Russian Spies Rush to Exploit the Latest Flash Zero Day and More Security News This Week

There’s nothing like a hefty security freakout to start the week, and the Key Reinstallation Attack Wi-Fi vulnerability—you know it as Krack—announced on Monday fit the bill. The bug is in the four-way handshake of the ubiquitous WPA2 Wi-Fi protocol, so while it fortunately doesn’t impact every single device that exists, it does affect a significant portion of them. And many will likely never receive protective patches, a longstanding and critical security problem that particularly affects the Internet of Things. The relative simplicity of the Krack bug itself also highlights the importance of making technical standards accessible to researchers for review and feedback.

Google announced a new tier of account security this week called Advanced Protection that uses physical authentication tokens, advanced scanning, and siloing to help defend particularly at-risk accounts (or anyone who wants to be very cautious). And after its disastrous corporate breach, Equifax is receiving a thorough public shaming. Researchers also discovered that for just $1,000 they can exploit mobile advertising networks to track people’s movements in both cyberspace and the real world. Not great!

US-Iranian relations are tense and could nudge Iran’s cyber operations. And crooks have a new favorite hustle called “cryptojacking” that secretly uses your devices to mine cryptocurrency when you visit websites carrying the mining script. Highs and lows.

And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Flash Patched Its Recent Zero Day, So Russian Hackers Are Using It While They Can

Kaspersky Lab researchers announced a new Adobe Flash vulnerability on Monday, noting that unidentified hackers exploited the bug in an attack on October 10, using a Microsoft Word document carrying the exploit to deliver FinSpy malware. Adobe coordinated with Kaspersky to issue a patch on the day of the disclosure. In the wake of the patch, researchers at the security firm Proofpoint observed hackers doubling down to exploit the flaw before potential targets widely adopt the fix. The group, which Proofpoint says is the Russia-backed collective Fancy Bear, launched an email spearphishing campaign that targeted state departments and aerospace companies. But researchers say the operation was sloppy, and that the group has followed this pattern in the past.

Microsoft Didn’t Disclose 2013 Breach of a Sensitive Vulnerability Database

Sophisticated hackers breached Microsoft’s internal vulnerability-tracking database more than four years ago, but the company didn’t publicly disclose the incident. Five former Microsoft employees told Reuters that the company was aware of the intrusion in 2013. The database would have contained critical vulnerabilities in Microsoft’s widely used software products, including Windows, and may have even included code for exploiting those flaws. Such information would be a gold mine for foreign government-backed hackers or third-party criminals alike, and could have facilitated breaches and espionage at the time.

Reuters’ sources said in separate interviews that Microsoft never connected the breach to any other attacks, and that the company didn’t disclose the incident because doing so would have pushed attackers to exploit the vulnerabilities before they were patched. Microsoft presumably patched everything in the compromised database years ago, though. Reuters’ sources say that Microsoft did at least improve its internal security in response to the hack. The incident was part of a rash of attacks that also hit Apple, Facebook, and Twitter. The group behind these hacks is still unidentified, but is known to different researchers as Morpho, Butterfly, and Wild Neutron, and is still active today.

UK Concludes That Iran, Not Russia or North Korea, Hacked Officials’ Email Accounts

Investigators in the United Kingdom concluded last week that Iranian government-backed hackers were behind a June email network intrusion that targeted numerous members of parliament and Prime Minister Theresa May. Every MP uses the network, but the hackers specifically looked for accounts protected by weak passwords, or by reused passwords that had leaked online after other breaches. The parliamentary digital services team told the Guardian that it was making email security changes in response to the attack. The incident underscores Iran’s ongoing offensive cyber operations. Though the country has been less focused on Western targets in the last few years, it is still an active threat around the world. Recently, US President Donald Trump has worked to undermine the Iran nuclear deal, but Theresa May and other European leaders say they want to preserve it.

Police Did Social Media Surveillance on New York Black Lives Matter Group

The Black Lives Matter Global Network chapter in Rockland County, New York filed a federal lawsuit in August claiming that local Clarkstown police conducted illegal surveillance on it throughout 2015. Clarkstown police records from the Strategic Intelligence Unit describe social-media surveillance targeted at BLM members. The documents even show that a lead detective told the Strategic Intelligence Unit supervisor to stop the surveillance, but this didn’t end the program. BLM alleges that Clarkstown police engaged in racial profiling and violated the group members’ rights to free speech and assembly.

Millions of Crucial Cryptography Keys Weakened By Trusted Generator

A flaw in how a widely deployed cryptographic library generates RSA keys has undermined the security of millions of key pairs. The generator appears in products certified under two security standards (FIPS 140-2 and Common Criteria) relied on by numerous governments and large corporations worldwide, meaning the flawed keys are meant to protect particularly sensitive platforms and data. German chipmaker Infineon developed the software, which has included the key-generating flaw since 2012 or possibly earlier. Because the primes it produces have a special structure, an attacker who holds only the public key can factor it and recover the private key with far less effort than a properly generated key of the same length would require. From there they could forge signatures on software, impersonate the key’s owner on a network, or, of course, decrypt sensitive data. The situation affects Estonia’s much-touted secure digital ID system. Infineon, Microsoft, and Google warn that the flaw undermines their Trusted Platform Module products until customers generate new, properly formed keys. Estonia has announced plans to update the keys used for its national IDs.
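The practical first step for anyone holding keys from this generator is to find out which ones are affected. The flaw is publicly known as ROCA (CVE-2017-15361), and the structure that makes the keys factorable also makes them recognizable from the public modulus alone: every prime the library produces is congruent to a power of 65537 modulo each small prime, so the modulus N = p·q is too. The following Python is an added example written for this page, not code from the article, from Infineon, or from the researchers; the function names are this example’s own, and the sample moduli in its self-test are constructed arithmetically to have or lack the telltale residues rather than being real keys.

```python
"""Fingerprint check for RSA moduli produced by the flawed Infineon generator (ROCA).

Added example for this article, not vendor or researcher code.  Keys from the affected
library have primes of the form p = k*M + (65537^a mod M) with M a primorial, so the public
modulus N = p*q satisfies  N mod r  in  <65537 mod r>  (the multiplicative subgroup generated
by 65537) for every small prime r dividing M.  A properly generated modulus fails at least one
of these 39 checks with overwhelming probability, so passing all of them flags a suspect key.
"""
from functools import lru_cache, reduce
from typing import Dict, FrozenSet, List

GENERATOR = 65537

# The first 39 primes: the subset of M's factors that the public fingerprint tests against.
FINGERPRINT_PRIMES: List[int] = [
    2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
    73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
    157, 163, 167,
]


@lru_cache(maxsize=None)
def subgroup_generated(g: int, p: int) -> FrozenSet[int]:
    """All residues g^k mod p, i.e. the cyclic subgroup of (Z/pZ)* generated by g."""
    elems = set()
    x = 1
    while x not in elems:
        elems.add(x)
        x = (x * g) % p
    return frozenset(elems)


def roca_fingerprint(n: int) -> bool:
    """True if n's residues modulo every fingerprint prime all lie in <65537>.

    That is the signature of the flawed generator; a random modulus is rejected by
    the first prime whose residue falls outside the subgroup.
    """
    return all(n % r in subgroup_generated(GENERATOR, r) for r in FINGERPRINT_PRIMES)


def scan_moduli(moduli: Dict[str, int]) -> List[str]:
    """Return the labels of the moduli that carry the fingerprint, in input order."""
    return [label for label, n in moduli.items() if roca_fingerprint(n)]


def modulus_from_pem(pem: bytes) -> int:
    """Extract N from a PEM public key or X.509 certificate (needs the `cryptography` package).

    Imported lazily so the fingerprint itself stays dependency-free.
    """
    from cryptography import x509
    from cryptography.hazmat.primitives import serialization

    if b"BEGIN CERTIFICATE" in pem:
        return x509.load_pem_x509_certificate(pem).public_key().public_numbers().n
    return serialization.load_pem_public_key(pem).public_numbers().n


# --- constructed test inputs (not real keys) ---------------------------------------------

_M39 = reduce(lambda a, b: a * b, FINGERPRINT_PRIMES)


def make_constructed_vulnerable_modulus(exponent: int, multiple: int) -> int:
    """Build an integer with exactly the residue pattern the flawed generator leaves.

    65537^exponent mod M39 lies in <65537> modulo every fingerprint prime, and adding a
    multiple of M39 does not change any of those residues.  Constructed for demonstration.
    """
    return pow(GENERATOR, exponent, _M39) + multiple * _M39


if __name__ == "__main__":
    suspect = make_constructed_vulnerable_modulus(12345, 7)
    # Adding 1 shifts the residue mod 11 from 10 (in <65537 mod 11> = {1, 10}) to 0, so it fails.
    clean = make_constructed_vulnerable_modulus(5, 3) + 1
    print("flagged:", scan_moduli({"tpm-key": suspect, "yubikey-style": clean}))
```

To check real keys, feed `modulus_from_pem` the PEM bytes of each certificate or public key and pass the result to `roca_fingerprint`; a `True` means the key should be replaced, not merely rotated from the same generator. The fingerprint is a detector only: it does not factor anything, and a flagged 2048-bit key still needs a dedicated Coppersmith-style search to recover the private half.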


U.S. senator probes Pentagon on Russian source code reviews

WASHINGTON (Reuters) – A U.S. senator on Tuesday asked the Defense Department to explain how it manages the risks when it uses software that has been scrutinized by foreign governments, saying the practice may represent a national security threat.

Reuters reported earlier this month that Hewlett Packard Enterprise Co allowed a Russian defense agency to review the source code or inner workings of cyber defense software known as ArcSight, which is used by the Pentagon to guard its computer networks.

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses,” Democratic Senator Jeanne Shaheen wrote in a letter to Defense Secretary James Mattis seen by Reuters.

Shaheen, a member of the Senate Armed Services Committee, said disclosure of ArcSight’s source code to the Russian agency presented an “opportunity to exploit a system used on [Defense Department] platforms.”

Shaheen questioned whether the Trump administration was pushing back on demands for source code from Russia and elsewhere that are imposed on U.S. companies as a condition for entry into foreign markets.

Such reviews highlight a quandary for U.S. technology companies, as they weigh U.S. cyber security protections while pursuing business with some of Washington’s adversaries, including Russia and China, according to security experts.

“I understand that individual businesses must make decisions weighing the risk of intellectual property disclosure against the opportunity of accessing significant overseas markets,” Shaheen wrote. “However, when such products undergird [Defense Department] cyber defenses, our national security may be at stake in these decisions.”

The Pentagon and HPE did not immediately respond to requests for comment about the letter.

Cyber security experts, former U.S. intelligence officials and former ArcSight employees said the review of ArcSight’s core instructions, also known as source code, could help Moscow discover weaknesses in the software, potentially helping hackers to blind the U.S. military to an attack.

HPE has said in the past that such reviews, by a Russian government-accredited testing company, have taken place for years at a research and development center it operates outside of Russia.

The software maker has also said it closely supervises the process and that no code is allowed to leave the premises, ensuring it does not compromise the safety of its products. A company spokeswoman said last week that no current HPE products have undergone Russian source code reviews.

HPE was spun off from Hewlett-Packard Inc as a separate enterprise-focused company in 2015.

Shaheen’s letter asked Mattis whether he foresaw risks associated with the disclosure of ArcSight’s code and whether the Pentagon was monitoring whether technology vendors share source code or “other sensitive technical data.”

She also asked how frequently vendors disclose the source code of products used by the Pentagon to foreign governments.

Shaheen recently led successful efforts in Congress to ban all government use of software provided by Moscow-based antivirus firm Kaspersky Lab, amid allegations the company is allied with Russian intelligence. Kaspersky vehemently denies such links.

Tech companies have been under increasing pressure to allow the Russian government to examine source code in exchange for approvals to sell products in Russia. While many Western firms have complied, some, including California-based cyber firm Symantec, have refused.

ArcSight was sold to British tech company Micro Focus International Plc in a deal completed in September.

The company said last week that while source code reviews were a common industry practice, it would restrict future reviews by “high-risk” governments and subject them to chief executive approval.

Reporting by Dustin Volz and Joel Schectman; Editing by Jonathan Weber and Tom Brown


Facebook, Twitter, and Google Summoned to Congressional Panel on Russian Election Interference

Hearing is scheduled for Nov. 1.

Representatives of Facebook, Twitter and Google have been asked to appear on Nov. 1 at hearings on alleged Russian interference in U.S. politics called by the U.S. Senate and House Intelligence Committees, officials said.

Facebook and Twitter have already agreed to send representatives to the Senate committee hearing, a Congressional official said.

An official knowledgeable about House committee plans declined to disclose whether the companies have agreed to send representatives to its hearing.

Sources said that Google had not yet notified the committees that it would send representatives to the hearings, though ultimately the company was likely to do so.


Facebook, Google, Twitter asked to testify on Russian meddling

WASHINGTON (Reuters) – Executives from Facebook, Alphabet Inc’s Google and Twitter have been asked to testify to the U.S. Congress in coming weeks as lawmakers probe Russia’s alleged interference in the 2016 U.S. election, committee sources said on Wednesday.

A Senate aide said executives from the three firms had been asked by the Senate Intelligence Committee to appear at a public hearing on Nov. 1.

The leaders of the House of Representatives Intelligence Committee said the panel would hold an open hearing next month with representatives from unnamed technology companies in an effort to “better understand how Russia used online tools and platforms to sow discord in and influence our election.”

Representatives for Facebook and Google confirmed they had received invitations from the Senate committee but did not say whether the companies would attend. Twitter did not immediately respond to requests for comment.

The House panel did not immediately identify any companies, but a committee source said lawmakers expected to hear from the same three firms the Senate had asked to testify.

The requests are the latest move by congressional investigators to gain information from internet companies as they probe the extent of Moscow’s alleged efforts to disrupt last year’s U.S. election. Lawmakers in both parties have grown increasingly concerned that social networks may have played a key role in Russia’s influence operation.

Facebook revealed this month that suspected Russian trolls purchased more than $100,000 worth of divisive ads on its platform during the 2016 election cycle, a revelation that has prompted calls from some Democrats for new disclosure rules for online political ads.

On Wednesday, Trump attacked Facebook in a tweet and suggested the world’s largest social network had colluded with other media outlets that opposed him. The president has been skeptical of the conclusions of U.S. intelligence agencies that Russia interfered in the election and has denied his campaign colluded with Moscow.

The salvo prompted a lengthy rebuke from Facebook Chief Executive Mark Zuckerberg, who said both Trump and liberals were upset about ideas and content on Facebook during the campaign.

“That’s what running a platform for all ideas looks like,” Zuckerberg wrote on his personal Facebook page.

Other internet firms besides Facebook are also facing rising scrutiny over how Russia may have leveraged their platforms. Twitter is expected to privately brief the Senate panel on Thursday.

Republican Senator James Lankford, who has received classified information about Russia’s interference as a member of the Senate Intelligence Committee, said on Wednesday that the country’s attempts to sow discord in U.S. domestic affairs had not abated.

Russian internet trolls over the weekend fueled the debate ignited by Trump over whether NFL players should have the right to kneel during the national anthem, Lankford said.

Also on Wednesday, the Daily Beast, citing unnamed sources, reported that a Facebook group named “United Muslims of America” was a fake account linked to the Russian government and that it was used to push false claims about U.S. politicians, including Democratic presidential candidate Hillary Clinton.

The group bought Facebook ads to reach targeted audiences, promoting political rallies aimed at Muslims, the website reported.

The Senate and House intelligence committees are two of the main congressional panels probing allegations that Russia sought to interfere in the U.S. election to boost Trump’s chances at winning the White House, and possible collusion between Trump associates and Russia.

Reporting by Patricia Zengerle and Dustin Volz, additional reporting by Paresh Dave; Editing by Peter Cooney and Andrew Hay



Trump ‘knows things’ others don’t about Russian hacking

If Russian hackers are fiddling around with America’s electricity grid, then that would be extremely alarming. It is also what was reported by the Washington Post on the heels of the Obama Administration announcing sanctions against Russia for interfering in a US election.

The original headline read, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.” The Washington Post reported, “A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials.”

