~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 9


Senate hearing on SolarWinds hack lays bare U.S. shortcomings and remaining mysteries
Cyberscoop: Senators grilled the three executives, including SolarWinds' CEO, at the center of the ongoing Russian espionage campaign targeting the federal government. Two months on, and questions remain. Cyberscoop walks you through the hearing, and the critical questions that still need answering. There was a lot of focus on the SolarWinds CEO blaming an intern for using "solarwinds123" as a server password. (Remember when Equifax's CEO pulled a similar stunt?) But really, it just shows poor leadership from the top down and inadequate security policies across the company. @thegrugq has a good post (refreshed from December) exploring why the password issue is only a small matter to consider.
More: CNN | The Register | The Grugq | @runasand | @hexadecim8

Hackers broke into 'biochemical systems' at Oxford University lab studying COVID-19
Forbes: One of the leading biology labs researching COVID-19 has been hacked. Oxford University confirmed on Thursday that its Division of Structural Biology was breached, shortly after Forbes revealed hackers were touting access to a number of its systems. Screenshots provided to Forbes showed the access, though it's not known exactly who was behind the attack or what their motives were. The university said its research was not affected by the breach.
More: Reuters | @iblametom tweets

Kamacite, tied to Russia's GRU, targeted the U.S. grid for years
Wired ($): New research from Dragos has revealed a new group adjacent to the disruptive Russian intelligence hacker group known as Sandworm. Dragos calls the new group Kamacite, which has successfully targeted U.S. electric utilities and oil and gas facilities as far back as 2017. The group also serves as Sandworm's "access" team by breaking into networks and handing off the access to Sandworm. Kamacite uses spearphishing and brute-forcing of cloud logins, like Office 365, to gain a foothold on the victim's network and establish persistence. "If you see Kamacite in an industrial network or targeting industrial entities, you clearly can't be confident they're just gathering information. You have to assume something else follows," said @cnoanalysis.
More: Dragos | @a_greenberg

ICE used a private utility database to pursue immigration violations
Washington Post ($): ICE has tapped into a private database storing millions of utility bill records in order to probe immigration violations. ICE uses CLEAR, which holds at least 400 million names, addresses, and records from more than 80 utility companies, and is updated daily. CLEAR is run by Thomson Reuters, which sells the platform as a "legal investigation software solution," but has allowed ICE to tap into the database under a $21 million contract. One rights defender said: "It puts people in a tremendously difficult situation. They have to decide whether to have electricity or subject themselves to having ICE get access to this information." Excellent reporting.
More: @drewharwell

Apple will make it harder to hack iPhones with zero-click attacks
Motherboard: Last year it was revealed that dozens of Al-Jazeera reporters had their iPhones hacked using zero-click exploits — the kind of hacks that require no user interaction at all. Now Apple is working to make it harder to launch these attacks with iOS 14.5 by signing ISA pointers, making it much harder to exploit corrupted memory that can be used to inject malicious code.
More: @lorenzoFB | @josephfcox
~ ~

Thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to cover the server and email costs. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


A race to reverse-engineer Clubhouse raises security concerns
TechCrunch: There was a ton of chatter this week about Clubhouse having a security breach. That's not the case in the strictest sense; it was a matter of scraping audio content from the app's public APIs. Because Clubhouse is still only available on iOS, developers have started building their own apps that feed in Clubhouse streams so they can access them from non-iOS devices. @ritacyliao explores the security and privacy ramifications, including in China, where Clubhouse is banned. @lilyhnewman digs into the security issues in more detail on Wired ($).

The 'real consequences' of ransomware against schools
Statescoop: Research shows there have been at least 130 ransomware incidents involving school districts across the U.S. since 2016, and it's getting worse. Some attacks have compromised personal and financial data, but others have disrupted the learning process altogether. The pandemic may have solved the snow day problem, but now schools have "cyber days."

Apple nukes 'Silver Sparrow' malware after revoking the developer's certificate
CNN: Last week, Red Canary researchers discovered a new strain of Mac adware targeting Apple's new M1 chip, dubbed Silver Sparrow, which had infected close to 30,000 Macs in over 150 countries as of mid-February. Apple has now taken action and revoked the developer's certificate, preventing future infections.
~ ~


Treasury watchdog warns of government's use of cell data without warrants
A Treasury watchdog report says that law enforcement and intelligence agencies may not be on firm legal footing by buying access to location data without first obtaining a warrant, reports the Wall Street Journal ($). It comes as the IRS is under scrutiny for using a commercial database to track cellphones. Ultimately it's down to the courts to decide, but it's the strongest suggestion so far that the practice may not be constitutional — and therefore any case that uses warrantless access to location data may be built on shaky ground.

'Millions of people’s data is at risk': Amazon insiders sound alarm over security
Whistleblowers — two in the U.S. and one in the EU — say they were forced out of Amazon after raising privacy and compliance issues. The report is well worth the read: the former employees allege that the company "prioritizes growth over other factors, such as the security of customers' information, compliance with rules designed to safeguard that data and the careers of employees the company hired specifically to flag problems." Just last year, Amazon admitted it fired a *third* employee for leaking customer email addresses to an unnamed third party.

NASA, FAA named as federal agencies hit by SolarWinds hackers
We know that nine federal agencies were hacked by the SolarWinds hackers (allegedly the Russians), including State, Justice, Treasury, Energy, Commerce and Homeland Security, as well as the National Institutes of Health. Now we know that NASA and the FAA make up the remaining two agencies that weren't named, thanks to @nakashimae's reporting. It's worth noting that the two agencies weren't compromised through the SolarWinds software, but through brute-force password cracking.
~ ~


Right. Now that's out of the way, onto the happy corner.

A big congratulations to @campuscodi, who leaves ZDNet after 2.5 years to join Recorded Future as its first cybersecurity reporter.

After the successful landing of the Mars Perseverance Rover, it was revealed that NASA coders hid an Easter Egg in the colored pattern of its parachute. It reads "Dare Mighty Things." Here's the explainer of how it works.

@micahflee has a new version of OnionShare out, a file sharing service that uses the Tor network. It's a fantastic tool that I've personally used several times and recommend. It's easy to use, and open source. More details on Micah's blog.

And, congrats to @Fox0x01, who joined Corellium this week as its chief product officer. It comes after the iPhone virtualization software maker scored a win over one of Apple's claims in its lawsuit against the company — that it infringed iOS copyright. @pwnallthethings will become Corellium's chief operating officer.

If you want to nominate some good news from the week, feel free to reach out.
~ ~


Say hi to Meadow, who was featured a while back but returns with a Taco Truck. Cats get hungry when they're busy fighting hackers. A big thanks to @IDAccessGoddess for the submission!
Keep sending in your cyber cats (and your non-feline friends). You can send them in here.
~ ~


That's it for now. Thanks so much for reading. As always, drop any feedback you might have in the suggestion box. Have a great week, and see you next week. Be well.