~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 42

~ ~


Twitter's CISO departs after Musk takeover
The Verge: Twitter's security chief Lea Kissner has departed Twitter, the latest in a series of high-level executives to leave the social media giant after Elon Musk, the world's richest ruiner of things, took over the company for $44 billion. @CaseyNewton and The Verge broke news of Kissner's unexpected (but not surprising) departure. Kissner then confirmed the news in a tweet. Yes, this is bad for Twitter as an ecosystem, but it's also bad for Twitter legally. Let's not forget Twitter is still under a 2011 consent decree with the FTC, which just fined the company $150 million a few months ago for violating that same decree by using emails and phone numbers collected for two-factor authentication for targeted advertising instead. If Twitter thinks its engineers can just "self-certify," as it claims, it can't, per @Riana_Crypto's tweets: "That's not how any of this works." The FTC said in a statement that "no CEO or company is above the law, and companies must follow our consent decrees." Always read Techdirt for the deep dive on the potential ramifications. Guess we'll ultimately have to wait to find out which is more powerful, a billionaire or the U.S. government's chief consumer regulator. If anyone's left at Twitter, please keep the lights on for as long as you can...
More: Washington Post ($) | Techdirt | @BNODesk | @LeaKissner | Riana_Crypto tweets
Lea Kissner tweet: "I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done. I'm looking forward to figuring out what's next, starting with my reviews for @USENIXSecurity 😁"
U.S. seizes $3.36 billion in cryptocurrency from second Silk Road hacker
Justice Department: Remember a few years ago how "Individual X" stole 70,000 bitcoins, worth about $1 billion, from the notorious Silk Road dark web marketplace and held onto it for seven years, only to apparently give it back to the feds, with no charges publicly filed? Turns out someone did it again, this time stealing more than $3.3 billion worth of bitcoin from Silk Road, but this time the thief was caught. James Zhong pled guilty to stealing the 50,000 bitcoins from Silk Road before it was busted by the feds. Zhong exploited a bug in Silk Road's payments system that allowed him to siphon bitcoin to his wallets. @a_greenberg has the full story at Wired ($). The feds said they found the bitcoin on storage devices left in popcorn tins around Zhong's house. Imagine just having a literal billion dollars casually stashed in your bathroom closet for years...
More: Wired ($) | Ars Technica | BBC News

Australia faces consequences of standing up to ransomware
Data Breach Today: Back to our regular ongoing series of "WTF is going on in Australia." This week, the Australian government accused cybercriminals believed to be in Russia of the breach at Medibank, the country's largest private health insurer, after some of the stolen data was published online. The ransomware attack is a major incident for Australia, with close to 10 million people's information stolen, including health data. The data includes some personal information and diagnosis codes, and the leak is potentially extremely compromising for about half of the population for years to come. The Australian company didn't pay the ransom (per the government's advice), which seems to be the only thing it did right, even if it did result in the most damaging data leak in Australia's recent history. @Jeremy_Kirk, who has been following this incident closely, has more in the tweets.
More: The Guardian ($) | @Jeremy_Kirk tweets | @joshgnosis
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


LockBit ransomware suspect nabbed in Canada, faces charges in the U.S.
Ars Technica: U.S. federal prosecutors landed another win this week with the arrest of Mikhail Vasiliev, a 33-year-old from Ontario, Canada, whom they accuse of involvement with the LockBit ransomware group. LockBit is one of the most notorious ransomware operations, with more than 1,000 targets to date, and a proponent of double extortion, where stolen data is published if a second (or any) ransom isn't paid. The suspect is to be extradited to the U.S. to face trial. Both Thales and automotive manufacturing giant Continental were listed on LockBit's leak site this week.

Home truths about macOS
The Eclectic Light Company: macOS is used by millions of people around the world (myself included, shocker), but the big question for many is when to upgrade to the newer operating system version. The security bug fixes (and security support!) are worth it, but there is a tradeoff for those who delay upgrading, because newer versions of macOS are so often full of bugs. This is worth the read if you're trying to decide whether the cost/benefit of immediate upgrades is right for you.

Security researcher lands $70,000 for Google Pixel lock-screen bypass
David Schütz: A vulnerability in all Google Pixel phones allowed anyone to easily bypass the lock screen, according to @xdavidhu. The bug was fixed on November 5 in an Android security update and tracked as CVE-2022-20465. The bug can be exploited with physical access to a phone, and by swapping in a new SIM and entering its PUK code.
~ ~


Irish health system ransomware victims to be contacted: More than 100,000 people whose personal information was stolen during Ireland's health service ransomware attack last year will soon be contacted by authorities, per The Irish Times. Ireland's health service was breached in 2021 by the Russia-based Conti ransomware gang, prompting the Irish government to task its military with helping in the response. Thousands of appointments had to be canceled and some hospitals had to rely on paper records.

Bulletproof hosting meets web3: Even malware campaigns are jumping on the web3 train. Cisco's Talos says it's observed several campaigns that rely on hosting their malicious payloads on IPFS, or the InterPlanetary File System, a web3 technology that works as distributed, peer-to-peer storage. SecurityWeek has a quick explainer on how it works. Per @b4n1shed: "While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns." Here's an example of a phishing page hosted on the IPFS network. Because IPFS also carries plenty of legitimate traffic, malicious use is harder for network defenders to single out.
A phishing page that looks like Microsoft's login page but is hosted on IPFS.
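The item above makes the defender's point: IPFS traffic is often legitimate, so requests to IPFS gateways need triage rather than blanket blocking. As an added example (not from the newsletter, Talos or SecurityWeek), this Python script picks IPFS gateway references out of proxy log lines, covering both path-style URLs (`/ipfs/<cid>`) and subdomain-style URLs (`<cid>.ipfs.<gateway>`), and extracts the content identifier (CID). The CID is the durable indicator: the same content can be fetched through any gateway, so blocking one gateway hostname does little, while the CID can be searched for across all of them. The gateway list, the log format and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumption: a starter list of public IPFS HTTP gateways; extend it from your own telemetry.
KNOWN_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}

# Heuristic CID shapes: CIDv0 is "Qm" plus 44 base58 characters, CIDv1 is usually base32 and
# starts with "b". Good enough for triage, not a full CID parser.
CID_RE = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"

# Path-style gateway URL:      https://<gateway>/ipfs/<cid>/...  or /ipns/<name>/...
# The fallback character class flags any /ipfs/<something> path so odd CIDs are not missed.
PATH_RE = re.compile(rf"^/(?P<ns>ipfs|ipns)/(?P<ref>{CID_RE}|[A-Za-z0-9._-]+)(?:/|$)")
# Subdomain-style gateway URL: https://<cid>.ipfs.<gateway>/...  or <name>.ipns.<gateway>
SUBDOMAIN_RE = re.compile(
    rf"^(?P<ref>{CID_RE}|[a-z0-9-]+)\.(?P<ns>ipfs|ipns)\.(?P<gateway>[a-z0-9.-]+)$"
)

# Assumed proxy log format (constructed for this example):
#   "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines: two IPFS-hosted fetches from one client, two benign requests,
# and one plain visit to a gateway landing page. The CIDs are the well-known public example CIDs.
SAMPLE_LOG = """\
2022-11-07T09:14:02Z 10.0.0.15 GET https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/login.html 200
2022-11-07T09:14:05Z 10.0.0.15 GET https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/ 200
2022-11-07T09:15:11Z 10.0.0.22 GET https://www.microsoft.com/ 200
2022-11-07T09:16:40Z 10.0.0.31 GET https://example.org/ipfs-explained 200
2022-11-07T09:17:03Z 10.0.0.40 GET https://ipfs.io/ 200
"""


def ipfs_reference(url):
    """Return a dict describing the IPFS/IPNS reference in `url`, or None if there is none.

    `ref` is the CID (or IPNS name) and `gateway` is the HTTP gateway host that served it.
    """
    parts = urlparse(url)
    host = parts.hostname or ""  # urlparse lowercases the host for us
    m = PATH_RE.match(parts.path or "")
    if m:
        return {"style": "path", "ns": m.group("ns"), "ref": m.group("ref"), "gateway": host}
    m = SUBDOMAIN_RE.match(host)
    if m:
        return {"style": "subdomain", "ns": m.group("ns"), "ref": m.group("ref"),
                "gateway": m.group("gateway")}
    # Weaker signal: any other request to a known gateway host (for example its landing page).
    if host in KNOWN_GATEWAYS:
        return {"style": "gateway-host", "ns": None, "ref": None, "gateway": host}
    return None


def scan_proxy_log(text):
    """Return one finding per log line that reaches IPFS content through an HTTP gateway."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or empty line: skip it rather than crash the scan
        ref = ipfs_reference(m.group("url"))
        if ref:
            findings.append({"ts": m.group("ts"), "client": m.group("client"),
                             "url": m.group("url"), **ref})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['style']:<12} gateway={f['gateway']} ref={f['ref']}")
```

On the constructed sample the scan flags the two fetches from 10.0.0.15 with their CIDs and the bare gateway visit as a weaker signal, and leaves the Microsoft and example.org lines alone. In practice the CID values are what you would hunt for across every gateway in your logs and share with peers, since the phishing page is the same object whichever gateway a victim reached it through.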
Russia behind Ukraine, Poland ransomware attacks: Microsoft said this week that ransomware attacks targeting transportation and logistics companies in Ukraine and neighboring Poland back in October were launched by Russian military hackers, with the aim of disrupting the flow of goods and materiel into Ukraine. Microsoft dubbed the attack Prestige, and its threat intelligence unit attributes it to "Iridium," aka Sandworm, or Russia's GRU Unit 74455, which is known for its offensive and destructive cyberattacks. Cyberscoop has good context.

Why is this root certificate authority's address a UPS mailbox? A fascinating story taking a closer look at TrustCor Systems, a web root certificate authority that's trusted by the big browsers Chrome, Firefox and Safari to vouch for the legitimacy of websites, and which, per documents and security researchers speaking to Washington Post ($) reporter @josephmenn, has unusual connections to contractors for U.S. intelligence and law enforcement. It's a long (and complicated) read but brilliantly explained. It's quite strange that such an important component of the internet is shrouded in so much secrecy and mystery, such as why its physical office is just a UPS Store mail drop in Toronto. "They have this position of ultimate trust, where they can issue encryption keys for any arbitrary website and any email address," said one researcher. "It's scary this is being done by some shady private company." More from Menn in his tweet thread. Plus, this infuriating lack of response from the browser vendors until after the story came out suggests there's more to come on this down the line.
This text is the final two paragraphs of the story, which says: "Reardon and Egelman alerted Google, Mozilla and Apple to their research on TrustCor in April. They said they had heard little back until Tuesday. After publication of this story, Mozilla gave TrustCor two weeks to respond to a series of questions, including about its relationships with Measurement Systems and Packet Forensics, the shared officers, and how the banned spyware code from Measurement Systems got into an early MsgSafe app."
~ ~


Huge news for @josephfcox whose forthcoming book, Dark Wire, is coming to Netflix. Cox's book uncovers the story of how the FBI launched one of the biggest sting operations in history by running an encrypted phone company used by organized criminals all over the world. Extremely excited to read, and soon to watch.

Check out @wendynather's bajillion conference stickers. You just know she has the air miles to prove it. (It's well worth zooming in on the photo, you'll be here for a while.)
Wendy Nather tweet: "Never leave the contents of your sticker drawer intact when the desk is being moved. Now I have to sort it all out again."
Speaking of cons, this week I was in Washington DC for the second CYBERWARCON, a one-day security conference exploring where cyber meets warfare. Keynote speaker @CISAJen spoke about how she was "encouraged" by the lack of nefarious cyber activity during the 2022 elections. Plus, Wired ($) has coverage of talks about Russia's cyberwar waged in Ukraine, and the Kremlin's criminal ransomware connections. A personal highlight was @arawnsley's brilliant talk on how Iran-backed hackers used fake Mossad sites to catch moles — even if it was briefly interrupted by an unexpected building-wide power outage (not attributed to Sandworm).

With that, let's end on this excellent (and well-deserved) humblebrag.
CYBERWARCON tweet: "Three #CYBERWARCON speakers have been sanctioned by Russia."
If you have good news you want to share, get in touch at:
~ ~


Meet Molly, this week's cyber cat, whose anonymous human tells me that she adds an extra layer of non-permissive security to their laptop. "Cat on my laptop" is the new "snow day." Thanks so much for sending in!
Molly, a brown and orange patched kitten sitting on a laptop keyboard and trackpad, looking into the camera.
Send in your cyber cats (or their friends)! You can email here with their name and photo, and they'll be featured in an upcoming newsletter. Submitted before? Send me an update!
~ ~


Thanks so much for reading this week. Feel free to share this newsletter with your friends and social feed; hit those social buttons below. In the meantime, feel free to drop your feedback in the suggestion box or send me an email.

Take care, be well, and I'll be back again next Sunday. 