~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 29


Biden, Gates, Musk and other Twitter accounts hacked to spread cryptocurrency scam
NBC News: This week saw one of the most high profile breaches of the year: at least one hacker known for hijacking high-profile Twitter usernames gained access to an internal "admin" tool on Twitter's network, hijacked a ton of celebrity accounts — Joe Biden, Bill Gates, and Elon Musk to name a few — to spread a cryptocurrency scam. The hacker made over $120,000 in just a few hours. But how the hacker got in and whether an employee helped remains a mystery, but it's likely the hacker found their way into Twitter's Slack where they found a set of credentials. Some 130 accounts were affected by the breaches. Twitter later said eight users had their data downloaded — including their DMs. But the company refused to say if the hacker read anyone else's DMs — even though they're believed to have had access. The breach could've been so much worse, even having serious implications for national security, given that this is an administration that frequently uses Twitter to dictate policy.
More: Motherboard | BBC NewsNew York Times ($) | @typeMRT
Russian government hackers targeting coronavirus vaccine research
Cyberscoop: Moving on to the second biggest story of the week: Russia is accused of sponsoring hackers to try to steal coronavirus vaccine research, according to the U.K., U.S., and Canadian governments. APT29, or Cozy Bear, was blamed for the malware-driven attacks that targeted research labs trying to find a vaccine for COVID-19. Russia, of course, denied the claims, but the Allied nations say they have enough evidence to draw a solid conclusion.
More: BBC News | The Guardian | National Cyber Security Centre 

Inside America's secretive $2B research hub, collecting fingerprints from Facebook, hacking smartwatches, and fighting COVID-19
Forbes: This was an incredible deep-dive feature on Mitre Corp, one of the most innovative nonprofits in the U.S., which gets $2 billion from U.S. agencies to national security and surveillance work, to name a few. One of its projects includes a $500,000 grant from Homeland Security to hack Internet of Things devices like smartwatches. It also built tech that let it pull fingerprints from photos shared on social media. But it's also put some of its other technology to help fight the ongoing pandemic. So many scoops in this story, it's impossible to pull them all out. Take the time to read this one.
More: @iblametom tweets | @willoremus

U.K. effectively bans Huawei from 5G rollout, ordering its kit removal
BBC News: The U.K. government has effectively banned Huawei from supplying equipment to the U.K.'s 5G phone network, citing apparent security risks amid fears that the equipment could be used to conduct espionage for the Chinese government — claims that Huawei has always denied. The U.K. came under intense pressure from its U.S. allies, which threatened to cut back intelligence sharing if the country kept using Huawei equipment. China responded angrily to the new ban, all but accusing the U.K. of creating a hostile environment for Chinese businesses.
More: Reuters | GOV.UK

Iranian spies accidentally leaked videos of themselves hacking
Wired ($): IBM researchers obtained five hours of videos of APT35 (also known as Charming Kitten), a hacking group associated with Iran, showing recordings of the hackers targeting their victims. The hackers exposed those videos through a misconfiguration of a private cloud. Many of the videos are training videos to help junior hackers handle breached accounts. Other video clips saw the hackers "working through a text document full of usernames and passwords for a long list of non-email accounts, from phone carriers to bank accounts, as well as some as trivial as pizza delivery and music-streaming services."
More: IBM X-Force | @a_greenberg

Secret Trump order gives CIA more powers to launch cyberattacks
Yahoo News: The CIA has launched several cyber operations against Iran and other targets after President Trump signed a secret authorization in 2018 that granted the agency "sweeping" new operational powers. The so-called "presidential finding" gives the agency new powers to authorize its own operations, instead of having to first go through the White House. These powers, write @kimzetter and @jennamc_laugh et al, are intended not for collecting intelligence but for causing disruption, such as cutting off electricity, similar to how the U.S.-Israeli attack in 2009 used the Stuxnet malware to target Iranian enrichment centrifuges. Incredible reporting.
More: @kimzetter tweets | @johnmdonnelly

MGM breach likely 10-times larger than originally reported, and it knew
ZDNet: The data breach at MGM Resorts earlier this year likely affected ten-times more customers — some 142 million guests — not the original 10 million first reported, according to a dark web seller. Worse, MGM said it was aware of the size of the breach, it just never bothered to correct the record when the news stories first hit with the significantly low figure, as @joetidy explained: MGM "chose" not to correct reports.
More: @joetidy

