388)
Millions of Americans’ medical images found online (https://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internet) ProPublica: Hundreds of servers around the world storing patient X-rays and MRIs are exposing patient data. In some cases anyone with a web browser or a few lines of computer code can view patient records. For the most part, doctors’ offices have no idea their systems are insecure. ProPublica estimated that 16 million patients had data exposed from 187 servers. More: Bayerischer Rundfunk (German) (https://www.br.de/nachrichten/deutschland-welt/millionenfach-patientendaten-ungeschuetzt-im-netz,RcF09BW)
U.S. cyber-offensive against ISIS continues — now with eyes on Afghanistan (https://www.cyberscoop.com/isis-jtf-ares-cyber-offensive-afghanistan/) Cyberscoop: The U.S. military is readying cyber operations against a dispersed but still active membership of the so-called Islamic State group. The physical caliphate may have been crushed, but many members still operate from across the region. Much of the effort is focused on Afghanistan, where large portions of the terror group remain. More: Financial Times ($) (https://www.ft.com/content/ae7cd2c2-ce26-11e9-99a4-b5ded7a7fe3f) | @shanvav tweet thread (https://twitter.com/shanvav/status/1174043188518146052)
The mysterious death of the hacker who turned in Chelsea Manning (https://www.npr.org/2019/09/19/760317486/the-mysterious-death-of-the-hacker-who-turned-in-chelsea-manning) NPR: Words can’t describe how good this long-read is. It’s a deep dive into the final years of Adrian Lamo’s life, and it posits how he died, which has remained a mystery. Lamo was the hacker who shopped Chelsea Manning to the feds after she handed reams of classified documents to WikiLeaks. I remember confirming his death (https://www.zdnet.com/article/adrian-lamo-hacker-dies/). Many in my Twitter timeline had mixed feelings. From her jail cell, Manning said she had no ill will towards him and was “more mad” at the government for using him. This profile by NPR’s Dina Temple-Raston (https://twitter.com/NPRDina) fills in a lot of the knowledge gaps many today still want, and need, to hear. More: @NPR tweet thread (https://twitter.com/NPR/status/1174767903532638209) | Archive: ZDNet (https://www.zdnet.com/article/adrian-lamo-hacker-dies/)
Australia says China was behind parliament, political parties hacks (https://www.reuters.com/article/us-australia-china-cyber-exclusive/exclusive-australia-concluded-china-was-behind-hack-on-parliament-political-parties-sources-idUSKBN1W00VF) Reuters: Australian intelligence concluded that China was responsible for a cyberattack on its national parliament and three largest political parties before the general election in May, according to sources with knowledge of a classified report. It comes after the Australian government said (https://www.bbc.com/news/world-australia-47274663) in February that “state-backed hackers” broke into its parliament’s network, prompting lawmakers to change their passwords. Background: BBC News (https://www.bbc.com/news/world-australia-47274663)
Documents reveal how Russia taps phone companies for surveillance (https://techcrunch.com/2019/09/18/russia-sorm-nokia-surveillance/) TechCrunch: Pretty excited to work on this story. Russia’s SORM surveillance system, similar to the PRISM system in the U.S., is highly secretive. But @VickerySec (https://twitter.com/vickerysec) found a stash of documents left exposed on a backup drive containing details of how Nokia Networks supplies surveillance equipment to Russia’s largest phone provider, allowing the authorities to snoop on millions of Russians’ data. Nokia denied any wrongdoing. (Disclosure: I wrote this story.) More: UpGuard (https://www.upguard.com/breaches/mts-nokia-telecom-inventory-data-exposure/#/security-lapse-russia/) | Gizmodo (https://gizmodo.com/exposed-files-leak-details-on-sorm-russias-pervasive-d-1838226387)
RCMP spy charged with theft of ‘devastating’ cache of classified documents (LINK) CBC: A senior intelligence official in Canada’s RCMP was charged this week for “allegedly… preparing to share with a foreign entity or terrorist organization” classified documents “so vital” to Canada’s national security that their disclosure would be “potentially devastating” to the country’s intelligence-gathering efforts. BBC News said (https://www.bbc.com/news/world-us-canada-49720728) that the accused had “access to information” coming from Canada’s allies. Let’s not forget Canada is one of the five Five Eyes intelligence-sharing nations, alongside the U.S. (home of the NSA), the U.K. (GCHQ), Australia and New Zealand, so the exposure is not Canada’s alone. This is definitely a story to keep an eye on. More: BBC News (https://www.bbc.com/news/world-us-canada-49720728)
** THE STUFF YOU MIGHT’VE MISSED
A banking trojan database was left exposed (https://securitydiscovery.com/banking-trojan-database-exposed-millions-of-users-at-risk/) Security Discovery: @MayhemDayOne (https://twitter.com/mayhemdayone) is back with another set of exposed data. This time it’s a database running part of the GootKit malware network, an advanced banking trojan that injects itself into web sessions to steal credentials. The exposed data contained stolen records, including 1.4 million email addresses and 2.2 million passwords.
Secret FBI subpoenas scoop up personal data from scores of companies (https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html) The New York Times ($): Here’s some interesting reading on the expansion of national security letters. These letters are subpoenas that can be issued by the FBI without a judge signing off, but can obtain tons of metadata and other non-content information. They also come with a gag-order provision, making it almost impossible to disclose them. Only a handful of tech companies have fought to confirm they’ve received one. But new documents obtained by the EFF show they’re being used on a far wider number of companies than first thought, including banks, credit agencies, and even universities.
State employees urged sheriff not to make burglary arrests (https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/18/iowa-courts-dallas-county-courthouse-coalfire-contract-judicial-branch-test-security-ia-crime-arrest/2356047001/) Des Moines Register: More from last week’s “break-in/not-break-in” by a team of pen testers. The short version is that two pen testers were hired to test a courthouse’s defenses. They broke in after dark under what they believed was “in-scope.” That’s still up for debate (though it’s looking like it was). Now, emails show the county’s sheriff arrested the two and ignored a state official who ordered their release. The case continues.
Huawei suspended from global cybersecurity forum (https://www.wsj.com/articles/huawei-suspended-from-global-forum-aimed-at-combating-cyber-security-breaches-11568805324?shareToken=stecca5ce83f7541b995b5b05491ff95ba) The Wall Street Journal ($): Embattled technology giant Huawei has been excluded from a global cybersecurity forum aimed at tackling security breaches and sharing information on vulnerabilities. The forum is FIRST, the Forum of Incident Response and Security Teams, whose members include Cisco, Siemens, Juniper and more. Huawei wouldn’t comment on the suspension, but it means the Chinese giant will no longer have access to the vulnerability and incident information shared within the forum. Huawei has been accused of being ready to spy for the Chinese government, a charge both the company and Beijing have denied.
** OTHER NEWSY NUGGETS
This company built a private surveillance network (https://www.vice.com/en_us/article/ne879z/i-tracked-someone-with-license-plate-readers-drn) A database with more than 9 billion license plate scans, dubbed DRN, can be used to track the locations of vehicles across the U.S., a new report by Motherboard shows. Repo men are passively scanning and uploading the locations of every car they drive by into DRN. “The system could see photos of the car parked outside the owner’s house; the car in another state as its driver went to visit family; and the car parked in other spots in the owner’s city. Each was tagged with the time and GPS coordinates of the car.” Terrifying. And all of this is happening with almost zero oversight.
Justice Dept. sues Edward Snowden over his new book (https://www.justice.gov/usao-edva/pr/united-states-files-civil-lawsuit-against-edward-snowden) Edward Snowden has his memoirs out. Spoiler alert: there’s nothing classified in here that hasn’t been posted before, but the Justice Dept. doesn’t want Snowden getting a penny from his book’s proceeds because the book didn’t go through pre-publication review, which is mandated for all employees and contractors of the intelligence community. The ACLU, which represents Snowden, said (https://www.aclu.org/press-releases/aclu-comment-edward-snowden-lawsuit) the review process should end as it leads to “unexplained censorship decisions.” Oh — by the way — the book went from ~#25 in the store charts to #1 overnight. Nice work, government. More: @Snowden tweet (https://twitter.com/Snowden/status/1174105969179189251)
A clever new DDoS attack emerges (https://www.wired.com/story/ddos-attack-ws-discovery/) A new type of DDoS attack has been found in the wild. By reflecting traffic off devices that speak the little-known WS-Discovery protocol, attackers get a lot more bang for their buck: a small spoofed probe draws a much larger reply to the victim, for a roughly 15,000 percent rate of return, according to Wired ($) (https://www.wired.com/story/ddos-attack-ws-discovery/). Akamai has the full research (https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html), including attacks it observed hitting 35 Gbps.
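How that “rate of return” works, as an added example that is not Akamai’s or Wired’s code: WS-Discovery listens on UDP port 3702 (a detail not stated above), and a short Probe sent with a spoofed source address draws a much larger ProbeMatch reply to the victim, so the attacker’s bandwidth is multiplied by the reply-to-probe size ratio. The Python below computes that ratio the way the percentage is reported and, over a handful of constructed flow records in a made-up format, flags a host receiving unsolicited replies from source port 3702 from several distinct reflectors while ignoring a benign LAN discovery exchange.

```python
"""Spot WS-Discovery (WSD) reflection traffic in flow records.

Added example for this newsletter, not code from Akamai or Wired. The
flow lines below are constructed for illustration, not captured traffic.

WS-Discovery listens on UDP/3702. In a reflection attack the attacker
sends a small Probe carrying the victim's spoofed source address to many
WSD hosts; each host answers the *victim* with a much larger ProbeMatch.
The victim therefore sees unsolicited UDP datagrams from source port 3702,
from many distinct hosts, although it never sent a probe itself.
"""
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format 'src:sport > dst:dport proto bytes'."""
    left, right = line.split(">", 1)
    src, sport = left.strip().rsplit(":", 1)
    dst_port, proto, nbytes = right.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), proto.lower(), int(nbytes))


def amplification_percent(probe_bytes: int, reply_bytes: int) -> float:
    """Bandwidth amplification expressed the way the 'percent return' figure
    is reported: reply size over probe size, times 100."""
    if probe_bytes <= 0:
        raise ValueError("probe size must be positive")
    return reply_bytes / probe_bytes * 100


def find_wsd_reflection(lines, min_reflectors=3):
    """Return {victim: (distinct_reflectors, total_bytes)} for hosts that
    received UDP from source port 3702 from at least min_reflectors distinct
    hosts without having sent any WSD probe themselves in the same window."""
    flows = [parse_flow(line) for line in lines]
    # Hosts that sent a probe (unicast or to the 239.255.255.250 multicast
    # group) legitimately expect replies from port 3702.
    probed = {f.src for f in flows if f.proto == "udp" and f.dport == WSD_PORT}
    hits = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.proto != "udp" or f.sport != WSD_PORT:
            continue
        if f.dst in probed:  # solicited: the destination asked for discovery
            continue
        hits[f.dst][0].add(f.src)
        hits[f.dst][1] += f.nbytes
    return {v: (len(s), b) for v, (s, b) in hits.items() if len(s) >= min_reflectors}


# Constructed sample: one benign LAN discovery exchange, then four WSD hosts
# answering probes that carried a spoofed source address of 203.0.113.10.
SAMPLE_FLOWS = [
    "10.0.0.5:49152 > 239.255.255.250:3702 udp 640",
    "10.0.0.9:3702 > 10.0.0.5:49152 udp 2100",
    "198.51.100.7:3702 > 203.0.113.10:80 udp 4800",
    "198.51.100.8:3702 > 203.0.113.10:80 udp 5100",
    "198.51.100.9:3702 > 203.0.113.10:80 udp 4950",
    "198.51.100.10:3702 > 203.0.113.10:443 udp 5200",
]

if __name__ == "__main__":
    for victim, (count, total) in find_wsd_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {count} reflectors, {total} bytes from udp/{WSD_PORT}")
    print(f"amplification: {amplification_percent(100, 15300):.0f} percent")
```

Source port 3702 on its own is not a signal: a host that just sent its own discovery probe legitimately gets such replies, which is why the check also requires that the destination sent no probe in the same window. Real flow exports carry timestamps, so apply a time window before counting, and remember that the reflectors are victims too, since they are misconfigured devices exposed to the internet rather than attacker-controlled hosts.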
** THE HAPPY CORNER
This week, we saw an interesting twist in election system security. The U.S. Election Assistance Commission said it’s not going (https://www.cyberscoop.com/microsoft-windows-voting-machines-elections-assistance-commission/) to decertify voting machines that use Windows 7, which by the time of the election wouldn’t have received security updates for almost a year (https://techcrunch.com/2019/08/26/microsoft-enterprise-windows-7-security-updates/). Ordinarily that would be bad, but combine it with the news that Microsoft will provide security updates (https://www.cyberscoop.com/microsoft-windows-7-elections-2020/) to election systems during that first year after support ends, and it’s a little more reassuring, I’d say.
And if anyone in the crypto(graphy) world needs a good laugh, read this long tweet thread from @thepacketrat (https://twitter.com/thepacketrat/status/1175017645097328640). Suffice to say, Crown Sterling (of “mocked mercilessly at Black Hat” fame) is back. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place).
** THIS WEEK’S CYBER CAT
Meet Ripley, this week’s cybercat. Ripley doesn’t need any advanced hacking tools or exploits — with one bellyrub you’ll turn over your passwords without even knowing it. A big thanks to Garrett (https://twitter.com/garrett_oh) for the submission! (You may need to enable images in this email.) Please keep sending in your cybercats. Submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20)!
** SUGGESTION BOX
That’s it for this week. Thanks for reading — I always appreciate it. As usual, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform). Have a great week!