this week in security — january 26 edition
- this week in security
------------------------------------------------------------
a cybersecurity newsletter by @zackwhittaker (https://mastodon.social/@zackwhittaker)
volume 8, issue 4
View this email in your browser (https://mailchi.mp/weekinsecurity/this-week-in-security-january-26-2025-edition?e=9d10de3b61) | RSS (https://us18.campaign-archive.com/feed?u=e1ad6038c994abec17dafb116&id=a2457dc8ad)
~ ~
- THIS WEEK, TL;DR
------------------------------------------------------------
Trump cyber team disbands CISA advisory committees investigating big hacks (https://www.wired.com/story/big-interview-jen-easterly-cisa-cybersecurity/)
Wired ($): We're now week one into Trump term two and it's "all change" in government. Wired's @lhn (https://mastodon.online/@lhn/113877589757673685) scored the big exit interview with former CISA head @CISAJen (https://x.com/CISAJen), who spoke of her time in government, the agency's successes, her concerns for the future, and more. It's a brilliant interview, plus video. Just as Easterly and the rest of the Biden cyber crew were emptying their desks and departing government service, the new administration has already brought in new people, changed the locks, and fired (https://x.com/ericgeller/status/1881804954547220650) the cyber committees investigating major breaches — including the China-backed Salt Typhoon hacks targeting major U.S. telcos and internet giants. Members of those committees, such as the Cyber Safety Review Board (CSRB), called the shutdowns "horribly shortsighted" (https://techcrunch.com/2025/01/22/trump-administration-fires-members-of-cybersecurity-review-board-in-horribly-shortsighted-decision/). For its rationale, DHS said it would no longer tolerate committees that "push agendas that attempt to undermine its national security mission." Uhh....(??) ...so, not a great start, since getting to the bottom of what's been described as the biggest (and most serious (https://www.techdirt.com/2025/01/23/trump-disbands-cybersecurity-board-investigating-massive-chinese-phone-system-hack/)) set of security breaches in recent history seems like it should be a priority, no? And that's not even getting into the ordered resignations (https://therecord.media/politicization-of-pclob-could-threaten-key-eu-us-data-transfer-agreement) of the members of PCLOB, the civil liberties board tasked with oversight of the intelligence agencies and a key data transfer agreement with Europe... all to say, there's been a lot of change this week and not all of it particularly welcome.
More: TechCrunch (https://techcrunch.com/2025/01/22/trump-administration-fires-members-of-cybersecurity-review-board-in-horribly-shortsighted-decision/) | Techdirt (https://www.techdirt.com/2025/01/23/trump-disbands-cybersecurity-board-investigating-massive-chinese-phone-system-hack/) | Reuters ($) (https://www.reuters.com/world/us/us-department-homeland-security-firing-all-advisory-committee-members-letter-2025-01-21/) | @ericgeller (https://x.com/ericgeller/status/1881804954547220650) | @kevincollier (https://bsky.app/profile/kevincollier.bsky.social/post/3lgbqjt7fbc2t) | @k8em0 (https://bsky.app/profile/k8em0.bsky.social/post/3lgdy4kwots26)
PowerSchool hacker claims theft of 62 million students' data (https://www.bleepingcomputer.com/news/security/powerschool-hacker-claims-they-stole-data-of-62-million-students/)
Bleeping Computer: U.S. edtech software giant PowerSchool, whose school information system tech is used by thousands of school districts across North America, was breached, and the hacker claims to have stolen data on 62 million students and more than 9 million teachers. PowerSchool, for its part, has said very little (https://techcrunch.com/2025/01/22/what-powerschool-isnt-saying-about-its-massive-student-data-breach/) about the breach (gotta put those crisis comms dollars to work!) but schools are reporting breaches going back in some cases decades (https://techcrunch.com/2025/01/21/toronto-school-district-says-40-years-of-student-data-stolen-in-powerschool-breach/). Cue Toronto's school district, which says data added to its system includes information on students dating back to 1985. We're still waiting on the final incident report from CrowdStrike — but so far, all signs point to a single stolen credential and no MFA that allowed access to reams of people's private data. If that sounds familiar, that's exactly how hackers broke into Change Healthcare last year.
