IEEE Computer Society Cipher --- Items from security-related news (E146)

  • 2-Factor is no panacea
    Reddit user data compromised in sophisticated hack
    The Guardian
    Aug 6, 2018
    By Samuel Gibbs

    By targeting the accounts of privileged Reddit employees, hackers got access to two stores of user data and were not detected for a few days. The cellphone accounts of the employees had been compromised so that the SMS messages for Reddit's two factor authentication were intercepted. Users of Reddit should consider changing their passwords.

  • Hal the Hacker
    New genre of artificial intelligence programs take computer hacking to another level
    Aug 8, 2018
    By Joseph Menn

    Ahead of the Black Hat conference, a team of researchers at IBM talked about their use of machine learning to develop defense-evading malware. Industry experts interviewed for the story claimed that AI designed hacking tools would become a real threat in the next few years. One claimed that "Whoever you personally consider evil is already working on this." [Editor's Note: The top rank of the Cipher Editor's personal evil list does not include any cybersecurity experts.]

  • Facebook holds Messenger calls private
    Exclusive: In test case, U.S. fails to force Facebook to wiretap Messenger calls - sources
    Sep 28, 2018
    By Joseph Menn, Dan Levine

    In a sealed decision in U.S. District Court in Fresno, a federal and state task force were rebuffed in their effort to compel Facebook to wiretap calls made with the Messenger app. In monitoring the MS-13 gang, the task force had been able to tap all ordinary phone calls, but not Messenger. At issue were 3 Messenger calls made by indicted gang members.

  • Giving up the kingdom to get rid of ads
    Popular Mac App Adware Doctor Actually Acts Like Spyware
    Sep 28, 2018
    By Lily Hey Newman

    Despite Apple's attempts to keep its App Store clean, a very popular app called Adware Doctor appeared to be a double-agent. In addition to its main function of blocking unwanted ads, the app also collected information about what other apps the user ran and sent that information regularly to a server in China. Researchers complained that Apple did not respond forcefully to their concerns, and that the app is, in fact, a reincarnation of an app that was previously banned.

  • Facebook - 3 errors make one hot mess
    Facebook says big breach exposed 50 million accounts to full takeover
    Sep 29, 2018
    By Munsif Vengattil, Arjun Panchadar, Paresh Dave

    Facebook noticed a large surge in use of the "view as" feature that let's a user see his page as though he were an ordinary user, not the owner of the page. After some deep diving into the code, Facebook engineers found that three logic errors combined to open a gaping security hole that let hackers steal the private data of some tens of million of users. It was a "complex" bug with huge implications.

  • Facebook data breach, don't worry, it's only 30 million
    Hackers accessed personal information of 30 million Facebook users
    Oct 12, 2018
    By Donie O'Sullivan

    On further examination, Facebook came up with the cheerful news that only 30 million accounts had been impacted by the "complex" bug, and of those, only 14 million were subjected to examination of personal user data. [Editor's note: Facebook recently purged a billion "fake" accounts. Perhaps some of them were in the "hacked" category.]

  • NZ says 'welcome, password holder'
    New Zealand's 'digital strip searches': Give border agents your passwords or risk a $5,000 fine
    The Washington Post
    Oct 2, 2018
    By Isaac Stanley Becker

    New Zealand has new legislation affecting incoming travelers that "balances the protection of New Zealand with individual rights" by allowing custom's agents to demand all passwords necessary to examine a traveler's digital devices. Failure to comply would risk seizure of the items and subjecting them to forensic analysis. Not to worry, this can only be done if the customs officers have reason to suspect wrongdoing.

  • The stealth chip is finally here, or is it?
    The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
    Oct 4, 2018
    By Jordan Robertson and Michael Riley

    The possibility of adding secret functionality to computer chips, in order to allow the operation of malware, is a problem that has been bothering security experts for a long time. This Bloomberg story says that that day has arrived, and it shows pictures of a tiny bump of metal on a computer board that may have been shipped to many US companies through a trustworthy third party. The board orginated in China, and the chip, it is said, compromised the boot process and allowed malware to exfiltrate data to some remote site.

    There is a great deal of argument about whether or not any US companies used the compromised boards. They may have only used them during an evaluation period, or the boards might not exist at all. In the weeks after the story was published, all the named companies denied it, and the FBI announced that it had no open investigation and knew nothing about the boards.

  • Google had a secret bug
    Google for months kept secret a bug that imperiled the personal data of Google+ users
    The Washington Post
    Oct 8, 2018
    By Craig Timberg, Renae Merle and Cat Zakrzewski

    Google found a serious privacy bug in its Google+ service, but it did not inform government regulators or users for several months. At that time, it announced that it would be winding down the Google+ service, it would impose new privacy limits on developer's for Android apps, and it would limit the sharing of information about Gmail users. Google said it could not notify users about the bug when it was first discovered because it was not sure which users were affected.