~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 2


U.S. concludes hack of federal agencies 'likely Russian in origin'
Associated Press: The NSA and FBI concluded this week that the hacks against several government agencies — less than 10, we are told — was "likely Russian in origin." It comes less than a month since the SolarWinds breach first broke. Of course we know it's probably Russia already from the stream of headlines, citing unnamed government officials with knowledge, that Russia's Cozy Bear (or APT29), is likely to blame. New victims came to light this week: the DOJ says 3% of its unclassified email inboxes were raided. Also, PACER, where all the court records are kept, was also infiltrated — including sealed court filings, which are deliberately kept secret. The NSA-FBI joint statement said that the compromises were "ongoing."
More: Reuters | Fedscoop | @carlmalamud

Riot in the Capitol is a nightmare scenario for cybersecurity professionals
Washington Post ($): This week saw a nightmare scenario play out for the Capitol's IT staff: after hundreds of pro-Trump supporters stormed the Capitol building, lawmakers' offices were ransacked and some devices were stolen. Just how big of a cyber risk did the attack leave? Folks are generally mixed, erring on the side of "it could be a lot worse." It's not to say the risk isn't there, but most of what Congress handles is unclassified. Even the classified stuff is kept under lock and key, and there was "no indication" that classified networks or devices were breached. That said, Congress is exempt from FOIA, so emails and documents may be "more candid" than on federal networks. @ericgeller had a good thread explaining the risks and why they are low.
More: Motherboard | @MiekeEoyang | @ericgeller

Telegram feature exposes your precise address to hackers
Ars Technica: Right, moving on. Telegram, the not-so-secure messaging app, has a vulnerability that exposes users' precise geolocation — but Telegram has no plans to fix it. The "People Nearby" feature is by default turned off, but when enabled it can show geographically nearby Telegram users. As explained by Ars: "By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location." Ouch.
More: Ahmed Hassan
Anti-secrecy activists publish a trove of ransomware victims' data
Wired ($): WikiLeaks successor DDoSecrets has amassed a new collection of data — corporate secrets stolen in data-stealing ransomware attacks. The group "has made available about 1 terabyte of that data, including more than 750,000 emails, photos, and documents from five companies." DDoSecrets cofounder Emma Best said that the dumped data "deserves to be scrutinized," even if "there's too much data for DDoSecrets to comb through on its own," which drew ire from some.
More: @a_greenberg | @josephfcox

U.K. mass hacking ruled illegal by High Court
Privacy International: The U.K. High Court has ruled that the security and intelligence services are not allowed to use "general warrants" to search the computers and phones of millions of devices. U.K. law states that a warrant has to target an individual, and broad-scope warrants aren't permitted. Privacy International said it brought the case five years ago in response to the Snowden leaks, which revealed that U.K. authorities were using "bulk hacking" techniques that could collect intelligence across large sections of society.
More: ComputerWeekly
~ ~

A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to cover the server and email costs. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo
~ ~


SolarWinds hires former Trump cybersecurity chief Chris Krebs
Financial Times ($): Former CISA director Chris Krebs, who was fired by President Trump for refuting false election claims, has joined ex-Facebook CSO Alex Stamos to found a new consulting firm. The pair already have their first client, SolarWinds. Krebs and Stamos will help the Texas-based technology company respond to its supply chain breach. The pair told the FT, which first reported the news, that it will likely take years to remediate the security threat completely. @snlyngaas reports without the paywall.

How the FBI tracked down Ghislaine Maxwell
Daily Beast: The feds may have tracked down and busted Jeffrey Epstein's alleged accomplice using a stingray. According to the Daily Beast (and the BBC, which also has more), feds secured a search warrant a day before her arrest on July 1 last year to "receive GPS and historical cell site data for Maxwell's cellphone account—which had a northeastern Massachusetts area code—within one square mile of her location. But the feds didn’t know the particular New Hampshire building in which she lived." The warrant asked for an "investigative device" that could "function in some respects like a cellular tower." Stingrays, or IMSI catchers, are portable suitcase-sized devices that can impersonate a cell tower and capture a suspect phone's precise location.

