This week: Troubling news for privacy advocates as UK govt gets new powers, Symantec gets into the identity space, Android phones with hidden backdoors, and Michigan State University has their database breached. Registrations are also open for RSA 2017, being held in San Francisco this coming February.
After more than 12 months of debate, jostling and a healthy dose of criticism, the United Kingdom's new surveillance regime is set to become law. Both the House of Lords and House of Commons have now passed the Investigatory Powers Bill – the biggest overhaul of surveillance powers for more than a decade. It is likely to be given Royal Assent by the end of 2016. The bill forces internet companies to keep records on their users for up to a year, and allows the Government to force companies to hack into or break things they've sold so they can be spied on. It has been fought against by privacy campaigners and technology companies including Apple and Twitter, with Tim Berners-Lee tweeting "Dark, dark days". In this piece Wired UK explains how the laws will affect people, whether they're from the UK or not. In another bill officially announced today, the UK government also plans to force ISPs to block the vague category of "adult" websites that fail to take appropriate age verification measures.
Symantec plans to buy LifeLock, an identity-theft protection service, for $2.3 billion, and the deal is expected to close in the first quarter of 2017 pending regulatory approval. LifeLock says it provides "proactive identity theft protection services for consumers and consumer risk management services for enterprises." Among other things, it apparently alerts users to unauthorised identity access by monitoring new account openings and credit applications, while it also trains police, government, merchants, and NGOs in identity protection techniques. Symantec is taking on $750 million in new debt to finance the purchase, which follows its acquisition in August of cloud access security broker Blue Coat for $4.65 billion.
If you're a technical person, you may want to check out the Linux monitoring tool Slack's security team have just open sourced. Ryan Huber explains: "We saw a lot of potential uses for the data we could get from auditd, but needed a way to run this at scale. We developed the project go-audit as a replacement for the userspace part of auditd". Its goal is to be fast, safe, and non-blocking. Slack monitors thousands of hosts with this setup, and pumps the output to their Elasticsearch cluster. Interesting stuff!
Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges. The backdoor hides itself from the OS, runs as root, and its update traffic isn't encrypted, so an attacker can be on the local network or remote. Researchers say they discovered the issue after one of their team bought a BLU Studio G smartphone from Best Buy. This is the second issue of its kind to come to light this week, after researchers discovered a similar secret backdoor in another Chinese firm's devices.
Michigan State University announced on Friday that a university server and a database containing information on some 400,000 faculty, staff and students had been accessed by an unauthorised third party. The database contains names, social security numbers, IDs, and in some cases dates of birth of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, and of students who attended MSU between 1991 and 2016. MSU has stated that only 449 records were accessed.
- A researcher found that Outlook would sign mail with its own DKIM key when redirecting mail, which meant that if you forwarded an email spoofing "[email protected]", the DKIM signature would be valid and the message would pass spam filters.
- @dagrz presented "Hacking AWS end-to-end" at Kiwicon, and posted slides and scripts on GitHub. Well worth a look if you want to try hacking your own AWS account.
- Rob Graham connected a webcam to the internet and it was compromised in 98 seconds
- Carbanak Gang is calling hotels to convince victims to install malware
- ɢoogle.com is not google.com!
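The Outlook DKIM item above is a reminder that a valid DKIM signature on its own proves nothing about the visible sender: the signing domain (the `d=` tag) must also align with the `From:` domain, which is exactly the check DMARC adds. The following is an added example, not code from the original post or from any of the products mentioned; it parses constructed sample headers and reports whether the signature aligns, assuming the signature itself has already been cryptographically verified (that step needs DNS and is out of scope here).

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: a forwarded message whose From: claims "bank.example" but whose only
# DKIM-Signature was added by the forwarding host's domain "forwarder.example".
FORWARDED_SPOOF = """\
From: "Alerts" <alerts@bank.example>
To: victim@example.net
Subject: Action required
DKIM-Signature: v=1; a=rsa-sha256; d=forwarder.example; s=sel1; h=from:to:subject; bh=...; b=...

Please log in.
"""

# Constructed sample: signed by the organisational domain of the From: address (relaxed alignment).
LEGIT_SUBDOMAIN = """\
From: alerts@mail.bank.example
To: victim@example.net
Subject: Statement ready
DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel2; h=from:to:subject; bh=...; b=...

Your statement is ready.
"""


def _from_domain(header_value):
    """Lower-cased domain of the address in a From: header, or '' if none."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _tag(signature, name):
    """Value of a tag (e.g. 'd') in a DKIM-Signature tag=value list."""
    for part in signature.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == name:
            return value.strip().lower()
    return ""


def _org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def dkim_aligned(raw_message, strict=False):
    """Return (aligned, from_domain, signing_domains) for DMARC-style DKIM alignment."""
    msg = message_from_string(raw_message, policy=default)
    from_domain = _from_domain(str(msg.get("From", "")))
    signing = [_tag(str(s), "d") for s in msg.get_all("DKIM-Signature", [])]
    if strict:
        aligned = any(d == from_domain for d in signing)
    else:
        aligned = any(_org_domain(d) == _org_domain(from_domain) for d in signing)
    return aligned, from_domain, signing
```

A mail filter that accepts on "DKIM pass" alone treats the forwarded spoof as legitimate; requiring alignment rejects it while still accepting the subdomain case under relaxed mode.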
That's all for this week. Feel free to send through any feedback or links, and forward this to your friends and colleagues!