~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 43


Polls close on Election Day with no apparent cyber interference
NBC News: The election is done and a presidential winner is clear. And the whole thing went down without any significant cyberattacks or interference, reports @kevincollier. Gears quickly shifted to social media firms trying to halt the spread of misinformation that tried to cast doubt on the results. Looks like all that election preparedness and resilience training since 2016 paid off.
More: Cyberscoop | Wired ($)

California's Proposition 24 on consumer privacy passes
San Francisco Chronicle: Speaking of elections, California's Prop 24 also passed, which would expand the state's Consumer Protection Act (CCPA) to create a new state agency to enforce privacy rights. CCPA brought Europe's GDPR-style rights to California residents. It's far from perfect but better than what they had. Where Prop 24 got complicated was the pushback — not from tech companies, but privacy groups, who argued lower-income people could find it harder to exercise their privacy rights. @Gizmodo explains what the law does (and doesn't do).
More: Gizmodo | Vox

Justice Dept. says it's seized $1 billion in bitcoin from Silk Road
Motherboard: After seven years, some $1 billion worth of bitcoin (as of this week) changed hands. Who was behind the apparent theft? Mystery over — it was the U.S. government, the Justice Dept. confirmed. The bitcoin came from the Silk Road dark web marketplace, seized in 2013 and its founder, Ross Ulbricht, arrested and later jailed for two life sentences. The government said it seized the $1 billion in bitcoin this week after an unnamed hacker agreed to forfeit the wallet, after the hacker — identified only as Individual X — hacked into Silk Road before its shut down and stole the bitcoin. A wild story with a lot more to come, no doubt.
More: Justice Dept. | The Guardian | TechCrunch
FBI says hackers stole source code from U.S. government agencies and private companies
ZDNet: An FBI alert sent out last month but made public this week says hackers are abusing misconfigured SonarQube apps to access and steal source code belonging to the U.S. government and private businesses. SonarQube lets its users scan and check for security bugs before pushing source code to production. But these systems are frequently left unprotected and exposed or with default credentials. The FBI's IC3 alert said the hacks date back to April.
More: IC3 [PDF] | @mayhemdayone

Maze, a notorious ransomware group, says it’s shutting down
TechCrunch: The ransomware group known as Maze, which began the trend of stealing victim data before encrypting it, says it's shutting down. But security experts aren't so sure that they believe them, and are convinced the individuals involved in the group will likely reemerge under a different name. Maze hit major companies, including Cognizant, Canon, and Pitney Bowes. (Disclosure: I wrote this story.)
More: Bleeping Computer
~ ~

Thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


WhatsApp now lets you post ephemeral messages that disappear after a week
TechCrunch: WhatsApp, which sends some 100 billion messages a day, will now let user messages (including photos and videos) expire after seven days. There's little flexibility on that — it's a set time unlike Signal, which allows disappearing messages under more granular periods of time. Users can turn on the feature for direct messages, but in groups it’s the admin that has to enable disappearing messages for it to work. 
Apple patches iOS against three zero-days under active attacks
Ars Technica: Google's Project Zero has been busy this past couple of weeks. Following its latest disclosures, Apple fixed three zero-days found in iOS, affecting iPhone 6s and iPad Air 2s and later. The bugs could have allowed attackers to run malicious code, as well as steal data from an affected device. Worse, both Google and Apple confirmed that the bugs were under active attack. The attacks were unrelated to the election, but you should still update to iOS 14.2 as soon as possible.

Google patches third Chrome zero-day in two weeks
ZDNet: Google has patched its third zero-day vulnerability in Chrome in as many weeks. Google said little about the bugs, but said in a changelog that the bug was found in V8, the Chrome component that handles JavaScript, while the other only affected Chrome for Android users. Google's Threat Analysis Group, which focused on government-backed hacking, was involved — which @dangoodin said the flaws may be the work of a nation state. Don't delay, update today!
~ ~


Portland, Maine has voted to ban facial recognition
In more election news, Maine's largest city Portland has banned facial recognition. That means private citizens are entitled to a minimum of $1,000 in fines if they are subjected to facial scanning by police or another government agency. The private sector, however, can still use the technology. The measure passed after a city council vote, and Portland joins a ton of other cities across the U.S., including San Francisco, Boston, and the other Portland in Oregon.

Deloitte's "Test your Hacker IQ" site basically hacks itself
Well this is awkward. A website set up by global consultant Deloitte to quiz people on hacking tactics left a database configuration file exposed, allowing anyone to access the site's backend database. Classic.

Capcom hacked in latest cyber-attack on game-makers
The Japanese video games giant behind resident Evil and Street Fighter has been hacked. Capcom confirmed "unauthorized access" but said there was no sign "at present" that data had been accessed or stolen. It comes just days after Watch Dogs: Legion, a game about hacking no less, was itself targeted by hackers, after ransomware group Egregor claims to have leaked the game's source code.
~ ~


CERT/CC, the vulnerability disclosure center at Carnegie Mellon University, has launched a bot that assigns random bugs with neutral names. Some have turned their noses up at "branded" bugs, but having an assigned name can be helpful for remembering what's what. To be fair, you probably never would have heard of CVE-2020-4483 if CERT/CC didn't call it Tidal Pitchfork. (How metal is that?)

And — no matter who you voted for, I think we can all agree that the ballot counters, election officials, and the cyber-defenders in government did a pretty solid job this time around. It's an enormous, largely thankless job — and credit where credit's due. And @jkosseff said as much in tweets this weekend.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet Space, this week's cybercat. Space is blind but her human tells me that she has a great memory. (She could be our hacker historian!) Big thanks to @ignacykas for the submission!
Keep sending in your cyber cats! They will be featured in upcoming newsletters. 
~ ~


That's it for now. Thanks for reading! It's been an intense week. I hope you stay safe and healthy. As always, please drop any feedback in the suggestion box. See you next Sunday. 

You can update your preferences or unsubscribe from this list.