~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 6


U.S. technology company Clearview AI violated Canadian privacy law
CBC: Canadian privacy commissioners say controversial facial recognition outfit Clearview AI violates the country's privacy laws by collecting faces of Canadians without their permission or knowledge. The company claims to have 3 billion photos in its database, scraped from public social media sites — which have objected and ordered the startup to stop. "What Clearview does, is mass surveillance and it is illegal," federal privacy commissioner Daniel Therrien told reporters Wednesday. "It is an affront to individuals' privacy rights and inflicts broad based harm on all members of society who find themselves continually in a police lineup."
More: New York Times ($) | Canadian Privacy Commissioner | Background: Slate
This powerful iPhone hacking tool can now break into Samsung Android devices
Forbes: Grayshift, the maker of iPhone-unlocking tech, can now unlock some Samsung Android devices, reports @iblametom. The Atlanta-based startup last year raised $47 million last year to build its phone hacking technology, known to be used by U.S. authorities, including the FBI, Secret Service, and ICE.
Background: ACLU | @iblametom

Bipartisan bill would help domestic abuse survivors bypass mobile surveillance
Cyberscoop: A bipartisan group of senators have introduced a new draft bill aimed at allowing domestic violence victims to safely extricate themselves from shared phone plans that could allow abusers to spy on them. The bill, the Safe Connections Act, would remove penalties and requirements normally associated with leaving a phone plan early. "The bill would also require the FCC to set up protections for survivors so that call logs don’t maintain records of calls or texts to domestic abuse hotlines."
More: Sen. Brian Schatz

Instagram unmasks high profile 'OG' account stealers, threatens to sue
Motherboard: A wild story from @josephfcox this week on what was effectively the doxxing of several members of the so-called OGUsers community, of which members hack and extort their way into high-profile and high-value usernames across social media sites. It's big business, as Motherboard has previously reported. Instagram said it's unmasking the real identities of those who trade these usernames, and sent cease and desist letters to demand they stop. "It is highly unusual for social media companies to publicly announce that it has identified the real names of pseudonymous users and to announce publicly that it has sent them legal threats." Facebook said it's taken similar actions before but this is the first time doing it publicly.
More: Motherboard | Wired ($) | @josephfcox

Minneapolis police tapped Google to identify George Floyd protesters
TechCrunch: Police in Minneapolis obtained a geofence warrant ordering Google to turn over the account data on George Floyd protesters, which police believe were involved in sparking violence across the city. According to footage from the day, there were hundreds of people in the nearby area at the time of the warrant. Geofence warrants (or reverse-location warrants) are controversial as they often ensnare innocent bystanders, and critics say they are unconstitutional. One person I spoke with for this story said they were only videoing the protests and had no involvement with the violence. The person retained a lawyer to fight the order. (Disclosure: I wrote this story.)
More: Search warrant (DocumentCloud) | @zackwhittaker tweets
Hackers post detailed patient medical records from two hospitals to the dark web
NBC News: Tens of thousands of patients' personal information from two U.S. hospitals hit by ransomware have been published online in an effort to extort them for money. Several files reviewed by @kevincollier reveal sensitive medical and health data. It comes as another wave of ransomware hits hospitals across the U.S. as they try to roll out COVID-19 vaccines.
More: Wall Street Journal ($)
~ ~

A big thanks to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to cover the server and email costs. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo
~ ~


Here’s a doorbell camera you don’t have to feel guilty about
Debugger: Ring doorbell cameras are pretty gross, thanks to the company's tight relationship with law enforcement agencies. But thankfully @ow has a solution: a self-hosted option that's relatively cheap to run. A good alternative for those who want a video doorbell with fewer privacy issues.
Police seize $60 million of bitcoin, but don't have the password
Reuters: It was a bad week for German police, who seized about $60 million worth of bitcoin but can't access it because the suspect, who was sentenced to jail and has since served a jail term for hacking into computers to secretly mine cryptocurrency, won't give them the password. "We asked him but he didn’t say," prosecutor Sebastian Murer told Reuters on Friday. "Perhaps he doesn’t know." Which, let's be honest, is a better response than, say, trying to push through anti-encryption or forced-password disclosure legislation. And no, the hacker can't get the bitcoin back, either.

