~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 34

~ ~


Encrypted app Signal just hired one of Big Tech's sharpest critics
Washington Post ($): Former Google manager Meredith Whittaker (no relation) is Signal's first president. The appointment comes after Moxie Marlinspike, co-founder of the end-to-end encrypted messaging app, stepped down earlier this year. According to the Post's profile, the two first met in the open-source community exploring privacy tech. Whittaker's appointment comes at a critical time for Signal, which needs money to survive for the long term. It costs millions of dollars per year to develop and maintain Signal. "The only way to escape technology that makes money off your data is by paying for products that don’t," Whittaker remarked. Prior to Signal, she was known as a vocal critic of Silicon Valley and for her research into the social implications of artificial intelligence, and was tapped by the FTC as a senior adviser on AI.
More: @mer__edith | @drewharwell | @signalapp

L.A. school district hit by ransomware
NBC Los Angeles: The Los Angeles Unified School District, or LAUSD, is the second largest school district in the U.S., and this week it was hit by ransomware just as its 6,000 students were preparing to go back after the long Labor Day holiday. Students returned but IT systems were down and a mass password reset was initiated — though students struggled to access basic learning tools. Vice Society, a Russian-language extortion group, claimed responsibility for the attack, two days after CISA put out an alert warning that the group primarily targets the education sector. The FBI and DHS have joined LAUSD's investigation, per the Los Angeles Times ($). It's not known what data, if any, was taken, but employee payroll and healthcare are not impacted. This is an incident that will likely spill into the coming week, if not longer, as remediation continues.
More: Associated Press | CISA | @jeremy_kirk

Holiday Inn hotels hit by cyberattack
BBC News: The international hotel giant behind Holiday Inn, Crowne Plaza and Regent hotels has confirmed a cyberattack, but little else. Intercontinental Hotels Group, or IHG, issued a statement via the London Stock Exchange saying its systems "have been subject to unauthorised activity." Vague; how helpful. IHG has more than 6,000 hotels in more than 100 countries, and has 150 million guests each year — so these aren't small numbers. Customers were left without answers while Holiday Inn's social media was posting on autopilot. IHG said it was "working to fully restore all systems," with customers reporting that its booking systems were inaccessible. IHG declined to say what the cyberattack was, but it is reportedly ransomware. It's not the first time IHG has been hacked; it confirmed a months-long cyberattack in 2016 that allowed hackers to steal credit card data, a breach the company settled for $1.55 million.
More: London Stock Exchange | TechCrunch | The Register
Kim Sweat tweet: "What is going on with your system? For at least 19hrs. Phones and apps not working - afraid to book anything. No customer service at all"
Patreon lays off security team
Cyberscoop: Patreon, the site that lets content creators offer monthly payment subscriptions (like this newsletter!), has laid off its "entire" security team, according to a former Patreon security engineer, who posted to LinkedIn (via @wbm312) saying that she "and the rest" of the security team were let go. I've also heard from others who told me that this is accurate, despite a claim presented without evidence by Patreon's U.S. policy head, who declined to share the number of employees on the security team prior to the layoffs. Patreon intimated that the roles would be outsourced, but the move still resulted in considerable backlash from the creator community, especially given Patreon had a breach back in 2015. (It's also something that I'm putting some thought into, including alternatives to Patreon, given this week's news.)
More: TechCrunch | @wbm312
~ ~
Thanks for reading the newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here (but totally understand if you'd want to pass). There's always the option to donate one-time via PayPal or Venmo. Thanks for your support!
~ ~


IRS mistakenly made public data for about 120,000 taxpayers
NPR: Confidential data from some Form 990-Ts, a business tax return used by tax-exempt organizations, was accessible from the IRS website's search engine for about a year before it was spotted by an employee (of the month, or at least they should be). The IRS is obliged to notify Congress of the data lapse. Turns out data security is difficult, even when you're a federal agency. The Wall Street Journal ($) first reported the lapse.