More: The Register (https://www.theregister.com/2025/01/22/powerschool_canada_lawsuits/) | TechCrunch (https://techcrunch.com/2025/01/22/what-powerschool-isnt-saying-about-its-massive-student-data-breach/) | K-12 Dive (https://www.k12dive.com/news/powerschool-data-breach-lawsuits-negligence/737900/) | Ars Technica (https://arstechnica.com/security/2025/01/students-parents-and-teachers-still-smarting-from-breach-exposing-their-info/) | @zackwhittaker (https://mastodon.social/@zackwhittaker/113889490267756163)
https://bsky.app/profile/tarah.org/post/3lgjdjoirpc2e
UnitedHealth confirms 190M Americans affected by Change Healthcare data breach (https://techcrunch.com/2025/01/24/unitedhealth-confirms-190-million-americans-affected-by-change-healthcare-data-breach/)
TechCrunch: ...speaking of Change Healthcare, it's the worst medical data breach in history that somehow inexplicably keeps getting worse. Yes, the ransomware attack on the UnitedHealth-owned health tech giant last February now affects 190 million people in America, almost double the previous estimate given in October. It's an absolutely abhorrent and horrendous breach that will affect the majority of people in America for life. Even if you haven't interacted with UnitedHealth, there's a good chance Change still handled your data, thanks to its size — in large part thanks to unchecked corporate consolidation over the years. Per its HIPAA notice (https://www.changehealthcare.com/hipaa-substitute-notice.html), the stolen data includes patients' health data, billing and insurance information, diagnoses, medications, test results, and more. All the while, UnitedHealth made $400 billion (yes, with a b) in revenue in 2024 — but couldn't seem to bother with basic cybersecurity practices, like MFA. Change said it'll notify the U.S. government's health department formally at a later date. (Disclosure: I wrote this story.)
More: Fierce Healthcare (https://www.fiercehealthcare.com/payers/unitedhealth-estimates-190m-people-impacted-change-healthcare-cyberattack) | WSJ Pro ($) (https://www.wsj.com/articles/unitedhealth-estimates-change-healthcare-hack-impacted-about-190-million-people-9564533c) | Reuters ($) (https://www.reuters.com/business/healthcare-pharmaceuticals/unitedhealth-confirms-190-million-americans-affected-by-hack-tech-unit-2025-01-24/)
~ ~
- THE STUFF YOU MIGHT'VE MISSED
------------------------------------------------------------
AI tool helps cops (or stalkers) geolocate photos in seconds (https://www.404media.co/the-powerful-ai-tool-that-cops-or-stalkers-can-use-to-geolocate-photos-in-seconds/)
404 Media ($): Prepare to get freaked out: a new closed-access AI tool dubbed GeoSpy can examine photos and geolocate where they were captured within seconds, based on surrounding information — including landmarks, architecture, and more. Some open-source intelligence (OSINT) tools already do this in a very basic form, but GeoSpy seems to massively soup up those capabilities. Think twice before you take that photo... (or any photo, really).
https://infosec.exchange/@josephcox/113861090742371502
Fake ads target Mac users with malware (https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-target-mac-users-with-malware/)
Bleeping Computer: As if we need any more reasons (https://techcrunch.com/2022/12/22/fbi-ad-blocker/) to use an ad-blocker (https://techcrunch.com/2024/04/13/government-spyware-use-ad-blocker/), but here we are. Malicious Google ads caught masquerading as Homebrew ads are directing Mac users to download malware, tricking victims into thinking they're downloading the legitimate open-source package manager. (Per @JTParker09 (https://x.com/JTParker09/status/1881754775819374664), here's the VirusTotal link (https://www.virustotal.com/gui/file/b329b32fa3e87f2e8ff7dc3d080e2d042a5484d26f220028b556000389a437c5).) Malicious ads are a common way for attackers to target people searching for certain software. Use an ad-blocker! uBlock Origin (https://github.com/gorhill/uBlock) is one of the best (Wipr (https://kaylees.site/wipr.html), too); and if your browser doesn't support it, change your browser.
