~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 22


After a tumultuous week, House Democrats pull FISA vote
Roll Call: A vote that would have reauthorized the Foreign Intelligence Surveillance Act, the basis of U.S. spying laws that allows the NSA to collect vast amounts of web and phone data, was scrapped this week after the president threatened to veto the bill. Last week's Senate amendment, which failed but would have compelled authorities to obtain a warrant before getting access to web browsing and search data, was taken up by the House in the Lofgren-Davidson amendment. But Rep. Adam Schiff weakened the language, effectively rendering the amendment dead after lawmakers pulled their support for the weakened version. In the end, the final FISA bill failed to make it to a vote. It's not immediately clear when another vote will be held.
More: Washington Post ($) | CNET | Ars Technica | @danielschuman | @dellcam

Russian hackers are exploiting a bug that hands over control of U.S. servers
Ars Technica: The notorious Sandworm hacker group, linked to power outages in Ukraine and other major cyberattacks, is actively exploiting a security flaw in an effort to break into computers run by the U.S. government. The hackers are exploiting a bug in Exim, an open-source mail transfer agent for Unix-based operating systems. NSA said in an advisory [PDF] that Sandworm has been launching attacks since at least August 2019. The advisory was meant to warn both businesses and government agencies, but also served as an effort to "name and shame" the Sandworm hackers.
More: Wired ($) | ZDNet

'Turla' spies have been stealing documents from foreign ministries in Eastern Europe
Cyberscoop: New research this week shows another Russian hacking group, Turla, is building custom malware to achieve "long-term persistence in their target's network," according to ESET. The attacks started two years ago, targeting ministries in Eastern Europe, using booby-trapped PDF and Word documents. Interestingly, the group uses Gmail as a command and control server to receive commands and exfiltrate data, making it less conspicuous than a custom domain.
More: ESET

Arkansas calls the person who discovered a breach a criminal
Arkansas Times: So, this happened. Arkansas' unemployment assistance website had a bug that was exposing Social Security and bank account numbers. A computer programmer found the bug and got in touch with a reporter, who flagged the issue to the state's governor's office. So far so good — I've done this countless times before. Fix the bug, job done. But that's where things got messy: the governor's office called the person who found the breach a criminal, claiming the website had been "exploited." The governor called in the FBI to investigate. Cue the reporter's (rightfully) critical article on the matter. Another day, another good-faith researcher facing the backlash of a confused and reactive politician.
More: Techdirt | @Andrew_Morris tweets

A massive database of 8 billion Thai internet records leaks
TechCrunch: Thailand’s largest cell network AIS pulled a database offline that was spilling billions of real-time internet records on millions of customers. These internet records, including DNS logs and Netflow data, can "quickly paint a picture" of what an internet user does. It's particularly egregious in Thailand, where web censorship and surveillance are through the roof. @xxdesmus found the exposed data. Between us, it took about a week to get the database pulled offline — and another few days for the ISP to respond. (Disclosure: I wrote this story.)
More: Rainbow Tables

DHS wants access to 300 million more facial recognition photos
OneZero: U.S. Homeland Security is linking its facial recognition database to the FBI, the Department of Defense, and the Department of State, which will allow DHS staff vast access to other departments' facial recognition databases. That will help DHS access records on more passport and visa holders, and correlate names against those who have fallen into the criminal justice system. DHS already has 250 million people's biometric data from border crossings. But State and the FBI have much bigger databases, and DHS wants in.
More: FCW | @davegershgorn tweets
~ ~

Thanks to everyone who reads and subscribes to this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for perks), it helps to keep the newsletter going. You can contribute to the Patreon here.
~ ~


Feds arrest member of Fin7, a group tied to $1B worth of hacks
Motherboard: U.S. authorities have arrested a Ukrainian national, Denys Iarmak, an alleged member of the Fin7 hacking group, accused of breaking into systems belonging to Chipotle, Whole Foods, Trump Hotels, and more. The group is a prolific credit card stealer, taking as much as $1 billion in illicit and stolen revenue since it first emerged on the hacking scene. Despite the indictment, the Fin7 group remains "incredibly active," according to one of the FBI agents who wrote the Iarmak complaint.

Dangerous SHA-1 crypto function will die in SSH linking millions of computers
Ars Technica: Developers of two open-source code libraries for SSH, used by millions of computers to create encrypted connections to each other, are finally retiring the SHA-1 hashing algorithm, months after researchers found it was possible to create a "collision" that costs as little as $45,000. In other words, it's possible to spend that amount to impersonate a target, rendering the algorithm largely useless. The decision to move away from SHA-1 to stronger algorithms is late, but better now than never.

Zoom plans to roll out strong encryption for paying customers
Reuters: Two steps forward, one step back with Zoom. Just when you thought things were on the up for Zoom after its calamitous few weeks during the pandemic, it gained ground by promising to invest in actual end-to-end encryption. Now it seems, per Reuters, that only paid customers will get the end-to-end encryption features. @alexstamos said, though, the plan was subject to change. Meanwhile, @micahflee reviewed Zoom's new end-to-end encryption protocol and walked through it in a tweet thread. It seems like the new encryption will work well — but it's just a shame that you may have to pay to use it (for now).
~ ~


ACLU sues Clearview AI over privacy "nightmare scenario"
The New York Times ($) reports that the ACLU is suing controversial surveillance startup Clearview AI in Illinois for collecting facial biometric data without permission. The ACLU says that's a violation of Illinois' biometric privacy law, which stung Facebook only a few weeks earlier to the tune of $550 million.

Qatar's mandatory contact tracing app fixes major security flaw
Amnesty International found a critical vulnerability in Qatar's mandatory-to-use Ehteraz contact-tracing app, which, had it not been reported and fixed, could have allowed attackers access to highly sensitive data, "including the name, national ID, health status and location data of more than one million users." The bug allowed the researchers to pull users' data from the server, which didn't have security measures in place to protect the data.
~ ~


Ars Technica's @dangoodin001 did a deep-dive looking at two-factor authentication apps. You might not think there's much of a decision, but there is! Which apps let you back up? Which apps restore your two-factor accounts if you lose your phone? Goodin breaks it down in detail.

And, especially for the reporters and threat intel workers out there, a new web mashup lets you strip metadata from photos and blur them, all without the photo ever leaving your browser. You can find the tool here. It's really easy to use, and works on your phone. A big thanks to @everestpipkin for making this!
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Tippi, who likes to help out by generating secure random passwords — even if that means rolling around on his human's keyboard. Thanks to @gl0ck for the submission!
Please keep sending in your cyber cats! You can email them in here.
~ ~


And I'm out. Thanks for reading (as always). The suggestion box is open for feedback. Stay safe out there. See you next week.