~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 1

~ ~


LastPass confirms 'no indication' of compromised accounts after security alerts
ZDNet: A number of LastPass users had a security scare this week after some received email security alerts saying their master password had been used by someone else. Some reported that they used unique passwords, seemingly ruling out a credential stuffing attack that LastPass initially blamed (since how could they leak, if not a direct breach?). Someone else said they got an alert straight away after changing their master password. Turns out it was neither. LastPass owned up and apologized in a blog post, explaining that the email alerts were "likely triggered in error." Only a handful of users were affected, the company said, which added that it never stores user master passwords — presumably to prevent situations like this.
More: LastPass | @technology_greg | @campuscodi

Photography site Shutterfly is dealing with a ransomware attack
Cyberscoop: Bad news for photo printing site Shutterfly — at this time of year, no less — which was hit by a ransomware attack that interrupted portions of its business and internal systems. @shanvav first confirmed the news. The Conti ransomware group is said to be to blame, and is threatening to publish stolen files if the ransom isn't paid — including legal agreements, and banking and other enterprise logins.
More: @bleepincomputer tweets
Shannon Vavra tweet thread: "A bit of news: I'm told @Shutterfly has been hit w/ a ransomware attack in recent days."

Missouri Governor says he believes prosecutor will bring charges against reporter
St. Louis Post-Dispatch: Remember a few months ago when Missouri's governor claimed (wrongly) that a St. Louis Post-Dispatch reporter had hacked a state government website? The reporter found exposed state employees' Social Security numbers in the source code of a state government website and ethically reported it to the state. Even the state was getting ready to thank the reporter until Gov. Mike Parson came in and claimed it was an illegal act. He later used the claim as part of a political fundraising effort. Weeks on and Parson is still going at it, per the newspaper this week. Viewing the source of a web page is not a crime, but Parson seems to think so. Let's hope the prosecutor he's evidently trying to pressure doesn't think so.
More: @evacide | @iancoldwater | @pebonilla

Ransomware gang coughs up decryptor after realizing they hit the police
Bleeping Computer: The AvosLocker ransomware group offered a free decryptor to one of its victims after the group realized it had targeted a U.S. police department. According to a tweet, the group told the police department that it "will be allowing you to decrypt for free," after apologizing for having "realized this is US gov [sic]." When asked by the publication, the group said it wasn't out of altruism but that "tax payer money's generally hard to get." Clearly those U.S. sanctions are having mixed impact...
More: @pancak3lullz
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Cloud security breaches and vulnerabilities: 2021 in review
Christophe Tafani-Dereeper: Here's a good look back at the cloud vulnerabilities and security breaches we've seen publicly disclosed this year. There may be a few in here that you've missed. (I certainly did.)

DoorLock vulnerability discovered and disclosed in HomeKit
Trevor Spiniolas: A new, unpatched vulnerability in HomeKit, Apple's smart home platform, can be exploited for a persistent denial of service attack affecting HomeKit devices — including users on the latest iOS 15.2. Changing the name of a HomeKit device to a string with 500,000 characters or more crashes the Home app altogether and can render a device practically useless. This bug could be triggered by sending Home invitations containing malicious data. Worse, "if the user restores their device and signs back into the previously used iCloud linked to the data, the bug will once again be triggered with the exact same effects as before." Apple has dragged its feet on fixing the bug (like so many others) and still hasn't rolled out a patch.
An animated GIF of a video showing an iPhone unresponsive to touch/input following the exploitation of an unpatched denial-of-service bug.

ShmooCon postponed until March 24-26
ShmooCon: One of the most loved hacker cons has been delayed until March 24-26 as a result of the rising spread of COVID-19, particularly the Omicron variant. Shmoocon is in-person this year after taking a year off during the first wave of the pandemic. Adjust your travel plans!
~ ~


Tokyo police lose 2 floppy disks containing residents' personal info
The Mainichi: Japanese media reports that Tokyo police lost two floppy disks containing personal information on dozens of residents. For those young enough not to know, floppy disks are long-obsolete removable storage that could hold about 1.5 megabytes of data (back in the day, that was a lot). Police said "no leaks or misuse of the information have been confirmed at this point." Probably because nobody can find a floppy drive in this day and age... but still, their data breach notification was better than what most U.S. companies put out.

A year in Microsoft bugs: The most critical, overlooked and hard to patch
Dark Reading: Here's some 2021 nostalgia to finish out the year — the year in Microsoft bugs, from Exchange flaws to the now-infamous PrintNightmare bugs that had Microsoft scrambling for a fix for weeks.

T-Mobile confirms SIM swapping attacks led to breach
ZDNet: T-Mobile has confirmed yet another breach — but wouldn't say much about it, not even how many customers are affected, only that it was a "small number of customers." (T-Mobile has over 100M subscribers.) The unspecified "cyberattack" involved SIM-swapping — a social engineering attack that allows scammers to take over a person's phone number. Some other customer proprietary network information (CPNI) also leaked. It's been a rough year for T-Mobile, which earlier this year saw at least 47 million records on current and former customers stolen in a breach. This is, by my count, the sixth data breach in the past three four. The news was first reported by The T-Mo Report.
~ ~


Happy new year! Let's get this year going to a good start.

A few weeks ago, @TheKenMunroShow asked me to buy this newly released retro Fisher-Price Chatter 'toy' phone that now comes with Bluetooth, fearing it could be used to eavesdrop on nearby conversations. Suffice to say, it didn't fare well. This week, I ran a silent auction for this tiny piece of stupid infosec history and raised $1,200 for the Diana Initiative, a great non-profit that works to support underrepresented folk in infosec. The winning bid was $700, plus a separate donation matching the first $500. In the end, the winning bidder declined to take the phone(!) — but instead had one request: auction it again. (Am I ever going to get rid of this damn Chatter toy phone?) So here we are — again — with another chance to raise some money for a great cause.

Here's how it works: Drop me an email with your bid — bids start at $50 — and all bids are private. Bids close on January 5 at 9pm ET. The highest bid at the deadline wins the Chatter phone, and will be notified by email. The Chatter phone ships (U.S. only!) on confirmation of donation. I'll announce the winning bid in next week's newsletter.
A photo of the newly released Bluetooth-enabled Fisher-Price Chatter phone, which featured as part of a story I wrote a couple of weeks ago about how the device can be used to eavesdrop.
If you want to give but, like me, don't need a retro toy phone that's just going to gather dust, please consider donating to my local New York non-profit cat shelter and rescue group, Little Wanderers, since cyber cats are a thing here! Email me a confirmation of donation with your shipping address, and I'll send some ~this week in security~ stickers as a personal thank you.
If you want to submit good news from the week, reach out!
~ ~


This year's first cyber cat is Fenna, who as you can see is enjoying New Year's a little too much and doesn't want her human to ever get back to work. Many thanks to @raislallmohamed for the submission!
If your New Year's resolution is to send in a cyber cat (or friend), please get in touch! Drop me an email here with their name and photo, and they will be featured in an upcoming newsletter.
~ ~


A very happy new year to you. As always, the suggestion box is open, or feel free to reach out at Hope you have a great week — back same time next Sunday.