~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 14
As coronavirus continues to lead the headlines, this newsletter will keep you up to date every Sunday with all the cybersecurity news from the week. Stay safe out there, folks. 
~ ~


Zoom uses 'roll your own' crypto, sent calls and keys to China
Citizen Lab: When it rains, it pours. And this week, Zoom almost drowned in a sea of unflattering headlines over its privacy issues and security vulnerabilities. World-renowned researchers at Citizen Lab found Zoom, the popular video calling platform, was in some cases routing calls through China, which meant so were its non-end-to-end encryption keys, and therefore vulnerable to Chinese authorities. The researchers said Zoom shouldn't be used for anything sensitive. Zoom's CEO Eric Yuan apologized and said the company would do better on encryption, but didn't actually say what Zoom plans to do differently — or when.
More: Wired ($) | The Intercept | Objective-See | New York Times ($) | Zoom

Marriott says 5.2 million guests exposed in new data breach

Reuters: Turns out Marriott had another data breach. This time it was just 5.2 million guest records and not the 382 million affected from the first breach. It looks like hackers used employee accounts, which weren't protected with two-factor authentication.
More: Marriott

Bugs that let sites hijack Mac and iPhone cameras fetch $75,000 bounty
Ars Technica: A security researcher scored a $75,000 bounty for finding a set of security bugs in Macs, iPhones and iPads that could've triggered improper access to the device's cameras without permission simply by visiting a malicious website.
More: Ryan Pickren
HackerOne cuts ties with mobile voting firm Voatz after it clashed with researchers
Cyberscoop: For the first time, bug bounty service HackerOne has booted a company from its platform. Voatz, the mobile voting firm, was kicked out after it last month criticized MIT security researchers for finding a ton of security flaws in Voatz's software. Then, Voatz took its safe harbor provisions out of its bug bounty policy, alarming researchers. Trail of Bits later confirmed the bulk of MIT's findings. Voatz, don't let the door hit you on your way out.
More: Washington Post ($) | @konklone

GoDaddy phish jeopardized and others
Krebs on Security: A successful targeted phishing attack against a GoDaddy employee allowed the attacker to view and modify customer records belonging to, a website for brokering transactions online. GoDaddy confirmed the phish, and said that five other customer accounts were "potentially" affected. Just goes to show why you should two-factor all the things — even if you don't think you'd ever be a target.
More: | @briankrebs

Russia's planned coronavirus app is a state-run security nightmare
Gizmodo: Moscow officials have developed a smartphone app meant to be downloaded by Moscow residents who have contracted the virus, as part of an effort to monitor their movements and track the spread of the disease. But the app, a researcher found, is a security nightmare. At its worst, the app cost about $228,000 but doesn't even transmit the collected data with encryption. Go figure. The researcher published his findings on GitHub.
More: GitHub | Telegram thread (Russian)
~ ~

A big thanks to you for reading this newsletter! As subscribers go up, so do the monthly costs. If you can spare $1/month (or more for exclusive perks), it helps to maintain the upkeep of this newsletter. You can contribute to the Patreon here.
~ ~


School closures due to coronavirus driving a new wave of student surveillance
Washington Post ($): Even now that schools are closed, students still don't get a free pass on their exams. Many schools are turning to "online proctor" companies that watch students through their webcam as they take their tests. Experts say students are forced to pick between their privacy or their grades. As someone who hasn't taken an exam in a decade or so (and before all this online proctoring became a thing), this was a pretty eye-opening story.

Court: Violating a site's terms of service isn’t criminal hacking
Ars Technica: And some slightly good news: a Washington DC federal court says violating a site's terms of service does not, from a criminal point of view, break the CFAA, America's hacking law. "Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," wrote the judge. It's the latest court to interpret the vague CFAA, which has for years limited and hindered computer security research across the world.

These are the best security keys for multi-factor authentication
Wirecutter: @yaelwrites is back at the Wirecutter with another deep-dive on tech. This time it's multi-factor security keys. I won't spoil the surprise, but I'm personally a fan of the decision.
~ ~


FCC will enforce its robocall crackdown by June 2021
The FCC is giving cell carriers until June 2021 to implement STIR/SHAKEN, the cellular protocol that cryptographically authenticates each caller and thus helps to weed out spam and spoofed calls. It comes after lawmakers signed off on the TRACED Act, which forced the FCC to do something about the epidemic of spam calls.

Israeli spyware firm pitches to be coronavirus savior
NSO Group — yes, the same NSO Group that's being sued by WhatsApp for developing spyware that's been used to spy on journalists and activists — is now positioning its spyware as a way to "solve" the spread of coronavirus. It uses location data to show where clusters of the disease are. If that sounds alarming, it's also caught the attention of privacy experts, who decried the idea. Vice also got a closer look at the technology.

Twitter reveals bug may have exposed users' downloaded data
Twitter said this week that it "learned" the way Firefox stores cached data may have stored user data caches downloaded from the service. "This means that if you accessed Twitter from a shared or public computer via Mozilla Firefox and took actions like downloading your Twitter data archive or sending or receiving media via Direct Message, this information may have been stored in the browser's cache even after you logged out of Twitter." That's a pretty big mistake to find out after the fact. On the bright side, this issue "did not impact people using other browsers like Safari or Chrome."

Over 12,000 Android apps contain master passwords, secret keys and commands
A new comprehensive academic study found hidden 'backdoor-like' behavior in 6,800 Play Store apps, 1,000 apps from third-party app stores, and almost 4,800 apps pre-installed on user devices. In the case of NBC's Sports app, tapping on the version number 13 times and entering the Konami code would open up a debug menu. You can find the paper here.
~ ~


There wasn't much good news this week. Sorry. (You're still welcome to reach out and nominate some good news from the week!) 

There was one thing I wanted to flag:

@dugsong, who co-founded the Song Foundation with his wife, has donated $1 million to provide short-term emergency relief to small businesses in Washtenaw County. Song originally founded security firm Duo, which was bought by Cisco in 2018 for $2.35 billion.
~ ~


Meet Belle, this week's cyber cat. She likes it when her human works from home. Only problem is the "work" part. A big thanks to Belle's human, Sophia Xepoleas, for the submission.
If you, like me (and the rest of the world!) are still stuck in quarantine at home, please send in your cyber cat photos! Now's a better time than ever! Send them here
~ ~


That's it for this week. Thanks again for being a reader. As always, feel free to drop any feedback you may have in the suggestion box. Stay safe, stay indoors, be well. See you next week.
