Security News This Week: There’s Plenty of Phish in the Sea
This week, China and the US reached a historic agreement to not spy on each other for commercial gain. The Office of Personnel Management admitted that 5.6 million fingerprints were stolen over the summer, more than five times as many as originally estimated. Surveillance in Britain is worse than we thought, and the US has some ideas for how to get around encryption. The “Snowden Treaty” was announced, and is asking countries around the world to call for an end to mass surveillance. An authentication bypass vulnerability was found in a popular remote management system. Security industry firm Zerodium began offering a $1M bounty for an iOS 9 zero-day exploit. Apple removed 300 infected apps from the app store. Google published a research paper with lessons on crippling the online crime economy. The Volkswagen scandal raged on. And if you want to be allowed to tinker with your Wi-Fi router, you better tell the FCC soon.
But that’s not all. Each Saturday we round up the news stories that we didn’t cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!
A federal trial court in Pennsylvania ruled that the government can’t force a person to give up the passcode to their smartphone, because doing so would violate the Fifth Amendment, which protects against compelled self-incrimination. The case centered around two former Capital One data analysts accused of insider trading who refused to turn over the passcodes of their locked devices to the Securities and Exchange Commission. SEC regulators suspect that the mobile devices contain evidence of insider trading.
The South Korean government mandates a child surveillance app for smartphones sold to minors in the city of Seoul. It’s too bad that the most popular child surveillance app, Smart Sheriff, is riddled with security vulnerabilities that put children at risk. Both the internet watchdog group Citizen Lab and the German software auditing firm Cure53 uncovered security weaknesses in the app, which has been promoted by the Korean Communications Commission. (Parents have even received letters from schools encouraging them to download the app, which allows them to snoop on their kids’ web history, monitor how much time they’re on their phone, and even receive alerts if their kids send or receive messages with words like “bully” or “pregnancy.”) Although the association of South Korean mobile operators behind the app said the vulns had been fixed, researchers say the data is still at risk. They found that the app’s authentication weaknesses meant it could be easily hijacked or disabled, that sensitive information such as birth dates, phone numbers, web browsing history, and more was being sent unencrypted and was therefore trivial to intercept, and that these bugs could be exploited at scale.
The prolonged vetting process for government clearances seems a bit silly if federal employees are easily susceptible to social engineering, but if Department of Homeland Security chief information security officer Paul Beckman has his way, feds who repeatedly fail phishing tests would lose their TS/SCI (top secret/sensitive compartmented information) security clearances. Beckman plans to raise the issue with Homeland Security’s chief security officer Luke McCormack to see if there are ways phishing tests can be included in broader evaluations judging government workers’ abilities to handle sensitive data. No word on whether those responsible for weaknesses in government networks and systems will also be held accountable.
All it took was Mark Zuckerberg hinting at the possibility of releasing a dislike button for scammers to offer early access to the non-existent feature for survey takers. Time to warn your friends and family members who are less computer-savvy than you to avoid clicking on that link!
It had to happen sometime. Bitcoin payments processor BitPay was hacked three times in December of last year, with more than 5000 bitcoins stolen. The attacker gained unauthorized access to the login credentials of BitPay’s CFO through phishing, and was able to initiate unauthorized transactions and request transfers from BitPay’s CEO to deposit bitcoin into a compromised account. BitPay’s insurer, Massachusetts Bay Insurance Company, has declined to pay due to a technicality. Now they’re battling it out in the courtroom. Bitcoin startups take note: investing in security is the best insurance.
The Memphis Police Department may be the latest law enforcement agency to start using stingray tracking devices, though it did not confirm or deny its present or planned use of the powerful surveillance technology. When asked, MPD spokesperson Karen Rudolph simply stated that they “are not at liberty to discuss how technology is used to enhance our ability to address crime.”
Google: 2, Anti-Virus Companies: 0
It’s been a bad couple of weeks for anti-virus companies. First, Google caught security company Symantec issuing rogue Google certificates during an internal testing process. The employees responsible were fired. Next, Google Project Zero security researcher Tavis Ormandy revealed more Kaspersky zero-day vulnerabilities he had dug up. The bugs disclosed have been fixed, but Ormandy has found more remote code execution vulnerabilities, which he will reveal once the fixes are released. Kaspersky clearly did not follow industry best practices. It had even disabled /GS, the compiler’s stack buffer overrun check, which if enabled would have prevented some buffer overflows (a frequent attack vector), and it did not run its unpacker in a sandbox, so vulnerabilities in its unpackers led to full compromise.
The copyright to the actual “Happy Birthday” melody expired in 1949, but Warner/Chappell Music has been demanding licensing fees for the use of the lyrics, despite the fact that they’re literally just repeating “happy birthday” over and over again. But on Tuesday, a judge ruled that the music publishing company doesn’t actually hold copyright for the words. Although “Happy Birthday” still isn’t in the public domain, it’s considered an orphan work, so the lyrics are still copyrighted by an unknown owner. As long as a new purported owner doesn’t pop out of the woodwork, we can sing the words to “Happy Birthday” without paying anything. Whew.