~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 25

~ 100th newsletter ~


CIA unit that developed Vault7 hacking tools failed to secure its own systems
Washington Post ($): A redacted internal CIA report obtained by Sen. Ron Wyden and given to the Post reveals that the elite CIA unit that developed the same hacking tools stolen in the Vault7 leak didn't properly secure its own systems, which in part allowed the theft to take place. WikiLeaks went on to obtain and publish the stolen files after what was described as the biggest breach of classified information in CIA's history. Just to give you a taste of how bad the CIA's own infosec was, the report said: "Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss." @emptywheel, who covered the trial of former CIA insider Joshua Schulte, accused of leaking the files, dives deeper into the story.
More: Ron Wyden | @nakashimae | @RidT thread

Microsoft pitched its facial recognition tech to the DEA while pushing for law change
BuzzFeed News: Microsoft last week said it would no longer sell its facial recognition technology to police, after advocating for the past two years for stronger federal laws covering the controversial face-scanning tech. But the tech giant conveniently didn't say anything about federal agencies. No wonder, given that new emails released this week show how Microsoft aggressively pitched its technology to federal agents at the DEA. Microsoft even let DEA agents trial the tech, but apparently fell short of a purchase after a government watchdog criticized the FBI's use of the technology.
More: ACLU | TechCrunch

Dating apps exposed millions of explicit photos, chats, and more
Wired ($): Data belonging to thousands of users across nine dating services catering to a range of sexual preferences was found exposed online. The data sat in several Amazon S3 buckets that were left open and unprotected. All of the services come from the same source, hence the mass exposure — and the data was quickly pulled offline.
More: @lilyhnewman

Oracle's BlueKai tracks you across the web. That data spilled online
TechCrunch: Oracle's BlueKai is a little-known but massive ad system that tracks millions of people across the web every day, scooping up detailed web browsing data, from purchases to unsubscribes — all for the sake of inferring your interests and tastes to serve you targeted ads. But that back-end system was left exposed. Zero password for at least four days. Five billion records were in the database — unencrypted — making this one of the biggest data incidents of the year. "There’s really no telling how revealing some of this data can be," said EFF's Bennett Cyphers. Oracle didn't say if it informed EU or U.S. regulators of the incident. If it didn't, Oracle could face a 4% revenue fine — or about $1.5 billion in fines — if found to have flouted GDPR rules. (Disclosure: I wrote this story.)
More: @profwoodward | @kennwhite

eBay executives charged for cyberstalking after sending cockroaches to critics
CBS Boston: This is one of the nuttier stories of the week. Six former eBay executives have been charged after allegedly engaging in a cyberstalking campaign — in which they (again, allegedly) sent threats, a bloody pig mask, a box of live cockroaches and a funeral wreath to a couple who wrote an online e-commerce newsletter that was critical of eBay. Those employees included eBay's former security chief. Wired later discovered that the cyberstalking campaign was ordered by "Executive 1," who was named as former eBay CEO Devin Wenig, though he wasn't charged.
More: Wired ($)

To evade detection, hackers are requiring targets to complete CAPTCHAs
Ars Technica: CAPTCHAs are a necessary pain in the ass for modern internet users to prove that they're a human and not a malicious bot. But Microsoft has spotted a threat group distributing booby-trapped Excel documents that require a CAPTCHA to get through. It might sound counterproductive, but it's apparently working — the CAPTCHA acts as a barrier, making it far more difficult for automated scanners to analyze the malicious files. And given that we're presented with so many CAPTCHAs in an average day, some may not think twice about it.
More: @msftsecintel
~ ~

Thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks), it helps keep the newsletter going. You can contribute to the Patreon here.
~ ~


Norway pulls the plug on its 'deeply intrusive' COVID-19 contact tracing app
TechCrunch: Amnesty International U.K. said it was the "right decision" for Norway's government to go back to the drawing board after critics slammed its COVID-19 tracing app. The app collected near-live location data of its users, which was stored in a central database, presenting a significant risk if the data is breached or exposed. As of June 3, the app had been downloaded 1.6 million times by some 600,000 active users — or around 10% of Norway's population.

IRS used phone location data to try to find suspects
Wall Street Journal: The IRS, the U.S.' tax collector, purchased access to a vast commercial database of millions of location data points to track potential criminal suspects, the WSJ reported this week. The IRS didn't need a warrant to buy access to the data, and reportedly let its contract with the data provider, Venntel, lapse after it failed to locate any targets. But it shows a growing effort by law enforcement to access privately collected data. Earlier this year the WSJ also reported that immigration authorities at ICE also accessed a commercial location database to track potentially undocumented immigrants.

FBI trawled Etsy, LinkedIn to track an arsonist
Philadelphia Inquirer: The FBI tracked down an arsonist who set fire to a car while peaceful protesters demonstrated in Philly by tracking her down using Etsy, Instagram and LinkedIn. Some might praise it as good investigative work but civil rights advocates said it raises questions over how much police should rely on social media data surveillance. NBC News also has a good story on this kind of surveillance.
~ ~


South African bank to replace 12m cards after employees stole master key
Postbank, the banking division of South Africa's post office, lost more than $3 million from thousands of fraudulent transactions and had to replace 12 million customer payment cards after its employees printed and stole its master encryption key, used to decrypt the bank's operations and generate keys for customer cards. The bank's employees are blamed for the breach.

Nobody reads privacy policies. This senator wants lawmakers to stop pretending we do
Here's one bill most can probably get behind: Sen. Sherrod Brown says people are giving up "far too much data" when they click through on a website's privacy policy notice, which "nobody reads," he said. His bill would allow companies to take our data only when it's "strictly necessary," he said. It's a bill that would likely face heavy opposition in Silicon Valley.
~ ~


And breathe. Here's some good news.

Everyone's favorite encryption defender @Riana_Crypto casually dropped some fantastic news this week: she got married to her long-term partner, @aaron_kimball. Great news! You can read their back story here. Absolutely thrilled for you both.

Also, what do you get when you mix cybersecurity and romance novels? This tweet says it all.

And, last week I borked a link to that great OSINT thread. Apologies for that. You can definitely read it here.

Oh, this is the 100th edition of ~this week in security~. A big thanks to everyone for all your support, messages, contributions, and — of course — cyber cat submissions. Speaking of which...
~ ~


This week's cyber cat is Gen. George S. Patton Cat, who helps his human do security consulting from home by keeping my shoulders warm during conference calls. What a good boy. A big thanks to Sam for the submission!
Send in your cyber cats! The more the merrier. They are always featured, first come first served. And if you've sent in before, feel free to send in again! You can email them in here.
~ ~


And we're out! Thanks again for reading, subscribing, and sharing. You can always reach out — the suggestion box is always open for feedback. Take care, see you again next Sunday.
