~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 8


U.S. blames Russia's GRU for sweeping cyberattacks in Georgia
Wired ($): Last year Georgia (the country, not the state) was left reeling after a number of cyberattacks defaced websites and attacked television stations. Now the U.S. and its allies are blaming Russia's GRU unit. The State Dept. specifically blamed a sub-unit of the GRU, also known as Sandworm, which was also to blame for the shutdown of the Ukrainian power grid in December 2015 and NotPetya in 2017. @a_greenberg wrote a tweet thread explaining the developments. Handy, since he literally wrote the book on Sandworm.
More: Gov.UK | Cyberscoop | Archive: BBC

Nasty Android malware reinfects its targets, and no one knows how
Ars Technica: Here's a tricky one: how does this nasty Android malware reinfect its targets and maintain persistence even after the device is wiped clean? It's anybody's guess. This rootkit-like capability has researchers stumped. Malwarebytes found the backdoor malware, and called it xHelper. It's been installed on tens of thousands of devices.
More: Malwarebytes

How big companies buy credit card data on millions of Americans
Motherboard: From the slightly scary department: Yodlee, a major U.S. financial data broker, claims it sells anonymous credit card data on Americans. But really, it's not anonymous at all, according to @ncweaver. A leaked document shows that this data broker is selling vast amounts of what we buy. "The data includes a unique identifier given to the bank or credit card holder who made the purchase; the amount spent for the transaction; the date of the sale; the city, state, and zip code of the business the person bought from, and other pieces of metadata."
More: @josephfcox tweets

A ‘stalkerware’ app leaked phone data from thousands of victims
TechCrunch: The stalkerware app KidsGuard has been installed on thousands of victims' phones without their knowledge or consent. For quite some time it also had an unprotected backend storage server, exposed to the internet without a password, which put its victims at additional risk. The spyware siphoned off a victim's entire phone data to the cloud, where it was downloadable by anyone with an internet connection. (Disclosure: I wrote this story.)
More: TechCrunch | @cooperq | @evacide

Pay up, or we'll make Google ban your ads
Krebs on Security: Here's a novel tactic: threatening to flood a publisher's ads with junk traffic so that the publisher gets kicked off the ad platform unless they pay up in bitcoin. Brian Krebs has seen emails sent to publishers demanding $5,000 in bitcoin to stave off the attacks. It's no surprise it's got some publishers worried: Google is pretty aggressive with its ban hammer. Google said it has "extensive tools and processes" to protect against invalid traffic. But does that protect the publisher?
More: @briankrebs | @craigsilverman

Bluetooth-related flaws threaten dozens of medical devices
Wired ($): Hundreds of devices have Bluetooth flaws that can be exploited with relative ease. The bugs, collectively called "SweynTooth," exist in the Bluetooth Low Energy software development kits used in a variety of devices. The bugs can be exploited within radio range, and can be used to crash devices, disable their Bluetooth connections, and even take them over. Of the affected devices, medical equipment and implants, like pacemakers and blood glucose monitors, appear to be the worst hit.
More: @lilyhnewman | Asset Group | ZDNet

Rudy Giuliani's Twitter typos are a security fail
CNET: When Rudy Giuliani tweets, his frequent typos are a target for hackers, who register the inadvertent domains he creates by omitting the space between a sentence's final period and the next word. Knowing those domains light up as links on Twitter to Giuliani's 655,000 followers, hackers have been using them to spread malware. Just a friendly reminder that Giuliani is the Trump administration's "cybersecurity czar."
More: @walldo
~ ~


A fraud case in Charleston, S.C., shines light on web’s dark corners
Wall Street Journal ($): Here's an interesting one: Micfo and its founder have pleaded not guilty to wire fraud for allegedly obtaining 800,000 IPv4 addresses by deception, which would've been difficult otherwise, since there are basically none left. The company then allegedly leased them on to its clients, which were largely VPN providers, and many of the addresses were used for sending and receiving illicit content. It's an interesting story, and very well told by newsletter regular @dnvolz as well as @ByronTau.

