This week
Scale of 23andMe data breach increases: 6.9 million may be affected
- Rumours that genetic testing company 23andMe had suffered a data breach started circulating in October. First, the company said it was its users’ fault for reusing passwords (vol. 6, iss. 41), despite the company not noticing significant, programmatic access to its users’ accounts. Then it filed with the SEC saying around 0.1% of user accounts (~14,000 people) were impacted (vol. 6, iss. 49). Now it seems the number might be closer to 6.9 million.
- The difference in the numbers is because of 23andMe’s DNA Relatives feature, which allows users to share their DNA profile for potential matches with other users: each compromised account exposed not just its owner’s data but that of every relative who had opted in to matching. The feature allows users to “find lost family members by willingly giving others access to information like their birth year, current location, and ancestors’ names and birth locations”.
- 23andMe has also given users 30 days to opt out of new terms, including a prohibition on participating in class-action lawsuits against the company. Users were notified via email that “important updates were made to the Dispute Resolution and Arbitration section”. The practical impact is that, as details of the data breach come to light, users who do not opt out will not have the ability to participate in group legal action against the firm. Read more about how to opt out if you’re a 23andMe customer.
Surveillance notification
- US Senator Ron Wyden has revealed that government agencies are spying on targets through app push notifications.
- Apple and Google are “in a unique position to facilitate government surveillance of how users are using particular apps,” as the tech companies act as brokers, relaying notifications between app developers and their users. Many notifications are not end-to-end encrypted and contain snippets of content or message previews; these are generated separately from the message itself, which is loaded within the app.
- Wyden’s letter to the Department of Justice asks that Apple and Google be permitted to be transparent about these requests and about whether they have been legally compelled to hand over this type of information.
Russia round-up
- The UK Foreign Office and Five Eyes allies say that Russia’s principal intelligence agency has been targeting lawmakers, civil servants and journalists since 2015, and seeking to meddle in Britain’s politics. ‘Spies spying’ isn’t big news, but the overt calling out of covert operations and their techniques is. The FCDO attributed the attacks to Russia’s Federal Security Service (FSB) Centre 18, tracked as Star Blizzard (AKA SEABORGIUM, Callisto Group, TA446, and COLDRIVER). NCSC has published details of Star Blizzard’s spear-phishing campaigns, including ways to protect against them.
- Russian misinformation groups have also been abusing celeb video site Cameo to get Hollywood actors to record videos in support of ‘Vladimir’ and his battle against substance abuse. The videos are then edited and posted on Russian social media, giving the impression that the A-listers are in support of Russia’s invasion of Ukraine.
- Russia’s Fancy Bear (APT28) have also been busy exploiting a vulnerability in Microsoft Outlook to gain unauthorised access to email accounts. Microsoft patched CVE-2023-23397 earlier this year; the bug leaks a victim’s NTLM credentials when Outlook processes a crafted message, with no user interaction required. Palo Alto Networks says that the threat actor has used this technique to compromise at least 30 organisations in 14 different countries in the last two years.
Interesting reads
- Bruce Schneier on how the Internet enabled mass surveillance, and AI will enable mass spying. Schneier’s piece also features in this report on Ars.
- The story behind the seven years it’s taken Meta (née Facebook) to add end-to-end encryption on Messenger and Instagram chat, which was finally enabled this week, amid backlash from law enforcement (though on that front, see push notifications, above).
- Former Uber chief security officer Joe Sullivan’s interview with TechCrunch’s Carly Page, ahead of delivering his keynote at Black Hat Europe this week.
Interesting stats
$3 billion in cryptocurrency stolen by Kimsuky, Lazarus, Andariel, and other North Korean groups since January 2017, according to Recorded Future, who estimate the same groups have been behind 44% of all stolen cryptocurrency in the last year.
55% of insider threats involve exploiting escalation of privilege vulnerabilities, according to CrowdStrike; the remaining 45% involve downloading or misusing offensive security tools.
Other newsy bits / in brief
- Reports this week suggest that IT systems at Sellafield, a UK nuclear site that processes and stores nuclear waste, were compromised by Russian and Chinese actors in multiple breaches dating back to 2015. The Guardian broke the story, and says that the site was placed into “special measures” by the Office for Nuclear Regulation and security services last year. However, a UK Government statement denies the report, insisting “[w]e have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors”.
- A novel Linux rootkit targeting telecommunications companies in Thailand has been discovered by researchers at Group-IB, who believe infections have gone undetected for two years. The malware, dubbed Krasue by the researchers, uses RTSP (Real-Time Streaming Protocol) messages as a hidden ‘ping’ to its command and control servers.
