~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 32


From Minecraft tricks to Twitter hack: A Florida teen's troubled online path
The New York Times ($): The Times looked at the life of the alleged "mastermind" behind the Twitter hack last month, Graham Ivan Clark, now 17, exploring his early years in hacking forums and the later theft of almost a million dollars worth of cryptocurrency by the age of 16, grabbing the attention of the Secret Service. The alleged hacker is charged with a 30-count indictment and prosecutors are pushing to try him as an adult. A brief court appearance this week was interrupted by Zoombombers, who hijacked the virtual court session with porn.
More: Motherboard | @kimzetter tweets

Insecure satellite Internet is threatening ship and plane safety
Ars Technica: This week at Black Hat, one researcher revealed how satellite-based internet puts millions of people at risk of attacks. The researcher, James Pavur, intercepted the streams of 18 satellites beaming to ships, people, and planes and found a ton of sensitive data in the streams, including session cookies, unencrypted data, and even an account reset for a billionaire's yacht.
More: Cyberscoop | @shanvav tweets

Canon confirms ransomware attack in internal memo
Bleeping Computer: Camera and printing giant Canon has confirmed a ransomware attack in an internal note to staff. The attack is blamed on the Maze data-stealing ransomware, known to publish stolen files in the event a company doesn't pay the ransom.
More: Canon

Voting machine makers are finally playing nice with hackers
Wired ($): ES&S, one of the major U.S. election machine makers, has long seen hackers as a thorn in its side for finding bugs that could compromise the security of its machines. Instead of embracing hackers, the company rebuffed them. Now, the company's decided to play nice. @lilyhnewman reports on its massive about-face and its new vulnerability disclosure policy. According to ES&S's security chief: "Hackers gonna hack."
More: Washington Post ($) | Cyberscoop

Russian hackers stole trade papers from U.K. government minister's email
BBC News: Last year's U.K. general election was hit with controversy, involving leaked documents relating to U.K.-U.S. trade talks, which alleged that the U.K.'s National Health Service, a pillar of British society, would be at risk in a post-Brexit world. The documents were paraded by the opposition Labour party in an effort to gain votes from the ruling Conservatives, an effort that largely failed. It turns out those classified documents were stolen from the personal email account of a former U.K. government minister, reports Reuters. The Russians were blamed for the hack and for trying to interfere in the election.
More: The Guardian | BBC News

Researchers warn of an Achilles' heel security flaw for Android phones
CNET: More than 400 vulnerabilities in Qualcomm Snapdragon chips could be exploited to bypass security checks and steal sensitive data, according to new research. The chips are widely used in Android devices, and as many as one billion devices could be at risk. Qualcomm acknowledged the flaws but ultimately it's up to device makers to push out software fixes.
More: Ars Technica | @alfredwkng

Hacker leaks passwords for over 900 enterprise servers
ZDNet: A hacker published a list of plaintext usernames, passwords and IP addresses for over 900 Pulse Secure VPN servers, which could allow an attacker to break into their networks. All of the servers are vulnerable to a known flaw, revealed last year. It's believed the hacker scanned the internet for vulnerable servers, then exploited and dumped the credentials from the server. The data was shared on forums frequented by ransomware gangs, since this bug has been used to infect networks with ransomware.
More: CERT-CC | @campuscodi tweets
~ ~



Security researcher looks under the TikTok hood
Baptiste Robert: @fs0c131y is known for tearing down apps and looking under the hood. This time he dug into TikTok, accused by the U.S. government of being a national security threat. But he found the popular video app wasn't doing anything that Western apps weren't already doing. Anyone can follow his line-by-line analysis. Ultimately, he found TikTok doesn't present any suspicious behavior that other apps, like Facebook, Snapchat, and Instagram, aren't also guilty of. That falls in line with what other researchers have found.

