~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 36

~ ~


Uber says Lapsus$ hackers to blame for breach; London police arrest suspect
Reuters ($): Uber provided more details about its uber-breach last week, which saw a hacker boast about vast, near-limitless access to its network. In an update, Uber said the hacker compromised an Uber contractor's account, which gave them a foothold on the company's network. Still no details about how the hacker got access to everything from there, though. Uber said the hacker was linked to Lapsus$, the crime group that previously broke into Microsoft, Samsung, T-Mobile, and others this year. Another victim came to light: Grand Theft Auto VI-maker Rockstar Games was hacked, with footage of the company's latest game leaked online. Uber said the two hacks were linked. In both cases, the hacker socially engineered employees into turning over access, including through MFA fatigue (aka MFA bombing), which relies on spamming MFA requests to a target's phone until they eventually accept. By the end of the week, London police charged a 17-year-old on suspicion of hacking — the same police force that nabbed (some of) Lapsus$ to begin with. But U.K. reporting restrictions mean U.K. journalists can't say much about them — for now.
More: Uber | The Verge | BBC News | TechCrunch | Reuters ($)
Whitney Champion tweet with a screenshot of Stewie from Family Guy with Lois on the bed with a laptop, saying "Accept accept accept it accept accept accept accept accept my MFA accept it" — as a joke, referencing MFA fatigue.
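MFA fatigue leaves a distinctive trail in the identity provider's logs: a burst of push prompts to one user, nearly all denied or timed out, sometimes ending in an approval. The detector below is an added example and not code from the newsletter, Uber, or any MFA vendor; the log format, user names and timestamps are constructed for the demo, and the thresholds (four prompts in ten minutes) are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of MFA push prompts (fake users and times, not any
# real vendor's log format): timestamp, user, factor, outcome.
SAMPLE_LOG = """\
2022-09-15T01:02:10Z alice push DENIED
2022-09-15T01:02:31Z alice push DENIED
2022-09-15T01:03:02Z alice push TIMEOUT
2022-09-15T01:03:40Z alice push DENIED
2022-09-15T01:04:15Z alice push DENIED
2022-09-15T01:05:01Z alice push APPROVED
2022-09-15T01:05:05Z bob push APPROVED
2022-09-15T09:10:00Z bob push DENIED
2022-09-15T09:30:00Z bob push APPROVED
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _factor, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who received `threshold` or more push prompts inside `window`,
    all but at most one of them denied or timed out. A flood that ends in an
    APPROVED is the worst case: the user may have given in, so that session
    deserves review.

    Returns {user: {"prompts", "rejected", "approved_after_flood", "at"}}
    describing the last flagged window for each user.
    """
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((ts, outcome))

    findings = {}
    for user, prompts in by_user.items():
        prompts.sort()
        for i, (ts, outcome) in enumerate(prompts):
            # Sliding window that ends at the current prompt.
            recent = [o for t, o in prompts[: i + 1] if t >= ts - window]
            rejected = sum(1 for o in recent if o != "APPROVED")
            if len(recent) >= threshold and rejected >= threshold - 1:
                findings[user] = {
                    "prompts": len(recent),
                    "rejected": rejected,
                    "approved_after_flood": outcome == "APPROVED",
                    "at": ts,
                }
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

On the sample data only alice is flagged: six prompts in under three minutes, five rejected, and the final one approved, which is exactly the sequence worth paging someone about. Number matching or limiting the number of outstanding prompts per user removes the technique's leverage; the detector is for the cases where that control is not yet in place.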
Microsoft issues out-of-band security patch; vulnerability disclosed
SecurityWeek: Microsoft released an out-of-band security patch this week for its Endpoint Configuration Manager to fix a flaw that could've made it easier for attackers to move around an organization's network, which attackers find useful when trying to deploy ransomware. The bug is tracked as CVE-2022-37972 and was discovered by @TechBrandon. Admins use Endpoint Configuration Manager as a device deployment tool, such as for pushing apps and updates to employees over the network. You can probably see why a ransomware actor would find that level of access helpful.
More: Prajwal Desai | @thepacketrat | @TechBrandon

Australia's second-largest telco Optus was hacked
Bank Info Security: Aussie telco giant Optus was recently hacked (date unknown, but discovered September 14), with an attacker claiming to have stolen 11.2 million sensitive customer records. The hack is messy, not least thanks to Optus' crappy communications. But a dump of sample data posted online looks legit, according to @jeremy_kirk, who's covered this story from the very beginning. According to the hacker, an unauthenticated API allowed access to the customer databases, which the hacker then pulled by requesting records sequentially — eventually enough to trigger alerts. Kirk validated some of the data, including by speaking to a local resident who lives nearby. Stellar reporting here, even as the story develops. This could be one of the country's biggest breaches to date.
More: ABC Australia | Reuters ($) | @jeremy_kirk tweets | @agarner tweets
Jeremy Kirk tweet: "The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use."
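The failure the hacker describes is two defects stacked: the endpoint never checked who was calling, and records sat behind sequential ids, so one working request turned into all of them. The snippet below is an added example, not Optus' code or any reconstruction of it; the customer records are fake, and the hardened variant's session store, opaque public ids and ownership check are a hypothetical design to show the checks that were missing.

```python
import secrets

# Constructed sample customer records with sequential internal ids (fake data).
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "licence": "DL-0001"},
    1002: {"name": "B. Example", "dob": "1985-02-02", "licence": "DL-0002"},
    1003: {"name": "C. Example", "dob": "1990-03-03", "licence": "DL-0003"},
}


def lookup_customer_vulnerable(customer_id):
    """The shape of the reported failure: no caller identity is checked, and
    because ids are sequential, every record is one increment from the last."""
    return CUSTOMERS.get(customer_id)


class AuthError(Exception):
    pass


# Hardened variant (hypothetical design): bearer sessions so every call has an
# identity, opaque public ids so the id space cannot be walked, and an
# ownership check so a valid session only reaches its own record.
SESSIONS = {}                                                        # token -> internal id
PUBLIC_IDS = {cid: secrets.token_urlsafe(16) for cid in CUSTOMERS}  # internal -> opaque id
INTERNAL_IDS = {pub: cid for cid, pub in PUBLIC_IDS.items()}


def login(customer_id):
    """Stand-in for a real login flow; returns a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def my_public_id(session_token):
    """The opaque id a logged-in customer is given to refer to themselves."""
    return PUBLIC_IDS[SESSIONS[session_token]]


def lookup_customer_hardened(session_token, public_id):
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise AuthError("unauthenticated")   # the check the open endpoint lacked
    target = INTERNAL_IDS.get(public_id)
    if target is None or target != caller:
        raise AuthError("forbidden")         # no reading other customers' records
    return CUSTOMERS[target]


if __name__ == "__main__":
    token = login(1001)
    print(lookup_customer_hardened(token, my_public_id(token))["name"])
```

The ownership check matters as much as the authentication check: a real customer account that can read any other customer's record still yields the whole database, only slightly slower. Opaque ids are defence in depth, not a substitute for either check.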
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


American Airlines discloses employee email breach
Bleeping Computer: Following an undated breach of a number of employee email accounts, discovered in July, American Airlines confirmed that employees' and customers' names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, and/or certain medical information may have been stolen. According to a filing with Maine's attorney general, whose office requires organizations to disclose the number of individuals affected by each breach, about 1,700 people are affected.

How U.S. schools use AI to monitor student protests
The Dallas Morning News ($): Incredible reporting from Texas about colleges and universities that use an AI system built by a company called Social Sentinel, which reporters say allows staff to monitor student protests. Many of these colleges have their own police departments (pretty standard for America), which use taxpayer dollars to monitor what students say — in dozens of cases without telling the students. Documents seen by the reporters show Social Sentinel promoted the tool for "forestalling" and "mitigating" protests by monitoring social media and scanning student email accounts. Great threads by authors @ArijitDSen and @DKproduxion.

Malwarebytes accidentally blocks all Google sites, chaos ensues
Motherboard: Ever wondered what it's like to be completely cut off from Google? Malwarebytes customers had a fairly good idea this week when the antivirus engine blocked all Google sites. Not just search, but Gmail, Google Play — everything. The issue was quickly fixed, but not before plunging millions into a Google-less void. Whoops. And to think, just a few weeks ago I flagged this simple tool that makes a noise every time your computer sends data to Google, which presumably went silent for affected users.
Malwarebytes tweet: "We are aware of a temporary issue with the web filtering component of our product that may be blocking certain domains, including google dot com. We are actively working on a fix and will update Twitter as soon as we have more information."
Microsoft learns a lesson from its TrickBot sting
Bloomberg ($): Bouncing to Bloomberg's newsletter for a moment: @jeffstone500 reports and reflects on Microsoft's not-quite-takedown of the TrickBot botnet in 2020 ahead of the U.S. election, amid fears of ransomware attacks designed to mess up critical voting systems. But TrickBot lives on, thanks to a shadow botnet network it had set up to activate in the event of a coordinated assault by law enforcement. The takedown attempt failed, leaving one senior Microsoft executive "still a little angry" two years on. The back story, which hasn't been told before, is well worth reading, as is his tweet thread.

Artist finds private medical record photos in popular AI training data set
Ars Technica: A very modern privacy nightmare: finding your private medical records in a dataset used for training AI models. Well, that's what happened to an AI artist who goes by the name Lapine, who found that their medical files from their doctor, who died in 2018, somehow ended up in the LAION dataset. While scraping data is legal under U.S. law, it's less clear how legal or ethical it is for such a dataset to contain other people's personal or private information. LAION said that since it's not hosting the images, "the best way to remove an image from the Internet is to ask for the hosting website to stop hosting it."
~ ~


Congress probes Meta over health data collection: Meta is under pressure from Congress about its access to sensitive medical data after an investigation by The Markup found the company's pixel tracking tool collecting patient data — including doctor's appointments, prescriptions, and health conditions — from dozens of U.S. hospital websites, including in some cases password-protected patient portals. Now lawmakers want Meta (aka Facebook) to provide an account of the medical information it keeps on its users. These pixels are tiny — literally pixel-size — so they can't easily be seen on websites, but they transmit information back to Facebook, where the data is used to learn more about website visitors.

New Windows just dropped: Windows 11 22H2 (love that catchy name, rolls right off the tongue) arrived this week with new security features, including Smart App Control, a cloud-powered security feature that checks to see if an app should run. ZDNet has more.

Twitter discloses another security incident: Flip that "days since last security snafu" counter back to zero, Twitter's back with another incident disclosure. The company said it wasn't properly logging Android or iOS users out of their apps when they changed their passwords. When you change your password, it's meant to nuke all other active sessions so that every other device is logged out. That's the whole point of changing your password: to stop access that might be in progress. But Twitter wasn't doing that, so it logged a bunch of folks out as a precaution. As my TechCrunch colleague @sarahintampa and I wrote (disclosure alert!) this week, it's the latest disclosure in a long string of security issues at Twitter, not least the most recent $150 million settlement with the FTC after it used phone numbers and email addresses, ostensibly collected for setting up two-factor authentication, for targeted advertising. Probably enough to fill a loyalty rewards punch card at this point... If you needed an ELI5, @runasand has your back:
Runa Sandvik tweet: "This also means it’s not enough to reset your password if your Twitter account is hacked, support needs to close all active sessions for you."
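The mechanism that makes a password change log everyone else out is simple once sessions carry a "password generation" counter: bump the counter when the password changes and refuse any session issued under an older value. The code below is an added example and not Twitter's implementation or any claim about how its apps work; the user store, token format and the `check_generation=False` switch (which reproduces the class of bug described, where old sessions stay valid) are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed: the server's session-signing key


class Users:
    """Minimal user store. Each password change bumps `pw_generation`, and every
    session token records the generation it was issued under."""

    def __init__(self):
        self.users = {}

    def create(self, name, password):
        self.users[name] = {"salt": secrets.token_bytes(16), "pw_generation": 0}
        self._set_password(name, password)

    def _set_password(self, name, password):
        u = self.users[name]
        u["pw_hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 50_000)

    def change_password(self, name, new_password):
        self._set_password(name, new_password)
        self.users[name]["pw_generation"] += 1   # this is what invalidates other devices


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(users, name, device):
    """Sign a session token that remembers the password generation it was issued under."""
    payload = json.dumps({
        "user": name,
        "device": device,
        "gen": users.users[name]["pw_generation"],
        "nonce": _b64(secrets.token_bytes(8)),
    }).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def validate_session(users, token, check_generation=True):
    """Return the user name for a valid token, else None.

    check_generation=False models the reported bug: the signature is still good,
    so sessions from before a password change keep working."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    user = users.users.get(claims["user"])
    if user is None:
        return None
    if check_generation and claims["gen"] != user["pw_generation"]:
        return None
    return claims["user"]


if __name__ == "__main__":
    store = Users()
    store.create("alice", "old-password")
    phone = issue_session(store, "alice", "ios")
    store.change_password("alice", "new-password")
    print("phone session after password change:", validate_session(store, phone))
```

The same counter works for stateless tokens (put the generation in the claims, as here) and for server-side sessions (store it on the row and compare on every request). The point Sandvik makes holds either way: if the comparison is skipped, resetting the password does nothing to a session an attacker already holds.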
Wintermute hacked, $160 million stolen: The only thing more frequent than a Twitter security incident is a web3 security incident. This week's heist landed at Wintermute's door, with $160 million in crypto funds stolen. Per The Record, Wintermute is a "market maker" for cryptocurrency platforms, an organization that holds a large inventory of a particular asset to keep the market liquid by ensuring that traders have someone to buy and sell with.

Morgan Stanley settles after customer data auctioned: You couldn't make this up: banking giant Morgan Stanley settled charges with the SEC this week for "astonishing failures" over a five-year span, reports Ars Technica. The SEC says Morgan Stanley failed to properly wipe decommissioned hard drives packed with customer data, which ended up flogged for resale on internet auction sites. You know, like eBay. Morgan Stanley will pay $35 million to settle the charges that exposed millions of customers' personal information. Breathtakingly negligent.

Cameras coming to NYC subway cars: New York governor Kathy Hochul, whose office in Albany oversees New York City's subway system — for reasons that make little sense — announced this week a new plan to roll out surveillance cameras in every New York City subway car by 2025. The effort was billed as "awful" by privacy advocates, so Hochul doubled down further. "You think Big Brother's watching you on the subways? You're absolutely right," she said. Yet the MTA's chair said subway crime is down 9% and that the subway is "among the safest places in New York." So maybe make up your minds before you subject millions to additional unwanted surveillance? Or, maybe scrap the idea altogether? Just a thought.
~ ~


Happy Sunday to those who read this newsletter in reverse. Let's start with a friendly reminder to always lock your computer — even when you're working from home. And adjust your threat models accordingly for your biggest hazard — pets.
Bree tweet, with a photo of a cat on a desk in front of a display that's been significantly magnified, with the caption: "i will be locking my PC from now on 🥲"
Meanwhile, @nathanblawrence figured out how to make an Apple Watch honk! You know, for emergencies... obviously.

How do you screw with your civilian friends when you work at one of the world's top intelligence agencies? I won't spoil the punchline, but @RobertMLee's tweet thread has the goods.

Also, I don't know who needs to hear this but please change your crosswalk's password.

And finally, @gordoncorera got a rare look inside the CIA's secret in-house museum, which is closed to the public because most of what's in there is incredibly classified. Go check out his BBC News feature.
If you have good news you want to share, get in touch at:
~ ~


Meet Lou, this week's cyber cat. According to her human, Lou is committed to zero trust, denying all requests to come near her tower. How fitting after this week's news. A big thanks to her human John M. for the submission!
Please send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Repeat submissions welcome.
~ ~


That's all for this week — a big thanks as always for reading! The suggestion box is open, or feel free to drop me an email with any feedback. Share the newsletter on social below!

It's getting chillier on the east coast as the fall weather slowly rolls in. But don't worry, I have no plans for a pumpkin spiced newsletter any time soon. 

Back next week,