~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 38

~ ~


Company that routes billions of text messages quietly says it was hacked
Motherboard: Without doubt the most far-reaching security news of the week, and easy to have missed since it broke during Facebook's epic outage. In late September, Syniverse, which handles billions of text messages and call records, disclosed that it had been hacked — and the hackers had been inside its systems for years. The disclosure came in the form of an SEC filing. Syniverse is a critical part of the telecoms network since it acts as a hub through which major telcos, like Verizon, AT&T, and dozens more, exchange billing information with each other. One insider says it carries highly sensitive data like text message contents, usage records, and more. Washington is already alarmed by the news, but the company itself is not being very forthcoming with details. This will be one to watch.
More: U.S. Securities and Exchange Commission | @lorenzofb tweets

Twitch confirms massive data breach
BBC News: Streaming giant Twitch saw tens of gigabytes of files — including source code and creator payout figures — leaked online this week. The news was first broken by Video Games Chronicle. Twitch said a misconfigured server allowed the leaker in and let them take enormous caches of internal data. As high profile as the breach is, no user passwords or card numbers were exposed. The leak of creator payouts, though, has drawn greater attention to pay transparency among Twitch users. Per Wired ($), only three of the top 100 streamers by payouts are women.
More: ZDNet | The Record | Wired ($)

Dubai ruler used Pegasus spyware to hack princess’s phone, says U.K. court
Washington Post ($): A British court has found that Dubai's (and UAE's) ruler, Sheikh Mohammed bin Rashid al-Maktoum, used NSO Group's Pegasus spyware to surveil the phone of his ex-wife Princess Haya and her legal team. It's the first legal ruling since the Pegasus Papers, which detailed a leaked list of 50,000 numbers said to be under Pegasus' surveillance. NSO, which develops the phone spyware, reportedly dropped its contract with the UAE — a major Pegasus user in the region — for abusing the system, per Reuters ($) — but only after Citizen Lab researcher @billmarczak notified Haya of the hacks. Interesting reminder from this story: restarting your phone wipes Pegasus from its memory (though only patches can stop reinfection).
More: Reuters ($) | ZDNet

Hackers of SolarWinds stole data on U.S. sanctions policy, intelligence probes
Reuters ($): The hackers who exploited flaws in Microsoft and SolarWinds technology to target U.S. federal agencies as part of a Russian espionage campaign sought out information about counterintelligence investigations, policies on Russia sanctions, and information about the U.S. response to COVID-19. The mass hacking effort is believed to be a spying campaign, and not a destructive one, and it's the first time that we've learned in more detail the hackers' objectives. It comes as the U.S. government continues to beef up its cyber policies in the wake of the ransomware wave that appeared to peak earlier this year. Dark Reading has a good interview with FireEye's Kevin Mandia, who said he alerted NSA to the SolarWinds breach just before Thanksgiving 2020 (weeks before the breach was publicly disclosed) fearing national security concerns. Turns out he was right.
More: Cyberscoop | The Register | Dark Reading

Google to give security keys to ‘high risk’ users targeted by government hackers
TechCrunch: Google said it will give out security keys to 10,000 "high-risk" users (which is helpful since they're currently out of stock in Google's store). The news landed days after Google's Threat Analysis Group sent out some 14,000 notifications to Gmail users that they had been targeted by state-backed hackers, specifically APT28 (or Fancy Bear). According to TAG's @shanehuntley, the batch was "above average" in size, suggesting an uptick in activity. Security keys make online accounts almost impervious to phishing attempts, making it significantly harder for remote hackers to hijack your email account. Interestingly, TAG sent out personalized security suggestions to targets, such as opening Word documents in Google Docs, or opening PDFs with Chrome. If you were targeted, you might want to check this Google help page for more.
More: Motherboard | @runasand tweets
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


How a student hacked and rickrolled their entire high school district
White Hood Hacker: The kids are alright — no, the kids are freaking awesome. Here's the full story of how student @WhiteHoodHacker 'rickrolled' their entire school district by finding vulnerabilities in the IPTV system used across the district. This entire post is worth the read; it's technical but well explained. Fortunately, the school administrators appreciated the work and remediated the flaws. An excellent result all round.
A student hacker rickrolled their entire school district's AV system.
Windows 11 is now out, what's new in security?
Dark Reading: Windows 11 is now out, and has a ton of security features packed in — though the new system requirements are likely to mean a lot of folk can't immediately upgrade. Windows 11 is supported until 2025, so it's got a fair bit of life in it yet.

