Sign in Subscribe
7 min read

this week in security — july 3 edition

THIS WEEK, TL;DR

Tech companies scramble after the overturning of Roe v. Wade
Associated Press: This week saw the fallout from the Supreme Court's decision to overturn Roe v. Wade became clearer as more than a dozen U.S. states activated laws to criminilize abortion. At this time, there are no substantial privacy laws protecting Americans' personal information. Understandably so, much of the focus has remained on period trackers and their data collection (and sharing) policies, and how they can be used against people seeking or helping those get an abortion. Vice has a great piece on which company collects what. (Also, if you saw the viral TikToks of a new "encrypted" period app called Stardust, it's a privacy disaster.) The most comprehensive read on privacy and period trackers this week came from @maggied et al — I absolutely recommend the read, plus its prequel piece, so to speak. Of the few companies that did say something this week, Google said it's going to delete the location entries of those visiting sensitive places, like medical facilities and abortion clinics. It'll go into effect "in the coming weeks." Not fast enough! Facebook said its encryption, which rolls out next year, will help protect users. Also not fast enough! Meanwhile, lawmakers are "exploring" ways to limit data collection in reproductive health apps. Sounds great, but as @swodinsky rightfully notes the big flaw here, "What about other apps?" Big Tech (and everyone else) had weeks of warning to start planning for a post-Roe country, thanks to an unprecedented leaked court opinion, but have done little to protect more than half of the United States whose constitutionally protected human rights for decades were suddenly stripped from them.
More: Forbes ($) | EFF Deeplinks | Medium (@maggied) | Cyberscoop | Google | Washington Post ($) | @CatherineNCrump

How mercenary hackers sway litigation battles
Reuters ($): Wild reporting from Reuters this week after years of investigating and researching Indian hack-for-hire groups that target lawyers and litigants on behalf of Western private investigators. The aim is to hack into email accounts, obtain sensitive information, and use it to win lawsuits and arbitration battles. The reporters @razhael and @bing_chris obtained a huge cache of emails from two unnamed email providers used by the espionage groups to carry out their hacks. That allowed the reporters to understand who was targeted, when, and in some cases how. Some 1,000 attorneys at 108 law firms were targeted, Reuters found.
More: Google TAG | @razhael | @hatr

Massive trove of gun owners' information exposed by California AG
The Reload: An embarrassing security lapse for the California attorney general's office, which *checks notes* is the state agency for reporting data breaches. So, huge surprise when gun owners found their information on the attorney general's website after a new dashboard went live this week, exposing names, race, home address, date of birth and permit information, such as if the owner is law enforcement or a judge. It's not the sort of thing you want exposed, since that information can be used by criminals to steal registered weapons and more. A similar data exposure happened in the U.K. last year, where firearms are mostly outlawed and access is highly regulated and restricted.
More: @StephenGutowski | @Patterdude

Cyberattack forces Iran steel company to halt production
Associated Press: A major Iranian steel company said it was hit by a cyberattack, forcing it to halt production. Two other plants were also said to have been targeted. The government in Tehran did not acknowledge the incident, though Cyberscoop notes that Iran's state media seemingly confirmed the attacks, saying the incident was caused by unspecified "foreign enemies." However, an unvetted CCTV video hit the internet a short time after the alleged incident, tweeted out by the group that calls itself "Gonjeshke Darande." This is the same group that reportedly caused chaos on Iran's railways last year. If this steel mill incident is confirmed to be cyber (outside of the steel company's own statements), this would be the most recent case of a cyberattack causing physical harm.
More: Cyberscoop | BBC Persian

An animated GIF of a steel processing facility in Iran suddenly exploding, allegedly caused by a cyberattack.

~ ~

~ ~

THE STUFF YOU MIGHT'VE MISSED

Canada's national police force admits use of spyware to hack phones
Politico: Canada's national police, the RCMP, said for the first time it can use mobile spyware to collect evidence from a suspect's phone. RCMP said it needs the capabilities (though it didn't say from which spyware maker it acquired such tools) because traditional wiretaps — allowing for real-time interception of calls and messages — are less effective than they once were, in large part thanks to an increased use of encryption. Meanwhile, across the border, the annual U.S. Wiretap Report came out, which details how many wiretaps were issued by the courts during the year and for what reason — and found that some 16% of wiretaps were unable to capture evidence because of encryption.

China lured graduate jobseekers into digital espionage
Financial Times ($): This was great reporting on Hainan Xiandun, a company used as a cover for the notorious APT40, a China-based espionage group known for infiltrating government agencies, companies and universities (like Johns Hopkins) across U.S., Canada, Europe and the Middle East under orders of China's state security ministry. The FT obtained a leaked list of 140 candidates compiled by security officials in Hainan, a small Chinese province in the south where the APT group is based, allowing the reporters to ask some candidates about their hiring process.

