this week in security — april 13 edition
THIS WEEK, TL;DR
Trump orders federal investigation into former CISA director Chris Krebs
Nextgov: Trump this week signed an executive order initiating a federal investigation into Chris Krebs, the first and former director of cybersecurity agency CISA. Trump also revoked Krebs' security clearance. Trump fired Krebs in 2020 when Krebs, a Republican, publicly debunked Trump's false claims of election irregularities, and apparently never got over it. News of the president retaliating against a former government official was in itself alarming (a separate executive order targets a former DHS whistleblower). But the reaction of the cybersecurity industry's top companies was, suffice to say, lackluster and disappointing. The response from SentinelOne, where Krebs currently works, was to release a statement shilling its AI product and saying it'll "actively cooperate" with the government inquiry that also stripped some of its other employees of their security clearances. Meanwhile, Reuters ($) did a great service by asking around and found absolute crickets from the wider cybersecurity industry. Out of more than 30 firms contacted, not a single company provided comment. One cyber executive was clear: "If they are willing to crush Krebs, what do you think they'll do to me or others like me?" Only the Cyber Threat Alliance denounced the move to investigate Krebs and pointed to numerous falsities in the executive order. As the folks at the EFF say, it's "critically important for us to speak up" — and the window is narrowly closing.
More: White House | CSO Online | Reuters ($) | TechCrunch | @briankrebs | @ddimolfetta | @razhael thread
Hackers intercepted bank regulators' emails for over a year
Bloomberg ($): From one government fustercluck to another, now we've got our umpteenth U.S. government breach of the year. This time it's the little-known Office of the Comptroller of the Currency, which oversees compliance and regulations with national banks. Hackers intercepted over a hundred bank regulators' emails for over a year (though the number is said to be higher, perhaps as many as 150,000 emails), including "highly sensitive financial information" of the financial condition of regulated financial institutions. The OCC notified Congress of a "major" cybersecurity incident. Per the letter seen by Bloomberg, the contents of the emails are likely to "result in demonstrable harm to public confidence." Wooof. Let's not forget the Treasury was hacked by China quite substantially earlier this year.
More: OCC | Reuters ($) | SecurityWeek | The Straits Times
U.K. court says Apple backdoor case cannot be heard in absolute secret
BBC News: A little early nugget of good news: A ruling by the U.K.'s surveillance court (known as the Investigatory Powers Tribunal) ruled that the U.K. government's efforts to demand a backdoor in Apple's cloud (allowing U.K. officials to access any users' encrypted data anywhere in the world) can be held at least in part in public. The U.K. government demanded secrecy over the order, but Apple appealed, and details of the case — though not all of them — will be heard in an open court. Probably for the best, since efforts to keep the demand a secret failed, and in the process prompted widespread criticism and anger at the move. The court (which by nature handles highly secretive cases) itself pointed out, "we do not accept that the revelation of the bare details of the case would be damaging to the public interest or prejudicial to national security."
More: UK Justice | Press Gazette | Open Rights Group | @AdamWagner1
~ ~
THE STUFF YOU MIGHT'VE MISSED
Oracle's annotated data breach notice
The Register: Oracle's hack (the cloud hack, not the separate healthcare hack) gets The Register treatment, which annotated and marked up Oracle's poorly written "we weren't hacked!" statement but then goes on to state just what the hacker stole.
Canadian cops say they are not safe from spyware
CBC: A pair of Canadian cops said they were targeted, per an ongoing court case, while they were serving officers amid an investigation into a high-ranking Canadian police official. The cops say that not even police are safe from spyware — which, weird flex, but sure — but this also raises the wider point about there not being any laws in Canada regulating the use of spyware by authorities, despite ample evidence pointing to Canada itself being a spyware customer. (via @tek)
Europol report looks at ways scammers skirt biometrics
Europol: European cop shop Europol has a report out this week detailing all the weird and wonderful ways that hackers and scammers are trying to bypass facial recognition and other biometric checks, featuring — yes — an array of grumpy-looking 3D-printed faces — see below. (Anyone else grow up during the '90s and get extreme GoldenEye N64 vibes?) This report looks at the tradeoffs of what you have (biometric) vs. what you know (password). This report reminds me of that time @iblametom 3D-printed his own head for Forbes ($) to defeat a facial recognition system. Chef's kiss, no notes. (via @campuscodi)
Why diversity, equity and inclusion is key for a cyber safe future
CSO Online: The folks behind #ShareTheMicInCyber explore in this new op-ed the growing risk of blind spots in cybersecurity and weaker national security because of a shrinking talent pool (and a wider industry unwilling to stand up for its workers). Cyber threats come from all over the world, so having a worldly team (think diversity) can help see things that homogeneous teams can miss.
