~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 30


A data breach exposed over a million DNA profiles on Gedmatch
BuzzFeed News: Genealogy site Gedmatch confirmed a data breach that exposed more than 1.45 million DNA profiles. The site became famous after police used Gedmatch to catch the Golden State Killer without first warning the company. Afterwards, Gedmatch put in new controls to prevent cops from snooping on users' profiles without a warrant. But users last week found that their settings had suddenly changed to allow police access to their profiles. (A company spokesperson told me that no law enforcement requests for data were made during the incident.) Another alarm bell went off a day later, when Gedmatch-associated email addresses were used in a phishing attack on another genealogy site, MyHeritage. Gedmatch took a few days but eventually emailed its users to warn them of the incident.
More: TechCrunch | Gedmatch statement

Apple will start sending special devices to iPhone hackers
Motherboard: Apple's new iPhone security research device program will get special hacker-friendly devices into the hands of Apple's most trusted security researchers. What makes them special is that they're basically pre-jailbroken on the latest iOS version, so researchers can find bugs deeper in the operating system. Researchers get SSH access, a root shell, and more. Bugs found in the program, per the agreement, must be reported to Apple, but are still eligible for a bug bounty payout. Those terms irked Google's elite bug-finding unit, Project Zero, which said it won't sign up to the program because of the strict vulnerability disclosure process.
More: ZDNet | Apple

U.S. charges two Chinese spies for a global hacking campaign that targeted COVID-19 research
TechCrunch: Two Chinese hackers were indicted this week for allegedly breaking into a ton of U.S. and European companies over the past decade as part of a massive cybercrime spree. The hackers, allegedly working for China's state intelligence, stole terabytes of data from victim companies, including defense contractors in the U.S. The hackers even allegedly stole code from a number of video game companies, and tried to steal COVID-19 vaccine research. U.S. prosecutors claimed China used the hackers to "rob, replicate and replace" non-Chinese companies. (Disclosure: I wrote this story.)
More: Motherboard | Indictment (DocumentCloud)

Garmin global outage caused by WastedLocker ransomware
Bleeping Computer: Garmin was hit by a days-long outage (and still going at the time of writing this newsletter) caused by a ransomware attack. (I've also confirmed this.) The entire company appears down, including its internal email systems and its consumer-facing internet services, meaning fitness tracking isn't being logged or recorded. The WastedLocker ransomware, operated by the Russian hacking group Evil Corp, is to blame, per sources. The group was sanctioned by the U.S. Treasury last year after its alleged founder was indicted by U.S. prosecutors. That makes paying the ransom (if Garmin chooses to) legally fraught: transacting with a sanctioned entity can itself violate U.S. sanctions law. Let's hope Garmin has backups.
More: ZDNet | @zackwhittaker

NSO Group pitched its spyware to the Secret Service
Motherboard: Emails obtained by @josephfcox show that the U.S. arm of Israeli spyware outfit NSO Group, known as Westbridge, pitched the Secret Service its phone-hacking technology as recently as 2018. Westbridge's phone hacking tech is the same as NSO's Pegasus (albeit renamed "Phantom") and, according to a brochure, can extract messages from a victim's phone and intercept voice calls.
More: @josephfcox tweets | @razhael

Universities lose data in Blackbaud ransomware attack
BBC News: At least a dozen universities in the U.K. and several U.S. institutions that are customers of education admin software Blackbaud have lost data after a data breach in May. BBC reports that the company paid an undisclosed ransom, a move that law enforcement strongly recommends against. Blackbaud is now facing regulators after it allegedly failed to disclose the breach until July. GDPR gives companies 72 hours from becoming aware of a breach to notify their supervisory authority.
More: BBC News | Blackbaud

Over 1,000 people at Twitter had tools to modify accounts
Reuters: About one in four staff at Twitter, as well as some third-party contractors, had access to the internal tools that hackers last week used to hijack user account settings, according to Reuters. Both Twitter and the FBI are continuing to investigate the account breaches, in which hackers broke into Twitter's network and used those same tools to hijack accounts and spread a cryptocurrency scam. Coinbase, which had its Twitter account hacked in the incident, quickly jumped in to block over 1,000 would-be transactions to the scammer's cryptocurrency wallet.
More: BBC News
~ ~

A big thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. Contribute to the Patreon here!
~ ~


Reuters reporter explains how to spot a deepfake
@razhael: This is a great thread by Reuters journalist @razhael, who last week wrote about a "student activist" who didn't actually exist. In this tweet thread, Raphael Satter explains how to spot a deepfake using a number of tips he's picked up over the course of his reporting. 

Twilio confirms hacker added code to its SDK after bucket break-in
The Register: A hacker was blamed for sneaking code into one of Twilio's customer-facing SDKs after the company left one of its Amazon S3 cloud storage buckets open by mistake. An open bucket that strangers can write to, not just read from, lets anyone replace the files it hosts, and every app that pulls the SDK from there picks up the tampered copy. Twilio said it was "non-malicious code" (which is up for interpretation) but that it was quickly pulled down.
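The check a practitioner would want after reading that: does any of my buckets grant read or, worse, write access to "everyone"? The script below is an added example, not Twilio's code or Amazon's tooling. It parses the JSON shape that `aws s3api get-bucket-acl` returns and flags grants to the two AWS "everyone" groups; the three ACL documents in it are constructed for illustration and do not describe any real bucket.

```python
"""Audit S3 bucket ACLs for public grants.

Added example (not Twilio's code): parses the JSON that
`aws s3api get-bucket-acl --bucket NAME` returns and flags grants to
the AWS "everyone" groups. The ACL documents below are constructed to
show the shape of the output; they are not from any real bucket.
"""
import json

# Canned group URIs AWS uses for anonymous and any-signed-in-AWS-user access.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Permissions that let a stranger change bucket contents or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return (grantee_label, permission) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        label = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if label:
            findings.append((label, grant.get("Permission")))
    return findings


def classify(acl):
    """'public-write' if anyone can alter contents, 'public-read' if only read, else 'private'.

    Public write is the supply-chain case: an attacker can overwrite a hosted
    SDK and every consumer loading it from the bucket gets the tampered copy.
    Caveat: this inspects only the ACL; a bucket policy can also grant public
    access and has to be checked separately (get-bucket-policy).
    """
    perms = {perm for _, perm in public_grants(acl)}
    if perms & WRITE_LIKE:
        return "public-write"
    if perms:
        return "public-read"
    return "private"


def classify_json(text):
    """Same as classify(), but takes the raw JSON string from the CLI."""
    return classify(json.loads(text))


def audit(acls):
    """Map bucket name -> classification for a dict of ACL documents."""
    return {name: classify(acl) for name, acl in acls.items()}


OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}  # constructed owner ID
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}

# Constructed sample ACLs in the get-bucket-acl output format.
SAMPLE_ACLS = {
    "private-bucket": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    },
    "static-site": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": ALL_USERS, "Permission": "READ"},
        ],
    },
    "sdk-cdn-misconfigured": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": ALL_USERS, "Permission": "READ"},
            {"Grantee": ALL_USERS, "Permission": "WRITE"},  # the dangerous grant
        ],
    },
}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ACLS).items():
        print(f"{name}: {verdict}")
```

Run it against real output by piping `aws s3api get-bucket-acl --bucket NAME` into `classify_json`; anything classified "public-write" should be fixed before worrying about what may already have been modified.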

Slack credentials abundant on cybercrime markets
ZDNet: The hacker who targeted Twitter allegedly gained access to its internal tools using exposed Slack credentials. As it turns out, there are thousands of Slack credentials all over the dark web. But hackers apparently aren't too keen on using them, possibly because Slack is a standalone product and doesn't easily open any doors to a company's internal network. Creds associated with Google and Microsoft, on the other hand, could.

Hundreds of thousands of Instacart customers' personal data is being sold online
BuzzFeed News: More than 270,000 partial Instacart user records, including names, addresses, and the last four digits of payment cards, are for sale on a dark web marketplace. In an email to customers, Instacart blamed credential stuffing — and its users — for reusing the same passwords on different sites. Maybe if Instacart gave its users the ability to use two-factor authentication, neither Instacart nor its customers would be in this mess? Food for thought.
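Credential stuffing has a recognizable shape in authentication logs even when the passwords tried are correct: one source hammering many different usernames, most of them failing. The detection below is an added example and not Instacart's code; the log line format and the twelve sample lines are constructed for illustration, and the thresholds are assumptions to tune against real traffic.

```python
"""Flag credential-stuffing behaviour in authentication logs.

Added example, not Instacart's code. The log format and the sample lines
are constructed. Heuristic: a single source IP trying many distinct
usernames with a high failure rate is the signature of an automated
list replay, as opposed to one person mistyping their own password.
"""
import re
from collections import defaultdict

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one legitimate user fumbling, one stuffing attacker, one clean login.
SAMPLE_LOG = """\
2020-07-20T10:00:01Z login user=alice@example.com ip=198.51.100.7 result=fail
2020-07-20T10:00:09Z login user=alice@example.com ip=198.51.100.7 result=fail
2020-07-20T10:00:15Z login user=alice@example.com ip=198.51.100.7 result=ok
2020-07-20T10:01:00Z login user=bob@example.com ip=203.0.113.5 result=fail
2020-07-20T10:01:00Z login user=carol@example.com ip=203.0.113.5 result=fail
2020-07-20T10:01:01Z login user=dave@example.com ip=203.0.113.5 result=ok
2020-07-20T10:01:01Z login user=erin@example.com ip=203.0.113.5 result=fail
2020-07-20T10:01:02Z login user=frank@example.com ip=203.0.113.5 result=fail
2020-07-20T10:01:02Z login user=grace@example.com ip=203.0.113.5 result=fail
2020-07-20T10:01:03Z login user=heidi@example.com ip=203.0.113.5 result=ok
2020-07-20T10:01:03Z login user=ivan@example.com ip=203.0.113.5 result=fail
2020-07-20T10:02:30Z login user=judy@example.com ip=192.0.2.44 result=ok
"""


def parse(log_text):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def per_ip_stats(events):
    """Aggregate attempts, failures, distinct users and successful users per source IP."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "ok_users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok_users"].add(e["user"])
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: sorted accounts that logged in OK} for IPs that look like stuffing.

    The accounts that succeeded from a flagged IP are the ones whose reused
    password was valid: those are the accounts to force a reset on (and to
    push onto 2FA, which stops this even when the password is right).
    Caveat: attackers spread a list across many IPs, so a per-IP rule needs
    to be paired with a per-account or global failure-rate view.
    """
    flagged = {}
    for ip, s in per_ip_stats(parse(log_text)).items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["ok_users"])
    return flagged


if __name__ == "__main__":
    for ip, compromised in flag_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; valid credentials found for {compromised}")
```

On the sample, only 203.0.113.5 is flagged (eight usernames, six failures), and the two accounts that succeeded from it are exactly the ones the owner of such a service should treat as compromised.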

Researcher drops Tor zero-day after frustrations over efforts to fix
Hacker Factor: Here's a frustrating read for any seasoned security researcher. One bug finder spent three years trying to get a bug fixed before eventually giving up. In some cases reporting bugs is so difficult and arduous that researchers are pushed to public disclosure. Lower the bar to report issues, folks (especially Tor, which people rely on) — you'll be thankful when you're not scrambling to fix a zero-day.
~ ~


Major security flaws found in South Korea quarantine app
From The New York Times ($), security flaws in the country's coronavirus quarantine app have now been fixed, but could have exposed the private details of people in lockdown. The bugs could also have allowed tampering with data, the report says. An official at South Korea's Interior Ministry admitted that the government "could not afford a time-consuming security check on the app that would delay its deployment." A refreshingly honest statement, if also an incredibly rage-inducing one.

U.S. House votes to ban TikTok on federal devices
As part of the House's $741 billion defense policy bill, lawmakers have moved to ban TikTok from U.S. federal devices amid national security concerns about the app. TikTok has long said it has not handed, and would never hand, data to Chinese authorities, but that hasn't quelled U.S. fears that it could one day.

How to survive a ransomware attack without paying the ransom
This is a really good read by @williamturton about how Norsk Hydro, an aluminum manufacturer hit by a massive ransomware attack last year, recovered without paying the ransom. IT staff used Post-it notes and fax machines to get the company back on its feet. This is probably the best insider account of how Norsk Hydro got back to business without paying the hackers a penny.
~ ~


That's the news over with. Now, onto some happy things.

NBC's new streaming service Peacock launched this week, with a brand new privacy policy and terms and conditions. Nothing new or exciting in there — except, the lawyers slipped in a cake recipe without telling anyone. Seriously! (I'm going to try to make it later today and will report back.)
And, if you want a blast from the past and want to recreate the in-person hacker summer camp feel, take a look at some of the best historical Black Hat and Def Con talks, most of which are available to stream.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This is Lewis, this week's cyber cat, who's keeping his eyes open for hackers. Good boy, Lewis, we're proud of you. Big thanks to @colincampbell for the submission!
Please keep sending in your cyber cats! They will always be featured — first come, first served! Email them in here
~ ~


And we're out! Thanks for reading. As always, if you have any feedback, please drop it in the suggestion box. Have a good week, and hope to see you again Sunday. 
