~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 36
View this email in your browser

~ ~


Recode: If you're one of the millions of people who has taken a COVID-19 test at Walgreens, your information is likely at risk. A vulnerability in Walgreen's website exposed names, dates of birth, phone numbers, addresses and more, because Walgreen's doesn't authenticate users properly. With just an order ID number, anyone can access someone else's test results. What makes this even worse is the sheer number of trackers on the site that could be ingesting patient data. And then the kicker: "Walgreens did not fix the issues before the extended deadline Recode provided to the company, nor would it tell Recode if it planned to do so." Actually, Recode gave the company time to fix the bug and it didn't. I verified the bug myself, and it still works. @thezedwards explains more on the technicals.
More: @saramorrison | @profcarroll
A screenshot of the author's own exposed COVID-19 test data, but with redactions.
Apple patches an NSO zero-day flaw, users should update
Citizen Lab: New findings from Citizen Lab show an NSO exploit used earlier this year against a Bahraini activist actually works on all Apple devices (iPhones, iPads, Watches and Macs), and not just older versions of iOS 14. Remember, Apple gave no indication that it was patching the vulnerability at first, instead it suggested better fixes would land in iOS 15. but Citizen Lab obtained the full attack chain, passed details to Apple, which then fixed the flaw to everyone's surprise. The exploit, which is used to deliver the Pegasus spyware, effectively triggers a bug in how Apple devices handle PDFs (masquerading as GIF files). @billmarczak explains more in this tweet thread. The latest findings prompted a response from the United Nations, calling on a pause on the spyware industry to allow states to work on export and control regimes. Looking at you, Israel! Anyone curious if they were hacked by Pegasus, you can use the MVT tool and run this grep command on the CSV that the tool spits out.
More: TechCrunch | NBC News | Motherboard

Update Chrome now as hackers attack two major flaws
Forbes: Speaking of updating your things, add Chrome to your list if you haven't already. Two "high"-rated security zero-day flaws were fixed this week. The updates will roll out over "the coming days/weeks." Per @ryannaraine, there have been 7 Chrome zero-days this year, compared to 4 Android zero-days, 15 Apple zero-days, and 20 for Microsoft.
More: Chrome Blog | The Record

Ex-U.S. intel operatives admit hacking American networks for UAE
Reuters ($): A lot to unpack here. Three former NSA operatives, one of which now serves as ExpressVPN's CIO, have admitted to violating U.S. hacking laws under a deal to avoid prosecution. The three men were members of Project Raven, a clandestine team that helped the UAE spy on its enemies — including activists, human rights defenders, and Americans — through a domestic firm called DarkMatter. (For background, read The Intercept's story from 2016.) The three will avoid charges if they accept responsibility, repay money made from the operations, and never seek a U.S. national security clearance again. Suffice to say, the Justice Department seemed pissed. "Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide," said one U.S. attorney about the hackers-for-hire.
More: Daily Beast | @jsrailton tweets | @bradheath tweets

This U.S. company sold iPhone hacking tools to UAE spies
MIT Technology Review ($): Sticking with Project Raven for a minute. The court docs implicating the three former NSA operatives also revealed that an unnamed U.S. company sold zero-day exploits to the UAE. Turns out that was Accuvant, a prolific Denver-based firm that specialized in iOS exploits, per excellent reporting by @HowellONeill. Accuvant is now part of Optiv, which isn't subject to the DOJ investigation. It comes in the same week that @iblametom reports on another U.S. company, Exodus Intelligence (known as Moses to Kaspersky) believes the Indian government (or a contractor) handpicked a Windows exploit from the company's feed (akin to "a Facebook news feed of software vulnerabilities, sans exploits") to target computers at government and telecom entities in China and Pakistan. That was ultimately "beyond the pale" for Exodus — even though it didn't limit what its customers could do. Read to the end to discover what the FBI is trying to pull off with doorbell cameras...
More: Forbes | @lorenzofb
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


An inside look at the spy tech that followed kids home for remote learning — and won't leave
The 74 Million: Here's a great (but chilling) read on the kinds of surveillance that kids in school are subject to. It's no secret that schools monitor the devices they give out to kids for harmful content, but the effect it's having on those kids is telling. One company alone subjects millions of children to constant surveillance, including after classes.

Former AWS executive Charlie Bell to head new Microsoft cyber org
ZDNet: AWS bigwig Charlie Bell is heading to Microsoft to head up a new engineering organization that will oversee security, compliance, identity and management. Bell will report to CEO Satya Nadella, "once a resolution is reached with his former employer." (Yep, that's non-competes for you.) In a post on LinkedIn, Bell described his desire to break down "digital medievalism," where companies and individuals focus only on their own "castles."

