this week in security — september 30 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 1, issue 12.
** THIS WEEK, TL;DR
Facebook Security Incident Exposes 90 Million Accounts (http://newsroom.fb.com/news/2018/09/security-update/) Facebook Newsroom: Three bugs chained together in the “View As” feature allowed hackers to steal access tokens for as many as 50 million accounts, and Facebook reset the tokens of 40 million more as a precaution. Because those tokens also back Facebook Login, third-party sites that use it, like Spotify and Tinder, may have been exposed too. Coming just months after the Cambridge Analytica scandal, this doesn’t look good, but many praised Facebook for its quick response. More: Techmeme (https://www.techmeme.com/180928/p13#a180928p13) | @mikeisaac tweet thread (https://twitter.com/MikeIsaac/status/1045744603717033989) | @ihackbanme counterpoints (https://twitter.com/ihackbanme/status/1046072813289902082?s=19)
Chrome Update Includes Forced Login, Google Later Backtracks (https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/amp/) Cryptographic Engineering: Matthew Green (https://twitter.com/matthew_d_green) said in a blog post that he would quit using Chrome after Google made the browser sign you into Chrome whenever you sign into a Google site. Even though browsing data and history wouldn’t automatically sync, Chrome’s “dark design” made it easy to trick users into turning sync on, he said. Google later backtracked, promising a setting in the next Chrome release that lets users turn the automatic sign-in off. More: HackerNoon (https://hackernoon.com/what-the-heck-google-part-4-cff837952d7) | ArsTechnica (https://arstechnica.com/gadgets/2018/09/google-backtracks-a-bit-on-controversial-chrome-sign-in-feature/ )
United Nations Accidentally Exposed Passwords To The Whole Internet (https://theintercept.com/2018/09/24/united-nations-trello-jira-google-docs-passwords/) The Intercept: A security researcher found dozens (https://twitter.com/xkushagra/status/1044268769999302656?s=21) of publicly accessible Trello boards containing credentials and other sensitive information. That data could’ve let an attacker into Jira instances, G Suite accounts, and more. The UN dragged its feet in securing the systems — taking weeks to pull the data down. More: @xkushagra tweet thread (https://twitter.com/xkushagra/status/1044268769999302656?s=21) | freeCodeCamp (https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724) | The Register (https://www.theregister.co.uk/2018/09/25/un_trello_jira_leak_vulnerability/)
Mobile Websites Can Tap Into Your Phone’s Sensors Without Asking (https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking/) Wired ($): Just when you thought apps were the creepiest thing on your phone, it turns out ordinary mobile sites can be just as bad. Researchers found thousands of popular sites grab data from your device’s sensors — like proximity and motion data — through browser APIs that require no permission prompt, and that data can be used for mobile ad tracking and browser fingerprinting, according to @lilyhnewman (https://twitter.com/lilyhnewman) ‘s reporting. More: Sensor-JS (https://sensor-js.xyz/)
The Crisis of Election Security (https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html ) New York Times Magazine ($): Grab some coffee for this @kimzetter long read. This is by far the most in-depth assessment of where we are in terms of election security. It’s over 6,000 words detailing how the US hasn’t given a toss about election security in decades. More: Wall Street Journal ($) (https://www.wsj.com/articles/widely-used-election-systems-are-vulnerable-to-attack-report-finds-1538020802)
Facebook Is Giving Advertisers Your Shadow Contact Information (https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051 ) Gizmodo: Facebook has been using the phone number you upload for two-factor authentication to target advertising. While not a security issue per se, it’s definitely damaging to opsec, and it punishes people for turning on a security feature. The lesson for Facebook is to stop being so damn shady. For the rest of us, app-based authentication is better, since it doesn’t hand over a phone number at all. More: Paper (PDF) (https://mislove.org/publications/PII-PETS.pdf) | TechCrunch (https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-ads/)
Decade-Old Flaw Found in Widely Used Ballot-Counting Machine (https://www.cyberscoop.com/def-con-voting-village-report/) Cyberscoop: Another report from the Def Con voting village: a widely used voting machine is vulnerable to a flaw that’s been around for more than a decade. Worse, the voting machine is used by half of all US states. “Disclosing vulnerabilities does not seem to be enough to get them fixed, even years later,” said the report. More: Ars Technica (https://arstechnica.com/information-technology/2018/09/e-voting-researchers-warn-of-hack-that-could-flip-the-electoral-college/) | Report (PDF) (https://defcon.org/images/defcon-26/DEF CON 26 voting village report.pdf)
Uber Pays $148 Million Over Yearlong Cover-Up Of Data Breach (https://www.npr.org/2018/09/27/652119109/uber-pays-148-million-over-year-long-cover-up-of-data-breach) NPR: $148 million is a record settlement for Uber’s 2016 data breach, which exposed 57 million Uber riders and 600,000 drivers. As is often the case, the cover-up was worse than the crime: the breach wasn’t reported to authorities for a year, and the company’s CSO was later shown the door. Other companies out there harboring news of a data breach should take note… More: BBC News (https://www.bbc.com/news/technology-45666280) | Uber blog (https://www.uber.com/newsroom/2016-data-breach-settlement/) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Watchdog Says Face Scanning At US Airports Is Plagued With Technical Problems (https://techcrunch.com/2018/09/25/watchdog-says-face-scanning-at-us-airports-is-plagued-with-technical-problems/) TechCrunch: A bunch of airports now scan your face before you board your international flight — that’s so Customs & Border Protection can spot people who overstay their visas. Aside from the privacy consequences, now a government watchdog says the system is already broken — with 15 percent of scans failing to recognize the subject. (Disclosure: I wrote this story.)
