~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 22

~ ~

THIS WEEK, TL;DR

All of JBS' U.S. beef plants were forced shut by cyberattack
Bloomberg ($): First they came for gasoline, then they came for the meat supply. Ransomware is back in the news (not that it hasn't been of late.) JBS, the largest meat producer globally, shut down its U.S. beef plants after it was hit by ransomware, forcing output to slow to a crawl. Beef Central had solid reporting on the aftermath of the attack, including the massive impact on the supply chain. The FBI attributed the attack to REvil, a Russian-based ransomware crew. By the end of the week, JBS was making its way back online.
More: Beef Central | Cyberscoop | Wired ($)

Why the ransomware crisis suddenly feels so relentless
MIT Technology Review ($): If you're wondering why ransomware seems so unrelenting at the moment, it's largely due to a decade of inaction by the government, new tactics by ransomware actors, and countries providing safe havens for criminals. @HowellONeill breaks this one down well. It comes as the U.S. will give ransomware attacks the same priority as terrorism cases, as damage and fallout continue to mount. In doing so, the hope — at least — is that the federal government can do more to tackle the problem centrally and holistically. As @c_c_krebs said, there's "no silver bullet," but it will take the government and the private industry working together.
More: Cyberscoop | @c_c_krebs

Supreme Court reins in definition of crime under controversial hacking law
Ars Technica: Finally. In a 6-3 ruling, the Supreme Court has curbed the scope of the U.S. hacking law. The case centers on a former cop who accessed a license plate database for kickbacks, and was charged under the CFAA. Crucially, the case centered on what the law means by "unauthorized" access. (Read @OrinKerr's tweet thread for a tl;dr.) In short, the ruling limits what can now be considered a crime under the CFAA — it's a huge win for ordinary Americans but also security researchers. The ruling vindicates Aaron Swartz, a security researcher who was prosecuted under the CFAA for downloading over 4 million academic journals from JSTOR's network in 2013. He died by suicide soon after.
More: Politico | Gizmodo | @kimzetter | @orinkerr tweets
Tweet reads: "Supreme Court ruled that journalists & computing researchers who investigate online platforms aren't criminal hackers who exceed authorized access."
King County bans county use of facial recognition technology
Seattle Times: Another small but significant privacy victory: King County Council has banned the use of facial recognition by all Seattle-area county offices. The vote was unanimous, 9-0, in favor of the ban. It's the first county in the U.S. to ban facial recognition. Several cities have also banned facial recognition, including San Francisco, Boston, and Portland, Oregon.
More: @seattletimes

Alibaba's UC Browser found collecting incognito web browsing history
Forbes: The Alibaba-owned app UC Browser has more than 500 million users around the world, mostly in Asia, making it one of the world's most popular browsers. But research shows both Android and iOS versions of the app are sending web browsing data and IP addresses (which can infer approximate location) to Alibaba-controlled servers that are registered in China.
More: Gabi Cirlig
A screenshot shows UC Browser sending incognito data to Alibaba-controlled servers.
U.S. seizes attacker domains used in USAID phishing campaign
Dark Reading: Last week it was reported that the SolarWinds hackers were targeting USAID with a loud spearphishing campaign. Microsoft disclosed the attack, and CISA said 350 organizations were hit but downplayed the impact, saying it "has not identified significant impact on federal government agencies resulting from these activities." The U.S. secured a court order this week to seize two command and control servers used by the attackers to shut down the operation.
More: Justice Department | NPR
~ ~
SUPPORT THIS NEWSLETTER

Thanks to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!) to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo.
~ ~

THE STUFF YOU MIGHT'VE MISSED

Faulty emailing tool prevented Accellion from notifying customers of attacks
The Record: Accellion, the maker of the FTA file-transfer application used by companies to share and host large files, was hacked last year. But when it came to emailing its customers alerting them of the breach, one customer — the Reserve Bank of New Zealand — said it wasn't notified for more than two weeks after the attack because Accellion's email-sending tool wasn't working.

