
OpenSSL patches, Apple bug fixes, Hilton's $700k hack bill, Kim Dotcom raid settlement, Signal desktop app, and more

And Microsoft dude installs Chrome during Azure talk


Happy weekend, everyone, except those of you on call, of course. Let us catch you up on all the IT security bits and pieces besides what's been reported this week.

Down in New Zealand, Kim Dotcom, the bête noire of Hollywood, reached a settlement with the New Zealand authorities over a rather dramatic raid in 2012 on his home. Cops flew in with guns and dogs to arrest Dotcom and found him hiding in his panic room.

The terms of the settlement haven't been announced, but Dotcom's lawyers said the police have promised to review their tactics. Dotcom said he hopes to make his permanent home in New Zealand. Maybe Peter Thiel will be a neighbor?

Email ennui

As seems to be so often the case these days, emails became news items this week. First off, President Donald Trump's daughter Ivanka came under the spotlight for using her personal email for US government business. This isn't the first time she's been warned on this, and details emerged from a freedom-of-information request that she was still using her personal inbox for conversations with treasury department officials.

However, it was Hillary Clinton's emails that sparked the bigger headlines. An investigation into the hacking of the Democratic Party revealed some interesting snippets, notably that Guccifer 2.0 actually edited the contents before passing them on to WikiLeaks for dissemination.

The infiltration of the party's computer systems began on March 10 last year, and at first wasn't that well targeted. The hacker, or hackers, impersonated Gmail's technical support personnel to trick party officials into handing over their account passwords, and, as we all know, it only takes one cockup for a hacking campaign to take hold.

But Hillary and the Democrats weren't the only target of the hackers. Kremlin-linked miscreants also reportedly went after foreign journalists, US military contractors, and even the Pope's personal envoy to the Ukraine.

In addition, Twitter announced it has identified 2,752 accounts [PDF] on its milliblogging platform that were fakes set up to cause mischief by Russia's Internet Research Agency – aka Putin's troll central. Some of the handles amassed thousands of followers, who are presumably feeling somewhat red-faced over being duped. Among them was Jenna Abrams, a master troll princess who duped journos and the rest of the world.

Fatal flaws

On the flaws front, it has been a busy week – thanks in part to the mobile phone version of the Pwn2Own competition run in Japan. Hackers fly in from around the world to win big money compromising gear by exploiting zero-day vulnerabilities, and they weren't disappointed – $515,000 was paid out in bug bounties.

The contest saw some innovative hacks, including the longest attack chain ever seen in the competition. MWR Labs linked together 11 bugs in six different apps to harvest data from a Samsung Galaxy S8, and several iPhones also fell to the infosec gurus. The good news is that all the exploited bugs have been reported privately to the affected software and hardware makers, so look out for patches coming soon for these leveraged holes.

Separately, Apple released a big pile of security updates for its shiny gear. In all, seven patches were released, fixing multiple issues with macOS, iOS, Safari and iTunes. You can review the whole list here – download and install them as usual.

Google had its own software cockups. A cunning hacker managed to find flaws in Google's internal bug tracker, which the ad giant uses to manage issues and vulnerabilities across its vast sprawling empire of code. Security researcher Alex Birsan found out about the system and went digging. He found enough coding errors not only to get into the confidential database, but also to win him $15,600 in rewards from a grateful Google, which has traditionally been a strong supporter of bug bounties.

(Speaking of Google, Pixel 2 XL handsets shipped with no operating system installed. Oops!)

OpenSSL also had its own issues this week. A moderate, but still important, flaw has been found in how the code handles encryption: an attacker with enough computing power could exploit it to get some serious hacking done.

Hacking the home

The week began with the FBI warning of a new type of hacking that can earn the criminal scum big money and leave people with serious losses. The scammers are now targeting home buyers.

It works like this. The hacker gets onto the network of the realty agent selling a house – a profession not known for its IT prowess. When someone buys it, the hackers change the details of the payment account receiving the funds to one they control and then make their getaway, leaving everyone out of pocket.

Lovesense, the manufacturer of a mobile-phone operated vibrating butt plug, took issue with stories of how it can be hijacked and set off remotely because it's so easy to hack. On a reconnaissance mission in Berlin, the hackers found an open device that could have been activated.

Now the manufacturer has hit back, saying that it's almost impossible to hack into its devices. The company pointed out that it was Bluetooth at fault, not the device; that the attacker would have to be within 30 meters of their target; and that if the owner had already paired it with their phone, there was no chance of the device becoming a pain in the arse.

As for the consequences of hacking, Hilton Worldwide agreed to settle with the authorities for allowing not one but two hacking attacks to take place. The hotel group agreed to pay a total of $700,000 to New York State for allowing customers' credit card details to be stolen, and for not reporting it in time.

Finally, good news for fans of the secure messaging service of choice for hackers and those that work in the field – Signal. The service had a brief outage last week, and this week announced that it has a desktop app now.

This is welcome news, but you do have to have the mobile app on your phone for it to work. That said, it's the most secure messaging app out there and it's run by people who won't sell you out to the highest bidder. ®

PS: Don't miss the Microsoft staffer who, during an Ignite presentation on Azure, stopped to install Google Chrome because Edge just wasn't working properly with the Redmond cloud. Oops. It's 37 minutes in from this vid below...