A spyware vendor seemingly made a fake WhatsApp to hack targets
Motherboard: This is great reporting: Citizen Lab and Motherboard found a link between a fake version of WhatsApp and an Italian surveillance firm that works with police. The fake app uses a MDM profile as a crude way of pushing malware to a victim's device. It's not known who the surveillance firm was targeting.
Security firm Stormshield discloses data breach, theft of source code
ZDNet: Stormshield, a major provider of network security tech to the French government, said it was hacked, resulting in "unauthorized access to a technical portal used, in particular, by our customers and partners for the management of their support tickets on our products. About 200 accounts were affected out of 10,000. Here's the statement (et en français).

Apple launches an iCloud Passwords extension for Chrome users on Windows
TechCrunch: Apple has a new iCloud Passwords extension for Chrome users that aims to make it easier to use saved Mac and iOS passwords on Chrome. The extension also saves passwords and adds them back to your Keychain, so they're synced with your Apple devices. Pretty smart.
~ ~


How police took down Emotet
An interesting read from @riskybusiness on how law enforcement took down the Emotet botnet (via @joetidy). It turns out that some network operators in some countries weren't expected to respond well to formal efforts to take down the botnet, so some in the threat intel and malware analysis communities "were asked to reach out to peers working for network operators to enroll them in the operation on an informal basis." Cyberscoop also has a good story on how the FBI leaned on Dutch police for their hacking skills.

Apple rejects top iOS hacker access to security research device
@p0sixninja was denied access to Apple's security research device program in what appears to be a bureaucratic decision, despite being one of the top bug finders. "Apple denied my access to the security developer program because I haven't done enough work. Almost all my CVE's are credited to anonymous or my team name."
Google just booted The Great Suspender off the Chrome Web Store for being malware
A quick PSA for anyone who was using The Great Suspender, a popular Chrome extension that allowed users to suspend their tabs to save memory. This isn't news per se — it was announced in November that the extension may be running malicious code, after the old maintainer of the project sold it to an unknown party in June 2020. Now Google's pulled the extension altogether.

Senate confirms cybersecurity-focused Alejandro Mayorkas as DHS secretary
A new Homeland Security secretary just dropped. Alejandro Mayorkas is now the new DHS chief, who will oversee all things cyber across the agency. Apparently Mayorkas is quite the cyber hawk, and has pledged to strengthen the department's cyber work.

Iranian chat app gets its data wiped out in a cyberattack
An Iranian messaging app startup left a ton of user records exposed to the internet, which was subsequently wiped out by a bot attack. The app, Raychat, was founded in 2017. But its backend MongoDB database was left without a password. @mayhemdayone discovered the exposure.
~ ~


OK, onto the good news of the week.

Apple will push out an update in the coming weeks (iOS 14.5) that will make it easier to unlock your iPhone with Face ID while wearing your mask (finally!). You'll need an Apple Watch (nobody said it would be free), which it uses to authenticate the device owner when wearing a mask.

There are some hilarious responses to this @msftsecurity thread. (Same, @0Axmit, same.
@cyb3rops has a really cool set of custom search engines and shortcuts for accessing security resources — VirusTotal, RiskIQ, and Censys to name a few — from your browser omnibar. Here are the goods on GitHub.

And, bonus cat content from @jennamc_laugh, if you miss both cats and international travel. 
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Henry, who you can (just about!) see hiding under the Christmas tree. A classic case of security through obscurity. Thanks to Denise H. for the submission!
Please do keep sending in your cyber cats and kittens! (Yes, that also includes your non-feline friends.) Send them in here and make my day. 
~ ~


That's all for this week. As always, thanks so much for reading and subscribing. If you have any feedback, drop it in the suggestion box. Take care, and see you next week. Be well!