~this week in security~
a cybersecurity newsletter by @zackwhittaker

volume 3, issue 16

THIS WEEK, TL;DR

U.S. warning says North Korea hacks threaten U.S. and global financial systems
Reuters: A joint advisory by State, Treasury, the FBI and Homeland Security says North Korean hackers are targeting U.S. and global financial institutions. The real reason for the alert remains unclear, however. The U.S. says the financially motivated hacks — from WannaCry to a Bangladeshi bank heist — are part of a money-making scheme to support its nuclear weapons program, according to a new U.N. report. This is probably something to keep an eye on.
More: US-CERT | Wall Street Journal ($)

New York investigating hack of state's computer network
Wall Street Journal ($): A breach dating back to January has just come to light, thanks to reporting by the Journal. More than 25 servers and networking appliances carrying encrypted traffic were compromised in the breach, per the report. The state said there's "no evidence" that personal data was taken. The report said the servers were primarily used by New York State Police and the state's environmental conservation unit.
More: Times Union

Does Riot Games’ new anti-cheat measure go too far?
Ars Technica: Game developers and cheaters are in a constant cat-and-mouse game. But Riot Games is upping the ante. Its new Vanguard anti-cheat system uses a kernel-level driver that has extremely deep and privileged access to a player's computer. That's obviously raised eyebrows among the security crowd. A single vulnerability could put the entire system at risk, experts say. Riot downplayed the risk, citing its bug bounty, but it's hardly going to make anyone who lived through the Sony rootkit DRM debacle years ago feel much better.
More: Riot Games | Kotaku | Archive: Schneier on Security

Microsoft fixes 3 zero-days, 15 critical flaws
Bleeping Computer: For its monthly Patch Tuesday, Microsoft released fixes for 113 vulnerabilities — including three zero-days, two of which, affecting Adobe Font Manager, are under active exploitation. Microsoft said one more zero-day was under attack but later corrected the listing.
More: @dustin_childs

The Pentagon hasn't fixed basic cybersecurity blind spots
Wired ($): Anyone who's worked in government can tell you that its IT systems are held together with glue and sticky tape. This week, the government's own watchdog issued a report detailing just how bad things are at the Pentagon. Turns out that the Pentagon long abandoned efforts to abide by dozens of cybersecurity hygiene goals. The Government Accountability Office was pretty scathing. "Most of the things they pinpointed in terms of what the department needs to do culturally are enduring things, they're basic cybersecurity practices," said the GAO's Joseph Kirschbaum, who oversaw the watchdog's report. The GAO gave the Pentagon seven new recommendations for it to inevitably ignore again (but hopefully won't this time).
More: GAO | Defense One

Hackers are selling a critical Zoom zero-day exploit for $500,000
Motherboard: Welp if true. Hackers have confirmed that there are at least two Zoom zero-days floating around. One of them could be used to remotely execute code on a Windows PC, but it requires being on a call with a person. The other exploit for macOS isn't a remote code execution bug, making it harder to use. Zoom just this week brought on @k8em0 to run its bug bounty.
More: Zoom

U.K. memo discussed giving ministers power to 'de-anonymize' users
The Guardian: Many countries are working on their contact-tracing apps. Google and Apple have also talked more about how their technology works. These contact-tracing apps are designed to alert individuals if they have been in contact with a confirmed COVID-19 case. The apps collect anonymous data to work. But a U.K. draft document seen by The Guardian said U.K. authorities want to be able to de-anonymize users by collecting device IDs if lawmakers "judge that to be proportionate at some stage." The U.K., for its part, denied the plan.
More: Wired ($) | @paullewis
~ ~
SUPPORT THIS NEWSLETTER

A big thanks for reading this newsletter! Subscribers are going up, as are the monthly costs. If you can spare $1/month (or more for exclusive perks), it helps keep this newsletter going. You can contribute to the Patreon here.
~ ~

THE STUFF YOU MIGHT'VE MISSED

U.S. judge blocks Twitter's bid to reveal government surveillance requests
Reuters: A U.S. federal judge has ended a six-year legal battle between Twitter and the Justice Department over an effort by the social media site to reveal the precise number of surveillance requests it's received. The judge dismissed the case, saying Twitter's request would be "likely to lead to grave or imminent harm to the national security." The case went on for so long that it spanned four U.S. attorneys general.

