this week in security — september 29 edition
~this week in security~ a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 38
~ ~
** THIS WEEK, TL;DR
Unpatchable bug in millions of iOS devices exploited, developer says (https://arstechnica.com/information-technology/2019/09/unpatchable-bug-in-millions-of-ios-devices-exploited-developer-claims/) Ars Technica: The new “Checkm8” exploit published this week (https://github.com/axi0mX/ipwndfu) allows users to jailbreak their iPhone X and earlier devices. The bug is said to be unpatchable because it sits in the bootrom, the first code the chip runs at power-on, which is burned into read-only memory that Apple cannot update with a software patch. It’s the biggest exploit for iPhones in years. Malwarebytes (https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/) said the bug can be exploited even on a locked device. Meanwhile, Trail of Bits (https://blog.trailofbits.com/2019/09/27/tethered-jailbreaks-are-back/) noted that the jailbreak is tethered, meaning it needs USB access to the device and doesn’t survive a reboot, and that the exploit doesn’t allow the phone’s contents to be decrypted. In a later interview (https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/) , the developer said the exploit may not be used to exfiltrate data but could still allow a backdoor to be installed. More: ipwndfu on GitHub (https://github.com/axi0mX/ipwndfu) | Malwarebytes (https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/) | @chronic (https://twitter.com/chronic/status/1177612546787823616?s=20)
Some voting machines still have decade-old flaws (https://www.wired.com/story/voting-village-results-hacking-decade-old-bugs/) Wired ($): Good news if you’re a fan of depressing facts about the state of our democracy. This year’s Def Con Voting Village results are out. They’re not good. Some voting machines still contain vulnerabilities dating back decades. Even worse, most of the six machines tested during the security conference are still in use today. What’s Congress doing about it? Not enough. More: Voting Village report [PDF] (https://media.defcon.org/DEF%20CON%2027/voting-village-report-defcon27.pdf) | @mattblaze (https://twitter.com/mattblaze/status/1177420069846081536)
Russian national confesses to biggest bank hack in U.S. history (https://arstechnica.com/tech-policy/2019/09/russian-national-confesses-to-biggest-bank-hack-in-us-history/) Ars Technica: A Russian national has admitted to carrying out the 2014 breach at JP Morgan Chase, which generated hundreds of millions of dollars in illicit revenue. Some 80 million banking clients were affected by the breach. The hacker could serve between 15 and 20 years in jail. More: Justice Dept. (https://www.justice.gov/usao-sdny/pr/russian-hacker-pleads-guilty-involvement-massive-network-intrusions-us-financial) | Background: Ars Technica (https://arstechnica.com/information-technology/2014/08/jpmorgan-other-banks-hacked-and-fbi-looks-to-russia-for-culprits/)
What’s in Trump’s super classified server? (https://www.vice.com/en_us/article/zmjyky/whats-in-trumps-super-classified-server-and-why-is-he-hiding-things-there) Motherboard: This was one hell of a messy week in Washington. First it started out with CrowdStrike trending on Twitter because Trump mentioned the cybersecurity company in a call with the Ukrainian president — for reasons not quite known (https://www.cyberscoop.com/donald-trump-crowdstrike-ukraine-phone-call/) — and ended with news of a secret server (https://www.vice.com/en_us/article/zmjyky/whats-in-trumps-super-classified-server-and-why-is-he-hiding-things-there) containing tons of highly classified presidential recordings. This Motherboard report (https://www.vice.com/en_us/article/zmjyky/whats-in-trumps-super-classified-server-and-why-is-he-hiding-things-there) dives into what Trump was doing with the codeword-level server, based on accounts from former National Security Council officials, and why it matters — regardless of your political persuasions. More: Cyberscoop (https://www.cyberscoop.com/donald-trump-crowdstrike-ukraine-phone-call/) | Wall Street Journal ($) (https://www.wsj.com/articles/computer-system-where-trump-document-was-reportedly-stashed-is-reserved-for-biggest-u-s-secrets-11569528065)
Tibetans targeted with Android and iPhone hacks (https://www.forbes.com/sites/thomasbrewster/2019/09/24/whatsapp-fakes-hack-tibetan-iphones-and-androids-to-steal-facebook-data-and-more/#56b46a51713d) Forbes: High-profile Tibetans have seen their Apple iPhones and Android devices targeted by one-click exploits delivered in messages sent over WhatsApp. A victim only had to tap on a link and the attacker would get access to their phone. Those are the latest findings from Citizen Lab. It’s the same hacking group, said to be linked to China, that targeted Uyghurs, the researchers said. More: TechCrunch (https://techcrunch.com/2019/09/24/tibetans-iphone-android-hacks-uyghurs/) | Citizen Lab (https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/)
DoorDash breach affects 4.9 million users, drivers, and merchants (https://blog.doordash.com/important-security-notice-about-your-doordash-account-ddd90ddf5996) DoorDash: The food delivery giant is blaming an unknown third party for a data breach affecting 4.9 million customers, delivery workers and merchants, including the theft of driver’s license numbers belonging to about 100,000 delivery workers. Anyone who signed up before April 5, 2018 is affected. The company wouldn’t say why it took months to detect the breach, or answer even the most basic of questions. It comes a year after customers said their accounts had been hacked (https://techcrunch.com/2018/09/25/doordash-customers-say-their-accounts-have-been-hacked/) . More: Motherboard (https://www.vice.com/en_us/article/vb5zjj/hackers-stole-data-on-nearly-5m-doordash-users-including-order-history)
How the NSA hacked the Islamic State (https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis) NPR: Last week it was the Lamo story (https://www.npr.org/2019/09/19/760317486/the-mysterious-death-of-the-hacker-who-turned-in-chelsea-manning) , this week the same reporter took on how the NSA is targeting Islamic State fighters (https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis) . “ISIS routinely used encrypted apps, social media and splashy online magazines and videos to spread its message, find recruits and launch attacks.” This dives into how the NSA fights back using phishing emails to plant malware, open backdoors, conduct recon and then crash critical servers. More: NPR (https://www.npr.org/2019/09/26/764790682/how-the-u-s-cracked-into-one-of-the-most-secretive-terrorist-organizations) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Busting open a smart lock in four seconds (https://www.pentestpartners.com/security-blog/drilling-open-a-smart-door-lock-in-4-seconds/) Pen Test Partners: We all know smart locks aren’t so secure (https://techcrunch.com/2019/07/02/smart-home-hub-flaws-unlock-doors/) , but one Pineworld lock takes crappy security to a whole new level. By busting out a drill, the researchers at Pen Test Partners were able to crack the lock in just a matter of seconds. @cybergibbons (https://twitter.com/cybergibbons/status/1176419262325501953) has a good tweet thread on the case.
