~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 5, issue 33

~ ~


Twitter ex-security head blows the whistle, claims reckless and negligent cyber policies
CNN, Washington Post ($): Incredible news this week that stunned the cybersecurity world. Peiter Zatko, aka Mudge, Twitter's former head of security, blew the whistle on what he claims are negligent cybersecurity practices at Twitter, from vast internal access to Twitter's entire source code, laptops that weren't patched, servers that weren't licensed, and fears that Twitter was unable to protect itself from insider threats on January 6. Mudge is no stranger to cybersecurity; his credentials are impeccable and his reputation is pristine. He's worked in government, spent time at Google, and testified to lawmakers. Yet Twitter claims he's telling half the story and that he's a disgruntled ex-employee fired for poor performance — claims that just don't add up. Plus, some ex-Twitter employees piled on with their own security concerns, adding to Twitter's headaches. The Washington Post ($) has a great profile of Mudge, and CNN's coverage has been excellent too. Mudge is expected to testify about his whistleblower complaint to lawmakers later this year, per @b_fung. Don't expect this to blow over any time soon.
Archive: The Intercept | More: Time ($) | @kevincollier | @kimzetter | @ericgeller tweets
Nicole Perlroth tweet: "By reverting to 'disgruntled' and 'poor performance,' Twitter PR and [the Twitter CEO] grossly underestimated how well respected [Mudge] is at the highest levels of gov, cybersecurity, etc. Shot themselves in the foot big time."
Plex asks users to reset passwords after theft of 15+ million users' data
Ars Technica: Media streaming service Plex confirmed hackers stole data on the "majority" of its 30 million users, meaning some 15 million users had at least their usernames, email addresses and scrambled passwords (hashed with bcrypt) stolen, prompting Plex to ask users to reset passwords. That said, Plex's mass reset didn't go so well, with users unable to change passwords when they tried. In its initial email to users, Plex said only a "limited subset" of user data was accessed, which clearly isn't true.
More: The Verge | Plex

Twilio breach fallout: DoorDash, Authy, Okta
Group-IB: Let's look at new research from Group-IB, which investigated the mass breach of companies including Twilio. It says the hacking group it calls 0ktapus (for impersonating Okta login pages) has hacked over 130 organizations as part of its phishing campaign since March. Twilio's breach had knock-on effects for DoorDash, because one of its vendors was also compromised by the same hackers that hit Twilio. And things got worse for Twilio, because its own 2FA app, Authy, was targeted too. Twilio said 93 Authy users' apps were compromised, effectively allowing the attackers to generate 2FA codes on behalf of their victims. And finally, Okta confirmed some of its customers' data was visible in Twilio's console, marking Okta's second security incident this year. Don't expect this mass-hack to quieten down any time soon. There are still over a hundred companies yet to announce their own breaches.
More: DoorDash News | Okta | TechCrunch | @campuscodi
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week. The Patreon is here. You can also donate just one time via PayPal or Venmo.
~ ~


Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug
Bleeping Computer: Hackers are exploiting a zero-day bug in a popular General Bytes bitcoin ATM by targeting its crypto application server, which allows an attacker to create an admin user. Using that admin account, the attacker can modify the ATM's settings and swap in a cryptocurrency wallet under their control. Sneaky! Here's the advisory.

Novant Health admits leak of 1.3M patients' info to Facebook
The Register: Novant Health confirmed it accidentally disclosed 1.3 million patients' sensitive information — including email addresses, phone numbers, financial information and even details of doctor's appointments — to Facebook because of a misconfigured tracking pixel. The Register explains how the breach happened — effectively an ad campaign that collected too much data by mistake.

Smartphone gyroscopes threaten air-gapped systems, researcher finds
The Register: Sticking with El Reg for a minute: A researcher known for discovering ways to siphon data from air-gapped computers is back with a new exploit [PDF] able to pick up acoustic signals from the speakers of internet-isolated computers by using the gyroscope sensors in nearby smartphones. Another exploit uses the green and amber lights on network interface cards to transmit data in Morse code. Wild research, even if it requires close proximity to the target device.
A photo of an airgapped computer showing a path of data flowing from the PC to the gyroscope of a nearby smartphone.
Meta, Twitter took down accounts engaging in pro-U.S. covert influence campaigns
The Record: Meta and Twitter took down accounts in recent weeks connected to a pro-U.S. influence network targeting the Middle East and Central Asia. Wait, what? Yes, you read that right. The data provided by the two social giants showed the campaign used "deceptive tactics, including computer generated profile images and fake news outlets, to promote an agenda aligned with Western policy priorities and opposing Iran, China and Russia." More from the Washington Post ($). It's believed to be the first pro-Western influence campaign taken down by the companies.

