this week in security — september 12 edition

THIS WEEK, TL;DR

Hacking Team customer in Turkey was arrested for spying on police colleagues
Zero Day: We start with @KimZetter's latest, a complicated but compelling read about Hacking Team malware and Turkish police. In 2011, a Turkish journalist was arrested after faked documents were planted on his computer using the Ahtapot malware. @juanandres_gs found the malware, which had links to the Rad spyware. Rad stole data from victims' computers and sent it to one of seven email addresses hardcoded in the malware, linked to an IT company in Istanbul called Datalink. This is known because Hacking Team was itself hacked and its emails were published by WikiLeaks several years ago. The story follows the trail of a Turkish police inspector, who acquired the spyware using funds from Datalink rather than the police, and was later arrested for siphoning off information about police investigations. The whole story is very in-depth. Great read.
More: @kimzetter | @daveaitel | @juanandres_gs

United Nations networks breached by hackers earlier this year
Bloomberg ($): Hackers breached the U.N.'s networks earlier this year and took a data trove that "could be used to target agencies within the intergovernmental organization," per cybersecurity company Resecurity. Hackers likely used credentials dumped on the dark web to access the U.N.'s network via its proprietary project management software, Umoja, since the account wasn't protected with multi-factor authentication. The U.N. confirmed the hack, and said "further attacks have been detected and are being responded to, that are linked to the earlier breach."
More: CNN | @snlyngaas

Casey Ellis tweet: A proposal: if you get breached by something dumb, it’s an “unsophisticated attack” - not “unsophisticated attackers”.

'Every message was copied to the police': the inside story of the An0m takedown
The Guardian: Remember a few months ago when An0m, the encrypted phone company that was used almost exclusively by criminals but was secretly run by the FBI, was shut down and hundreds were arrested? The Guardian is back with a long read on how Australian police, which had the legal regime to run the honeypot, copied every criminal's message as part of a massive takedown effort. The piece is fascinating, and looks at how the FBI et al. legally pulled off the operation.
More: @simonparkin | @1Br0wn

Wide-ranging SolarWinds probe sparks fear in Corporate America
Reuters ($): An investigation by the SEC into Russia's SolarWinds espionage campaign apparently has dozens of corporate executives "fearful" that unearthed evidence may expose them to liability. According to Reuters, the SEC is asking for records of "any other" breach or attack since October 2019, when the SVR-led espionage campaign began, since "the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign." According to one person familiar, "Most companies have had unreported breaches since then." If companies have deliberately left breaches unreported since then, they could face significant penalties. Cue the sound of the world's tiniest violin.
More: @thegrugq | @josephmenn

~ ~

THE STUFF YOU MIGHT'VE MISSED

Phishing kit discovery tool Kit Hunter 2.0 released on GitHub
GitHub: @SteveD3 is back with a new version of Kit Hunter, a basic phishing kit detection tool built in Python that he's been working on for literally years. The tool scans directories for phishing kits using known markers and spits out a report at the end. The full documentation is extensive.

Apple pays hackers six figures to find bugs in its software. Then it sits on their findings
Washington Post ($): Apple is under fire (again) for its bug bounty efforts — or lack thereof. Bug finders and security researchers complain that Apple's "insular culture" has hurt its bug bounty program, in large part because Apple is slow to fix bugs and "does not always pay hackers what they believe they're owed." In some cases it just ignores vulnerabilities. It's widely known just how problematic Apple's bug bounty efforts have been. Recall @lorenzoFB's deeply reported piece on Apple's "double agent" from August. For context, Apple still has not said if it has patched or plans to patch current versions of iOS 14 to protect against the NSO zero-day that was reported more than two weeks ago. That's put thousands of human rights defenders who rely on iPhones at risk from surveillance, suppression, and death. Suffice to say it's not enough that Apple claims it cares about security when "the house always wins," per @k8em0.

Runa Sandvik tweet: "I'm not surprised to see Apple's bug bounty program stumble, given the company's tight-lipped culture. Will be interesting to see how the program develops over the next year or two."

Germany's BKA secretly bought NSO spyware
Zeit Online: Germany's federal police is an NSO customer, according to German media. That makes Germany the second European nation to use the Pegasus spyware, after Hungary. The German government admitted shortly after that it bought access to the spyware in 2020, and now joins several other nation states, including Rwanda, Bahrain and Qatar, that are known to use Pegasus. Given that other countries have used Pegasus to spy on journalists and human rights defenders, one journalists' union leader asked whether journalists were targets of the spyware.

EFF releases APK downloader to counter spyware, stalkerware
Electronic Frontier Foundation: The EFF has released a new command-line tool that downloads Android APKs (apps) from the internet. The open-source tool, apkeep, makes it easier to scan and analyze Google Play apps that could contain tracking or malicious code.

~ ~

OTHER NEWSY NUGGETS

The other Sara Morrisons are ruining my inbox
Recode: @SaraMorrison has a prime piece of internet real estate — her own name as an email address. But that's also made it the virtual dumping ground for the many other Sara Morrisons out there, who keep emailing her personal information about themselves. The long of it is that email is broken and is not the unique identifier it once was. A solid weekend read.

A secretive Pentagon program that started on Trump’s last day in office just ended
Washington Post ($): Literally minutes before Trump left office in January, the Pentagon handed over a huge cache of 175 million IP addresses to a Florida company — for reasons that nobody can seem to figure out, though ostensibly for a cybersecurity project tasked with finding vulnerabilities and preventing unauthorized use of Defense Department IP address space. Now that IP space has been handed back to the federal government, according to the Pentagon. "But the Pentagon statement shed little new light on exactly what the pilot program was doing or why it now has ended."

Google handed user data to Hong Kong authorities despite pledge
Hong Kong Free Press: After Beijing pushed a new national security law on Hong Kong last year, tech giants said they wouldn't respond to Chinese government demands for user data. Instead, China has to go through formal diplomatic channels, known as a mutual legal assistance treaty. But new reporting shows Google did hand over user data in three cases — essentially through emergency disclosure — involving a "credible threat to life" and the other dealing with human trafficking. By comparison, Facebook denied an emergency request last year. Apple and Microsoft haven't published transparency reports (yet). A good tweet thread by @tomgrundy.

~ ~

THE HAPPY CORNER

Got some good news from the week? Get in touch: this@weekinsecurity.com. More next week.

~ ~

CYBER CATS & FRIENDS

Since there was no good news this week (sorry!), here's a rare two-for-one cyber cat special. Meet Cookie and George. Their human tells me that they were rescued in New Brunswick during the pandemic, and that they are best friends. Glad they have a forever home! A big thanks to MK for the submission.

Don't forget to send in your cyber cats (or their friends)! Email with their name and photo here!

~ ~

SUGGESTION BOX

A little short this week with Labor Day, so no doubt more next week. Thanks for reading! As always, the suggestion box is open or feel free to reach out directly at this@weekinsecurity.com. Take care and see you next week.