this week in security — february 5 edition
THIS WEEK, TL;DR
Google Fi hack victim had Coinbase, 2FA app hijacked by hackers
TechCrunch: Not so great news for millions of Google Fi customers whose SIM card data was compromised following an upstream breach of 37 million customers' data at T-Mobile, which Fi relies on for its service. Hackers obtained some customers' account information, according to a notice sent to customers. But, at least one customer said that Google also told them that their Google Fi phone number was briefly hijacked during a SIM swap attack. The victim said this allowed the hackers to gain access to his Authy two-factor app and subsequently his Coinbase account. That's particularly troubling since Google Fi is seen as more secure, since the account is tied to a person's Google account (which can be two-factorered up to its eyeballs, unlike most cell companies...). @lorenzofb spoke with the victim and verified the email. Google isn't being particularly forthcoming regarding the breach, so anticipate more fallout to come.
More: TechCrunch | Wired ($) | @jsrailton | @filippo
Anker finally comes clean about its Eufy encryption claims
The Verge: Smart home maker Anker finally admitted this week that the claims it had made about its Eufy products being end-to-end encrypted aren't exactly true (which meant video footage could in theory be legally obtained by Anker or third-parties) — and haven't been for some time. That's the end result of months of work by The Verge trying to get answers to simple questions about why a researcher was able to access a seemingly unencrypted video stream via VLC media player (which shouldn't have been possible). Anker dug in for months, evaded questions (in some cases just ignoring reporters' emails), and then tried to cover up its tracks. But Anker finally came clean this week with a long statement, and apologizing, after the company clearly failed to handle its scandal.
Background: The Verge | More: Ars Technica | @seanhollister
GoodRx made money off your health data, now the FTC is making it pay
Recode: The FTC accused the data-gobbling startup GoodRx of collecting and sharing personal health information of consumers — including users to its website searching for medications and health conditions — with third-parties, like Facebook and Google, for advertising. The FTC slapped a $1.5 million fine on GoodRx and ordered it to stop sharing health data for advertising purposes. Why was this allowed to happen? Because America has no privacy laws, even still, so it's no surprise that GoodRx basically gave everyone the middle-finger in a lengthy rebuttal in an unbylined piece, the faceless cowards. If you're wondering how this ever came to be, well, the FTC never cites the journalists who do the hard work in uncovering these important issues, so major props to @swodinsky for first bringing the issue to light, and @thomasgermain for his extensive reporting.
More: New York Times ($) | Gizmodo | @TonyaJoRiley | @thomasgermain tweets
Ransomware Roundup: U.S. details takedown of Hive ransomware group
CNN: U.S. and European law enforcement's recent takedown of the Hive ransomware group was a huge blow to ransomware. CNN now has the details of how the months-long operation went down, under which prosecutors focused on victims, rather than prioritizing nabbing the cyber-crims. It sounds like the feds went public only after "exhausting" the intelligence they were going to get from Hive's servers. Sure, the criminals might come back with a new operation (and they might), but good for morale in the meantime. Meanwhile this week, Bloomberg ($) has a long feature on the ransomware attack that hobbled Ireland's health service for weeks — and how the hack helped expose major divisions in the Conti ransomware group; while Wired ($) looks at the long and slow recovery of one of London's busiest councils, which didn't fare nearly as well.
More: Wall Street Journal ($) | Bloomberg ($) | Wired ($) | @dustinvolz
~ ~
~ ~
THE STUFF YOU MIGHT'VE MISSED
Background check company confirms data breach affecting 20 million
Bleeping Computer: PeopleConnect, the owners of background check services TruthFinder and Instant Checkmate, have confirmed a data breach involving the theft of 20 million people's information from a 2019 backup database. It's incredible that in 2023 it's still entirely legal for a U.S. company to scrape gobs of information about you, without your permission or consent (or any discernible way to opt-out), and use it to make money and face little to know consequences. And it's not just background check sites doing this. Experian, Equifax, TransUnion, and so many more...
Microsoft says phishers using OAuth apps to infiltrate cloud environments
Proofpoint, Microsoft: Microsoft said in a blog post that it became aware on December 15 of a phishing campaign impersonating legitimate companies that try to trick employees into granting permission to fraudulent OAuth apps. Proofpoint discovered the campaign, which tries to infiltrate victims' cloud environments.
CISA executives write op-ed: Stop passing the buck on cybersecurity
Foreign Affairs: Top brass at U.S. cybersecurity agency CISA penned a piece about the (poor) state of cybersecurity, where we're failing, and why companies need to elevate cybersecurity to the executive and board level. CISA says cybersecurity is a safety issue — and it is, likening it to seatbelts and airbags and so on, all of which protect us when things unexpectedly go wrong. (As some have noted, those examples exist because of regulation and not corporate altruism.) Companies have to take responsibility, yes. But let's not forget the U.S. is still without federal cybersecurity, privacy, or data protection laws.
Netflix isn't cracking down on password-sharing... yet
Wired ($): It looks like the sweet days of Netflix looking the other way while we share our account passwords with friends and family will soon be over. Netflix has been experimenting with putting in account restrictions to limit sharing to households. The changes haven't fully come into effect (yet), but @lhn has more on what's to come down the line. (The Verge has more, too.) Panic ov...paused, for now.
Apple Maps bug may have exposed location without consent
9to5Mac: A privacy bug in Apple Maps may have allowed other apps on the same iPhone to collect user location without permission. Apple has said predictably very little about the bug, but @dangoodin notes the significance of this in a toot. It's not clear which app (or apps) triggered this bug, but one Brazilian food giant denied that it was to blame.