Customer care giant TTEC hit by ransomware
Krebs on Security: Not a good week if you're a customer of Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon. TTEC, which helps companies manage customer support and sales online and over the phone, had a ransomware attack. It's looking like an attack by Ragnar Locker (or one masquerading as it), which steals files, encrypts them, and threatens to publish if the ransom isn't paid. This will be something to keep an eye on. The fallout could be considerable.

How U.S. police mine Google for your location and search history
The Guardian: @JMBooyah looks at geofence warrants and keyword warrants, two kinds of legal requests that allow police to ask Google to return information about who was at a particular location or searched for a keyword at a given time. But it turns out that these kinds of requests are so new that some lawyers don't know how to defend against them.
~ ~


ZDNet: Bad news if you're running a Linux VM in Azure. You may not be aware that you're vulnerable to a major flaw found in the management software silently installed by Microsoft on new virtual machines, which can be exploited "in an incredibly surprising and equally stupid way," per @dobes. Researchers at Wiz found the vulnerability in Microsoft's Open Management Infrastructure project that allows an unauthenticated attacker to gain root access if they send a single packet with the authorization removed. Yeah — that simple! As always, read @gossithedog on this, and more from MSRC. Microsoft fixed the vulnerabilities but there's no automatic patching mechanism, so users have to update manually.
An animated GIF explaining how the OMIGOD bug works in Azure.
Ransomware gang threatens to wipe decryption key if negotiator hired
Bleeping Computer: Ransomware groups are upping the ante again. From encrypting networks for ransom, then to stealing data and threatening to release it if the ransom isn't paid — now one ransomware group, Grief, says if you call in the negotiators (often a stalling tactic, they claim), the group will delete the victim's decryption key. Meanwhile, the U.S. is looking to target ransoms paid as cryptocurrency with sanctions, per the Wall Street Journal ($) to make it harder for ransomware groups to use digital currency to profit from such attacks. More on that next week, it's expected.

The FTC wants to rein in your health app's privacy problems
Gizmodo: The Federal Trade Commission is putting apps on notice: in a new policy statement, apps that collect health information must report breaches or unauthorized disclosure of health data or face fines of over $43,000 per violation per day if they don't. That also seems to apply to apps sharing personal data with third-parties that users didn't expressly agree to.

Google will extend Permission Auto-Reset feature to older Android versions
The Record: Google will extend its Permission Auto-Reset feature to older versions of Android. The feature will withdraw user permissions from apps that haven't been opened or used for a few months. The feature aims to prevent dormant apps no longer in active use from silently sending user data, and will extend to users running Android 6.0 (running API level 23) and later.
Permissions auto-reset if an Android app hasn't been used for a while.
How the Epik hack reveals every secret the far-right tried to hide
Daily Dot: Controversial web host Epik, home to many far-right sites like Gab and Parler, which were booted from mainstream web services, was hacked. After an initial denial, Epik CEO Rob Monster (yes, you read that correctly) emailed customers confirming an "apparent" data breach. Hacktivists associated with Anonymous took domain records, customer payment histories, domain purchases and transfers, passwords, credentials and employee mailboxes. The breach appears to date back to February. On top of that, (disclosure alert!) I reported this week that a security researcher warned Monster weeks before the hack of a severe vulnerability in Epik's website that allowed anyone to remotely run code directly on an internal Epik server without authentication, such as a company password. Monster told me that he ignored the message. "Do you answer all your LinkedIn spams?" he said. Well, actually...
~ ~


Just a couple of things this week. When the machines inevitably take over, they should probably do better than this poor Roomba.
A Roomba robot getting stuck on a square-patterned rug.
And, a totally normal Friday for @hacks4pancakes. The replies are amazing:
Lesley Carhart tweet: "Good morning, advice Twitter. I am in a complete Victorian ball gown and I need to take a customer video call in one hour, then return to wearing the Victorian ball gown promptly, afterwards."
Got some good news from the week? Get in touch:
~ ~


This week's cyber cat is Sage. Sure, she looks cute now, but she's already stolen your passwords and you don't even know how. A big thanks to @Lucky225 for the submission!
Please send in your cyber cats (or your other fluffy non-feline friends)! Send them in by email with their name and photo here!
~ ~


That's it for now! Thanks for reading. The suggestion box is always open or feel free to reach out directly at Be well, and see you next week.