this week in security — march 31 edition
THIS WEEK, TL;DR
Hackers Hijacked ASUS Software Updates to Plant Backdoors
Motherboard: This was a great scoop by @kimzetter. Hackers injected a backdoor in Asus' Live Update tool, which the computer maker installs by default on millions of computers. Not only that, they digitally signed the certificate with Asus' own certificate and replaced the file on Asus' download servers. The attack looks like a software supply chain attack. Asus knew for weeks but did nothing until a day after the story broke. More than a million computer are believed to be affected.
More: Motherboard | US-CERT
Tech Giants Reveal Wild Government Requests for Data
Forbes: Another great scoop: @iblametom reports a meeting of several tech companies — including Apple, Facebook, Google and Microsoft. The meeting was held under Chatham House rules so information can be used but nobody is named. Among the discussions, the companies described some of the overly burdensome data demands from governments. In one case, a company was asked to turn over the names of 58 million users to trace a suspected suicide bomber. The request was rejected. It's a pretty insightful look at how companies approach these issues.
More: @iblametom tweet thread
Europol Arrests Dozens Across 21 Dark Web Markets
Europol: The European police coalition targeted 19 vendors and 20 buyers who were "trading illicit goods such as narcotics, firearms, counterfeit money, documents and pharmaceuticals and child sexual abuse material." In all, 61 arrests were made, 51 firearms were seized, almost 300kg of drugs, and €6.2 million — including €35,000 in gold bullion. Dream Market said it would shut down as a result of the raid.
More: Cyberscoop | FBI
Android's Pre-Installed Apps Are A Privacy And Security Hot Mess
ZDNet: Android's preinstalled app ecosystem is a joke. Researchers found more than than 82,500 apps pre-installed on 1,742 Android smartphones sold by 214 vendors with security and privacy issues. Much of the so-called "bloatware" can't be removed. Many include ad kits and dodgy certificates, or are pushing too many permissions. Some apps included actual malware. The work was based off a paper set to be presented at the IEEE Symposium on Security and Privacy later this year.
More: Paper (PDF) | TechCrunch
Casino Screwup Royale: A Tale of “Ethical Hacking” Gone Awry
Ars Technica: You might've heard last month about a security researcher being allegedly assaulted by a company executive whose systems were exposed and flawed. What preceded it was a long string of screw-ups, NDAs, alleged attempted extortion and legal threats. This is exactly how things can go horribly wrong and why security disclosure has to be done properly. @thepacketrat has a tweet thread, too.
More: @thepacketrat tweet thread
Privacy Lawmakers Introduce Law To Stop NSA Phone Data Collection
Daily Beast: Four of Congress' biggest pro-privacy proponents — Sens. Rand Paul and Ron Wyden and Reps. Justin Amash and Zoe Lofgren — have introduced a new bill that they say would end the NSA's call records collection program for good. The NSA is said to have ended the program last year following the introduction of the Freedom Act. But experts like Marcy Wheeler say it may've just been moved under a different authority. Wyden — with his siren — hinted that was what happened. This new bill would — if passed — nuke the program from orbit.
Background: Emptywheel
HTTPS Isn't Always As Secure As It Seems
Wired ($): It turns out encryption is tough. Quelle surprise! According to a new analysis of the top 10,000 HTTPS websites as listed by analytics company Alexa, over 5 percent had exploitable TLS flaws. Cryptography expert @kennwhite said the bugs are difficult to exploit so don't worry too much but warned of how difficult web security can be — even for larger companies.
More: Postcards from the Post-HTTP World
~ ~
THE STUFF YOU MIGHT'VE MISSED
EU says no bloc-wide ban on Huawei as U.K. warns of 'long term risks'
Reuters, BBC: U.K. authorities warned this week of a long term risk of using Huawei equipment, fearing the Chinese might force the company to spy in the future once telecom networks are reliant on the technology. But the EU took a different approach and denied a ban across the 28 member states (soon to be 27, thanks Britain).
Host drops spyware company's leaking server
Motherboard: Good news! (Kinda.) The spyware company that @lorenzoFB couldn't tell you about finally had its exposed server shut off — so now he can talk a bit more freely about the leaking data. Sometimes a bit of public pressure helps — and works.
