InfoSec News Nuggets – September 4, 2018

Home / InfoSec News Nuggets / InfoSec News Nuggets – September 4, 2018

Bitfi finally gives up claim cryptocurrency wallet is unhackable

Earlier this month, McAfee said that “maybe calling it [Bitfi] unhackable was unwise.” The slew of attacks and vulnerability reports has now forced the company to backtrack on its previous claims. On Twitter, the company posted a statement which said the company had hired external help in the form of a “Security Manager” who is “confirming vulnerabilities that have been identified by researchers.” “Effective immediately, we will be removing the “Unhackable” claim from our branding which has caused a significant amount of controversy,” the company added. “While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal.”

Researchers show Alexa “skill squatting” could hijack voice commands

The success of Internet of Things devices such as Amazon’s Echo and Google Home have created an opportunity for developers to build voice-activated applications that connect ever deeper—into customers’ homes and personal lives. And—according to research by a team from the University of Illinois at Urbana-Champaign (UIUC)—the potential to exploit some of the idiosyncrasies of voice-recognition machine-learning systems for malicious purposes has grown as well. Called “skill squatting,” the attack method (described in a paper presented at USENIX Security Symposium in Baltimore this month) is currently limited to the Amazon Alexa platform—but it reveals a weakness that other voice platforms will have to resolve as they widen support for third-party applications.

How to Roll a Strong Password with 20-Sided Dice and Fandom-Inspired Wordlists

Here’s the not-so-secret recipe for strong passphrases: a random element like dice, a long list of words, and math. And as long as you have the first two, the third takes care of itself. All together, this adds up to diceware, a simple but powerful method to create a passphrase that even the most sophisticated computer could take at least thousands of years to guess. In short, diceware involves rolling a series of dice to get a number, and then matching that number to a corresponding word on a wordlist. You then repeat the process a few times to create a passphrase consisting of multiple words.

Data vandal changes name of New York City to “Jewtropolis” across multiple apps

Late yesterday, users of Snapchat and a number of other applications began to report that the label on in-application maps for New York City had been changed to “Jewtropolis.” That change in data from the mapping developer kit company MapBox had been pulled in from OpenStreetMap—a community-driven mapping project also used by Wikimedia. The same map data made its way to the real estate application Zillow. OpenStreetMap has frequently had to deal with data vandalism, rolling back malicious changes to map data by trolls. In a prepared statement sent to press, a Mapbox spokesperson said that Mapbox has “a zero tolerance policy against hate speech and any malicious edits to our maps.”  The label change was deleted within an hour. 

Will Google’s Titan security keys revolutionize account security?

Google’s Titan security keys are now available in the Google Store for businesses and individuals. If Google gets its way, the Titan keys will be the new standard in two-factor account protection. The tiny Titan keys, which come in USB and Bluetooth form factors, were designed by Google to give users “a complete solution option from Google itself,” said Google’s Sam Srinivas. Authentication keys are nothing new, nor is the FIDO authentication framework that Google has built Titan around. What is new is a company as big as Google marketing and selling its own hardware key. With as large a market as Google has, the Titan could be the hardware key that finally replaces vulnerable two-factor authentication (2FA) methods.

Google and Harvard team up to use deep learning to predict earthquake aftershocks

After a big earthquake hits, the danger isn’t over. Smaller, follow-up quakes that are triggered by the initial shock can rumble around an affected area for months, toppling structures weakened by the parent quake. Scientists can predict the size and timing of these aftershocks to some degree, but nailing the location has always proved challenging. New research from scientists at Harvard and Google suggests AI might be able to help. In a paper published in the journal Nature this week, researchers show how deep learning can help predict aftershock locations more reliably than existing models. Scientists trained a neural network to look for patterns in a database of more than 131,000 “mainshock-aftershock” events, before testing its predictions on a database of 30,000 similar pairs. The deep learning network was significantly more reliable than the most useful existing model, known as “Coulomb failure stress change.”

U.S. accuses China of ‘super aggressive’ spy campaign on LinkedIn

The United States’ top spy catcher said Chinese espionage agencies are using fake LinkedIn accounts to try to recruit Americans with access to government and commercial secrets, and the company should shut them down. William Evanina, the U.S. counter-intelligence chief, told Reuters in an interview that intelligence and law enforcement officials have told LinkedIn, owned by Microsoft Corp., about China’s “super aggressive” efforts on the site. He said the Chinese campaign includes contacting thousands of LinkedIn members at a time, but he declined to say how many fake accounts U.S. intelligence had discovered, how many Americans may have been contacted and how much success China has had in the recruitment drive.

