~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 23

~ ~


Justice Department seized $2.3 million in cryptocurrency paid to Darkside
Justice Department: The FBI managed to recoup $2.3 million in bitcoin that Colonial Pipeline paid in ransom to get back online after its recent ransomware attack. That's 63 of the 75 bitcoin paid, after some depreciation in the market. The feds are believed to have obtained the private key for the wallet Darkside used to store the bitcoin. Decrypt has the likely answer: the wallet's private key was probably stored on a cloud server run by Digital Ocean. Follow the money, see where it lands, and grab it while it's in U.S. jurisdiction — at least that's the going theory. But this successful attempt to get the money back may be the carrot/stick that gets victims to at least report ransomware incidents, even if the government can't help every time.
More: New York Times ($) | Wall Street Journal ($) | Motherboard | @ericgeller tweets

The hard truth about ransomware
Double Pulsar: Probably one of the best reads on ransomware in the past year, by @GossiTheDog, who has spent years following ransomware. His conclusion is that this is the new normal because we're not prepared (and haven't been for years), there are few rules of engagement, and the worst is likely yet to come. This 5,000-worder explains what we need to do next, and what happens if we don't. It's clear that there's pressure on these groups: Bleeping Computer reported this week that the Avaddon ransomware is shutting down and has released its decryption keys. Also don't miss @kimzetter's fascinating interview with Bill Siegel, CEO of Coveware, which negotiates ransomware payments for victims.
More: @brianhonan | Zero Day

How the FBI secretly ran a phone network for criminals
Motherboard: This is a wild read. Newly released court records show how the FBI secretly ran Anom, the encrypted app used almost exclusively by criminals, to collect more than 20 million messages from close to 12,000 devices. The operation, dubbed Trojan Shield, allowed Australia's federal police to monitor the network's communications by quietly attaching a master key to each communication, allowing police to intercept and decipher the messages. Europol officially announced the news of more than 800 criminals arrested. This was a win for police, but @granick rang the civil liberties alarm bell, since it almost looks like the FBI was trying to avoid U.S. law.
More: New York Times ($) | BBC News | @theage | @granick tweets
Good tweet thread from ACLU's Jennifer Granick on the FBI-Anom operation.
Hacker known as Max is a 55-year-old woman, prosecutors say
Bloomberg: Alla Witte, a 55-year-old Latvian woman, has been detained in Miami after her arrest on federal charges alleging that she is one of the seven members of the notorious TrickBot botnet gang, which prosecutors say has infected tens of millions of computers and stolen hundreds of millions of dollars. It'll be interesting to see how this case shakes out, since Witte will almost certainly have a ton of knowledge about how TrickBot survived an attempted takedown by Microsoft and Cyber Command earlier this year.
More: ZDNet

How hackers used Slack to steal a ton of data from EA Games
Motherboard: Bad news for EA, after it had to admit that source code for FIFA 21 and the Frostbite engine was taken from its servers by hackers who broke in and also stole other code and internal tools. User data wasn't believed to have been taken. The stolen source code was put up for sale on a hacking forum. Turns out the hackers bought a stolen cookie for $10, which got them into a Slack channel as if they were an employee, and then tricked the company's IT support into handing over an MFA token after claiming they "lost our phone at a party last night."
More: Motherboard | BBC News | @josephfcox
~ ~

Thanks to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!), to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo
~ ~


Hackers can mess with HTTPS connections by sending data to your email server
Ars Technica: A vulnerability called ALPACA (or Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication, if we're going to be fancy) is an application layer protocol content confusion attack, which under very specific conditions allows attackers to redirect traffic from one subdomain to another, resulting in a valid encrypted TLS connection (which shouldn't be possible). Around 114,000 servers are exploitable because they use software known to be vulnerable to this attack. It's an interesting read, but as the authors note, you probably don't have to drop everything and fix this right now.
A diagram explaining how the Alpaca attack on TLS connections works.
Onewheel sent thousands of customers' private data to a random customer
Motherboard: Onewheel, the makers of that omni-wheel skateboard-kinda thing (I honestly don't know how else to describe it) mistakenly shared a spreadsheet with a random customer containing thousands of other customers' private data, including their full names, email addresses, and home addresses. Whoops.