- Binance, one of the world’s largest cryptocurrency exchanges, long maintained that it didn’t have to comply with US financial regulations. The exchange has settled with US regulators, and Binance executives have pleaded guilty to criminal money-laundering charges. The settlement is a big deal: as well as changing its practices, Binance will also conduct an unprecedented review of all its transactions from 2018 to 2022 and will file ‘suspicious activity reports’ (SARs) for anything that may violate US law. If you’re a cybercriminal trying to launder funds or a US resident who hasn’t disclosed taxable cryptocurrency earnings, you may receive some attention from US authorities.
- Newag, a Polish train manufacturer, has denied coding sabotage into its trains and claimed that it must have been compromised, after security researchers discovered code that causes the trains to fail under certain circumstances. One of Newag’s customers asked the researchers to investigate after its trains failed following servicing by one of the manufacturer’s competitors. One of the researchers, Sergiusz Bazański, told The Register “[w]e found that the PLC [programmable logic controller] code contained logic that would lock up the train with bogus error codes after some date, or if the train wasn’t running for a given time”. Bazański continues, “[o]ne version of the controller actually contained GPS coordinates to contain the behavior to third-party workshops.” (H/T Niall)
- BLUFFS: A new research paper (PDF) describes vulnerabilities in Bluetooth’s forward and future secrecy guarantees that make it possible to force the reuse of weak session keys across sessions, enabling impersonation and attacker-in-the-middle attacks when new Bluetooth sessions are established.
- Cambridge University Hospitals NHS Foundation Trust handed over the data of 22,073 patients in two separate freedom of information responses in 2020 and 2021. The data, which was mainly of maternity patients, included names, hospital numbers, conception dates and birth outcomes. The data was left visible in worksheets and pivot tables in addition to the summary intended for release.
- Nissan is investigating an attack targeting its systems in Australia and New Zealand, with customers being warned about an increased risk of scams in the coming days.
- Active Directory domains may allow attackers to spoof DNS records without requiring any authentication when using Microsoft’s DHCP server in its default configuration.
- Atlassian has patched four critical remote code execution (RCE) vulnerabilities affecting its Confluence, Jira, and Bitbucket products. All four score at least 9.0/10.0 and, if you run any of these products on-prem, you should check and patch promptly, especially if they’re externally accessible.
- Fleet management: Security researchers are warning that a vulnerability in Digital Communications Technologies’ Syrus4 IoT gateway has gone unpatched. CVE-2023-6248 allows unauthorised individuals to send commands to thousands of vehicles, potentially turning them off.
- The December Android update addresses a critical ‘zero-click’ vulnerability that may allow code execution without any user interaction. This is the sort of bug that spyware companies use to compromise devices.
- WordPress version 6.4.2 has been released to address a remote code execution vulnerability in WordPress Core that is reachable when combined with some plugins and themes.
- Known _UN_exploited vulnerability: CISA is removing a vulnerability from its Known Exploited Vulnerabilities catalogue (KEV) after it came to light that a remote code execution issue in D-Link routers wasn’t actually exploitable.
- Extended support: Microsoft is to offer all Windows 10 customers the opportunity to purchase additional security updates through Redmond’s Extended Security Updates programme. The ESU will add three years of additional security support beyond the ‘end of support’ date (14th October 2025). For the first time, ESU will be available to home customers. I’m torn on whether this is a good thing for home customers or not. The best route would surely be a simple upgrade path.
- Spam should be less likely to make its way through Gmail’s mail filters after an upgrade to Google’s Resilient and Efficient Text Vectorizer (RETVec), which now has much better support for homoglyphs (e.g. using Unicode ‘bold’ characters). RETVec is also available as an open source project.
- CISA and ENISA (the EU’s cyber security agency) have signed a cyber-intelligence sharing agreement.
- Funding, Mergers & Acquisitions: ArmorCode has raised a $40 million Series B round to grow its product and engineering teams and the go-to-market efforts of its platform for collecting and standardising vulnerability data. Opal Security, an identity and access management vendor, has raised a $22 million Series B round to double the size of its team by the end of 2024.
And finally
- Communications integrity: Bravo to Louis Ashworth, the picture editor and folks at FT for their sassy write-up of a snafu at corporate comms specialist Investis Digital who sent a message purporting to be a regulatory news alert from Tesco Plc reading “GO FUCK YOURSELF” in big-ol’, bold, red font. I suspect it’s most likely a test gone wrong, but can’t rule out a disgruntled employee or unauthorised access. Still, they did deliver an “authentic online [experience]”.