Twitter trust and safety chief "has access to user DMs"
Platformer ($): It's worth repeating again and again. It's long been known that Twitter DMs are not encrypted and are accessible to Twitter staff. With that in mind, it was reported this week that Ella Irwin, Twitter's trust and safety chief under Elon Musk's leadership, "has access to user DMs as part of her position." This comes following Musk providing certain journalists access to internal company systems as part of the so-called "Twitter Files." Former Twitter employees told Platformer that "DMs are no longer secure, and have discouraged us from using them..." Not that they were ever secure per se, but now? ...I mean, yeesh. (via @anthony)
Greek opposition to boycott parliament over wiretap scandal
Associated Press: The latest from "Greek Watergate" — now, the Greek opposition said it won't participate in any parliamentary votes until an election is called after the Greek government was embroiled in a phone wiretapping and spyware scandal. The state's security service allegedly used Predator, a phone spyware, to target its opposition leader and journalists. Members of the European Parliament are also investigating use of spyware across the EU. More from Euractiv.
~ ~
OTHER NEWSY NUGGETS
Hey Google, download malware: Ars Technica not pulling punches: it's not safe to use Google to download software given the recent spike in malvertising — that's malware pushed as ads in search results. A recent surge has seen legitimate search results hijacked by ads, pushed by Google, that link to malware disguised as real apps. It's sneaky, and it's simple, that's why it's so dangerous. Also, folks — use an ad-blocker! (via Ars Technica)
JD Sports hacked, 10 million customers data stolen: U.K. sportswear chain JD Sports confirmed a data breach in a stock exchange filing this week, affecting some 10 million customers who have shopped at JD, Size?, Millets, Blacks, Scotts and MilletSport between November 2018 and October 2020. That includes order details, names, addresses, phone numbers and more. According to @BrettCallow, someone is claiming to be selling more than twice the amount of data on a known cybercrime site. (via BBC News, The Guardian)
U.S. investigating sale of No Fly list: Speaking of data ending up for sale, now it seems the U.S. No Fly list, which was exposed to the internet by Ohio-based airline CommuteAir, is now for sale on a cybercrime forum. The TSA said it was investigating, and now members of Congress are demanding answers from the TSA. (via Bleeping Computer)
Taiwan government intervenes in iRent data leak: iRent, the biggest car rental and ride-sharing company in Taiwan, was spilling customer data for months until it was found by security researcher @hak1mlukha last week. But there was a problem. iRent's parent, Hotai Motors, just would not respond to repeated efforts by yours truly (disclosure alert!) to get the data secured. We're talking at least 100,000 customer ID documents, personal data, and more, spilling out of a passwordless Elasticsearch database. After a week of silence — and on a Saturday no less — I contacted the Taiwanese government for help, thinking that might get someone's attention on Monday morning. No — instead, I got a near-immediate response from none other than Taiwan's minister for digital affairs, Audrey Tang, the government's top digital official. Tang emailed back saying she had flagged the exposed database to the country's TWCERT/CC team. Within an hour, the iRent database was pulled offline. I am really impressed by, and appreciate, the Taiwanese government's response. (There has to be points for that, right?) (via TechCrunch, CNA)
Google's Jigsaw unit cut to skeleton crew: Jigsaw, the Google company that produces tools to counter online hate speech, disinformation and government surveillance, has been gutted to a "skeleton crew" after layoffs. Its staff was cut by at least a third. Forbes cited former employees who say they "fear Google is phasing out an altruistic part of its business because it isn’t focused on turning a profit." (via Forbes ($))
0ktapus hackers return: Remember the hackers last year, dubbed 0ktapus (for their use of Okta-themed phishing pages), which hacked Twilio and 130 other organizations during a months-long hacking spree? Well, they're back, according to a leaked report. A list of domains used by the phishing crew show that they're now targeting video game makers — as well as other tech companies. (via TechCrunch)
~ ~
THE HAPPY CORNER
A bountiful happy corner awaits. First up:
Moving on. I don't think we need to vote on this, can we just make this toot a thing?
In some newsy-good-news, New York attorney general Letita James secured $410,000 in penalties from a New York-based phone 'stalkerware' maker, Patrick Hinchy, who was also ordered to notify victims whose phones are currently hacked. Shy of an outright ban (à la SpyFone), this is a pretty good result. Lawmakers, take note!
And, your final palate cleanser:
If you have good news you want to share, get in touch at: this@weekinsecurity.com
~ ~
CYBER CATS & FRIENDS
Well, it finally happened, a two-for-one puppy/kitty combo. Meet Luna Nymeria, a weeks-old puppy with the bluest eyes, and Pichu, one of three cats. Welcome to the fold, little one. You have a bright future as a cyber-pup ahead of you. Many thanks to Tom W. for sending in! I'm going to log off now before my heart explodes with rainbows.
Send in your cyber cats! (You can send in your non-feline friends too.) Email me a photo and their name, and they'll be featured in an upcoming newsletter.
~ ~
SUGGESTION BOX
Well that was a busy one, huh! Thanks so much for making it all the way through. As always, you can email me or drop your feedback in the suggestion box. I'll be back next Sunday with the usual roundup from the week. If you want to share this newsletter with a friend or colleague, hit those social buttons below.
Until next week,
—@zackwhittaker