Signal bugs, car hack antics, the Adobe flaw you may have missed, and much more
EFF wins another privacy battle, ICE chips off AI spy plan
Roundup Here's your guide to this week's infosec news beyond what we've already covered.
ICE's extreme vetting plan melts away
US Customs won't getting their massive terror predicting system after all. It's reported that America's immigration cops – ICE – have abandoned its call for the development of an artificially intelligent tool that would be able to predict whether a person entering the country was secretly a terrorist, based on social networking activity.
We're told it wasn't outcry over human rights or privacy concerns that killed the plan, but rather the onset of cold reality. Developers who looked into what ICE wanted concluded there was no way such a system could be viable due to the limitations of today's AI and data collection technologies. Or at least, that's what they told the agency.
Instead, ICE will continue to rely on good old fashioned meatware to do the job, as its agents will have to pore over online posts by hand to weed out the bad guys.
The Adobe zero-day you didn't hear about
Early this week, Adobe put out a set of patches for Reader, Acrobat, and Photoshop. As it turns out, at least one of the flaws had an exploit code floating in the wild for miscreants to potentially use.
That particular flaw, CVE-2018-4990, is a double-free() programming blunder that can be exploited to pull off remote code execution via booby-trapped document. More specifically, says Malwarebytes, it can be paired up with a Windows flaw, CVE-2018-8120, to create a particularly nasty exploit package attack.
"Those two combined zero-days were necessary to escape the Acrobat Reader sandbox protection, which to its credit has been improving the security of the software drastically, so much so that malicious PDFs that were once common as part of drive-by download attacks have all but vanished," Malwarebytes explains.
It goes without saying that you'll want to install those Reader and Acrobat updates, if you haven't already.
Links in brief
- Broadband modem maker DrayTek has urged people to upgrade the firmware on their gear – after malware was caught infecting home gateways and changing the DNS lookup server setting to 220.127.116.11, allowing miscreants to potentially redirect victims to counterfeit password-stealing websites.
- The Los Angeles County 211 service in the US – a service for health-and- human-related non-emergency calls – reportedly leaked online personal information and "3 million rows of call logs" including "200,000 [database] rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress." It was stored, surprise surprise, in an unsecured Amazon S3 storage bucket.
- Enterprise storage biz NetApp apparently forgot to patch the Drupal publishing system for one of its websites, allowing miscreants to hack it to install coin-mining malware.
White House kills cyber czar role
Last week, we told you about fears within the security community that the White House was going to do away with its cyber security advisor role. Just days later, those fears were confirmed.
Rob Joyce will be the last person to service in the White House advisor role. Instead, John Bolton will delegate the roles of the job to others within the National Security Council. With mid-term elections months away, opponents of the move are worried the cuts could make the US government and its electorate more vulnerable to online attacks from both foreign governments and private hackers.
Que malo! Mexican bank hit by hackers
Out of Mexico City comes this story of a cyber-heist targeting one of the Mexican capital's largest banks.
An attack that used phony transfer orders was able to suck around $15m out of Banorte. The crooks were able to get into the bank's payments system to order the illicit withdrawals, possibly with help from tellers working within the bank locations themselves.
Banorte said no individual accounts were affected by the attack, and the banks have switched to a different system.
EFF prevails in border privacy battle
The Electronic Frontier Foundation says it has won a key decision in the Alasaad v Nielsen case as a federal court ruled the complaint can proceed to hearing.
The case concerns arguments from the EFF and ACLU that border patrol agents violated first and fourth amendment rights of citizens when they performed warrantless searches on 11 travelers' devices.
If successful, the suit could force border agents to obtain a warrant before they can search a device they encounter at a crossing.
"It is the latest and greatest of a growing wave of judicial opinions challenging the government’s claim that it can ransack and confiscate our electronic devices—just because we travel internationally," the EFF said of the decision.
"By allowing the EFF and ACLU case to proceed, the district court signaled that the government’s invasion of people’s digital privacy and free speech rights at the border raises significant constitutional concerns."
It has been a rough month for the Signal messaging platform, and things got a bit worse this week when researchers uncovered a pair of vulnerabilities in the desktop version of the client.
According to researcher Ivan Barrera Oro, the desktop software fails to properly sanitize HTML components and is vulnerable to tag injection attacks. Two variants on the technique were assigned CVE-2018-10994 and CVE-2018-11101.
In that attack, the bad guy would be able to slip malicious HTML code into a tag that would then be able to automatically execute on the machine of the target. In practice, this would most likely be used to conduct cross-site scripting attacks.
You will want to update Signal desktop to version 1.11, where both of the vulnerabilities are now patched.
Calamp makes smart cars do dumb stuff
Researcher Vangelis Stykas says bugs in a number of popular smart car alarms could leave them vulnerable to remote unlocking and activation.
Stykas says vendor Calamp was using an insecure server configuration to handle reports from devices running its smart alarm service. Because of this, an attacker who was able to forge a request to the server would be able to access the service's production database and, from there, be able to take over the accounts of users.
Having a compromised account would then let an attacker use the mobile app to interact with the car's smart alarm. From there, it's game over, as that app can control things like unlocking the car and starting the engine.
Fortunately, Stykas did the right thing and privately disclosed the issue to the vendor. The issue was patched well before the researcher went public with his findings.
Photographer hacks his way to landscape photo album
A globetrotting hacker-slash-photographer has found a novel way to conduct landscape photography – Marcus Desieno and his new photobook "No Man's Land".
The album consists entirely of photos Desieno shot through hijacked CCTV cameras. Because many cameras in the field are so poorly secured, he was able to use default credentials to get into a number of cameras and take some admittedly beautiful shots from compromised surveillance units around the world.
"Focusing on landscapes shows how far-reaching our surveillance state is," Desieno told the photo journal. "The camera could be high on a mountain, where it takes someone hours to climb to – you would think no one can watch you there." ®