This week we’ve got the Slack hack coming back to haunt its IPO, a contractor for Russia’s FSB got royally owned, the Con Queen of Hollywood is out of control and getting sexual, I’ve got some personal security alerts for you, the UK is peddling surveillance wares to Hong Kong authorities, Google evicts some stalkerware, and oh yes, there’s more.
Slack's hack is as bad as its new logo
Four weeks ago I was contacted by a source who had a tip about a suspected Slack breach. Separately on Twitter, a few other Slack users said they’d just been contacted by Slack notifying them “unique passwords for two different teams has been compromised. Either 1Password and Dropbox have been broken into, or it seems Slack isn’t correctly notifying of a data breach.”
This prompted 1Password to chime in saying, “There were a few folks getting these notifications from the Slack side a few weeks ago.” One user commented that older accounts seemed to be affected, citing affected accounts as 4 and 5 years old, respectively.
At the time, Slack said “This was not a Slack breach” and that “these credentials were sent to us anonymously by a third party” — causing confusion and a bit of panic on Twitter.
In this post from March 2015, Slack told users there had been “unauthorized access to a Slack database.” Slack stated: “We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams. Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.”
Fast forward to now, when around 100,000 Slack users are getting a forced password reset and Slack is notifying the public there is “new information” about its 2015 security incident. That new info includes this little nuclear bomb: “The attackers also inserted code that allowed them to capture plaintext passwords as they were entered by users at the time.” That’s a keylogger.
The CEO of Keybase quite rightfully flipped the fuck out. His Slack account was accessed in January this year from someone in the Netherlands. (The same month Slack introduced its new logo.) But for the CEO of Keybase, Slack “did not inform me of the directly related 2015 Security Incident but instead implied that I was messy with my security practices and was to blame.”
Further, Keybase’s CEO notes:
Slack’s announcement seems to say 1% of accounts were still compromised (after 4 years), but we are wondering: how many were compromised then? And what percentage of messages did the compromised accounts have access to? 10%? 50%? Only the hackers know, but it’s likely much more than 1%.
Wondering what happened between Slack’s breach-and-keylogger pwnage of March 2015 and now is certainly the billion-dollar question. Well, I know one thing that happened! Slack filed for its IPO on April 26, 2019. (Actually it’s a DPO — Direct Public Offering — but you get the gist.)
“The company was valued at $7.1 billion by private investors last year, but in recent weeks investment firms have offered to buy its shares at a price that values Slack at $13 billion,” according to the New York Times.
So did some twit finally crack the Slack data, and the company didn’t want to look like they were slacking mid-IPO? It is indeed the billion-dollar question.
A couple of days ago, BBC Russia and Reuters reported that hackers broke in and did a snatch and grab with a contractor working for the Russian government’s FSB. The contractor, SyTech, was working on a lot of nasty shit for the FSB — and the attackers made off with 7.5TB of data. Then, they defaced SyTech’s website with a troll face and shared all the stolen docs with hacking org Digital Revolution, who last year popped the FSB’s Kvant research institute.
(In case you’re wondering, Russia isn’t a big fan of BBC Russia, and Russia’s government has threatened to ban it over the UK’s criticism of RT.)
BBC Russia said the recent hack is probably “the largest data leak in the history of the work of Russian special services on the Internet.” It revealed the FSB is into de-anonymizing Tor (no surprise there, who isn’t?) and working on about 20 different non-public hacking projects. One branch of SyTech’s project working on Tor also sells itself as collecting user data from “Facebook, MySpace and LinkedIn” for the purpose of using people’s data “for solving special tasks.” Tasks? Like, getting novichok stains out of the porcelain?
According to BBC Russia, SyTech had also been working on vulns for BitTorrent, Jabber, OpenFT and ED2K. ZDNet wrote, “Other files posted on the Digital Revolution Twitter account claimed that the FSB was also tracking students and pensioners.” They didn’t say if there was a team dedicated to gathering creepshots on the subway, but it’s only Tuesday.
