~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 23


DEA given permission to 'conduct covert surveillance' on protesters
BuzzFeed News: The Justice Dept. this week gave the Drug Enforcement Administration, a federal agency typically tasked with enforcing federal drug-related law, the right to "to "enforce any federal crime committed as a result of the protests over the death of George Floyd." The DEA is one of the most tech savvy agencies, with access to stingrays, billions of cell phone records, facial recognition tech and more. According to BuzzFeed, even some at the DEA are uneasy about the move, saying the Justice Dept. is "potentially abusing" its power to smear the protesters. The ACLU said that drug enforcement agents should "not be conducting covert surveillance of protests and First Amendment protected speech."
More: Emptywheel | ACLU Protesters' Rights | @josephfcox
Exploit code for wormable flaw on unpatched Windows devices published online
Ars Technica: A researcher has published exploit code for a potentially 'wormable' Windows bug, which if exploited could allow a malicious actor to spread code from one machine to another, like WannaCry or NotPetya. The exploit, called SMBGhost, is unreliable and crashes frequently but could still be used to install malware and spread it across the network. "Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die," the Github user writes. The bug affects Windows 10 (versions 1903 and 1909) and Microsoft patched back in March, so update today.
More: MSRC | GitHub | SMBGhost scanner

How cyber pros are confronting racism in their own ranks, and beyond
Cyberscoop: This week saw massive nationwide (and global) protests after the murder of George Floyd, an unarmed black man killed by a white police officer, who is now in custody. Cyberscoop looked at how the cybersecurity sector is confronting and challenging racism. "Too many people, especially in the infosec community have remained silent."
More: Washington Post ($)

Israeli cyber chief says major attack on water systems thwarted
Associated Press: Israel's national cybersecurity chief said the country had thwarted a "synchronized and organized attack" aimed at its water systems. If successful, the cyber chief said it could have caused "very big damage" to the civilian population — even cutting off the water supply, he said. According to the AP, chlorine or other chemicals "could have been mixed into the water source in the wrong proportions and resulted in a 'harmful and disastrous' outcome." Israel is said to have blamed Iran for the near-incident but allegedly launched its own cyberattack against an Iranian port in response.
More: Cyberscoop | @lukOlejnik

Trump and Biden campaigns were targeted by foreign hackers, Google says
NBC News: @shanehuntley, the director of Google's Threat Analysis Group that's tasked with investigating nation-state hacking, said Chinese hackers were targeting the Biden campaign just as Iranian hackers were targeting the Trump camp (again). Both campaigns were alerted to the unsuccessful intrusions. "No sign of compromise," said Huntley. It just goes to show that foreign actors are still interested in meddling with the upcoming U.S. election.
More: @ShaneHuntley tweets 

Apple fixes bug that could have given hackers full access to user accounts
Ars Technica: Sign In With Apple lets users sign in to a site without having to give over their email address or other data. When users hide their email, Apple generates a web token that contains a user-specific relay to pass along important email messages. But a bug made it possible for an attacker to obtain those tokens and gain access to those private email accounts. The researcher was given $100,000 for reporting the bug. You can read his full research here.
More: Bhavuk Jain | Threatpost
~ ~

Thanks to everyone who reads and subscribes to this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for perks), it helps to keep the newsletter going. You can contribute to the Patreon here.
~ ~


Cyberattacks since the murder of George Floyd
Cloudflare: Networking and security giant Cloudflare said that in the week since the murder of George Floyd it was "clear" there were more cyberattacks than during the same period a year earlier. Cloudflare said it blocked 116 billion malicious HTTP requests. That amounts to about ten-times Google's entire search volume every single second. Many of the attacks were targeted against government websites and anti-racism organizations.

Tor improves .onion domain names in Tor Browser 9.5
Tor Project: Some great updates to the Tor Browser in version 9.5, out this week. It comes with a new feature to tell you if a website has a .onion address and if you want to visit that site, as well as an improved URL bar security indicator. The new version also comes with .onion error pages for better diagnostics, and onion names — which shorten the long, difficult to remember .onion addresses with shorter, clearer domain names — like lucyparsonslabs.securedrop.tor.onion instead of http://qn4qfeeslglmwxgb.onion.
Signal rolls out face blurring tools
Signal: End-to-end encrypted messaging app Signal has rolled out a face blurring feature to help protesters (and anyone else for that matter) to mask their faces. It also helps to thwart privacy-invasive facial recognition systems. The feature rolled out to iOS and Android, so update today. (There are a few of these face-blurring tools: I compiled a few together this weekend. Some are better than others: be mindful of your threat model.)
~ ~


Zoom to exclude free calls from end-to-end encryption to allow FBI cooperation
In its latest earnings call, Zoom CEO Eric Yuan said: "Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose." That kicked off a week of debate. @alexstamos, a Zoom advisor, broke down Zoom's point of view on the matter. Others disagreed, saying that it's not fair to give stronger encryption to those who can afford it. EFF's @jenuhhveev laid out the argument that it makes it more difficult for cash-strapped activists and non-profits to do their work — and protect their sources from governments (and companies like Zoom).

White House says security incidents at US federal agencies went down in 2019
In its annual report to Congress, the White House's Office of Management and Budget (OMB) reported that the number of cybersecurity incidents recorded at U.S. federal agencies in 2019 went down by 8%. The report said there was a reduction in phishing attacks, compromises of websites and web apps, and staff losing devices. But the report saw a rise in brute-force attacks and incidents involving removable storage, like flash drives.
~ ~


A couple of things this week:

Signal saw a massive spike in the number of downloads in the past week, reports Quartz, rocketing from about 9,000 downloads a day to over 26,000 downloads a day as of the start of June. It's great that Signal is going mainstream, given that security experts have long called Signal the gold standard of end-to-end encrypted messaging apps.
And, if you're going out to protest, make sure you're aware of your rights, from photography and recording to what to bring to stay safe. CNN has an easy-to-understand explainer. And, if you can't go out, there are plenty of things you can do at home, per this Wired article. CNET explains how to keep your personal privacy safe while you protest. Motherboard also refreshed its guide. Stay safe out there.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet Alex, this week's cyber cat, who wants to remind you to keep your apps and devices up to date! A big thanks to @elandrieu for the submission!
Please keep sending in your cyber cats! You can email them in here
~ ~


That's all for now. As always, thanks for reading and subscribing. The suggestion box is always open for feedback. Stay safe, be well. See you next Sunday.

You can update your preferences or unsubscribe from this list.