~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 32

~ ~


Twilio breach exposed phone numbers of 1,900 Signal users
Ars Technica: That Twilio breach announced last week really had a knock-on effect. The hackers who broke into Twilio's systems gained access to data on 125 customers. One of those customers is encrypted messaging app Signal, which this week said 1,900 users had their phone numbers exposed as a result. (Signal relies on Twilio for sending SMS verification codes to users registering their Signal app.) No messages or private content were compromised, but Signal said at least three user accounts were re-registered during that time, allowing the attackers to briefly send and receive messages as if they were those people. Motherboard reporter @lorenzofb was one of those targeted and gave an inside account of how the account hijack went down.
More: Signal | Twilio | @nohackme | @lorenzofb tweets

DigitalOcean customers affected by Mailchimp security incident
The Register: Staying with breaches... cloud giant DigitalOcean pulled the plug on its account with email marketing giant Mailchimp (now owned by Intuit) after it pulled DigitalOcean's email account without warning. DigitalOcean was told around the same time by one of its customers that their password was reset, and asked Mailchimp, which two days later disclosed another security breach (its first was in April) where some Mailchimp customers had their email addresses exposed. Mailchimp wouldn't say how many are affected — crypto and blockchain companies were mostly targeted — but that was enough for DigitalOcean to drop a scathing blog post detailing its decision to not use Mailchimp again. (FYI, this newsletter is delivered by Mailchimp, but I was not notified.)
More: DigitalOcean | TechCrunch | @0xdabbad00

Ransomware group claims access to water systems
SecurityWeek: Moving on. A case of mistaken identity this week when the Cl0p ransomware group claimed a U.K.-based water company as its latest victim. Just one problem: they listed the wrong company. Cl0p said on its Tor leak site it hit Thames Water, which serves about a quarter of the U.K. population in the south of England. But actually, South Staffs Water, which serves 1.6 million people, released a statement saying it was targeted but only its corporate IT network was affected. Cl0p claimed to steal passports, driver's licenses, and credentials, as well as screenshots of systems.
More: The Record | @UK_Daniel_Card tweets | @malwrhunterteam tweets

TechCrunch launches tool to check for TheTruthSpy stalkerware
TechCrunch: On Wednesday at my day job (disclosure alert!), I launched a free lookup tool that lets anyone check if their Android device was compromised by a fleet of stalkerware apps, including TheTruthSpy, which all share the same infrastructure and the same security bug that's spilling the phone data of hundreds of thousands of victims. After receiving a leaked list of every device that was compromised earlier this year, we built the tool so anyone can check for themselves (since the data wasn't enough to identify or notify victims), and it explains how to remove the spyware if it's safe to do so. The list contains about six years of compromised devices up to April 2022, presumably when the data was dumped from TheTruthSpy's internal network.
More: TechCrunch | @EFF | @zackwhittaker tweets
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


White House's three-headed cybersecurity team
Axios: For a time, it wasn't clear exactly who was doing what at the highest echelons of cyber in the U.S. government, even for the top cyber officials themselves — U.S. national cyber director Chris Inglis; CISA director Jen Easterly; and White House cyber advisor Anne Neuberger. Axios breaks down the roles and responsibilities of the three top U.S. cyber officials. (Thanks to @kimzetter for tweeting about it.) But Axios warns that the industry folks, former officials and lobbyists who regularly talk with the trio "are still trying to distinguish who does what."

Android 13 privacy settings you should update now
Wired ($): Google's new mobile OS has landed, and with it packs a ton of new features aimed at privacy and security, including greater notification controls and an updated privacy dashboard.

New tool checks if JavaScript is injected through in-app browsers
Felix Krause: @KrauseFx is back after last week's look at how Instagram and Facebook inject JavaScript code into third-party websites that could allow tracking within their in-app browsers. Turns out lots of other apps are doing it. If in doubt, use a browser you actually trust (as much as you can trust a browser) and not the in-app version, which largely exists just to keep you in the app.
A chart by Felix Krause showing which apps use in-app browsers, which inject JavaScript, and have the capability to modify the page.
New DOD budget bill would force military to disclose location data purchases
Gizmodo: An amendment to the U.S. military budget, known as the annual National Defense Authorization Act (or NDAA), would require the Pentagon to publish a report about its collection of location data from calls, texts and internet traffic — and would apply to DOD's intelligence offices. The amendment doesn't ask "why" the DOD is buying it, only what kind of data it buys. A declassified memo last year reported by The New York Times ($) showed the U.S. military bought app data that could be used to track Americans.
~ ~


