Photo Credit: Rene Reichelt

Top Security and Privacy News: Scrambled Bits Vol. 36

500K Pacemakers Recalled, Hurricane Victims Targeted, S3 Fails and More.

By Madison, published in The Salty Hash, Sep 8, 2017

This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.

Top Stories

Half a Million Pacemakers Recalled

Hearts can be hacked — if you have a pacemaker that is. On Tuesday, the FDA recalled 465,000 of the medical devices due to security issues. As you may recall from earlier Scrambled Bits stories, the pacemaker manufacturer Abbott, formerly known as St. Jude Medical, had some nasty security issues. The researchers who uncovered the flaws crossed into some ethical gray areas when they teamed up with a hedge fund to short St. Jude stock before announcing the security issues.

St. Jude denied there were any real issues at the time. Since then, other researchers confirmed the severity of the problems, and in January the FDA put out an advisory. Now, almost a year after the original flaws were published, the FDA ordered a massive recall.

For those who have pacemakers made by this company, the flaws are scary, though they’re mitigated by the need for proximity to the victim. The fix for the security issues is a firmware update that takes about three minutes and doesn’t require surgery, so if you know someone who has one of these, encourage them to make an appointment to get the fix installed.

Power Hacks

Hackers are becoming more and more powerful. A hacker group called Sandworm, thought to be operating out of Russia, gained operational access on multiple occasions to the U.S. power grid. These hacks could potentially stop the flow of energy to cities and homes.

Power grid attacks are reported to have taken place as far back as December. Since then there has been a severe uptick in the frequency of attacks, most notably in the first half of 2017.

The first known hacker-caused blackouts occurred in Ukraine in late 2015 and 2016. The discoveries of compromise in the U.S. grid mean we could be next.

Struck by Struts Vulnerability

A vulnerability in Apache Struts could affect as many as 65% of the Fortune 500. The vulnerability allows attackers to remotely execute code on servers that run applications using the REST plugin. Versions of Struts as far back as 2008 are affected.

Apache Struts is a framework that simplifies building Java web applications, both the front end and the back end. Using only a web browser, attackers can reach server-side code and execute any command. The vulnerability could allow an attacker to access and exfiltrate sensitive data.

Apache released a full patch for the vulnerability on Tuesday, but companies will remain vulnerable until their systems are patched.

Scammers Target Hurricane Harvey Victims

Heartless scammers are attacking Hurricane Harvey survivors in an attempt to victimize them twice. As if record-shattering rainfall, fatalities, chemical explosions, and destroyed homes weren’t enough, residents are getting calls warning that their flood premiums are past due and that, if not paid immediately, none of the damages will be covered. Needless to say, these calls should be ignored, and we hope the perpetrators get what’s coming to them.

Government

Law Enforcement Opposes Creation of Privacy and Appropriate-Use Policies

In California, two laws require law enforcement to create privacy and appropriate-use policies for license plate readers and cellphone interceptors. A proposed new law would expand the requirement to other surveillance technologies such as facial recognition, social media “scrubbers,” and biometric scanners. Unfortunately, law enforcement groups are opposing the common-sense measure and may be on their way to killing it.

UPDATE: Despite passing the Senate and two Assembly committees, the Appropriations Committee killed this bill.

A New Anti-Crypto Torch Bearer

Since Comey, the leading champion of crypto backdoors in Government, was fired, we haven’t heard a lot of noise about requiring backdoors in software for law enforcement use. Until now. Deputy Attorney General Rosenstein picked up the toxic torch.

“I hope that technology companies will work with us to stop criminals from defeating law enforcement. Otherwise, legislation may be necessary,” he said. He went on to call encryption a “novel threat to public safety,” which is funny since encryption is the only thing that keeps data secure online. It’s the thing that protects everything from online banking to the remote control of thermostats. Weakening encryption is not just bad for individual liberty, it’s bad for national security and a threat to the economic engine of the United States.

China Demands IP in the Name of “Security”

A new Chinese cyber security law grants the Chinese government the power to request source code and confidential data of any tech company operating within China’s borders. China has been known to steal intellectual property like source code from American companies and give it to Chinese companies in the past, so the move is highly suspect. It could also give their Government an edge on finding vulnerabilities in foreign software. Companies are left with two bad choices: give up one of the world’s biggest markets, or give the Chinese government unprecedented access to intellectual property and trade secrets.

Legal

Fifth Amendment Runaround

Providing a password and unlocking a device are not the same thing in a court of law. Under the All Writs Act, a US citizen must aid law enforcement. The FBI used the All Writs Act against Apple in the San Bernardino case, and again in this case.

