~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 41

~ ~


U.S. considers probe of Musk's Twitter deal fearing national security
Washington Post ($): So, that happened. Elon Musk bought Twitter after months of back and forth and several attempts to get out of it. About half of its staff were laid off, and the remaining staff pushed out account verification to anyone who wants it (remember, it was a court case that spurred identity verification on Twitter in the first place). Several problems: the ability for anyone to get verified just by signing up for the premium features wasn't built in time for its hasty weekend release, and cybercriminals are already capitalizing on the uncertainty and confusion by incorporating non-identity-verified accounts into their phishing campaigns. Within hours of the news breaking that verification would be open to all, several phishing campaigns targeting Twitter users were already underway. (Disclosure: I wrote one of these stories.) Plus, according to the Washington Post ($), the U.S. is considering a review of the deal and is investigating whether it even has the authority to conduct one, given that the amount of foreign investment Musk took on (including from the Saudis and Qataris) could concern U.S. national security.
More: TechCrunch | Bleeping Computer | @NicoleSganga | @zackwhittaker

NSA watchdog says one analyst's surveillance project went 'too far'
Bloomberg ($): The NSA's inspector general found that an "experienced" analyst working at the U.S. spy agency broke the rules and likely the law, according to a heavily redacted 2016 report that just became public after a lengthy FOIA battle. Details of the project aren't known, but the program was centered on SIGDEV, or the ability to find and improve intelligence gathering, like eavesdropping, which may have scooped up Americans' communications (which is illegal under U.S. law, even if it's often violated). The project was concerning enough for two whistleblowers to come forward internally. For those asking what's new in all this: even in a post-Snowden agency, new surveillance abuses are still being discovered today. @JasonLeopold explains more in his thread.
More: @dnvolz | @jeffstone500

Crime group hijacks hundreds of U.S. news websites to push malware
TechCrunch: Proofpoint dropped some light details of a mass media compromise in a tweet thread on Wednesday. My TechCrunch colleague @carlypage_ spoke with Proofpoint to learn more. An initial access broker, aka TA569, hacked an unnamed media content provider to deploy malware on hundreds of U.S. news outlet websites; the idea is to trick visitors into installing a fake browser update that eventually delivers malware, usually ransomware (given the links to WastedLocker). It's a spray-and-pay tactic using the media supply chain to target individuals, rather than the highly targeted efforts of some ransomware gangs, which use zero-days and other vulnerabilities to break in. But clearly, it's having some effect.
More: Bleeping Computer | @gossithedog | @likethecoins
Proofpoint tweet: "Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company."
States look to secure U.S. election 'weak points' ahead of midterms
NBC News: With just days to go before the U.S. midterms, and Twitter a free-for-all on verified accounts, there's concern (like always!) that bad actors will use this time for election interference. NBC News looks at some of the pressing issues ahead of election day, like election reporting websites — an easy target for cybercriminals' simple cyberattacks — that could sow discord and confusion about the vote count. NBC also says more than 100 state and local jurisdictions are still seeking help from the federal government to ensure that their election-related systems are secure, even if an attack by foreign hackers is practically impossible given most election infrastructure is offline. The federal "bandwidth issue" just goes to show this area needs more funding and resources (you know, so we can keep that wonderful place we call home!). Also, as a bonus, @CISAJen was interviewed by CBS News last Sunday; the transcript is worth the read if you want a tl;dr of where we are in terms of election security today.
More: NBC News | CBS News | @ericgeller | @kevincollier

FTC takes action against Chegg for several data breaches
Federal Trade Commission: The cogs of government turn slowly, but the FTC seems to be chugging along — dare I say it, even gaining pace as the quartet of commissioners ramp up their enforcement action against companies doing, well, bad things. The latest is book rental and online learning giant Chegg, which has had four security breaches since 2017, per the FTC this week, the result of "careless" security practices that exposed 40 million users' personal information, including sexual orientation and religion. The complaint [PDF] is eye-watering. It's the latest action by the regulator this year specifically over data security issues, following Drizly, Vonage, and a U.S. data company that exposed millions of Americans' mortgage and financial files.
More: New York Times ($) | @natashanyt | @frankcatalano
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Dropbox phishing attack exposed some GitHub-stored code
Dropbox: Cloud giant Dropbox confirmed a data breach this week affecting its development environment. Dropbox said in a post-mortem that no customer data, content, passwords or payment info was taken. While limited in nature and contained, the disclosure explains what went wrong and why. (Yes, even in this day and age that's rare; credit where it's due.) It seems similar in nature to LastPass' breach earlier this year, and in terms of disclosure — detailed and transparent. Remember, it's not that companies get breached. It's how they handle the aftermath that matters... Uber, DoorDash, Mailchimp, Okta, Samsung — oh, there are just so many.