Apple will require all apps to have a privacy policy as of October 3

Apple  is cracking down on apps that don’t communicate to users how their personal data is used, secured or shared. In an announcementposted to developers through the App Store Connect portal, Apple says that all apps, including those still in testing, will be required to have a privacy policy as of October 3, 2018. Allowing apps without privacy policies is something of an obvious hole that Apple should have already plugged, given its generally protective nature over user data. But the change is even more critical now that Europe’s GDPR regulations have gone into effect. Though the app makers themselves would be ultimately responsible for their customers’ data, Apple, as the platform where those apps are hosted, has some responsibility here, too.

Twitter will begin labeling political ads about issues such as immigration

Twitter said Thursday that it would begin requiring some organizations that purchase political ads on topics such as abortion, health-care reform and immigration to disclose more information about themselves to users, part of the tech giant’s attempt to thwart bad actors, including Russia, from spreading propaganda ahead of the 2018 election. The new policy targets promoted tweets that mention candidates or advocate on “legislative issues of national importance,” Twitter executives said in a blog post. To purchase these ads, individuals and groups must verify their identities. If approved, their ads then would be specially labeled in users’ timelines and preserved online for the public to view. And promoted tweets, and the accounts behind them, would be required to disclose the name of the actual organization that purchased the ad in the first place.

Experts Call for Transparency Around Google’s Chinese-Made Security Keys

On Thursday, Google started selling its own Titan Security Keys on the Google Store; hardware tokens that offer more robust two-factor authentication than a text message or smartphone app. Rather than just providing a password, which a hacker may be able to phish or otherwise obtain, users have to also plug a security token into their computer, or place it close to their phone when logging in. But several senior security experts, including the former chief information security officer (CISO) of Facebook, are concerned about the devices, with some pointing to how the keys are actually produced by Feitian, a Chinese company. Multiple experts talking to Motherboard called for Google to be more transparent around these keys, amidst pressing, albeit currently unsubstantiated, concerns they could be leveraged by the Chinese state to hack users.

Proposed US law would require President to act against overseas hackers

US senators from both sides of the housee have announced a bill that would force the President to act against overseas hackers found targeting the US, or explain why he hadn’t. Senators Cory Gardner (R-CO) and Chris Coons (D-DE) announced the Cyber Deterrence and Response Act (S.3378) this week. The text of the bill cites several cybersecurity incidents, including the charging of Chinese military hackers for allegedly attacking a range of US industries, and the indictment of seven Iranians for alleged cyberattacks in the US, including DDoSes against 46 different financial institutions. The document also pointed to a May 2018 State Department recommendation to the President. That document cited a rising number of cyberattacks that were serious, but not serious enough to warrant a counterattack.

California Lawmakers Pass Net Neutrality Bill

Lawmakers in California are sending legislation to Gov. Jerry Brown that would put net neutrality regulations into state law. “This is about a level playing field and an Internet where we as individuals get to decide where we go on the Internet instead of being told by Internet service providers, or manipulated by Internet service providers, into going where they want us to go,” Wiener told reporters. The bill stops Internet service providers from blocking or slowing down certain websites or “classes of applications,” like video. It bans “paid prioritization,” also called fast lanes, where some websites would pay more for faster access. It also stops Internet providers from using some types of “zero-rating,” when companies exempt certain traffic from counting against a customer’s data usage.

Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted

A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the “Satori” botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other “Internet of Things” (IoT) devices. This outcome is hardly surprising given that the accused’s alleged alter ego has been relentless in seeking media attention for this global crime machine. The Daily Beast‘s Kevin Poulsen broke the news last week that federal authorities in Alaska indicted Kenneth Currin Schuchman of Washington on two counts of violating the Computer Fraud and Abuse Act by using malware to damage computers between August and November 2017.

Google paid million dollars to track offline purchases using Mastercard Data

New problems for Google, experts discovered a secret agreement of the tech giant with Mastercard to track user purchases offline. Google has paid Mastercard millions of dollars to access offline transactions of its users. The embarrassing agreement was revealed by Bloomberg that cited four unidentified people with knowledge of the deal. Google used Mastercard data to track whether its ads led to a sale at a physical store in the U.S. Google and Mastercard signed the agreement after a four-year negotiation, it gives the company all Mastercard transaction data in the US.

Google Fights Tech Support Scams With New Ad Restrictions

Google announced late last week that it’s preparing a new verification program designed to keep tech support scams off its advertising platform. Tech support scams still represent a major issue and while these types of schemes are often unsophisticated, fraudsters have been known to use some creative methods to achieve their goals. Tech support scammers can lure their victims through online ads, and Google’s advertising platform has been increasingly abused for this purpose. That is why the tech giant has decided to introduce some restrictions for tech support services.