~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 46
This week's newsletter is shorter than usual because of the Thanksgiving holiday in the United States. We'll be back to our usual full steam next week when there's more news to share.
~ ~


This Bluetooth attack can steal a Tesla Model X in minutes
Wired ($): Security researcher Lennert Wouters found a bug in the Bluetooth keyless fobs used to unlock Tesla Model X cars that could be exploited to hijack the car and drive away. The attack involves grabbing a Tesla's identification number (visible from the car's dashboard by looking through the window) and using $300 worth of hardware that can extract a radio code from a victim's keyfob to unlock the car door. Another vulnerability let the researcher pair the cloned keyfob to the car, allowing him to drive off after just a minute's work. Tesla is still reportedly rolling out a fix, so Wouters hasn't published the exploit code yet. Wired does a great job (as usual) of breaking down how the bug works.
More: ZDNet | IMEC
Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca
Reuters: North Korean hackers tried to break into the systems of British drugmaker AstraZeneca in the past few weeks, according to sources speaking to Reuters, as the company continues its push to deploy its COVID-19 vaccine. The attackers used LinkedIn and WhatsApp to send spoofed job offers laced with malware. The efforts were not successful. It's the latest attempt by North Korea, which only earlier this month was blamed for trying to steal vaccine research.
More: Microsoft | @jc_stubbs

A bug allowed hackers to get anyone's email address on Xbox Live
Motherboard: Microsoft has now patched a bug that allowed hackers to reveal the email address used to register any Xbox gamertag. Initially the bug wasn't serious enough for Microsoft to fix. But as noted by Motherboard, it was feared that the bug could be used to dox or harass gamers, which has led to fatal "swatting" incidents.
Background: Vice News

U.K. networks breaking new law face big fines
BBC News: A new security law unveiled this week in the U.K. would allow the government to fine telecoms giants up to 10% of their global revenue if they fail to tighten up their security. The bill, if passed, would also ban Chinese telecoms giant Huawei from involvement in the country's 5G network. It's part of a wider effort to improve the country's national security by instructing telecom companies on how they may use "high risk" vendors in their networks. The U.K. is one of several countries that fears Huawei's links to China's military because of the perceived risk that the company could be compelled to spy for the Chinese government.
More: Quartz

Networking giant Belden says hackers accessed data on employees, business partners
Cyberscoop: Belden, which manufactures networking and industrial cables, said an attacker broke in and stole information on current and former employees, as well as its business partners. The company's statement didn't say how many people's information was compromised, but warned it may include bank account information and Social Security numbers. Belden also owns Tripwire, a maker of data integrity software that it bought for $710 million in 2014.
More: Belden
~ ~

Thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


Manchester United silent over cyberattack
BBC Sport: Manchester United, one of the most famous soccer clubs in the world, has confirmed a cyberattack that knocked many of its systems offline. It's believed to be a ransomware attack, but the club has refused to say if it's received a ransom demand of "millions" of British pounds as reported in some of the U.K. press. This will be one to watch, especially if the ransomware exfiltrated data (as many do), given the potential financial penalties (no pun intended) under GDPR.

COVIDSafe data 'incidentally' collected by Australian intelligence agencies
ITNews: The Australian intelligence community's watchdog confirmed that the nation's spy agencies "incidentally" collected data from the country's COVIDSafe contact tracing app, but said the data was not decrypted, accessed or used. This particular app uses Bluetooth for contact tracing, but requires Australians to submit some personal information, like their name and address, so that health authorities can reach out in the event of a positive COVID-19 test. This is precisely what some people were afraid of: governments acquiring COVID-19 app data (even if the information wasn't used).

U.S. Fertility says patient data was stolen in a ransomware attack
TechCrunch: One of the largest networks of fertility clinics in the U.S. has been hit by data-stealing ransomware. The company has refused to say specifically what data was stolen beyond names, addresses and, in some cases, Social Security numbers, but admitted that protected health information may have been taken. The fear is that the ransomware operators may have taken health records and other sensitive medical information. U.S. Fertility has 55 locations across the U.S. (Disclosure: I wrote this story.)
~ ~


Right, onto the fun stuff.

@gabsmashh has a rolling tweet thread of Black Friday and Cyber Monday deals (as in past years). There are a ton of deals in here, from laptops to subscriptions. Go check them out. (Most deals are online because of the pandemic.)

And, enjoy this blast from the past.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This is Tiger, who featured in the early days of the newsletter, and I'm thrilled to welcome Tiger back. A big thanks to Shanni for the submission!
You can send in your cyber cats here. They're featured first come, first served.
~ ~


That's all for this week (a very short one). I'll be back next Sunday with the usual goods. If you have any feedback please drop it in the suggestion box. See you in a week!


~this week in security~ does not track email opens or link clicks.