Dropbox Paper exposes document visitors’ names and email addresses (https://twitter.com/koenrh/status/1176523837866946561) Koen Rouwhorst: Twitter user @koenrh (https://twitter.com/koenrh/status/1176523837866946561) found that Dropbox Paper publicly exposes the name and email address of any Dropbox user who has ever opened a document. Rouwhorst said this seems “problematic.” Yeah, that’s one way to put it. Dropbox said (https://twitter.com/DropboxSupport/status/1176956611434352641) it won’t fix the apparent issue.
How Google Project Zero changes the secretive market for exploits (https://www.vice.com/en_us/article/59nyqb/how-google-changed-the-secretive-market-for-the-most-dangerous-hacks-in-the-world) Motherboard: Vice looks at Project Zero, Google’s elite vulnerability finding unit. The hackers find bugs day in and day out, in Google’s products and others’, as part of an effort to make the internet safer. @lorenzoFB (https://twitter.com/lorenzofb) looks at the current exploit market for some of the most dangerous flaws in the world — and how Project Zero plays its part.
California’s new labor law could impact bug bounty firms (https://www.cyberscoop.com/ab5-bug-bounty-companies-hackerone-bugcrowd/) Cyberscoop: An interesting twist in California’s new labor laws. AB5 (https://www.billtrack50.com/BillDetail/996562) will change how employers classify independent contractors, but some say it’ll also affect bug bounty companies — like Bugcrowd and HackerOne — which help other companies fix security flaws through crowdsourced bounties. “If a bug bounty company’s primary job is to test companies by hiring out that work to contractors, that work is now questionable,” said one expert speaking to Cyberscoop.
How TikTok censors videos that do not please Beijing (https://www.theguardian.com/technology/2019/sep/25/revealed-how-tiktok-censors-videos-that-do-not-please-beijing) The Guardian: We all suspected it but now there’s proof. A leaked document confirms Chinese video app TikTok instructs its moderators to censor videos that mention Tibet, the banned religious group Falun Gong, and any mention of Tiananmen Square. China, if you recall, has one of the most restrictive internets in the world. TikTok said the rules are “no longer in use.” Uh-huh. ~ ~
** OTHER NEWSY NUGGETS
Emergency patch for Windows zero-day (https://www.bbc.com/news/technology-49809453) A zero-day affecting Internet Explorer is under active exploitation. Microsoft issued out-of-band patches this week, outside its usual monthly Patch Tuesday cycle, for all supported Windows versions. Homeland Security issued its own advisory (https://www.us-cert.gov/ncas/current-activity/2019/09/23/microsoft-releases-out-band-security-updates) warning users of the issue.
Amazon’s Ring wanted to use 911 calls to activate its video doorbells (https://www.cnet.com/news/amazons-ring-wanted-to-use-911-calls-to-activate-its-video-doorbells/) New documents received by @alfredwkng (https://twitter.com/alfredwkng) show Ring was working on a system that would trigger the cameras on its video-enabled doorbells in the vicinity of incoming 911 calls. Ring, for its part, said the system was no longer being pursued.
Microsoft said it’ll continue to fight secrecy orders (https://blogs.microsoft.com/on-the-issues/2019/09/25/ensuring-secrecy-orders-are-the-exception-not-the-rule-when-the-government-seeks-data-owned-by-our-customers/) Microsoft said this week it’ll continue to ask that the government allow it to inform customers when it comes for their data. The software giant said “sneak and peek” searches are unlawful, despite losing the case in federal court. This tweet thread from @dinabass (https://twitter.com/dinabass/status/1176976316660236288) runs through the issue simply. ~ ~
** THE HAPPY CORNER
And just a quick one in this week’s happy corner. A big shout-out to @InfoSecSherpa (https://twitter.com/infosecsherpa/status/1176123290089340930?s=21) , who started at the New York Times’ infosec team this week. Great news! If you want to nominate some good news from the week, feel free to reach out (mailto:zack.whittaker@gmail.com?subject=Good%20news%20for%20your%20newsletter) . ~ ~
** THIS WEEK’S CYBER CAT
This is Louie, this week’s cybercat. He looks sweet and cuddly, but he’s a crack social engineer. Just look at how much you want to rub his belly. A big thanks to @itspeterc (https://twitter.com/itspeterc) for the submission. Please keep sending in your cybercats. Send them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.) . ~ ~
** SUGGESTION BOX
That’s all for now. As always, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . I’m off next week so I’ll be back the Sunday following. ~ ~