~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 4, issue 21

~ ~


Malware breaks macOS security to take sneaky photos
Forbes: The XCSSET malware has been targeting Mac users, allowing it to bypass macOS' privacy protections and secretly take screenshots of a victim's display. The exploit allowed the malware to inherit screen recording permissions from other apps, like Zoom. Apple has fixed the vulnerability and confirmed it was exploited in the wild. Jamf, which discovered the malware's new technique, said the bug wasn't limited to taking screenshots and easily could have abused other access, such as the microphone and webcam. The bug was recorded as CVE-2021-30713.
More: The Record | Jamf | Apple security updates

Court rules encrypted email provider Tutanota must monitor messages in blackmail case
Cyberscoop: A federal court in Germany has told encrypted email provider Tutanota that it must monitor for three months the messages of accounts implicated in a blackmail case. The case impacts just two accounts, but Tutanota said it shouldn't be required to monitor accounts as it's not a telecoms provider. "We consider this decision to be absurd," said Tutanota. The decision will only impact unencrypted incoming and outgoing emails of the affected accounts, as Tutanota can't decrypt data that has already been encrypted, per Cyberscoop. But it's feared that the court ruling could open the door to action against other encrypted providers.
More: @ilumium

Microsoft finds SolarWinds hackers targeted USAID
Microsoft: The Russian hackers behind the SolarWinds attack, which Microsoft calls "Nobelium," were found targeting USAID and other agencies with an aggressive (and rather "loud") phishing campaign, targeting around 3,000 individuals across 150 organizations. Was it bad? Yeah, not great! But Microsoft said a couple of days later to, basically, chill out. CISA, too, said it has "not identified significant impact" at the federal level. Wired ($) has a measured look at what happened and why this isn't an escalation of tactics. @dangoodin001 has a good tweet thread, as does @johnhultquist, who said the hackers in this case "won't all be Ocean's 11." Harsh, but fair.
More: Volexity | BBC News | @nakashimae | @dnvolz
Tweet from Ellen Nakashima: "Folks just need to take a breath and not assume every SVR operation is a major new cyber aggression." More at the link.
U.S. towns are buying Chinese surveillance tech tied to Uighur abuses
TechCrunch: Towns and municipalities across the U.S. are buying Hikvision and Dahua technology, such as surveillance cameras and thermal imaging sensors (which don't work that well), despite bans at the federal level because of the companies' links to human rights abuses against Uighurs and other ethnic minorities in China. The municipalities aren't banned from buying this equipment like federal agencies are, but some local governments simply glossed over the human rights abuses and told me that Hikvision was the only manufacturer "with a viable solution that was ready for delivery." Some municipalities spent close to $500,000 on this technology to put in public schools and correctional facilities. (Disclosure: I wrote this story!) It comes in the same week that a BBC report showed police in Xinjiang, where most Uighurs live, tested technology from an unnamed company on Uighurs to "reveal states of emotion."
More: IPVM | BBC News

Clearview AI hit by wave of European privacy complaints
Bloomberg ($): The controversial surveillance and facial recognition startup Clearview AI has been hit with several complaints filed with data watchdogs across Europe, including France, Greece, Italy and the U.K., arguing Clearview AI has "no place in Europe." The startup boasted it scraped 3 billion public profile photos from the web, but has been ruled illegal in Canada. Clearview AI says it doesn't have any EU contracts. Still, it will be interesting to see if Europe takes action — regardless of whether it's used there or not, as the company claims.
More: BBC News | Gizmodo
~ ~

Thank you to everyone who reads or subscribes to this newsletter! If you can, please spare $1/month (or more for perks!) to help cover the server and email costs. You can contribute to the Patreon, or send a one-time donation via PayPal or Venmo.
~ ~


Miquel Camps Orteza: @vivirenremoto made a Doom CAPTCHA. It's not as strict as a regular CAPTCHA, and "it's pretty easy to break the security of this." But it's an impressive build. You can find the project here. It reminds me of the time @Foone put Doom on a digital pregnancy test.
A CAPTCHA that looks like Doom and requires you shoot aliens before you can proceed.
M1racles bug found in Apple M1 chip
M1racles: A new covert channel vulnerability (CVE-2021-30747) in Apple's new silicon, M1, allows any two legitimate apps running under the same operating system to covertly share data between them. It's believed to be a design flaw that can't be easily fixed without a change to the actual hardware chip. But the bug isn't that bad and "can't be used by exploits or malware to steal or tamper with data stored on a machine," per Ars Technica.

How Russian dark net market Hydra made more than $1 billion in 2020
Cyberscoop: They say crime doesn't pay... well, clearly it does. Hydra, a notorious Russian-speaking dark net market that specializes in narcotics, has netted more than $1.4 billion according to researchers. That makes up about three-quarters of all dark web marketplace activity.

It’s ransomware, or maybe a disk wiper, and it’s striking targets in Israel
Ars Technica: An interesting new wiper — well, what looks like a wiper, disguised as ransomware — is targeting victims in Israel, according to security firm SentinelOne. The malware is believed linked to the Iranian government, which has an affinity for disk wipers (remember Shamoon?).
~ ~


Crime app Citizen exposed users' COVID data
Bad week for Citizen, thanks in large part to @josephfcox's dogged reporting on the company, but really because of its own security failings that exposed users' personal COVID-19 exposure data, including self-reported test data and symptoms, and allowed a hacktivist to scrape the company's entire cache of app data on over 1.7 million incidents. While you're here, you should read how Citizen operates — by cashing in on vigilantism (which isn't far off from the company's original name).

Privacy advocate explains how real-world ad tracking works
You know that long-running trope that Facebook (or Google) listens to your microphone to serve more targeted ads? No evidence has ever shown that's really happening. It turns out that ads are (sometimes) just that smart. Here is a really great thread by @RobertTGreeve on how ads know what you might want, even if you've never spoken about a product or searched for it. It's a good primer for anyone who doesn't really get how the real-world and digital worlds blend together to guess what ads you might be interested in. This is one of the best explainers I've seen.
A great tweet thread on how advertising tracks you in the real-world as well as online.
DHS to issue first cybersecurity regulations for pipelines after Colonial hack
Homeland Security is moving to regulate cybersecurity in the pipeline industry to prevent a repeat of the ransomware attack that resulted in the Colonial Pipeline outage (and fuel shortages) a couple of weeks back. TSA, better known for violating your privacy at U.S. airports, will require pipeline companies to report cyber incidents to federal authorities.

A rise in opportunistic hacks and info-sharing imperil industrial networks
Speaking of critical infrastructure... Mandiant researchers say recent high-profile hacks, including incidents at local water supply systems, have been far more rudimentary and simple than other, widely known attacks — the Stuxnets and the Tritons out there. In many cases, systems inadvertently exposed to the open internet have been a hacker's entry point. @kjhiggins has more.
~ ~


Quiet week, but I couldn't help sharing this incredible headline. The "s" in OPSEC stands for stilton.
BBC News headline says: "Cheese photo leads to Liverpool drug dealer's downfall."
If you want to nominate some good news from the week, feel free to reach out.
~ ~


This week's cyber cat is Miette, who will absolutely trade belly scritches for cybersecurity advice... but you have to pay up front first. A big thanks to @theemmazaballos for the submission!
This week's cyber cat, Miette.
Keep sending in your cyber cats (and their friends). You can always drop them here.
~ ~


And we're outta here. Thanks so much for reading. The suggestion box is always open for any feedback. Hope you have a peaceful and restful weekend (and Memorial Day, for the folks in the U.S.). See you next Sunday.