~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 30

~ ~


Taiwanese websites hit with DDoS attacks as Pelosi begins visit
NBC News: Let's start this week in the Taiwan Strait, where Chinese armed forces are conducting military exercises, timed not-so-coincidentally with the arrival of U.S. House Speaker Nancy Pelosi, the first U.S. official to visit the self-governing island in some 25 years. Pelosi's visit was met with immediate DDoS attacks targeting Taiwan's presidential office, which it confirmed after its near-immediate recovery, citing a 200-fold increase in network traffic. While that might roll some eyes (and remind some of this prescient XKCD comic), all eyes remain on a very pissed-off China, which claims the breakaway democracy as its own, amid fears that Beijing could retaliate with force, kinetic or otherwise. If China uses this opportunity to take Taiwan, like Russia is trying to take Ukraine, it will have massive implications for global relations and for technology, including chip supply chain security (at a time when there are already shortages) and wider tech, and for U.S. security.
More: Washington Post ($) | NBC News | @tingtingliutvbs tweets

'Chaotic' exploit drains $200M from buggy wallets
The Washington Post ($): A spate of web3 security incidents rattled the space this week. A "chaotic" hack this week saw some $200 million in crypto (not that crypto, the other crypto) drained from the Nomad bridge, which allows users to send and receive crypto assets from one blockchain to another. A simple coding bug led to a "free for all" smash and grab on the network, allowing some 41 blockchain addresses to drain 80% of the funds. Then, hot wallets on the Solana blockchain (including Slope and Phantom) connected to the internet were drained of their funds because of a bug that appears to stem from a backend event logging server storing seed phrases — essentially, the wallet's backup password. The whole space seems like a hot mess.
More: TechCrunch | Bleeping Computer | @samczsun | @MalwareTechBlog
Zellic tweet: "The Slope Wallet for iOS and Android uses Sentry for event logging. Any interaction in the app would trigger an event log. Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, mnemonics were leaked to Sentry."
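As an added illustration of the scrubbing Zellic describes (example code, not Slope's, Zellic's or Sentry's own), here is a `beforeSend` hook for the Sentry JavaScript SDK that redacts seed phrases and secret-named fields before an event leaves the app. The `beforeSend` option is a real SDK hook; the mnemonic heuristic, field names and sample event are constructed assumptions.

```javascript
// Added example: Sentry-style beforeSend hook that strips seed phrases from
// events. Not code from Slope, Zellic or Sentry. Assumes the Sentry JS SDK
// option `beforeSend(event)`, which returns the event to send (or null to drop it).

const REDACTED = '[REDACTED_MNEMONIC]';

// Heuristic (assumption): a seed phrase is 12 or 24 lowercase 3-8 letter words
// separated by single spaces. A production hook would also check each word
// against the BIP39 wordlist, which is not embedded here.
const MNEMONIC_RE = /\b[a-z]{3,8}(?: [a-z]{3,8}){11}(?:(?: [a-z]{3,8}){12})?\b/g;

// Hypothetical field names that should never reach a logging backend at all.
const SENSITIVE_KEYS = /^(mnemonic|seed|seed_?phrase|private_?key|secret)$/i;

// Recursively scrub one value; `key` is the property name it sits under, if any.
function scrubValue(value, key) {
  if (key !== undefined && SENSITIVE_KEYS.test(key)) return REDACTED;
  if (typeof value === 'string') return value.replace(MNEMONIC_RE, REDACTED);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value;
}

// The hook itself: wire it up with Sentry.init({ dsn, beforeSend: scrubSeedPhrases }).
// It always returns an event, so nothing is dropped, only redacted.
function scrubSeedPhrases(event) {
  return scrubValue(event);
}

// Constructed sample event resembling what a wallet app might log on a user action.
// The phrase is the first twelve words of the BIP39 English wordlist, used as sample data.
const sampleEvent = {
  message: 'wallet restored with phrase: abandon ability able about above absent absorb abstract absurd abuse access accident',
  extra: { mnemonic: Array(24).fill('zoo').join(' '), walletId: 'w-123' },
  breadcrumbs: [{ category: 'ui', message: 'user tapped Restore' }],
};

// Run the scrub on the sample so a reader can inspect the result.
function demo() {
  return scrubSeedPhrases(sampleEvent);
}

module.exports = { scrubSeedPhrases, demo, REDACTED };
```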
FEMA says emergency alert systems could be hacked to transmit fake messages
CNN: Remember a few years ago when Hawaii residents were sent a flash alert warning of an inbound ballistic missile? "This is not a drill," the message said. It was, but for half an hour over 1.5 million Americans thought — at the height of tensions with North Korea — that the end was nigh. Now, FEMA is warning that bad actors could exploit easily hackable devices that make up the U.S. national emergency alert system, which broadcasts everything from weather alerts to missing kids alerts or, in the wrong hands, panic. The device flaws are found in the encoders and decoders used for issuing alerts over the TV and radio networks. Ken Pyle, who discovered the flaws, said some of the bugs he reported weren't properly fixed by the manufacturer even years later. More details about the bug are expected to be released during the Def Con hacking conference.
More: SecurityWeek | Ars Technica | FEMA warning

Greek intelligence service boss quits after spying on journalist
Reuters ($): Wild reporting from Greece this week, as the head of the country's intelligence service stepped down after reportedly telling a closed-door Greek parliamentary hearing that his agency spied on CNN Greece journalist Thanasis Koukakis. "He admitted the surveillance, absolutely," according to one of two lawmakers who were in the room and spoke to Reuters. The admission comes after Greek opposition leader Nikos Androulakis said his phone was targeted (though not hacked) with the Predator spyware, developed by Cytrox. The government, meanwhile, denied allegations that the spy agency used mobile spyware. But for how long will that denial stand up?
More: Reuters ($) | @jsrailton tweets

Illuminate Education hit by massive cyberattack, affecting over 1M students
New York Times ($): Privacy and data practices of school and education technology firms are under fresh scrutiny after Illuminate Education, a major provider of school and student-tracking software, was hit by a cyberattack that saw the personal information of a million students taken by hackers, including names, dates of birth, ethnicities, and test scores — as well as more intimate data, like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities. @natashanyt follows a trail of incompetence — no CISO, no apparent encryption, and no basic security standards, like two-factor authentication on its Amazon S3 buckets storing sensitive student data.
More: The74 | GovTech | @natashanyt tweets
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Hijacking email with Cloudflare Email Routing
Albert Pedersen: @AlbertSPedersen found a bug in Cloudflare's email routing that allowed anyone to read user emails, scoring him a bug bounty of $6,000. The bug, at its worst, could have allowed a bad actor to read email sent to a targeted domain by forwarding it to a rogue destination email. That's a major privacy (and security) issue, taking into account things like password reset links that are often sent by email. Cloudflare said, however, that the bug was never exploited.

Post-quantum encryption contender cracked by single-core PC
Ars Technica: A prototype post-quantum encryption algorithm designed to withstand a range of potential future attacks involving quantum computers that could theoretically crack today's existing encryption standards has buckled at the first hurdle. SIKE, or Supersingular Isogeny Key Encapsulation, was broken using the processing power of a single-core PC, allowing mathematicians to recover its encryption key. Or, as @dangoodin001 put it, "Leave it to mathematicians to muck up what looked like an impressive new algorithm."
Kenn White tweet: "Reading this @dangoodin001 piece & it occurs to me what a strange path we've taken: In 10-20 yrs (or 50, or never) we *might* have practical quantum computers, so let's roll out replacement PQ crypto now. Which could be trivially broken today, on a laptop."
Thieves are stealing Hyundais and Kias with just a USB cable
The Drive: Interesting findings on how a low-tech hack targets specific Korean cars that use a physical key. Peeling back the steering column and dismantling the key slot in some Hyundais and Kias reveals a USB port that can allow a thief to "turn the ignition tumbler, start the vehicle, and release the steering lock." According to the news site, "the thieves specifically target Korean vehicles with a physical key slot as push-button start models can't be bypassed as easily."
An animated GIF showing a hacker wearing black latex gloves inserting a USB cable into a USB port on a vulnerable Hyundai.
Spanish police arrest hackers who broke into radioactivity alert system
Policía Nacional España: Spanish police arrested two former government employees who broke into and shut down a large portion of Spain's Radioactivity Alert Network, which maintains hundreds of radiation sensors across the country to detect bursts or high levels of radiation in the event of a nuclear accident. About a third of the 800 sensors were incapacitated for months, preventing their connection to the wider network, and therefore reducing the overall system's detection capabilities.

A Slack bug exposed some users' hashed passwords for 5 years
Wired ($): Slack said it exposed some users' hashed (scrambled) passwords because of a five-year-long bug — April 2017 through July 2022 — in how Slack generated shared invite links. When a link was generated, Slack inadvertently (and invisibly) transmitted the hashed password of the link creator to every other member of the same workspace. But anyone, say, running Burp Suite or analyzing network traffic may have seen the scrambled passwords. Although the passwords were scrambled, it's not clear how — specifically, what algorithm was used because Slack declined to say. That matters because some are stronger than others, while others have been cracked altogether, rendering those algorithms — and anything they protect — useless.
~ ~


Wiseasy to break into: Bad news for Wiseasy, a major Asia-Pacific maker of Android-based payment terminals — and not for the reason you might think. It turns out Wiseasy employee credentials (including an "admin" account) were stolen by malware and later sold on a known cybercriminal forum. Those credentials allowed access to Wiseasy's cloud dashboard that is used to control 140,000 payment terminals worldwide — no two-factor at all. A dark web monitoring firm found the credentials on the cybercriminal forum and tried to alert Wiseasy to the breach, which took its sweet time and only confirmed it remediated the breach after I contacted the company. (Disclosure: I wrote this story.)

Real-time facial recognition found in... a mall: Unchecked capitalism meets unchecked surveillance: a mall in Louisville has given local police "real-time" access to its facial recognition system (what could possibly go wrong?), believed to be the first documented U.S. case of law enforcement using real-time face detection. Several U.S. cities, municipalities and states have banned facial recognition, with exceptions, often for police.

280 million India records exposed: Bob Diachenko found two Elasticsearch instances exposed containing some 280 million records, apparently belonging to Indian pension fund holders. It's not clear who the data actually belongs to, but the data is now secure after Diachenko tweeted out carefully redacted details of the exposure.

Agent Tesla reporting in: CISA's list of top malware strains for 2021 includes Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND (who comes up with these names?), NanoCore, Qakbot, Remcos, TrickBot and GootLoader — you know, the usuals. Qakbot and Ursnif have been around for more than a decade, often used by Eurasian cybercriminals, while TrickBot remains strong, giving access to ransomware actors like Conti.

[ 0 ] days since Twitter's latest security incident: Another security lapse at Twitter. This time, Twitter said it fixed a security flaw that allowed threat actors to compile information of 5.4 million Twitter accounts, which were later listed for sale on a known cybercrime forum. In simple terms, the bug let anyone figure out if a phone number or email address was associated with a known Twitter user account. As you can imagine, that breach could compromise the identities of pseudonymous accounts.

NHS Wales knocked offline by cyberattack: A software outage caused by a cyberattack knocked Wales' digital health services offline. According to the BBC, the attack "targeted the system used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings and emergency prescriptions." It's not clear what happened. The government contractor said the incident caused a "loss of service," which, it's suggested, is not-so-subtle code for a ransomware attack.
~ ~


This week, @RachelTobac lightened the week with new musical security awareness videos — a logical extension from last year's infosec sea shanties.

Meanwhile, @troyhunt gets his own back on spammers by wasting their time, not his. (A truly terrible thing to do to spammers... and I love it.)

And finally. On this day in history...
A still photo from a historical episode of Sesame Street, with a person using a vintage computer with the Cookie Monster captioned as saying, "You deleted cookies?!" in alarm.
To send in good news for the happy corner, please reach out to:
~ ~


This week's cyber cat is Pumpkin. Cute and friendly on one hand, but already swiped your passwords while you weren't looking. You definitely deserve treats, Pumpkin. A big thanks to Runa S. for the submission!
Keep sending in your cyber cats or your other friends! Email here with their name and photo, and they'll be featured in an upcoming newsletter!
~ ~


And that's that after a busy week; thanks so much for reading. As we head into Hacker Summer Camp season, don't forget to mask up, stay hydrated, be safe, and have fun. (I won't be making it to Vegas this year due to other obligations.) Still, the newsletter will be back next week as usual.

As always, the suggestion box is open if you have any feedback, or feel free to drop me an email any time. 

See you next week.