Protonmail gets a long-overdue facelift
TechCrunch: Protonmail has a new user interface and some much-needed new features. The encrypted email company now has over 50 million users and got a much needed lick of paint, including filters and keyboard shortcuts.
Protonmail's new user interface, and it also comes with new features.
Europe’s AI rules open door to mass use of facial recognition, critics warn
Politico Europe: A coalition of digital rights and consumer protection groups from across the globe is calling for an international ban on biometric recognition technologies by both governments and companies. The letter has 170 signatories, arguing that this surveillance "goes against human rights and civil liberties." It comes as the EU is putting forward an AI bill, which restricts the practice but doesn't outright ban it.
~ ~


CISA launches platform to allow hackers to report flaws in federal tech
CISA has launched a vulnerability disclosure program to allow participating federal agencies to receive, triage and fix security flaws reported by the wider security community. The VDP comes about a year after CISA issued a directive mandating that civilian federal agencies set up VDP policies for reporting cybersecurity flaws.

Apple's new private browsing feature won't be available in China, others
Apple has a new private browsing feature bundled with iCloud+, which is basically Oblivious DNS-over-HTTPS: it decouples DNS queries from the internet user, making it far more difficult to track which websites a user is visiting. But some countries, like China and Saudi Arabia, won't get the feature, given their hostile laws. A ton of new security and privacy features were also announced at Apple's WWDC this week.
A diagram explaining how iCloud's private relay works
Ring won't say how many users had video footage obtained by police
It's a simple number that most other tech companies publish in their biannual transparency reports, but Ring — like its owner Amazon — won't break out how many users have had their doorbell video footage obtained by police. When asked repeatedly, Ring refused to disclose that figure, in what I call "transparency through obscurity." (Disclosure: I wrote this story.) It comes as Ring's partnerships with police and fire departments continue to grow, despite concerns from civil liberties groups. CNBC this week did a deep-dive on how companies have responded to police use of facial recognition. While many tech companies are putting the brakes on their facial recognition tech, Congress still hasn't passed any laws or regulations governing its use. We're once again at the mercy of Big Tech and their moratoria, which can end at any time.

Apple and Google refuse to say whether Citizen bounty hunt violated policies
Speaking of being at the mercy of Big Tech — guess what Apple and Google have done in response to Citizen, an app on both of their app stores, whose CEO put a bounty on the head of an entirely innocent person thought to have started a wildfire in California? Absolutely nothing. Neither Apple nor Google would say whether Citizen violated their policies, a breach of which can get apps banned from the app store.
~ ~


After that week, time to cool down with some good news from the happy corner.

Five years ago, @johnlatwc tweeted a line of code that can block remote use of PSEXEC. Last week, that same tweet was used to stop an ongoing ransomware attack. Incredible. "File under: this tweet flapped its butterfly wings and 5 years later it stopped a ransomware attack," he said.
How one line of code in a tweet five years ago helped stop a ransomware attack today.
Getting a lot of spam calls recently? Here's your new voicemail greeting.

And, this Pi-Hole has the most wonderful and authentic casing: a real Spam can.
A Raspberry Pi board running Pi-Hole in a traditional Spam meat can.
And finally. This might be my favorite Easter egg of all time! You can see for yourself.
The pretend code on the laptop screen in the stock photo is user-editable.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Click, who is doing everything possible to not just walk all over their human's keyboard. The struggle is real. Big thanks to @bustedsec for the submission!
Send in your cyber cats (and their friends)! Drop a photo, their name, and email it here
~ ~


That's it from this very busy week. If you have any feedback, feel free to drop it in the suggestion box. Thanks again for reading and subscribing. Hope you have a great one — see you next week.