this week in security — september 27 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 3, issue 38
~ ~
** THIS WEEK, TL;DR
One of this year’s most severe Windows bugs is now under active exploit (https://arstechnica.com/information-technology/2020/09/one-of-this-years-most-severe-windows-bugs-is-now-under-active-exploit/) Ars Technica: Microsoft has said a critical vulnerability in Windows Server, dubbed Zerologon because it requires no passwords to escalate from an initial foothold to the “crown jewels” of the network, is under active attack. The bug is particularly nasty because it can allow an attacker to effectively hijack a network’s domain controller in a matter of seconds. In a series of tweets, Microsoft said (https://twitter.com/MsftSecIntel/status/1308941504707063808) it has witnessed an unnamed threat actor using the vulnerability. Homeland Security’s cyber unit CISA also warned that an undisclosed federal agency was successfully infiltrated by attackers using the vulnerability, days after CISA’s own deadline (https://techcrunch.com/2020/09/19/homeland-security-emergency-alert-critical-windows-bug/) for federal agencies to patch. More: Bloomberg ($) (https://www.bloomberg.com/news/articles/2020-09-24/hacker-accessed-network-of-u-s-agency-and-downloaded-data?sref=gni836kR) | TechCrunch (https://techcrunch.com/2020/09/19/homeland-security-emergency-alert-critical-windows-bug/) | @msftsecintel (https://twitter.com/MsftSecIntel/status/1308941505730666496) | @kimzetter (https://twitter.com/KimZetter/status/1309227398408224768?s=20)
A huge dark web drugs bust sees 179 arrests and $6.5 million seized (https://www.forbes.com/sites/thomasbrewster/2020/09/22/epic-dark-web-bust-sees-179-arrests-and-65-million-seized/) Forbes: Police have arrested 179 people for their involvement in selling drugs on a dark web marketplace. Most of the arrests were in the U.S., with several more across Europe. Europol said the bust meant that the “golden age of the dark web marketplace is over.” But Europol didn’t say how it identified the anonymized users hidden by the Tor network.
More: BBC News (https://www.bbc.com/news/technology-54247529) | Wired ($) (https://www.wired.com/story/operation-disruptor-179-arrested-global-dark-web-takedown/)
Despite past denials, LAPD has used facial recognition software 30,000 times in last decade (https://www.latimes.com/california/story/2020-09-21/lapd-controversial-facial-recognition-software) Los Angeles Times ($): Los Angeles police have long denied using facial recognition, but records show that the department has used the technology close to 30,000 times since 2009. It turns out that some 300 LAPD officers had access not in-house, but through the LA County Sheriff. Critics say facial recognition disproportionately discriminates against people of color. As @alfredwkng (https://twitter.com/alfredwkng/status/1308131196594008067?s=20) noted, the Sheriff obtains its data from DataWorks Plus, the same company that Detroit’s police chief said misidentifies people 96% of the time. More: @kevrector (https://twitter.com/kevrector/status/1308098552392904705?s=20) | @alfredwkng (https://twitter.com/alfredwkng/status/1308131196594008067)
Foreign hackers cripple Texas county’s email system, raising election security concerns (https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns) ProPublica: An Emotet outbreak hit a Texas county’s email systems, which ProPublica looked at from an election security angle. While a lot of folks immediately think of election hacking as altering ballot counts, the bigger concern, as ProPublica noted, is “the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots.” That’s where some of the bigger problems are, because a lot of the smaller local municipalities don’t have the resources to take cybersecurity precautions. Emotet is often used as a delivery mechanism for more malware, like ransomware. That’s a problem since “such attacks could rattle voters’ confidence — or, at worst, bring down systems on election day.” More: @jessicahuseman (https://twitter.com/JessicaHuseman/status/1309167856018481159) | @jackgillum (https://twitter.com/jackgillum/status/1309098800502452230) | @alfredwkng (https://twitter.com/alfredwkng/status/1309171129286885378)
Shopify says ‘rogue’ employees stole customer data from merchants (https://www.bloomberg.com/news/articles/2020-09-22/shopify-says-rogue-employees-stole-data-from-merchants?sref=gni836kR) Bloomberg ($): Online marketplace Shopify says two “rogue” employees, since fired, stole customer data on somewhere between 100 and 200 merchants. The data included names, addresses, and order information. An email notification I got from a merchant said the last four digits of payment cards were also taken (https://techcrunch.com/2020/09/23/shopify-data-merchant-breach/). In that merchant’s case, more than a million customers had their information stolen. That’s probably why Shopify didn’t say how many actual customers were affected. Shopify said it brought in the FBI to investigate the data theft. More: Shopify (https://community.shopify.com/c/Shopify-Discussion/Incident-Update/m-p/888971) | ZDNet (https://www.zdnet.com/article/shopify-discloses-security-incident-caused-by-two-rogue-employees/)
Tribune Publishing out-evils itself with phishing email promising bonuses (https://www.vice.com/en_us/article/y3z8g5/tribune-publishing-out-evils-itself-with-phishing-email-promising-bonuses) Motherboard: Earlier this year Tribune Publishing, which owns the Chicago Tribune and the New York Daily News among others, furloughed workers and slashed the remaining workers’ pay because of the pandemic. Fast forward to this week and some bright spark sent a simulated phishing email informing executives (and not employees) “that we are providing targeted bonuses between $5,000 and #10,000 this year.” Those who clicked were told it was a phishing test. The Chicago Tribune Guild called it a “heartless, insulting and tone-deaf exercise.” More: @justin_fenton (https://twitter.com/justin_fenton/status/1308851669397053440) | @CTGuild (https://twitter.com/CTGuild/status/1308855843845296130?s=20)
~ ~
** SUPPORT THIS NEWSLETTER
A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks! (https://www.patreon.com/posts/mugs-are-on-way-32666051)), it helps keep the newsletter going. You can contribute to the Patreon (https://www.patreon.com/thisweekinsecurity) or send a one-time donation via PayPal (http://paypal.me/thisweekinsecurity) or Venmo (https://mcusercontent.com/e1ad6038c994abec17dafb116/images/9686ed69-9c8a-4787-9b13-758569be85e4.png).
