A plethora of patches, Kaspersky hits back, new hope for Wannacry Brit hero – and more

Everything you also need to know in security

security

Roundup IT admins aren't always fond of patching. It's like going to the dentist – it needs to be done but it can be a pain to do. Sadly, this week there was a lot of patching to be done.

The Wi-Fi WPA2 weakness dubbed KRACK burdened Android, Linux and macOS users at work and home with patch installation responsibilities, and Cisco added to the load with a bumper crop of four worryingly fixes for various security bugs, ranging from denial-of-service to authorization bypasses: two patches for its IP phones, one for FXOS and NX-OS users, and a critical fix for its Cloud Services Platform.

There is at least some good news on the patching front. Samsung users will have got their latest Android patches sent through automatically, and Huawei has said it is getting tighter about sending out updates to its handsets. And Debian fixed up a little embarrassing oversight in its ftpsync tool used to mirror the Linux distro.

If you have a Lenovo Android tablet, VIBE, Moto or ZUK phone, please grab and install this patch to avoid being hacked over the air: the mechanism Lenovo uses to push updates to devices can be hijacked by malicious code to install malware.

And if you use an Axalto or Gemalto .NET v2 smartcard, be aware the Infineon TPM cryptography screw up may well affect the security of your devices.

Meanwhile, there were some rather breathless headlines this week about a secret silo of un-patched security vulnerabilities in Microsoft products that Redmond was keeping all to itself, which hackers obtained in 2013. This led to much wailing about how could nasty old Microsoft be allowed to get away with this.

Yet, virtually every software company has the same sort of silo: it's called a bug database, and contains all the things engineers are planning to fix and is usually kept confidential. Yes, it appears Microsoft did get hacked, meaning details of exploitable bugs potentially fell into the wrong hands, and the IT giant said as much at the time. Its Apple Mac computers, how ironic, were among its corporate machines compromised by the intruders, who then scoured other parts of Redmond's internal networks for valuable information. However, the biz claims it all led to nothing.

“In February 2013, we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit," a Microsoft spokesperson told The Register. "Our investigation found no evidence of information being stolen and used in subsequent attacks.”

Eugene throws shade but IT bosses are the worst snoops

It's clear that Eugene Kaspersky isn't going to back down over claims that his antivirus giant was helping Russian intelligence spy on millions of computers around the world. In a lengthy blog post he offered an update in the situation.

"The past year has seen concerns about KL change from ‘what if their technology could be a tool for cyber-espionage by nation states’ to ‘they were hacked and used as a vehicle to spy on spies’," he wrote. "And while it’s hard for us to keep up with the constantly evolving narrative, ask yourself one thing: ‘if these recent allegations are true, where’s the evidence?’"

One thing he didn't mention, but we were wondering about, is that if the NSA staffer who was apparently taking work home is such a specialist, it's rather interesting that the AV system this person chose for their home PC was Kaspersky. That's quite an endorsement when you think about it.

While we're on the topic of spying, a survey out this week from governance group One Identity found out the biggest snoops on IT networks are the IT bosses themselves. Some 56 per cent of IT security staffers admitted to looking at other people's data on the network, but that rose to 71 per cent with IT management.

As for actual data theft, there appears to be trouble brewing for South Africa. Troy Hunt, who runs the Have I Been Pwned website, claims to have found an archive online containing the personal data of millions of people in South Africa.

Hunt said that the archive is a 27.2GB backup file and that he found names, gender, ethnicity, home ownership records, people’s identity numbers and contact information. The data also contained and other information like their estimated income and details of their employer.

After opening it up, Hunt found 31.6 million records, but then the archive folder crashed. He estimated there could be 47 million records in all and this archive is just sitting out on torrenting sites for anyone to see.

Hutchins moves closer to freedom

So as not to end on a downer there's some great news for Marcus Hutchins, the Brit malware researcher who stopped the Wannacry ransomware outbreak by discovering and activating its kill switch, and then got pinched by the Feds in the US and accused of being a black hat hacker himself.

After a short sojourn in jail, Hutchins was bailed, and is now living in Los Angeles, California, while he awaits trial and fend off claims he helped developed malware that targeted online bank accounts back in the day. He's under a strict curfew, can't really do his day job of security research due to restrictions placed on him, and has to wear a GPS ankle bracelet at all times.

The downside of the latter condition is that the GPS unit isn't waterproof. Hutchins is a keen surfer and is living near some of the most iconic surfing spots in the world, but can't get in for fear of the GPS tracker dying in the sea and him being arrested.

But now a judge has ruled [PDF] that he can take it off and doesn't have to be at home promptly at 9pm each night – thus allowing him a measure of normality and the chance to catch some breaks. Sadly though it's not that simple. The US government has appealed the decision so he's stuck on shore for the moment, but it's a hopeful step. ®




Biting the hand that feeds IT © 1998–2018