~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 36


Microsoft says Fancy Bear hackers also targeted Biden campaign firm
Reuters: Microsoft said this week that hackers working for Russia, China and Iran targeted the Trump and Biden campaigns and more than 200 other organizations, including political consultants. One of those companies, according to Reuters, is SKDKnickerbocker, which was targeted by the same group of hackers — known as Fancy Bear — that targeted the Clinton presidential campaign in 2016. This time around there was no breach at SKDKnickerbocker, the report said. "They're well defended," according to a source. But not all of the attacks were unsuccessful, said Microsoft. Russia and China (of course) denied the allegations.
More: Microsoft | @joel_schectman

How the U.S. is keeping hackers from disrupting COVID-19 vaccine research
Cyberscoop: For the past six months, the Pentagon's Defense Digital Service, NSA, FBI, HHS and Homeland Security have been working to help defend pharmaceutical giants making the COVID-19 vaccine from hackers. NSA has already detected Russian and Chinese hackers trying to steal research. The U.S. government's program is primarily concerned with hackers trying to "manipulate, delete, or steal vaccine trial data," reports @shanvav.
More: @shanvav tweets | Background: Reuters

Portland, Oregon passes toughest ban on facial recognition in U.S.
CNET: Cities like San Francisco, Boston and Oakland have facial recognition bans, but only for government uses. Now, Portland, Ore. has passed the toughest ban on facial recognition in the U.S. — including for the first time a ban on the technology's use in private businesses. Casinos, airports, and restaurants all use facial recognition, but the technology has repeatedly come under fire for inaccuracies and disproportionately affecting people of color. 
More: TechCrunch

AI-powered 'female only' app gets in Twitter kerfuffle over breach notification
The Register: Giggle, a new app, had a bug that spilled user data, including a user's location. But the company responded to the breach notification with a threat to sue the researchers. The whole ordeal blew up on Twitter. The issue was resolved and in the end everyone apologized to each other. Lesson: be good to each other, and don't threaten to sue security researchers.
More: DI Security | @troyhunt tweets | @_LittleBobby_

Equinix datacenter giant hit by Netwalker Ransomware, $4.5M ransom
Bleeping Computer: Datacenter and colocation giant Equinix was hit by Netwalker ransomware, and the threat actors are demanding $4.5 million for the decryption keys. Netwalker is ransomware-as-a-service, so anyone can rent or buy into existing infrastructure and launch attacks. Netwalker also steals network data, allowing the threat actors to hold the stolen data for an additional ransom. Equinix confirmed the attack and said that the attack had "no impact" on its customers' data.
More: Equinix | ZDNet
~ ~



YubiKey 5C NFC is finally here
ZDNet: Good news for fans of security keys! There's a new YubiKey out, the YubiKey 5C NFC. As the name suggests, it comes with USB-C and NFC, making it one of the most compatible security keys on the market for modern devices. It works on newer iPhones and Android devices, and Windows computers and Macs. It's priced at $55.

San Diego’s 'smart streetlights' turned off until surveillance law in place
San Diego Union-Tribune: San Diego residents, rejoice. The city is switching off the cameras attached to some 3,000 "smart streetlights" in the city, which the police have tapped into to try to solve crimes. The city was going to hand over camera management to police, but that drew immediate anger and pushback. The city dropped the plans and added another surprise: it would switch off the cameras altogether until it completes a surveillance ordinance — a process that could take months.

The IRS is offering a bounty of $625,000 to crack Monero
Decrypt: The IRS has offered a bounty of $625,000 to break Monero, a cryptocurrency known for its privacy. The IRS' criminal investigations division, known for investigating child abuse sites and hacker groups that use cryptocurrency for anonymity, says it needs help "tracing and attribution of privacy coins." Unlike bitcoin, there's no public record of Monero transactions.
~ ~


Hackers are trying to break into a bitcoin wallet allegedly holding $690 million
Speaking of breaking into cryptocurrency... hackers are trying to break into an encrypted bitcoin wallet allegedly containing over $690 million, the seventh largest amount of bitcoin in circulation. But nobody knows the password. And because the wallet is encrypted with two very strong algorithms, it may well be near impossible to access. One crypto expert called it a "longshot."

Chinese ambassador demands investigation after his Twitter account liked embarrassing posts
China's ambassador to the U.K., Liu Xiaoming, who was left speechless live on the BBC when presented with evidence of China's gross abuses of human rights against the Uighur Muslim minority, has called for an investigation after his Twitter account 'liked' a porn video. (I'm reliably informed that was a foot fetish video — so now you know.) The ambassador denied involvement and called on Twitter, which is banned in China, to investigate. Xiaoming claimed his account was hacked — otherwise known as the Ted Cruz defense.

U.S. company Sandvine faces backlash after Belarus uses its tech to block the internet
Sandvine, a U.S. company you might not have heard of, has been blamed for helping the Belarusian government block access to the internet across the former Soviet nation. Protesters took to the streets after President Alexander Lukashenko was accused of rigging the recent general election. Sandvine's CTO Alexander Haväng said in a recent call that the company's equipment may have been used to block access to websites and apps in the country but that Sandvine concluded that internet access was not a human right. Wow. Try telling that to the United Nations, which declared internet access a human right almost a decade ago.
~ ~


And time for some good news.

Wired ($) this week published its list of people who are making things better in the world. On that list are Google Project Zero's @maddiestone and CryptoHarlem founder @geminiimatt for their contributions to cybersecurity. Also featured are Ohad Zaidenberg, Nate Warfield, and Marc Rogers, who formed the CTI League of volunteer hackers helping to defend the healthcare sector from cyberattackers exploiting the COVID-19 pandemic. Congrats to everyone. Absolutely deserved.

Meanwhile, @joncallas has joined the Electronic Frontier Foundation as its director of tech projects. Callas is well known for co-founding PGP, and he has previously served at Apple and the ACLU. Congrats, Jon!

And, finally. The pandemic has hit a lot of folks pretty hard. @marcusjcarey has a running list of open vacancies in cybersecurity. Go check it out, and feel free to contribute.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's two-for-one cyber cat special is Pepper and Smokey. According to their human, they’ve been together since they were kittens, and can usually be found sleeping on top of each other (or wrestling — classic!). A big thanks to @darkuncle for the submission!
Please keep sending in your cyber cats! The more the merrier. Send them in!
~ ~


That's all for now. In case you missed it, there was no newsletter last week due to Labor Day. As always, if you have any feedback, please drop it in the suggestion box. Have a great week!