Trump also pardoned an ex-software maker turned hacker
The Register: On the list of those pardoned by the president this week was former Symplicity CEO Ariel Friedler, who years ago confessed to the FBI to hacking his competitors' systems to steal their contacts databases and snoop on their software features to gain a competitive advantage. Friedler admitted guilt and was jailed for two months. This might, just might, open the door to future hacker pardons. Or at the very least, the precedent is there.

Dmitri Alperovitch to leave CrowdStrike
Twitter: @DAlperovitch is out at CrowdStrike, he announced this week. A co-founder and the company's chief technology officer, he saw CrowdStrike go public last year at a multi-billion dollar valuation. He's leaving to "launch a non-partisan, non-profit policy accelerator," he tweeted. @MichaelSentonas will replace him, per a press release.
~ ~

A big thank you to everyone who reads and supports this newsletter! Subscribers continue to go up (great!) but as do the monthly costs. Please spare $1/month (or more for exclusive perks like stickers and mugs) to help maintain the upkeep of this newsletter. You can contribute to the Patreon here!
~ ~


US natural gas operator shuts down for two days after ransomware attack
A lot of hubbub this week after a natural gas operator shut down for two days after it was hit by ransomware. Initial access came from a phishing email, and the ransomware spread from the business network into the operator's operational technology (OT) network, which controls the facility's physical processes. CISA revealed the incident, but details about where or what was affected remain largely unknown. ICS security experts Dragos said the attack was not "specifically targeted" at ICS operations. In other words, poor security hygiene and a lack of segmentation between the IT and OT networks were really to blame.

The spooky, loosely regulated world of online therapy
Mental health is super important and I'd recommend it to anyone. But what about those therapy apps? Predictably, although the conversations between a therapist and a user are encrypted, the apps are tracking users and sharing some data with third-party services, including social media networks. Merely the fact that these apps tell Snapchat and Pinterest that a user is signing up for therapy still feels extremely unnecessary.

Researchers can trick a Tesla into accelerating by 50 miles per hour
This report from MIT Technology Review ($) is fascinating: researchers stuck a small strip of tape on a speed limit sign to fool the camera that feeds Tesla's automatic cruise control, enough to make the car read a 35mph sign as 85mph and speed up far beyond the limit.

Brexit means no more EU data protections
Once the Brexit transition clock ticks down to zero at the end of the year, U.K. nationals will no longer be covered by the EU's GDPR protections. Google said this week it'll move British users' accounts out of the EU and under U.S. jurisdiction, where protections are far, far weaker. Google denied that it'll change how it processes users' data. But now all eyes are on the U.K., which will have to figure out what data protection rules it wants going forward.

Dell sells RSA to a private equity firm for $2.1 billion
Dell has sold its RSA division, including the RSA Conference, to a private equity firm for just over $2 billion, less than five years after it paid $67 billion for RSA's parent company, EMC. RSA's conference had a tough week: AT&T dropped out, as did Verizon. IBM also pulled out of the annual security show.
~ ~


An oldie but a goodie from @ryanaraine, looking back at a post he wrote back in January 2007. Pretty nice to look back with some hacker nostalgia. No major spoiler here: "So awesome to see them all still around, doing work moving the needle," Naraine tweeted. (And credit to Naraine, who remains one of the smartest security folks out there today.)

And @josephfcox says what everyone feels when we get back a less-than-useful FOIA response.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


A rare two-for-one cybercats special this week. Meet Diane and Cooper, whose human Ilya Sachkov named after the Twin Peaks characters, Agent Cooper and Diane Evans. They're not sleeping, they're just resting their eyes after a hard day hacking. Thanks for the submission!
Please keep sending in your cybercats! You can send them here.
~ ~


That's all for this week — thanks for reading! Please feel free to drop a dollar (or more) in the newsletter's Patreon — and keep the feedback coming in! I love to hear from you. You can always drop me a note in the suggestion box. See you next Sunday.