Parsing Samsung’s data breach notice
TechCrunch: Last Friday, just hours before the long holiday weekend began, Samsung dropped scant details of a data breach of customer data over a month earlier. The timing wasn't a coincidence — just very bad PR — but the notice itself was incredibly barebones. I spent the weekend parsing the data breach notice and annotating it with analysis to see what Samsung didn't say. Turns out the breach of data may be a lot more sensitive than it let on, especially if demographic data — i.e. information used for targeted advertising — was compromised. (Disclosure: I wrote this!)
Zack Whittaker tweet: "What we know: Names, DOBs stolen in a July data breach, product registration & demographic data stolen, Demographic data includes precise location data. What we don't know: How many users affected, or why Samsung took a month to disclose?"
Greece wiretap and spyware claims circle around PM Mitsotakis
BBC News: BBC has the latest in the ongoing scandal involving the Greek government and its use of the Cytrox-developed Predator spyware to spy on the phones of journalists and opposition politicians, a scandal that threatens to engulf the country's current administration. The scandal has been likened to Greece's Watergate, and for good reason — it's already resulted in the resignation of the country's top spy chief and one of the prime minister's top aides, with allegations that go to the very top of the government. The European Parliament is investigating.
~ ~


Albania cuts ties with Iran: Tirana no longer has diplomatic ties with Tehran after expelling its embassy over a major cyberattack some two months ago that the southeastern European country blames on Iran, per the Associated Press. Albania's government websites were downed by the attack. Iran denied any involvement, despite Microsoft, Mandiant, the White House and the U.K.'s Foreign Office all pointing their collective fingers at Iran. The cyberattack is likely linked to Albania's sheltering of 3,000 Iranian dissidents. Albania is a NATO member, but Article 5 — an attack on one is an attack on all — has not been invoked. The only time it was invoked was following the 9/11 attacks in 2001. But the White House did say it vowed unspecified retaliation for the hack-and-leak operation regardless.

Darktrace plummets after takeover shelved: U.K. cybersecurity company Darktrace crashed 30% in value after the U.S. private equity firm Thoma Bravo, known for snapping up cybersecurity companies, dropped its takeover bid for the company. Details of the collapse of the talks are not known, but the news comes after a string of controversies involving its co-founder Mike Lynch, who is fighting extradition to the U.S. over fraud charges, and well-documented concerns over Darktrace's toxic workplace culture.

Hackers with ties to Conti targeting Ukraine: A new Google report out this week shows financially motivated hackers with ties to the Russian-backed Conti ransomware group are reusing their tools to target hotels, NGOs and other targets in Ukraine. Ars Technica has more on the group, known as UAC-0098.
~ ~


That's the news, now onto the good stuff.

From a couple of weeks ago, the latest in our running series of "what can Doom run on," you can now run Doom on the Flipper Zero, a device that acts like a hacker's toolkit. If you have a Flipper Zero, you can check out the Doom code on GitHub.
A short animated GIF showing Doom running on the small orange display of the Flipper Zero hacking device.
As if that wasn't exciting enough, there's now a Quake clone for Apple Watch.

Via the EFF, Slack is now giving free workspace admins the ability to automatically delete all messages older than 90 days as part of a new data retention policy. This is particularly welcome for at-risk free users, like activists and unions, who use Slack for organizing activities. Here are the details from Slack.

And finally. Congratulations to the 14-year-old kid in Tasmania who cracked a codebreaking challenge set by one of Australia's intelligence agencies in "just over an hour." The Australian Signals Directorate minted a commemorative 50-cent coin with four layers of encryption that were progressively harder to solve. You know, except for a teenage wonderkid. "We're hoping to meet him soon... to recruit him," said ASD's chief. No kidding!
An Australian 50 cent piece minted by the Australian intelligence agency, with encrypted ciphertext around the coin.
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat is Pesya. According to her human, Pesya keeps a watchful eye on the cyber-command activity. If you're slacking at work, this picture of the sentinel Pesya is sure to whip you back into focus. Many thanks to her human, Shira K., for the submission!
Keep sending in your cyber cats or their friends! Email here with their name and photo, and they'll be featured in an upcoming newsletter.
~ ~


And we're clear. Thanks for reading! As always, the suggestion box is open for any feedback, or feel free to drop me an email to get in touch.

See you again next Sunday, have a peaceful rest of your weekend.