~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 46

~ ~


Former Ubiquiti dev charged for trying to extort his employer
Bleeping Computer: A former employee at Ubiquiti has been charged with data theft and with trying to extort his employer while posing as a whistleblower. Nickolas Sharp allegedly abused his legitimate access as an insider to steal gigabytes of confidential data, then sent the company a $2 million ransom demand, according to prosecutors. When the alleged extortion attempt failed, he went to the media. The company's stock price fell by about 20%, wiping out roughly $4 billion in market value, because of "misleading" news articles, prosecutors said. The indictment says investigators identified Sharp because a brief outage of his VPN connection exposed his real home IP address, letting the feds home in on him. Which, let's be fair, is only slightly easier than getting a subpoena.
More: Justice Dept. | Cyberscoop | The Record | @campuscodi tweets

Clearview AI told to stop processing UK data as ICO warns of possible fine
TechCrunch: The controversial facial recognition startup Clearview AI has been told to stop processing U.K. citizens' data and to delete any it already holds, after the U.K. data protection watchdog, the Information Commissioner's Office (ICO), said the company's activities amounted to "alleged serious breaches" of U.K. law. The ICO also said it plans to notify the company of its intention to fine it £17 million (about $23M), which is a fancy British way of saying nothing is set in stone. As my colleague @riptari explains, tumult at the regulator leaves it unclear what will come of the proposed fine, and the final penalty will likely be far less than what the ICO has proposed. It's worth noting that every GDPR fine the ICO has proposed has been reduced between the notice of intent and the final decision.
More: ICO | The Register

U.S. State Department phones hacked with Israeli company spyware
Reuters ($): Apple alerted close to a dozen U.S. State Department employees that their phones had been hacked by an unknown operator of NSO Group's Pegasus spyware. The hacks, which happened over the past few months, hit U.S. officials working in Uganda. The news comes a week after Apple said it would sue NSO to stop it from hacking Apple's users, and that it would notify victims of NSO's hacking. The Washington Post ($) matched Reuters' reporting, but added that at least 11 State Department employees were hacked. The officials were targeted with a zero-click exploit known as ForcedEntry, which requires no user interaction and defeats BlastDoor, the iMessage sandbox Apple added specifically to block this kind of silent attack. Last month, NSO was added to the U.S. Commerce Department's Entity List, which bars U.S. companies from supplying it with technology without a license.
More: Washington Post ($) | BBC News | @skirchy | @nakashimae
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Thousands of AT&T customers in the US infected by new data-stealing malware
Ars Technica: Researchers from Qihoo 360 in China said they found a new botnet that is targeting thousands of networking devices belonging to AT&T internet subscribers in the U.S. The devices in question are EdgeMarc Enterprise Session Border Controllers, used by small businesses to manage phone calls, conferencing and other real-time communications. The botnet gets in through a vulnerability in the devices that allows remote root access, which is why it carries a 9.8 severity rating out of 10.

Hackers are spamming businesses' receipt printers with 'antiwork' manifestos
Motherboard: Someone, or some people, are blasting "antiwork" manifestos to receipt printers at businesses across the world. Screenshots show the manifestos ask, "ARE YOU BEING UNDERPAID?," which is a fair question since so many in the U.S. are massively underpaid, and encourage employees to discuss their protected legal rights, such as being able to discuss your pay with your co-workers. It looks like mass-scanning for internet-exposed printers and spraying them with print jobs, but the person or people behind it aren't known (yet). Know your rights! Thank your friendly network-neighborhood hacker for the reminder.
A photo of a hacked printer receipt that says: 'ARE YOU BEING UNDERPAID'
Big Tech is mandating MFA. Hackers have workarounds
Readme: Google plans to switch on multi-factor authentication for more than 150 million users before the end of the year, and Facebook/Meta said it will start requiring "highly targeted" users to enroll in MFA. We all know some level of MFA is better than none, but this piece looks at the ways attackers bypass and circumvent it. Worth remembering that not all MFA is equal: SMS codes and push prompts can be phished in real time or approved by a worn-down user, while FIDO2/WebAuthn security keys are bound to the site's origin and resist that kind of attack.

Still paying for antivirus software? Experts say you probably don't need it
NBC News: Keep this one in your back pocket when you're home for the holidays. Antivirus software in this day and age is... just not something you need to pay for. @kevincollier takes a look at the free options, often built into the operating system, and drops some solid cybersecurity advice for the folks back home.
~ ~


Missouri officials planned to thank Post-Dispatch before threatening newspaper
St. Louis Post-Dispatch: Shortly before Missouri officials wrongly accused a Post-Dispatch reporter of hacking, the state government was preparing to thank the reporter, according to emails obtained by the newspaper. The reporter had found state educators' Social Security numbers exposed in the HTML source of a state government website and reported it in good faith. In a hilarious twist, the state's cybersecurity specialist contacted the FBI, and an agent responded, essentially, that there was nothing to investigate, since the exposure was the state's own fault for misconfiguring its website. That's when Missouri governor Mike Parson went on live TV to criticize the paper for his own government's mistake.
Brad Heath tweet: "Missouri's government knew perfectly well that a newspaper reporter hadn't hacked its website by looking at its HTML. The FBI told it so. But the state publicly accused a reporter of being a hacker anyway."
Google Play apps downloaded 300,000 times stole bank credentials
Ars Technica: Researchers have found another batch of apps on Google Play that were downloaded more than 300,000 times before they were revealed to be banking trojans, which siphoned off passwords and two-factor authentication codes and took screenshots. The apps passed review as benign and pulled the malicious payload down later as an "update," which is how droppers like these keep slipping past Play's checks. ThreatFabric has more on its blog. Google removed the apps.
~ ~
Don't forget, if you have good news from the week, get in touch:
~ ~


This is Florence, this week's cyber cat. This is her favorite toy that she has torn all the stuffing from but she still guards with her life. Also, fabulous collar, Florence. A big thanks to her human @terpkristin for the submission!
Please send in your cyber cats and other fluffy non-feline friends. Drop an email here with their name and photo, and they will be featured in an upcoming newsletter.
~ ~


A short one this week... and no newsletter next week (sorry!). But regular service will resume after, promise. In the meantime, feel free to drop any feedback you might have in the suggestion box or by email. Have a good one.