~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 7


U.S. charges Chinese military hackers with massive Equifax breach
Politico: Justice Dept. prosecutors have blamed China for the Equifax hack — the latest in a long line of breaches, including the OPM, Anthem, and now the Marriott hotel breach, which wasn't linked to China until the DOJ casually brought it up this week. "At the FBI we’ve been saying for years that China will do anything it can to replace the United States as the world’s leading superpower," said deputy FBI director David Bowdich. The attribution is largely new — much of the "how" was already covered by a 2018 House committee, but there were some interesting new details in there that revealed just how the hack went down. The four named hackers work for the Chinese military, and were named in the DOJ's indictment.
More: Justice Dept. | Cyberscoop | Background: Reuters
App used by Netanyahu's Likud party leaks Israel's entire voter registry
Haaretz: A buggy app used by Israeli prime minister Benjamin Netanyahu's political party exposed the entire country's voter registry. Some 6.4 million voters had their information exposed as a result. Simply right-clicking and hitting "view source" was enough to reveal the passwords for the system admins. It's not known if any foreign adversary accessed the voter data.
More: The Daily Beast | @reglash | @micahflee

'Sloppy' mobile voting app has ''elementary'' security flaws
Motherboard: Researchers at MIT said an attacker could easily intercept and alter votes from Voatz, a mobile voting app that's already been used in four states. The MIT research is worth reading. @kimzetter has a good tweet thread on the story. Voatz clearly didn't like the research — calling it a "flawed report," and accused the researchers of using an old version of the app. That's when MIT released its FAQ and dropped some truth bombs on Voatz even more.
More: @kimzetter tweets | MIT

Facebook repeatedly warned of security flaw that led to its 'biggest data breach'
The Telegraph ($): Facebook last month settled a lawsuit into its largest data breach — some 29 million users had account tokens stolen in 2018. But it turns out Facebook employees knew about the bug and actively believed the hack "could have prevented" had the flaw been properly prioritized. In fact, some employees warned of a possible future issue as far back as December 2017. The story itself is behind a paywall but @lfdodds, who wrote the story, has a good tweet thread explaining it all.
More: @lfdodds

'The intelligence coup of the century'
Washington Post ($): Words can't really do this story justice. For decades, the CIA read the encrypted communications of allies and adversaries by selling it technology from Crypto AG, a company that the CIA secretly owned. The devices were rigged so that they the spies could easily decode messages, a plot that was dubbed the "intelligence coup of the century." The story goes way further and deeper than any other reporting done previously. This is a weekend long-read (and I'm telling you, it's long).
More: @mattblaze | @attackerman | @jeffstone500

Why the feds are raiding tech companies for medical records
Forbes: U.S. law enforcement has been secretly obtaining citizens' private medical histories for years. In some cases, the feds have targeted smaller companies with vast amounts of health information, like DrChrono, a Sunnyvale electronic health records company. With one warrant, police obtained over 8,300 files to investigate two doctors. And it's not something the feds are doing just here and there. "Investigations using DrChrono data appear to be ongoing."
More: BuzzFeed News | @iblametom
~ ~


Meet the guy selling wireless tech to steal luxury cars in seconds
Motherboard: Motherboard reports on a car hacker (and hijacker), EvanConnect, who uses wireless tech to perform replay attacks on cars — that's when you take the signal to unlock a car and "replay" it using your own tech. That lets him break into luxury cars in mere seconds. EvanConnect also sells the signal repeater for as much as $12,000. Pretty interesting stuff.

How the JPL works to secure its missions from nation-state adversaries
TechCrunch: This was a good read by my TechCrunch colleague, @rezendi, looking at how NASA's Jet Propulsion Laboratory keeps its systems (largely) safe. NASA has been hit by a handful of breaches over the past few years — most recently in June, which saw a Raspberry Pi used to steal internal data. "JPL has an interesting threat model to say the least."

A dark web tycoon pleads guilty. But how was he caught?
MIT Technology Review ($): Eric Marques was caught by way of an FBI hacking tool targeting the Tor network, but the feds kept details of the hacking tool a secret. That's concerning lawyers and activists who use Tor, which say the tool can be used against others.
~ ~

Thanks to everyone who reads and supports this newsletter! Subscribers are going up, as are the monthly costs. Please spare $1/month (or more for exclusive perks) to help maintain the upkeep of this newsletter. You can contribute to the Patreon here!
~ ~


DNSSEC ceremony delayed after they got locked out of a safe
The Register reports on a delayed DNSSEC root key signing ceremony because the "internet's safe-keepers" got locked out of a safe. Oh, the irony. The key ceremony happens every three months to cryptographically sign a key part of the secure DNS system. But apparently there's been no impact on the internet itself, which is (somewhat) reassuring.

Pentagon, FBI, DHS jointly expose a North Korean hacking effort
The feds joined forces this week to stage an intervention for North Korea, which the U.S. accuses of hacking it through at least seven malware samples. In a brief posting, CISA published the malware samples under the umbrella of North Korea's cyber activity, which it calls HIDDEN COBRA.

Emotet can now spread to nearby Wi-Fi networks
Emotet, a nasty malware that's quickly become one of the top threats on the internet, can now infect devices connected to nearby Wi-Fi networks by running through lists of insecure passwords. ZDNet also has more on the capabilities.

How Apple 'intercepts' and reads emails when it finds child abuse
More interesting stuff from Forbes about how Apple detects child abuse by scanning emails for hashes associated with known child abuse imagery. A court filing gives a rare insight into how the system works.
~ ~


Time to send off @thepacketrat, who leaves a long and distinguished career in infosec journalism to work in threat research. In a blog post (yes, that's it's a .ru domain), he said he's going to work for Sophos Labs. Sean has always been a great journalist and a good friend to me. I wish him all the best.

Signal, the encrypted messaging app, is finally hitting the mainstream, per an interview with Wired. The company has seen $50 million injected into the project, it now has 20 employees, and a ton of new features are on the way — like ephemeral images and emoji reactions. That may not seem like much to the more privacy-aware person but this is precisely what Signal needs to hit the masses.

And, Dicebreaker has a really interesting story on how the U.S. Secret Service once mistook a cyberpunk RPG game for a hacker's "handbook."
If you want to nominate some good news from the week, feel free to reach out.
~ ~


Meet Abby, this week's cybercat. Don't be fooled by her charm, she's a key player in any organization's advanced threat detection program. A big thank you to her human, @patcable, for the submission!
Please keep sending in your cybercats! You can send them here
~ ~


And that's it for now! As always, a big thanks for reading and subscribing. If you can, feel free to drop a dollar (or more) in the newsletter's Patreon. Keep the feedback coming in — you can always drop me a note in the suggestion box. Have a good rest of your weekend.

You can update your preferences or unsubscribe from this list.