Apple tries to quietly patch two zero-days: Apple released surprise security updates to patch two zero-day vulnerabilities found in macOS Monterey, iOS, and iPadOS, which are under active exploitation by hackers. The two bugs, affecting WebKit (the iOS browser engine) and the kernel, are believed to be linked and could allow for complete access to a user's device. Given the profile of the bugs, it certainly looks like it could be spyware of sorts. But despite the sense of urgency, Apple refused to comment.

Government-grade bull-s...martphone: MIT Technology Review ($) obtained the pitch deck for Unplugged, a smartphone startup by Erik Prince — you know, the billionaire founder of the Blackwater "private security" firm that infamously killed Iraqi civilians. No surprise here that the pitch deck is full of bold but mostly false claims, like how it's "impenetrable" to surveillance (whereas Apple, the $2.7 trillion company with 150,000 employees, isn't?) and how its infrastructure is in part hosted on a server farm located somewhere in international waters. Brilliant reporting (and tweet thread) by @HowellONeill, who announced this week that he's leaving journalism for something new. Congrats!
Patrick Howell O'Neill tweet: "Ambitions to build a more secure smartphone are good. Impossible claims and fiction pretending your phone is impenetrable are misleading at best and dangerous at worst. The vulnerable people who need a more secure phone most also need the truth about the threats they face."
Microsoft disrupts APT with ridiculous name: Hackers linked to the Russian government, which Microsoft calls Seaborgium (in line with its periodic-table naming system), have spent the past five years conducting cyber-espionage and hack-and-leak efforts against military personnel, governments, think tanks and journalists in Europe and the South Caucasus. Microsoft blocked the hackers' use of OneDrive and fake LinkedIn accounts and exposed the innards of the wider operation.

Microsoft staff exposed their own internal logins: Staying with Microsoft: Motherboard reports that a cybersecurity firm found Microsoft's own employees inadvertently exposing sensitive corporate login credentials in repos hosted on none other than Microsoft-owned GitHub. Microsoft confirmed the exposure but declined to say specifically what the credentials were protecting.
~ ~


In keeping with our theme of "what can Doom run on" — it now works on a John Deere tractor display. Nice work @sickcodes!
An animated GIF of Doom running on a John Deere tractor display. Doom has been modded to replace a gun with a steering wheel.
Moving on...

Here's more evidence that the kids are, in fact, alright, especially the ones preempting a Future Robot Takeover™.
Daphne Keller tweet: "My son built a Captcha that always says you’re a robot. You have to keep clicking to accept that you are a robot. And then you get Rickrolled."
Meanwhile, inside the White House's National Security Council plan to deliver babusias-as-a-service, apparently?
Kevin Collier tweet, says: "I enjoyed this typo in the subject of an NSC press email just now," with a screenshot attached with an obvious typo, saying: "New USAID announcement on additional funding to get Ukrainian gran to the world's most vulnerable"
And congrats to the Motherboard lads, @lorenzofb and @josephfcox, who this week announced their books looking at Hacking Team and the government spyware industry, and the inside story of the global Anom takedown, respectively. Can't wait to read!
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat is Finn. Unfortunately thanks to their extremely stealthy hacking skills, Finn appears to be invisible. Oh well! Many thanks to Jenn K. for the submission.
Don't forget to send in your cyber cats, or their friends. Email here with their name and photo, and they'll be featured in an upcoming newsletter!
~ ~


And that's a wrap for this week, thanks so much for reading and subscribing. Hope you liked this week's newsletter. Feel free to send to a friend or post to your social feeds by smashing those share buttons below. As always, the suggestion box is open for any feedback you might have, or feel free to drop me an email if you want to get in touch.

Given next week is Labor Day in the U.S. and that so many folks are away, I may take a rare week off (sorry!) to catch up on some much-needed Zzzz's. Well, assuming nothing too big happens in the week... I guess we'll find out.

See you again soon,