IEEE Computer Society Cipher --- Items from security-related news (E146)
Summary:
By targeting the accounts of privileged Reddit employees,
hackers got access to two stores of user data and were not detected
for a few days. The cellphone accounts of the employees had been
compromised so that the SMS messages for Reddit's two factor
authentication were intercepted. Users of Reddit should consider
changing their passwords.
Summary:
Ahead of the Black Hat conference, a team of researchers at IBM talked
about their use of machine learning to develop defense-evading
malware. Industry experts interviewed for the story claimed that AI
designed hacking tools would become a real threat in the next few
years. One claimed that "Whoever you personally consider evil is
already working on this." [Editor's Note: The top rank of the Cipher Editor's
personal evil list does not include any cybersecurity experts.]
Summary:
In a sealed decision in U.S. District Court in Fresno, a federal and
state task force were rebuffed in their effort to compel Facebook to
wiretap calls made with the Messenger app. In monitoring the MS-13
gang, the task force had been able to tap all ordinary phone calls,
but not Messenger. At issue were 3 Messenger calls made by indicted
gang members.
Summary:
Despite Apple's attempts to keep its App Store clean, a very popular
app called Adware Doctor appeared to be a double-agent. In addition
to its main function of blocking unwanted ads, the app also collected
information about what other apps the user ran and sent that
information regularly to a server in China. Researchers complained
that Apple did not respond forcefully to their concerns, and that the
app is, in fact, a reincarnation of an app that was previously banned.
Summary:
Facebook noticed a large surge in use of the "view as" feature that
let's a user see his page as though he were an ordinary user, not the
owner of the page. After some deep diving into the code, Facebook
engineers found that three logic errors combined to open a gaping
security hole that let hackers steal the private data of some tens of
million of users. It was a "complex" bug with huge implications.
Summary:
On further examination, Facebook came up with the cheerful news that
only 30 million accounts had been impacted by the "complex" bug, and
of those, only 14 million were subjected to examination of personal
user data. [Editor's note: Facebook recently purged a billion
"fake" accounts. Perhaps some of them were in the "hacked" category.]
Summary:
New Zealand has new legislation affecting incoming travelers that
"balances the protection of New Zealand with individual rights" by allowing
custom's agents to demand all passwords necessary to examine a
traveler's digital devices. Failure to comply would risk seizure of
the items and subjecting them to forensic analysis. Not to worry,
this can only be done if the customs officers have reason to suspect
wrongdoing.
Summary:
The possibility of adding secret functionality to computer chips, in
order to allow the operation of malware, is a problem that has been
bothering security experts for a long time. This Bloomberg story says
that that day has arrived, and it shows pictures of a tiny bump of
metal on a computer board that may have been shipped to many US
companies through a trustworthy third party. The board orginated in
China, and the chip, it is said, compromised the boot process and
allowed malware to exfiltrate data to some remote site.
There is a great deal of argument about whether or not any US companies used the compromised boards. They may have only used them during an evaluation period, or the boards might not exist at all. In the weeks after the story was published, all the named companies denied it, and the FBI announced that it had no open investigation and knew nothing about the boards.
Summary:
Google found a serious privacy bug in its Google+ service, but it did
not inform government regulators or users for several months. At that
time, it announced that it would be winding down the Google+ service,
it would impose new privacy limits on developer's for Android apps,
and it would limit the sharing of information about Gmail users.
Google said it could not notify users about the bug when it was first
discovered because it was not sure which users were affected.