A man who refused to decrypt his hard drive argued that the Fifth Amendment protects him from providing potentially self-incriminating information. But prosecutors are circumventing the Fifth Amendment protections by:

  1. Asking him to unlock the device rather than share the password, and compelling him via the All Writs Act.
  2. Avoiding the word “witness.” The wording of the Fifth Amendment is, “[No person] shall be compelled in any criminal case to be a witness against himself,” so prosecutors here avoided calling him a “witness” to skirt the protections. If he doesn’t have to bear witness, the Fifth Amendment doesn’t, theoretically, trigger.

The case is on its way to the Supreme Court. The defendant has been in jail two years for contempt of court. The usual sentence is 18 months. And the whole question is colored by the strong likelihood that the defendant has child pornography on the hard drive in question.

CA Police Must Disclose License Plate Data

A request from the ACLU and EFF for license plate data collected in mass surveillance by the LA Police Department was denied by the department. ACLU and EFF appealed, lost, appealed again, and won in the California Supreme Court. The ruling is that mass surveillance data doesn’t deserve a broad exception to public records requests in California because it doesn’t relate to a specific investigation and because the data can be anonymized.

More S3 Fails

Another Massive Data Leak via S3

600GB of sensitive data on Time Warner Cable customers was found exposed in a public Amazon S3 bucket. Please, for pity’s sake, if you have an AWS account at your company, read our article on how to check for public buckets.

Tigerswan Military Contractor Exposes Resumes

Remember the surveillance of Standing Rock activists? That story got weirder when the contractor was accused of breaking the law. Now that same contractor has exposed around 9,400 resumes belonging to ex-military, law enforcement, and Government employees looking for jobs. The data included home addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, and social security numbers. Surprising no one: it was all found in a public S3 bucket.

Notable Vulnerabilities and Breaches

  • DolphinAttack — All of the major voice assistants, including Siri, Alexa, and Google, respond to voice commands played at ultrasonic frequencies that are undetectable to humans. Attackers can tell your devices to do any number of things without you knowing it.
  • Instagram Issues — Claims that 6 million Instagram accounts were hacked are slightly exaggerated, but not entirely false. An Instagram API allowed attackers to retrieve the email address and sometimes phone number of specific Instagram accounts. Those attackers have extracted the data for many celebrities and are selling it for $10 per record. Accounts were not taken over as part of the attack, although owners are at increased risk of phishing now.
  • BootStomp Finds Android Flaws — Researchers at UC Santa Barbara created a tool they call BootStomp that found six new flaws in a variety of Android BootLoaders. The flaws circumvent the chain of trust and could allow attackers to execute arbitrary code.
  • Gift Card Guessing — It turns out that many gift cards use predictable number sequences with short verification codes appended. Attackers can guess the numbers of other cards and find out which ones have money on them. The attacks are simple, and the defenses are mostly ineffective band-aids.
  • Siemens’ “LOGO!” Logic Controller — Siemens’ LOGO! is a logic module designed for use in industrial automation projects such as gate control systems, air conditioning systems, and rainwater pumps. These controllers have a pair of serious flaws, one of which has been fixed. Users should update their firmware immediately and keep an eye out for more updates.

Bottom of the News

  • Mongo Messups — The insecure default settings of MongoDB’s earlier versions continue to bite users of the popular database software. A new wave of attacks has led to the compromise of over 26,000 new databases. Attackers are ransoming the data for bitcoin. One of the databases contained three years of leukemia patient data.
  • Police Radio Frequency Hijacked — A pirate broadcaster posing as a police officer caused a police chase to be terminated in Australia last week. Police captured the car chase suspects later but are still hunting for the radio pirate.
  • Marcus Hutchins (“MalwareTech”) Update — Marcus Hutchins, aka MalwareTech, has been a white hat security researcher for the past several years. His arrest in Nevada when leaving the DEF CON conference to head back to the UK sent ripples through the security community. Many didn’t believe the charges and even donated to a defense fund. Now, security reporter Brian Krebs found that Hutchins, at the very least, spent some time as a black hat hacker while in his teens.
  • Hotel Room Hacker Caught — Usually when researchers notify companies about vulnerabilities, those companies release fixes. But in the case of widely used key card locks on hotel doors, the manufacturer couldn’t conceive of a way to update the device. Consequently, an enterprising burglar who followed some directions on the Internet was able to steal over $500k in goods from hotel rooms across the U.S.
  • Worst Copyright Ruling Ever — The Fair Use Doctrine took another hit in a ruling that defies logic. A woman took a 9 second video of Dr. Phil to use as supporting evidence in a lawsuit alleging poor conduct. Dr. Phil copyrighted the 9 seconds of content (after the fact) and sought to prohibit the evidence on the grounds of copyright infringement. A patent-troll-friendly court ruled the video was not protected by fair use and infringes the copyright.
  • Free RAT with a Catch — A remote access trojan (RAT) is a hacking tool used to access webcams, grab screen captures, and run code on infected systems. A hacker is giving away a full featured RAT with one caveat — the original author retains access to any infected machines.
