Feds Give Kaspersky Security Products the Boot, and Other Security News This Week
Apple finally announced the iPhone X this week, complete with a facial recognition system that Apple calls FaceID. Preliminary impressions are that FaceID will be difficult to trick, and should be secure for the average user, but researchers are eager to test its robustness. Consumer facial recognition has been around, but not yet at this scale, inviting questions about what its implications will be, particularly for privacy. Apple’s new iOS 11 mobile operating system does have more crucial privacy protections against muggers and government officials alike but researchers detailed doubts this week about the “differential privacy” techniques Apple uses that are meant to aggregate and analyze customer data without invading their privacy.
Over at the astounding, ongoing dumpster fire that is the Equifax data breach, Equifax admitted that hackers accessed its network through an Apache Struts web application vulnerability that had a patch available for two months before the initial intrusion. In other words, Equifax could have prevented the breach by patching the bug. US residents rushed to find ways to protect themselves against potential identity theft, while officials scrambled to determine possible recourse against Equifax and looked for ways to prevent similar crises in the future.
WIRED examined the future of warfare and how the US can handle emerging threats like automation and international information-sharing to build weapons. And a new set of vulnerabilities in Bluetooth implementation were a forceful reminder to keep that wireless connectivity off when you’re not using it. But on the bright side, Hope Hicks’ Twitter account was never actually suspended, so that’s one less thing to worry about.
And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories.
In a long-anticipated move, the Department of Homeland Security this week banned the US government’s use of all software sold by the Russian security firm Kaspersky, citing the company’s potential ties to the Russian government. That order follows another decision months earlier by the General Services Administration, which regulates US spending on IT, to remove Kaspersky from a list of approved sellers. This new directive goes further, giving agencies 90 days to pull all Kaspersky products out of their networks. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security,” reads a statement from the DHS. In the wake of Russian hacking operations targeted at compromising the 2016 US presidential election, Kaspersky’s ties to Russian intelligence have come under new scrutiny, including its founder Eugene Kaspersky’s military background and association with some Kremlin officials. Kaspersky—and Eugene Kaspersky himself—have repeatedly denied any accusations of collusion with the Russian government and pointed to a lack of proof, even open-sourcing their software in an attempt to clear suspicion of a backdoor in its code. But the security community has remained wary, and noted that Kaspersky’s antivirus, like many similar products, does have the ability to upload specific files from its users’ machines back to Kaspersky’s servers. That suspicion has impacted Kaspersky’s consumer business as well as its government sales: Earlier this week, retail giant Best Buy abruptly pulled the company’s products from its shelves, too.
For a device that controls practically every packet of data that enters or leaves your domestic life, home Wi-Fi routers have long been understood to be notoriously insecure. But a new analysis this week enumerated a depressing plethora of flaws in the popular D-Link 850L home router, adding up to 10 distinct hackable vulnerabilities. “Basically, everything was pwned,” wrote South Korea-based security researcher Pierre Kim. “The D-Link 850L is a router overall badly designed with a lot of vulnerabilities.” The bugs Kim found would allow anyone within wireless range to fully control the router, intercepting data and uploading their own firmware to the device. Kim exposed those bugs without forewarning D-Link—an unorthodox move that he justified by writing that he’d previously warned the company about vulnerabilities that it never patched. Judging by that track record, don’t hold your breath for D-Link to quickly patch these security flaws either. Little wonder that the FTC sued D-Link for the insecurity of its routers and IP-based cameras earlier this year.
Not so long ago, hacker group OurMine limited its activities to hijacking the Twitter feeds of tech executives and celebrities. These days, it’s going after far bigger game, most recently hacking into the network of video firm Vevo and dumping more than three terabytes of its internal information online. Gizmodo reviewed the leaked files and couldn’t immediately determine what sensitive data might be included, but multiple terabytes of data would make the leak one of the largest in history. It’s not clear exactly what OurMine’s motives were in pulling off that damaging breach, but in the past the hackers have used their high-profile attacks as advertisements for a purported security-testing service. Late last month, the same group hijacked the DNS of WikiLeaks, defacing the site with its own taunting message. In this case, the hackers wrote in a post accompanying their data dump that they’d leaked the files after they approached a Vevo staffer with claims of the breach, and were purportedly told to “fuck off.”
A new strain of Android malware, discovered by researchers at the security firm Check Point, is able to charge users for fake in-app purchases and services without them even knowing. Called “ExpensiveWall,” the malware is carefully packaged to encrypt sinister data such that it doesn’t set off alarm bells in Google Play’s security filtering. Check Point initially notified Google about some samples of the malware, and the Android Security team found about 50 affected apps and removed them from the Play Store. They had been downloaded between 1 million and 4.2 million times, according to Google. Within a few days, though, Check Point discovered a new sample of the malware in Google Play that already had more than 5,000 unique downloads. Google removed this app as well, but the situation speaks to the ongoing struggle to screen apps and secure Google Play against malware.
The administration of Turkish president Recep Tayyip Erdoğan has had 75,000 Turkish citizens fired from their jobs or detained because they allegedly downloaded the encrypted messaging app “ByLock”. A legal study published in London by opponents of Erdoğan, though, concludes that this action is a human rights violation and is illegal. In the wake of a failed coup in 2016, Erdoğan’s government has been increasingly strict in cracking down on Turkish citizens, fearing the formation of new insurrections. The report, led by British lawyers William Clegg and Simon Baker, combed Turkish trial transcripts and intelligence reports. It determined that the cases are in violation of the European Convention on Human Rights (Turkey is a signatory). The cases tried in Turkey could be appealed to the European Court of Human Rights.