
Top Security and Privacy News: Scrambled Bits Vol. 25

Exploit Sales, Fingerprint Foibles, Rewriting Rules, and More

Patrick Walsh, published in The Salty Hash, Jan 19, 2017

This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.

Top Headlines

Inside the World of Exploits for Sale

Cellebrite, an Israeli company that hacks locked phones for Governments and law enforcement, has been hacked. Some 900 GB of data was taken, and there’s a steady stream of revelations hitting the news. Here are some of the highlights so far, courtesy of Motherboard and Joseph Cox:

  • Cellebrite customers include Turkey, United Arab Emirates, and Russia.
  • Not just for law enforcement and Governments, Cellebrite sells to private companies, too, such as large banks like Bank of America and Barclays.
  • U.S. agencies have spent millions on Cellebrite hacking.
  • Cellebrite can extract data from thousands of devices, but not the iPhone 4s and above.

Peace Out, Hackers

Taking a selfie and flashing the peace sign isn’t such a good idea these days. That finger you’re exposing to a camera may also be your password for your phone and other devices. And hackers can use that nice hi-res photo your friend posted on Instagram to create a fake thumb that unlocks your devices.

We humbly recommend some soon-to-be-fashionable finger gloves as a precaution.

Mirai Botnet Victim Unmasks Mirai Creator

Attribution is hard. Uncovering the criminals behind specific strains of malware or anonymized attacks like those recently coming from networks of compromised IoT devices is even harder. The Mirai botnet has made headlines over the last several months for its ability to knock major websites and Internet infrastructure offline. Brian Krebs’ website was one such victim. But as an investigative reporter focused on cybercrime, Krebs started digging. In a long report, he details the chain of evidence he followed to find the creator of the Mirai botnet: Paras Jha, a resident of New Jersey and the President of an anti-DDoS company. If he’s smart, he’s on his way to Mexico right now, because people Krebs identifies have a habit of going to jail.

Privacy

FCC Says AT&T’s “Zero-Rating” Violates Net Neutrality

AT&T’s plan would exclude AT&T video streaming from data caps while making consumers pay for competing services. The FCC concluded that this was anti-competitive and that there’s “a substantial possibility that some of AT&T’s practices may violate the General Conduct Rule.”

Unfortunately, the FCC waited too long to act and is now punting to the new administration, which is against net neutrality. The anticipated next commissioner of the FCC, Ajit Pai, said, “I am confident that this latest regulatory spasm will not have any impact on the Commission’s policy-making or enforcement activities following next week’s inauguration.” In other words, kiss net neutrality goodbye.

NSA Privacy Rules Loosened

NSA’s collected data is supposed to be focused outside of U.S. borders, and it isn’t supposed to be used for domestic law enforcement purposes. So much for that. The Justice Department has relaxed rules requiring the NSA to filter personal information of Americans from surveillance data before sharing it with other agencies. Now the FBI, DEA, and 14 other agencies can search NSA’s mass surveillance data directly in an unfiltered form.

Politics

  • Russia Targeting French Elections — Russia’s not slowing down on election manipulations, but they’re now targeting France.
  • Fixing “The Cyber” with Experts — Rudolph Giuliani was named cybersecurity advisor to the Trump administration. Although many had hoped an expert would be named to that role, instead we have a politician. Now actual experts are poking holes in Giuliani’s woefully insecure website.
  • Russians Hacked State GOP Too — James Comey, Director of the FBI, testified that some state GOP campaigns, as well as some legacy RNC domains, were also compromised by Russian hackers.
  • Election Systems as “Critical Infrastructure” Could Reverse — DHS designated election systems as “critical infrastructure” in a common sense effort to bring more support to the security of these systems. Unfortunately, that designation is at risk of reversal.

Notable Breaches and Vulnerabilities

  • Hello Kitty — 3.3 million customer accounts were stolen in December 2015 but are now being widely circulated. Parent company Sanrio previously claimed that no data was stolen as part of the breach. Apparently, they stored the customer data in a MongoDB database that didn’t require credentials to access from inside the firewall.
  • Ansible — Software widely used by sysadmins to manage clusters of servers has a flaw that allows one compromised server to exploit the master controller and then to compromise all of the servers under management.
  • Juniper Firewalls — Juniper SRX firewalls have an issue on upgrade that leaves the system in a state where root access is not password protected. Luckily, simply rebooting fixes the issue, if you know you should do it.
  • St. Jude — After aggressively denying that their pacemakers had serious security flaws, St. Jude is backtracking. This week, the FDA published an advisory about problems with the device, third party researchers confirmed the allegations of poor security, and St. Jude released patches for some of those issues.
  • Nexus 6 & 6P — Physical access to the Google phones could allow an attacker to take over the on-board modem and persistently snoop on all communications, GPS, voice data, and text messages. Google has released a fix for the issue.
  • Escape from Docker — Docker has fixed a serious bug that could allow an attacker to gain access to the host machine. Upgrade to 1.12.6 or above ASAP. Note: other container software may also be affected.
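The Hello Kitty item above comes down to a database that accepted connections without credentials. As an added illustration (constructed for this summary, not from the newsletter or from Sanrio’s systems), here is a mongod.conf in the weak shape that item describes, followed by the hardened form: bind only to the interfaces that need it and require role-based authorization. The 10.0.0.5 address is an assumed private address of the application host, not a real one.

```yaml
# Weak (constructed example): listens on every interface and has no security
# section, so authorization stays at its default of disabled. Any host that can
# reach port 27017, including anything "inside the firewall", can read and
# write every collection with no login at all.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# Hardened: reachable only from loopback and one assumed app-host address, and
# every connection must authenticate and hold a role that grants its actions.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # assumed private address of the app server
security:
  authorization: enabled
```

With authorization enabled, the first step after restarting mongod is to create an administrative user with db.createUser() in the admin database; a client that then connects without credentials should be refused on any read or write with an “not authorized” error rather than silently handed the data, which is the behaviour the breach report says was missing.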

Bottom of the News

  • TheShadowBrokers Exit Stage Left — The anonymous person or group who published stolen NSA exploits and tried to auction off more says they’re done. “So long, farewell peoples.” For those who believe that the group is another front for state-sponsored Russian hackers, the timing of the exit coincides suspiciously with a Russian-friendly administration taking office in the U.S.
  • StopDaddy — Starting on July 29th, GoDaddy had an issue in its certificate issuance process that could have allowed an attacker to get an SSL certificate for a domain that they didn’t own, such as google.com. As far as they can tell, this wasn’t exploited, but GoDaddy has revoked all certificates issued since the bug was introduced as a precaution.
  • New Drone Swarms Test — The Pentagon has revealed a test of fighter jet-deployed drone swarms that occurred successfully in October. The drones could be used for anything from reconnaissance to highly targeted mini bombs.
  • Stop Using Windows 7 — Microsoft is warning users to stop using Windows 7. “[It] does not meet the … high security requirements of IT departments,” according to the head of Windows in Germany. Other reasons cited by Microsoft: outdated security, reliability issues, compatibility issues, and upcoming end-of-life.
  • Squirrels are the New Russia — With the false news of Russia attacking the U.S. grid and the likely real news of Russia hacking the Ukrainian power grid, a bigger threat has been overlooked: rodents. In 2017 so far, squirrels have caused four power outages in the U.S.
  • Opt Out of FamilyTreeNow — An aggregator of public records is posting a lot of information on people online, but you can opt out. The Washington Post breaks it down.


Scholar, dreamer, creator, adventurer, hacker, leader and observer. Advocate for privacy and security. CEO IronCore Labs.