~ ~
** THE STUFF YOU MIGHT’VE MISSED
U.S. judge blocks Twitter’s bid to reveal surveillance requests (https://www.reuters.com/article/us-usa-twitter-lawsuit/u-s-judge-blocks-twitters-bid-to-reveal-government-surveillance-requests-idUSKBN2200CS) Reuters: In a case that’s gone on now for almost six years — or four attorneys general, if you’re counting — a court ruled this week that Twitter cannot reveal the number of surveillance requests it received from the U.S. government. The judge accepted the government’s argument that the disclosure would “lead to grave or imminent harm” to national security, while rejecting Twitter’s free speech argument. Twitter has long wanted to disclose the number of requests it receives. Under Justice Dept. rules, tech companies can only reveal the range of requests in bands of 250.
The Markup built a tool to scan websites for trackers (https://themarkup.org/blacklight) The Markup: @asankin (https://twitter.com/asankin) and @suryamattu (https://twitter.com/suryamattu) built an incredible tool called Blacklight, which tells you how many trackers are on some of the most popular websites. Out of the top 80,000 sites on the internet, some 69,000 sites sent user data to a third party. Sometimes this data turns up in vast data pools used to serve targeted ads at you. That’s the price of visiting “free” websites: your privacy.
Think twice before using Facebook or Apple to sign in everywhere (https://www.wired.com/story/single-sign-on-facebook-google-apple/) Wired ($): An important PSA from @lilyhnewman (https://twitter.com/lilyhnewman) this week on the risks of using single sign-on providers, like Facebook and Apple, to log into websites. Read this and you’ll jump down the rabbit hole of why these systems might not be so great for your security in the long run.
German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed (https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/) Amnesty International: FinSpy, a commercial spyware suite of tools developed by German company FinFisher, has been found in Egypt targeting human rights defenders and journalists, according to new findings from Amnesty. The human rights organization said it found previously undisclosed versions of the spyware for macOS and Linux computers. Here’s more from @botherder (https://twitter.com/botherder/status/1309459284913254400).
Britain has offensive cyberwar capability, top general admits (https://www.theguardian.com/technology/2020/sep/25/britain-has-offensive-cyberwar-capability-top-general-admits) The Guardian: Britain’s most senior military cyber chief, Gen. Sir Patrick Sanders, who heads the U.K.’s Strategic Command, has confirmed that the U.K. has the capacity to “degrade, disrupt and destroy” its enemies’ critical infrastructure in a future cyber conflict. It’s a rare admission of what most have suspected for years.
~ ~
** OTHER NEWSY NUGGETS
LokiBot, the malware that steals your most sensitive data, is on the rise (https://arstechnica.com/information-technology/2020/09/lokibot-the-malware-that-steals-your-most-sensitive-data-is-on-the-rise/) CISA is back with a new advisory: LokiBot, malware that steals passwords and cryptocurrency wallets, is on the rise. The cyber agency said it had seen a “notable increase” in the use of LokiBot since July.
How Arkady Bukh has become one of the go-to cyber defense lawyers (https://www.cyberscoop.com/story/arkady-bukh-man-in-the-middle/) Here’s a great, highly detailed profile on Arkady Bukh by @jeffstone500 (https://twitter.com/jeffstone500). Bukh, originally from the former Soviet Union, is a New York-based defense lawyer who’s known for taking on some of the toughest cybercrime cases, including the case of Yevgeniy Nikulin, accused of stealing over 117 million usernames and passwords from LinkedIn, Formspring and Dropbox in 2016. This is a long read, so grab a coffee and get comfy.
Government services firm Tyler Technologies hit in apparent ransomware attack (https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/) @briankrebs (https://twitter.com/briankrebs) reports on a ransomware attack at Tyler Technologies, a government software and technology provider. The company later confirmed the attack in a statement.
~ ~
** THE HAPPY CORNER
Scraping the bottom of the barrel this week. Take a look at this hacker wine I found on my day off. If you want to nominate some good news from the week, feel free to reach out (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
** THIS WEEK’S CYBER CAT
Karma is this week’s cybercat. As you can see, Karma is very much a keyboard cat. (Bonus points for the cyber cat mug!) Thanks so much to Kerstin for the submission. Keep sending in (mailto:this@weekinsecurity.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) your cyber cats!
~ ~
** SUGGESTION BOX
That’s it for this week. Hope you had a great one. As always, the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) is open for feedback and, well, suggestions. Have a great rest of your weekend, and see you next Sunday.