Does TikTok really pose a risk to U.S. national security?
Wired ($): Finally, a measured, reasoned, and logical rundown of whether (and how much) TikTok could be a threat to U.S. national security. @lmatsakis explains the issues from both sides, the side-effects of blocking TikTok, and why shutting down a platform used by tens of millions of Americans might be a major problem for the U.S. — and not just for China.
More: NBC News | TechCrunch
~ ~

A big thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. Contribute to the Patreon here!
~ ~


EFF launches searchable database of police agencies and their surveillance tools
Electronic Frontier Foundation: Atlas of Surveillance is the EFF's new searchable site that shines a light on police deployments of cameras, drones, license plate readers and more. Built from crowdsourcing over two years, the EFF found a "sprawling spy state" that reaches coast-to-coast.
EU-US Privacy Shield for data struck down by court
BBC News: An agreement that governed the transfer of EU citizens' data to the U.S. has been struck down by Europe's top court, arguing that U.S. surveillance laws did not protect the data from government snooping. It's been the obvious "well, duh" for many years — but now that a court has intervened, it looks like companies will have to move to non-negotiable legal contracts instead. @riptari explains more in detail, and the consequences this'll have on both continents.

NSO allegedly knows the targets of its spyware
Die Zeit: The popular German newspaper published an English translation of an interview with Shalev Hulio, chief executive of spyware maker NSO Group. According to the interview, Hulio admitted that NSO "is, in fact, able to discover who its customers spy on with the help of Pegasus," referring to its spyware tool. The company only sells its spying technology to customers who "agree to allow NSO to document its use." The interview adds: "Every step is recorded on company servers, he says, and NSO has access to those records." That's a huge admission. That could, potentially, mean NSO faces liability if targets find out and take legal action.

Phone of top Catalan politician 'targeted by government-grade spyware'
The Guardian: Onto more NSO news of the week: The Guardian reports that the phone of a top Catalan politician was hit with NSO's Pegasus spyware in what's likely a case of "domestic political espionage." Spain is said to be a government customer of NSO's. NSO allegedly used a flaw in WhatsApp to deliver the malware. WhatsApp is suing NSO for the alleged use. Citizen Lab's @jsrailton has a great tweet thread on the story. This happened in the same week that an Israeli court allowed NSO to keep selling its spyware outside the country.
~ ~


Chinese bank require clients to use tax programs laced with backdoors
A Chinese bank asked clients to install a specific tax software on their computers as a prerequisite to doing business. Little did the clients know that the software came with a backdoor, according to new research this week. @shanvav has more.

BlueLeaks hack exposes personal data of 700,000 cops
You've probably already heard of BlueLeaks, the police websites that were hacked last month. We covered it in this newsletter. @micahflee dug into the data, figured out who was affected, and what the files say.

Drug cartel ‘narco-antennas’ make life dangerous for Mexico’s cell tower repairmen
This is a really good read on how the Mexican cartels use encrypted cell phones and two-way radios to communicate over vast areas. The story opens with how one phone technician accidentally cut off the network when trying to make repairs. "The visitors let him off with a warning." Fascinating stuff, and incredibly good reporting.

FBI is secretly using a $2 billion travel company as a surveillance tool
A great scoop by @iblametom, who's been on fire this week. The FBI has been using the All Writs Act, an obscure law that the FBI tried to use on Apple to force it to build a backdoor in its iPhones several years ago, to compel Sabre, a massive travel company, to turn over real-time travel records on suspects. Probably one of the biggest scoops of the week that would've been noticed more had this week not been... so damn busy.
~ ~


OK, that's the news. Quite a week.

There's just one thing I wanted to flag this week. The FCC has approved a 3-digit number — 988 — as the new National Suicide Prevention number. Hopefully it will make it easier for those in distress to get in touch with someone. But also having a 3-digit number, like 911 for emergency services, sends a message that suicide prevention is as important as needing the police, fire service, or an ambulance. The rollout should be completed by 2022.
If you or someone you know is struggling with depression or has had thoughts of harming themselves or taking their own life, there is help. The National Suicide Prevention Lifeline (1-800-273-8255) provides 24/7, free, confidential support for people in distress, as well as best practices for professionals and resources to aid in prevention and crisis situations.
~ ~


This week's cyber cat is Bela. According to her human, here she is yawning after she spent all night trying to break a reduced round version of AES-128 using differential cryptanalysis. We admire the effort, though! A big thanks to Paulo for the submission!
Please keep sending in your cyber cats! We're low on supply! You can email them in here
~ ~


That's all we have for now. What a week. Hope you enjoyed this week's newsletter. Feel free to drop any feedback in the suggestion box. Take care, and see you next Sunday.

You can update your preferences or unsubscribe from this list.