No more Let's Encrypt expiry emails (https://letsencrypt.org/2025/01/22/ending-expiration-emails/)
Let's Encrypt: Everyone's favorite free TLS certificate issuer Let's Encrypt will no longer send email notifications for expiring certificates beginning June 2025. Let's Encrypt certs expire after 90 days (and can be automatically renewed), but the nonprofit found that sending those emails cost it thousands of dollars each year. On the flip side, by not emailing people, the organization no longer has to store email address information that isn't necessary — so that's a win for privacy. Nice! (via @campuscodi (https://bsky.app/profile/campuscodi.risky.biz/post/3lgetbfyiwc2k))
FortiGate config leaks now reveal victim email addresses (https://www.theregister.com/2025/01/23/fortigate_config_leaks_infoseccers_list_victim_emails/)
The Register: If you recall, someone recently released around 15,000 configuration files for FortiGate firewalls used by enterprises across the globe. These config files contain credentials, IP addresses — and now email addresses (https://www.theregister.com/2025/01/23/fortigate_config_leaks_infoseccers_list_victim_emails/) — which at least makes it somewhat easier to identify individuals at affected organizations. Cyber weatherman @GossiTheDog (https://cyberplace.social/@GossiTheDog/113874064792010448) (with a Medium ($) (https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f) blog post on the issue) also published the known email addresses (https://raw.githubusercontent.com/GossiTheDog/Monitoring/refs/heads/main/Fortigate-Config-Dump-emails.txt) for visibility, and is now reporting a slightly clearer forecast for affected orgs to take action.
Web bugs exposed Subaru's system for tracking millions of cars (https://samcurry.net/hacking-subaru)
Sam Curry: I can't remember who first said modern cars are trackers on wheels, but it's absolutely true. No more so than Subaru vehicles, thanks to a buggy Subaru web portal used by employees. Sam Curry (https://x.com/samwcyo), the incredible car hacker of our times, along with Shubham Shah (https://x.com/infosec_au), found bugs in the portal allowing anyone to track Subaru vehicles — including their historical location data(!). He proved this by asking his mum for permission to access her Subaru's location across Omaha over a year! (supportive parents, ftw!). The bugs also allowed anyone to take control of the vehicle, like unlocking the car and honking its horn. Wired ($) (https://www.wired.com/story/subaru-location-tracking-vulnerabilities/) digs in with its own reporting. (Car makers: please make a "stupid" car. No internet connections wanted!)
New Android anti-theft security feature lands (https://www.bleepingcomputer.com/news/security/new-android-identity-check-locks-settings-outside-trusted-locations/)
Bleeping Computer: Google has a new Android "identity check" feature that locks sensitive device and account settings behind a biometric lock (like your fingerprint or face scan) when outside of a trusted location, such as home or work. This is meant to prevent device thieves from taking control of your unlocked but snatched device. It's similar (if not almost identical) to a feature Apple (https://support.apple.com/en-us/120340) rolled out last year. It's a good idea, but so far limited to Google Pixel devices running Android 15 and Samsung Galaxy phones running One UI 7.
Almost phished using a crafty Google short-URL attack (https://gist.github.com/zachlatta/f86317493654b550c689dc6509973aa4)
Zach Latta: Here's a detailed walkthrough of how Zach Latta almost got phished by a pretty complex attack involving Google's official g.co URL shortcut. This attack very nearly resulted in Latta's Google account being hijacked. Of course, a big part of this is to stop picking up the phone (https://techcrunch.com/2024/09/07/for-security-we-have-to-stop-picking-up-the-phone/) (and manually checking for signs of improper account activity yourself), but this walkthrough might help save you — or someone else — from this crafty hack attempt. (I will add, though: this comment (https://gist.github.com/zachlatta/f86317493654b550c689dc6509973aa4?permalink_comment_id=5406650#gistcomment-5406650) cracked me up. "The first evidence that it was a scam was that you received a call from Google support. Google's lack of customer support is legendary.")