Amazon devices will soon automatically share your Internet with neighbors
Ars Technica: Amazon devices, like Echo speakers and some Ring cameras, will soon share your internet connection with your neighbors as part of Sidewalk, Amazon's new wireless mesh service. Amazon has a paper out explaining how the service will (try to) stay secure, but given the raft of Wi-Fi and Bluetooth flaws, you might still want to opt out. Do it soon, because after June 8 you won't be able to.
This screenshot (follow the link) explains how to opt out of Amazon Sidewalk.
New York's MTA breached by hackers using Pulse Secure zero-day
New York Times ($): Hackers gained access to MTA's systems earlier this year by exploiting a zero-day vulnerability in Pulse Connect Secure, a widely used VPN appliance. The attackers struck in the second week of April, according to documents, but the mass transit system said no employee or customer information was taken. One of the working theories is that the hackers broke in, found little of interest, and moved on.

Encryption law puts billions at risk
Internet Society: An economic analysis shows Australia's encryption-busting law, TOLA, which allows police and intelligence agencies to compel access to encrypted data, poses a significant economic threat to businesses, in some cases to the tune of billions of dollars. The research was carried out by the Internet Society to understand the financial impact of the law on Australian businesses. The report is well worth the read, as is @JoeBeOne's detailed thread.

Hackers breached Colonial Pipeline using a compromised password
Bloomberg ($): A single password was used to compromise Colonial Pipeline's network, according to Mandiant, which was hired to do the pipeline's incident response. How the hackers got the password, though, remains a mystery. Colonial eventually paid a $4.4 million ransom.
~ ~

OTHER NEWSY NUGGETS

Code published that could crash 'big portions' of Hyper-V
Security researchers have published proof-of-concept code that allows a guest to crash a Microsoft Hyper-V host, and in some cases compromise the host's security. The critical-rated bug was patched on May 11. The researchers are presenting the vulnerability at Black Hat this year.

FireEye to sell products business for $1.2B to Symphony-led investor group
FireEye is (finally) splitting itself into two: FireEye, the products business (and the FireEye brand), will be sold to a group of investors led by Symphony Technology Group, and Mandiant, the incident response unit, will remain as is. The deal will unlock the "high growth" Mandiant business. The deal is likely to close by the end of the fourth quarter.

The all-seeing eyes of New York's 15,000 surveillance cameras
Amnesty International says the 15,000 cameras used in the NYPD's mass surveillance program are most commonly found in non-white neighborhoods, like Brooklyn's East New York, which has 577 cameras, more than any other neighborhood recorded so far. (The project is still collecting data for Queens and Staten Island.) Motherboard also covered the story.
A screenshot of a map by Amnesty that shows most NYPD cameras are in non-white neighborhoods.
Venmo will now let you hide your friend list after Biden's account was found
Apparently all it takes for Venmo to care about users' privacy is for reporters to find the president's account. That's what BuzzFeed did. Now, in response, Venmo will let you hide your friend list so that it's private and can't be searched. @RMac18 explains how you can switch on this setting in a video.

U.S. withdraws FBI subpoena seeking data of those who read USA Today story
The FBI earlier this year tried to obtain data associated with readers who accessed an article on USA Today's website about the killing of two FBI agents. Politico reported that the FBI demanded IP addresses and mobile identification data of anyone who read that February 2 story over a 35-minute window — the reason for that window is not yet known. The subpoena has been withdrawn after USA Today resisted the order. It's also not the first time this has happened.
~ ~

THE HAPPY CORNER

First of all, a big congrats to @mikko, who celebrated 30 years at F-Secure this week.

Meanwhile:
Zetter: "what if it was vegans who hacked the beef company?" Tweet reply: "Not-PETA"
And, it turns out XKCD follows just one Twitter account, and that's @choochoobot, a bot train that trundles through the internet. I had no idea this bot existed until this week, and already love it.
If you want to nominate some good news from the week, feel free to reach out.
~ ~

CYBER CATS & FRIENDS

Meet Dexter, who features this week. Dexter isn't with us anymore but is still loved very much by his human, @goretsky. Thanks so much for the submission.
Dexter, a black dog.
Putting out a call for cyber cats (and their friends) — so please send them in! Drop a photo, their name, and email it here. (If you've submitted before, you're welcome to send in an update!)
~ ~

SUGGESTION BOX

That's all this week. As always, feel free to drop any feedback in the suggestion box. Hope you have a great week. See you next Sunday!