~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 34


Inside NSO, Israel’s billion-dollar spyware giant
MIT Technology Review ($): NSO Group is one of the most secretive private surveillance companies in the world. Maker of the Pegasus mobile spyware, NSO has embroiled itself in a number of cases involving human rights abuses and governments spying on their most vocal critics — just by supplying the spyware. @HowellONeill looks at NSO — and some of its victims. It's an interesting two part long-form on different sides of the same coin. A fascinating read, with new details on how NSO chooses (and monitors) its customers. You can find part two here.
More: MIT Technology Review | @HowellONeill | @jsrailton

The threat to vote by mail isn't fraud. It's disinformation and sabotage
CNET: The big U.S. election is coming up (don't forget to register to vote!) but exactly how many Americans will vote this November remains a bit of a mystery — and a mess. Many will be voting by mail — many more will also vote by mail thanks to the pandemic. But USPS is being hobbled. Trump has argued mail-in voting fraud is easy. CNET found that actually, it was pretty tough and the payoffs are extremely limited. What's easier, though, is disinformation and spreading lies on social media. In what could've been titled "How to Get Away With Vote-By-Mail Fraud," this really well-done guide explains how it can be done.
More: @alfredwkng | CenDemTech

The attack that broke Twitter is hitting dozens of companies
Wired ($): "Phone spearphishing" attacks are on the rise. It's the same attack that saw hackers get access to Twitter's internal admin tool earlier this year. But what exactly is phone spearphishing (also known as vishing)? It's a social engineering attack involving voice calls. The attacker calls a victim using a spoofed phone number and tricks them into handing over passwords or access to internal tools. @a_greenberg reports that vishing attacks have hit banks, cryptocurrency exchanges, and web hosting firms. The FBI and CISA put out warnings about the rise of vishing attacks.
More: ZDNet | Background: Motherboard
Former Uber security chief charged with concealing hack
The New York Times ($): Joe Sullivan, Uber's former security chief who currently serves as Cloudflare's security head, was charged this week with attempting to conceal a massive data breach that saw hackers steal 57 million user accounts of Uber drivers and passengers. The charges are "believed to be the first against an executive stemming from a company’s response to a security incident," reports @kateconger. Sullivan negotiated a $100,000 "bug bounty" payout to the hackers, which later cost him his job. The hackers were later charged by U.S. prosecutors. Uber didn't disclose the breach until a year later in 2017, after which Uber was forced to pay $148 million to settle an investigation brought by several attorneys general.
More: Wired ($) | NPR | @quentynblog | @hacks4pancakes

Cruise operator Carnival hit by ransomware
Cyberscoop: Remember earlier this year those cruise ships full of passengers with coronavirus? That same cruise company, Carnival, has just been hit by a data-stealing ransomware attack. Some of the company's data was downloaded by the ransomware actors, the company confirmed in a regulatory filing. Earlier this year the company's Princess Cruises brand admitted a data breach involving names, addresses, Social Security numbers and government IDs — including passport numbers and driver license numbers — along with financial and health information.
More: Bleeping Computer | Archive: TechCrunch

Fearing coronavirus, a Michigan college is tracking its students with a flawed app
TechCrunch: One university in Michigan has required all students to install an app that tracks their location around the clock. Students can't opt-out — they face suspension if they do. Worse, the app had two major security flaws that exposed private data, including the ability to infer students' COVID-19 test results. The bugs are fixed, but the app maker — and the school — has remained silent on the matter. (Disclosure: I wrote this story.)
More: Washington Post ($) | Ars Technica | @zackwhittaker tweets | @doctorow

Google fixes major Gmail bug seven hours after exploit details go public
ZDNet: A bug in Gmail (and its enterprise-focused G Suite) email servers could've let an attacker send spoofed emails impersonating any Gmail or G Suite customer — even those protected with basic email security features like DMARC and SPF, designed to protect against spoofing attacks. Google had over four months to patch the bug but delayed patches until September. Then, details of the bug were made public and a bug fix went into effect. See? It didn't need much after all.
More: Allison Husain

Microsoft put off fixing Windows zero-day for two years
Krebs on Security: Speaking of slow bugs to fix... Microsoft has finally fixed a two-year-old code signing bug that, despite the CVE number, was first spotted in attacks in August 2018. There's more details on the bug here. The bug, once exploited, could've allowed improperly signed files to be loaded by Windows. "While Microsoft’s security team validated his findings, the company chose not to address the problem at the time."
More: VirusTotal
~ ~

A huge thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo
~ ~


Firebase takeovers netted researcher over $30,000 in bounties
Abss: A security researcher, @absshax, found a number of vulnerable Android apps (including Google's own!) with hardcoded keys for Firebase, which provides in-app notifications. In an email, the researcher told me that a malicious hacker could "send malicious push notifications to a billion users at will." Great work here.

