this week in security — september 8 edition
** this week in security
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 35.
** THIS WEEK, TL;DR
Revealed: How a secret Dutch mole aided the Stuxnet cyberattack on Iran (https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html?soc_src=hl-viewer&soc_trk=tw) Yahoo News: Finally! A major Stuxnet mystery has been solved. @kimzetter (https://twitter.com/kimzetter) reports that a Dutch mole was used to get the specialized Stuxnet malware onto the network of an Iranian uranium-enrichment plant. The new information comes out more than a decade after the attack. The mole, an Iranian engineer recruited by Dutch intelligence, gave the joint U.S.-Israeli operation the insider access it needed to reach a network that was cut off from the internet. The attack, also aided by the French and the Germans, covertly altered the speed of the centrifuges used to enrich uranium so that they damaged themselves, setting Iran's nuclear program back by several years. More: @kimzetter tweet thread (https://twitter.com/KimZetter/status/1168556313120370690) | Volkskrant (Dutch) (https://www.volkskrant.nl/nieuws-achtergrond/aivd-speelde-cruciale-rol-bij-sabotage-kernprogramma-iran~ba24df9f/)
Amateurs identify U.S. spy satellite behind Trump's tweet (https://www.npr.org/2019/09/02/756673481/amateurs-identify-u-s-spy-satellite-behind-president-trumps-tweet) NPR: Somewhat hilarious, somewhat depressing. Amateur satellite trackers said an aerial image tweeted (https://twitter.com/realDonaldTrump/status/1167493371973255170?s=20) this week by President Trump came from one of America's most advanced spy satellites, likely USA 224, run by the National Reconnaissance Office. The satellite itself is highly classified, but the hobbyists were able to infer a good deal about it from the image, and one tracker worked out where the satellite was in the sky when the picture was taken. Why did Trump tweet a highly classified image? Terrible opsec. More: SatTrackCam (https://sattrackcam.blogspot.com/2019/09/image-from-trump-tweet-identified-as.html) | @Marco_Langbroek tweet thread (https://twitter.com/Marco_Langbroek/status/1167806249121013760)
Apple confirms Uyghurs were targeted in iPhone hacks (https://www.buzzfeednews.com/article/ryanmac/apple-uighurs-hack-google-china) BuzzFeed News: Apple has confirmed reports (https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/) that Uyghur Muslims were the target of the iPhone exploit chains recently documented and disclosed by Google's Project Zero. Apple's statement (https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/) was widely panned by the security community. But Google also took flak over claims that it kept quiet about Android being affected too (https://www.cnn.com/2019/09/04/politics/china-uyghur-hack/index.html) . Reuters reported that China hacked (reuters.com/article/us-china-cyber-uighurs/china-hacked-) into Asian telcos to track Uyghurs, a heavily oppressed minority living in China's Xinjiang province. More than a million have been incarcerated in the past year. More: CNN (https://www.cnn.com/2019/09/04/politics/china-uyghur-hack/index.html) | TechCrunch (https://techcrunch.com/2019/08/31/china-google-iphone-uyghur)
Exploit sellers say there are more iPhone hacks than ever (https://www.vice.com/en_us/article/7x584y/exploit-sellers-say-there-are-more-iphone-hacks-on-the-market-than-theyve-ever-seen) Motherboard: On that note, two exploit brokers say they are seeing a spike in the number of iPhone exploits on offer, despite Apple's claims that iPhones are more secure than their Android counterparts. With iOS exploits suddenly plentiful, brokers have raised what they pay for Android zero-days, Motherboard said. "We believe that the time has come to pay the highest bug bounty for Android exploits until Apple re-improves the security of iOS components such as Safari and iMessage," said one seller. Archive: Motherboard (https://www.vice.com/en_us/article/evek9z/phones-harder-to-hack-crowdfense-zerodium-buy-router-zero-days-exploits)
Brave claims it found Google's GDPR 'workaround' (https://brave.com/google-gdpr-workaround/) Brave: Privacy browser maker Brave said it has discovered how Google circumvents GDPR's privacy protections: by using "push pages" to share profile identifiers about a person with advertisers when they load a webpage. "This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible." An interesting finding, though it comes from Brave, a Google rival with a stake in the outcome. Google denied the claims. More: Irish Times (https://www.irishtimes.com/business/technology/google-accused-of-secretly-feeding-personal-data-to-advertisers-1.4007629)
Scammer deepfaked CEO's voice to steal $243,000 (https://gizmodo.com/scammer-successfully-deepfaked-ceos-voice-to-fool-under-1837835066) Gizmodo: A U.K.-based energy firm lost $243,000 after a scammer deepfaked the voice of its parent company's chief executive to trick an employee into wiring funds to the scammer's bank account. Deepfakes are synthetic audio or video of a real person, generated by machine learning, that show them saying or doing things they never did. A caller who sounds exactly like the boss defeats the "I recognized the voice" check, so payment instructions that arrive by phone should be confirmed through a second, independent channel. More: Wall Street Journal ($) (https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402) | Background: Medium (https://medium.com/dessa-news/real-talk-speech-synthesis-5dd0897eef7f)
** THE STUFF YOU MIGHT’VE MISSED
How do you build an internal red team? (https://medium.com/@prsecurity_/how-to-build-an-internal-red-team-7957ec644695) Medium: Here's a great look at how to build an offensive security team, the people paid to attack their own organization and find its weaknesses before real adversaries do. It covers both operations and the supporting infrastructure, and how the two fit together. An interesting look at how red teams should work.
How a high-school dropout hacked a million devices (https://www.thedailybeast.com/how-a-high-school-dropout-hacked-a-million-devices) The Daily Beast: The teenager behind the notorious Satori botnet has pleaded guilty after ensnaring hundreds of thousands of Internet of Things devices, including 700,000 Huawei devices, to launch distributed denial-of-service attacks. The botnet was far more powerful than the Mirai botnet, which in 2016 took down Dyn, the DNS provider relied upon by Spotify, Twitter, and other web giants.
Let's Encrypt supports close to 30% of all web domains (https://www.leebutterman.com/2019/08/05/analyzing-hundreds-of-millions-of-ssl-connections.html) Little Short Bulletins: Let's Encrypt, the free TLS certificate authority, now issues the certificates for close to 30% of all internet domains, some 47.2 million certificates in all, according to a new analysis of hundreds of millions of TLS connections. DigiCert is a distant second with 28.9 million certificates.
** OTHER NEWSY NUGGETS
Supermicro bug put corporate servers at risk (https://www.wired.com/story/supermicro-bug-virtual-usb/) From @lilyhnewman (https://twitter.com/lilyhnewman) : bugs in how the baseboard management controllers on Supermicro servers handle "virtual" USB media could put corporate networks at risk. No physical access is needed; the attack works over the network against the management interface. An attacker could plug in a virtual USB drive remotely and use it to load a backdoored operating system image onto the server, or pull the machine offline in a denial-of-service attack. The practical fix, beyond patching the firmware, is to keep management interfaces off the internet and on an isolated network.
Popular Android phones vulnerable to 'provisioning' messages (https://www.zdnet.com/article/samsung-huawei-lg-and-sony-phones-vulnerable-to-rogue-provisioning-messages/) Hackers can forge the carrier provisioning messages (OMA CP messages delivered over SMS) that carriers use to push network settings to handsets, and trick unsuspecting victims into accepting malicious settings such as a rogue proxy, allowing the attacker to reroute email or web traffic through a server they control. Samsung, Huawei, LG and Sony phones were vulnerable, and Sony still hasn't patched its customers' devices. Check Point has a more detailed (https://research.checkpoint.com/advanced-sms-phishing-attacks-against-modern-android-based-smartphones/) write-up. An interesting attack vector, if a little far-fetched.
Over 600,000 GPS trackers are using a really basic default password (https://arstechnica.com/information-technology/2019/09/600000-gps-trackers-for-people-and-pets-are-using-123456-as-a-password/) A popular GPS tracker marketed for kids and pets ships with a default password of '123456,' according to Avast researchers, leaving an estimated 600,000 devices open to anyone who can guess a device ID. The researchers contacted the company behind the tiny location trackers but never received a response, so there is no fix coming from the vendor. Avast has its own blog post (https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/) detailing the flaws.
Rapid7 releases Metasploit exploit for BlueKeep (https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/) Researchers at Rapid7 have rolled out a new Metasploit exploit module for BlueKeep (CVE-2019-0708), the wormable RDP vulnerability that had everyone from Homeland Security to the NSA warning users to patch. @malwaretechblog (https://twitter.com/malwaretechblog/status/1170086291603509248?s=21) noted that the module relies on a heap-spray technique to achieve remote code execution, so it is not yet reliable across targets: a failed attempt crashes the machine, which is why the initial module is ranked Manual and needs target-specific details from the operator. If you still have unpatched RDP exposed to the internet, that's no longer a theoretical risk.
** THE HAPPY CORNER
Who knew a cat could launch (https://twitter.com/n0rm/status/1169901032102457348) its own DDoS attack? When it’s got an internet-connected cat flap — that’s when.
And if you need some password advice, here it is (https://twitter.com/catesish/status/1169347831670497280) . Curious to hear what people think of this. Instead of passphrases, this system involves using the first letter of each word in a phrase, which makes the password easy to recall but also much shorter than the phrase it came from. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) .
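To put a number on that trade-off, here is an added example (my code, not from the tweet or this newsletter) that derives the first-letter password from a sentence and compares a generous brute-force upper bound for it against a passphrase with the same number of words picked at random from a Diceware-style list. The 7776-word list size is an assumption for the baseline; the bound treats every character as if it were uniformly random, which an acronym of a meaningful sentence is not, so the real gap is larger than the numbers show.

```python
import math

# Assumption (not from the newsletter): the comparison baseline is a passphrase
# drawn uniformly from a Diceware-style list of 7776 words (log2(7776) ~ 12.9 bits/word).
DICEWARE_WORDS = 7776


def acronym_password(phrase: str) -> str:
    """Turn a memorable sentence into a password from the first letter of each word.

    Tokens are split on whitespace; leading quotes and punctuation are skipped, so
    '"Hello," she said' -> 'Hss'. Case and digits are preserved, since they are
    what gives this scheme most of its character variety.
    """
    chars = []
    for token in phrase.split():
        for ch in token:
            if ch.isalnum():        # first letter or digit of the word
                chars.append(ch)
                break               # tokens made only of punctuation contribute nothing
    return "".join(chars)


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing cost: length * log2(size of the character classes present).

    This is the most generous estimate an attacker will ever grant you. Against
    acronyms of meaningful English sentences a real cracker does much better,
    because the first letters of words are heavily skewed towards a few letters.
    """
    if not password:
        return 0.0
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33                  # printable ASCII symbols
    return len(password) * math.log2(size)


def passphrase_bits(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n words chosen uniformly at random from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def compare(phrase: str) -> dict:
    """Same sentence two ways: as a first-letter acronym, and as a random passphrase
    with as many words as the acronym has characters. Returns rounded bit estimates."""
    pw = acronym_password(phrase)
    return {
        "acronym": pw,
        "acronym_max_bits": round(brute_force_bits(pw), 1),
        "random_passphrase_bits": round(passphrase_bits(len(pw)), 1),
    }


if __name__ == "__main__":
    print(compare("Correct horse battery staple makes 4 good passwords"))
```

For the eight-word sentence in the example the acronym is "Chbsm4gp": at most about 47.6 bits even under the flattering uniform assumption, against roughly 103.4 bits for eight genuinely random Diceware words. The scheme buys memorability by throwing away most of the phrase, so it needs a long sentence and a password manager is still the better answer for anything that matters.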
** THIS WEEK’S CYBER CATS
Meet Mahi (left) and Sharky (right), brothers and fosters who are up for adoption. Will red team for tuna and treats. A big thank you to Andrew Gardner (https://twitter.com/AndrewKGardner) for the submission. (You may need to enable images in this email.) Feel free to keep sending in your cybercats. Submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) !
** SUGGESTION BOX
That's it for now. Thanks for reading. As usual, feel free to drop any feedback in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . See you soon, and have a great rest of your weekend.