The Host Unknown Podcast

Episode 149 - It's That Man Again (Again)

Episode Summary

This Week in InfoSec takes us back to a move out of the acquisition playbook. Rant of the Week asks Meta to think of the children. Billy Big Balls is a tale of 2 FA. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week is a criminal group with a moral compass.

Episode Notes

This Week In InfoSec (09:00)

With content liberated from the “today in infosec” Twitter account and further afield

23rd April 2008: Microsoft announced that some of its antivirus tools had mislabeled Skype as adware for several days due to a bad definition update. 3 years later Microsoft bought Skype for $8.5 billion.

Microsoft mislabels Skype as adware

https://twitter.com/todayininfosec/status/1253558642537713664

 

26th April 1999: Chernobyl Virus Melts Down PCs

The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus triggers its payload on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history, it is estimated to have infected 60 billion PCs worldwide, causing $1 billion in damages.

The virus had been created exactly one year earlier on April 26, 1998 by Taiwanese student Chen Ing-hau and set to trigger its destructive payload exactly one year later. It began to spread in the wild and was first discovered in June of 1998, given the name CIH due to the author’s initials discovered in the virus code. From this time forward it was reported that a variety of companies accidentally distributed the virus through various downloads, updates, and CDs.

When the virus triggered on this date it just happened to coincide with the date of the Chernobyl disaster in 1986 and therefore the press began to call it the Chernobyl virus, even though there has never been any evidence to show that this date was chosen intentionally for this reason.

My memories of Chernobyl/CIH here: https://nakedsecurity.sophos.com/2011/04/26/memories-of-the-chernobyl-virus/

 

Rant of the Week (17:35)

International cops urge Meta not to implement secure encryption for all

Why? Well, think of the children, of course

An international group of law enforcement agencies are urging Meta not to standardize end-to-end encryption on Facebook Messenger and Instagram, which they say will harm their ability to fight child sexual abuse material (CSAM) online.

The Virtual Global Taskforce was formed in 2003 and is currently chaired by Britain's National Crime Agency. The VGT consists of 15 law enforcement bodies, including Interpol, the FBI, the Australian Federal Police and other law enforcement agencies from around the world. In its letter [PDF], the VGT said reports from tech industry partners play a key role in fighting CSAM content, with Meta being its leading reporter of abuse material.

But the taskforce thinks that will end if Meta continues its encryption push. "The VGT has not yet seen any indication from META that any new safety systems implemented post-E2EE will effectively match or improve their current detection methods," the taskforce said. 

 

Billy Big Balls of the Week (28:07)

After 13 years, Google has finally added syncing to Google Authenticator in iOS and Android.

By adding sync, you no longer need to worry about losing access to your online accounts. If you lose your phone, just restore them on a new device.

All good, right? Err…

https://twitter.com/mysk_co/status/1651021165727477763

Yes, Google syncs your 2FA codes via HTTPS. But Mysk found out they weren’t end-to-end encrypted. In short, Google can see your 2FA codes. Furthermore, anyone who can access your Google account (such as law enforcement) can access your 2FA codes.

Oh dear…

https://twitter.com/christiaanbrand/status/1651279598309744640

In response, Google said it had:

“We’re always focused on the safety and security of Google users, and the newest updates to Google Authenticator was no exception.”

“Plans to offer E2EE for Google Authenticator down the line.”

“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”

What impressive balls of Google to introduce this new feature to a security/privacy product - after 13 years! - and brazenly do it in an insecure way!

 

Industry News (37:43)

American Bar Association Breach Hits 1.5 Million Members

Thousands of Social Media Takedowns Hit People Smugglers

Yellow Pages Canada Hit by Cyber-Attack, Black Basta Claims Credit

UK Cyber Pros Burnt Out and Overwhelmed

Quad Countries Prepare For Info Sharing on Critical Infrastructure

Critical Flaw Patched in VMware Workstation and Fusion

Man Arrested for Selling Data on 300 Million Victims to Russians

Microsoft Blames Clop Affiliate for PaperCut Attacks

APT Groups Expand Reach to New Industries and Geographies

 

Tweet of the Week (45:06)

https://twitter.com/vxunderground/status/1651384225692786689