A phishing email that looks almost like a perfect Google Workspace spoof, saying "Your Google Account has been reset," using the g.co subdomain.
~ ~
THANKS FOR READING!
this week in security is my free weekly cybersecurity newsletter supported entirely by donations from readers like you. As a working journalist (https://techcrunch.com/author/zack-whittaker/), I don't run ads or accept sponsors for this newsletter. Donations help reduce the costs of sending this newsletter while keeping it free, weekly, and without tracking.
To support this newsletter, check out my Ko-fi (https://ko-fi.com/thisweekinsecurity) to drop a one-time donation, or sign up from $10/monthly to get cool swag (https://ko-fi.com/thisweekinsecurity/tiers) shipped worldwide.
~ ~
- OTHER NEWSY NUGGETS
------------------------------------------------------------
Cloudflare issue leaks chat app users' broad location: Really impressive work here by security researcher Daniel (https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117), a 15-year-old high school junior, who discovered an information disclosure bug that allows anyone to determine someone's broad location (like a person's city) by sending an image (or emoji) to a target — using a friend request push notification on Discord, for example. The issue at hand is that the image is cached in the Cloudflare datacenter closest to the intended target, which can be used to infer roughly where a person is located. As noted by 404 Media ($) (https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/), this shows the importance for at-risk users "to protect not just their message contents, but their network activity as well." (via @hackermondev (https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117))
Court reconsiders Pompompurin sentence: Conor Fitzpatrick, aka Pompompurin, a prolific hacker behind the notorious BreachForums (https://www.justice.gov/opa/pr/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption) and accused of other major hacks (and CSAM charges (https://infosec.exchange/@nixonnixoff/113869199862962950)), will be re-sentenced after a court found the hacker's previous punishment was not sufficient. Cyberscoop (https://cyberscoop.com/conor-fitzpatrick-resentenced-pompompurin-breachforums/) has more on the case. In short, the judge was quite un-thrilled by the hacker's lack of remorse and persistent violations of his probation by using a VPN to access the internet. (via @PogoWasRight (https://infosec.exchange/@PogoWasRight/113869199601653766), @nixonnixoff (https://infosec.exchange/@nixonnixoff/113869199862962950))
To Pyongyang via North Carolina: The DOJ threw charges at a North Carolina-based laptop farm this week, which prosecutors accuse of enabling North Korean IT workers to gain unauthorized employment at big U.S. firms and earn a wage (and steal data) for the purposes of funding the regime's nuclear weapons program. The scheme allowed the North Koreans to earn around $866,000 over six years(!). Remember, these fake IT workers are everywhere — they could even be in your company. The scale of this operation is absolutely huge, and has been able to generate billions in illegal revenue (https://techcrunch.com/2024/11/28/north-korean-hackers-have-stolen-billions-in-crypto-by-posing-as-vcs-recruiters-and-it-workers/) for making nukes. Yeah, not great! (via Cyberscoop (https://cyberscoop.com/doj-indicts-five-in-north-korean-fake-it-worker-scheme/))
U.S. spies withheld a bunch o' bugs before 2023: Sometimes when the U.S. government (or a close ally — a country or private company) finds a bug that its spies reckon could be used for, well, spying, the feds will keep hold of these bugs and use them in offensive cyber operations, all the while without telling the affected vendor. The feds make this decision through a process called VEP, or the vulnerabilities equities process. This week, the U.S. government revealed that during 2023 it informed companies of 39 bugs — but that it previously withheld 10 bugs discovered in "prior years" from disclosure. In other words, 10 of those bugs were probably used to actively hack people. (via @joemenn (https://bsky.app/profile/joemenn.bsky.social/post/3lgj5ecwpz22p), Ron Wyden (https://www.wyden.senate.gov/imo/media/doc/fy23_unclassified_vep_annual_reportpdf.pdf))
Govtech giant Conduent hacked: Conduent, a major tech contractor for state and local governments, including the tech that lets states deliver child support and other state benefits, was hacked. Conduent danced around the issue for most of the week, but eventually came clean (https://techcrunch.com/2025/01/22/conduent-confirms-outage-was-due-to-a-cybersecurity-incident/) that its ongoing outage was caused by a cyberattack. Several U.S. states were affected by the outage caused by Conduent's hack. Conduent was hit by Maze ransomware in 2020, by the way, so something to keep in mind. (via TechCrunch (https://techcrunch.com/2025/01/22/conduent-confirms-outage-was-due-to-a-cybersecurity-incident/))
~ ~
- THE HAPPY CORNER
------------------------------------------------------------
Welcome once again to the happy corner. Take a breath. (Paper bags available upon request.) Let's check in and see how our good friend Hello Kitty is...
