~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 35

~ ~


Ex-Twitter security head Mudge testifies to Congress after whistleblower report
CNN: In a wild two-hour hearing with lawmakers on the Senate Judiciary Committee, Twitter's former security lead turned whistleblower testified on Tuesday on a range of topics, mostly about the company's security (or lack thereof), but there were a few interesting nuggets disclosed — not least that foreign spies were (and could still be) on Twitter's payroll — including from China and India, and that engineers — some half of its staff — had broad access to user and company information. It comes in the same week that The New Yorker ($) reports that Mudge's friends and colleagues were offered money to dish the dirt on him. Wired ($) also looks at the protections a whistleblower has to take (think more than just Tor and Signal). @ericgeller had a running tweet thread from the testimony. Twitter denied and rebuked many of Mudge's allegations, but didn't add any evidence of its own to the mix, which seems quite short-sighted given the circumstances.
More: Reuters ($) | The Verge | Cyberscoop | Associated Press

Iranians went on a U.S. ransomware rampage, DOJ says
Forbes ($): Three Iranian hackers with ties to the Iranian government, known as Charming Kitten or APT35, have been charged by U.S. authorities. APT35 attacked hundreds of organizations, including a domestic violence shelter and power companies in the U.S., and others around the world. The hackers broke in and used Microsoft's encryption tool, BitLocker, against victims' data. The DOJ says the hackers were seeking financial gain as a side hustle to their main activities supporting the Iranian government; Secureworks detailed their activities and infrastructure in a lengthy blog post. The Treasury sanctioned the hackers and the front businesses they worked for, and even the NSA got in on the announcement. See, isn't it nice when all of government works together nicely?
More: Reuters ($) | Daily Beast | @jseldin tweets

Uber investigating breach of computer systems
The New York Times ($): Oh, and on top of everything else, Uber was hacked, and it looks bad — "screenshots of sensitive internal dashboards posted on the internet"-style bad. Uber hasn't said much about the hack, only that it was "responding to a cybersecurity incident." It's not clear if this is a data breach, but the hacker's access appeared broad and extensive, gaining access to AWS and Google cloud dashboards (where Uber stores customer data), Uber's Slack (where the hacker announced the breach — no less), and its HackerOne account (which it uses for bug bounties and remediating serious vulnerabilities). The hacker, who claims to be an 18-year-old, according to several security researchers who spoke with them, basically got the keys to Uber's kingdom by spamming MFA prompts until an employee accepted. It's a fast-paced incident, so expect more to come in the next few days. As usual in cases like this, @billdemirkapi has an excellent thread on what went down, and Ars Technica has a timeline and a deeper dive.
More: Associated Press | Wired ($) | @iancoldwater
Lesley Carhart tweet: "There just isn’t a lot more to comment about the anatomy of the Uber hack. It wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures. The thing we are all watching is how they respond, internally and externally."
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Apple, Microsoft fix zero-days
SecurityWeek: Apple fixed two zero-days in macOS Big Sur that are known to be exploited in the wild. The bugs affected the operating system's kernel and could allow broad access to user data. Meanwhile, Microsoft fixed a mystery privilege-escalation zero-day in the Windows Common Log File System Driver, which gives an attacker root or system privileges on all supported versions of Windows — including the now-unsupported Windows 7. Not much is known about the bug, but Mandiant, one of four security firms that found the bug actively exploited by attackers, told my colleague @carlypage_ that the exploit is likely standalone and not part of an attack chain. So how did it get on targeted computers? An infected email, possibly. Update today!

How the feds identified and shut down massive ID theft marketplace
Jeff Stone: Remember SSNDOBCLUB, the marketplace selling the personal information of some 22-24 million people, which was seized by U.S. authorities earlier this year? Exactly how the IRS, the lead agency on the case, identified its servers or the people behind it remained a mystery... until @jeffstone500 found an unredacted criminal complaint filed by an IRS agent that was somehow still on PACER. The filing detailed how the feds traced evidence to a Ukrainian national involved in the scheme, who's now awaiting trial in Florida. The full tweet thread is worth the read.

Researcher uses AI surveillance cameras to identify Instagram influencers
Dries Depoorter: Here's an interesting project: researcher Dries Depoorter built a system that uses open cameras and artificial intelligence to identify where an Instagram influencer's photo was taken. Motherboard has a good writeup about the project. It highlights just how easy it can be to identify where photos were taken, and how easily that busts a person's opsec wide open. While it's something that could be easily abused, it's "a reminder that everywhere we go in the modern world, we’re being watched, even when we think we can curate and control what the world sees of us."
An animated GIF: the left side shows a photo of an Instagram influencer standing outside a pub, and on the right is an open webcam that identifies where the photo was taken.

