~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 12


Foreign operatives were active in 2020 but did not alter vote, U.S. officials say
Cyberscoop: A joint DHS-Justice report says foreign actors were active ahead of the 2020 U.S. presidential election but that there was no effect on the vote. It's largely what we knew already, with a few extra points thrown in. Russian and Iranian actors were active, but China was less so — apparently Beijing "considered, but did not deploy" influence efforts as it sought a less fractious relationship with the West. It comes after months of breathless allegations that the vote was somehow (but wasn't) altered. @shanvav has a good tl;dr thread on the report's findings.
More: NBC News | @RidT
Shannon's tweet says China didn't want to get involved in efforts to meddle in the U.S. election in 2020.
A hacker got all my texts for $16
Motherboard: A gaping hole in the telecommunications infrastructure allowed @Lucky225, co-founder and CIO at Okey Systems, to hijack all incoming SMS messages to @josephfcox's phone. There was no SIM swapping or bribing of telecoms staff. Instead, he used Sakari, a SMS marketing tool that rerouted SMS messages to him, simply by claiming he had the permission to do so. It's a fascinating if not eye-opening story on just how vulnerable SMS is — and why we should probably not rely on it. That kicked off a whole conversation on Twitter, but read this story and judge for yourself.
More: @Lucky225 on Medium | @josephfcox

America's drinking water is surprisingly easy to poison
ProPublica: Last week, CISA's cybersecurity chief Eric Goldstein described February's attempted water poisoning incident in Florida as "the gravest risk that CISA sees from a national standpoint." He's not wrong, in large part because we've done so little to protect these water systems. Despite warnings but with little funding to protect against cyberattacks — including at the U.S. Environmental Protection Agency — an attack was almost bound to happen. "As they turned to digital systems and monitors to boost efficiency while saving money and staff, they failed to install the safeguards and carry out employee training needed to secure the resulting vulnerabilities."
More: @propublica

Your face is not your own
New York Times Magazine ($): @kashhill is back with another long read on Clearview AI, the controversial startup she first reported on last year. It's a wild story, and worth the read. Clearview AI exploited a glaringly obvious market position by throwing legal and ethical considerations to the limits. "The more society-changing aspect of facial recognition in the United States may be how private companies deploy it: Americans’ right to privacy is relatively strong when it comes to the federal government but very weak when it comes to what corporations can do."
More: @shiraovide | @kashhill

"Expert" hackers used 11 zero-days to infect Windows, iOS, and Android users
Ars Technica: Hackers have used at least 11 zero-day flaws over a year-long campaign to compromise websites and infect devices running Windows, iOS, and Android, according to Google's Project Zero. The hackers chained together the flaws to get full access to vulnerable devices. But Google still hasn't said who is behind the attacks or offered any suggestion as to the motives of the attackers (or saying who are the victims). But clues suggest that the vulnerabilities may have been exploited by more than one threat actor.
More: Google Project Zero | @lorenzofb
~ ~

Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!), to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo
~ ~


WeLeakInfo leaked customer payment info
Krebs on Security: WeLeakInfo can't be accused of not being true to its name, after it ironically began leaking info after one of its domains used for emails and payments lapsed. Flashpoint said the leaked data contained "partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid." WeLeakInfo was a for-profit service that sold access to stolen and breached passwords and was — if you recall — seized by the feds last year for being extremely illegal. (Who would've thought?) @haveibeenpwned, the best-known legit data breach notification service, said 12,000 email addresses were leaked as a result.

Researcher finds a one-click RCE in TikTok for Android
Sayed Abdelhafiz: Multiple bugs discovered by @dPhoeniixx and chained together allowed for remote code execution in TikTok's Android app. He explains how he did it in his writeup. TikTok fixed the vulnerability.

Proctorio banned at the University of British Columbia
William Bowman: Proctorio, the remote exam proctoring company at the center of several scandals, including suing an academic and filing DMCA complaints to take down a student's critical tweets, has been banned at UBC (with some exceptions). The decision was made in response to complaints by students. Here's the full tweet thread. Motherboard recently detailed how students could still cheat despite using Proctorio.
a tweet from a UBC professor saying that Proctorio is banned from the school.
New global model needed to dismantle ransomware gangs, experts warn
Cyberscoop: Security experts and former diplomats are in the early stages of urging governments to figure out a way to work together against ransomware, whose victims have paid close to $350 million to hackers last year alone. Sanctions alone aren't enough. But tackling ransomware actors at the source — their infrastructure — may be one possible solution.

