🎓️ Vulnerable U | #041

Governments are monitoring people based on our Push Notifications, 23andMe hack update totals 6.9 million victims, Ex-Twitter exec claims X fired him for raising security concerns, Ransomware going after Roblox, Twitch, & more!

Read Time: 8 minutes

Howdy friends!

Time is a construct. Emails are going ignored. A few folks are rabidly trying to remain productive while “out of office” messages are popping up everywhere. Well, I’m glad that even though you’re most likely ignoring all your day job responsibilities until after the New Year, you’re here choosing to catch up on the news with me.

Been going through it lately, and I come back to my piece on Threat Modeling Depression. There are about 6,000 more of you here than when I wrote that, and I think it’s important to revisit going into the holidays. A lot of triggers are stacked into the next few weeks, so make sure you have your mental health mitigations in place.

Threat Modeling Depression:

Everyone is going to need a different mitigation cocktail. What works for me won’t necessarily be the best solution for the next person. The best approach is to start trying different things. See what sticks.

While I want to encourage people to befriend experimentation, the truth is trying can be hard. Depression makes everything hard. So my best advice is to put things in place on a good day. Doing things on the hard days is just not realistic.

Call your friends and family and tell them what to look for, what to do if they notice you spiraling, and then ask them to give you what you need.

Buy groceries on a good day. Do the cook up.

Join the group. Schedule the appointment. Set the screen time limits.

Or whatever combination of things you think might work for you.

ICYMI

🖊️ Something I wrote: 23andMe is in the spotlight again this week. I covered the story when it first broke, explored the concerns around the privacy of a DNA testing service, and asked, “Is credential stuffing a data breach?”

🎧️ Something I heard: I got sucked into this video docu-series on the state of San Francisco’s streets. Don’t start watching at midnight; you will stay up till 2 am to finish it. Or you’re wired differently than me and are normal.

🎤 Something I said: I’m not sure I’ve ever linked it, but I started doing quick news clips over on TikTok if that’s your jam.

🔖 Something I read: My good friend, whether he’ll admit that or not, Rich Mogull just launched his newsletter. It's hard even to call it a newsletter since he’s putting us all to shame with the amount of work he’s committed to. It’s a Cloud Security Lab a Week (S.L.A.W), all for free. He teaches cloud security training at BlackHat for …not free. So this is awesome! Congrats Rich!

Vulnerable News

If you’re interested in privacy or cybersecurity, it is crucial to take a second to learn how push notifications work under the hood. They don’t work the way you might think.

When an app sends a push notification, it doesn’t go straight from the app’s servers to the user’s phone. It is handed to the platform’s push service, Apple’s APNs or Google’s FCM for most people, which queues it and delivers it to the device. That relay position gives Apple and Google a ton of metadata: which app, which device token, when, and how often.

Unless the app encrypts the payload itself and decrypts it on the device, the relay can also read the content, including the actual text displayed in the notification. This is where law enforcement sending warrants gets hairy: the data sits with two companies that were never a party to the conversation.

  • Government Surveillance Tactics: The U.S. government requests push notifications data from companies like Apple and Google.

  • Identification Goals: This data is sought to identify specific user devices.

  • Privacy and Legal Concerns: Senator Wyden's letter highlights potential privacy invasions and legal issues with this surveillance method.

  • Ongoing Debate: There's an ongoing debate in the public and legal spheres about the balance between national security and individual privacy rights.

“That gives the two companies unique insight into the traffic flowing from those apps to their users, and in turn puts them "in a unique position to facilitate government surveillance of how users are using particular apps," Wyden said. He asked the Department of Justice to "repeal or modify any policies" that hindered public discussions of push notification spying.” (read more)
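To make the relay problem concrete, here is a small Python example I added for this issue (it is not code from the newsletter, Apple, or Google). It builds the naive payload that puts the message text in the notification, the common mitigation of a silent wake-up that carries only an opaque reference the device then uses to fetch the message from the app’s own server, and a simple audit of what the relay can read from each. The keys under "aps" are APNs’ documented ones; "msg_ref" is an assumed custom key for illustration.

```python
"""Added example (not the newsletter's code, nor Apple's or Google's): what a
push relay can read.

An app server hands APNs or FCM a JSON payload; the relay stores and forwards
it. TLS protects the wire, not the relay, so anything readable in the payload
is readable by Apple or Google, and by whoever subpoenas them. The mitigation
shown is a silent wake-up carrying only an opaque reference; the device then
fetches the message from the app's own server and renders it locally.
"""
import json
import secrets
import string

DISPLAY_KEYS = ("title", "subtitle", "body")   # APNs alert fields shown to the user


def build_plaintext_push(sender: str, body: str) -> dict:
    """Naive design: the message text rides in the notification itself."""
    return {"aps": {"alert": {"title": sender, "body": body}, "sound": "default"}}


def new_message_id() -> str:
    """Opaque, unguessable reference (32 hex chars) to a message stored server-side."""
    return secrets.token_hex(16)


def build_opaque_push(message_id: str) -> dict:
    """Mitigated design: background push with no displayable content.
    The device wakes, fetches `message_id` over TLS from the app server,
    and builds the visible notification locally."""
    return {"aps": {"content-available": 1},
            "msg_ref": message_id}   # msg_ref: assumed custom key, opaque to the relay


def is_opaque_token(value: str) -> bool:
    """Long hex string: a reference, not prose."""
    return len(value) >= 32 and all(c in string.hexdigits for c in value)


def relay_readable_content(payload: dict) -> list:
    """Return the strings a relay could read as message content: the APNs alert
    fields plus any custom top-level string that is not an opaque token."""
    readable = []
    alert = payload.get("aps", {}).get("alert")
    if isinstance(alert, str):
        readable.append(alert)
    elif isinstance(alert, dict):
        readable.extend(alert[k] for k in DISPLAY_KEYS if k in alert)
    for key, value in payload.items():
        if key != "aps" and isinstance(value, str) and not is_opaque_token(value):
            readable.append(value)
    return readable


def what_the_relay_sees(payload: dict) -> dict:
    """Simulate the hop: serialize as the app server would, parse as the relay would."""
    return json.loads(json.dumps(payload))


if __name__ == "__main__":
    plain = build_plaintext_push("Alice", "Meet at the courthouse at 9")
    opaque = build_opaque_push(new_message_id())
    for name, p in (("plaintext", plain), ("opaque", opaque)):
        print(f"{name}: relay can read {relay_readable_content(what_the_relay_sees(p))}")
```

The trade-off is real: the opaque design costs a network round trip on the device and breaks “notification shows the message while offline,” which is exactly why so many apps don’t do it. The audit function is the thing to point at the payloads your own backend emits.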

We have previously talked about a power struggle that is getting political about end-to-end encryption. Some dark money funds are paying serious dollars to fight against our right to encrypt our data. Apple has been the punching bag here as they’ve refused to weaken encryption in iCloud.

In a shocking event, Apple let one of its senior engineers write this piece: Ivan Krstić, the head of Apple’s Security Engineering and Architecture group. If you know anything about Apple employees, they can say, “Yes, I work at Apple,” and that is about where the conversation has to end for them.

Apple also put out this article from their newsroom: Report: 2.6 billion personal records compromised by data breaches in past two years — underscoring need for end‑to‑end encryption. So it seems to me they are on a press tour about encryption, positioning themselves as the secure and private option out there. They aren’t wrong, especially compared to Google, but seeing it take such a front seat in their messaging is interesting.

From Ivan’s piece: “End-to-end encryption is a pivotal capability that protects the privacy of journalists, human rights activists, and diplomats, and helps defend people around the world from surveillance, identity theft, fraud, and data breaches in the cloud.” (read more)

We covered this one extensively when it first broke. The big question back then was, “How the hell are they selling millions of users' data based on credential stuffing?” We now have some more answers. About 14,000 accounts were broken into using passwords those users had reused on other sites and that had leaked in previous data breaches. The multiplier was the DNA Relatives feature: each compromised account could see profile data for its genetic matches, so the attackers scraped millions of people whose own accounts were never touched:

“In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.

23andMe also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information, the spokesperson said.” (read more)

I’m pretty sure this guy was only head of security because the rest of the team was fired or left. But even then, he brought up some security concerns, and he is alleging that they got him fired.

“Rosa claims in the complaint, filed in New Jersey federal court, that he was directed to cut the physical security budget by 50% after it had already been cut 50% and then shut down software that "enables Twitter to share details with law enforcement globally regarding time-sensitive and important legal matters."” (read more)

Citrix Bleed claims another victim! I’m kind of surprised I’m not reading more about this vuln, as it seems to show up in a significant breach every week.

It seems a credit union technology firm named Trellance owns a cloud service provider named Ongoing Operations, which was the actual victim of the Citrix Bleed attack.

They’re saying no user info has been stolen yet. Still, the article is all over the place with different regional credit unions and other companies under this umbrella that are down; customers can’t even email support at most of them. (read more)

I wrote a thread on Twitter about this one when I saw it happen. ALPHV announced they were targeting Twitch and Roblox through Tipalti, the accounts-payable software firm both companies use, which the gang claims to have pwned.

Tipalti’s other clients include Twitter, GoDaddy, Business Insider, Canva, and others. I'm not sure what info from all of these companies is at risk at this point, but I’m guessing we’ll find out soon. (read more)

Just a little DFIR report to cozy up with a warm cup of joe. This is a really good writeup for those who want to see the guts of a ransomware attack soup to nuts.

Let me break it down in layman’s terms. Click the link if you want the expert-level deep dive.

  • Ransomware Attack on SQL Server: A public-facing MSSQL Server was attacked using brute-force methods, leading to the deployment of BlueSky ransomware.

  • Infiltration and Spread: Hackers gained access by brute-forcing the SQL “sa” (System Administrator) account. They then turned on xp_cmdshell, the stored procedure that lets SQL Server run operating system commands, which gave them a shell on the box and a foothold to spread across the network.

  • Use of Cobalt Strike and Tor2Mine: The attackers used Cobalt Strike and Tor2Mine for post-exploitation activities, including deploying a Monero-mining campaign and establishing further control.

  • Quick Execution: Within just 30 minutes after accessing the network, the attackers deployed the BlueSky ransomware. (read more)
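The first two steps of that chain leave loud traces in SQL Server’s own ERRORLOG: a flood of event 18456 login failures for sa, then a configuration change switching xp_cmdshell on. The Python below is an example I added for this issue (not from The DFIR Report) that runs over log lines constructed in the ERRORLOG’s format and fires on the burst, then escalates when a dangerous sp_configure option is enabled shortly after it. The thresholds and the 30-minute follow-up window are assumptions to tune for your environment.

```python
"""Added example (not from The DFIR Report): spotting the first two steps of the
intrusion in SQL Server ERRORLOG text: a password-guessing burst against 'sa'
(event 18456) followed by xp_cmdshell being switched on. Log lines are
constructed in the ERRORLOG's format; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
FAILED_LOGIN = re.compile(
    TS + r" Logon\s+Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_CHANGE = re.compile(
    TS + r" \S+\s+Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# sp_configure options that hand SQL Server a way to run code outside the engine
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}


class Alert(NamedTuple):
    kind: str
    severity: str
    when: datetime
    detail: str


def parse_ts(raw: str) -> datetime:
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S.%f")


def analyze(errorlog: str, threshold: int = 20, window: timedelta = timedelta(seconds=60),
            followup: timedelta = timedelta(minutes=30)) -> list:
    """One pass over the log. Fires once per (client, user) when `threshold`
    failures land inside `window`; escalates a dangerous option being enabled
    within `followup` of the last observed burst."""
    alerts = []
    recent = defaultdict(deque)      # (client, user) -> timestamps inside the window
    in_burst = set()                 # keys already alerted on, until they cool off
    last_burst_seen = None
    for line in errorlog.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            ts, key = parse_ts(m["ts"]), (m["client"], m["user"])
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                if key not in in_burst:
                    in_burst.add(key)
                    alerts.append(Alert("brute_force", "high", ts,
                                        f"{len(q)} failed logins for '{key[1]}' from {key[0]} "
                                        f"within {window.seconds}s"))
                last_burst_seen = ts
            else:
                in_burst.discard(key)
            continue
        m = CONFIG_CHANGE.search(line)
        if m and m["opt"] in DANGEROUS_OPTIONS and m["new"] != "0":
            ts = parse_ts(m["ts"])
            after_burst = last_burst_seen is not None and ts - last_burst_seen <= followup
            alerts.append(Alert("dangerous_option_enabled", "critical" if after_burst else "high", ts,
                                f"'{m['opt']}' changed {m['old']}->{m['new']}"
                                + (" shortly after a brute-force burst" if after_burst else "")))
    return alerts


def constructed_errorlog() -> str:
    """Constructed sample: 25 guesses against sa from one client in 25 seconds,
    two stray failures from another client, then xp_cmdshell enabled."""
    lines = ["2023-12-01 10:14:00.00 spid10s     Recovery is complete. This is an informational message only."]
    for i in range(25):
        ts = f"2023-12-01 10:15:{2 + i:02d}.00"
        lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{ts} Logon       Login failed for user 'sa'. Reason: Password did not match "
                     f"that for the login provided. [CLIENT: 203.0.113.5]")
    for ts in ("2023-12-01 10:15:30.00", "2023-12-01 10:15:32.00"):
        lines.append(f"{ts} Logon       Login failed for user 'sa'. Reason: Password did not match "
                     f"that for the login provided. [CLIENT: 198.51.100.9]")
    lines.append("2023-12-01 10:15:40.55 spid55      Configuration option 'show advanced options' "
                 "changed from 0 to 1. Run the RECONFIGURE statement to install.")
    lines.append("2023-12-01 10:15:40.61 spid55      Configuration option 'xp_cmdshell' "
                 "changed from 0 to 1. Run the RECONFIGURE statement to install.")
    return "\n".join(lines)


if __name__ == "__main__":
    for a in analyze(constructed_errorlog()):
        print(f"[{a.severity}] {a.kind} at {a.when:%H:%M:%S}: {a.detail}")
```

Two caveats: the 18456 failures only appear if login auditing is set to log failed logins (the default), and a sa account that is disabled or renamed never produces this burst in the first place, which is the cheaper fix.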

OwnCloud, a wildly popular self-hosted Dropbox-alike, had two serious bugs drop this week, and GreyNoise reports seeing exploitation of one of them in the wild.

Vulnerability Details: CVE-2023-49103 is a phpinfo() leak: the graphapi app ships a third-party library’s test file that dumps the PHP environment, and in containerized (Docker) deployments that dump includes environment variables such as the ownCloud admin password, mail server credentials, and license key. CVE-2023-49105 is an authentication bypass in the WebDAV API: knowing only a victim’s username, and as long as that user has no signing key configured (the default), an attacker can access, modify, or delete any of their files through pre-signed URLs, which is full file control and possibly a path to code execution. (read more)

A New Relic employee got socially engineered, and the stolen credentials let attackers into their staging environment. Luckily, New Relic does the good thing of not having staging attached to prod data. Be like New Relic.

From their disclosure:

“Two weeks ago, New Relic became aware of unauthorized access to our staging environment, an internal environment that provides visibility into how our customers are using New Relic and certain logs. Telemetry and application data sent to New Relic by our customers in their use of the New Relic platform does not reside in our staging environment.” (read more)

You know how you plug your phone into your car, and it syncs a bunch of data to its internal computer? Well, it turns out most auto manufacturers are not also great software companies.

Senator Edward Markey criticized automakers for their data privacy practices, describing them as "unacceptable." He expressed concerns over the excessive collection and sharing of personal data by automakers, including sensitive biometric data, which could potentially infringe on consumer privacy.

  • Senator's Concern: Markey is worried about the amount and type of data collected by cars, including biometric data.

  • Privacy Issues: There's a fear that automakers are freely sharing this data with third parties.

  • Automakers' Response Required: Markey has sent letters to 14 car companies asking about their data privacy policies.

  • Mozilla Foundation Report: The concerns are backed by a Mozilla Foundation report highlighting similar issues. (read more)

I almost went full nuclear on this one. Just read that headline. I jumped all over it, and some of the blurbs on Twitter said it was undetectable and many other bad words.

The thing is… you already need administrative access to the machine, or hands on it while it’s unlocked. What LogoFAIL buys an attacker who has that is not privilege escalation but persistence below the OS: the firmware parses the swapped-in image during boot, so the attacker’s code runs before the operating system and beneath anything your EDR can see. It’s a severe class of bugs. But not a 5-alarm fire like I thought.

“There are several ways to exploit LogoFAIL. Remote attacks work by first exploiting an unpatched vulnerability in a browser, media player, or other app and using the administrative control gained to replace the legitimate logo image processed early in the boot process with an identical-looking one that exploits a parser flaw. The other way is to gain brief access to a vulnerable device while it's unlocked and replace the legitimate image file with a malicious one.”

Remote. You keep using that word, but I don’t think you know what it means… Remote! But first, you use an actual remote vulnerability, and THEN you can use LogoFAIL.

Hey, excellent branding, though. (read more)
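Since the practical vector is “swap the image file,” the practical check is a baseline. Below is a Python example I added for this issue (not from Binarly’s research or any vendor) that hashes the image files under a directory standing in for the EFI System Partition and reports what changed. The EFI/OEM layout is an assumption; real logo locations are vendor-specific, and on platforms that embed the logo in the firmware image itself, rather than loading it from the ESP, this check sees nothing and only a firmware update helps.

```python
"""Added example (not from Binarly or any firmware vendor): baseline the boot
logo images on the EFI System Partition and report swaps, additions, removals.
The directory layout used in demo() is an assumption; real paths vary by vendor.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# image formats whose firmware parsers were the LogoFAIL attack surface
IMAGE_EXTS = {".bmp", ".png", ".gif", ".jpg", ".jpeg", ".tga", ".pcx"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every image file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in IMAGE_EXTS}


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; every non-empty list here deserves a human look."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir standing in for the ESP."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        oem = esp / "EFI" / "OEM"            # assumed layout; real paths are vendor-specific
        oem.mkdir(parents=True)
        (oem / "logo.bmp").write_bytes(b"BM" + b"\x00" * 62)        # constructed stand-in
        (oem / "splash.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (oem / "readme.txt").write_text("not an image, ignored")
        baseline = build_baseline(esp)
        save_baseline(baseline, esp / "logo-baseline.json")
        # an attacker with admin rights (or brief physical access) swaps the logo,
        # drops a second image, and removes one
        (oem / "logo.bmp").write_bytes(b"BM" + b"\xff" * 62)
        (oem / "extra.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (oem / "splash.png").unlink()
        diff = compare(load_baseline(esp / "logo-baseline.json"), build_baseline(esp))
        return {"baseline_files": sorted(baseline), "diff": diff}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file off the machine it describes, and run the comparison from trusted media rather than the possibly-compromised OS: an attacker who can swap the logo can also swap the baseline.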

Miscellaneous mattjay

Just stick with something, and you’re bound to be in the top percentage of people about it

500 days seemed worth celebrating

This Security parody of Spotify Wrapped was the funniest thing I saw all week

Upcoming Appearances

I got to talk to Cyber Psychologist Dr. Stacy Thayer last week for her podcast. We had a great chat about mental health in our field and technology in general. Keep an eye on her feed; I am not sure of the publish date.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay