~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 42

~ ~


Biden administration orders federal agencies to fix hundreds of cyber flaws
Wall Street Journal ($): The federal government has been told to go on a security patching spree. Thanks to a new CISA directive out this week, agencies have six months to fix hundreds of bugs across their networks — and just two weeks to fix bugs from 2021. Each agency patches its own stuff, so some agencies may have fewer bugs to fix than others. The full catalog of vulnerabilities is here (which might also be useful for folks in the private sector).
More: CISA | Bloomberg | The Verge | @ericgeller

Commerce Department blacklists controversial spyware company NSO Group
Cyberscoop: Major news this week: NSO Group, the maker of the Pegasus spyware, has been blacklisted by the U.S. Commerce Department, along with spyware maker Candiru. The companies will be added to the entity list, which contains companies that pose a threat to national security and a foreign policy risk. Russia's Positive Technologies, which was hit by Treasury sanctions earlier this year, is also now on the economic blacklist. The entity list will make it far harder for U.S. companies to export technology (hint: zero-days and cloud infrastructure). Amazon already put a stop on NSO using AWS, and Dell said it was going to "take all actions necessary" to comply with the order. NSO doesn't target +1 phone numbers for fear of poking the big American bear, but this is a pretty big step for the U.S. to take regardless. NSO said in a statement that it's trying to reverse the decision. Not sure how much luck it'll have though.
More: Federal Register | Motherboard | @skirchy thread | @lorenzofb tweets
Stephanie Kirchgaessner tweet: "NSO has always said it does not target US-based users. But I think it was very significant that the phone number of a major US diplomat, the US Envoy to Iran, was on our leaked list."
Cyber Command hijacked REvil ransomware site, resulting in its shutdown
Washington Post ($): U.S. Cyber Command, the NSA sister agency that carries out offensive cyber operations, hijacked the servers of the REvil ransomware group earlier this year. But the compromise wasn't detected until Cybercom blocked its website traffic a month ago. The operation wasn't a hack or a takedown but crucially "deprived the criminals of the platform they used to extort their victims." Well that's one way to make sure they don't get paid. One of the group's leaders confirmed domains were "hijacked from REvil," and that the authorities were looking for them. "Good luck everyone, I’m off," the hacker wrote. REvil was behind the ransomware attacks on JBS, Travelex, and Kaseya. The AP has a detailed interview with deputy attorney general Lisa Monaco, who said following the U.S.-Russia tensions over cyberattacks that the U.S. has "not seen a material change in the landscape."
More: TechCrunch | Associated Press | @nakashimae
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


U.S. Supreme Court declines to hear challenge to FISA court secrecy
Knight Institute: The Foreign Intelligence Surveillance Court is the secretive court in Washington DC that hears the government's cases (largely one-sidedly) on conducting surveillance, including on Americans. The court operates largely in secret because surveillance is often, well, secret. That's why so many of the court opinions that are released are redacted to high heaven. But the Supreme Court says that there's no public right to hear its opinions, and it's up to the executive branch to determine what should be public. Which, if you think about it, doesn't seem right, since the executive branch ordering the surveillance gets to decide if it ever becomes public. All this comes almost a decade after the Snowden affair. "Secret court decisions are corrosive in a democracy, especially when they so often hand the government the power to peer into our digital lives," said the ACLU's @patrickctoomey. Here's a short tweet thread by @jameeljaffer with more.

House approves massive infrastructure plan that includes $1.9 billion for cybersecurity
The Record: So, some good news. The House has passed a massive $1.2 trillion (or $550 billion depending on who and how you ask) infrastructure bill, which puts $1.9 billion into the federal cybersecurity wallet. That includes $1 billion devoted to a new grant program aimed at improving state, local and tribal governments, as well as $100 million over five years to respond to federal cyber incidents. Oh, and $21 million to set up the National Cyber Director's office — which, currently, is this cyberhouse for some reason. The Senate passed the bill in August so it'll now go to Biden's desk to be signed.
A photo of the so-called White House "cyber house", a brownstone building in Washington DC and home to the new office of the National Cyber Director.
Thousands of geofence warrants are missing from a California database
The Markup: More great work by the formidable team of @tenuous and @alfredwkng. Since 2015, California law has mandated all government agencies to publicly report unsealed warrants that don't have a known subject — often things like seized property and the like. But that should also include geofence warrants, since by their very nature they scoop up everyone in a particular area. Earlier this year, Google broke out its geofence numbers. That includes 1,909 geofence warrant requests from California in 2020. Turns out, surprise surprise, that law enforcement agencies only reported 186 warrants that mentioned Google during that same period. The numbers in 2019 look similar: 1,537 warrants per Google but only 168 warrants in the public database. Great reporting here.

