~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 44


Top cybersecurity official Chris Krebs 'expects to be fired'
Reuters: Chris Krebs, one of the leading cybersecurity officials in the U.S. government, told colleagues he "expects to be fired" by President Trump because of his efforts to debunk election-related disinformation, much of which has come from inside the White House. Krebs was appointed by Trump in November 2018 to head the newly created CISA cybersecurity agency, and has led it since. In a statement this week, CISA doubled down on its assertion that there is "no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised," in what @alexstamos called the "most important subtweet in the history" of Twitter. Lawmakers, including Ron Wyden and Mark Warner (two members of the Senate Intelligence Committee) came to Krebs' defense this week, saying he was "respected by everyone on both sides of the aisle." But Krebs had not been fired (that we know of) at the time of writing.
More: @bing_chris tweets | @kevincollier
Zoom lied to users about end-to-end encryption for years, FTC says
Ars Technica: Video calling giant Zoom has agreed to settle with the Federal Trade Commission, which accused the company of lying to its users by claiming for years that it offered end-to-end encryption when it did not. Zoom's usage rocketed from 10 million to 300 million daily meeting participants during the pandemic while everyone was working from home, and the company's claims caught the attention of reporters, and later regulators. Under the settlement Zoom is required to run a "robust information security program" and to roll out multi-factor authentication, and it faces heavy fines if it violates the terms of the order.
More: Cyberscoop | TechCrunch

Schools struggling to stay open get hit by ransomware attacks
Wall Street Journal ($): Schools around the U.S. are fighting a wave of increasingly aggressive ransomware attacks, reports the Journal, in what has already been a tough year for schools and their students. Some 700,000 students have been affected by ransomware attacks this year alone. Because ransomware crews now steal data before encrypting the network, these attacks pose an even bigger risk to students' private data. There have been several cases of students' data being posted to the dark web after schools restored from backups and refused to pay the ransom.
More: @csstewart

Mysterious bugs were used to hack iPhones and Android phones, but nobody will talk about it
Motherboard: Google has found at least seven bugs in Android, Windows, Chrome and iOS that were being exploited by hackers in the wild, but the company still hasn't said anything about them, and critically not who used them or against whom. Those are important details, and it's not the first time this has happened. Last year, a similar spate of bugs was revealed that was later pinned on the Chinese government spying on Uighur Muslims. One of the fixes reaches back to the iPhone 6, which hasn't been supported in a while. "The fact that they updated iPhone 6 users means it was bad," said one security expert. "This feels like spy shit," said another.
More: ZDNet | @lorenzoFB

What’s all this about Europe wanting crypto backdoors?
TechCrunch: Earlier this week you might have seen a frenzy of tweets about a report claiming the EU was hurtling towards a ban on end-to-end encryption. Turns out that's not strictly the case, @riptari reports. The draft resolution merely suggests a policy direction from the top down. It is not "draft legislation," which would have to work its way through the many institutions of the EU before it could ever become law, and this policy is almost certainly in no immediate danger of becoming law. It's one to watch, but not one to panic over just yet.
More: @somospostpc

North Korea and Russia are still trying to hack coronavirus vaccine researchers
NBC News: And in some cases the hackers were successful. That's the assessment from Microsoft this week, which revealed nation-state hackers are targeting COVID-19 vaccine makers in seven countries, including the U.S. Three groups were involved: Fancy Bear from Russia, Lazarus Group from North Korea, and a third North Korea-backed group that Microsoft calls Cerium. The company wouldn't say more, but Cerium used targeted spearphishing (similar to Lazarus), masquerading as WHO officials to lure its victims. Microsoft also didn't say what the point of the attacks was, but it's likely espionage in support of the attackers' own vaccine-making efforts.
More: Wall Street Journal ($) | TechCrunch
~ ~

Thank you to everyone who reads this newsletter! If you can spare $1/month (or more for perks!), it helps to maintain its upkeep. You can contribute to the Patreon or send a one-time donation via PayPal or Venmo.
~ ~


Privacy labels for iOS and macOS apps are coming
Decipher: Starting on December 8, all Apple developers must include privacy labels, similar to the nutrition information on the side of food packaging, describing how an app uses your data. There are no exceptions: the labels must be added by the deadline or apps will be pulled. The idea is to let users know up-front exactly what kind of data an app collects about them.
Bug hunter awarded 'Researcher of the Month' award for DOD account takeover bug
ZDNet: A "critical"-rated bug discovered by Jeff Steinburg could have been used to hijack Dept. of Defense (read: Pentagon) accounts by modifying a few web parameters sent to DOD servers. The web server was missing authorization checks, which could have allowed an attacker to change another user's account password and take over the account.
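The bug class described above (a password-change endpoint that trusts a client-supplied parameter instead of the server-side session) is easiest to see side by side with its fix. The following is an added example written for this newsletter, not the DOD application or the researcher's actual finding: the parameter names, the in-memory user table and the session handling are all assumptions standing in for "a few web parameters sent to DOD servers."

```python
"""Added example: a password-change handler with a missing authorization
check, beside a hardened version. Illustrative code, not the DOD app."""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed sample accounts (assumption: a single in-memory user table).
USERS = {"alice": _make_user("alice-pw"), "bob": _make_user("bob-pw")}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def change_password_vulnerable(session_user, params: dict) -> int:
    """Decides WHOSE password to set from the request body ('user'), so any
    logged-in user can rewrite any other account. Returns an HTTP-style status."""
    target = params["user"]            # attacker-controlled
    new_pw = params["new_password"]
    if target not in USERS:
        return 404
    USERS[target] = _make_user(new_pw)  # no check that target == session_user
    return 200


def change_password_hardened(session_user, params: dict) -> int:
    """Takes the target account from the server-side session only, requires
    re-authentication with the current password, and ignores any 'user'
    parameter the client sends."""
    if session_user is None or session_user not in USERS:
        return 401
    if not verify_password(session_user, params.get("current_password", "")):
        return 403
    new_pw = params.get("new_password", "")
    if len(new_pw) < 12:
        return 400
    USERS[session_user] = _make_user(new_pw)
    return 200


if __name__ == "__main__":
    # Bob, logged in as himself, points the vulnerable endpoint at alice.
    print(change_password_vulnerable("bob", {"user": "alice", "new_password": "pwned-by-bob"}))
    print(verify_password("alice", "pwned-by-bob"))  # True: alice is hijacked
    # The same request against the hardened handler only ever touches bob.
    print(change_password_hardened("bob", {"user": "alice", "current_password": "bob-pw",
                                           "new_password": "bobs-new-password-1"}))
```

The fix is not input validation on the `user` parameter; it is never reading the account identity from the request at all, plus re-authentication so a stolen session alone cannot lock the owner out.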

Welcome back to the office. Please wear this tracking device.
OneZero ($): Now that offices are beginning to reopen in some places (even as lockdowns go into effect in others), some companies are making employees wear contact-tracing devices, ostensibly to prevent the spread of COVID-19, but the same devices can be used to monitor employees' locations and activity. The NFL, for instance, uses 25,000 trackers, which are "assigned to each player, coach, and staff member." How creepy. Makes you wish you could work from home a bit longer.

Ticketmaster fined a measly £1.25M for credit card data breach
BBC News: Ticketmaster suffered a breach in 2018 via a third-party chat bot on its site that exposed the payment card details of tens of thousands of customers. The U.K.'s Information Commissioner's Office fined the company £1.25 million (about $1.6M) for the breach, which the company said it would appeal. It's the latest paltry fine issued by the ICO in recent weeks, after it reduced its fine for British Airways from $242 million to just $26 million, and Marriott's data breach fine from $123 million to just shy of $24 million. Sheesh.
~ ~


Ubuntu fixes bugs that standard users could use to become root
Several bugs in Ubuntu that could've allowed standard users to gain "root" level privileges have been fixed. "With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves," wrote the researchers in a blog post.

The iOS COVID-19 app ecosystem has become a privacy minefield
Of the nearly 500 iOS apps designed to track symptoms and do contact tracing, only 47 use the Google-Apple privacy-friendly exposure notification system, which restricts apps to Bluetooth data collection only. The rest are a nightmare of privacy permissions, with almost half asking for access to the camera and one-fifth asking for access to the microphone. "It's hard to justify why a lot of these apps would need your constant location, your microphone, your photo library," said one digital forensics expert.
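The permissions an iOS app can ask for are declared up front in its Info.plist (an app cannot prompt for the camera without an NSCameraUsageDescription key, and so on), so the kind of triage behind those numbers can be done without running the app. The following is an added example written for this newsletter, not code from the study cited; the plist is constructed sample data, not a real app's manifest, and the list of "expected" permissions is my assumption of what a pure exposure-notification app needs.

```python
"""Added example: flag an iOS app's requested privacy permissions from its
Info.plist and report what exceeds a Bluetooth-only exposure-notification app."""
import plistlib

# Usage-description keys an app must declare before iOS will prompt for that data source.
SENSITIVE_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSLocationAlwaysUsageDescription": "location (always)",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location (always)",
    "NSLocationWhenInUseUsageDescription": "location (in use)",
    "NSPhotoLibraryUsageDescription": "photo library",
    "NSContactsUsageDescription": "contacts",
    "NSBluetoothAlwaysUsageDescription": "bluetooth",
}

# Assumption: an app using only the Google-Apple exposure notification API needs just Bluetooth.
EXPECTED_FOR_EXPOSURE_NOTIFICATION = {"bluetooth"}

# Constructed sample manifest, not from any real app.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.covidtracker</string>
  <key>NSBluetoothAlwaysUsageDescription</key><string>Needed for exposure notifications</string>
  <key>NSCameraUsageDescription</key><string>Scan venue QR codes</string>
  <key>NSMicrophoneUsageDescription</key><string>Cough detection</string>
  <key>NSLocationAlwaysAndWhenInUseUsageDescription</key><string>Track hotspots</string>
  <key>UIBackgroundModes</key><array><string>location</string></array>
</dict>
</plist>
"""


def requested_permissions(plist_bytes: bytes) -> set:
    """Return the set of sensitive data sources the manifest lets the app prompt for."""
    info = plistlib.loads(plist_bytes)
    perms = {label for key, label in SENSITIVE_KEYS.items() if key in info}
    # Background location is a stronger signal than a one-off foreground prompt.
    if "location" in info.get("UIBackgroundModes", []):
        perms.add("location (background)")
    return perms


def excess_permissions(plist_bytes: bytes) -> set:
    """Permissions beyond what a Bluetooth-only exposure-notification app needs."""
    return requested_permissions(plist_bytes) - EXPECTED_FOR_EXPOSURE_NOTIFICATION


def audit(plist_bytes: bytes) -> dict:
    info = plistlib.loads(plist_bytes)
    return {
        "bundle": info.get("CFBundleIdentifier"),
        "excess": sorted(excess_permissions(plist_bytes)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PLIST))
```

On a real device or IPA the same function runs over the app bundle's Info.plist; the usage-description strings themselves are also worth reading, since "Track hotspots" next to an always-on location key is exactly the justification the expert quoted above finds hard to accept.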

Info of 27.7 million Texas drivers exposed in Vertafore data breach
Vertafore, an insurance software provider, this week disclosed a breach involving 27.7 million Texas driver's license records. The breach happened some time between March and August and was blamed on "human error" after three data files were stored on an unsecured external storage drive. Licenses issued before February 2019 are affected. Vertafore has known about the breach since August, but reportedly delayed notification "at law enforcement's request."
~ ~


And now, breathe. It's the happy corner.

This week we celebrated 10 years of HTTPS Everywhere, the browser extension that rewrites requests to use HTTPS wherever a site supports it. The extension went from an "urgent recommendation" to a standard. According to Google's own data, more than 95% of web traffic now goes over HTTPS, up from around half more than five years ago.

Here's an interesting hacker project. Alexander Klöpping bought an e-ink frame that displays the front page of the New York Times, by loading his code into the e-ink display's CMS. The code is free, but the e-ink display is... expensive, about $2,700. A pricey, but very cool, hacker project.
And, on December 10, @hacks4pancakes, @likethecoins and @DavidJBianco are hosting a SANS webinar for career advice. Sounds like a great opportunity to get some much-needed career advice for junior cybersecurity folks (as well as for managers who lead them). You can read more on the site.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Remy. As you can tell from his eyes, he's blue team all the way. A big thanks to @euphoricfall for the submission!
Keep sending in your cyber cats! They will be featured in upcoming newsletters. 
~ ~


That's all for this week. Thanks for reading! If you have any feedback, please drop it in the suggestion box. Take care, be safe, stay healthy, and see you next Sunday.

You can update your preferences or unsubscribe from this list.

~this week in security~ does not track email opens or link clicks.