this week in security — september 10 edition
THIS WEEK, TL;DR
Experts fear crooks are cracking keys stolen in LastPass breach
Krebs on Security: Last year, LastPass confirmed a catastrophic data breach that allowed hackers into its cloud storage and access to customers' encrypted password vaults. (You had one job!) Now, @briankrebs has a new story looking at why experts believe a string of cryptocurrency heists might be connected to the LastPass breach. According to Krebs, experts conclude that hackers "likely have succeeded at cracking open" some stolen LastPass vaults. LastPass updated its master password requirements in 2018, but vaults set up before this may not have updated their master passwords, making them vulnerable to password cracking down the line.
More: The Verge | @tayvano_ | @BushidoToken
U.K. government 'steers away' from encryption clash
TechCrunch: It seems — for now — that common sense has prevailed in the United Kingdom. A so-called "spy clause" in the U.K.'s Online Safety Bill, a draft law that among other things would require backdoors in E2EE communications so the regulators can scan for illegal content, was put on ice this week. It's no wonder both Signal and WhatsApp threatened to leave, and Apple got bolshy, too, fearing that it would undermine the security of their apps (it would!). My TC colleague @riptari has covered the bill — and its risks — since its debut, and explains how the events went down. The U.K. government basically kicked the "spy clause" down the road until it was "technically feasible" to enforce, which anyone who lived through the original Crypto Wars 1.0 and 2.0 knows that it is not. So why not just remove the spy clause altogether? Well, that would require British politicians admitting defeat. Some called the news a victory, others said removing the clause altogether "would be better."
More: BBC News | @mer__edith | @OpenRightsGroup | The Register
Microsoft solves mystery of how hackers stole its email signing key... kind of
Microsoft: Microsoft has revealed its best theory behind how China-backed hackers stole an email signing key that allowed them access to U.S. government inboxes. No less than five separate but cascading "issues" led to the key leaking outside of Microsoft's extremely restricted non-internet environment where the server storing the keys was located. After a system crash that unknowingly included the email key (whoops), the crash dump was taken to Microsoft's regular network for debugging. Microsoft said some time later the threat actors likely used "token-stealing malware" on a Microsoft engineer's device to access the debugging environment on the network. But since Microsoft doesn't keep logs for long enough, it can't be 100% sure this was how it went down. The full blog post is worth the read, and you can find my analysis here, with this closing thought. "It's both possible to be impressed by the security of a bank’s vault and still acknowledge the efforts by the robbers who stealthily stole the loot inside."
More: Reuters ($) | @malwaretech
U.S., U.K. announce fresh Trickbot and Conti charges
Wired ($): Another round of indictments targeting 11 alleged members of Trickbot (and the linked Conti ransomware gang) were announced this week by U.K. and U.S. authorities. These latest indictments include Maksim Galochkin, a Russian national who is believed to be a senior figure in the Trickbot group under the alias Bentley. Now, imagine the satisfaction of being able to say: "Wired identified Galochkin last week as part of an extensive investigation into Trickbot and its operations." If you haven't seen that piece already, go read — it was excellent work. The charges (and sanctions!) tighten the net around Bentley and others, effectively meaning their international travel is limited to countries with no extradition treaties.
More: Treasury | U.K. government | @dustinvolz
~ ~
THE STUFF YOU MIGHT'VE MISSED
Unpatched flaws expose defunct cameras made by defunct company Zavio
SecurityWeek: Insecure and buggy IoT devices are unfortunately commonplace, but the junk left behind by defunct companies like Zavio is just plain irresponsible. New bugs found in Zavio cameras, which are deployed across the U.S. and Europe, can allow for remote hijacking. Since there are no patches, users have to replace affected devices altogether. Also this week: Wyze users reported seeing other owners' webcam streams, due to an alleged "web caching issue." Remember, if it's not truly end-to-end encrypted, your webcam streams aren't just accessible to you.
Another North Korean campaign targeting security researchers
Google TAG: Meet Paul, who claims to be a security researcher on Twitter and Mastodon, but is actually working for the North Korean regime. Google Threat Analysis Group researchers (who investigate nation-state campaigns) say "Paul" tried to trick other security researchers into downloading a Windows tool that purports to be a debugging tool but actually has the ability to download arbitrary code. The goal? Hackers hacking hackers. TAG's disclosure saw Paul's Mastodon account shuttered, and their X (Twitter) account suspended. This isn't the first (or second) time DPRK hackers targeted security researchers, Google notes. Do you know this North Korean hacker? Tell Google!
