One week to the U.S. presidential election and things are getting spicy.
It’s not just the rhetoric — hackers are actively working to disrupt the election, officials have said, and last week they came with a concrete example and an unusually quick pointing of blame.
On Wednesday night, Director of National Intelligence John Ratcliffe blamed Iran for an email operation designed to intimidate voters in Florida into voting for President Trump “or else.” Ratcliffe, who didn’t take any questions from reporters and has been accused of politicizing the typically impartial office, said Iran had used voter registration data — which is largely public in the U.S. — to send emails that looked like they came from the far-right group the Proud Boys. Google security researchers also linked the campaign to Iran, which denied claims of its involvement. It’s estimated about 2,500 emails went through in the end, with the rest getting caught in spam filters.
The announcement was lackluster in detail. But experts like John Hultquist, who heads intelligence analysis at FireEye-owned security firm Mandiant, said the incident is “clearly aimed at undermining voter confidence,” just as the Russians attempted during the 2016 election.
THE BIG PICTURE
Twitter was hacked using a fake VPN portal, New York investigation finds
The hackers who broke into Twitter’s network used a fake VPN page to steal the credentials — and two-factor authentication code — of an employee, an investigation by New York’s Department of Financial Affairs found. The state tax division got involved after the hackers then hijacked user accounts using an internal “admin tool” to spread a cryptocurrency scam.
In a report published last week, the department said the hackers called several Twitter employees and used social engineering to trick one employee into entering their username and password on a site that looked like the company’s VPN portal, which most employees use to access the network from home during the pandemic.
Twitter Hack Update: We knew the attackers used the phone & pretended to be IT Support, but now we know the criminals specifically said they were calling about VPN issues, taking advantage of COVID-19 remote work strain. Sadly, these pretexts work often. https://t.co/kKe8XO3MCJ pic.twitter.com/fpE6Afcij1
— Rachel Tobac (@RachelTobac) October 20, 2020
“As the employee entered their credentials into the phishing website, the hackers would simultaneously enter the information into the real Twitter website. This false log-in generated a [two-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did,” wrote the report. Once onto the network using the employee’s VPN credentials, the hackers used that access to investigate how to access the company’s internal tools.
Twitter said in September that its employees would receive hardware security keys, which would make it far more difficult for a repeat phishing attack to be successful.
Open-source YouTube download tool hit by DMCA takedown, but backfires
The RIAA, the recording industry’s trade group, filed a takedown request against YouTube-DL, a popular open-source tool for downloading videos from YouTube and other sites. The RIAA claimed the tool was used to get around copyright protections. But as Devin Coldewey reports, the RIAA is on shaky legal ground.
Complicating the matter, the code is open source, allowing anyone to take it, use it, and “fork” it — essentially making a copy to edit, modify and improve. In other words, it’s near impossible to take it down once it’s out there. The RIAA found out the hard way. Filing the notice to take down the code drew immediate attention and a lot of people noticed, prompting an explosion in efforts to fork the project, spreading the code across GitHub like wildfire. One user exploited a bug that GitHub reportedly declined to fix to attach the YouTube-DL code to GitHub’s own repo containing takedown notices.
“You two deserve each other,” said Lance Vick, a security engineer and open-source advocate.
Hey @GitHub. Remember that security bug where anyone can attach commits to repos they don't control? That bug you said you wont fix?
It was used to attach the "youtube-dl" source code to your own DMCA repo. Have fun @DMCA.
You two deserve each other.https://t.co/NzlFTAKytp
— https://mastodon.social/@lrvick (@lrvick) October 25, 2020
MOVERS AND SHAKERS
Last week saw two security heavyweights profiled.
The “unsinkable” Maddie Stone, a security researcher at Google’s elite bug-hunting team Project Zero, has shut down some of the world’s most dangerous exploits — and antiquated hacker stereotypes, writes Wired. Stone, 29, is a reverse-engineer, and spends much of her time finding vulnerabilities in Android, helping to protect close to three billion users from botnets and malware attacks. But she’s also been a major figure in breaking down what it means to be a hacker, paving the way for anyone to join the field regardless of gender or background.
Meanwhile, Moxie Marlinspike, the founder of the Signal end-to-end encrypted messaging app, told The New Yorker that he had a plan to “bring normality” to the internet. That is, privacy and security. This profile digs just slightly under the surface of what’s known about Marlinspike, who was careful not to reveal too much about his own private life and his work in building one of the most ubiquitous encrypted apps in the world. Signal has been used by the Trump administration, which, at the same time, has been hellbent on undermining encryption.
The US government should stop demanding tech companies compromise on encryption
$ECURITY $TARTUPS
Grayshift, an iPhone forensics startup favored by the U.S. government and law enforcement for cracking encrypted devices, has raised $47 million, reports Forbes. The round was led by PeakEquity Partners, as the startup claims to have doubled revenues and customer adoption in the last year alone.
Meanwhile, Cyberpion has raised $8.25 million in its seed round, led by Israeli venture firm Team8 and Hyperwise Ventures. Cyberpion, founded in 2017, helps to fight against security vulnerabilities stemming from third parties.
And, managed security startup Arctic Wolf has closed a massive $200 million investment, pushing the company into the coveted $1 billion valuation “unicorn” club. The company last raised $60 million back in March. Arctic Wolf acts like an outsourced IT and security provider, using its own cloud technology.
Send tips securely over Signal and WhatsApp to +1 646-755-8849.
Comment