~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 33


The secret SIMs used by criminals to spoof any number
Motherboard: Criminals are using "Russian SIMs," or blank SIMs, to impersonate any phone number they want. These SIM cards aren't inherently illegal but are used by organized gangs to conduct their business largely under the radar. These SIMs likely rely on a mobile virtual network operator (MVNO), which piggybacks off another carrier. Many of these were used during the Encrochat days, which shuttered after police hacked in. The reporting is incredible. An absolute must read.
More: @josephfcox

Homeland Security details new tools for extracting device data at US borders
CNET: Homeland Security effectively controls who crosses into the U.S. and who doesn't — and whose devices get searched at the border. Any search is meant to be in offline mode so the border officer can't search data in the cloud — that requires a warrant. But a new privacy assessment says border officials can now search your phone's location history, social media information, and a lot more.
More: Nextgov | @alfredwkng tweets

Hackers can eavesdrop on mobile calls with $7,000 worth of equipment
Ars Technica: VoLTE, or voice-over-LTE, allows for better quality voice calls over the 4G network — and comes with security improvements over 3G. But researchers say a new attack that they call ReVoLTE can eavesdrop on phone calls. You just need $7,000 worth of hardware to pull it off. The attack is somewhat limited: the attacker has to be on the same cell tower as the victim — typically within a few hundred feet. @matthew_d_green explains more in his own blog post.
More: Cryptography Engineering | ReVoLTE Attack

NSA, FBI expose Russian intelligence hacking tool
Reuters: The NSA and FBI have exposed a new Russian GRU-built, Linux-based hacking tool, dubbed Drovorub, said to be a "Swiss Army knife" of capabilities, according to McAfee. The government's technical report was effectively a name-and-shame to raise awareness of the malware. Drovorub is — apparently — Russian slang for the word "drivers," according to @DAlperovitch, even if the term actually translates closer to "woodcutter."
More: NSA | @RidT

Election commission orders top voting machine vendor to correct misleading claims
Politico: The Election Assistance Commission has told ES&S, one of the largest voting machine makers, to stop using deceptive marketing that implied its voting machines are certified by the agency. In short, ES&S violated the EAC's testing and certification rules, per @kimzetter.
More: @kimzetter tweets | @SEGreenhalgh

Belarus has shut down the internet amid a controversial election
Wired ($): Human rights organizations are blaming the Belarusian government for widespread internet outages across the country after a controversial election saw Europe's "last dictator," Alexander Lukashenko, hold onto power after close to three decades in office. The main opposition leader, Svetlana Tikhanovskaya, is in exile. The internet outages even extended to VPNs, often a way to get around censorship. It's a common tactic used by governments to try to squash dissent — even if it rarely works.
More: Motherboard | Human Rights Watch | Amnesty International
~ ~

A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


Boeing 747s get critical updates over 3.5" floppy disks
The Register: According to researchers at Pen Test Partners, some Boeing 747 planes still use 3.5" floppy disks to receive critical navigation database updates. The researchers were digging around ahead of a Def Con talk. That kicked off an interesting question about security.

PinePhone offers physical hardware kill-switches
Android Police: I don't really talk much about gadgets but this is an interesting one: the new Linux-based PinePhone comes with physical hardware kill-switches that disable certain parts of the phone: cameras, microphones, and networking. It's a really interesting concept, even if the rest of the phone leaves a lot to be desired — at least compared to the more polished mass-production phones.

Inside the courthouse break-in spree that landed two white-hat hackers in jail
Wired ($): This was a great, deep-dive read by @a_greenberg about the two Coalfire penetration testers, tasked by Iowa officials to test the security of several state courthouses. But the state disavowed the pair after they were arrested by a local sheriff. The storytelling here is excellent.
~ ~


SANS Institute, which drills cyber professionals in defense, hit by data breach
SANS confirmed some 28,000 records containing personally identifiable information were accessed in early August. A hacker got access after sending an employee a phishing email. SANS said the stolen data included names, email addresses, work phone numbers, company names, postal addresses and more.

Tor warns of exit relays running 'sslstrip' in May and June 2020
The Tor Project, which maintains the Tor anonymity network, said a group of Tor exit relays were "messing" with exit traffic — specifically, intercepting communications from a small number of cryptocurrency exchanges and stripping HTTPS from the connection, effectively allowing an attacker to snoop on sensitive web traffic. The exit relays were removed in May, but the project found another attack underway in June.
~ ~


This week @IanColdwater slapped down a troll so hard it left jaws wide open and heads spinning. This was a truly beautiful moment. Chef's kisses all around. Get your commemorative sticker here.

Gizmodo took a novel approach to figure out their Wi-Fi password by simply asking the internet to figure it out.

And, next weekend is the Diana Initiative's 2020 virtual conference, starting Friday. As @RayRedacted notes, it's an incredible line-up of speakers and lots to get involved with. The Diana Initiative is a women-centric organization but open to all.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Mr. Pilkington. You have hacked his defenses — you can now commence belly rubs. A big thank you to his anonymous human for the submission!
Please keep sending in your cyber cats! The more the merrier. Send them in!
~ ~


That's all for now. If you have any feedback, feel free to drop it in the suggestion box. Have a great week and see you next Sunday.
