~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 1


Microsoft says Russians hacked its network, viewing source code
Washington Post ($): Hackers believed to be working for the Russian government broke into Microsoft's network and viewed its proprietary source code, but were unable to modify it. We knew that Microsoft was one of the companies that was using compromised and backdoored SolarWinds software, the original target for the hacks that swept across the federal government. But the company has reiterated that the intrusion hasn't put customers at risk. Microsoft says it uses an "inner source" approach — so it doesn't rely on the secrecy of its source code for security — but the software giant didn't say what kind of code was accessed, only that the intruders used an employee's account. Reuters, which first reported on the breach two weeks earlier (a report Microsoft had frostily rejected), asked some of those outstanding questions. In any case, it suggests that this could have been the prelude to a "much more ambitious offensive."
More: Reuters | @razhael

Police turn to car data to destroy suspects' alibis
NBC News: Car infotainment systems are a goldmine of evidence for police, and have been used to crush alibis and prosecute suspects. Many might think of cars as "cellphones on wheels" with the amount of data they collect. It's not just the usual stuff when you connect your phone to the system — call logs, text messages, emails and the rest of it. Actually the amount is far greater than you'd imagine — think about it, the sensors in your car can figure out how much you weigh. "In a criminal case, the sequence of doors opening and seat belts being inserted could help show that a suspect had an accomplice." This is a fascinating look at the data that infotainment systems have on you, and how police are using this new field of forensics to solve crime.
More: @oliviasolon tweets | @wmb312 | @kashhill

NSO used real people’s location data to pitch its contact-tracing tech, researchers say
TechCrunch: From the debunk department: Remember a few months ago when notorious spyware maker NSO Group was touting its new contact tracing tool, Fleming, by giving governments and media outlets demos using "simulated" location data? Turns out it wasn't simulated data at all, contrary to what NSO had claimed. A few weeks after NSO gave the demos, Fleming's back-end data was left exposed on the internet. So I sent that exposed data off to researchers at @ForensicArchi at Goldsmiths in London, who analyzed the data. By mapping the location points across time and space, they found plausible movements and errors they'd only expect to see in real data. They concluded that NSO had used tens of thousands of unwitting people's location data — which NSO used to drum up business for its contact tracing tech. NSO, as you might expect, denied the allegations. (Disclosure: I wrote this story.)
More: Forensic Architecture | @ForensicArchi | @zackwhittaker

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
ZDNet: More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers have a hardcoded admin-level backdoor which, frankly, is about as bad as it gets for tech that's supposed to — well, control access to the entire network. The backdoored account was discovered by Dutch security firm Eye Control. The risk of hijack is pretty huge, now that the backdoored account has been made public. On the plus side, there are patches available. You'd figure the company would've learned its lesson from its 2016 backdoor incident but, alas, clearly not.
More: Eye Control | @campuscodi

Ticketmaster will pay $10 million for hacking rival ticket seller
The Verge: Who had "Ticketmaster hacking into a rival to spy on their business" on their 2020 bingo card? The ticket selling giant has agreed to pay $10 million after admitting to hiring a former employee from rival seller CrowdSurge and using passwords he knew to log back into old systems and learn more about the rival's business. The charges date back to 2013 but only really emerged this week. Ticketmaster executive Zeeshan Zaidi and the employee in question were fired after their conduct came to light in 2017. The judgment defers prosecution under the CFAA, the very law whose definition of unauthorized access the Supreme Court is examining right now.
More: @KlasfeldReports | Background: Cyberscoop
~ ~

A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to cover the server and email costs. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo
~ ~


The worst hacks of 2020, a surreal pandemic year
Wired ($): 2020 was a garbage year for everyone — except for threat actors, who saw unprecedented opportunities to see their goals through. @lilyhnewman walks us through the worst of the worst breaches, hacks and espionage campaigns — including some you may not have known (or forgotten). You should also read Ars Technica's list, which has a little overlap but also features some impressive vulnerability research.

U.K. arrests suspects tied to WeLeakInfo, a site seized for selling breached data
Cyberscoop: Some 21 people have been arrested across the U.K. for using data bought from WeLeakInfo, a site that sold breached data until it was taken down in an international sting operation almost a year ago. The people arrested, all men, included nine charged with hacking offenses, nine for fraud, and three for both. Some used the purchased data to buy RATs and other trojans. And another 69 were served cease and desist notices, warning them that they're in the government's crosshairs. The @NCA_UK put out on Christmas Day a video of a British police officer very politely making an arrest.
~ ~


The most dangerous people on the internet in 2020
From the Wired ($) staff: meet the most dangerous people on the internet this year. Some of these names you'll know, and others you might never have heard of — and that's all the more why you need to know who's who.

Corellium, the tiny startup driving Apple crazy, leads Forbes Cybersecurity Awards
Corellium this week won Forbes' best cybersecurity product award, in the same week that the company prevailed (in large part) in a legal case brought by Apple. Corellium lets security researchers and developers emulate iPhones and Android devices to test their apps (and hunt for security bugs) instead of having to buy expensive hardware. Apple hates that, and sued the startup earlier this year. The judge ruled that Corellium's technology for creating virtual iPhones was not a copyright infringement, but a DMCA claim remains. Greynoise also gets a mention in Forbes' awards, as do Dragos and @Fox0x01.
~ ~


A quick look at the happy corner. Saying goodbye to 2020 gets an obvious honorary mention. Onwards and upwards, as they say. 

@DAkacki found a shell in the wild.
Also a big congrats to @kimzetter for winning this year's @defcon truth speaker award. Kim (you don't need me to tell you this) is one of the sharpest cyber reporters, who brought us solid election security coverage throughout the year when we needed it most — and, on top of that, her recent coverage of the SolarWinds breach. Absolutely earned and deserved.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Moe, who recently went through some health stuff but is now back to full speed and back to his usual kitten self. Thanks to Moe's human @__runal___ for the submission!
Don't forget to send in your cyber cats to be featured in an upcoming newsletter. Yes, you can now send in your non-feline friends too. Send them in here.
~ ~


That's it for this shorter-than-usual week, thanks to the holiday. Happy New Year! Thanks as always for reading. Feel free to drop any feedback in the suggestion box. See you next Sunday.