The top security news of the week included Kaspersky, Apple, and other stories.
This week, Apple officially unveiled the iPhone X, which includes a FaceID face recognition system. Researchers are keen to test FaceID’s reliability, but first indications suggest that it won’t be easy to mislead and should be secure for the typical user. Although consumer facial recognition is not new, it has not previously reached this level, raising concerns about its potential effects, notably on privacy. Researchers raised concerns this week about Apple’s “differential privacy” techniques, which are intended to aggregate and analyse customer data without invading their privacy. While Apple’s new iOS 11 mobile operating system does have more important privacy protections against thieves and government officials alike, researchers also raise questions about these methods.
In the incredible, still-burning dumpster fire that is the Equifax data breach, Equifax revealed that hackers gained access to its network through an Apache Struts web application vulnerability that had a patch available for two months prior to the initial intrusion. In other words, by fixing the flaw, Equifax might have avoided the intrusion. While authorities rushed to determine possible legal action against Equifax and sought ways to avert similar crises in the future, US citizens rushed to take precautions against potential identity theft.
In order to design weapons, WIRED looked at the future of warfare and how the US can deal with new challenges like automation and global information sharing. Additionally, a fresh set of Bluetooth implementation flaws served as a stark warning to turn off wireless connectivity when not in use. But on the plus side, there’s no need to fear because Hope Hicks’ Twitter account was never suspended.
There is still more. Each week, we round up all the news that we didn’t break or analyse in depth. To read the complete stories, click on the headlines.
Federal Organizations Are Required by DHS to Stop Using Kaspersky Products
The Department of Homeland Security, in a long-awaited step, this week forbade the US government from using any software sold by the Russian security company Kaspersky, citing the latter’s possible ties to the Russian government. This ruling comes after the General Services Administration, which oversees US IT spending, decided to strike Kaspersky from a list of authorised sellers months earlier. With this new regulation, organisations will have 90 days to remove all Kaspersky software from their networks. According to a statement from the DHS, “the danger that the Russian government, whether acting alone or in conjunction with Kaspersky, might capitalise on access granted by Kaspersky products to compromise federal information and information systems directly implicates US national security.” Kaspersky’s ties to Russian intelligence, notably company founder Eugene Kaspersky’s military history and association with some Kremlin officials, have come under increasing investigation in the aftermath of Russian cyber activities intended to compromise the 2016 US presidential election. In an effort to allay concerns that their software might have a backdoor, Kaspersky, and Eugene Kaspersky himself, have consistently refuted any claims of connection with the Russian government and cited a lack of evidence. They have even made their software open-source. However, the security community has remained sceptical and pointed out that Kaspersky’s antivirus does have the capability to transfer specific files from its users’ computers back to Kaspersky’s servers, just like many similar products. Both Kaspersky’s government and consumer businesses have been damaged by that suspicion: the company’s merchandise was quickly removed from Best Buy’s shelves earlier this week as well.
Popular D-Link Home Router Can Be Ridiculously Hacked
Home Wi-Fi routers are notoriously insecure devices that essentially manage every data packet that enters or exits your domestic life. But last week, a fresh investigation revealed a depressingly large number of faults in the well-liked D-Link 850L home router, totaling ten separate hackable vulnerabilities. Security researcher Pierre Kim, who is based in South Korea, claimed that “almost everything got pwned.” “The D-Link 850L is a router that is generally poorly constructed and has a lot of weaknesses.” Anyone within wireless range would be able to totally manage the router thanks to the faults Kim discovered, intercepting data and downloading their own firmware. Kim disclosed the issues without informing D-Link, a questionable action that he defended by saying that he had previously alerted the business to flaws that it had neglected to fix. Don’t expect D-Link to fix these security holes soon either, given their track record. It is understandable why the FTC sued D-Link earlier this year over the lack of security in their routers and IP-based cameras.
Vevo Is Dismembered by the OurMine Hacker Group
Until recently, the hacker collective OurMine was only interested in taking over celebrity and tech industry Twitter accounts. These days, it goes after much bigger targets, most recently infiltrating the network of the video company Vevo and leaking more than three terabytes of its confidential data online. Gizmodo examined the exposed files, but was unable to immediately identify any potentially sensitive information. However, with many terabytes of data, the leak would rank among the biggest in recorded history. It’s unclear exactly why OurMine carried out that destructive hack, but in the past the hackers have advertised a fictitious security-testing business with their high-profile operations. Late last month, the same organisation took control of WikiLeaks’ DNS and defaced the website with a mocking message of its own. In this instance, the hackers claimed in a post that accompanied their data dump that they exposed the details after approaching a Vevo employee with accusations of the breach and allegedly being told to “fuck off.”
Two Different Malicious App Strains Tricked Google Play’s Filtering
Researchers at the security company Check Point have found a new type of Android malware that can secretly bill users for phoney in-app purchases and services. The malware, known as “ExpensiveWall,” is cleverly packaged to encrypt malicious data so that it won’t trigger Google Play’s security filters. The Android Security team discovered approximately 50 infected apps and removed them from the Play Store after Check Point initially informed Google about several samples of the malware. Google reported that between 1 million and 4.2 million people had downloaded them. But after a few days, Check Point found a fresh instance of the malware in Google Play with more than 5,000 separate downloads. Google also removed this app, but the incident illustrates the persistent challenge of vetting programmes and protecting Google Play against malware.
Report: Turkey Infringed on Human Rights in Cases Using Encrypted Chat Apps
75,000 Turkish people have been sacked from their jobs or jailed by the Recep Tayyip Erdoğan administration after it was claimed that they downloaded the encrypted texting app “ByLock.” However, a legal analysis conducted by Erdoğan’s detractors and published in London comes to the conclusion that this behaviour is unlawful and in violation of human rights. Following a failed coup attempt in 2016, Erdoğan’s administration has become more harsh in its persecution of Turkish citizens out of concern about the emergence of further uprisings. The investigation examined Turkish trial transcripts and intelligence files under the direction of British attorneys William Clegg and Simon Baker. They came to the conclusion that the cases contravened the European Convention on Human Rights (Turkey is a signatory). The European Court of Human Rights may hear appeals for cases heard in Turkey.