How China demands tech firms reveal hackable flaws in their products
Wired ($): For the past two years, China has used a new cybersecurity law to demand that companies operating a network technology business in the country turn over any hackable flaw they find in their products. When a new bug is learned, the companies have to tell a Chinese government agency, which then shares the information with state-sponsored hackers. That's according to a new Atlantic Council report out this week. Given that flaws often take longer to patch than sending an email, that's basically a company sticking a target on its own back. Only two of six companies asked by Wired flatly denied giving unpatched flaws to China.
Cars are a "privacy nightmare," says Mozilla
Gizmodo: Browser maker Mozilla says connected cars these days are a "privacy nightmare" because of their broad privacy policies that allow the near unfettered collection of nearly every data type, including sexual activity, bizarrely. Is this a consequence of overly broad policies? Yes, absolutely. Are today's cars vacuuming up your sensitive and personal information anyway? Also yes. Mozilla said there's practically nothing you can do about it since most cars today have a modem in there somewhere. Another solid reminder that the U.S. has no data protection or privacy law that protects against this kind of near-mandatory collection. Good to know that California's privacy protection agency wants to know more about how car makers are (probably) flouting California's strict statewide privacy law, but the agency's review is expected to take some time.
Cops' bodycams are trackable and detectable, researchers find
Dataparty: Security researchers who presented their findings at Def Con last month have developed a new method for detecting BLE-enabled law enforcement bodycams. Many Axon/Taser bodycams have their own MAC address prefix, which can be used to detect their nearby presence. The full 23-minute video is worth it.
~ ~
~ ~
OTHER NEWSY NUGGETS
Apple device owner? Update today, but really: If you haven't updated your iPhone, Mac, or Watch in a while, today would be a great time to do it, as Citizen Lab confirmed a new Pegasus spyware infection on an iPhone running a fully-patched iOS 16.6 belonging to a Washington DC-based civil society organization. It's not clear exactly where the victim was physically located (though if stateside, this infection would be one of only a handful of known U.S.-based Pegasus infections). Citizen Lab found one of the bugs, and Apple found a second — thought to be part of the same exploit chain. Lockdown Mode blocks the attack. Still, you should update today! (via TechCrunch, Apple)
U.K. election commission failed cyber test before hack: In August, the U.K. organization that oversees elections announced it had been hacked more than a year earlier. According to a whistleblower speaking to the BBC, the Commission was given an automatic fail during a cybersecurity audit the same year it was hacked. A Commission spokesperson confirmed the fail — said to in part involve more than 200 staff laptops running obsolete Windows software and older iPhones without security patches — and that the commission did not apply for the same security audit in 2022. (via BBC News)
Minneapolis schools finally notify breach victims: Seven months after a ransomware attack resulted in more than 100,000 students having their highly sensitive and personal information stolen, Minneapolis Public Schools said it's finally notifying those affected by mail. Something is deeply wrong when any organization that was knowingly and very publicly hacked takes most of a year to inform those affected. (via ABC-KSTP)
Verizon company will pay $4.1M over poor cybersecurity: The Justice Department announced a $4.1M settlement with Verizon subsidiary Verizon Business Network Services (VBNS) over claims the company failed to meet several key cybersecurity standards in connection with a U.S. federal government IT system. (via Justice Department)
~ ~
THE HAPPY CORNER
Welcome to the weird wonderful very bizarre happy corner.
In this week's edition of What Doom Can Run On, we have a Tetris-playing McDonalds chicken nugget toy by @kevsmac. (And that's definitely the weirdest thing I've written in a while). Behold, the Doom-playing nug!
Hacker and former Twitter security head Peiter Zatko aka Mudge is now at U.S. cybersecurity agency CISA to help software makers bake in security from the start of development, as part of CISA's secure-by-design principles. Congrats, Mudge, and everyone who will benefit as a result. via Washington Post ($)
And finally, pour one out for Margaret Betts, one of the original Nazi hunters whose work at Bletchley Park was instrumental in deciphering enemy communications during World War II. Betts, who died aged 99, was one of the last surviving codebreakers to have helped crack the German's Enigma machine, but kept her work a secret for 40 years. The Guardian has Betts' obituary, and the BBC has more.
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
Meet Larry, this week's cyber cat. Laugh all you want, but this is a genuine cat denial-of-service attack. You can't do much when your cat's paw is holding down the Escape key. A very modern "snow day." Many thanks to Alice B. for sending in!
Send in your cyber cats! Drop me an email with your cyber cat (or non-feline friend!) with their name and photo, and they'll be featured in an upcoming newsletter.
~ ~
SUGGESTION BOX
Well that was a busy one! Thanks for making it through! As always, please do send any feedback, thoughts or comments to my email. I'll be back on Sunday with the usual rundown, and more.
Be well, and enjoy your week.
—@zackwhittaker