Cosmetics giant Sephora settles customer data privacy lawsuit
PBS: The first CCPA case is in: make-up giant Sephora settled a lawsuit claiming it sold customer information without proper notice in violation of California's landmark privacy law. The company agreed to pay $1.2 million, the state's first enforcement action, even if the wrist-slapping was on the lighter side. According to the AP's yarn, "Sephora allowed third-party companies to install tracking software that allowed them to build detailed consumer profiles that allowed them to better target customers," according to the California attorney general Rob Bonta. "But on its website it promised 'we do not sell personal information,' according to the lawsuit." Yuck.
~ ~


Charming Kitten scraping inboxes: Google's TAG says it's uncovered a software tool developed by Iran-backed hackers known as Charming Kitten used to retrieve downloaded emails and other data from Gmail, Yahoo and Outlook accounts, dubbed "HYPERSCRAPE." It's not a particularly sophisticated tool but is notable for its "effectiveness in accomplishing Charming Kitten's objectives," a group that mostly targets high-risk users.

Lockdown Mode? We know: A researcher's proof-of-concept website can identify if your iPhone is in Lockdown Mode, the new ultra-secure mode in iOS 16 that blocks certain features to protect it from spyware attacks. Lockdown Mode also blocks things like remote fonts, which can contain malware, and that is how the website knows (or infers) when a device is in Lockdown Mode, reports Motherboard. That can be used for profiling or fingerprinting, which may help identify at-risk users.

Spilled docs show $8M iOS, Android exploits: Leaked documents appear to show a little-known spyware company called Intellexa allegedly offering exploits for iOS and Android devices for around $8 million. The screenshots, obtained by malware researchers @vxunderground on Wednesday, appear to show a browser-based exploit able to remotely extract data from iPhones and Android devices, though @maddiestone believes the docs show exploitation-as-a-service, rather than exploits for sale. (The difference matters, since one requires the maintenance of infrastructure.) Interestingly, the exploits on offer target recent releases of iOS 15.4.1 (released in March) and Android 12.
A screenshot of a listing for a remote data extraction exploit for iOS and Android, listed at about 8 million euros.
NATO classified docs stolen: BBC News reports that NATO is assessing the impact of a data breach including classified military documents and blueprints of weapons used by NATO allies in Ukraine. The documents are said to be linked to a major European weapons maker. @joetidy does a great job of breaking this one down.

95% of iCloud users have 2FA: Actually some early good news here: Apple says 95% of iCloud users are protected with two-factor authentication. That news lands ahead of the wider rollout of Passkeys, which replace passwords with "digital keys" that are unique to your accounts and stay on your device, and authenticate using your face or fingerprint.

LastPass breached, says user data safe: Password manager LastPass says it detected "unusual activity" in its development environment two weeks ago (so around mid-August) and booted attackers from its network. It blamed a single compromised developer account that allowed the theft of some source code and technical information. No customer action needed, LastPass says, since master passwords aren't stored by the company.
~ ~


Breathe in and out. That's the news, and this is the happy corner. A short one this week:

My day-job colleague @diceborbon, our in-house illustrator, is now taking commissions for his Twitter egghead-style portraits (of which I am honored to be a recipient). I love mine, and you can get yours for $25.

And finally. I can't confirm the veracity of this tweet, but I'm hoping it's real. Hackers reportedly hijacked dozens of IP cameras with speaker outputs across Russia to play patriotic Ukrainian music to mark Ukraine's Independence Day on August 24.
@internetofshit tweet: "Finally, a good reason for the internet of things," quote tweeting a video (linked) with a tweet that says: "Today, to celebrate Ukraine’s Independence Day, dozens of IP cameras with speaker outputs have been hacked to play patriotic music in Russia as well as occupied Crimea and Donbas."
If you have good news you want to share, get in touch at:
~ ~


Meet this week's cyber cat, Sweetpea, whose long-running campaign urging organizations to consider the use of hardware security keys just geared up a notch this week, since physical keys can't be phished. Thanks @FlyingBlueMonki for the submission!
Keep sending in your cyber cats or their friends! Email here with their name and photo, and they'll be featured in an upcoming newsletter.
~ ~


That's it for now! As always, the suggestion box is open for any feedback you might have, or feel free to drop me an email if you want to get in touch.

And... now I'm taking a vacation. Turns out this week isn't Labor Day as I thought — it's next, and so I'm taking the week off to recoup and catch up on some cocktails and sleep.

Be well! Back in a couple of weeks.