Hello and welcome to TSD, your weekly blog post covering top-of-mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us, so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Please reach out to us directly, via firstname.lastname@example.org or on Twitter at @dant24 if you have any questions, concerns, tips or anything else!
- As expected, Christopher Krebs, the director of CISA under DHS, was fired by President Trump. The president attributed the firing to a statement from CISA that “The November 3rd election was the most secure in American history” (via NPR). CISAKrebs has a posse though.
- Over at the other KrebsOnSecurity, Brian is reporting on fraudsters who tricked GoDaddy employees into redirecting domains in YACS (Yet Another Cryptocurrency Scam). This YACS® attack is only the latest use of voice phishing, or “vishing”, the same kind of scam that ensnared Twitter in July and GoDaddy in March. Feel free to use YACS as you see fit.
- Meanwhile, Twitter hired Mudge (Peiter Zatko) as head of security; he will report directly to Jack Dorsey (via Reuters).
- Given everything that is happening, the Biden team had not received any cybersecurity resources during the transition either, until likely today. According to The Verge, the team is using Google Workspace with both the Advanced and Enhanced Protection Programs and physical security keys. I’m curious whether they are using / were given Titan keys or went with Yubico or similar.
- Project Zero’s Natalie Silvanovich found a flaw in Facebook Messenger for Android that could have let a caller hear audio from the callee’s device before the call was answered. The bug was one of those highlighted in Facebook’s 10-year review of its bug bounty program. The program rewarded Natalie $60,000, which she donated to GiveWell, with Facebook matching the donation. Read more about this at Wired and read the full technical details at P0.
- And finally, in our weekly roundup of surveillance tech, the IRS is the latest agency found to be using commercially purchased location databases, gleaned from mobile phone usage, without a warrant. Venntel is again the data broker of choice, and the IRS queried the database at least 10,000 times. Read more about Venntel at Motherboard.
Owl fun and facts:
The most 2020 Rockefeller Christmas Tree ever had a surprise in it: a tiny Northern Saw-whet Owl. The owl was found after being trapped in the tree for three days. She was brought to Ravensbeard Wildlife Center, where “Rockefeller” has been nurtured; just today it was determined that she is female, and she has been cleared for release! Ravensbeard has set up a GoFundMe for donations to this wonderful wildlife center. According to Gothamist, an owl was found in the 2018 tree as well. The Northern Saw-whet is tiny, about the size of a robin, with a maximum height of just 8 inches and a weight of a mere 5 ounces. They can be found across the United States and even in parts of Mexico. They are nocturnal, and if they migrate, they migrate at night too. Read more at All About Birds.
A Shout Out:
In advance of KubeCon, the CNCF Security Special Interest Group released a brand new whitepaper on all things cloud native and security. As SIG Security chair Emily Fox put it so well, “Developers, operators, and security teams must collaborate to continue to move the field and industry forward.” Read more about how you can participate in SIG Security here.
Download the whitepaper from GitHub today.
That’s owl for now!