China-linked ‘Electric Panda’ hackers seek U.S. targets, intel agency warns
Politico: Close to 40 U.S. contracting facilities with access to sensitive and classified information have been targeted by a Chinese-backed hacking group since February. A bulletin issued by the Defense Counterintelligence and Security Agency said the facilities have faced at least 600 inbound and outbound connections in the past couple of months. The suggestion, at least in regards to the outbound connections, is that the intrusions may have been successful. These warnings aren't uncommon but attribution is rare, reports Politico.

Pastebin made it harder to scrape its site and researchers are pissed off
Motherboard: Here's one way to piss off security researchers: Pastebin quietly changed its T&Cs, which had allowed researchers to scrape its site to find leaked data and understand malware, which often uses code posted to Pastebin to run operations. By turning off search and the paid-for API, researchers say it's more difficult to do their work. @ItsReallyNick, for one, called out Pastebin for removing its search feature but not removing the harmful content on its site. Zing!
~ ~

OTHER NEWSY NUGGETS

Hackers made the Snoo smart bassinet shake and play loud sounds
Wired ($) looked at Snoo's popular smart baby bassinet. The bassinet is meant to help prevent sudden infant death syndrome by using microphones and speakers to respond to a baby's sounds. But flaws allowed researchers to take control of the system if they were connected to the same Wi-Fi network. That reduces the risk, sure, but again — we've seen this so many times before and yet the companies just don't learn that not everything has to be connected to the internet.
Will Google and Apple's COVID-19 tracking plan protect privacy?
As mentioned earlier, Google and Apple this week discussed more about their plans to roll out a coronavirus contact-tracing service, which is meant to be privacy-focused. But The Markup, the new publication from @juliaangwin and others, dives into the murky details and explains what could go right and wrong. Notably, Angwin says, the system is vulnerable to spoofing and trolls — which, let's face it, is probably the most likely issue here.

Fake browser extensions are stealing cryptocurrency wallet keys
New research out this week looks at several browser extensions that say one thing but actually steal a user's cryptocurrency keys, including from Ledger, Trezor, and Electrum wallets. The fake extensions look and feel like the real deal, but are siphoning off keys and private phrases, which can be used to raid a victim's cryptocurrency wallet. This research is surprisingly detailed and in-depth. A must read. ZDNet also has more.
~ ~

THE HAPPY CORNER

A couple of things from the happy corner this week.

Zoom has been in the news a lot as of late thanks to security flaws and privacy problems. That's opened the way for alternatives and helped to improve competition, like with Jitsi, the open-source video calling platform that you can run on your own server. This week it said it's working to roll out end-to-end encryption, a feature Zoom claimed it had but actually didn't. Here's Jitsi's blog post. It's still a ways off, but they're working on it. Good luck to the team.
And, since BGP related issues keep on happening — just this week, the U.S. said it wanted China Telecom out of the U.S. citing BGP issues — Cloudflare now lets you test your own internet provider for BGP security. Ars Technica has more, but simply put, it's a one-click checker tool, which lets you tweet at your internet provider after the fact. Let's see if the pressure works.
If you want to nominate some good news from the week, feel free to reach out.
~ ~

THIS WEEK'S CYBER CAT

This week's cyber cat is Cooper. When he's not lounging in the sunshine, he's reverse engineering malware like his dad. Thanks to @0xAmit for the submission!
Please send in your quarantine cyber cats! We're extremely low and need your submissions. Returning cats are still welcome! You can send them here.
~ ~

SUGGESTION BOX

That's all the news from the week. Thank you so much for reading and subscribing. Please continue dropping feedback in the suggestion box. I keep a close eye on it and appreciate the feedback! See you again next Sunday — take care and stay safe.