U.K. Home Office forced to deny 'breach' after password disclosure
Justin Clarke-Salt: The U.K. Home Office, responsible for all of U.K.'s domestic affairs, confirmed that a flip chart with "Passw0rd1" written in big letters and visible from a window was, in fact, a password used by staff at the government department. But, the Home Office "fiercely refuted" that a breach had taken place. I'm just amazed Armando Iannucci didn't think of this one first.
Grant Schneider steps down as federal CISO, heads to private sector
Cyberscoop: The exodus continues. The U.S. is now without a federal CISO after Grant Schneider, who sat on the National Security Council, stepped down from the gig this week. He was also head of the Vulnerabilities Equities Process, the government process for deciding whether to horde software bugs for intelligence purposes or disclose them to the private sector so they can be fixed, explains Cyberscoop. Schneider is heading to the private sector where he'll join the Washington D.C. office of law firm Venable.

This map lets you report landlords using tech to screw over tenants
Motherboard: Finally — renting tenants can fight back against surveillance-hungry landlords. The site, Landlord Tech Watch, lets anyone report the use of "landlord tech," such as privacy-invading and surveillance heavy tech used by landlords. That includes access systems that replaced keys with facial recognition and more.
~ ~


US government built secret iPod with Apple’s help, former engineer says
@dangoodin001 looks at a secret project to build the U.S. Department of Energy a special iPod — with Apple's help. Only four people inside Apple knew of the project. Tony Fadell, who ran the iPod division, confirmed the report on Twitter. The special iPod had custom hardware and software, which — the theory goes — may have been used as a Geiger counter to help detect stolen uranium.

A popular fertility app shared data without user consent, researchers say
Fertility app Premom was collecting a ton of private information from its Android app and sharing it with at least one Chinese company. The Android app can track users' location, log which other apps they have installed, and collect unique identifiers from people’s devices that could allow other companies to trace their activity across other websites, the Washington Post ($) reports.

How a new federal policy for telling election officials about cyber-intrusions got put to use
@snlyngaas reports on how a new CISA and FBI policy on informing election officials about intrusions was put to use. In March, a hacker spoofed an email account of a voting equipment maker and phished a local Missouri official. The official took the bait and the hacker compromised their email account. The breach seemed opportunistic, rather than targeted and no lasting damage was done. Still, it shows how proactive the feds are getting on election-related intrusions and threats ahead of the presidential vote in November.

Two big ATM makers fix "deposit forgery" flaws
Two of the biggest ATM makers, Diebold Nixdorf and NCR, have rolled out patches that mitigate "deposit forgery" attacks, where fraudsters tamper with ATM software to modify the amount of money being deposited on a payment card. Carnegie Mellon released two write-ups of the two flaws — for Diebold and NCR — which are basically identical flaws.
~ ~


In keeping with last week's spicy tweets theme, @k8em0 dropped a virtual cluster bomb on this hapless recruiter. You really have to see the full tweet.
In other good news, take a look at DiceKeys, a $25 bit of kit that helps you generate master passwords on the fly. It's a really interesting bit of kit that takes what looks like a Boggle kit but is "designed to serve as a permanent, offline key to regenerate that master password, crypto key, or U2F token if it gets lost, forgotten, or broken." Each arrangement has about 196 bits of entropy. There are more combinations than all the atoms in "four or five thousand solar systems." Incredible.

And, here's what you get if Bob Ross worked in infosec.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week is a two-for-one cybercat special: meet PJ and Pablo, two incredibly cute five-month-old void floofs. They're up for adoption, so get in touch if you're in the tri-state New York area and are interested in adopting them as a pair. (Who wouldn't want two cute hacker cats?)
Please keep sending in your cyber cats! The more the merrier. Send them in!
~ ~


And that's all for this week. Thanks for reading! As always, if you have any feedback, feel free to drop it in the suggestion box. As a reminder for Patreon subscribers, the next wave of perks are going out this week (and thanks for your patience). Take care and see you next week.

You can update your preferences or unsubscribe from this list.