FBI wanted poster for four Chinese individuals associated with the APT40 espionage group.

Canadian admits to hacking spree with Russian cyber-gang
BBC News: Staying with Canada for a hot second... a former Canadian government IT worker admitted to working as a high-level hacker with a Russian ransomware group, known as NetWalker. After he was arrested, the suspect, Sebastien Vachon-Desjardins, was found with $27M in bitcoin. Vachon-Desjardins worked for several Canadian government departments from 2010 onwards, including responding to cybersecurity incidents. @jeffstone500 broke the news this week using DOS, apparently.

Half of 2022's zero-days are variants of previous flaws
SecurityWeek: Here's an interesting tidbit: of the 18 zero-day vulnerabilities found in the wild, half were flaws that were previously patched in some way, according to Google. The short lesson is, we need better patches, please. The longer version, courtesy of @maddiestone, is far more eloquent — but a solid reminder that patching isn't just to fix a flaw, it's to make the attacker go back to square one.

From Maddie Stone's blog post: "When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes."

Cybersecurity experts question Microsoft's Ukraine report
Cyberscoop: Microsoft's recent report looking at the first few weeks of Russia's war in Ukraine, examining how cyber was (and wasn't) used, got a lot of media play. But experts doubt some of the claims in the tech giant's report. Cyberscoop spoke with a dozen experts who all called Microsoft's report into question, saying among other things, that the report "didn't contain either the technical underpinning or evidence to back up its points." A reminder to "trust, but verify" even the biggest companies in cyber.

~ ~

OTHER NEWSY NUGGETS

Wegmens settles over massive data exposure: Reuters ($) reports Wegmans, the New York supermarket chain, accepted a $400,000 settlement with the state's attorney general's office this week after a historical data exposure, lasting more than 30 months over 2018 through spring 2021, involved more than 3 million consumers nationwide, including account information like passwords, mailing addresses, and data tied to driver's licenses. The chain's cloud-stored Azure data was misconfigured and left wide open for anyone to access.

OpenSea email vendor breached: The popular NFT marketplace OpenSea said an employee at its email vendor, Customer.io, misused their access to download and share email addresses of OpenSea users. OpenSea is warning users of email phishing attempts in the wake of the breach.

Routers under attack by unusually sophisticated malware: Ars Technica reports an unusually advanced hacking group has spent two years targeting Cisco, Netgear, Asus, and DrayTek routers in North America and Europe with malware that takes control of connected devices running Windows, macOS, and Linux. Dubbed ZuoRAT, the remote access Trojan is part of a hacking operation, likely by a nation state, and is "intentionally complex" to conceal what's happening. Lumen has more in a blog post.

Investigating my own data breach: This week I wrote (disclosure alert) about how a rental startup I had never heard of obtained and leaked my home address, and of thousands of other residents, thanks to a leaky website API. On my journey to understand how my home address was allowed to be shared directly by my landlord, no less, I fell down a rabbit hole of why America's privacy laws are so far behind, and why where we're headed isn't exactly much better.

~ ~

THE HAPPY CORNER

Here's what's good in the world this week.

Firefox 102 is now out with a new feature that strips parameters from URLs that are used to track you around the web. (It's why I don't include tracking links in this newsletter.) Bleeping Computer tried it out and it seems to work pretty well.

The EFF has a great piece on how to keep your smart home secure and private. Of the smart home vendors, some are more private and security-minded than others — Apple's HomeKit is fairly good on the scale. But with (natural) fears about IoT attacks and reliance on cloud services that might one day suddenly shut down (ahem, Insteon), there is a way to run a smart home locally and take back control of your smart devices.

And finally. @AlecMuffett has published "A Civil Society Glossary and Primer for End-to-End Encryption Policy in 2022," a very long but incredibly detailed guide on the technical aspects of end-to-end encryption. The aim was to help civil society organizations and other groups better understand the realities and nuances of end-to-end encryption when considering and writing policy. Muffett has an explainer here, with links, and the afterword is definitely worth the read.

To send in good news for the happy corner, please reach out to: this@weekinsecurity.com

~ ~

CYBER CATS & FRIENDS

This week's cyber cat is Hoa. According to his human, Hoa is fast but can't catch birds very well because he starts his run too far away. Sounds like the sort of cat you'd want on your threat hunting team, though! A big thanks to Kenneth I. for the submission!

Keep sending in your cyber-cats! Drop me an email here with their name and photo, and they'll be featured in the newsletter. Repeat submissions are always welcome.

~ ~

SUGGESTION BOX

And... I'm out for now! A big thank for reading. A shout-out to all those who are celebrating (or otherwise recognizing) July 4. As always, the suggestion box is open or drop me an email. If you like this week's newsletter, consider sharing with a friend or on your feeds. I'll be back next Sunday as usual with the round-up from the week.

Peace,
@zackwhittaker

Published by:

Zack Whittaker