Russian who tried to hack Tesla last summer pleads guilty
The Record: @campuscodi with the scoop: Russian hacker Egor Kriuchkov, who tried to plant malware on Tesla's network using a recruited employee but fell flat when the employee told the feds, has pleaded guilty. The DOJ confirmed his report a short time later.

Swiss hacker’s indictment spotlights ethics of activist attacks
Bloomberg ($): Tillie Kottmann, the Swiss hacker at the center of the Verkada surveillance camera breach, has been indicted by the Justice Department. Kottmann (they/them) remains in Switzerland and likely won't be extradited, but could face legal reprisals at home. The charges stem from Kottmann's involvement in previous leaks at major companies and government entities, per @WilliamTurton, who scooped this story and covered it extensively from the beginning.
~ ~


Rising encrypted app Signal is down in China
The good times might be over, as Signal is now blocked in mainland China. The ban happened a day after the non-profit secure messaging app's website was blocked by the country's so-called Great Firewall. The app had reached more than 100 million downloads, but it was a matter of time before Beijing cracked down.
Great Fire says in a tweet that Signal was blockedon March 15, but remains in the app store. Follow the link.
With Spectre still lurking, Google looks to protect the web
Wired ($) looks at Google's efforts to guard against Spectre, the speculative execution bug in Intel chips. Google has developed a proof-of-concept exploit that "shows the danger Spectre attacks pose to the browser in hopes of motivating a new generation of defenses," reports @lilyhnewman.

Tampa Twitter hacker agrees to three years in prison
Graham Ivan Clark, a 17-year-old at the time of the Twitter hack last year, has pleaded guilty to fraud charges after he broke into Twitter and got access to an "admin" console, which he used to break into high profile accounts and spread a cryptocurrency scam. He netted some $117,000 in bitcoin before the scam was shut down. He will serve three years in prison.

Mimecast says SolarWinds hackers breached its network and spied on customers
Email management giant Mimecast confirmed that its network intrusion, which was used to spy on its customers was carried out by the same hackers who hit the SolarWinds supply chain. In other words, it's likely the Russians were behind the attack. The U.S. previously said the SolarWinds hackers were "likely Russian in origin." The hackers "accessed a Mimecast-issued certificate that some customers use to authenticate various Microsoft 365 Exchange web services."
~ ~


This week's good news has to start with @C_C_Krebs flashing a much earned bottle of champagne live on MSNBC following the government report this week that showed there was no election hacking in 2020. If you recall, Krebs was fired as the of CISA by President Trump for pushing back against Trump's false election claims.
chris krebs showing a bottle of champagne on live TV.
A big congrats to @kimzetter who has launched a new Substack called — appropriately — Zero Day, focusing on hackers, spies, and the intersection of cyber and national security. Zetter's first post is a deep-dive on how the government's network monitors would not stop a SolarWinds-style attack, in part because of "blind spots" in the government's legal authorities. Sign up!

And @redteamwrangler's JIRA nightmare is an absolute mood.
a metal cabinet's doors sticky-taped together badly, and next to it a JIRA ticket marked as "fixed."
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet this week's cyber cat, Fortuna, who is helping her human with his OSCP lab. Fortuna had her right ear removed due to cancer last year, but that doesn't keep her from cybering. What a trooper! A big thanks to her human, Simon H., for the submission.
Fortuna is a very lovely cat with one ear, standing next to her dad's computer screen.
We're running low on cyber cats and their friends! Please keep sending them in! (And yes, that includes your non-feline friends). You can drop them here. The more the merrier!
~ ~


Thanks for reading this week! To make this newsletter more accessible, I am adding alt-text to images to support screen readers, and will make an effort to do this going forwards. I'm also experimenting with font size and compatibility for dark mode, but that's proving somewhat tricky. Please drop any feedback in the suggestion box. See you next Sunday!