Hacking and infosec news: April 4, 2017
Get caught up this week with Samsung's newest security nightmare, the arrest of a hacker who hacked no-one, a study on autism and cybercrime, cybersecurity insurance comes of age, WikiLeaks takes another hit from infosec for making false info into headlines, and much more.

Project Zero Fucks

If you've been able to keep up with Google Project Zero researcher Tavis Ormandy and his relentless bug disclosures, then you already know where this is going. His latest obsession is password manager LastPass, on which Ormandy has been publicly dropping bug discoveries weekly. LastPass is gracious during the humiliation -- what else can they be? -- and wastes no time in fixing the issues. But some wonder if there isn't a better way to do this.

Coding is not a crime, redux

Remember the Iranian-born Canadian citizen who currently sits under a life sentence in Evin prison for no crime other than having built a tool allegedly used by porn sites? Saeed Malekpour's only mistake was visiting home to see family during an anti-tech sweep that had him arrested and tortured for building a tool, not using it.

In a scary echo of Iran's template, the FBI has arrested a hacker who hacked no one, but rather built a remote administration tool (RAT) called NanoCore. The tool was used by criminals, and authorities allege its author Taylor Huddleston specifically made it for criminal use -- which can't be proven by looking at the code, of course. Huddleston insists he created the tool for lawful use. In a great article, Kevin Poulsen understates the threat for hackers, saying: "Some experts say the answer to that question could have far reaching implications for developers (...)"

The Affordable Ransomware Act

Cybersecurity insurance has been getting bigger and more prevalent in the past couple years, but now it's poised to be the next big thing. For a barometer, look no further than American International Group Inc.'s new consumer product that "offers coverage for expenses that arise from online bullying, extortion and other digital misdeeds. Called 'Family CyberEdge,' it includes public relations and legal services, as well as at-home assessments of family electronic devices," executives told press.

Leaking up a rope

WikiLeaks took another hit among hackers and infosec professionals with its latest "Vault 7" drop, while scoring more hits in a press sector whose ignorance on security matters is verging on disastrous.

Headlines in major and minor outlets once again repeated the claims of WikiLeaks without verifying them, explains security firm Rendition Infosec.

"WikiLeaks suggests that the Marble framework can be used to confuse analysts into attributing CIA malware to Russia or China," they wrote. "After a review of the code, Rendition Infosec assesses that the WikiLeaks analysis of the purpose of the code is incorrect." All the code suggests, Rendition unequivocally states, is that the CIA wrote custom malware targeting different languages.

The crime spectrum

A study on potential links between cybercrime and autism traits was announced last week. The project is by the University of Bath's Centre for Applied Autism, the cyber crime unit at the National Crime Agency (NCA) and the charity Research Autism.

University of Bath Professor Mark Brosnan told press: "A growing perception among law enforcement agencies suggests that a significant number of people arrested in connection with cyber crime may be on the autism spectrum.

"But whilst media coverage has helped to shape public perceptions about this issue there has, to date, been little in the way of systematic research to really unpick this idea.

"Through our project we will explore whether autistic traits are actually associated with computer-related abilities and cyber crime."

Through a stunt hack darkly

Not sure if this is a cool attack, another stunt hack that might not be reproducible, or both. A team of Israeli researchers released a PoC demonstrating an attack which used a flatbed scanner as a relay point in controlling malware on air-gapped computers. Previously, the Ben-Gurion team has been behind the PoCs of other media-friendly attacks including SPEAKE(a)R, 9-1-1 DDoS, and more.

"Your great-great-great grandmother died in the first crypto wars"

While UK citizens get nervous about the future of secure encryption in light of the recent terrorist attack, it looks like encryption's fate is to be decided by the EU sooner rather than later. SC Magazine reports that EU justice commissioner Věra Jourová says the European Commission "will propose in June new measures to enable police to access data from encrypted apps."

Retractors gonna ... oh, strike that

Riding high off the panic and press going around last week on the deep-sixing of FCC privacy rules, the EFF blasted out a post saying that Verizon was forcibly putting spyware on everyone's phones. This turned out to be untrue, and the EFF's post now sits entirely in strikethrough, with no regret expressed for the error, and no link to the information page provided by Verizon in its statement correcting the post. Unfortunately, some news outlets still ran with the false information.

It's no joke

On April Fools' Day, the Russian Foreign Ministry thought it would be hilarious to make fun of the biggest political scandal, and its unremitting corruption, in American history. On April 1, they shared a recording on Facebook offering hacking and election interference, created for “Russian diplomats.” The recording was in Russian and English.

“To arrange a call from a Russian diplomat to your political opponent, press 1. To use the services of Russian hackers, press 2. And to request election interference, press 3, and wait until the next election campaign,” the message said. “Please note that all calls are recorded for quality improvement and training purposes.”

It's a-Maze-ing

If you're paying attention to infosec Twitter right now, it's impossible to miss that Kaspersky's security conference "SAS" is underway. One really cool piece of research to come out so far is the analysis released on the historic Moonlight Maze cyberespionage campaign. The visualization in their video is just about one of the coolest things I've seen come out of infosec.

So much for selfie security

A video has revealed that Samsung’s new Galaxy S8 has facial recognition that's so easily spoofed, the phone can be unlocked by pointing it at a sleeping person, a photo of them, or a pic of them on another phone.

In Samsung's not-reassuring statement to Gizmodo UK, it said: "It is important to reiterate that facial recognition, while convenient, can only be used for opening your Galaxy S8 and currently cannot be used to authenticate access to Samsung Pay or Secure Folder."

Samsung, please no

Notable in the story-about-to-develop department from this week's Kaspersky SAS conference is the report about Samsung's new operating system, which is riddled with enough holes to make it a bad idea to release to the public as-is. The OS, called "Tizen," is Samsung's bid to replace Android, and they want it to run everything from millions of phones to appliances -- this year.

If they're trying to compete with the security failings of Android, they nailed it! Researcher Amihai Neiderman of Equus Security told press, "It may be the worst code I've ever seen." The Hill reports that the Tizen app store "is given unlimited privileges to alter devices" and currently Samsung is offering a $10,000 bonus to apps on Tizen that make it to the top 100 in its store. Tizen has already been released in Russia and India.

Hola, goodbye

With the downing of the Obama-era FCC's privacy rules, media outlets rushed to publish expert guides on VPNs and covering your browsing tracks. Many were not terribly well-disguised pushes to buy their affiliate VPN services. The fact that most of these pieces omitted ways in which you should select a safe VPN is driven home by news that the popular "Hola VPN" extension sold its users' bandwidth for use in a botnet attack.

Tooting their own horns

Over the weekend, a bunch of assorted infosec cliques decided to join the Twitter-like social network Mastodon, and declared it the place to be. It should be noted that many have spent a fair amount of time on the new hangout spot complaining about Twitter, though some used it to experiment with posting their work. I'm on Mastodon as @violetblue, but I have a biiiig wait-and-see policy in place.

Thank you!

Hey, are you a patron? Thank you! If you're not, please consider a donation to keep this little labor of love going strong.