Hours-long Facebook outage caused by BGP misconfiguration
Facebook Engineering: I'm throwing this in even though it's only tangentially security related. Facebook had a massive outage this week. (Two, actually.) What was initially seen as a DNS outage turned out to have its root in BGP, the internet protocol that figures out how to get your data across the internet from one network to the other in the fastest way possible. A BGP configuration change accidentally cut Facebook off from the outside world, and from itself, so not only could users not access Facebook, WhatsApp or Instagram (which billions of people rely on every day), but employees were locked out too — in some cases from their own buildings, since employee badges rely on Facebook's network. But the outage did give way for this epic shade:
Josh Taylor tweet: "Was my personal data at risk because of the outage? Answer: No more than when Facebook is up and running."
Google is about to turn on two-factor authentication by default for millions of users
The Verge: Google plans to enable two-factor authentication on more than 150 million accounts by the end of this year, giving the company less than two months to reach that goal. Turns out only 10% of active accounts (as of 2018) were using 2FA, but now the company is doing a little more than just nudging. Some two million YouTube creators will also see 2FA pushed to their accounts.
~ ~


U.S. orders Google to identify anyone who searched keywords prior to assault
Forbes: This is a really important story: U.S. investigators have secretly ordered Google to turn over information about users who searched a particular keyword at a particular time. Similar to a geofence warrant, these so-called "keyword warrants" (here's a good explainer) try to uncover possible criminal suspects by asking Google to search through its databases for clues. This latest warrant asks Google to turn over records on who searched a sexual assault victim's name, address and phone number prior to the incident. The idea is that this might help investigators identify the person searching for that victim's information. But it's an untried First Amendment case waiting to happen, given that Google's vast data stores enable police to "identify people merely based on what they might have been thinking about, for whatever reason, at some point in the past," per @granick.

Ashkan Soltani appointed head of California's new privacy protection agency
Twitter: Congratulations to @ashk4n, who was appointed the executive director of the CPPA, California's new dedicated agency to consumer privacy protection. The agency was founded through Prop. 24, which saw voters push for a state agency to enforce CCPA, California's GDPR-style law enacted two years ago. Soltani is one of the sharpest minds in the privacy and security space, previously serving in the White House and at the Federal Trade Commission. He also worked on the Washington Post's coverage of the Snowden leaks, which saw him recognized as part of the 2014 Pulitzer Prize winning team. Techdirt editor @mmasnick had this to say on the announcement, which landed on the same day as Facebook's outage:
Mike Masnick tweet: "If you thought Facebook was having a bad day before..."
Yubico releases a new fingerprint-reading YubiKey
Yubico: There's a new security key in town. Yubico announced this week the YubiKey Bio, which comes with a fingerprint reader, allowing users to sign into their accounts without a password. They come in two form factors: USB-A ($80) and USB-C ($85).
~ ~


OK, onto the fun stuff. First up, @alfredwkng spotted an 0-day in the wild.
Alfred Ng tweet: "suddenly very worried that the restaurant i'm at has been hacked". The receipt in the photo has a typo that says "Have 0 day."
And, I can't resist putting this one in. @_ckosmic brought Super Mario 64 to iOS. (If there's no newsletter next week, I'm probably still stuck in Whomp's Fortress.) The project is here, and building the iOS file looks like a weekend project. Now, if only someone could bring N64's GoldenEye to my iPhone...
Got some good news from the week? Get in touch:
~ ~


This week's cyber cat is Leo. His human tells me that Leo is blind, but that doesn't stop him from judging your inadequate access controls. He can sense a backdoor from a mile away. Thanks so much Alex G. for the submission! (He definitely deserves extra treats.)
Keep sending in your cyber cats (and your other fluffy non-feline friends). You can send them in with their name and photo by email here.
~ ~


And that's it for now. Thanks for reading! As always, the suggestion box is open, or reach out directly at Take care, and see you next week.