Wyden, Cotton introduce bill to help secure senate staff
Ron Wyden: Another bill from Wyden's office, co-signed by Sen. Tom Cotton, which would instruct the Senate Sergeant-at-Arms, whose role is to protect senators and offer cybersecurity protection, to provide voluntary cybersecurity assistance to senate staff. The bill would extend to personal accounts and devices. Right now, the Sergeant-at-Arms is limited to providing help to work accounts. It makes sense, given they the ones who are often the targets of state-sponsored attacks.
FCC fined robocallers $208 million. It's collected less than 0.01%
Wall Street Journal ($) Well this is embarrassing. The FCC has fined spammy robocallers more than $208 million but only collected $6,790 — which by crappy math is about 0.003 percent. Apparently the FCC can issue fines but "lacks the authority" to enforce its orders. Unpaid fines go to the DoJ — but they're too busy dealing with terrorists or something.
Security researcher pleads guilty to hacking Microsoft, Nintendo
The Verge: Parts of this weird story has been quietly making the rounds for years but came to a head this week after the security researcher pleaded guilty to several hacking efforts. Zammis Clark admitting to breaking into a Microsoft server to download confidential pre-release versions of Windows. The security researcher was also involved in the Vtech breach, which later landed the company a $650,000 fine.
~ ~
OTHER NEWSY NUGGETS
Thousands caught up in Toronto stingray
Toronto police and the RCMP deployed a stingray, ensnaring thousands of innocent bystanders over a two-month period. Some 20,000 had their information collected — including the 11 suspects who police were after. The move sparked anger from Canadian civil liberties groups. The police later said it "recently" acquired the surveillance technology, but didn't say when, or how it handles data. This is a pretty crazy story — it's well worth the read.
NSA thief pleads guilty
Harold Martin, a former NSA contractor, pleaded guilty this week to stealing and withholding classified information. Martin's case was linked to the so-called Shadow Brokers, the group of hackers that released dozens of classified hacking tools, but the government has not said how Martin is involved with the group — if at all.
Aussie law turning it into a pariah state for data
Microsoft's chief legal officer Brad Smith said Australia needs to relax its encryption laws, which the government rolled out in a panic last year. Smith said the law is pushing customers away from the country. The laws allow the country to force providers to decrypt data — or create a way that allows the data to be decrypted. Smith said people have told him, "'We are no longer comfortable putting our data in Australia', so they are asking us to build more data centres in other countries."
UC Browser hit by man-in-the-middle flaw
Dr. Web said it's found a man-in-the-middle vulnerability in the popular UC Browser, with some 500 million-plus users. The app doesn't require HTTPS, allowing an attacker can download new modules from malicious server instead of its own command and control server. "Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification," said the Russian antivirus company. There's a video of the bug in more detail.
10-month long credit card breach at Planet Hollywood
Brian Krebs reports on the latest restaurant breach: a two million credit card breach lasting almost an entire year affecting Buca di Beppo restaurants — including Earl of Sandwich and Planet Hollywood. The data was put up for sale on the dark web.
~ ~
THE HAPPY CORNER
This week, one of @matthew_d_green's students ended up giving NGINX security advice after the server maker's instructions were to download its signing key over HTTP. "NGINX has called him on the phone," he later tweeted. So that's a start. But will NGINX update the page? Tune in next week when... probably not.
Ben Halpern also has a great short video explainer on client-side validation, which had me laughing way more than it should've done.
And here's a very happy @chronic running and skidding across a slippery floor in just his socks. (Because yes, security researchers are allowed to have fun, too.)
If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com.
~ ~
THIS WEEK'S CYBER CAT
Meet Andromeda, this week's cybercat. She just found out that bug bounties don't pay out with real bugs. A big thanks to her human Georges-Antoine Assi for the submission. (You may need to enable images in this email.)
You can submit your cybercats here by dropping me an email.
~ ~
SUGGESTION BOX
That's all for this week. My suggestion box is always open to... suggestions. Hope you have a good week. Back same time next Sunday.
~ ~