How Katie Nickels helped transform how we talk about cyber defense
Protocol: A profile of @likethecoins, aka Katie Nickels, and her unparalleled expertise in MITRE ATT&CK, the framework used for describing the stages of a cyberattack, which few others come close to matching (via @uuallan).

Customs officials have copied Americans’ phone data at massive scale
Washington Post ($): Incredible reporting here by the Post, which found that U.S. border authorities collect and save the contacts, call logs, messages and photos from up to 10,000 travelers' phones to a government database every year. While we know phones are frequently checked at the border (which U.S. authorities have long argued they're allowed to do because the Fourth Amendment doesn't apply at the border — which doesn't count as U.S. soil), it's now known that thousands of CBP officers are allowed to access this database without a warrant, and that the data is stored for 15 years. Sen. Ron Wyden, a privacy hawk on Capitol Hill who discovered and disclosed the program, has a bill that would require U.S. border officials to first obtain a probable-cause warrant before searching someone's phone.

Hotel giant hacked by 'vindictive' couple
BBC News: Remember the hotel giant IHG, which owns thousands of Holiday Inn, Crowne Plaza and Regent hotels around the world, and was hacked a few weeks ago? The hackers, who claim to be a couple from Vietnam, told the BBC's @joetidy that they broke into the hotel giant's systems, deployed wiper attacks, and deleted gobs of data. Tidy saw screenshots, which IHG confirmed were genuine, showing access to IHG's Microsoft Teams account, Outlook emails and server directories. According to Tidy, the hackers accessed the company's most critical databases by finding the login for the company's password vault — "Qwerty1234". An FTSE 100 company, everybody.

U-Haul breach leaked driver's licenses, customer IDs
The Record: Moving truck service U-Haul confirmed a months-long data breach that spanned from November 2021 through this April, which saw hackers make off with names, driver’s license and state identification numbers. U-Haul said it only identified the breach in July, and only sent notification letters out earlier this month.
~ ~


Two thieves to tap Teslas: With the help of a friendly hacker friend, it's possible to unlock and start a Tesla Model Y in a matter of seconds, thanks to a new attack. It requires two thieves working together — one near the owner, with an NFC keycard or a phone with a Tesla virtual key, and another thief near the car. @kimzetter reporting for The Verge.

LastPass breach limited to development environment: A few weeks ago LastPass disclosed a network intrusion. Now with more details, the password manager company said the attacker "gained access to the development environment using a developer's compromised endpoint." It's not clear how the attacker broke into the developer's device — an endpoint could be anything from antivirus to a home router — but the attacker "utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication." Since the company doesn't store master passwords, they're safe. Not bad as breach notifications go.

Montenegro, Albania cyberattacks test Nato's collective defense: NPR looks at the two cyberattacks targeting Nato countries: a ransomware attack in Montenegro, and an Iran-linked cyberattack targeting Albania. Both countries are Nato members, for which a critical component is Article 5, the collective defense clause that states "an attack on one is an attack on all." Article 5 has only been invoked once — in the aftermath of 9/11. It's less clear what happens in the event of a cyberattack, but we may soon find out.

Airplane Wi-Fi tech vulnerable to root bug: Researchers found two potentially serious flaws in wireless LAN devices often used in airplanes for Wi-Fi access points that allow passengers to use the internet. "One of the security holes, CVE-2022-36158, is related to a hidden webpage that can be used to execute Linux commands on the device with root privileges. The device’s web-based management interface does not provide a link to this hidden page." More in a blog post. Japan's CERT also has more.
~ ~


Right, now onto the fun stuff. 

I got a laughably bad phishing email this week. See if you can spot the obvious mistake.
A screenshot of a email subject line that says, "Unwanted sing-in detected." Yes, that said "sing."
Meanwhile, how to alarm your kids:
Josh Yavor tweet: "My 11yo couldn’t sleep, so I taught her about BGP. Now she really can’t sleep." The joke is that BGP is the string and sticky tape that holds the internet together... just.
And finally: Luta Security founder @k8em0 was featured in Motherboard this week about making cybersecurity more equitable for all — and with some wise words and guidance for founders (via @elinormills).
If you have good news you want to share, get in touch at:
~ ~


This week's cyber cat is Pee-wee, who is more interested in naps and music than hearing about more malware and attacks. Big thanks to Paula B. for the submission!
Send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Repeat submissions welcome!
~ ~


What a busy week (and weekend for some folks). Thanks for reading! As usual, the suggestion box is open for your feedback or drop me an email for anything else. If you liked this week's dispatch, smash a share button below. 

Enjoy your week, back next Sunday with more from what is likely to be a wild... wild week.

Until then, bye for now.