Security News This Week: Oh Good, Hackers Beat Two-Factor to Rob Bank Accounts
Congratulations! You’ve gotten through the week of the Google Docs phishing ploy that rocked the world, or at least a vocal corner of the media. Speaking of speaking out, FBI Director James Comey this week gave his most thorough explanation yet of the election-rocking Clinton investigation letter he gave last fall, though it’s unlikely to satisfy critics. Oh, and apps can use your phone’s mic to listen for marketing beacons your ears can’t hear. Fun!
In other news, hackers tried to extort Netflix by threatening to put the unreleased, upcoming season of Orange Is the New Black online, a pretty serious miscalculation. Intel fixed a seven-year-old bug that left enterprise machines exposed. Researchers figured out how to hack a 220-pound industrial robot arm, which is how the uprising starts. Fancy Bear continues to hack on Russia’s behalf despite those US sanctions last fall. South Korea’s missile defense system has gone operational, but doesn’t provide as much cover as you’d think. And the US improved on last year’s last-place finish in NATO’s cyber-defense games—but could still maybe use some work.
And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Chipotle appears to be just the latest food-service victim of a hacker group known as FIN7, or Carbanak Group, according to a report from CyberScoop. The group has previously struck Baja Fresh, Ruby Tuesday’s, and over a dozen other hospitality companies over the past year or so. As is so often the case, a successful phishing email was to blame for the intrusion. The motivation appears to be (surprise!) financial, which at least offers a change of pace from the nation-state shenanigans of recent months.
So-called “content delivery networks” like Cloudflare and Akamai are meant to act as the pipes that serve up web sites on behalf of their clients—in theory, without censorship or preference for any political viewpoint. But according to some critics, Cloudflare has taken that free-speech approach too far: It not only hosts abhorrent neo-Nazi websites like the Daily Stormer, a report from ProPublica points out, but also reports anyone who asks it to stop hosting those sites to the sites’ owners, leading to multiple cases of abuse and retaliation. Although Cloudflare warns anyone who protests its hosting practices that it will alert the controversial site in question, some people who have made those complaints missed the warning. They were then surprised to find that sites like the Daily Stormer, which traffics in vile racist, anti-semitic, and misogynist content, were notified of their identifying details. One man who protested Cloudflare’s hosting of the site, for instance, received dozens of hate-filled messages, and even menacing references to his children.
For the last three years, the child pornography site Playpen has represented both the worst of the dark web and the most controversial methods US law enforcement would resort to in chasing its criminals. After quietly seizing the site’s server in December of 2014 and arresting its Florida-based creator Steven Chase, the FBI continued to run the site for two weeks, using it to indiscriminately hack into the PCs of every visitor to the site. Now, the case at the center of that vast hacking operation has found closure: A North Carolina court on Monday sentenced Chase to 30 years in prison for child pornography charges and engaging in a child exploitation enterprise. Beyond Chase, the case has resulted in close to 900 arrests around the world, the FBI wrote in a statement celebrating Chase’s sentencing, and led to 296 exploited children being identified or rescued. It also demonstrates just how broad the FBI’s hacking powers have become: With a single warrant, the bureau can hack thousands of computers around the globe.
Security researchers have warned for years that a gaping security hole has persisted at the heart of the global telephony system: Signaling System 7, or SS7, is designed to connect phone calls between phone networks, but can easily be hijacked by any carrier—or carrier impersonator—that decides to maliciously reroute calls. Now cybercriminals have finally cashed in on that long-lingering flaw. The German phone company O2-Telefonica told the Suddeutsche Zeitung this week that hackers had used an SS7 attack to steal the text messages sent to banking customers as part of their two-factor authentication scheme. After planting malware on the victims’ computers to steal their passwords, the hackers also intercepted the one-time codes sent over SMS when the hackers attempted to use those credentials, defeating that phone-based protection measure. The phone companies can’t say they weren’t warned: The technique was presented in 2014 at the Chaos Communication Conference. Last year, hackers demonstrated it again for 60 Minutes, using it to wiretap a Congressman on camera. And we at WIRED warned that the SS7 flaw is another reason you should stop using text messages for authentication. That advice applies now more than ever.