~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 13

~ ~


Google's top security teams unilaterally shut down a counterterrorism operation
MIT Technology Review ($): Bombshell of the week. Google shut down a nine-month counterterrorism operation run by an unknown Western government. The government was using 11 zero-day vulnerabilities targeting Chrome and Android, but also iOS and Windows. Google's reasoning was that the vulnerabilities "will eventually be used by others," so it took action and patched them. But the move set alarm bells ringing both inside Google and in the U.S. intelligence community. This was a monster scoop, and one that will likely have ramifications for a while.
More: Google Project Zero | @chronic | @thegrugq

Ransomwared bank tells customers it lost their Social Security numbers
Motherboard: The Accellion breach is getting bigger and costlier. Now it's directly hitting consumers too. Flagstar, a bank in Michigan, told customers that hackers took their SSNs, @lorenzofb reports. The bank did not say how many customers were affected, but pointed the blame at a file transfer service from Accellion, which earlier this year admitted it had been hit by data-stealing ransomware. This week Cyberscoop reported oil giant Shell was also impacted by the Accellion hack.
More: Cyberscoop | @fbajak

FatFace criticized for telling customers to keep data breach 'private'
The Register: Clothing giant FatFace forgot the first rule of data breach notification — don't try to cover it up. In a letter to victims this week, the company told its customers to keep the data breach notice "strictly private and confidential." Obviously that's not how it works. Names, email and postal addresses, and partial card data were taken in the breach, which the company first detected in January. Employees were also affected, with the hacker making off with employee National Insurance numbers (British SSNs) and banking information. FatFace reportedly paid $2 million to the Conti ransomware group to get its files back.
More: TechCrunch | Computer Weekly | @theregister
A screenshot of FatFace's email to customers warning of a data breach, which says to keep the email "strictly private and confidential"
Software vendors must disclose breaches to U.S. government users, per draft order
Reuters: The Biden administration may require software vendors to warn the federal government if they've been hit by a security breach, according to a draft executive order seen by Reuters. It comes after the SolarWinds hack saw hackers (believed to be Russian) break into at least nine federal agencies and over 100 private companies using the ubiquitous SolarWinds software as a foothold. The order seems like an effort to elevate state-level data breach notification requirements to the federal level, in the hope — at least — of preventing a similar government-wide attack.
More: @johnwetzel

Facebook caught Chinese hackers using fake personas to target Uyghurs abroad
TechCrunch: Facebook caught a group of China-based hackers dubbed "Earth Empusa," "Evil Eye" or "Poison Carp" targeting about 500 people on Facebook, including in the U.S., through fake accounts posing as activists and journalists. Once hoodwinked, the hackers would send their targets to compromised websites with malware-laden prayer apps and keyboard downloads, designed to target Uyghur Muslims, an oppressed ethnic group in China's Xinjiang region. (Beijing is accused of forcing over a million Uyghurs into detention camps.) Facebook fell short of attributing the campaign to the Chinese government. But these are the same hackers that were spotted by Google hacking similar Uyghur targets in 2019 using iPhone zero-days.
More: Reuters | BBC News

Privacy protections and accessibility on state COVID-19 vaccine sites are not great
The Markup: The U.S. COVID-19 vaccine rollout has been, quite frankly, a mess. Anyone eligible at this stage faces a shortage of first-dose appointments, and every state and county has a different rollout protocol — and scheduling website. It turns out many aren't so great for privacy. The Markup found that while some sites had no cookies at all, many did — Nevada's, Utah's, and Hawaii's websites had "substantially" more cookies than the average site.
More: @alfredwkng | @juliaangwin

This is what happens when ICE asks Google for your user information
Los Angeles Times ($): @JmBooyah has a deep dive on what happens when ICE demands your private information from Google (en español). "It may seem like a phishing scam or an update to Gmail's terms of service. But it could be the only chance you'll have to stop Google from sharing your personal information with authorities." This is an important read on what to know and how to protect yourself, because Google sure as hell isn't going to help.
More: @JmBooyah tweets
~ ~

Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!) to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo.
~ ~


New York's Covid-19 vaccine passport leaves users clueless about privacy
The Intercept: New York's blockchain-based vaccine "passport" is supposed to help the state open up again as the pandemic enters its second year. But when asked about privacy, the state government didn't bother publishing a privacy policy and basically just said "blockchain" again and again in the hope that it'll wear out critics, when in reality there is "zero reason" for blockchain to be involved, per @matthew_d_green.

Credit card hacking forum hacked, exposing 300,000 hackers' accounts
Motherboard: Credit card hacking forum Carding Mafia was ironically pwned, spilling close to 300,000 user accounts according to @haveibeenpwned. Emails, IP addresses, and passwords — stored in MD5(!) — were breached.
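Why "stored in MD5" matters is worth spelling out. Unsalted MD5 is fast and deterministic, so a breached table of hashes is cracked with one dictionary pass and a lookup, and every user who chose the same password falls at once. The script below is an added illustration, not code from the story or from Have I Been Pwned: it builds a constructed sample dump (digests computed from throwaway plaintexts, nothing from the real breach), cracks it the way an attacker would, and then shows the salted, deliberately slow PBKDF2 storage format that makes the same attack cost a full key derivation per guess per user. The table layout, usernames, wordlist and iteration count are all assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample in the shape of an unsalted-MD5 credential table.
# The first three digests are MD5 of well-known weak passwords; the fourth
# is computed here from a passphrase that is NOT in the wordlist.
# None of this is real breach data.
SAMPLE_DUMP = {
    "user1": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "user2": "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "user3": "5d41402abc4b2a76b9719d911017c592",  # md5("hello")
    "user4": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# A tiny stand-in for a real cracking wordlist (assumption for the example).
WORDLIST = ["password", "123456", "hello", "qwerty", "letmein"]


def crack_md5(dump, wordlist):
    """Dictionary attack on unsalted MD5.

    One hash per candidate word builds a lookup table that is reused for
    every row in the dump: with no salt, identical passwords share a digest,
    so the cost is O(len(wordlist)) regardless of how many users leaked.
    Returns {username: recovered_password} for every hash found in the table.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# Hardened storage: per-user random salt plus a slow KDF.
# 600,000 iterations is OWASP's current guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh 16-byte salt per user means two users with the same password
    get different records, so no shared lookup table exists.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and iteration count and compare
    in constant time; the attacker must pay the same cost for every guess."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked from MD5 dump:", crack_md5(SAMPLE_DUMP, WORDLIST))
    rec = hash_password("password")
    print("salted record:", rec)
    print("verify correct:", verify_password("password", rec))
    print("verify wrong:  ", verify_password("123456", rec))
```

Running it, the three weak MD5 entries fall immediately while the passphrase outside the wordlist survives; the PBKDF2 records for the same weak password differ every time they are generated, and checking a guess costs the defender and the attacker the same 600,000 iterations. Argon2id or bcrypt are equally acceptable choices; the point is salt plus a tunable work factor, not the specific KDF.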

APT encounters of the third kind
Igor Bogdanov: This is an incredible read on how @IgorBog61650384 found something weird in a network capture that turned out to be a really advanced and highly-developed Linux malware. This is a wild ride and worth the read for DFIR folks. (via @attrc). Below is a snippet from his post.
An excerpt from Igor's post, describing how the malware collected PII from an incoming HTTPS connection.
FBI paid an anti-child predator charity $250,000 for hacking tools
Motherboard: @josephfcox reports on how the FBI paid a non-profit organization focused on unmasking child predators $250,000 for a series of hacking tools (known as network investigative techniques, or NITs). This is particularly interesting since it's the first known instance of a charity either building or obtaining hacking tools. (Facebook previously bought a hacking tool for the FBI.) The charity would not say whether it developed the NITs itself or sourced them from another party, however. Still, this shows the private surveillance industry goes far further than many would think.

Ransomware gang leaks data from US military contractor the PDI Group
The Record: A major military supplier has fallen victim to a ransomware attack. PDI Group is based in Ohio and manufactures transporting equipment for weapons and airplane parts. The criminal group behind the file-stealing Babuk Locker ransomware has claimed responsibility for the breach after listing the company's stolen files on its leak site. When @campuscodi contacted the company, a spokesperson hung up the call. Sheesh.
~ ~


Insurance giant CNA hit by ‘sophisticated cybersecurity attack’
CNA, a cyber-insurance giant that made close to $11 billion in revenue last year, was itself hit by a cyberattack that caused a "network disruption" that took down several systems, including its email. The company disclosed the incident on March 21 and it's still offline as of the writing of this newsletter. All signs point to ransomware, but the company remains mum on the cause or the malware.
CNA's holding page for its website, which is down after a suspected ransomware attack.
Thoughts on selling to security leaders
Netflix's infosec chief @chanjbs wrote a blog about how not to pitch security gear or tech to security leaders. None of these are unreasonable, and are clearly designed to push back against some of the more aggressive (and unethical) sales tactics. (Thanks to @ryannaraine for the spot.)

A new Android spyware masquerades as a 'system update'
Security researchers say a powerful new Android malware masquerading as a critical system update can take complete control of a victim’s device and steal their data. The app is called "System Update" and was installed outside of Google Play. But Zimperium, which discovered the malware, said this was "easily the most sophisticated" malware it's seen. "We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible," said CEO Shridhar Mittal. (Disclosure: I wrote this story.)
A screenshot of the Android malware disguised as a "system update" app.
~ ~


Right, now onto the good news.

Google will make https:// the default scheme in the address bar come Chrome 90. It'll replace http:// as the default for the first time, since HTTPS has become practically ubiquitous across the web. The news came in a blog post this week. Note the fallback, which is the part worth reading twice: "For sites that don't yet support HTTPS, Chrome will fall back to HTTP when the HTTPS attempt fails (including when there are certificate errors, such as name mismatch or untrusted self-signed certificate, or connection errors, such as DNS resolution failure)." The new default only covers what you type in the bar; a site that wants no fallback at all still needs HSTS.

A quick dash across the pond (or "the land that raised me" as I call it) because the Bank of England has unveiled its new £50 note featuring WW2 codebreaker Alan Turing, whose work helped to shorten the war. He died by suicide at 41 after he was convicted under anti-LGBTQ+ laws in 1952, and was posthumously pardoned in 2013. Then-PM Gordon Brown also issued an apology for the government's "inhumane" treatment of Turing. It's great to see Turing acknowledged after all these years.
The new design of the British £50 cash note with Alan Turing's face on it.
@US_CYBERCOM made me laugh this week with this entirely predictable response to @cybersecmeg's tweet thread. Some more great responses here.
Meg asks to describe your cyber job without using any terms related to cyber. Cybercom responds: "We can neither confirm nor deny that."
And, this @gcluley tweet is submitted without further comment.
There's a boat stuck in the Suez canal. Graham's tweet described it as a "denial of Suez attack."
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet Peanut, who features this week. His human told me that there's definitely a joke in here about perimeter security or insider threats, since Peanut is very eager to find the bunny (in the back) but not as great at locating said bunny. You're doing the best you can, Peanut! Many thanks to @margaretvaltie for the submission!
Thanks for sending in your cyber cats (and their friends!) Please do keep sending them in. You can drop them here, and feel free to send updates on previously-submitted friends!
~ ~


That's all for this week. As usual, feel free to drop any feedback in the suggestion box. Have a great week, and see you next Sunday. Be safe, and be well.