~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 28


U.S. tech giants halt Hong Kong police help
Wall Street Journal ($): Google, Facebook, Microsoft, Twitter, and TikTok have all suspended processing government demands for user data from Hong Kong authorities, a week after the Beijing-imposed national security law went into effect. The law, among other things, gives Hong Kong police new powers to conduct warrantless searches of user data. But one noticeable outlier is Apple, which relies on China to build its phones and laptops. Apple said it was "assessing the new law." One might ask, what's to assess?
More: Fortune | TechCrunch

U.S. Cyber Command backs 'urgent' patch for F5 security flaw
Cyberscoop: Here's a major bug in widely used networking gear which, if you haven't patched your enterprise environment, you're probably already a victim, according to @CISAKrebs. A bug in F5 Networks' BIG-IP gear could result in a "complete system compromise," which also means a compromise of your network. Wired ($) called it a "five-alarm bug," indicating its severity.
More: Wired ($) | US-CERT | @CISAKrebs

Smartwatch hack could send fake pill reminders to patients
BBC News: Filed under "how a smartwatch could kill you" — seriously! One popular white-label smartwatch is designed to help elderly people and dementia patients, but the watch's back-end system was a hot mess and flawed in a number of ways. Worst case, anyone with access to the hardcoded token(!) in the source code and the API could send spoofed "take pills" alerts to the phone as many times as they wanted. The researchers got the bugs fixed amid fears that "an overdose could easily result."
More: Pen Test Partners
Police are buying access to hacked website data
Motherboard: In what's been described as an "end-run around the usual legal process," police are buying gobs of breached data — passwords, email addresses and more — to help investigative leads. The source of that data is SpyCloud, a company that claims it is "turning the criminals' data against them." SpyCloud claims the data can be used to "unmask specific criminals and their personas." Democratic senator Ron Wyden says he's planning to introduce a new law to make this kind of unwarranted access unlawful.
More: Motherboard

Microsoft seized domains used in COVID-19-themed cyberattacks
TechCrunch: A U.S. federal court has allowed Microsoft to seize and take over a number of malicious domains used in a large-scale business email compromise (BEC) attack targeting victims in dozens of countries. These BEC hacks are simple but effective — break into an email of someone important in a company and then send an email impersonating the email account owner to trick staff to reroute wire transfers or send along employee W-2 tax forms. It's a $1.7 billion business, according to the FBI. Microsoft took control of the domains and sinkholed them to collect information about the operation. (Disclosure: I wrote this story.
More: Microsoft | Complaint [PDF]

Police spied on protests using Twitter-owned startup Dataminr
The Intercept: Police used Dataminr, a startup owned and run by Twitter, which flags newsworthy tweets about current events, to snoop on protesters' tweets. Journalists use Dataminr all the time for spotting breaking news. But cops were also using the service, including the embattled Minneapolis Police Department, to track tweets from protests sparked in the wake of the death of George Floyd. Many of the tweets were flagged as "peaceful protests."
More: @matt_cagle
~ ~

A big thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. Contribute to the Patreon here!
~ ~


L.A. transport boss accused of hiding messages for controversial tracking program
Los Angeles Daily News: The general manager for L.A.'s transportation division is accused of using Signal, which has an option to auto-delete messages, while planning a controversial vehicle tracking program across the city, one that has Uber and the ACLU suing the city. The paper said the use of Signal, although secure, isn't compatible with the city's data retention and public records laws. It's a pretty interesting article and raises a lot of questions about public records — one that most folks don't think about.

Robocall ban stands, Supreme Court rules
Politico: The U.S. Supreme Court ruled this week that a ban on unsolicited robocalls to cell phones can stand, defeating political consultants and the debt collection industry who challenged the law. The Supreme Court said that the carveout that let debt collectors make unsolicited calls was unconstitutional, so the justices ripped that out of the law and kept the rest of the ban in place. Harsh, but fair.

The hidden trackers in your phone, explained
Recode: I know a ton of us know that our personal data gets sucked up by the apps on our phones and sent to advertisers, but do you really know how it works and what you can do to mitigate that massive data collection? Recode's @SaraMorrison has a great in-depth and detailed look at the hidden trackers in your phone and how those apps spy on you.

How to 'unc0ver' a zero-day in four hours or less
Google Project Zero: Within hours of the unc0ver jailbreak for iOS 13.5 dropping online, Google's elite hacking and security research unit pulled the vulnerability used to carry out the jailbreak apart. Within a few hours, the researchers reported it to Apple, which fixed it a few days later. This highly technical blog post details how the bug was found.

Signal's new PIN feature worries cybersecurity experts
Motherboard: Signal has a new PIN feature, which aims to help move Signal away from cellphone numbers as a means of contacting people. It also means that users can recover their contacts, settings, and conversations quicker. But cybersecurity experts say this is a bad move for privacy, and could potentially be used by police to extract data from Signal's servers. @lorenzoFB does a good job of dissecting the issue and what it means for users. Also check out Signal founder @moxie's tweets on the matter.
~ ~


Clearview AI bounces from Canada amid investigation
Controversial facial recognition startup Clearview AI is pulling out of Canada "in response" to an investigation launched by the Office of the Privacy Commissioner, which oversees the country's privacy legislation. The company had an existing contract with the Royal Canadian Mounted Police. But the Commissioner's investigation will continue on, as it looks into whether the company collected and used personal information without consent.

Dozens of experts and companies write open letter opposing anti-encryption bill
Over 75 global cybersecurity experts, civil society organizations, companies, and trade associations have signed on to an open letter against the new U.S. anti-encryption bill, the Lawful Access to Encrypted Data (LAED) Act, introduced a couple of weeks ago.

Another day, another Zoom security issue found
Zoom users on Windows 7 beware: a new, previously undiscovered bug that could allow a hacker to remotely take control of an affected computer. Details of the bug can be found here. Update your Zoom app, as a fix is available.
~ ~


Some good news from the week:

The Electronic Frontier Foundation (congrats on your 30th birthday, by the way) has announced new members to its Coalition Against Stalkerware, a group of companies that are fighting the mobile spyware industry. "The coalition is especially excited about adding organizations in India and Uganda, because stalkerware is a global problem that requires global solutions beyond the countries and regions represented by the coalition’s founding organizations," writes @evacide.

Four years ago, @Tarah wrote Women In Tech, a book with stories and advice on how to grow your career. It also came with a ton of hidden puzzles and codes, which have finally been cracked. She explains more (and the answers!) in her latest blog post.

Riot Games, which makes League of Legends, buried an Easter Egg in its anti-cheat system in an effort to try to recruit hackers.
And finally, if you ever wanted to learn (or needed to check) an HTTP status code but also like cats, HTTP Cats is the site for you. Pretty sure 408: Request Timeout is my favorite.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Misty. According to her human, Misty is still new to her family but certainly uses social engineering techniques to maximum effect when she wants belly rubs or treats. You make us proud, Misty. A big thanks to @NoTheOtherNick for the submission!
Please keep sending in your cyber cats! We're low on supply! You can email them in here
~ ~


And that's a wrap. A big thanks as always for reading. Please keep any feedback you might have — you can drop it in the suggestion box. Have a happy and healthy week, folks. See you Sunday.

You can update your preferences or unsubscribe from this list.