White House mulls just banning strong end-to-end crypto. Plus: More bad stuff in infosec land
We'll be over there bashing our head on the wall while you read this
Roundup As June turns over to July, here are some additional bits of security news besides our regular infosec coverage.
Trump officials mull: Why not just ban strong encryption?
Haven't we done this before? The White House is said to be weighing a plan to force US tech giants, software and hardware makers, and other companies, to deploy only encryption, particular only end-to-end cryptography, that can be cracked by American law enforcement, or ban it outright.
A report by Politico claims Trump administration officials met this month and kicked around the idea of asking Congress to pass legislation that would effectively ban the use of strong end-to-end encryption – as used in Apple's iMessage, Facebook's WhatsApp, and Signal as well as other apps and protocols.
This threat reemerges despite repeated warnings from cryptographers and security professionals that any plan to weaken encryption would be a disaster – it weakens people's electronic security against criminals, hackers, and foreign agents, for one thing – and trying to ban it outright would have major consequences for data security.
The makers of dating app Jack'd that leaked people's private photos onto the web, via a misconfigured AWS S3 bucket, which we wrote about in February, must cough up $240,000 and shore up their online security, in a settlement with US prosecutors.
Excel PowerQuery could pose a security risk
Bug-hunters have found yet another way Microsoft Office documents could be used to sneak malware onto the PCs of careless users.
This time, it is researchers with Mimecast who have uncovered a vulnerability in the way Excel spreadsheets use a feature called PowerQuery. It turns out, when a document uses Power Query to pull data from another source (such as an external database) it does not do much in the way of checking or sanitizing that data.
By putting attack code into a data source and then calling it with Power Query, an attacker could tell the spreadsheet to download and run malicious code of their choosing. That poisoned file could then be sent out via spear-phishing or spam attacks to infect machines.
"The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads," says Mimecast.
"The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions."
Florida town hit with ransomware (again), agrees to make payout (again)
No, this is not a repeat from last week's roundup. Another city in Florida has been hit by ransomware and has opted to pay the demands rather than go through the arduous process of wiping and restoring all of their locked machines.
Lake City Mayor Stephen Witt told a local news station that his office made the "tough call" to cough up the $460,000 demanded by hackers after talking to the insurance company and learning that all but $10,000 of the ransom would be covered by its insurance policy.
While the FBI discourages people from paying ransomware demands, in this case Witt perhaps saved his city a significant amount of money by meeting the demands rather than undergoing a prolonged restoration effort. Remember, even if everything is safely backed up offline, wiping and restoring at scale, as well as preventing reinfection, is not something that can be done on a whim by a small IT department. It is a tough call.
As Ryan Weeks, CISO for security company Datto pointed out, things only stand to get worse before they get better with ransomware.
"2019 has seen a resurgence in ransomware attacks, as they have become more profitable for hackers with average demands often in the six-figure range," Weeks said in a statement to The Register/
"In fact, 92 per cent of managed service providers expect attacks will continue at current or worsening rates and 42 percent predict that ransomware attacks will significantly increase."
VLC could mean "virus loading code" for your PC if you don't get these updates
Anyone who runs the VLC media player software will want to be sure they have the most recent version, thanks to an extensive list of patched vulnerabilities.
The 126.96.36.199 update fixes two dozen different buffer overflow, integer overflow, use-after-free, and other serious security flaws that could potentially allow an attacker to get malware onto the machine of unsuspecting users who open poisoned video files.
Brave boasts support for Yubikey with iOS
Good news for iStuff owners that have opted to run the Brave browser: the Safari alternative now supports Yubikey on iOS. This means that Brave users on iPhone and iPad will now be able to use the Yubikey hardware with websites supporting U2F and WebAuthn.
"With Brave’s support for Yubico’s upcoming YubiKey 5Ci devices, with both a USB-C and Lightning connector on a single device, you will soon be able to use the same robust security key across multiple devices, including iPhones and iPads," Brave said.
"This allows for the removal of less safe login methods and greatly reduces the risk of phishing on protected accounts, no matter what device you’re logging in from."
What's Upguard? Oh, just another breach. What's up with you, guard?
Since repetition seems to be a theme in this week's news, why not have another instance of a company leaving its data sitting out on the internet in an unprotected storage bucket?
This time, it was the web crawlers at Upguard who found a trio of poorly configured AWS S3 buckets left set to public access by data management company Attunity. The exposed cache, totaling 750GB, includes email backups and internal files.
"Backups of employees’ OneDrive accounts were also present and spanned the wide range of information that employees need to perform their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications, and more," Upguard noted.
Non-Google Googlers at Chronicle now Googlers
One of the companies under Google's Alphabet umbrella is coming back home to the chocolate factory. Chronicle, a cloud security outfit spun out as an "other bet" and headed up by former Oracle bigwig Thomas Kurian, will now be part of the Google Cloud brand.
"Our security offerings address important requirements customers have to protect their infrastructure and mission critical application workloads in the cloud," Kurian says, "to protect their data; to protect their users; and to give them transparency and auditability of their workloads running in Google Cloud."
In brief... There's a new strain of macOS malware, OSX/Linker, that attempts to exploit a Gatekeeper bug to infect Macs. And it's possible for rogue mobile phone masts to send out emergency alerts via 4G/LTE: the full research is here. There are insufficient checks between cell towers and handsets, so pirate masts can broadcast alerts in the US, and probably Europe and elsewhere, to nearby devices. ®