~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 14

~ ~


Hackers tried to backdoor PHP, used by 80% of all websites
Motherboard: From the "this could've been so much worse" department: hackers broke into the internal code repo for the PHP web programming language and tried to backdoor the source code. PHP is used across the web, 80% of sites use it, which would've been terrible had the backdoor code made it to prod. PHP said it was moving its infrastructure to GitHub after the attack, which may be because of a flaw in the server. The hack was a botch job — the code referenced Zerodium, the exploit broker, which denied any involvement.
More: The Record | @campuscodi | @official_php
A screenshot of the backdoor code in GitHub.
SolarWinds hack got emails of top DHS officials
Associated Press: Sources say the SolarWinds hackers (suspected to be Russian intelligence) grabbed emails belonging to then-DHS head and senior staff. The AP spoke to more than a dozen people with knowledge of the breach. It was known that DHS was one of the federal agencies affected, but it's believed classified networks were not compromised.
More: @tonyajoriley

These companies track millions of cars — and immigration authorities request the data
Forbes: CBP and ICE demanded location data from three companies who track the movements of tens of millions of cars every day — GM OnStar, Geotab and Spireon. Most modern cars are connected and are beaming out location data, and now immigration authorities are catching on. @iblametom digs into who gets access to your vehicle's location data and where it goes. Of course, none of this should be a surprise to anyone (read: no-one) who read GM's privacy policy.
More: @iblametom | @EFF

MobiKwik investigating data breach after 100M user records found online
TechCrunch: MobiKwik, an Indian mobile payments service, is investigating an apparent data breach after 100 million records were found for sale online. The data also contained "know your customer" documents, like IDs, passports, and other government-issued papers. Turns out MobiKwik may have known about the breach for a while. A leaked screenshot shows a MobiKwik executive asking Amazon for logs after it "came to know that our S3 [cloud storage] data is downloaded by some other person outside the organization." Days later, the MobiKwik breach seller claimed to delete the data and bid "adios!" Bizarre. (Disclosure: I edited this story.)
More: Reuters | @rajaharia

America's digital defender is underfunded, outmatched and 'exhausted'
Politico: CISA is an agency that's tired. That's per @ericgeller, whose tweet thread also breaks down the story. The Homeland Security cybersecurity agency is underfunded and struggling to stay ahead of a deluge of overseas threats. "People are somewhat exhausted," said one staffer.
More: @ericgeller

Google caught North Korean hackers trying to hack security researchers — again
Cyberscoop: Hackers linked with North Korea set up a fake security company to try to hack security researchers, according to Google, which poured cold water on the campaign this week. The fake firm, SecuriElite, set up fake social media accounts with names like Sebastian Lazarescue (I'm dying). This is the second time Google has exposed the hackers targeting security defenders after catching an earlier iteration of the campaign.
More: Google | @shanvav tweets | Archive: ZDNet
~ ~

Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!) to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo.
~ ~


Zero-click vulnerability in Apple's macOS Mail
Mikko Kenttala: Apple fixed a zero-click in Apple's email client that invisibly allowed an attacker to write arbitrary files inside Mail's sandbox to leak sensitive content from the victim's inbox.

Dutch watchdog fines €475k for keeping data breach quiet
The Register: The Netherlands Data Protection Authority handed down a fine for being notified too late that criminals had broken into the fined organization's systems and stolen data on more than 4,100 customers. Just a friendly reminder that GDPR is still a thing.

Phone numbers for 533 million Facebook users leaked on hacking forum
The Record: A massive list of 533 million Facebook users' phone numbers — one-fifth of the site's users — has been publicly posted on a cybercrime forum. It comes from a bug which threat actors exploited prior to a Facebook fix in 2019. The large lists of data have been floating around for a while. Mark Zuckerberg and other Facebook founders' information was in the data set.
A screenshot of a tweet showing Facebook CEO Mark Zuckerberg's redacted phone number in the leaked dataset.
Feds indict Kansas man for allegedly hacking into water supply
Motherboard: A 22-year-old former employee of a Kansas district water authority was charged with hacking into a public water system in 2019. The former employee allegedly logged into the system and "shut down processes" at the facility, "with the intention of harming people," per the indictment. This is the latest case among recent reports of intrusions into the U.S. water supply.

Recovering a full PEM private key when half of it is redacted
Cryptohack: This is an incredible read on how a partially redacted PEM key could be recovered. There's some major math here and the details are largely lost on me. But, the very fact that they could recover a key is something. "If you find something private, keep it that way."
Image of a partially redacted PEM certificate key, which the researcher was able to recover.
Alleged Ubiquiti whistleblower claims recent breach was 'catastrophic'
Krebs on Security: An interesting development to the Ubiquiti security breach earlier this year. @briankrebs spoke to an employee, whose identity is not known, who said that the networking gear maker effectively covered up the breach after the hacker "obtained full read/write access to Ubiquiti databases," hosted on Amazon's cloud. The company said very little in a new statement, which said "no evidence that customer information was accessed." The employee alleges that this is true, but only because Ubiquiti allegedly "failed to keep records of which accounts were accessing that data." I'm sure this will be a story to watch...
~ ~


Australia investigates reported hacks aimed at parliament, media
Cyberattacks hit Australia's parliamentary email system and broadcaster Channel 9 this week. The attacks left the broadcaster unable to air for several hours on Sunday. One of Channel Nine's reporters said it was ransomware, which would make sense, but has not yet been confirmed. It's not clear if the two incidents were linked. The country's spy agency is looking into it.

Bug in how macOS handles .TXT files exposes private data
Great work by @PaulosYibelo, who found that macOS text editor TextEdit parses HTML even when it opens it as a .TXT file. That allowed him to remotely run code on a victim's machine.
Amazon tweets were so bad that IT thought its Twitter account was hacked
The headline says it all. Amazon went off on a bunch of lawmakers this week ahead of a crucial union vote. The tweets were "so aggressive that one of the company's own security engineers filed a support ticket." The support ticket warned that the "unnecessarily antagonistic" tweets "may be a result of unauthorized access by someone with access to the account’s credentials." That support ticket was published by The Intercept.

The little-known data broker industry is spending big bucks lobbying Congress
The Markup found 25 data companies spent $29 million in 2020, rivaling that of the big tech firms like Facebook, Amazon and Google, which spent $19M, $18M and $8M respectively. Just goes to show how big of a business data is — and how much some companies will spend to protect it, like Oracle, which spent $9M on lobbying last year.
~ ~


Just a couple of things this week. This is nice, but please, please use a password manager.
Tweet reads: "A neighbour approached me today to say that Natalie is his favorite name so he always uses it as his password, and I’m pretty sure the gods are just messing with me at this point."
And, this @simonw thread is definitely a fun read, and I'll leave you with just this tweet.
Simon's house has two ZIP codes. His tweet explains more. Follow the link.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Shiloh. If you're wondering why the side-eye, Shiloh knows you reuse passwords. Maybe don't do that? A big thanks to Gh0sti for the submission!
Please do keep sending in your cyber cats (and friends)! You can drop them here, and feel free to send updates on previously-submitted friends!
~ ~


That's all! Please drop any feedback in the suggestion box. Take care and see you next week.