~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 28

~ ~


Hooking Candiru: Another mercenary spyware vendor comes into focus
Citizen Lab: Two words that hit any spyware maker where it hurts: Citizen Lab, which is back with a new report on Candiru, an Israeli spyware maker that sells to governments. Candiru, which was featured in a 2019 profile by Forbes, is under the spotlight again after Citizen Lab researchers found over 750 websites linked to Candiru's spyware infrastructure, which was used to target Amnesty International, the Black Lives Matter movement, media companies, and others. Their work with Microsoft found two zero-days used by Candiru, which are now fixed. Google also fixed a Chrome zero-day that was actively exploited by the spyware maker. The whole report on this Candiru campaign is worth the read. The Guardian has an explainer, as does @jsrailton.
More: The Guardian | Motherboard | Google Threat Analysis Group

Justice Department sought reporter records from security firm Proofpoint
Zero Day: Here's an interesting one from @kimzetter. Trump's Justice Department tried (and succeeded in some cases) to obtain reporters' email and phone records as part of a classified leak investigation. In a recent effort to grab records from Washington Post reporters, the DOJ sought records from email security firm Proofpoint, which provides email protection services that filter out malware and phishing. The DOJ went to Proofpoint thinking it was an easier target, given that the order would likely be challenged if served on Google or Microsoft, which many newsrooms use for their email. Proofpoint, which doesn't have a transparency report or a published policy on how it handles these government requests, confirmed that it basically gave the government the Washington Post's phone number to badger them about it instead. This case illustrates why companies in the middle — like Proofpoint — still need to do better at explaining their policies before efforts to grab reporters' information like this one.
More: Washington Post | @kimzetter tweets | @granick
Tweet from Kim Zetter with Proofpoint's response, which was effectively "go ask the Washington Post."
Inside the industry that unmasks people at scale
Motherboard: Mobile advertising identifiers — such as Apple's IDFA or Google's MAID — are supposed to be anonymous. These identifiers are collected by apps on your phone and can be used to track your app activity, such as your location and other personal information. But the illusion that these identifiers are anonymous was shattered this week after @josephfcox (who has a good tweet thread about his story) found a company that links these anonymous IDs to real people. Make no mistake, this is huge and undermines the foundational claim of mobile advertising that this collected data is anonymous. It just isn't.
More: @josephfcox tweets | @wolfiechristl

Pentagon tried to take down TrickBot, but it's regrouping
Daily Beast: Remember a few months ago when both Microsoft and Cyber Command tried to take down TrickBot, the notorious botnet responsible for stealing banking details from millions of victims? Guess who's back! (Not that it really ever went away.) Microsoft has been working with ISPs to go door-to-door across Latin America to replace routers compromised by the malware. But according to new intelligence, the group is updating its malware — and its capabilities — and gearing up for its next move.
More: @shanvav | Bleeping Computer

Facebook fired 50+ engineers in 1.5 years for abusing access to user data
Business Insider: Facebook fired dozens of engineers over a 1.5-year period for misusing their access to obtain or view private user data. In one case, an unnamed engineer tapped into the profile data of a woman they were on vacation with and was "able to figure out her location at a different hotel." Another example given was an engineer who had access to "years of private conversations with friends over Facebook Messenger" and more, and stalked their real-time location. The revelations come from a new book called "An Ugly Truth," written by the incredible @sheeraf and @ceciliakang. Although aware of the problem, Facebook CEO Mark Zuckerberg was against limiting the amount of data the company collected on users in order to limit the abuse, per the book.
More: The Telegraph ($) | @evacide | @doctorow tweets

Jen Easterly confirmed as CISA director
Rob Joyce: Well, that took longer than was necessary. Jen Easterly was finally confirmed as CISA director in a voice vote on the Senate floor on Monday, as expected, after her nomination was held up for weeks by the Republicans. Easterly was Biden's nominee to run CISA, Homeland Security's cyber and advisory agency. Also, Chris Inglis was sworn in as the national cyber director, a new position to oversee all federal cyber strategies, on Monday. Wired ($) has a good explainer on who's running the cyber show (all five of them). Cyber team, assemble!
More: Washington Post ($) | @samsabin923
Eric Geller, with an equally hilarious and terrible tweet: "our cyber is now being nationally directed"
Inside Big Tech’s angry, geeky, often petty war for your privacy
Protocol: @issielapowsky wasn't kidding: this is by far one of her geekiest stories, but it's an incredible, deep-dive read on the W3C, the global web standards body that's trying to improve privacy on the web, and the infighting that has ground the organization to a slow crawl. It's an interesting read, no doubt, but dense — and fascinating. I'd recommend some background reading first by @swodinksy, particularly for the skeptics of Google's Privacy Sandbox.
More: The Register | Gizmodo
~ ~

Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Microsoft discovers critical SolarWinds zero-day under active attack
Ars Technica: Microsoft has discovered exploits targeting SolarWinds' Serv-U product line, used for file transfers, which SolarWinds is scrambling to fix. A hotfix was issued while the company tries to fully mitigate the issue. Disabling SSH also prevents exploitation. It comes less than a year after SolarWinds was targeted in a supply chain attack that was part of a Russian-led espionage effort. @likethecoins explains the mitigations.

Botswanan journalist says police used Cellebrite to hack her phone
Daily Beast: Another from @shanvav this week on a concerning story from Botswana, where police used a Cellebrite device to hack into the phone of a journalist in an attempt to identify her newspaper's sources. Police didn't get the information they were looking for. But this is a perfect example of just how this kind of technology can be used by oppressive regimes to target reporters, and that has a major chilling effect on sources coming forward to reveal wrongdoing when it happens. The journalist in this story is just one of many reporters — both in and out of Botswana — whose phones have been hacked with Cellebrite devices, according to the report. Cellebrite is currently gearing up for an IPO.

U.S. government launches plans to cut cybercriminals off from cryptocurrency
Cyberscoop: The White House announced several actions launched by a new interagency taskforce on ransomware, including efforts to cut off groups like REvil (blamed for the Kaseya attack) from virtual and cryptocurrencies. Another one of those actions is to set up a $10 million bounty for any information that may lead to the identification of state-sponsored hackers targeting critical infrastructure, such as those who deploy ransomware. The State Department even set up a SecureDrop — a Tor-based tip box often used by news outlets — to solicit sources for information. But there's just one, tiny flaw with the logic on that multi-million dollar bounty: many ransomware groups aren't necessarily linked to a government.

WhatsApp has a secure fix for one of its biggest drawbacks
Wired ($): Finally. A WhatsApp beta launched this week no longer needs to route all your WhatsApp messages from your various devices through your phone, a major drawback of its design since its inception. WhatsApp finally figured out a fix — but with a catch: now you'll be able to use WhatsApp on your phone and up to four other devices at once, but those other four need to be "non-phone" devices.
~ ~


How to quickly and easily proxy Edge or Chrome through Burp
I don't know who needs to know this but you can easily proxy Edge (and other apps) using this Windows command line. You can do this with Chrome on Macs, too, using a shortcut. Great for when you're faffing around with Burp but can't be bothered to configure your browser each time.
A tweet explaining how to set up a proxy server shortcut for MITM'ing Chrome or Edge through Burp.
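As an added example that is not from the newsletter or the tweet it points to: a small POSIX shell helper that launches a Chromium-based browser (Chrome or Edge) with an isolated profile pointed at a local Burp listener, so you never have to touch your day-to-day browser settings. It assumes Burp's default listener address 127.0.0.1:8080 and that Burp's CA certificate has been imported into that throwaway profile for HTTPS interception; the --proxy-server and --user-data-dir switches are standard Chromium command-line flags, and the same flags work on msedge.exe or chrome.exe from a Windows command line.

```shell
#!/bin/sh
# Added example (not the newsletter's own): run a Chromium-based browser
# through a local Burp listener using a throwaway profile.
# Assumptions: Burp listens on 127.0.0.1:8080 (its default) and Burp's CA has
# been imported into the throwaway profile, not into the normal browser profile.

# Check a proxy spec has the form host:port with a sane port, so a typo does
# not silently send traffic to the wrong place (or nowhere at all).
valid_proxy() {
  case "$1" in
    *:*) ;;
    *) return 1 ;;
  esac
  host="${1%:*}"
  port="${1##*:}"
  [ -n "$host" ] || return 1
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the flags appended to the browser binary. A separate --user-data-dir
# keeps the intercepted session (and the imported Burp CA) out of the normal
# profile, so the everyday browser never trusts the interception CA.
proxy_flags() {
  valid_proxy "$1" || return 1
  printf '%s %s\n' "--proxy-server=$1" "--user-data-dir=$2"
}

# Locate a Chromium-based browser on macOS or Linux. On Windows, point the same
# flags at msedge.exe or chrome.exe instead.
browser_binary() {
  for candidate in \
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" \
    "/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge" \
    "$(command -v google-chrome 2>/dev/null)" \
    "$(command -v chromium 2>/dev/null)" \
    "$(command -v microsoft-edge 2>/dev/null)"; do
    if [ -n "$candidate" ] && [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Usage: burp_browser [host:port] [profile-dir]
# Validates the proxy spec, creates the throwaway profile and starts the browser.
burp_browser() {
  proxy="${1:-127.0.0.1:8080}"
  profile="${2:-$HOME/.burp-browser-profile}"
  valid_proxy "$proxy" || { echo "bad proxy spec: $proxy" >&2; return 1; }
  bin=$(browser_binary) || { echo "no Chromium-based browser found" >&2; return 1; }
  mkdir -p "$profile"
  "$bin" "--proxy-server=$proxy" "--user-data-dir=$profile" about:blank &
}
```

Keeping the interception CA confined to the throwaway profile is the point of the separate user-data directory: the profile you use for email and banking should never trust a proxy's root certificate.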
That 'Freedom Phone' that far-right leaders are hawking is a security nightmare
Impressive reporting from @mikaelthalen who found that a new Freedom Phone, touted by prominent conservatives as a secure anti-censorship device, is actually a cheap Chinese smartphone that has a number of known security vulnerabilities by way of its MediaTek processor. The Freedom Phone's privacy policy is also a mess, and allows broad access to data collected by the phone for marketing and advertising.

iPhone Wi-Fi network name bug is actually an RCE zero-day
Remember that Wi-Fi network name bug that can briefly disable an iPhone's networking functionality, forcing users to reset their wireless and network settings? Turns out it was actually a lot worse: it could be exploited for remote code execution.

GSA blocks senator from reviewing documents used to approve Zoom for government use
Months after the GSA approved Zoom's FedRAMP authorization to allow the app to be used in government, a major security bug was found, forcing Apple to intervene. That's why Sen. Ron Wyden wants to know how and why GSA approved Zoom for use across federal agencies, and whether it found the vulnerability before its approval. So, Wyden asked for Zoom's "security package," which Zoom objected to, and GSA ultimately denied. Wyden said this decision to block him from knowing more about Zoom's FedRAMP review "calls into question the security of the other software products that GSA has approved for federal use." (Disclosure: I wrote this story.)

Professor says being impersonated by Iranian hackers was stressful but good for networking
A seriously underrated headline: A professor who was impersonated by Iranian hackers in phishing emails trying to steal passwords from their victims said it was "stressful" but seemed to find the bright side in the whole thing, simply by learning about the attack from "a lot of interesting people." The hackers, known as APT35 (or Charming Kitten/Phosphorus), use fake web pages and phishing emails to target their victims, often academics or think tank analysts, to steal information.
~ ~


And scene. Here's the happy corner.

For those who ever worry that some work isn't really "work," here's a friendly reminder that it is. It absolutely is. It's also worth mentioning that this is not unique to setting up a VM!
Runa Sandvik tweet: "I don’t know who needs to hear this, but setting up a VM, locating the right OS version, figuring out why things don’t work quite right is still productive, still progress, still work."
Major congrats to Dr. Michael Specter, who successfully defended his PhD. If you recall, Dr. Specter is one of several MIT researchers who carried out a detailed security analysis of Voatz, a blockchain-based internet voting app used in West Virginia and other states. This paper found many security vulnerabilities that could seriously compromise the integrity of an election.

Meanwhile, @mattjay posed a simple question this week that got both red teamers and network defenders sharing opinions: "You find a Raspberry Pi plugged into a network switch at work. What do you do?" Some really interesting responses in the comments and quote tweets. Well worth the time to read.

And, amid a rather lively debate on Twitter about the use of the term "cyberweapons," I think we found a winner.
Coleman Kane tweet: "It's only cyberweapons if it is produced in the Weaponne region of France, otherwise it's just a sparkling offensive toolkit."
If you want to nominate some good news from the week, feel free to reach out.
~ ~


A rare two-for-one cyber cat and friend special. Meet Fatcat and Eddie (you can guess which is which), who are taking a nap break from their online cybercrime-fighting ventures. A very big thanks to their human Ben F. for the submission!
Eddie (dog) and Fatcat (cat)
Keep sending in your cyber cats (or their friends). Drop a photo with their name here. And of course you can submit more than one — or again!
~ ~


Phew, what a busy week! Hope you enjoyed this week's newsletter. As always, feel free to drop any feedback in the suggestion box, or feel free to contact me at I hope you have a great week, see you next Sunday.