~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 31


Police arrest 17-year-old suspect in massive Twitter hack
Motherboard: So, let's talk about the 17-year-old who broke into Twitter. This is a nuts story. The so-called "mastermind" of the breach was a 17-year-old Florida teenager whose access to Twitter's internal account tools let him, with two accomplices, take over dozens of high-profile accounts and push a cryptocurrency scam that netted hundreds of thousands of dollars. The teenager got into Twitter's network through a phone spearphishing attack on an employee (details are still light), and whatever he obtained was enough to get past the company's corporate two-factor protections. Wired ($) and ZDNet break down the timeline pretty well.
More: NBC WFLA | Wired ($) | Justice Dept.
A cyberattack on Garmin disrupted more than workouts
Wired ($): After its massive ransomware attack, Garmin's consumer services hobbled back to their feet following a rough week of downtime, compounded by the company's near-silence on the incident. Users complained for days that their fitness and workout data wasn't being recorded. Worse, as @lilyhnewman reports, pilots who rely on Garmin's separate aviation navigation services were also affected. Garmin flickered back online on Monday after reportedly obtaining the ransomware's decryption key. How it got the key will be under intense scrutiny: Evil Corp., the operator of the ransomware that hit Garmin, was sanctioned by the U.S. Treasury last year, so paying it a ransom would risk violating U.S. sanctions law (*cough*). Garmin said the incident won't have any material impact on its earnings. We'll see in the coming quarter if that's true.
More: BBC News | Sky News

Police dragnet requests for location data face scrutiny
Wall Street Journal ($): Police are increasingly using controversial dragnet "reverse location" warrants, but potentially not for much longer. These warrants instruct Google (or any other geolocation-heavy service) to turn over records on anyone whose device was inside a drawn area on a map during a particular time window. Police argue this helps them identify suspects in a crime. And they're popular: such warrants rose 1,500% from 2017 to 2018, and another 500% the following year. Privacy advocates have pushed back because these dragnets can (and have) ensnared innocent people. Now, two criminal cases are challenging this use of data requests.
Background: NBC News | Forbes

This bumbling startup helps conservative websites store postal addresses of anonymous readers
Jezebel: This was an interesting read: a startup called is helping conservative websites like the Daily Caller turn anonymous visitors into names, email addresses and postal addresses associated with that user — all without their explicit knowledge. Take the politics out of the equation and that's still incredibly creepy! The startup does this by amassing tons of data — some 350 million records so far. And yet it's all entirely legal, because of course it is.
More: @molly_o

New bug in PC booting process could take years to fix, researchers say
Cyberscoop: New research reveals how a flaw in the boot process guarded by UEFI Secure Boot, which is meant to stop malicious code from slipping into a system before the operating system loads, can be exploited even when Secure Boot is turned on. The flaw affects almost every Linux-based system and raises the risk of persistent infections from ransomware and other malware. The research is interesting, but exploiting the flaw requires administrative access to the computer already. Still, planting code that survives a reboot and reinstall is a spy's dream, reports @snlyngaas, and the fix is slow because vulnerable bootloaders have to be revoked in firmware as well as replaced. NSA also has a guide on how to mitigate the threat.
More: @ESETresearch | NSA

EU sanctions Russian hackers, Chinese firms over cyberattacks
Reuters: The European Union has imposed asset freezes and travel bans on hackers associated with Russian intelligence, as well as on firms in China and North Korea accused of involvement in a spate of cyberattacks. The sanctions come in (very late) response to the WannaCry attack, blamed on North Korea; the NotPetya attack, attributed to the Russians; and Operation Cloud Hopper, linked to the Chinese. The measures bar the named individuals from entering the EU and freeze any assets they hold there.
More: European Council
~ ~

A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. Contribute to the Patreon here!
~ ~


This billion dollar company considers privacy laws a threat to its business
Motherboard: ZoomInfo is a massive data broker that collects people's contact information, in part by harvesting it from the inboxes of users who install its software. It's big business: ZoomInfo went public in June, raising nearly a billion dollars. So it's no wonder it sees privacy legislation as a threat to its business, specifically Europe's GDPR and California's CCPA, according to a recent government filing. (Clearly a big week for massive email data scrapers...)

Zoom didn't rate-limit private meeting passcodes, making breaking-in easy
Tom Anthony: Zoom meetings are protected by default with a six-digit passcode, which gives about one million possible codes. But Zoom wasn't rate-limiting how often a client could submit a wrong passcode, so an automated attack could guess its way into a meeting in a matter of minutes. (Remember when the U.K. government held a Cabinet meeting over Zoom? Yeah.) The bug was reported and a fix was put in place. The bug finder waived a bounty to get the bug fixed quicker. Nice.
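To make the point concrete, here is an added toy model of a meeting passcode check, written for this newsletter and not Zoom's code or Tom Anthony's. It brute-forces the six-digit space against a checker with no rate limit and then against the same checker with a per-source failure counter and lockout; the failure threshold, lockout window, client address and sample passcode are all assumed values.

```python
"""Toy meeting passcode check, without and with rate limiting.

Constructed example (not Zoom's code). MAX_FAILURES, LOCKOUT_SECONDS,
the source address and the sample passcode are assumptions.
"""
import hmac
import time
from collections import defaultdict

PASSCODE_DIGITS = 6                 # default length described in the write-up
KEYSPACE = 10 ** PASSCODE_DIGITS    # 1,000,000 candidate codes
MAX_FAILURES = 5                    # assumed policy: failures before lockout
LOCKOUT_SECONDS = 300               # assumed policy: how long a source is locked


class MeetingNoRateLimit:
    """Vulnerable: accepts an unlimited number of wrong guesses."""

    def __init__(self, passcode):
        self._passcode = passcode

    def join(self, source, attempt):
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(attempt, self._passcode):
            return "ok"
        return "wrong"


class MeetingRateLimited(MeetingNoRateLimit):
    """Hardened: counts failures per source and locks that source out."""

    def __init__(self, passcode, clock=time.monotonic):
        super().__init__(passcode)
        self._clock = clock                 # injectable for testing
        self._failures = defaultdict(int)   # source -> consecutive failures
        self._locked_until = {}             # source -> monotonic deadline

    def join(self, source, attempt):
        now = self._clock()
        if self._locked_until.get(source, 0) > now:
            return "locked"                 # rejected without checking
        result = super().join(source, attempt)
        if result == "ok":
            self._failures.pop(source, None)
            return result
        self._failures[source] += 1
        if self._failures[source] >= MAX_FAILURES:
            self._locked_until[source] = now + LOCKOUT_SECONDS
            self._failures[source] = 0
        return result


def brute_force(meeting, source="203.0.113.7"):
    """Try every code in order; stop on success or on lockout.

    Returns (recovered_passcode_or_None, guesses_sent).
    """
    guesses = 0
    for n in range(KEYSPACE):
        guesses += 1
        code = f"{n:0{PASSCODE_DIGITS}d}"
        result = meeting.join(source, code)
        if result == "ok":
            return code, guesses
        if result == "locked":
            return None, guesses
    return None, guesses


if __name__ == "__main__":
    secret = "048213"  # constructed sample passcode
    print("no rate limit:", brute_force(MeetingNoRateLimit(secret)))
    print("rate limited: ", brute_force(MeetingRateLimited(secret)))
```

Against the unlimited checker the loop recovers the code after a few tens of thousands of guesses, which is the whole attack; against the rate-limited one it is shut out after five. One caveat for anyone copying the pattern: a counter keyed only on the client's address is defeated by spreading guesses over many addresses, so a real service should also count failures per meeting and back off there too.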
How cops can secretly track your phone
The Intercept: @kimzetter is back at The Intercept with a primer on stingrays and dirtboxes, the briefcase-sized devices used almost exclusively by law enforcement to snoop on phones within range by imitating legitimate cell towers. This is an excellent read, and it breaks down the jargon.

Rite Aid deployed facial recognition systems in hundreds of U.S. stores
Reuters: This is an incredible read. Reuters reports in a deep-dive investigative piece that Rite Aid has been using facial recognition in some 200 stores across the U.S. over the past decade, including in New York and Los Angeles, largely in lower-income and non-white neighborhoods, using a system with links to China. If you thought this had "nothing to do with race," per Rite Aid's statement, think again. The system kept misidentifying Black people, a well-documented failing of facial recognition systems, which produce false matches for people of color at far higher rates. As a result, innocent people were accused of shoplifting because of the system. One victim said Rite Aid "only identified me because I was a person of color. That's it." Prepare to get very angry reading this story.
~ ~


U.S. files fresh indictment against former Twitter employees accused of spying for Saudi Arabia
Prosecutors have filed a superseding indictment against two former Twitter employees who were fired and later charged with spying for the Saudi kingdom. The Justice Dept. accuses the pair of abusing their internal access to collect sensitive information about Saudi dissidents, including their locations, email addresses, and phone numbers. @shanvav has a good tweet thread on the story.

Hackers broke into real news sites to plant fake stories
Disinformation is getting deeper and more convincing, but spreading it through journalists, who are wising up to the practice, is getting tougher. So some operators are skipping the reporter altogether and breaking into news outlets' content management systems to post disinformation directly to readers. That's what FireEye says is going on: a disinformation-focused group it calls Ghostwriter has targeted European news outlets to spread false stories, among them claims of U.S. military aggression and of NATO soldiers spreading the coronavirus.

The College Board is sharing student data (again)
An investigation by Consumer Reports shows that the College Board is sending information to tech companies in contradiction of its own privacy policy. The education giant is tracking students and sending data about their online activity to ad giants, including Facebook and Google. @thomasgermain explains more in his tweet thread. Also read the Medium post where the reporters explain how they did the analysis. Fascinating stuff.
~ ~


At last, some good news from the week.

A big happy birthday to @HackingDave, who this week donated $5,000 to @InnocentOrg, a non-profit organization dedicated to online child protection.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Tugboat, who like any good firewall knows how to keep hacker dinosaurs at bay. Good boy, Tugboat. A big thanks to his human, Nancy Austin, for the submission!
Please keep sending in your cyber cats! They will always be featured, first come, first served! Email them in here
~ ~


That's all for now. It's virtual hacker summer camp this coming week — so enjoy watching all your favorite talks. If you have any newsletter feedback, please drop it in the suggestion box. Have a great week, and see you next Sunday. Take care.
