FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week
The good, the bad, and the ugly from infosec
Roundup There has been a bumper crop of security news this week, including another shipping giant getting taken down by ransomware, Russian hackers apparently completely pwning US power grids and a sane request from Senator Wyden (D-OR) for the US government to dump Flash. But there has been other news bubbling under.
Useless action please! While Wyden might know what he's talking about, his colleagues seem set on useless posturing.
On Tuesday Senators Pat Toomey (R-PA) and Chris Van Hollen (D-MD) sent a letter [PDF] to US Treasury Secretary Steven Mnuchin asking him to implement financial sanctions against the 12 Russians accused of hacking the servers of the Democratic Party. Given the president's confused attitude towards Russia they shouldn't hold their breath.
The two are depressingly vague about what exactly they would like to see done, but we can't imagine the accused are trembling in their Afoor boots. But it got the senators a bit of publicity, which is probably the point of the exercise.
FBI goes Facepalm on encryption: There had been signs that FBI Director Chris Wray might actually start listening to the technically adept about backdooring encryption. But no, he has come out with another idiotic zinger.
Speaking at the Aspen Security Conference Wray returned to the tired old theme that criminals were "going dark" thanks to encryption and thus the government needs access. Despite it being a mathematical impossibility to introduce a backdoor that no one else can find, Wray was sure there must be a way, as he explained on camera:
"We're a country that has unbelievable innovation," he said. "We put a man on the Moon. We have the power of flight. We have autonomous vehicle. The idea that we can't solve this problem as a society -- I just don't buy it."
It's an argument that has been used before, so often in fact that Matt Blaze, professor of Computer and Information Science at the University of Pennsylvania and Tor Project board member, came up with this pithy comeback.
"When I hear 'if we can put a man on the moon, we can do this' I'm hearing an analogy almost saying 'if we can put a man on the moon, surely we can put a man on the sun,'" he said.
Samsung's Internet of S**t: We're getting a little tired of the persistent failings in Internet of Things devices – and Samsung is the latest manufacturer to be caught with its digital pants down.
Researchers at Cisco's Talos security team examined the Samsung SmartThings Hub and found a stunning 20 exploitable vulnerabilities. Given this device is supposed to act as a central control unit for all the gadgets in the home, potentially controlling security cameras, door locks and climate control, this isn't good news.
Thankfully Talos are big on responsible disclosure, and a firmware fix is now available. If you have a so-called SmartThings Hub then you'd be advised to download and install the latest updates for your device. But it does make you wonder – if a massive manufacturer like Samsung can't get security right, what are the odds your Kickstarter-funded device has?
Lifelock irony overload: Lifelock likes to describe itself as a guardian of online identities, but the firm showed it can't even protect its own data.
The company's website was so poorly designed that any visitor could access any of the email addresses of Lifelock's 4.5 million customers. The flaw, discovered by freelance security researcher Nathan Reese, could have seen those email addresses scraped with a simple script.
As bugs go it could have been worse. No passwords, ID information or credit card data could have been swiped. But it did make the Lifelock people, and their owners Symantec, look very silly indeed.
Dropbox – It's not a bug, it's a feature: Cloud data dump site Dropbox had a grisly week involving a panic over it potentially pulling a Facebook and sharing private customer data without permission.
A paper published in the Harvard Business Review by the Northwestern Institute on Complex Systems detailed the way 400,000 academics in 1,000 university departments collaborate, by studying their use of Dropbox.
Crucially, the paper seemed to suggest that Dropbox user records had been handed over to the institute's researchers to study without being properly anonymized. For instance, it was claimed the researchers were able to inspect individual file and folder names in the Dropbox accounts.
Naturally the excrement hit the air-con unit, and people started to ask questions. Dropbox put out a statement insisting the data was fully anonymized before being passed over to the institute to pore over. It appeared Dropbox had quite possibly done nothing technically wrong: it was all in the terms and conditions of their cloud accounts.
In short: check the fine print of any online service you rely on – and if you host people's files on the internet, it's not a good look to let outside eggheads scrutinize your customers' behaviors, anonymized or not.
Beware Big Star Labs apps: While we're on data slurping it appears that a group calling itself Big Star Labs has been pumping out mobile apps and browser extensions that are collecting a lot of user data.
A study by AdGuard Research found that as many as 11 million people may have had their private information slurped by Labs' software. They note that, while Big Star Labs claims to only take anonymized data, it doesn't appear to be too rigorous about it.
If you want to avoid this code, AdGuard has a full list of stuff built by Big Star Labs.
Microsoft bugs exploited to spread malware: Microsoft Office vulnerabilities were used to distribute the Felixroot backdoor, a strain of malware previously slung against Ukrainian banking customers.
Supposed environmental protection seminar documents actually came loaded with exploits targeting Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882, geared towards dropping the Felixroot backdoor. Security firm FireEye reports that the same backdoor was abused last September in a campaign involving malicious Ukrainian bank documents.
The malware is distributed via Russian-language documents, this time with an environmental theme as the lure.
The hackers are going after a pair of fashionable exploitation targets, FireEye concludes.
"CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing," a blog post on the threat from FireEye explained. "Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organisations must ensure they are protected."
Leafminer in the Levant: Symantec has issued a warning to Middle East computer users that there's a new hacking squad in town.
The Leafminer crew use a mixture of watering hole websites, vulnerability scans of internet-facing network services, and brute-force/dictionary login attempts, and they appear to be primarily after emails and database logins.
The researchers found a list of 809 targeted organizations, two thirds of which were in Saudi Arabia, with Lebanon, Israel and Kuwait also targeted. Occam's Razor would suggest that maybe the Iranian hacking teams have a new subgroup that's going to work.
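The brute-force and dictionary login attempts mentioned above are among the few Leafminer techniques a defender can spot in ordinary authentication logs. The following detector is an added example, not code from Symantec's report or from this article; it runs over constructed sshd-style log lines (the addresses are documentation ranges and the year is assumed, since syslog timestamps omit it) and separates the two signatures: many failures against one account, and failures spread across many usernames from a single source. It also flags a successful login that follows a burst of failures, which is the event worth reviewing first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog format; not taken from any real system.
SAMPLE_LOG = """\
Jul 27 10:00:01 mail sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 27 10:00:02 mail sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jul 27 10:00:02 mail sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Jul 27 10:00:03 mail sshd[2204]: Failed password for invalid user postgres from 203.0.113.7 port 51025 ssh2
Jul 27 10:00:04 mail sshd[2205]: Failed password for invalid user mysql from 203.0.113.7 port 51026 ssh2
Jul 27 10:00:05 mail sshd[2206]: Failed password for invalid user test from 203.0.113.7 port 51027 ssh2
Jul 27 10:00:09 mail sshd[2210]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jul 27 10:00:15 mail sshd[2211]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
Jul 27 10:30:00 mail sshd[2300]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jul 27 10:30:10 mail sshd[2301]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Jul 27 10:30:20 mail sshd[2302]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Jul 27 10:30:30 mail sshd[2303]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Jul 27 10:30:40 mail sshd[2304]: Failed password for bob from 192.0.2.9 port 33005 ssh2
Jul 27 10:30:50 mail sshd[2305]: Failed password for bob from 192.0.2.9 port 33006 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2018):
    """Return (timestamp, result, user, ip) or None for lines that are not auth events.
    The year is an assumption: classic syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return {source_ip: finding} for sources exceeding the thresholds inside a sliding window.

    - max_users distinct usernames from one source  -> dictionary / spraying pattern
    - max_failures against one account from one source -> password guessing
    - an Accepted login after >= max_failures recent failures -> review that session
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...] within the window
    findings = {}
    for ts, result, user, ip in events:
        bucket = failures[ip]
        # Slide the window: forget failures older than `window` relative to this event.
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        if result == "Accepted":
            if len(bucket) >= max_failures:
                findings[ip] = f"success for {user} after {len(bucket)} recent failures: review session"
            continue
        bucket.append((ts, user))
        users = sorted({u for _, u in bucket})
        if len(users) >= max_users:
            findings[ip] = f"dictionary attack: {len(users)} usernames in {len(bucket)} failures"
        elif len(bucket) >= max_failures:
            findings[ip] = f"password guessing: {len(bucket)} failures against {', '.join(users)}"
    return findings


if __name__ == "__main__":
    for ip, why in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {why}")
```

On the sample, 203.0.113.7 is reported as a dictionary attack (six usernames in six failures), 192.0.2.9 as password guessing against bob, and 198.51.100.5 is left alone because one typo before a successful login is normal behaviour. Thresholds and the window are the knobs to tune against a baseline of your own logs; the same structure applies to web or database authentication logs once the regex is swapped.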
Stop paying sextortion scumbags: A couple of weeks ago we covered the story of a Reg reader who had received a sextortion email, claiming to have video of the recipient pleasuring themselves to porn.
Of course, it's bollocks, but the social engineering was quite clever, using a stolen password to convince the recipient that the threats were real. Now research suggests that quite a few people got suckered into this scam.
An analysis of the Bitcoin wallets used in some of the emails suggests the scumbags have netted at least $250,000 and possibly over a million in cryptocurrency. As someone who has been approached by these scumbags my advice remains the same – tell them where to stick their blackmailing demands. ®