Cybersecurity Roundup: September 11, 2018
This week I got a sextortionist email, a Tor exploit was dropped on Twitter, a fascinating second look at the Steele dossier, Republicans won’t agree to hacked materials ban, that Tesla keyfob hack is wack, and much more…


Can you rate sextortionists on Yelp?

So, anyone else been following the low-key coverage on a wave of “sextortion” emails that hit the public a couple months back? I’ve been following these with a bit more interest than usual … because I received one when they first went out.

And I loved it! I rate the extortionist 10/10, would be extorted by them again. The first thing I enjoyed about the extortion email was that they opened with “my” password … which really was my password! Man, the memories it brought back. You know how passwords are like personal ice-core samples, going back through time? I mean before we all got password managers and made passwords we can’t remember. Admit it: You look at old passwords and remember where you lived and what music you listened to and all those things that make you feel old now. Our old passwords carbon-date us.

Anyway, the sextortionist opened with a password that must’ve come from the 2001 Second Life hack and dump of Ye Olde Internet Days. I was hooked by their style! Then the sextortionist tried to shame me for masturbating to pornography on a computer and I was absolutely delighted. I mean, it’s been so long since anyone tried to shame me for porn. I immediately wanted to email them back and ask which videos I watched! It never hurts to go retro, mix it up a little. I hoped it was something cool with my friends in it. What a bonus to introduce my sextortionist to some quality ethical feminist porn.

So, my extortionist said they’d taken dirty videos of me through my camera — they weren’t precise about which camera. I assumed it was the one on my laptop, which I always keep covered with a sticker. The extortionist said that if I didn’t pay them in the coin of the realm, they would upload videos of me they recorded to some websites. That was when I knew I had to email them back. Which sites were they thinking of using? I have a few opinions on this. Also, I was going to have to let the sextortionists know that this might be a problem for them, considering the trademark on my name and all.

I got distracted by internet porn and never emailed them back. Anyway, I saw this past week that I wasn’t the only one fascinated by the sextortionists: Digital Shadows ran some data on this campaign and “analyzed a sample of emails sent over a two-month period, in which 8,497 email addresses were bombarded with over 60,000 emails.”

Sadly, “Of all the Bitcoin addresses detected in this sample, 26 transactions matching the demands were made, totaling $28,000 … by tracking one Bitcoin address, we can see the same one targeted 49 email addresses with demands ranging from $1,100 to $11,000. Eventually the attacker got lucky with a payment of $1,100 (0.1512 BTC).”

Anyway, if anyone writes a book about the business and profits of sexual shame, the sextortionists should definitely get their own chapter. 
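As an added illustration (not part of the original post, and not Digital Shadows’ own tooling), here is a small Python script that does the kind of pivot their write-up describes: it flags messages that carry the lures this campaign relied on (a leaked password as the opener, a webcam claim, a Bitcoin demand, a deadline), pulls out the payment address and the dollar figure, and then groups the hits by address so you can see how many mailboxes one address was aimed at and the range of demands. The sample emails, recipients, addresses and amounts are constructed for the example, and the indicator keywords and the three-indicator threshold are my own assumptions, not the vendor’s method.

```python
import re
from collections import defaultdict

# Constructed sample messages for illustration only; the addresses, amounts
# and recipients are made up and do not come from the campaign discussed above.
ADDR_A = "1Examp" + "A" * 25   # fake legacy-style (1...) Bitcoin address
ADDR_B = "3Examp" + "B" * 25   # fake script-hash-style (3...) Bitcoin address

SAMPLE_EMAILS = [
    {"to": "alice@example.com",
     "body": f"I know your password is hunter2. My malware recorded you through "
             f"your webcam. Pay $1,100 in Bitcoin to {ADDR_A} within 48 hours."},
    {"to": "bob@example.com",
     "body": f"Your password: letmein. I have a video from your camera. "
             f"Send $11,000 worth of bitcoin to {ADDR_A} in 24 hours or I upload it."},
    {"to": "carol@example.com",
     "body": f"password: qwerty. webcam video. $5,000 BTC to {ADDR_A}, 24 hours."},
    {"to": "dave@example.com",
     "body": f"I know your password (dragon). I recorded your camera. "
             f"Transfer $700 in Bitcoin to {ADDR_B} within 72 hours."},
    {"to": "erin@example.com",   # benign control message
     "body": "Hi Erin, the invoice for $1,100 is attached. Thanks, Frank."},
]

# Legacy (1...) and script-hash (3...) addresses are base58: no 0, O, I or l.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Dollar amounts written as $700 or $11,000.
USD_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")

# Lures described in the post; the keyword choices are an assumption for the example.
INDICATORS = {
    "password": re.compile(r"\bpassword\b", re.I),
    "webcam":   re.compile(r"\b(webcam|camera|recorded)\b", re.I),
    "bitcoin":  re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(hours?|days?)\b", re.I),
}


def score_message(body):
    """Return the set of indicator names found in a message body."""
    return {name for name, rx in INDICATORS.items() if rx.search(body)}


def extract_demand(body):
    """Return (btc_address, usd_amount); (None, None) if no address is present."""
    addr = BTC_ADDR_RE.search(body)
    if not addr:
        return None, None
    usd = USD_RE.search(body)
    amount = int(usd.group(1).replace(",", "")) if usd else None
    return addr.group(0), amount


def is_sextortion(body, min_indicators=3):
    """Flag a message only when it names a payment address AND hits enough lures."""
    addr, _ = extract_demand(body)
    return addr is not None and len(score_message(body)) >= min_indicators


def cluster_by_address(emails):
    """Group flagged messages by ransom address: targets hit and demand range."""
    clusters = defaultdict(lambda: {"targets": set(), "demands": []})
    for msg in emails:
        if not is_sextortion(msg["body"]):
            continue
        addr, amount = extract_demand(msg["body"])
        clusters[addr]["targets"].add(msg["to"])
        if amount is not None:
            clusters[addr]["demands"].append(amount)
    return {
        addr: {
            "targets": len(c["targets"]),
            "min_usd": min(c["demands"]) if c["demands"] else None,
            "max_usd": max(c["demands"]) if c["demands"] else None,
        }
        for addr, c in clusters.items()
    }


if __name__ == "__main__":
    for addr, summary in cluster_by_address(SAMPLE_EMAILS).items():
        print(addr, summary)
```

On the sample set this reports ADDR_A as aimed at three recipients with demands from $1,100 to $11,000 and ADDR_B at one recipient for $700, while Erin’s invoice is not flagged even though it mentions $1,100, because it names no payment address and carries none of the lures. Requiring the address as a hard condition, and the lures only as a score, is what keeps a mail filter from tripping on ordinary invoices.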


I guess GOP still <3 WikiLeaks

Surprise, surprise: Democratic and Republican House campaign committees tried to make an agreement banning the use of hacked or stolen information in campaigns, but the talks (begun in June) imploded into nothingness when no one would agree. The agreement’s core pledge was that campaigns would not “use known stolen or hacked information, or promote or disseminate hacked materials to the press, regardless of the source.”

The draft’s other provisions included a pledge not to aid hacking efforts, not to seek out hacked or stolen materials, and to report any contacts with foreign actors to law enforcement authorities.

The deal fell apart, according to media reports, after the National Republican Congressional Committee accused the Democrats of negotiating in bad faith, and of breaking a confidentiality agreement by talking about the negotiations publicly. Except, as NYT pointed out, “Representative Steve Stivers of Ohio, the Republican committee chairman, had publicly acknowledged the negotiations at an event in June.”

Before Roger Stone could say “hold my beer,” NYT concluded, “Without a deal, the parties will be left to more or less set their own standards, as they have in past election cycles.”


Onion router was peeled

Vuln broker Zerodium dropped a Tor Browser exploit in a tweet Monday afternoon, which was nice of them I guess, and they didn’t even ask for a bounty. “The exploit was part of Zerodium’s portfolio and worked for Tor Browser 7.x,” wrote BleepingComputer, explaining “The bug worked when the user configured NoScript to block out all JavaScript by selecting the add-on’s ‘Safest’ security level.”

The new Tor Browser 8 didn’t inherit the hole, but we have to wonder if Zerodium burned its exploit because it has the new release covered.


Puff puff password password

“KU Leuven researchers have detailed a technique that let them bypass the encryption on Tesla’s key fob for the Model S, making it trivial to clone the key, get inside and start the vehicle,” wrote my colleague at Engadget, adding “Model S cars made from June onward have tougher encryption that won’t fall prone to the attack, and a software update lets customers with older cars switch to more secure fobs if they want.”

Interestingly, one of the researchers commented on Twitter, “Just one more thing. Everybody is making fun of Tesla for using a 40-bit key (and rightly so). But Tesla at least had a mechanism we could report to and fixed the problem once informed. @McLarenAuto, @KarmaAutomotive, and @UKTriumph use the same system and ignored us.”


Message to Trump: Urine trouble

There was an interesting nugget in Politico’s Morning Cybersecurity newsletter about Bob Woodward’s new book “Fear” and Trump’s attitude about US cybersecurity, which is:

(…) essentially, “Go away, stop getting me into cyber wars while I’m watching golf.” One section goes into the evidence of Russia’s meddling in the 2016 election. The CIA believed it had six human sources that supported the conclusion Russia interfered, but another official that reviewed the intelligence estimated that only two of them were solid, Woodward reported.

Well, we expected Trump to care more about TV golf than whatever disastrous cyberwar John Bolton is probably getting us into. But the bit about intelligence sources dovetails nicely into this item, a new deep-dive into the Steele Dossier by John Sipher, a former member of the CIA’s Senior Intelligence Service.

Overall, he finds it a credible starting point for connecting all the dots and reminds us how prescient the dossier really was. “Well before any public knowledge of these events, the Orbis report identified multiple elements of the Russian operation including a cyber campaign, leaked documents related to Hillary Clinton, and meetings with Paul Manafort and other Trump affiliates to discuss the receipt of stolen documents,” Sipher wrote. “Mr. Steele could not have known that the Russians stole information on Hillary Clinton, or that they were considering means to weaponize them in the U.S. election, all of which turned out to be stunningly accurate.”

This caught my eye in particular:

In late fall 2016, the Orbis team reported that a Russian-supported company had been “using botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against the Democratic Party leadership.”
Hackers recruited by the FSB under duress were involved in the operations. According to the report, Michael Cohen insisted that payments be made quickly and discreetly, and that cyber operators should go to ground and cover their tracks.


Bits and pieces:


Trend Micro tools tossed from Apple’s Mac App Store after spewing fans’ browser histories (The Register)
Mikko Hypponen on Twitter commented:

“Bad day for Trend Micro. Most of their Mac OS X apps have been kicked out by Apple after it was discovered they were collecting and sending out private information.”


Introducing an open-source browser extension that helps you thwart targeted advertising on Facebook (Chupadados)

“Once these steps are done, fuzzify.me starts to assemble a running list of the Facebook ads you have been exposed to. You can now see the bigger picture: how Facebook sells you to advertisers, and how Facebook has categorized you. Is that you? Do you want to be seen as that person?”


U.S. charges North Korean operative in conspiracy to hack Sony Pictures, banks (Washington Post)

“He and other unidentified operatives are accused of being members of the Lazarus Group, which also has been implicated in the audacious attempt to steal $1 billion from the Bangladesh Bank in 2016, and to the WannaCry 2.0 virus that affected more than 230,000 computers in 150 countries last year.”


Russian accused of hacking the data of 80M people extradited to US (CNN)

“Andrei Tyurin … targeted American financial institutions, brokerage firms and financial news publishers, among other US companies, according to a statement from the Manhattan US attorney’s office. Tyurin allegedly hacked one financial institution in Manhattan and came away with the personal data of more than 80 million people, officials said. In all, more than 100 million customers had their information stolen as part of the extensive hacking Tyurin is suspected of engaging in from about 2012 to 2015, officials said.”


THANK YOU

Become a patron! For as little as $1 show your support for independent voices in hacking and cybersecurity — plus, you’ll get these posts delivered to your inbox the minute they’re published. Don’t wait! You won’t find news and opinion like this anywhere else.