Password spraying attacks exploiting lax MFA
Rapid7: Speaking of passwords... of course, they're not perfect, but passwords are still a major target for bad actors because all too often these passwords aren't protected with another layer of security (aka MFA/2FA). Passwords on their own simply are not enough to protect a system. Case in point: Rapid7 looks at one particular high-volume brute-force password campaign, and stresses the need for MFA.
~ ~
OTHER NEWSY NUGGETS
Five Four Eyes? Politico looks at the degrading Five Eyes alliance, the five nations (Australian, Canada, New Zealand, the U.K. and the U.S.) that share intelligence with each other — given, uhh, things don't look so hot in the U.S. right now. (Just last week saw the firing of the director of its top wiretapping agency, the NSA.) Can the remaining intelligence-sharing alliance, including the U.K., survive the increasingly unpredictable U.S.? For what it's worth, @metacurity asked around and the general response wasn't great! (via Politico EU)
Chinese spyware found in Android apps: A coalition of global governments, including the U.K., sounded the alarm with two new advisories detailing dozens of Android apps bundled with BadBazaar and Moonshine spyware, which have been linked to China's ongoing targeting of Tibetans, Uyghurs, and others. Lookout has been on these two spywares for years. (via TechCrunch)
China acknowledges Volt Typhoon link: Belter reporting by @dustinvolz this week, who confirmed with U.S. officials that China acknowledged its role in the Volt Typhoon affair (read: hacking U.S. infrastructure). The Chinese official's remarks in December with the then-Biden administration were "indirect and somewhat ambiguous," but referred to the U.S. support for Taiwan, which China claims as its own. (via Wall Street Journal ($))
CISA director's nomination on hold: Sen. Ron Wyden put an indefinite hold on Trump's nomination for CISA director, Sean Plankey, until CISA agrees to release an unclassified report detailing security vulnerabilities in U.S. telco systems. Wyden called the withholding of the report a "multi-year cover-up." (Disclosure: I wrote this story.) Wyden sits on the Senate Intelligence Committee and knows more than most about what's actually going on in intelligence and cybersecurity circles, so when he says the report "contains important factual information that the public has a right to see," I'm inclined to believe the guy. (via Reuters ($), TechCrunch)
Looking inside a prolific SMS phishing group: If you've had a toll road or shipping-related SMS phishing message in recent weeks, then you can probably blame the Smishing Triad, which in part relies on literal walls of iPhones and Android devices to support their cybercrime infrastructure. Here's an interesting inside look at the group's operations and how it works. (via Krebs on Security)
Microsoft flags zero-day: In this month's Patch Tuesday roundup of security fixes, Microsoft has disclosed one zero-day bug under active exploitation. This particular bug (aka CVE-2025-29824) is found in the Windows Common Log File System that can grant system-level privileges across affected Windows devices. Bleeping Computer reports the RansomEXX ransomware gang is exploiting the bug. (via Bleeping Computer, Microsoft)
Screenshotting hell back in Windows: Sticking with Windows, it looks like Microsoft's screenshot-capturing "feature" Recall will be rolled out more broadly this year. Recall came under heavy fire last year after it was initially announced because it was caught capturing credit cards, passwords, and other highly sensitive data from apps like Signal and others. Cue the sound of exasperated users. (via Ars Technica)
~ ~
~ ~
THE HAPPY CORNER
Welcome to the happy corner! Especially to whoever happened to hijack the Everest ransomware gang's dark web site this week with the most delightful message.
This Reddit /r/cybersecurity thread on cybersecurity myths is worth a read. Some will make you laugh; some might even sound eerily familiar...
I took time this week to watch @deviantollam and @tarah do their first security con talk together and it's absolute fire. You'll learn, you'll definitely laugh, and I think you'll love it. This talk is the perfect pairing of a physical pentester who breaks into places and a compliance executive who translates how and why, titled, "He is The One Who Knocks. I'm The One Who Makes You Comply." This talk doesn't disappoint!
And finally, this week. CatGPT.
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Stevie, aka keeper of secrets and seeker of kitty treats. Thanks so much to Jen K. for sending in!
Please keep sending in your cybercats or non-feline friends! You can email at any time with a photo and name of your cyber cat (or friend) and they'll be featured in an upcoming newsletter. Sent in before? Send an update!
~ ~
SUGGESTION BOX
And that's it for a bumpy, mixed bag week in cyber, *breathes into paper bag*. Let's do this all over again next week and see what we have in store.
As always, please do get in touch by email. It's always nice to hear from you! Especially if there's a cyber cat attached. (Go on, it really makes my day!)
Ta ta for now,
@zackwhittaker