Friday Five: 8/21 Edition
Saudi Arabia using stolen twitter data to target critics, a significant increase in vishing, and the Secret Service buying location data to bypass warrants- catch up on this week’s news with the Friday Five.
1. Spies in Silicon Valley: Twitter Breach Tied to Saudi Dissident Arrests by Ryan Gallagher
Saudi Arabia has been harassing and arresting critics of the government using data obtained from a 2015 Twitter breach. Prosecutors laid out the allegations when they charged the two men last November. They allege that two Twitter employees were acting as spies for the Saudi government when they allegedly accessed more than 6,000 Twitter accounts in 2015. The sister of Abdulrahman al-Sadhan, a Saudi national who ran an anonymous Twitter account that was critical of the Saudi government, alleges that al-Aadhan’s detention by the Saudi secret police can be tied directly to the 2015 breach. Various Middle East human rights organizations have identified at least six other Saudi citizens who have been arrested for running anonymous or pseudonymous Twitter accounts critical of the government. The implications are extremely alarming; the massive amount of personal data that social media sites collect on individuals makes them targets for nation-states who are trying to find and eliminate dissent.
2. For six months, security researchers have secretly distributed an Emotet vaccine across the world by Catalin Cimpanu
Over the last six months, an Emotet vaccine secretly distributed across the internet has prevented the malware from infecting new victims. In a world where experts often feel like they’re trying to play catch up and hit the constantly moving target that is malware code, the Emotet vaccine provides a welcome breath of good news. It’s especially good news as it disrupts Emotet, which is one of the most skilled malware groups believed to be operating out of the territories of the former Soviet states. The malware in question has been around since 2014. Once it infects a computer, it spreads quickly across the network and rents access for the infected hosts to other groups. James Quinn, a researcher at Binary Defense, who noticed the bug in Emotet’s code, wrote a PowerShell script called EmoCrash that exploited the bug and caused the malware to crash itself. For the last six months, Emotet’s malware has been significantly disrupted as EmoCrash has been quietly distributed to companies. Emotet was not able to fix the bug until August 6th, six months after the bug was discovered.
3. The Attack That Broke Twitter Is Hitting Dozens of Companies by Andy Greenberg
The technique of phone spear phishing, which was the mode of attack in the large Twitter hack a few weeks ago, has spiked in usage. Also known as “vishing," the technique is a form of social engineering in which hackers posing as IT staff call employees and try to trick them into giving up their passwords. For now, most of the vishing attacks seem to be coming from young hackers who can scrape together enough information from social media and company websites to convince new and inexperienced employees to give up their passwords. Experts worry that the success of vishing might incentivize nation states and other more advanced hacking apparatuses to get involved.
4. Secret Service buys location data that would otherwise need a warrant by Kate Cox
US law enforcement agencies, such as the Secret Service, have been buying location data to avoid having to seek a warrant. This follows reports from February of ICE and CBP buying cellphone location data for investigations. This alarming trend is not surprising - most mobile apps and service providers collect location data legitimately and illegitimately and then sell that data with few limitations. While law enforcement normally needs to get warrants to collect an individual’s mobile phone location data, there is currently no rule preventing them from buying that information from a private company. Senator Ron Wyden of Oregon is currently drafting legislation to close the loophole.
5. Marriott International faces class action suit over mass data breach by Joanna Partridge
Marriott is facing a class action lawsuit from millions of customers who are seeking compensation after their personal data was stolen in the massive breach of Marriot’s global guest reservation base. In September 2018, Marriott revealed that the passport numbers, credit card details, and dates of birth of more than 300 million people were stolen. Upon investigation, it was discovered that unauthorized access to the system had been going on since 2014. Those bringing the lawsuit to court hope that it will serve as a notice to data holders of their obligation to prioritize cybersecurity and protect data responsibly.