Twitter faces FTC probe, likely fine over use of phone numbers for ads
Ars Technica: Twitter faces an investigation by the Federal Trade Commission and a fine of up to $250 million after it was caught using phone numbers intended for two-factor authentication for advertising. Facebook was caught pulling a similar stunt in 2018 and was forced to settle in a $5 billion case with the FTC involving a ton of other privacy infractions.

Twitter says Android security bug gave access to direct messages
TechCrunch: Speaking of Twitter... the company said this week that a bug in its Android app may have allowed a malicious app on the same device to access a user's private Twitter direct messages by exploiting a bug in the underlying Android software. Google fixed the bug in October 2018, but Twitter was told only recently by a third-party researcher filing through Twitter's bug bounty program that its Android app was still vulnerable. But Twitter said in a blog post there was no evidence of exploitation. (Disclosure: I wrote this story.)

U.S. travel giant CWT pays $4.5 million after ransomware attack
Reuters: CWT is $4.5 million down after paying hackers who launched a successful ransomware attack on 30,000 of its systems. The hackers used the Ragnar Locker ransomware, which steals files before it encrypts a company's network, and originally demanded a $10 million ransom to restore its files (and delete the files it stole). Reuters' @jc_stubbs obtained a copy of the ransom negotiations and did a great tweet thread.
~ ~


Hackers target British dental organization
BBC News reports that the British Dental Association had a data breach involving dentists' bank account numbers, correspondence, and possibly patient data. The organization was vague on that last point, though it doesn't store "full" patient records, the BBC reports.

State Dept. launches election interference bounty, sends 'confusing' text message campaign
The U.S. State Dept. is offering up to $10 million for information leading to the "identification or location of any person who works with or for a foreign government" with the purpose of using cyberattacks and disinformation to interfere with the U.S. election. According to a wanted-style poster, State is looking for faceless black hoodie hackers (sigh). Within days, a flood of text messages promoting the bounty landed across Russia and Iran, causing confusion. State later admitted it was behind the massive unsolicited text message campaign.

One tweet tried to identify a cop — then five people were charged with felony harassment
Oh, now this is messed up. A New Jersey police department charged a person with felony cyber harassment for tweeting a photo in an attempt to identify a police officer. Just as bad, four people who retweeted the tweet were also charged. The Verge had the story first. The charges were eventually dropped after a ton of media outlets picked up the story. I suspect this likely won't be the last time this happens.

U.S. government contractor embedded software in apps to track phones
Anomaly Six, a contractor for the U.S. government, embedded its software in more than 500 apps in order to obtain location data on millions of users' devices. According to the Journal ($), the contractor provides global-location-data products to the government and private-sector clients.

Capital One faces $80 million fine for data breach
A U.S. financial regulator has fined Capital One $80 million for its 2019 data breach, which by my math is less than 0.02% of the credit giant's 2019 revenue. @kmcquade3 had a really good tweet thread about the breach.
~ ~


OK, and now for some good news.

Portland, Maine has become the 13th city to ban face surveillance, joining San Francisco, Boston, Oakland and several other major cities. Great news for the privacy of millions who live in these cities.

Mozilla has announced that the latest version of Firefox has rolled out Enhanced Tracking Protection 2.0, including blocking redirect trackers by default. The anti-tracking technology will help battle tracking cookies and prevent sites from funneling users through a tracker's site before landing on the intended site.

And, here's one Imgurian accepting their $12 payout from the Google+ class action suit, which was sent out this week to affected former users.
If you want to nominate some good news from the week, feel free to reach out.
~ ~


A two-for-one cyber cat offering this week: meet Abby and Max, who as you can see are clearly exhausted after a hard week defending against hackers. Get some rest, there's more work to be done! A big thank you to @marciahofmann for the submission!
Please keep sending in your cyber cats! (These emails are the highlight of my week.)
~ ~


And we're out. Thanks for reading — and for those who participated in Black Hat & Def Con this week, I hope you had a great (virtual) time. As always, if you have any feedback, please drop it in the suggestion box. See you next week.