Former NSA Worker Sentenced to 5.5 Years After Taking Secret Documents Home (https://www.usatoday.com/story/news/2018/09/25/former-nsa-worker-nghia-hoang-pho-prison-taking-secret-documents-home/1425087002/) USA Today: Five and a half years in the slammer for an ex-staffer at the NSA’s Tailored Access Operations, who took exploits built by his unit home. It’s widely believed that the staffer’s lapse in security (and judgment) in using his home computer resulted in Kaspersky vacuuming up classified hacking tools (https://www.thedailybeast.com/nsa-coder-jailed-for-smuggling-secrets-that-wound-up-in-russian-hands) — though the government has not yet confirmed this.
Conservative Party Conference App Reveals MPs’ Numbers (https://www.bbc.com/news/uk-politics-45693143) BBC News: You know what any nation state hacker would love? A politician’s phone number. How do you get it? By using the politicians’ party’s own conference app. This was a remarkable bungle from the UK government’s ruling party, especially since now it has to face the GDPR music…
News Sites That Take on Big Tech Face Legal Peril (http://fortune.com/2018/09/27/facebook-research-censorship/ ) Fortune: We all know reporters are just as subject to the CFAA as hackers are (which makes verifying data breaches harder but oh well). But in a new world of investigative journalism, Facebook and other tech giants that ban scraping could leave reporters in legal peril. The result? Chilling research — and journalism. ~ ~
** OTHER NEWSY NUGGETS
Facebook wins wiretap case: If you were hoping for a rerun of Apple v. FBI, you’re out of luck. The government lost its bid to force Facebook (https://www.reuters.com/article/us-facebook-encryption-exclusive/exclusive-in-test-case-u-s-fails-to-force-facebook-to-wiretap-messenger-calls-sources-idUSKCN1M82K1 ) to wiretap voice calls in its Messenger app (which isn’t end-to-end encrypted for voice calls, by the way!). That’s because internet companies are exempt from the wiretap-assistance statutes that target phone companies — for now.
Fancy Bear using UEFI rootkits to target governments: Also known as APT28 or Sednit, the Russia-backed hackers are now targeting governments with a UEFI rootkit, dubbed LoJax, which ESET said is the first UEFI rootkit (https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/) it has seen used in the wild. Because it lives in the system firmware, it survives an OS reinstall and even a hard drive swap. It also marks an escalation in Fancy Bear’s hacking activities.
WD fixes leaky cloud: It took more than a year (https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html) but Western Digital finally fixed an authentication bypass flaw that let an attacker gain admin privileges on its range of My Cloud products. The company released the patch (https://support.wdc.com/knowledgebase/answer.aspx?ID=25952&s) this week. WD only responded after reporters (including myself) asked “WTF?” In the meantime, stop using crappy tech products.
~ ~
** GOOD PEOPLE DOING GOOD THINGS
Just a couple this week.
@MalwareJake (https://twitter.com/malwarejake/status/1043652010061520896?s=21) dished out some sage advice for any frequent (and occasional) flyer. Opsec also applies at 35,000 feet. Also, you never know when you’re sat next to a hacker. Here are his top five tips (https://twitter.com/malwarejake/status/1043652010061520896?s=21) .
And, if you haven’t heard of The Markup (https://twitter.com/team_markup) yet, you will soon. It’s a new publication by @JuliaAngwin (https://twitter.com/JuliaAngwin) et al, focused on the societal harms brought by tech. As if you need any other reason to read it, it’s (to my knowledge) the only news site that doesn’t contain a ton of trackers (https://twitter.com/douglevin/status/1044317573083541504) and other privacy-busting bullshittery.
~ ~
** THE CORNER OF SHAME
This week — and starting in October — is Cybersecurity Awareness Month. Are you aware of cybersecurity? Of course you are, it’s your damn job. Are you not? You’re fired! Cybersecurity Awareness Month is like the Valentine’s Day of infosec (https://twitter.com/thepacketrat/status/1042571048972181515) . It’s a bit of a slap in the face to anyone who’s spent the past 11 months trying to convey the importance of good cybersecurity. Granted, if one person changes their cyber-habits as a result, we can call it a success. Otherwise, we should call Cybersecurity Awareness Month exactly what it is — the Hallmark holiday of hackers. ~ ~
** THIS WEEK’S CYBER CAT
This week’s cyber cat is a kitten named Griffin. At just ten weeks old, Griffin wants to remind you to always practice safe cybers. Thanks to Baret Yahn for the submission. (You may need to enable images in this email.) If you want your cyber cat featured in next week’s newsletter, email me: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20suggestion&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) . ~ ~
** SUGGESTION BOX
That’s all for this week. In case you were wondering, I switched to Mailchimp, since it supports DKIM. Hopefully this newsletter won’t land in your spam folder anymore. If you have any feedback, please drop me a note here (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . It’s anonymous, but you’re welcome to leave your email if you want. I’m open to feedback, and always want to improve this newsletter. ~ ~