Instagram Says Error Allowed Hackers to Obtain Celebrity Email Addresses, Phone Numbers (Aug 30, 2017)
The UK National Health Service and many other corporate and government systems around the world are being attacked by ransomware which is enabled by NSA hacking tools for targeting Windows leaked earlier this year. Though Microsoft issued a patch for the affected vulnerability in March, many organizations haven’t applied those patches, which is not uncommon especially in large distributed organizations with many computers not “owned” by a particular end user or subject to any blanket policy on such updates. Though the motive appears to be financial – the hackers are demanding bitcoin in return for unlocking the affected machines – its immediate impact has been disruption, as operations have been canceled and medical centers closed, among other things. It’s a salutary lesson on the importance for both individuals and business of applying OS upgrades and patches in a timely fashion, but also of the vast reliance on aging machines and software across the corporate world. It’s also the kind of thing that’s dramatically less likely to affect web-based or more locked down systems like ChromeOS, Apple’s iOS or macOS, or even Microsoft’s new Windows 10 S. But given the prevalence of older versions of Windows in enterprises and government departments, that’s not going to help much anytime soon.
Apple fans, Android world scramble to patch Broadcom’s nasty drive-by Wi-Fi security hole – The Register (Apr 6, 2017)
There are two interesting things here, both worth discussing briefly. Firstly, Broadcom, which provides chips for many popular smartphones including the iPhone, has a vulnerability in its Wi-Fi chip which can be exploited to gain access to the device. Apple issued a patch this week to deal with the issue, and Android vendors will be working to close the vulnerability too, though there’s no specific timeframe yet, highlighting yet another challenge with Android’s fragmented ecosystem. The second thing that’s interesting here is that the vulnerability was discovered by Google’s Project Zero team, which is set up to discover and fix vulnerabilities like this, and has been doing great work lately doing just that, including on non-Google devices like the iPhone. Vulnerabilities like this are always worrying, and it’s great to have Google out there with what seems like a strong team detecting these and notifying vulnerable vendors so they can patch the issues.
via The Register
Whereas the CIA / Wikileaks stories about Samsung smart TVs being hacked were somewhat overblown (they largely affected older TVs and required physical access to sets), this hack is more worrying because it would affect newer TVs and could be delivered remotely. However, for any kind of widespread effect, it would require hacking into a broadcast or IPTV stream, which in itself would be no mean feat, and of course would only work on TVs that happened to be accessing that stream during the time when it was compromised. Still, the broader worry here is, once again, that any device connected to the internet is at least theoretically vulnerable to hacking, and devices such as TVs with less sophisticated security systems than computers and smartphones are often the most vulnerable and hardest to patch.
This story has been somewhat misreported, although this article does a decent job. It appears a hacking collective is claiming to have lots of username / password sets for iCloud accounts, though it appears that the source of the data is a hack of some other site or sites rather than any of Apple’s own. That breach then seems to have allowed the hackers to take iCloud.com email addresses and the passwords used on other sites and use them to access iCloud services as well. In other words, this isn’t an Apple hack at all, and is only effective because people are reusing passwords on multiple sites. Using two-factor authentication and unique passwords is therefore still the best defense against this kind of thing, although Apple still has to deal with the headache of both false claims and threats from this hacking group.
This isn’t the worst example yet of an IoT / smart home vulnerability, but it’s bad enough, given that it allows burglars to defeat a security system if they happen to know how. More worrying, it appears the researcher who discovered the vulnerability shared findings with Nest back in October, but Nest didn’t notify customers or push out a patch until now, when it says it has a fix rolling out to customers soon. The more of these devices we have in our homes, the more potential points of vulnerability there will be for hacking of one kind or another, and makers of both systems and ecosystems need to bake really tight security in from the get-go to prevent as many of them as possible.
via The Register
US Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts (Mar 15, 2017)
The stories that broke immediately before this press conference and announcement from the US DoJ suggested only that Russian nationals were involved, but the formal announcement makes clear that these were Russian agents and not just citizen hackers. That’s a good reminder that state-sponsored attacks are among the biggest things all online service companies have to worry about in our day and age, whether the state behind the hacking is Russia, China, North Korea, or some other country. Yes, ordinary hackers will still try and occasionally succeed in breaching these systems, but state sponsorship can put massively more resources behind a hack like this and often has more success. That, in turn, raises the bar for companies vulnerable to this kind of hacking in terms of their security defenses, but should also make users think about what information they’re entrusting to these systems.