Clearview AI ordered to stop collecting Australians' photos
Josh Taylor: The Australian government's data and privacy commissioner has ruled [PDF] that Clearview AI, the controversial facial recognition and surveillance startup, must stop collecting images of Australians and remove their photos. Remember, the startup allegedly scraped 10 billion images from the web, including Facebook, Venmo and LinkedIn, without their permission. Still, Australian police used Clearview to search for suspects, victims, and themselves, per this @joshgnosis thread. BBC News has more.

Labour Party members' data hit by cyber incident
BBC News: The current U.K. opposition party, Labour, has reported a cyber incident in which "a significant quantity" of party members' data was "rendered inaccessible on their systems." The party blamed a third party, which it didn't name, but all signs point to ransomware. Curiously, those who aren't members (or haven't been members for years) were still notified of the breach because "affiliated supporters" may have been included, too. Some have asked why that data was retained for so long.
~ ~


Ukraine discloses identity of Gamaredon members, links it to Russia’s FSB
The Record: Ukraine's security service just doxxed the Gamaredon hacking group as a Crimea-based branch of the Russian FSB. According to the Ukrainian SSU, the five members are behind over 5,000 cyberattacks since 2014, including cyberattacks against Ukraine's government agencies. Cisco's Talos team previously said the group is quite "noisy" for an APT actor and "lacks the fluency and eloquent techniques we see in some of the most advanced operations." It's no surprise then that the SSU intercepted and then published the hackers complaining about their pay, among other things.
AJ Vicens tweet: "This Ukrainian government video outing FSB hackers attacking Ukrainian targets is wild, but also very human. Here the Russian hackers are complaining to each other about pay."
Facebook shuts its facial recognition system — with a catch
New York Times ($): Facebook will shut down its facial recognition system and delete the scanned face data of more than a billion users, citing societal concerns. Which is a nice way of saying, "we've sucked every bit of use out of it and now want some good headlines." But Meta, the company that Mark Zuckerberg rolled Facebook into as part of a massive but largely unsuccessful effort to detoxify the social conglomerate's image, won't be held to the same promise. As @swodinsky notes, Meta said it reserves the right to deploy facial recognition on future products in its so-called metaverse. Facial recognition has already cost Facebook over $650 million so far in fines for violating Illinois' biometric law.

U.S. offers $10 million bounty in hunt for DarkSide ransomware group
SecurityWeek: The U.S. State Department has put a bounty on the cyber-heads of the DarkSide ransomware group, accused of the Colonial Pipeline hack that resulted in panic buying and fuel shortages earlier this year. State is offering the bounty for information leading to the identification or location of the group. It's an interesting approach to take, and potentially inviting DarkSide insiders or affiliates to drop their colleagues in hot water.
~ ~


There's not much in the happy corner this week. But if you ever needed proof that kids are alright, @semibogan has you covered. Turns out kids are easily bypassing child monitoring software, much to the annoyance of their parents. Problem solving skills, check.
Fenrir tweet: "My guilty pleasure is reading parents' reviews of parental child monitoring apps." And then a photo of a review by a parent who's angry because their kid bypassed the child monitoring software.
Got some good news from the week? Get in touch:
~ ~


This week's cyber cat is Rubble, who as you can see here is trying (badly) to sneak into his human's work bag. Bring your hacker cat to work day is next week, Rubble. A big thanks to his human @terpkristin for the submission!
Please keep sending in your cyber cats (and your other fluffy non-feline friends). You can send them in with their name and photo by email here.
~ ~


That's all for this week. Cheers for reading. The suggestion box is always open for feedback, or feel free to reach out at Have a great week, and see you next Sunday.