Facebook Messenger backdoor demand, bail in Bitcoin, and lots more

If you're not already suffering from Black Hat/DEF CON overload


Roundup: It's time for another rapid roundup of computer security news beyond what we've already reported.

US prosecutors want Facebook Messenger crypto cracked

Uncle Sam is demanding Facebook alter its Messenger software so that American g-men can easily snoop on suspected criminals, it is claimed.

The social network is said to be fighting off demands by the US government to deliberately hobble the strong encryption in its chat software, and allow voice conversations to be spied on by investigators. Prosecutors are trying to hold Facebook in contempt of court for failing to build a secret backdoor in its app and open it to the Feds, we're told.

The row centers on an investigation in California into suspected members of the infamous MS-13 crime gang, a particular target of President Donald Trump, and the Feds want to listen in on their encrypted Messenger conversations.

It is feared that if the US Department of Justice is successful in forcing Facebook to insert a surveillance backdoor into Messenger, it will pave the way for other application developers to be pressured into providing agents and cops extraordinary access to people's private encrypted communications.

That will reignite concerns that miscreants and hackers will find and exploit these Feds-only backdoors to spy on victims. Facebook declined to comment.

Bitcoin bail bafflement

A bloke accused of hacking into video games giant Electronic Arts was told by a judge to pay his $750,000 bail in cryptocurrencies.

Martin Marsich, 25, a Serbian and Italian national who lives in Italy, was collared by the Feds after flying into San Francisco, and appeared in court in the US city this week.

Federal Judge Jacqueline Corley ordered him to cough up the fun bucks to be allowed to move to a halfway house while awaiting trial. He is due in court again on Monday to confirm whether or not the bail has been posted.

Android gets low-key security update

Lost in the talk of the Pie firmware update and the mass of Patch Tuesday fixes was another security bundle from Google. The August Android security update includes fixes for 43 different CVE-listed vulnerabilities.

Among the bugs addressed are two flaws in the Android system software and one in the media framework that would potentially allow for remote code execution.

Those with Pixel devices should already have the update – for everyone else, it will be up to your device vendor and carrier, where appropriate.

Red alert from Red Hat

Speaking of bugs, Red Hat put out an alert this week over a significant security flaw present in the Linux Kernel. The CVE-2018-13405 programming blunder would potentially allow a local user to achieve elevated privileges to root thanks to a bug in the way group permissions are set on files.

It's a real doozy, judging from Red Hat's advisory:

A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not.

It was found by Google's Jann Horn – the same chap who helped uncover the Meltdown CPU design flaw – and a proof-of-concept exploit can be found here, and more technical info here.

It should be noted that Red Hat is not alone in this flaw – a number of other Linux distributions have had to deal with the kernel issue themselves. It affects kernel versions through 4.17.4, we're told.
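To make the precondition in the advisory concrete, here is an added audit sketch (not code from Red Hat, The Register, or the kernel project) that walks a tree and reports SGID directories writable by users outside the group, plus any files inside them that carry SGID and group-execute bits but are owned by a non-member. It narrows "writable by a user who is not a member" to the world-writable case; ACLs and owner-write cases are not covered, and the function names are hypothetical.

```python
import os
import stat
import pwd
import grp

def dir_is_exposed(mode):
    """SGID directory that users outside its group can write to (other-write)."""
    return stat.S_ISDIR(mode) and bool(mode & stat.S_ISGID) and bool(mode & stat.S_IWOTH)

def file_is_suspect(mode):
    """Regular file with both SGID and group-execute set, as in the advisory."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISGID) and bool(mode & stat.S_IXGRP)

def owner_in_group(uid, gid):
    """True if the file owner belongs to the file's group (primary or supplementary)."""
    try:
        user = pwd.getpwuid(uid)
        group = grp.getgrgid(gid)
    except KeyError:
        return False  # unknown uid or gid: treat the owner as a non-member
    return user.pw_gid == gid or user.pw_name in group.gr_mem

def audit(root):
    """Return (kind, path) findings for exposed SGID dirs and suspect files in them."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        try:
            dmode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        if not dir_is_exposed(dmode):
            continue
        findings.append(("exposed-dir", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if file_is_suspect(st.st_mode) and not owner_in_group(st.st_uid, st.st_gid):
                findings.append(("suspect-file", path))
    return findings

if __name__ == "__main__":
    import sys
    for kind, path in audit(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(kind, path)
```

An "exposed-dir" finding only marks a directory that meets the advisory's precondition; the fix itself is the vendor's kernel update.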

Kaspersky asks to get out from under US government ban

Embattled Russian antivirus biz Kaspersky Lab continues to wrestle with Uncle Sam for the rights to once again flog its products to US government agencies.

Earlier this week, Eugene and Co filed an appeal with the Washington DC US Circuit Court of Appeals in hopes of having the ban from Homeland Security lifted.

The appeal asks the court to overturn the May ruling from a lower court that upheld Homeland Security's decision to bar federal agencies from using Kaspersky products over fears it was being exploited by Russia's FSB to steal American intelligence from federal computer networks.

Kaspersky has challenged the government directives as unconstitutional.

Even if Kaspersky wins, this likely won't be the end of the case, as both sides seem willing to take this matter all the way up to the Supreme Court.

Animoto-no! Site says user details were lifted by hackers

Video editing outfit Animoto warned users this week that hackers snatched some of its customer information. The site sent out an email saying that sensitive profile info including email addresses, dates of birth, gender, and geolocation was taken by a network intruder last month.

"On July 10, 2018, we received an alert of unusual activity on our system. We immediately stopped all suspicious activity and launched an investigation with the support of outside forensics experts," Animoto said in the notice.

"On August 6, 2018, we confirmed that the activity was unauthorized, and that user data may have been obtained."

Animoto said it has called in infosec experts and law enforcement agencies to investigate the hack. The biz said passwords were lifted, but were hashed and salted at the time.

NATO bigs up new security measures

President Trump's ever-so-favorite international military organization NATO is pushing forward with various computer security projects. Earlier this month the outfit announced a set of plans that will include establishing its first-ever dedicated Cyber Operations Center, and a vow to use member nations' "full range of capabilities" to respond to cyber attacks.

According to former NATO cyber security head and ambassador Sorin Ducaru, this decision indicates that, for the first time, the org is willing to hack back hostile countries and groups that look to pwn its members.

"This reflects a fundamental shift away from securing cyberspace with purely defensive measures. The 'full range' of cyber capabilities means that both defensive and offensive capabilities can be deployed by NATO, in line with its defensive mandate and in accordance with international law," Ducaru wrote.

"Since NATO, as an organization, will not develop or acquire any offensive capabilities, it will rely, as in other operational domains, on voluntary contributions by allies. Therefore, NATO leaders also 'agreed how to integrate sovereign cyber effects, provided voluntarily by allies, into alliance operations and missions, in the framework of strong political oversight'."

Twitch glitch is a real… pain

Twitch, Amazon's live video-streaming biz that shifts more data in a day than you will over your entire lifetime, has been left red-faced after a bug in its messaging system resulted in some users getting messages that weren't theirs.

The service said in a notice to customers that a messaging feature it removed back in May had a bug in its archiving feature that resulted in a "small percentage" of people getting copies of strangers' private messages when they downloaded their message archives.

Twitch said the leaked messages weren't anything particularly salacious, but rather were promotional and mass-mailed messages from Twitch's marketing partners. Still, the service plans to notify all users who had their messages accidentally shared, and give them a full copy of the messages at issue. ®
