Your two-minute infosec roundup: Drone arrests, Alexa bot hack, Windows zero-day, and more

Some last-minute wrapping of security-related tips from this week


Roundup If you're reading this while on-call for IT support, network security, or what have you, then we salute you. If you're reading this to avoid Christmas present wrapping or hobnobbing with awkward relatives, or similar, then, well, let us shake your hand.

For you, here's a rapid-fire roundup of infosec-related news to close out this week, in no particular order.

Gatwick drone arrests: Two people have been arrested by cops probing the "criminal use of drones" that caused chaos at Gatwick Airport for 100,000-plus air travelers this week. (Edit: They were released without charge and are no longer suspects. Meanwhile, the police say they've found a damaged drone near the airport, after earlier pondering whether there was any drone in the first place...)

No Russian vote hack: The US Director of National Intelligence, Dan Coats, concluded on Friday that no hackers "prevented voting, changed vote counts, or disrupted the ability to tally votes," although Russia, China and Iran "conducted influence activities and messaging campaigns ... to promote their strategic interests."

Amazon Alexa all bot and bothered: Since 2016, Amazon has dangled hundreds of thousands of dollars in prizes in front of computer-science students to encourage them to develop conversational bots, accessed via its voice-controlled Alexa personal assistant. When people want to talk to one of these experimental chat bots, they ask Alexa to put them in touch with the software, the bot is loaded up, Alexa takes a back seat, and the chat code starts nattering with the user.

Well, it's emerged those bots have been caught telling folks to "kill your foster parents," discussed sex acts, and so on, after the software went awry. At one point, Amazon CEO Jeff Bezos ordered one of the errant bots to be shut down because it was too embarrassing, it is claimed.

Worse, hackers in China were able to break into one of the students' bots and extract transcripts of people's conversations sans usernames, according to Reuters.

"These instances are quite rare especially given the fact that millions of customers have interacted with the socialbots," an Amazon spokesperson said of the chat gaffes.

Windows zero-day drop: A bug-hunter this week popped online a proof-of-concept exploit for another Windows zero-day, meaning there is no patch available for this hole. This one allows any user to read the contents of a file that only a system administrator should be able to access, and abuses a bug in the operating system's ReadFile API call. It is confirmed to be a legit exploit.

The FBI is also apparently sniffing around the researcher, requesting her Google account records, perhaps in relation to earlier zero-day disclosures, or perhaps due to a tweeted threat against the US President.

Huawei, ZTE? Czech, mate: Software and hardware from Chinese tech giants Huawei and ZTE are a security threat, the Czech government has warned. "Issue of this warning concludes our findings and those of our allies and security partners," the Euro nation's cyber-agency added.

Mass phone snooping – EFF'ing hell: Following a long-running freedom-of-information lawsuit, the EFF has succeeded in obtaining documents detailing project Hemisphere: a system America's drug cops used to "tap into trillions of phone records going back decades," with the help of AT&T.


Denial-of-service-for-hire denied: On Thursday, US prosecutors seized and shut down 15 websites that offered to launch distributed-denial-of-service attacks against companies and networks in exchange for dosh. These so-called booter for-hire sites would be tapped up by miscreants to take down stuff like gaming platforms and online retailers. Clobbering these booters means there's less chance scumbags will use them to cause mischief or chaos over Christmas.

In relation to this, charges have also been brought against Matthew Gatrel, 30, of St Charles, Illinois, and Juan Martinez, 25, of Pasadena, California, for allegedly conspiring to violate the Computer Fraud and Abuse Act, and against David Bukoski, 23, of Hanover Township, Pennsylvania, for allegedly aiding and abetting computer intrusions.

Mac spyware goes undetected: A strain of document-stealing macOS malware, dubbed Windshift, was detected by just two antivirus packages – Kaspersky and ZoneAlarm – four months after the lid was blown off the software nasty, according to Objective-See's Patrick Wardle. The spyware is being thrown at targets in the Middle East, but mind how you go, Apple fans elsewhere.

Hey Uncle Sam, reveal your device snoop rules: Rights warriors the ACLU and Privacy International, and friends, are suing the US government to discover the rules and procedures in place for agents authorized to hack into targets' computers, phones, and other devices.

"The lawsuit demands that the agencies disclose which hacking tools and methods they use, how often they use them, the legal basis for employing these methods, and any internal rules that govern them," law student Alex Betschen explained. "We are also seeking any internal audits or investigations related to their use."

'White hat' hacker's Nest beg: A bloke in Arizona, USA, says a hacker broke into his Nest security camera from afar and spoke to him, through the device, warning the fella his equipment was insecure. It appears the chap, Gregg, had secured his Nest using a password that he had reused on another website or service that had been hacked or spilled its credentials. Therefore, miscreants could reuse the leaked password to break into his Nest.

In short, use a unique password for your IoT gear, and activate two-step authentication where possible.

Hands off, St Jules: The UK government should let Wikileaks supremo Julian Assange walk free from Ecuador's London embassy without arrest or extradition, UN human rights gurus urged on Friday. The UN is essentially reiterating its 2016 declaration that Assange is being effectively detained unlawfully in Blighty.

Big trouble in big China: Watch out, if you're using ThinkPHP. Roughly 50,000 Chinese websites have been attacked after a proof-of-concept remote-code execution exploit for ThinkPHP versions 5.0.23 and 5.1.31 was made public this month.

And finally... Be aware that it is possible to phish your multi-factor authentication tokens, as phishing targets in the Middle East and North Africa found out. Make sure you're visiting the real website of your email provider, bank, and so on, rather than something dodgy like protonemail dot-com that will pretend to be a legit site, automatically snaffling your username, password, and token, as you enter them.

Keybase has fixed a local privilege escalation bug in its Linux software. And the Go programming language maintainers have patched a bunch of vulnerabilities – one allowed remote-code execution via go get -u.

Take care out there, and merry Christmas. ®
