~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 43

~ ~


Twitter is already melting down, as security fears rise
Wired ($): With only a fraction of the staff it had just three weeks ago as a public company, the post-Musk Twitter is already showing signs of decay. Twitter's new CEO Elon Musk, the world's richest breaker-and-leaver-of-things, started pulling cables out of the wall, including some of the essential "microservices" he claims only a few users actually need, like SMS two-factor authentication (which thousands of users have enabled). Not great when your users are simultaneously locked out and locked in, unable to log out for fear of losing their access. Things bounced back, briefly, but fears for the platform's security and integrity keep deepening. With few left to protect the fort, what could happen in the event of a breach? Lawmakers are sounding the alarm over data security concerns. And with Twitter no longer having a comms department, we might not even find out until it's too late.
More: Wired ($) | Associated Press | NBC News | @micahflee | @caseynewton
Joseph Menn tweet: "We appear well on the way to full self-driving Twitter."
Russian software disguised as American finds its way into U.S. government apps
Reuters ($): A U.S. Army mobile app used by soldiers and a mobile app used by the CDC contained code from a software company with links to Russia, which collects users' data, like geolocation, and could allow tracking at scale. Pushwoosh, which doesn't say much to quell the claims, appears to be a U.S. company but is in fact Russian, Reuters found, sparking security concerns. The government removed the code from its apps, but the episode once again highlights how data siphoned from apps on your phone can be easily handed to potentially bad actors. @pearswick has a good tweet thread.
More: @thezedwards tweets | @kimzetter

Iranian hackers breached U.S. federal agency that failed to patch Log4Shell
TechCrunch: U.S. cybersecurity agency CISA announced this week that a U.S. federal civilian agency was compromised earlier this year by Iran-backed hackers, likely working on behalf of the regime. CISA didn't name the agency or say what, if anything, was taken. Washington Post ($) reports it was the little-known U.S. Merit Systems Protection Board, an agency that "adjudicates grievances from federal government employees in areas such as whistleblower retaliation" (which, sidenote: 👀). CISA said it learned of the compromise months later, in April. The hackers broke in by exploiting Log4Shell, the zero-day bug in the ubiquitous Log4j open source software, found in a server on the federal agency's network. This happened just weeks after CISA ordered all federal agencies to patch their systems. A couple of key questions for the cyber agency: Did the breached agency ignore CISA's directive, and can CISA effectively enforce its directives?
More: CISA | CNN | FedScoop | @zackwhittaker

Researchers quietly cracked Zeppelin ransomware keys
Krebs on Security: @briankrebs with a story about a rare early win tackling the Zeppelin ransomware: researchers at Unit 221B discovered a vulnerability that ended up helping close to two dozen victims recover their files without paying the ransom. The researchers kept their discovery quiet so as not to alert the ransomware actors, who were known for targeting nonprofits and charity organizations. The ransomware gang "appears to have stopped spreading their ransomware code gradually over the past year," possibly as a result of its failed encryption.
More: Unit 221B | @briankrebs
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Infosys leaked AWS keys for a year until a researcher stepped in
Tom Forbes: Infosys, one of the biggest IT and consulting giants on the planet, exposed its own IAM keys for Amazon's AWS on GitHub for more than a year. Forbes said the keys, which had "full admin access," allowed access to an S3 bucket storing what appeared to be very sensitive data. But without an easy or obvious way to inform Infosys of the still-exposed and still-active key, Forbes revoked it there and then. In remarks: "One of the golden rules is to not touch anything you find: just document and report. Except in this case the key had been public for over a year, there seemed to be sensitive data there and the key also appeared to be a non-critical user key rather than a key for a system... I opted to close the door."
Screenshot: a listing of the contents of an S3 bucket, obtained using Infosys' AWS keys exposed on GitHub, showing the key's permissions.
Meta employees and security guards fired for hijacking user accounts
Wall Street Journal ($): More than two dozen of Meta's own employees and contractors — including security guards, for some reason — were fired over the past year alone for improperly taking over user accounts, in some cases for bribes. Thousands of people get locked out of Facebook every day, but Meta doesn't have a customer support option (you know, because the people are the product!). Some of those fired, however, had access to internal systems that could help users who were having trouble with their accounts.

e-Tugra certificate authority exposing internal systems to the internet
Ian Carroll: Certificate authorities are important. They vouch for the legitimacy of websites that you visit online with HTTPS certificates and are trusted by the big browsers. But Carroll found e-Tugra, a Turkey-based certificate authority, had exposed internal administrative tools and systems to the internet with their default credentials published on the exposed pages themselves. Carroll received no response from the authority after privately disclosing the issue.

