Android Malware, Free Speech, and More Security News This Week
This week, Hawaii reeled after an emergency text alert about an impending nuclear missile attack triggered panic—and then turned out to be a false alarm. Researchers provided more details about the sophisticated Triton malware that targets industrial control systems and impacted a real-world plant last year.
The anti-fascist far-left movement known as Antifa gets some of its intelligence from a computer scientist named Megan Squire, who disseminates valuable and controversial information. Officials looking to support and further law enforcement initiatives are using the clever catchphrase “responsible encryption” in an attempt to gingerly avoid debate while describing the need for backdoors into protected data. Algorithms meant to analyze crime trends and predict future incidents don’t have a particularly impressive accuracy rate. And researchers are refining an approach to automatically uncover vulnerabilities in Internet of Things Devices—ideally so they can be protected before attackers come along.
And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
###Hacking Group Linked to Lebanon Used Fake Mobile Messaging Apps to Spy on Thousands of PeopleA newly identified digital espionage initiative has stolen hundreds of gigabytes of data and surveilled thousands of people in 21 countries, including the United States, Canada, France, and Germany. The spy campaign works by tricking users into installing malicious apps that appear to be trusted messaging services like WhatsApp and Signal. The phony apps seem to work normally, but are actually laced with trojans that scoop up messages, call logs, photos, location data, and anything else users send and receive.
The campaign, discovered by the Electronic Frontier Foundation and the mobile security firm Lookout, is known as Dark Caracal and seems to be the work of nation state-funded hackers. The researchers traced the sinister project to a building owned by the Lebanese General Security Directorate in Beirut. The spying has targeted well-connected or controversial figures like activists, military personnel, journalists, and lawyers.
“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional … actors are moving toward using mobile as a primary target platform,” said Mike Murray, vice president of security intelligence at Lookout.
###LeakedSource Creator Charged With Selling Stolen Data He CollectedThis week unmasked LeakedSource creator Jordan Evan Bloom, a 27-year-old from Ontario, appeared in court on charges of trafficking in identity information and unauthorized computer use. Canadian officials say that Bloom sold data from the three billion credential pairs and pieces of personal information LeakdSource had on file. Bloom allegedly made almost $200,000 by selling personal data.
LeakedSource always billed itself as a good-faith service. The tool collected usernames, passwords and other personal information compromised in corporate breaches and organized it into a searchable database so web users could check whether their data had been compromised. Some security professionals had doubts about the service, created in 2015, largely because its creator remained anonymous. Other similar services, like Troy Hunt’s Have I been pwned?, are more transparent.
LeakedSource and its social media accounts have been taken offline, but at least one mirror site hosted in Russia still exists.
###Fewer Than 10 Percent of Gmail Accounts Use Two-factor AuthenticationGoogle engineer Grzegorz Milka said at the Usenix Enigma security conference on Wednesday that fewer than 10 percent of Gmail’s active users currently enable two factor authentication on their accounts. On a similarly bleak note, he cited a 2016 Pew study that only about 12 percent of people in the US use a password manager.
For two-factor authentication users need something beside their password to log into their account—like a random numeric code from an authentication app or a physical token like a UbiKey. The protection shields accounts by making it much more difficult for an attacker to have all the required information to access a victim’s account at a given time. Milka told The Register that Google hasn’t made two-factor mandatory because it’s harder for customers to use than regular username and password login. “It’s about how many people would we drive out if we force them to use additional security,” he said.
For all the hype and angst inspired by Alexa and Google Assistant, a report this week by The Intercept shows why it’s the NSA that should really have your attention. Voice recognition has been a priority for the agency for years. That doesn’t mean that they’re listening in on your conversations; instead, they use so-called voiceprints to map what certain high-value targets sound like, using them to help identify and locate persons of interest. It’s certainly not the only area in which the NSA has been a technological front-runner, but with the heightened interest in voice technology generally, it’s worth a look at how it’s been used in the past.