After breach, Twitter hires a new cybersecurity chief

Following a high-profile breach in July, Twitter has hired Rinki Sethi as its new chief information security officer.

Sethi most recently served as chief information security officer at cloud data management company Rubrik, and previously worked in cybersecurity roles at IBM, Palo Alto Networks, and Intuit.

In the new role at Twitter, overseeing the company’s information security practices and policies, Sethi will report to platform lead Nick Tornow, according to her tweet announcing the job move.

Sethi also serves as an advisor to several startups, including LevelOps and Authomize, and cybersecurity organizations, including Women in Cybersecurity.

Twitter had left the role of chief information security officer vacant since the departure of its previous security chief, Mike Convertino, who left in December to join cyber resilience firm Arceo.

In July, the company was hit by a very public cyberattack on its internal “admin” tools that played out on the social media platform in real time, as hackers hijacked high-profile Twitter accounts to spread a cryptocurrency scam. The hackers used voice phishing, a social engineering technique that involves tricking someone over the phone into handing over passwords or access to internal systems.

Earlier this month, the company said it had bolstered its security following the attack, including rolling out security keys, which make the kind of attack that targeted Twitter far more difficult.

Microsoft outage leaves users unable to access Office, Outlook, Teams

Microsoft said it’s investigating an authentication outage with Office 365, preventing users from accessing some of the company’s most widely used services, including Office.com, Outlook.com, and Teams.

The company’s status dashboard said the issue started at 2:25pm PT, and has impacted mostly consumer users across the globe for the last few hours. Some government users may also be impacted, the company said.

In a series of tweets, Microsoft said that it tried to fix the issue, but was forced to roll back its changes after the fix failed.

By 5:40pm PT, Microsoft said it was “seeing improvement for multiple services” after earlier “rerouting traffic to alternate infrastructure to improve the user experience while we continue to investigate the issue.”

But that leaves millions on the U.S. west coast and users in Australia still unable to access their online services.

TechCrunch will keep you posted with developments. In the meantime, feel free to catch up with some of the bigger stories of the day.

Healthcare giant UHS hit by ransomware attack, sources say

Universal Health Services, one of the largest healthcare providers in the U.S., has been hit by a ransomware attack.

The attack hit UHS systems early on Sunday morning, according to two people with direct knowledge of the incident, locking computers and phone systems at several UHS facilities across the country, including in California and Florida.

One of the people said the computer screens changed with text that referenced the “shadow universe,” consistent with the Ryuk ransomware. “Everyone was told to turn off all the computers and not to turn them on again,” the person said. “We were told it will be days before the computers are up again.”

It’s not immediately known what impact the ransomware attack is having on patient care.

An executive who oversees cybersecurity at another U.S. hospital system, who asked not to be named as they were not authorized to speak to the press, told TechCrunch that patient medical data is “likely safe” as UHS relies on Cerner, a healthcare technology company, to handle its patients’ electronic health records.

UHS has 400 hospitals and healthcare facilities in the U.S. and the U.K., and serves millions of patients each year.

A spokesperson for UHS did not immediately respond to a request for comment.

The Ryuk ransomware is linked to a Russian cybercrime group, known as Wizard Spider, according to security firm CrowdStrike. Ryuk’s operators are known to go “big game hunting” and have previously targeted large organizations, including shipping giant Pitney Bowes and the U.S. Coast Guard.

Some ransomware operators said earlier this year that they would not attack health organizations and hospitals during the COVID-19 pandemic, but Ryuk’s operators did not.

Last week, police in Germany launched a homicide investigation after a woman died when she had to be redirected to another hospital following a ransomware attack.

We’ll have more on the UHS incident as we get it.


Trump administration’s TikTok ban has been delayed, court rules

A U.S. federal court has said a ban on TikTok will not go into effect on Monday as scheduled.

The move to delay the anticipated ban will allow Americans to continue using the app while the court considers the ban’s legality and whether the app poses a risk to national security as the Trump administration claims.

For weeks since President Donald Trump signed two executive orders in early August, the government has threatened to shut down the viral video sharing app over fears that its parent company ByteDance, headquartered in Beijing, could be forced to turn over user data to the Chinese government. TikTok, which has 100 million users in the United States alone, has long rejected the claims.

TikTok first filed a lawsuit against the administration on September 18, and on Thursday this week filed a last-minute request for an injunction in an effort to stop the ban going into effect Sunday night. On Friday, the government asked the court to reject the injunction in a sealed motion, which the government later refiled as a public motion with some redactions. A public hearing on the injunction was set for Sunday morning. The case is being heard in DC District Court, presided over by Judge Carl J. Nichols.

In its ruling on Sunday, the court gave just its decision, with the formal opinion handed over privately to just the two opposing parties. Due to sensitive material included in the government’s motion, the parties have until Monday to ask for any redactions before the final opinion will be published.

The decision is just the latest episode in the continuing saga of the sprawling fight over the future of the fastest-growing social app in America. A deal reached between ByteDance and the U.S. government last weekend was believed to have resolved the standoff between the two parties, but the deal has frayed over disputed details between buyer Oracle and ByteDance.

The administration first launched an action against TikTok on August 6, with President Trump arguing in an executive order that the app posed an unreasonable national security risk for American citizens. That order mirrored a similar one published the same day that put restrictions on the popular Mandarin-language messenger app WeChat, which is owned by China-based Tencent.

Last weekend, a federal magistrate judge in San Francisco put in place an injunction on the Commerce Department’s ban on WeChat, pending further court deliberations. TikTok, whose arguments mirror those in the WeChat lawsuit, was hoping for a similar outcome in its own legal proceedings.

One difference between the two lawsuits is the plaintiffs. In WeChat’s case, a group of WeChat users filed a lawsuit arguing that a ban would hurt their freedom of expression. TikTok is representing itself in its own fight with the government.

The court case is TikTok Inc. et al v. Trump et al (1:2020-cv-02658).

This is how police request customer data from Amazon

Anyone can access portions of a web portal, used by law enforcement to request customer data from Amazon, even though the portal is supposed to require a verified email address and password.

Amazon’s law enforcement request portal allows police and federal agents to submit formal requests for customer data along with a legal order, like a subpoena, a search warrant, or a court order. The portal is publicly accessible from the internet, but law enforcement must register an account with the site in order to allow Amazon to “authenticate” the requesting officer’s credentials before they can make requests.

Only time-sensitive emergency requests can be submitted without an account, but this requires the user to “declare and acknowledge” that they are an authorized law enforcement officer before they can submit a request.

The portal does not display customer data or allow access to existing law enforcement requests. But parts of the website still load without needing to log in, including its dashboard and the “standard” request form used by law enforcement to request customer data.

The portal provides a rare glimpse into how Amazon handles law enforcement requests.

This form allows law enforcement to request customer data using a wide variety of data points, including Amazon order numbers, serial numbers of Amazon Echo and Fire devices, credit card details and bank account numbers, gift cards, delivery and shipping numbers, and even the Social Security numbers of delivery drivers.

It also allows law enforcement to obtain records related to Amazon Web Services accounts by submitting domain names or IP addresses related to the request.

Assuming this was a bug, we sent Amazon several emails prior to publication but did not hear back.

Amazon is not the only tech company with a portal for law enforcement requests. Many of the bigger tech companies with millions or even billions of users around the world, like Google and Twitter, have built portals to allow law enforcement to request customer and user data.

Motherboard reported a similar issue earlier this month that allowed anyone with an email address to access law enforcement portals set up by Facebook and WhatsApp.

Twitter warns developers that their private keys and account tokens may have been exposed

Twitter has emailed developers warning of a bug that may have exposed their private app keys and account tokens.

In the email, obtained by TechCrunch, the social media giant said that the private keys and tokens may have been improperly stored in the browser’s cache by mistake.

“Prior to the fix, if you used a public or shared computer to view your developer app keys and tokens on developer.twitter.com, they may have been temporarily stored in the browser’s cache on that computer,” the email read. “If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed.”

The email said that in some cases the developer’s access token for their own Twitter account may have also been exposed.

The email sent by Twitter to affected developers. (Screenshot: TechCrunch)

These private keys and tokens are considered secret, just like passwords, because they can be used to interact with Twitter on behalf of the developer. Access tokens are also highly sensitive, because if stolen they can give an attacker access to a user’s account without needing their password.

Twitter said that it has not yet seen any evidence that these keys were compromised, but alerted developers out of an abundance of caution. The email said users who may have used a shared computer should regenerate their app keys and tokens.
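The server-side fix for the failure mode described above is to forbid caching of any response that carries keys or tokens. The following added example (not Twitter’s code; the header values and the sample page body are constructed) shows the weak default beside the hardened headers, plus a small checker that also flags the common half-fix of sending only `no-cache`.

```python
"""Audit whether an HTTP response carrying API keys may end up in the browser's
on-disk cache. Added example, not Twitter's code; the header values and the
sample body are constructed to model the failure mode described above."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive; quoted arguments are unquoted."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(resp: Response) -> bool:
    """True if a private (browser) cache is allowed to write this response to disk.

    Simplified RFC 7234 rule: only 'no-store' forbids storage. 'no-cache' and
    'max-age=0' merely force revalidation before reuse, and 'private' only
    keeps shared caches out; the bytes still land in the browser cache, which
    is exactly what lets the next user of a shared machine read them."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return "no-store" not in parse_cache_control(headers.get("cache-control", ""))


SECRET_MARKERS = ("api key", "api secret", "access token", "bearer ")


def carries_secret(resp: Response) -> bool:
    """Cheap content check: does the body label something as a key or token?"""
    lower = resp.body.lower()
    return any(marker in lower for marker in SECRET_MARKERS)


def audit(resp: Response) -> list:
    """Return findings for a response; an empty list means it is safe to serve."""
    findings = []
    if carries_secret(resp) and browser_may_store(resp):
        findings.append("secret-bearing response is cacheable: add Cache-Control: no-store")
    headers = {k.lower(): v for k, v in resp.headers.items()}
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-cache" in cc and "no-store" not in cc:
        findings.append("'no-cache' alone still lets the browser store the response")
    return findings


# Constructed "before": the keys page served with default headers (cacheable).
WEAK = Response(200, {"Content-Type": "text/html"},
                "<p>API key: ak_EXAMPLE</p><p>API secret: sk_EXAMPLE</p>")
# Constructed half-fix: forces revalidation but does not prevent storage.
HALF_FIXED = Response(200, {"Content-Type": "text/html",
                            "Cache-Control": "private, no-cache"}, WEAK.body)
# Constructed "after": same body, storage forbidden outright.
HARDENED = Response(200, {"Content-Type": "text/html",
                          "Cache-Control": "no-store, max-age=0"}, WEAK.body)

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("half-fixed", HALF_FIXED), ("hardened", HARDENED)):
        print(name, audit(resp) or "ok")
```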

It is not immediately known how many developers were affected by the bug or exactly when the bug was fixed. A Twitter spokesperson would not provide a figure.

In June, Twitter said that business customers, such as those who advertise on the site, may also have had their private information improperly stored in the browser’s cache.

Free VPNs are bad for your privacy

VPNs are in high demand as Americans scramble to keep access to TikTok and WeChat amid a looming government ban. There are dozens of free VPNs out there that promise to protect your privacy by keeping you anonymous on the internet and hiding your browsing history.

Don’t believe it. Free VPNs are bad for you.

The internet is a hostile place for the privacy-minded. Internet providers can sell your browsing history, governments can spy on you and tech titans collect huge amounts of data to track you across the web. Many have turned to VPNs, or virtual private networks, thinking that they can protect you from snoopers and spies.

But where VPNs try to solve a problem, they can also expose you to far greater privacy risks.

TechCrunch’s Romain Dillet has an explainer on what a VPN is. In short, VPNs were first designed for employees to virtually connect to their office network from home or while on a business trip. These days, VPNs are more widely used for hiding your online internet traffic, and for tricking streaming services into thinking you’re in another country when you’re not. That same technique also helps activists and dissidents bypass censorship systems in their own countries.

VPNs work by funneling all of your internet traffic through an encrypted pipe to the VPN server, making it more difficult for anyone on the internet to see which sites you are visiting or which apps you are using.

But VPNs don’t inherently protect your privacy or give you anonymity. VPNs simply divert all of your internet traffic from going to your internet provider’s systems into the VPN provider’s systems instead.

That raises the question: Why should you trust a VPN that promises to protect your privacy more than your internet provider? The answer is that you can’t, and you shouldn’t.

By far, some of the worst offenders are the free VPNs.

As the old adage goes, if it’s free then you are the product. What that means is that they make money off you — specifically, your data. Like any service that costs nothing, VPNs are often supported by ads. That means taking your internet traffic and selling it to the highest bidder to serve you targeted ads while you’re connected to the VPN. Other free VPNs have been accused of injecting ads into the websites that you visit.

While there are paid and premium VPNs that are generally more mindful about your privacy, they aren’t anonymous, as they can be linked to your billing address. Paid VPNs also don’t solve the problem of funneling all of your internet traffic to a potentially untrustworthy company.

Some VPN providers also claim to protect your privacy by not storing any logs or tracking which websites you visit or when. While that may be true in some cases, there’s no way you can be completely sure.

In fact, some VPN providers have claimed they don’t store any logs, only for those claims to be proven completely false.

Take UFO VPN, which at the time had about 20 million users. It claimed to have a zero-logging policy. But security researchers found the company’s logging database exposed to the internet, no password needed. The database was packed with logs of user activity, including which websites users were visiting.

Former NYPD director of cyber intelligence and investigations Nick Selby, now the chief security officer at fintech startup Paxos, said he only uses VPN providers that he knows do not store any logs. During his time as a police officer he would serve search warrants and know which providers were “the best at giving me nothing,” he told TechCrunch.

It’s not to say that all VPNs are unscrupulous or invading your privacy. Much of the problem with VPNs is that you can’t look under the hood and see what’s going on with your data. Standalone VPNs, like Algo and WireGuard, let you create and control your own VPN server through a cloud service, like Amazon Web Services, Microsoft Azure, Google Cloud or DigitalOcean. But remember: your encrypted data is stored on another company’s cloud, making it potentially susceptible to being grabbed by the authorities.

VPNs can be useful, but it’s important to know their limitations. Just don’t rely on them to protect your privacy or your anonymity.

Shopify says two support staff stole customer data from sellers

Shopify has confirmed a data breach, in which two “rogue members” of its support team stole customer data from at least 100 merchants.

In a blog post, the online shopping site said that its investigation so far showed that the two employees, who have since been fired, were “engaged in a scheme to obtain customer transactional records of certain merchants.”

Shopify said it had referred the matter to the FBI.

The employees allegedly stole customer data, including names, postal addresses, and order details, from “less than 200 merchants,” but financial data was unaffected.

Shopify said that it does not have any evidence to suggest that the data was used, but that it had notified affected merchants of the incident.

One merchant shared a copy of Shopify’s email notification with TechCrunch, which said the company first became aware of the breach on September 15, and that the two employees obtained data that was accessible using Shopify’s Orders API, which lets merchants process orders on behalf of their customers. The email also said that the last four digits of customers’ payment cards were also taken in the incident.

Shopify did not say how many end customers were affected by the theft of data from merchants, but the email sent by Shopify contained the specific number of customer records taken in the breach. In this merchant’s case, over 1.3 million customer records and over 4,900 were accessed.

A spokesperson for Shopify didn’t respond to a request for comment.

Just last month, Instacart admitted two of its third-party support staff improperly accessed the information of shoppers, who deliver grocery orders to customers.

Senate’s encryption backdoor bill is ‘dangerous for Americans,’ says Rep. Lofgren

A Senate bill that would compel tech companies to build backdoors to allow law enforcement access to encrypted devices and data would be “very dangerous” for Americans, said a leading House Democrat.

Law enforcement frequently spars with tech companies over their use of strong encryption, which protects user data from hackers and theft, but which the government says makes it harder to catch criminals accused of serious crime. Tech companies like Apple and Google have in recent years doubled down on their security efforts by securing data with encryption that even they cannot unlock.

Senate Republicans in June introduced their latest “lawful access” bill, renewing previous efforts to force tech companies to allow law enforcement access to a user’s data when presented with a court order.

“It’s dangerous for Americans, because it will be hacked, it will be utilized, and there’s no way to make it secure,” Rep. Zoe Lofgren, whose congressional seat covers much of Silicon Valley, told TechCrunch at Disrupt 2020. “If we eliminate encryption, we’re just opening ourselves up to massive hacking and disruption,” she said.

Lofgren’s comments echo those of critics and security experts, who have long criticized efforts to undermine encryption, arguing that there is no way to build a backdoor for law enforcement that could not also be exploited by hackers.

Several previous efforts by lawmakers to weaken and undermine encryption have failed. Currently, law enforcement has to use existing tools and techniques to find weaknesses in phones and computers. The FBI claimed for years that it had thousands of devices that it couldn’t get into, but admitted in 2018 that it repeatedly overstated the number of encrypted devices it had and the number of investigations that were negatively impacted as a result.

Lofgren has served in Congress since 1995 during the first so-called “Crypto Wars,” during which the security community fought the federal government to limit access to strong encryption. In 2016, Lofgren was part of an encryption working group on the House Judiciary Committee. The group’s final report, bipartisan but not binding, found that any measures to undermine encryption “works against the national interest.”

Still, it’s a talking point that the government continues to push, even as recently as this year when U.S. Attorney General William Barr said that Americans should accept the security risks that encryption backdoors pose.

“You cannot eliminate encryption safely,” Lofgren told TechCrunch. “And if you do, you will create chaos in the country and for Americans, not to mention others around the world,” she said. “It’s just an unsafe thing to do, and we can’t permit it.”

Homeland Security issues rare emergency alert over ‘critical’ Windows bug

Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.

The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.

It’s the third emergency alert issued by CISA this year.

The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.

With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.

Security company Secura, which discovered the bug, said it takes “about three seconds in practice” to exploit the vulnerability.

Microsoft pushed out an initial fix in August to prevent exploitation. But given the complexity of the bug, Microsoft said it would have to roll out a second patch early next year to eradicate the issue completely.

But the race is on to patch systems after researchers reportedly released proof-of-concept code, potentially allowing attackers to use the code to launch attacks. CISA said Friday that it “assumes active exploitation of this vulnerability is occurring in the wild.”

Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.