The queen is back (and horny)
Hackers around the globe are prepping to pile into the car with no brakes known as DEF CON and punch the gas pedal, where they’ll learn about and share info on a very wide variety of hacking topics. One popular area of interest is “social engineering” (also called “SE”) — the study and practice of hacking systems through cons and social hacks, often combined with other physical, standard hacking tools and tricks.
And right now, one mysterious woman is writing a new chapter in the hallowed halls of SE infamy by conning the pants off actors angling to become Marvel superheroes — with the FBI chasing her tailwind.
The FBI calls her the Con Queen of Hollywood, and for the past couple of years she’s been “impersonating prominent producers, studio executives and other members of the entertainment industry as part of an elaborate financial scam.” The money hasn’t been enough to satisfy the Con Queen; she has recently upped her game by seeking increasingly sexual encounters from her targets.
“This ongoing transnational fraud scheme targeting U.S. citizens began in approximately 2013,” says the FBI. “To date,” wrote The Hollywood Reporter, “nearly two dozen prominent executives in Hollywood have been impersonated, including Lucasfilm president Kathleen Kennedy and former Paramount chair Sherry Lansing. Several dozen more, including up-and-coming actors, photographers, stunt performers, military veterans, makeup artists and others, have been targeted for potential sexual or monetary exploitation.”
“The scam has affected hundreds of people on at least four continents,” says THR, and she’s raked in hundreds of thousands of dollars — sometimes convincingly impersonating multiple people in one go, female and male. She’s also apparently extremely familiar not only with the business of A-list film; the Con Queen knows uncanny details down to the personality quirks of people she claims to work with, and extensively researches her targets.
“While the sexual component of the scam has appeared before, the frequency appears to have ramped up recently. In mid-March, using a fake email account, the imposter sent emails to at least half a dozen people, including several aspiring actors, pretending to be prominent casting director Sarah Finn, who worked on Avengers: Infinity War and Black Panther.”
A few things you should know about:
Use caution until the fix is rolled out: VLC player has a critical flaw – and there’s no patch yet (We Live Security)
I can’t wait for this, I think media sites who punish people for using Incognito Mode violate the very principles of privacy: Chrome 76 blocks websites from detecting incognito mode (Naked Security)
This is written for businesses, but I think individuals need to know how their privacy rights are about to expand (and be tested): California Consumer Privacy Act (CCPA): What you need to know to be compliant (CSO Online)
If you used FaceApp, I’d recommend that every few months between now and the 2020 election you should reverse-image search your FaceApp images to see if they’re being used anywhere (like for disinfo-troll ops): FaceApp denies storing users’ photographs without permission (Guardian)
Odds and ends:
Eeeew: Huawei reportedly helped build North Korea’s wireless network and everyone’s freaking out (Android Police)
Well, it’s about damn time — though despite my crankiness, this is a really good thing: Google has booted seven “stalkerware” apps off its Play Store (MIT Technology Review)
A drop in the bucket for Equifax, much like Facebook’s pointless privacy settlement: Equifax’s $700 million data breach settlement spurs criticism, calls for new rules (Reuters)
Not only have Hong Kong authorities been using gas grenades from the UK on protesters, but the UK also approved and sold HK’s government “telecommunications interception equipment” (probably stingrays) to use on citizens: Anger at UK spy tech sales to Hong Kong (Guardian)
Well pal, that makes exactly one of you: Trump’s Pentagon pick ‘confident’ in 2020 election security (Cyberscoop)
Google snarfed up wi-fi data from people in 30 countries when it rolled out Street View, and used the “it was just sitting there” excuse in trying to get out of a massive privacy lawsuit. I remember it took them a while to even admit it, too. Now, a wee bitty slap on the wrist: Google Agrees To Pay $13 Million In Street View Privacy Case (San Francisco | CBS Local)
Don’t forget to tip your server
Each section you read in this week’s roundup is an article; each curated bit of links above is what gets published as a roundup post on commercial news websites. And I do freelance for those websites — but what you see here is not for them (their advertisers, their content constraints), it’s for us. I do it because it’s what I want to see, and what I want to bring my experience to without corporate purse-holders holding me back. And I want it to be free so anyone can get informed about all these issues.
If you can, please become a patron. If you’re already a patron, thank you.