New NSA center opens up to outside researchers
Cyberscoop: "No guns, no guards, no gates." That's the NSA's new cybersecurity collaboration center, a largely unclassified but new space to make it easier for the agency to work with private sector security researchers. The so-called CCC now works with over 250 partner organizations to collaborate against foreign cyber threats. It seems to be working, with researchers taking notice. "It's not a one-sided conversation. It's not the usual government bullshit of, 'Give us everything and go away, please,'" @juanandres_gs.

Amazon poaches top U.K. cybersecurity official
Sky News: Ian Levy, the former technical director at the U.K. National Cyber Security Centre, will join Amazon in an unspecified role. The move was reportedly vetted by the so-called U.K. Advisory Committee on Business Appointments (ACOBA), which "scrutinises applications about new jobs for former ministers and senior civil and crown servants." There's going to the private sector after more than two decades in government, and there's going to the dark side. Then, there's Amazon.
~ ~


Google settles location tracking suit: Search and ads giant Google has agreed to pay a record $392M settlement with 40 states over allegations it tracked people's devices even after they had turned location tracking off. It follows reporting by the Associated Press in 2018, which first found Google tracked users even when logged out of their apps. If you were wondering how little the settlement will affect Google, @1Br0wn calculated that it's about 0.15% of Google's $257 billion in revenue last year. (via NPR)
Ian Brown tweet: "Wikipedia says Google’s 2021 revenues were $257.6bn, so this fine is… roughly 0.15% of that."
China-backed hackers targeted certificate authority: Well, not the best week for certificate authorities, clearly. Now, Chinese government-backed hackers have been caught targeting an unnamed authority, per Symantec. The threat group it calls Billbug also targeted government defense agencies, a satellite communications operator, and three different telecom companies. (via Ars Technica, The Record)

, but in four hours or more: The identity provider "inaccurately overstated" its ability to conduct verification services for the IRS when it was contracted to take over for the federal agency last year. The company said it took only about two hours to authenticate taxpayers using its verification service. Turns out that was "misleading" (and the rest...) and it was only discovered when everything for the company started melting down. The IRS later suspended the service, though it is still used by some agencies. (via Cyberscoop)

Wickr nukes free version: Wickr Me, the consumer end-to-end encrypted messaging service, will cease operating as of the end of 2022. Amazon, which bought Wickr in 2021, will keep its AWS enterprise version running. Wickr had a major problem with child abuse materials but did little to stop it. (via Amazon)
~ ~


With Twitter quickly spiraling, many are finding home on Mastodon, which is like Twitter but federated. And instead of tweeting, you toot, though apparently we don't do that anymore. For those, like me, also new to this:
Alan James toot: "If you're new at this," followed by an image of a sign that says "Welcome to Tooting."
And if you want to find me on Mastodon, I'm

Speaking of, thanks to @mmasnick's musical take on Musk's Twitter takeover, I've had 'Come on Eileen' stuck in my head for the past week.

And finally. Look, it's only November, it's not even Thanksgiving yet! But it looks like the nerdy Clippy holiday sweaters are already out in force. Keep 'em coming.
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat is Thor, who has just one question for you. "Your password is what?" Thor knows you can do better than that. A big thanks to Madelyn C. for sending in!
Orange tabby cat called Thor.
Keep sending in your cyber cats (or their friends)! Email me with their name and photo, and they'll be featured in an upcoming newsletter. Submitted before, send in an update!
~ ~


And that's it for another week. For those still on the hellsite, catch my tweets before the lights inevitably switch off, or follow me on Mastodon for continuity. I'll be back next Sunday with a probably shorter, post-Thanksgiving (in the U.S.) update. In the meantime, drop any feedback in the suggestion box or email me.

Catch you next week,