Microsoft faces criticism for its handling of vulnerability disclosure


Microsoft is criticized for its handling of bug reporting with critics saying, “they just don’t seem to get it.”  Disney is hacked by a group who claims to be punishing them for using AI to steal from artists. Kaspersky is closing down in the US. And if you think your phone is safe, the FBI just cracked a locked phone in 2 days.

All this and more on this, “what a week for our security reporter to be off” edition of Hashtag Trending.

I’m your host Jim Love.  Let’s get into it.

And if you are a Cyber Security Today listener, we hope Howard will be back next week, but today's stories for Hashtag Trending were all about cyber security, one of those days, so I'm taking the liberty of cross-posting this to the CST audience.

In a recent development highlighting ongoing issues with vulnerability disclosure processes, Microsoft has come under fire for its handling of a zero-day flaw in its MSHTML browser engine. The vulnerability was discovered and reported by Trend Micro's Zero Day Initiative.

A group calling itself Void Banshee, a new nation-state-level threat group, has found a way to bring back a zombie version of the old, no longer patched Internet Explorer. Microsoft retired Internet Explorer in June of 2022, but the attackers not only found a way to resurrect its engine, they also used it to take over modern Windows systems.

Trend Micro's researchers felt the bug should be rated as extremely severe and classed as a remote code execution bug, which would place it near the top of the severity scale. So they were surprised when Microsoft rated it as a spoofing bug, which carries far lower severity and priority. Microsoft also credited another group with the discovery.

Dustin Childs from Trend Micro's Zero Day Initiative told The Register: "It seems like they really don't have a full grasp of what's going on with this patch." ZDI says it reported the flaw to Microsoft in May, yet received no credit in the initial advisory.

This incident has surfaced some real frustration and underscores problems with the coordinated vulnerability disclosure process across the tech industry. Childs warned, "It's creating a situation where it's really pushing researchers away from reporting to vendors, which is going to be very problematic in the near future."

That, for all of us out here using software, would not be a good thing.

Who is at fault in this? We don't care. Microsoft is a big player and needs to pay attention to this; its reputation in security is already problematic.

Sources include: The Register

And in another security-related story, the entertainment giant Disney is investigating a significant leak of internal messages. A hacking group called Nullbulge claims to have accessed thousands of communications from Disney employees, potentially exposing sensitive information about upcoming projects.

The hackers, claiming to be based in Russia, say they gained access through an insider to Disney’s internal Slack messaging system.

Nullbulge describes itself as a “hacktivist group protecting artists’ rights” and targets organizations it believes are harming the creative industry by using AI-generated content. On their website, they state: “Our hacks are not those of malice, but to punish those caught stealing.”

The group criticizes Disney's handling of artist contracts, its approach to AI, and what it perceives as a disregard for consumers. However, the existence and authenticity of the leaked data have not been independently verified. But if it is made public, you can bet there will be a lot of interest.

Sources include:  BBC

Russian antivirus software provider Kaspersky Lab has announced it will cease operations in the United States starting July 20, 2024. This decision comes in the wake of recent sanctions imposed by the U.S. government.

The U.S. Treasury Department’s Office of Foreign Assets Control sanctioned twelve Kaspersky executives on June 21, freezing their U.S. assets. Additionally, the Department of Commerce added Kaspersky to its Entity List, effectively banning U.S. businesses from working with the company.

In a recent statement Kaspersky confirmed: “Starting from July 20, 2024 Kaspersky will gradually wind down its U.S. operations and eliminate U.S.-based positions.” The company cited the U.S. Department of Commerce’s decision to prohibit sales and distribution of Kaspersky products in the U.S. as the primary reason.

The U.S. government’s actions stem from concerns over potential national security risks, with the Bureau of Industry and Security stating that Kaspersky’s continued operations in the U.S. “presented a national security risk… that could not be addressed through mitigation measures short of a total prohibition.”

This move marks the end of Kaspersky’s presence in the U.S. market and highlights the ongoing tensions between the U.S. and Russia in the cybersecurity sector.

Sources include: Bleeping Computer

Remember the big deal a while ago, back in December 2015, when there was a shooting in San Bernardino and the FBI recovered the shooter's phone. They wanted Apple to assist them in breaking into it. Apple steadfastly refused to unlock the phone, even, and this is from memory, claiming they couldn't do it: having that sort of access to iPhones would create a back door that would make iPhones less secure. That fight went on for months, with Trump, then a presidential candidate, even saying people should boycott Apple.

The FBI eventually and somewhat quietly dropped their demands, but not because Apple stared them down. They found another way.

And that became abundantly clear after the recent shooting at the Trump rally, where once again the FBI recovered the shooter's phone. The FBI and other law enforcement agencies have found ways to access encrypted devices: the FBI announced it had gained access to the Trump rally shooter's phone just two days after the incident.

And it's not just the FBI. Security expert Cooper Quintin from the Electronic Frontier Foundation notes, "Almost every police department in the nation has a device called the Cellebrite, which is a device built for extracting data from phones, and it also has some capability to unlock phones."

It turns out that a 2020 investigation found that over 2,000 law enforcement agencies across all 50 states have access to mobile device forensic tools (MDFTs). These tools, such as GrayKey, can cost up to $30,000 and support the latest smartphone models.

This is a difficult issue, but it's worthy of some public discussion now that we've seen the ease with which law enforcement can access encrypted devices.

Sources include: The Verge

And that’s our show for today.

Hashtag Trending is on summer hours. We will have 3 daily news shows a week, so our next show will be our Weekend Edition which we hope to post on Friday, but as much as I need a bit of a summer recharge, we’ll play with the schedule to see what works best.

Show notes are at technewsday.ca or .com  – either one works.

We love your comments.  Contact me at editorial@technewsday.ca

I’m your host Jim Love, have a Wonderful Wednesday.
