~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 45


Trump fires election security chief who corrected voter fraud disinformation
NPR: Chris Krebs, one of the most senior cybersecurity officials in the U.S. government, was fired this week after Trump, who appointed him in 2018, disagreed after a CISA statement said that there was "no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised." Dozens of academics also signed onto an open letter stating the same. Reuters first reported his impending firing last week. Krebs, who headed Homeland Security's CISA agency since its founding, quickly reemerged after his government Twitter account was archived. "We did it right," tweeted Krebs. But his firing leaves the agency without a permanent chief at a time when the presidential transition should be under way. CISA deputy Matthew Travis was expected to take over but the White House had other plans. Cyberscoop says Sean Plankey, a former BP cyber advisor, is expected to take the helm but questions remain about his clearance.
More: NBC News | Cyberscoop | @c_c_krebs | Matt Blaze
Biden team lacks full U.S. cybersecurity support in transition fracas
Wall Street Journal ($): Speaking of transitions (or lack thereof), Biden won the election but the government has yet to trigger the transition rules because the incumbents refuse to accept the result, per the WSJ. That means Biden's transition team isn't under the protective wing of the federal government — including cybersecurity assistance. Normally, the president-elect and their team move over to a government "" domain. That hasn't happened yet. But that means cyber is now in the hands of, effectively, private citizens until they make it into the White House. That's a problem since Biden's team has been targeted by nation state hackers several times in the past few months. So much for the smooth continuity of government...
More: @dnvolz tweets

How the U.S. military buys location data from ordinary apps
Motherboard: Several apps, including a Muslim prayer app with close to 100 million users, was found sending ordinary users' personal data to brokers, contractors, and to the U.S. military, @josephfcox found. Through two parallel streams, location data would be funneled through Locate X and X-Mode. The U.S. military bought access to Locate X, and X-Mode also sells to contractors and, by extension, the military. It's a complicated read but so is the supply chain of location data, deliberately so to obfuscate where the data goes. The app, Muslim Pro, quickly removed the code after the story went out.
More: Motherboard | @guardianiosapp

Famed hacker Mudge joins Twitter as head of security
Reuters: Peiter Zatko, better known as Mudge, is the new head of security at Twitter, giving him broad power to make changes to the company's security practices. Zatko answers directly to CEO Jack Dorsey. Mudge requires no introduction to most who worked in security circles through the 1990s, which saw hacking and security research hit the mainstream. Mudge was hired after a series of security incidents at Twitter, including one very high profile hack, in the past year.
More: @josephmenn | @robertmlee

Microsoft reveals its new Pluton security chip
ZDNet: Microsoft has a new security chip design, the Pluton chip, which will integrate into future Intel, AMD, and Qualcomm processors. Think of Pluton as an advanced TPM, or Microsoft's answer to Apple's T2 chip. It's hoped the chip will prevent a range of hardware attacks that have emerged in the past two years since Meltdown and Spectre. Plus, it'll allow Microsoft to update the processor's firmware on millions of future computers, which should hopefully take the complicated process of patching microcode out of the user's hands.
More: Microsoft | TechCrunch
~ ~

Thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


Bumble flaws put locations and pictures of 95 million daters at risk
Forbes: Security researchers accused Bumble of ignoring vulnerabilities in the API that allowed them to pull approximate location data of users. The API didn't have the proper checks to prevent misuse, the researchers said. The bugs were filed with Bumble in March but the app maker only started fixing the issues this month after being open for at least 200 days.

Firefox 83 introduces HTTPS-Only Mode
Mozilla: Great news! Firefox 83 now has an HTTPS-Only Mode, which lets users browse exclusively to HTTPS sites. The feature will ask users before they want to access non-HTTPS sites. The feature comes a decade after the EFF launched HTTPS Everywhere, an extension that force-loaded HTTPS pages, back when SSL-enabled sites weren't as common.
A Facebook Messenger flaw could have let hackers listen in
Wired ($): A bug in Facebook Messenger could have allowed a hacker to call you and start listening before you picked up, reports @lilyhnewman. The bug was found by Google's Project Zero researcher @natashenka, netting $60,000 (which she donated to charity). It's a similar bug to the FaceTime bug that Apple scrambled to patch last year.
~ ~


Some Apple apps on macOS Big Sur bypass content filters and VPNs
Filed under "not good!" Some Apple apps are bypassing content filters and VPNs. That's because macOS Big Sur has an "undocumented exclusion list, which allows Apple apps to directly connect to the internet. Researchers say this bug could give hackers a way in to run malware on a victim's Mac. Apple has not yet responded to the apparent vulnerability.

More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug
It's been a year and a half since the wormable BlueKeep vulnerability was disclosed. Although we haven't seen a cyberattack on a scale of NotPetya or WannaCry, some 245,000 Windows systems remain unpatched and still vulnerable to the bug. BlueKeep abused a flaw in the Remote Desktop Protocol to allow attackers to remotely run malware at the system/root level.

U.K. to invest in AI and cyber as part of major defense spending hike
The U.K. is spending close to $22 billion in the next four years to modernize the U.K.'s cybersecurity position, including launching the new National Cyber Force, a joint unit of intelligence officials and military staff running cyber operations to target terrorism, foreign state actors, and organized criminals.
~ ~


This week, @micahflee launched a new version of OnionShare, the file sharing service that uses the Tor anonymity network. It now includes anonymous chat, tabs, and a new design. OnionShare is a really great tool for researchers and journalists.

Next up, this tweet from Microsoft lawyer @christingoodwin about "Windows support" scam calls absolutely wins the week.
The Senate has passed a new cybersecurity bill aimed at securing Internet of Things devices used by the federal government. The House passed the bill earlier this year, so now it just needs Trump's signature. The bill is designed to make IoT devices, which have long been plagued by security problems like weak or default passwords, comply with minimum security standards. Industry leaders hope that the bill will allow the government to "lead by example."

And, who can relate to this?
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Peaches. Here she is brushing up on her cyber skills. A big thanks to @crunchycontext for sending her in!
You can send in your cyber cats here. They're featured first come, first serve.
~ ~


That's it for now. Thanks so much for reading! As always, drop any feedback you might have in the suggestion box. See you next week — stay safe out there.

You can update your preferences or unsubscribe from this list.

~this week in security~ does not track email opens or link clicks.