Things I Hearted this Week 5th Jan 2018

[ This article was originally published here ]

The opening of a movie sets the tone for the rest of the film. Within the first few minutes you usually get an idea of the characters and of whether it's a slow-burn suspense, a drama, or an action flick.

If the first few days of 2018 are any indication, the IT Security world has kicked off with a dizzying Michael Bay-esque opening action sequence with rapid cuts that would rival any Edgar Wright montage.

So let's jump head first into it.

Meltdown (and Spectre)

Step aside Heartbleed, and forget all about WannaCry: there's a new duo of attacks in town, Meltdown and Spectre, complete with logos, websites, and tales of doom.

Facebook and India’s controversial National ID Database

Facebook has clarified that it’s not asking new users in India for their Aadhaar information while signing up for a new Facebook account.

Aadhaar is India’s biometric ID system that links the demographic information of more than a billion Indians with their fingerprints and iris scans, and stores it in a centralized government-owned database that both government agencies and private companies can access to authenticate people’s identities. The program has been slammed by critics for enabling surveillance and violating privacy.

Facebook said this was a “small test” that the company ran with a limited number of Indian users, and that its goal was to help new users understand how to sign up to Facebook with their real names.

It sounds an awful lot like the “wallet inspector” in the school playground that would also then keep my money safe for me.

Trackmageddon

Two researchers have disclosed problems with hundreds of online GPS tracking services that expose open APIs and accept trivial default passwords (123456), resulting in a multitude of privacy issues, including the direct tracking of the devices' owners. Further, many of the vulnerable services have open directories exposing logged location data.

Some of the vulnerabilities discovered and disclosed by Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368) aren't new. Similar flaws were disclosed at Kiwicon in 2015 by Lachlan Temple, who demonstrated weaknesses in a popular car tracking and immobilisation device.

DHS leak

The US Department of Homeland Security has confirmed a major privacy incident affecting around 247,000 current and former employees. According to the DHS statement, it appears to have been an insider leak rather than an external hack.

Uber Malware

Android users should be on alert for a new malware variant that poses as the Uber app in an attempt to phish users' Uber credentials.

Of course, users that download Uber have probably got low security expectations to begin with.

Guessing Smartphone PIN codes

Security researchers have discovered a new method that attackers could potentially use to unlock and compromise a user's smartphone using just the device's built-in sensors. According to researchers at Nanyang Technological University (NTU) in Singapore, data gathered from six different sensors in a smartphone, paired with machine learning and deep learning algorithms, could be used to guess the PIN of an Android smartphone within only three tries. The part worth noting for defenders is that motion sensors such as the accelerometer and gyroscope can be read by an app without asking the user for any permission, so the "keylogger" here needs nothing more than an installed app.

Forever 21 breach lasted over seven months

Anyone can get breached, and that in itself isn't a sign of negligence. But detection controls should be designed to alert when something goes wrong, and seven months of undetected card-skimming is a long, long time.