~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 41


U.S. indicts Sandworm, Russia's most destructive cyberwar unit
Wired ($): The Justice Dept. announced this week charges against six alleged Russian intelligence officers for their role in a number of high-profile hacks, including the downing of the Ukrainian power grid during Christmas in 2016 and the release of the NotPetya worm in 2017. The group of hackers, known as Sandworm, was also accused of targeting the 2018 Winter Olympics and targeting organizations investigating the Novichok poisoning in the U.K. in 2018. FireEye's @johnhultquist called the group the "most aggressive actor" he's encountered. Bellingcat researchers later found the hackers in plain sight. Now on the FBI's most wanted list, the hackers remain in Russia. The indictments are expected to serve to "name and shame" not just the hackers themselves, but also their tactics and techniques.
More: Justice Dept. | Ars Technica | @johnhultquist tweets
U.S. government concludes Iran was behind threatening emails sent to Democrats
Washington Post ($): The U.S. government also accused Iran this week of spoofing emails from a far-right group, the Proud Boys, to intimidate voters in the upcoming presidential election. In a bizarre and hurried press conference on Thursday, U.S. chief spy John Ratcliffe accused Iran of stealing voter registration records (which are largely public in the U.S.) with menacing emails that urged them to "vote for Trump, or else." The video included a video that claimed it was possible to cast fraudulent ballots — even if the scheme was unlikely to work. Iran denied involvement.
More: Motherboard | NBC News

The unsinkable Maddie Stone, Google's bug-hunting badass
Wired ($): A double-whammy from Wired this week. @lilyhnewman dropped her profile of @maddiestone just as this newsletter went to print. Stone, for those who don't know (where have you been?) is one of Google's security bug-hunting powerhouses and a member of its Project Zero team, which finds, reports and discloses some of the world's most dangerous bugs. Not only as an incredible hacker, she's breaking ground on the perceptions of who can be a hacker. This profile is well worth the read.
More: @lilyhnewman

Adblockers installed 300,000 times are malicious and should be removed now
Ars Technica: Two ad-blockers with more than 300,000 uses should be removed as soon as possible, as they were quietly scraping browsing data and tampering with users' social media accounts. The extensions, Nano Adblocker and Nano Defender, were bought by new developers which added malicious code. Google removed the extensions from the Chrome Web Store.
More: Nano Adblocker (Github) | ZDNet

Moxie Marlinspike has a plan to take back our privacy
New Yorker ($): A long read this week on the founder of Signal, Moxie Marlinspike. The profile focuses on the end-to-end encryption app's founder who wants to bring "normality" back to the internet by bringing security and privacy to messaging and conversations. The story focuses on Signal's claim to fame, it's rise to prominence during the Trump administration (many of whom are also users) as the government continues to push back against "warrant-proof" encryption.
More: @marciahofmann | @yaelwrites

Twitter hack investigation says hackers spoofed VPN page
New York Dept. of Financial Affairs: You might not think that New York State's tax department would have anything enlightening to say about the Twitter hack back in July but, turns out it did a full investigation (because the hackers used the attack to spread a cryptocurrency scam, putting the incident in its purview). The hackers stole credentials and used a spoofed VPN page to trick an unsuspecting Twitter employee into entering their password — and two-factor notification. The hackers scraped the two-factor code and logged in as the employee. This is one of the most comprehensive insights into what actually went down on that July afternoon.
More: @zackwhittaker
~ ~

A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


Face ID and Touch ID coming to the web
WebKit: Face ID and Touch ID, Apple's biometric unlocking feature, is coming to the web. First announced at its WWDC conference in June, the fingerprint and face unlocking feature will allow users to login to websites without entering passwords.
Researcher founds remote code execution bug in Discord Desktop
Masato Kinugawa: @kinugawamasato found a RCE in Discord Desktop, built on Electron, by chaining together several vulnerabilities. In this detailed writeup, Kinugawa said he received over $5,000 for the vulnerabilities.
~ ~


NSS Labs shuttered due to COVID-19
Security testing firm NSS Labs has "ceased operations," per a notice in its site, due to the ongoing coronavirus pandemic. The company was sold to a private equity firm last year for an undisclosed sum, and has reportedly been struggling since. Former employees told me that they had been laid off as a result of the company's closure. @kjhiggins first broke the news.

Mysterious 'Robin Hood' hackers donating stolen money
Here's an interesting one. Why is a hacker group donating stolen money to charity? To say that the move is "strange and troubling" is an understatement — and it's left several charities wondering if they should keep the money. The hackers allegedly target big profitable companies with ransomware attacks and share some of the proceeds of those ransom payments to charities.

The police can probably break into your phone
At least 2,000 law enforcement agencies in the U.S. have access to phone-cracking equipment, allowing police into encrypted devices, reports The New York Times ($), based on new findings from a Washington non-profit. These tools have "served as a kind of a safety valve for the encryption debate," per @Riana_Crypto, yet police continue to demand more tools and access to encrypted devices.
~ ~


And now for some good news.

Last week, @jaysonstreet, @thestump3r, @adam_915 and @grifter801 casually saved a bloke from a burning truck. Absolute heroes. 
A big congrats to @InfoSecHoudini, who joins Dragos as its director of R&D. Great company — a frontrunner in ICS research.

And this BSOD face mask is perfect and where can I get one?
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Mao, unwinding after a long day defending against hackers. We're proud of you Mao. Thanks to Freek d.M. for the submission!
Please keep sending in your cyber cats! They will always be featured.
~ ~


That's it for this week. Back next Sunday as usual. If you have any feedback or comments, please drop it in the suggestion box. Thanks for reading and see you next week!

You can update your preferences or unsubscribe from this list.