SMS phishing is getting out of control
Motherboard: Text message scams — known as SMS phishing, or simply "smishing" (yes, that's really what it's called) — is on the rise. According to Proofpoint, text message phishing went up by over 300% in the third-quarter of last year, "probably because they are so successful." @lorenzoFB investigates the recent deluge.
Singapore police can access COVID-19 contact tracing data for criminal probes
ZDNet: The headline alone doesn't tell the full story: Singapore's authorities previously said that COVID-19 contact tracing data in the country would "never be accessed unless the user tests positive." Now it's being used for police investigations. Later, ZDNet reported that the country's police defended the decision, saying it was crucial in helping to assist a murder case. What a way to undermine confidence in the system! Worse, given that Singapore's contact-tracing system will soon be mandatory in 2021, there's not much recourse for its citizens either.

JPMorgan Chase hacker gets 12 years in prison
Cyberscoop: Russian citizen Andrei Tyurin has been sentenced to 12 years in prison for his role in the theft of data on more than 100 million U.S. consumers — including the theft of 80 million records from JPMorgan Chase alone. Tyurin operated from his home in Moscow, and collected some $19 million in proceeds. He was extradited to the U.S. last year.
~ ~


A cross-platform cryptocurrency stealer went undetected for a year
ElectroRAT, a nasty cryptocurrency miner that's been active since at least January 2020, went largely unnoticed throughout the year. During that time it was likely installed by thousands of victims, per security firm Intezer. "Once an app is installed, ElectroRAT...then allows the crooks behind the operation to log keystrokes, take screenshots, upload, download, and install files, and execute commands on infected machines. In a testament to their stealth, the fake cryptocurrency apps went undetected by all major antivirus products." Impressive, especially since bitcoin is now worth some $40,000 each.
Microsoft says it's fighting back on secrecy orders
In a blog post this week, Microsoft said it's successfully fought two orders that the government imposed to prevent it from disclosing an investigation relating to obtaining data from an enterprise customer. The two cases are now unsealed, but a third case is still ongoing and has received support from Amazon, Apple, Google, and several privacy and rights groups. Microsoft said it's challenging the secrecy orders because it says they are "not necessary in cases where the data belongs to large and sophisticated organizations where someone can be notified without creating significant risk to the government’s investigation."

WhatsApp has shared your data with Facebook for years, actually
Panic spread this week after end-to-end encrypted messaging app WhatsApp told users in a pop-up that it would share more data with Facebook, its parent company, prompting @elonmusk to tweet about it, causing a ton of people to sign-up, so much so that @signalapp initially struggled to keep up with demand. Users have to accept the new terms to continue using WhatsApp. But @lilyhnewman drops a truth-bomb: it's been this way since 2016. "WhatsApp emphasized to Wired that this week's privacy policy changes do not actually impact WhatsApp's existing practices or behavior around sharing data with Facebook." Ouch.
~ ~


Terribly sad news from the security community. Yonathan Klijnsma, whose efforts to uncover Magecart was some of his defining work, died this week. His wife Nady confirmed his passing on Twitter. Yonathan was a fantastic bloke who always had the time to chat and share his knowledge. A truly nice guy who will be deeply missed. May his memory be a blessing. 
~ ~


@cglyer runs us through 2020 in security research. Some of these I'd forgotten about. This was a really good look back at the year and some of the biggest security bugs, vulnerabilities and findings.

Next time someone throws you some nonsense about how law enforcement need encryption backdoors to fight terrorism, just remind them about this perfect @matthew_d_green tweet.
And, after that hellish week, @Microsoft had our backs.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Bebby, an elusive-feral-turned-cuddly (but still semi-feral) kitty who first appeared last October. A little bit of social engineering later (and hissing, I'm told), Bebby is now an established resident of her lockdown household. A big thanks to Klara K. for the submission!
Please send in your cyber cats (and friends) to be featured in an upcoming newsletter. Yes, you can also now send in your non-feline friends too. Send them here.
~ ~


That's all from Hell Week. Feel free to drop any feedback in the suggestion box. See you again next week. Take care.