How two-factor works in Antarctica
Brr: If you've ever wondered how two-factor works in one of the most remote, networkless places on earth, wonder no longer, as this blog explains how. The challenge is real: there are lots of different types of two-factor, all supported by different sites, and that can be difficult when you absolutely have to rely on near non-existent cell service. Fascinating.

Fizz threatened to sue student security researchers after finding bugs
The Stanford Daily: Fizz (previously Buzz), a Stanford startup that bills itself as an "anonymous" social network, was riddled with security bugs that allowed three security researchers, who are Stanford University students, to deanonymize users' posts. The trio responsibly disclosed the bugs to the app's founders Ashton Cofer and Ted Solomon, who then threatened to sue them if the researchers disclosed the bugs. The EFF defended the team pro bono, and they went forward and published their findings — and the lawyers' letter (brilliant!). More from @Riana_Crypto in the tweets.
R. Miles McCain tweet: "Last year [we] discovered serious vulnerabilities in Fizz, an "anonymous" social app built by our classmates. We responsibly disclosed the issues to the founders… and they responded with legal threats. @EFF had our backs and we didn't give in."
The most vulnerable place on the planet
Wired ($): From one extreme environment to the next... It's no secret that the internet is just a series of tubes — well, specifically undersea cables — that connect the world together. (If that just blew your mind, check out the submarine cable map.) But cables are vulnerable to a raft of issues. Fishing trawlers, earthquakes, and terrorism all damage cables, and sometimes for weeks at a time, like Tonga and Liberia, which have only one cable each — and Egypt, which features in this Wired story.

Greece's spyware scandal deepens
Politico EU: Greece's ongoing spyware scandal got worse over the past week, as now 33 people are thought to have had their phones tapped by the Cytrox-developed Predator spyware, likely at the behest of the Greek government. That includes several members of the Greek cabinet, opposition lawmakers, and journalists. "It is unthinkable and dangerous to suggest that the prime minister was tapping the foreign minister," an official close to the foreign minister said. Absolutely wild.
~ ~


Australian military 'social network' compromised: In our latest "WTF is going on in Australia" update: a ransomware attack on an Australian defense contractor exposed the communications between military personnel, according to The Guardian ($). A data set of 40,000 records from ForceNet, described as an internal social media platform, may have been taken.

Vitali Kremez has passed: The Record pays tribute to Vitali Kremez, aka @VK_Intel, who died this week while scuba diving off the Florida coast, according to the U.S. Coast Guard. Kremez was widely known and respected for his malware reverse engineering and intelligence analysis.

Anxiously awaited OpenSSL bug downgraded: The OpenSSL Project announced OpenSSL 3.0.7 this week (via SecurityWeek) with a fix for a previously "critical" security flaw, which the project's developers downgraded to "high." The bug could create a denial-of-service condition, or in some cases, remote code execution on an affected client. @pwnallthethings has a good tweet thread explaining more, while @MalwareTechBlog deep-dives in a blog post.

U.K. scans IP space for vulnerabilities: Did you know that the U.K. National Cyber Security Centre scans the U.K. internet space for known serious vulnerabilities? Well, now you do. The idea is to help alert network defenders to vulnerabilities by determining whether internet-facing systems are at risk from known flaws. The U.K. isn't the only government to do this; still, the NCSC's blog post has more if you're interested.
~ ~


This week, Cyberscoop looks at how spy-cy memelord @NSA_CSDirector is spreading the cybersecurity awareness message through the medium of dance memes. Sure, it's funny, but it might just work. (via SuzanneMSmalley.)
A collage of different memes tweeted out by NSA cybersecurity director Rob Joyce.
Thanks to @Eliyahu_Tal_ for building and sharing a long list of cybersecurity conferences, from the giants to the smaller cons, in a handy, updating GitHub post.

And, finally. Insider reports that Facebook has a little-known feature that lets you check if your email address or phone number has been uploaded by someone to the social network, delete it, and then block it from being uploaded again. That's because Facebook lets users upload their phone contacts, and many don't realize that this means uploading other people's information without their consent. Here is the Facebook tool, for users and non-users.
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat is Tippi, who as you can see is demonstrating the most effective way of blocking attackers from getting physical console access... I wonder how effective Tippi is against a treat bypass attack? Many thanks to Grant L. for sending in!
Tippi, a black cat sitting on a laptop keyboard and looking at the camera.
Send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Submitted before? Send me an update!
~ ~


What a week. And this coming week will be... interesting. Don't forget to vote (if you are in the U.S. and able to!). In the meantime, feel free to drop any feedback in the suggestion box or send me an email.

As always, hit those social buttons below to share this week's newsletter. Otherwise, have a great week and see you next. I'm off to get some brunch... 
