~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 19


Zoom buys Keybase for reasons that aren't fully apparent yet
TechCrunch: Zoom bought encryption key service Keybase for an undisclosed amount. After months of security snafus, an acquisition seems like it'll help put Zoom back in good graces — and maybe even help to improve its security. But the reason for the acquisition remains largely unknown, unless it's an acqui-hire situation, which seems to be closer to the case. Not even Keybase seems to know what's happening next. In a blog post, Keybase said the future of its service "is in Zoom's hands." Zoom, though, seemed more optimistic about its future.
More: Zoom | Keybase | TechCrunch | @mountain_ghosts

Def Con and Black Hat move online amid coronavirus pandemic
Def Con: Well, it's official. Both Black Hat and Def Con are not running in-person events this year. It was inevitable, really: coronavirus has taken a stranglehold on the world, and the events had been under threat for months already. Def Con, which has a running joke that it's been canceled, said it'll enter "safe mode" and run everything virtually. The show runner, The Dark Tangent, has more thoughts on the semi-cancellation. Black Hat will also run virtually because of the pandemic.
More: Def Con | Black Hat

US government plans to urge states to resist 'high-risk' internet voting
The Guardian: Here's @kimzetter with another election security scoop. Homeland Security said in draft guidelines, used to guide states on how to keep their election infrastructure secured, that it strongly advises against internet voting. It's the first time the U.S. has come out against online voting, fearing that the Russians might meddle with the election tally. No U.S. states currently use internet voting, but a few states have looked at it as an option (we were looking at you, West Virginia!). Experts have long said internet voting isn't as secure as the alternatives, like voting by mail or in person. Problem is that you can't do the latter during a pandemic. @dnvolz had a follow-up scoop, noting that the final version omitted a line about "electronic ballot return technologies." Apparently the government doesn't want to get sued by election vendors.
More: Wall Street Journal ($)

Samsung patches zero-click flaw impacting all smartphones sold since 2014
ZDNet: Not a great week for Samsung, which scrambled to fix a zero-click bug, requiring no user interaction, on potentially over a billion phones sold since 2014. Google's elite flaw-finding unit Project Zero, which found the bug, said it can be exploited by sending a malicious multimedia message (MMS) to a vulnerable device. The bug bypasses Android's memory randomization and can run malicious code on the device. Samsung rated the bug as "critical."
More: Google Project Zero | Samsung

India's coronavirus contact-tracing app could leak patient locations
Wired ($): Contact-tracing apps are helping governments understand the spread of COVID-19, but every nation's implementation is different, and they vary widely on the privacy spectrum. India's system is mandatory, and citizens have to use the app, called Aarogya Setu, which uses location data to help map out infection hotspots. But renowned security researcher @fs0c131y found a bug that leaks location data of users in a small area. Not good! Setu said this was "by design."
More: Medium | TechCrunch | @SetuAarogya

GoDaddy reports data breach involving SSH access on hosting accounts
ZDNet: Hosting giant GoDaddy confirmed this week in a filing with California's attorney general that some users' hosting accounts were breached over SSH. GoDaddy said it discovered "suspicious activity" on its network and notified affected users. But the notice was scant on detail and didn't say how the breach occurred — whether it was an issue on GoDaddy's end or if it was credential stuffing — or how long the incident lasted. Threatpost said it affected 28,000 customers.
More: California attorney general's office [PDF]
~ ~

Thank you for reading this newsletter! As subscribers go up, so are the monthly costs. If you can spare $1/month (or more for exclusive perks), it helps keep this newsletter going. You can contribute to the Patreon here.
~ ~


Stealing your SMS messages with an iOS zero-day
Wojciech Regula: An iOS zero-day, patched in the recent iOS 13.5 beta, is a sandbox escape that can be exploited to steal a user's text messages. Regula explains in this short blog post.

Who is Dmitry Badin, the GRU hacker indicted by Germany over the Bundestag hacks?
Bellingcat: This week, German media reported that federal prosecutors have issued an arrest warrant for Dmitry Badin, accused of hacking into the German parliament in 2015. Investigative journalism outlet Bellingcat looks at Badin and his connections to Russia — and its infamous APT28 group. Germany previously blamed Russia for the attacks.

Apple's copyright lawsuit has created a 'chilling effect' on security research
Vice: Speaking of Apple... the tech giant's lawsuit against Corellium has caused a chill among security researchers, who say they are scared to buy, use or even talk about Corellium's iPhone emulation software. Apple brought a case against Corellium, accusing the company of infringing its copyright. But several researchers have "expressed fear of retribution from Apple for using Corellium." Ultimately, if that means fewer bugs submitted as a result, that's going to hurt Apple's security posture.

A look at the tactics, techniques and procedures of the Maze ransomware
FireEye: Security firm FireEye did a deep-dive on the Maze ransomware, a data-stealing malware that's believed to be one of the first, if not the first, ransomware strains that also exfiltrates data from a network. If a victim doesn't pay, the files are published. Maze has inspired a whole new kind of ransomware group. FireEye explains how the ransomware works, how it spreads, and what you can do to mitigate an attack.
~ ~


CAM4 adult cam site exposes 11 million emails and private chats
Adult live streaming website CAM4 exposed terabytes of personally identifiable data of its members and users, stored in a database with close to 11 billion records. The database wasn't protected with a password. Some records even contained payment data, a report said. This is one of the worst kinds of breach a consumer can face, given the blackmail factor.

Apple, Google ban use of location tracking in contact tracing apps
Apple and Google said governments and public health authorities are forbidden from building apps that use their joint contact-tracing API to also collect location data. Some U.S. states say they need access to location data, but the two tech giants are balking at the idea. Apple and Google, whose system uses nearby Bluetooth signals to match potential COVID-19 exposures, have already said that location tracking for coronavirus exposure doesn't work and needlessly drains the battery.

WeChat, but they watch
Citizen Lab has a new report out looking at WeChat. The research shows that the millions of users outside China are secretly "training" the censorship system it uses inside China. Using file hash surveillance, the messaging app takes a digital signature from files or photos it thinks are politically sensitive inside China and blocks those messages from going through to Chinese users.
~ ~


A couple of good things this week:

Censys, the internet scanning search engine, has a new online home Wi-Fi network scanner, which quickly identifies any risks on your home network — like leaky ports or exposed devices. It's a perfect time to check, since so many are still working from home.

And while hacker summer camp was canceled this year, you can still feel like you're there.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet this week's cyber cat, Reggie. Unlike the companies that get hacked, Reggie really does take your security seriously. Thanks to Tonya R. for the submission!
Send in your quarantine cyber cats! All cyber cats will be featured in an upcoming newsletter. You can always send them in here.
~ ~


That's all for now. Thanks for reading! If you have any feedback, drop it in the suggestion box. Have a great week — stay safe and healthy. See you next Sunday.