https://www.instagram.com/p/DFGoNwhR4Eh/?img_index=5
...well, I guess that answers that.
There are a couple of scrapings from the barrel of good news this week. First up, the U.S. Second Circuit Court of Appeals ruled that backdoor searches by U.S. spy agencies of Americans' private communications collected under the authority known as Section 702 are — in fact — illegal. This means that U.S. authorities cannot search this massive database of NSA-collected data for Americans' communications without first obtaining a warrant. That's a huge deal, actually. The EFF — which has argued the unconstitutionality of warrantless access to Americans' data for more than a decade — has a good blog post (https://www.eff.org/deeplinks/2025/01/victory-federal-court-finally-rules-backdoor-searches-702-data-unconstitutional) on the decision, and so does Cato (https://www.cato.org/blog/federal-court-rules-fisa-section-702-back-door-searches-unconstitutional).
And, lastly: I really hope this Reddit post (https://old.reddit.com/r/csMajors/comments/1i7v7hg/my_teams_intern_just_found_a_critical_bug_by/) is real... this young'un intern may have saved an entire company by discovering a bug in their legacy authentication system that's as old as the kid who found it. I'm not entirely sure what it means to call token validation "kinda thicc," and their Jira ticketing could probably do with some work ("Auth be acting mad sus"), but this is... absolutely excellent work. Hats off to the kid, and I hope they get a full-time job out of this. Plus, per the post, now the company has to explain to the CEO what "no cap frfr" means.
If you have good news you want to share, get in touch at: this@weekinsecurity.com (mailto:this@weekinsecurity.com?subject=Good%20news%20for%20your%20newsletter).
~ ~
- CYBER CATS & FRIENDS
------------------------------------------------------------
This week's cybercat is Cow, who can be seen here taking it easy after a long day hacking. Many thanks to Keegan P. for sending in! (Apparently, cybercats can be exchanged for extra credit in cybersecurity class — that's so cool! A+ cybercatting.)
Cow is a very fluffy white kitty with big paws and rolling on their back on the carpet by the garden door.
Keep sending in your cyber cats! (mailto:this@weekinsecurity.com?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) (or a non-feline friend). Drop me an email at any time with their name and a photo, and they'll be featured in an upcoming newsletter!
~ ~
- SUGGESTION BOX
------------------------------------------------------------
And that's it for this week... hope everyone is doing OK and sending my best to you from a very, very chilly U.S. east coast. As always, feel free to get in touch if you have anything you want to share for the newsletter — drop me an email (mailto:this@weekinsecurity.com) any time.
Catch you next Sunday,
@zackwhittaker (http://mastodon.social/@zackwhittaker)
============================================================
this week in security doesn't track email opens or clicks.
($) indicate sites with paywalls or logins. Please support journalism!
Our mailing address is: this week in security
Zack Whittaker
PO Box 415
Jersey City, NJ 07303-0415
USA