Though the CIA leaks from Wikileaks earlier this week are worrisome in their scope and bad news for the vendors whose devices and platforms have been compromised, there’s at least some comfort in the knowledge that these tools have at least theoretically been subject to due process in the past. However, Wikileaks claims that it has the code for the hacking tools themselves and is debating releasing that code, which would make it available to any hacker who wanted to use it, dramatically increasing the potential for misuse in hacking regular individuals. Again, Apple has said (and Google also finally confirmed this evening) that most of the vulnerabilities have already been patched in recent versions of their respective software, so that should be some defense. But as I’ve said already this week, what a vindication of Apple’s refusal to cooperate with the FBI a year ago over hacking an iPhone.
via USA Today
I suggested this was the case in my coverage of the leak yesterday, but Apple has now issued an official statement to that effect as well. I would guess Apple is still digesting all the information leaked – there’s a lot of it – but it has said that most of the vulnerabilities outlined have already been patched in the latest versions of its software, and fixes for the rest should be coming soon. Samsung has also issued a statement on its TV vulnerabilities, but it’s far less reassuring – it only says it’s aware of and is looking into these hacks. In fairness, though, the Samsung hack appears to require a USB stick plugged into the TV to install it, which means that if you’re a victim you likely have far bigger things to worry about than your TV listening to you – this isn’t a large-scale remote hack that would affect the population as a whole.
via USA Today
Cellebrite director says firm now doing ‘lawful’ extraction of data through iPhone 6 – AppleInsider (Feb 23, 2017)
This is the same firm that was recently hacked, supposedly exposing some of the tools it uses to crack iPhones, and now it’s boasting that it can crack iPhone 6 models in addition to the earlier models it has long been able to crack. I’ve still never seen any kind of official commentary on the hack of Cellebrite itself, but if that really did happen the fact that the company is getting ever better at hacking iPhones while leaving itself open to hacking should be worrying to lots of people. And if US law enforcement is still regularly paying Cellebrite to do this work without ensuring that it is able to keep the hacks secure, then it shares part of the blame by funding this work which ultimately puts regular users at risk.
There was some reporting around this last week, though with several different figures for the discount on the original deal price, so I decided to wait until the new agreement was official to comment on it. The $350 million discount is not actually all that significant, which likely reflects the fact that security breaches like this don’t end up having all that much long-term impact on customer satisfaction or usage. It’s interesting that the two companies will split the cost of any future fallout other than SEC and shareholder investigations and lawsuits – I would have thought Yahoo would have picked up the tab for all costs relating to the breaches, but I guess it must have balked at that. Ironically, now the big question once again becomes whether Verizon can actually craft something compelling out of these various bits of yesteryear’s Internet. Verizon is said to be aiming to go head to head with Google and Facebook, which is a real stretch when it comes to well-targeted advertising, and I’m still very skeptical that these assets combined can ever be more than a second tier player in the online advertising market.
Given that Apple argued precisely that security backdoors almost always make their way into the hands of evildoers, this news is great validation of Apple’s refusal to cooperate with the FBI early last year, even if it’s a private firm rather than the government that’s been hacked in this case. Indeed, that seems to have been the hacker’s motivation in this case. It’s also worrying from an Apple perspective that a provider like Cellebrite should have had such lax security that a hacker could breach its systems and access these tools, assuming the claims being made here are in fact legitimate.
Hacker Steals 900 GB of Cellebrite Data – Motherboard (Jan 12, 2017)
Cellebrite was in the news about nine months ago because Bloomberg reported it was the security firm the FBI used to hack the San Bernardino shooter’s iPhone after Apple refused to help, though the Washington Post contradicted those reports. Whether or not its technology was used in that particular case, that’s exactly the sort of work Cellebrite regularly does for US and other government agencies, and it appears that it has itself now been hacked. It’s not clear that the hack goes beyond some user data, though there’s a vague reference to technical data in the article, but this sort of thing reinforces the sense that no hacks of encryption or other security technologies, even for apparently noble reasons, can ever be deemed 100% safe from being hacked themselves. That, of course, was one of several arguments Apple made in the FBI case.
The specifics of this story aren’t as important as the trend that’s emerging ever more clearly – almost any device that’s connected to the Internet is potentially susceptible to hacking, and the more critical the device’s intended function is, the more serious any potential breach can be – in this case, life threatening. The challenge is that most of these devices – along with cheap web cams and many others – were not designed with watertight security built in, and it’s almost impossible to add that on after the fact. So we’ll see lots more of these stories in the coming years, which will put off potential customers, while giving an advantage to IoT and smart home vendors who prioritize security.